diff --git a/cvrf_cves.json b/cvrf_cves.json
new file mode 100644
index 0000000..98681a1
--- /dev/null
+++ b/cvrf_cves.json
@@ -0,0 +1,9412 @@
+{
+  "CVE-2022-27239": {
+    "id": "CVE-2022-27239",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27239",
+    "severity": "Medium"
+  },
+  "CVE-2022-3715": {
+    "id": "CVE-2022-3715",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3715",
+    "severity": "Low"
+  },
+  "CVE-2021-41079": {
+    "id": "CVE-2021-41079",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41079",
+    "severity": "High"
+  },
+  "CVE-2022-24795": {
+    "id": "CVE-2022-24795",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24795",
+    "severity": "High"
+  },
+  "CVE-2022-1725": {
+    "id": "CVE-2022-1725",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1725",
+    "severity": "Low"
+  },
+  "CVE-2024-21886": {
+    "id": "CVE-2024-21886",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21886",
+    "severity": "High"
+  },
+  "CVE-2021-45486": {
+    "id": "CVE-2021-45486",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45486",
+    "severity": "Low"
+  },
+  "CVE-2022-33068": {
+    "id": "CVE-2022-33068",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33068",
+    "severity": "Medium"
+  },
+  "CVE-2021-40145": {
+    "id": "CVE-2021-40145",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40145",
+    "severity": "High"
+  },
+  "CVE-2023-45862": {
+    "id": "CVE-2023-45862",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45862",
+    "severity": "High"
+  },
+  "CVE-2021-34337": {
+    "id": "CVE-2021-34337",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34337",
+    "severity": "High"
+  },
+  "CVE-2024-26625": {
+    "id": "CVE-2024-26625",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26625",
+    "severity": "Low"
+  },
+  "CVE-2022-3479": {
+    "id": "CVE-2022-3479",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3479",
+    "severity": "High"
+  },
+  "CVE-2021-36980": {
+    "id": "CVE-2021-36980",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36980",
+    "severity": "Medium"
+  },
+  "CVE-2021-22898": {
+    "id": "CVE-2021-22898",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22898",
+    "severity": "Low"
+  },
+  "CVE-2022-39377": {
+    "id": "CVE-2022-39377",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39377",
+    "severity": "Critical"
+  },
+  "CVE-2021-32740": {
+    "id": "CVE-2021-32740",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32740",
+    "severity": "High"
+  },
+  "CVE-2020-14347": {
+    "id": "CVE-2020-14347",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14347",
+    "severity": "High"
+  },
+  "CVE-2023-40589": {
+    "id": "CVE-2023-40589",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40589",
+    "severity": "High"
+  },
+  "CVE-2023-27349": {
+    "id": "CVE-2023-27349",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27349",
+    "severity": "High"
+  },
+  "CVE-2022-21797": {
+    "id": "CVE-2022-21797",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21797",
+    "severity": "High"
+  },
+  "CVE-2023-24580": {
+    "id": "CVE-2023-24580",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24580",
+    "severity": "High"
+  },
+  "CVE-2023-51714": {
+    "id": "CVE-2023-51714",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714",
+    "severity": "Critical"
+  },
+  "CVE-2020-12867": {
+    "id": "CVE-2020-12867",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12867",
+    "severity": "Medium"
+  },
+  "CVE-2020-26945": {
+    "id": "CVE-2020-26945",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26945",
+    "severity": "High"
+  },
+  "CVE-2020-24659": {
+    "id": "CVE-2020-24659",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24659",
+    "severity": "High"
+  },
+  "CVE-2021-3933": {
+    "id": "CVE-2021-3933",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3933",
+    "severity": "Medium"
+  },
+  "CVE-2023-50229": {
+    "id": "CVE-2023-50229",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50229",
+    "severity": "High"
+  },
+  "CVE-2024-36964": {
+    "id": "CVE-2024-36964",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36964",
+    "severity": "Medium"
+  },
+  "CVE-2021-28957": {
+    "id": "CVE-2021-28957",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28957",
+    "severity": "Medium"
+  },
+  "CVE-2024-28103": {
+    "id": "CVE-2024-28103",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28103",
+    "severity": "Medium"
+  },
+  "CVE-2023-45322": {
+    "id": "CVE-2023-45322",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45322",
+    "severity": "Medium"
+  },
+  "CVE-2024-22195": {
+    "id": "CVE-2024-22195",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22195",
+    "severity": "Medium"
+  },
+  "CVE-2020-36280": {
+    "id": "CVE-2020-36280",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36280",
+    "severity": "High"
+  },
+  "CVE-2022-46663": {
+    "id": "CVE-2022-46663",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46663",
+    "severity": "Medium"
+  },
+  "CVE-2022-4338": {
+    "id": "CVE-2022-4338",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4338",
+    "severity": "Medium"
+  },
+  "CVE-2021-42008": {
+    "id": "CVE-2021-42008",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42008",
+    "severity": "Medium"
+  },
+  "CVE-2022-37966": {
+    "id": "CVE-2022-37966",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37966",
+    "severity": "High"
+  },
+  "CVE-2023-52735": {
+    "id": "CVE-2023-52735",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52735",
+    "severity": "Low"
+  },
+  "CVE-2022-36033": {
+    "id": "CVE-2022-36033",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36033",
+    "severity": "Medium"
+  },
+  "CVE-2023-1981": {
+    "id": "CVE-2023-1981",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1981",
+    "severity": "Medium"
+  },
+  "CVE-2024-31081": {
+    "id": "CVE-2024-31081",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31081",
+    "severity": "High"
+  },
+  "CVE-2023-44271": {
+    "id": "CVE-2023-44271",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44271",
+    "severity": "High"
+  },
+  "CVE-2022-44940": {
+    "id": "CVE-2022-44940",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44940",
+    "severity": "Critical"
+  },
+  "CVE-2021-3973": {
+    "id": "CVE-2021-3973",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3973",
+    "severity": "High"
+  },
+  "CVE-2022-1615": {
+    "id": "CVE-2022-1615",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1615",
+    "severity": "Medium"
+  },
+  "CVE-2021-44716": {
+    "id": "CVE-2021-44716",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44716",
+    "severity": "High"
+  },
+  "CVE-2020-0452": {
+    "id": "CVE-2020-0452",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0452",
+    "severity": "Critical"
+  },
+  "CVE-2021-41771": {
+    "id": "CVE-2021-41771",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41771",
+    "severity": "Medium"
+  },
+  "CVE-2022-41861": {
+    "id": "CVE-2022-41861",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41861",
+    "severity": "High"
+  },
+  "CVE-2022-29155": {
+    "id": "CVE-2022-29155",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29155",
+    "severity": "Critical"
+  },
+  "CVE-2023-36328": {
+    "id": "CVE-2023-36328",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36328",
+    "severity": "Critical"
+  },
+  "CVE-2020-7060": {
+    "id": "CVE-2020-7060",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7060",
+    "severity": "Critical"
+  },
+  "CVE-2022-1114": {
+    "id": "CVE-2022-1114",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1114",
+    "severity": "High"
+  },
+  "CVE-2022-30699": {
+    "id": "CVE-2022-30699",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30699",
+    "severity": "Medium"
+  },
+  "CVE-2020-25664": {
+    "id": "CVE-2020-25664",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25664",
+    "severity": "Low"
+  },
+  "CVE-2022-37704": {
+    "id": "CVE-2022-37704",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37704",
+    "severity": "Medium"
+  },
+  "CVE-2021-41496": {
+    "id": "CVE-2021-41496",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41496",
+    "severity": "High"
+  },
+  "CVE-2022-4129": {
+    "id": "CVE-2022-4129",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4129",
+    "severity": "Medium"
+  },
+  "CVE-2022-40617": {
+    "id": "CVE-2022-40617",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40617",
+    "severity": "Medium"
+  },
+  "CVE-2023-4389": {
+    "id": "CVE-2023-4389",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4389",
+    "severity": "Medium"
+  },
+  "CVE-2023-3180": {
+    "id": "CVE-2023-3180",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3180",
+    "severity": "Medium"
+  },
+  "CVE-2022-44370": {
+    "id": "CVE-2022-44370",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44370",
+    "severity": "High"
+  },
+  "CVE-2022-38784": {
+    "id": "CVE-2022-38784",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38784",
+    "severity": "High"
+  },
+  "CVE-2020-24241": {
+    "id": "CVE-2020-24241",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24241",
+    "severity": "High"
+  },
+  "CVE-2022-47943": {
+    "id": "CVE-2022-47943",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47943",
+    "severity": "Medium"
+  },
+  "CVE-2021-33658": {
+    "id": "CVE-2021-33658",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33658",
+    "severity": "High"
+  },
+  "CVE-2021-25786": {
+    "id": "CVE-2021-25786",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25786",
+    "severity": "High"
+  },
+  "CVE-2021-42550": {
+    "id": "CVE-2021-42550",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42550",
+    "severity": "Medium"
+  },
+  "CVE-2024-24474": {
+    "id": "CVE-2024-24474",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24474",
+    "severity": "High"
+  },
+  "CVE-2023-26769": {
+    "id": "CVE-2023-26769",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26769",
+    "severity": "High"
+  },
+  "CVE-2023-34432": {
+    "id": "CVE-2023-34432",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34432",
+    "severity": "Medium"
+  },
+  "CVE-2021-3671": {
+    "id": "CVE-2021-3671",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3671",
+    "severity": "Medium"
+  },
+  "CVE-2024-3657": {
+    "id": "CVE-2024-3657",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3657",
+    "severity": "Medium"
+  },
+  "CVE-2022-3202": {
+    "id": "CVE-2022-3202",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3202",
+    "severity": "High"
+  },
+  "CVE-2021-3549": {
+    "id": "CVE-2021-3549",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3549",
+    "severity": "High"
+  },
+  "CVE-2022-35737": {
+    "id": "CVE-2022-35737",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35737",
+    "severity": "High"
+  },
+  "CVE-2022-0216": {
+    "id": "CVE-2022-0216",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0216",
+    "severity": "Medium"
+  },
+  "CVE-2022-2719": {
+    "id": "CVE-2022-2719",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2719",
+    "severity": "Medium"
+  },
+  "CVE-2024-23849": {
+    "id": "CVE-2024-23849",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23849",
+    "severity": "Medium"
+  },
+  "CVE-2022-48502": {
+    "id": "CVE-2022-48502",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48502",
+    "severity": "High"
+  },
+  "CVE-2022-39028": {
+    "id": "CVE-2022-39028",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39028",
+    "severity": "High"
+  },
+  "CVE-2023-45285": {
+    "id": "CVE-2023-45285",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45285",
+    "severity": "Medium"
+  },
+  "CVE-2021-28711": {
+    "id": "CVE-2021-28711",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28711",
+    "severity": "Low"
+  },
+  "CVE-2024-25062": {
+    "id": "CVE-2024-25062",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25062",
+    "severity": "High"
+  },
+  "CVE-2023-3138": {
+    "id": "CVE-2023-3138",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3138",
+    "severity": "Medium"
+  },
+  "CVE-2021-33037": {
+    "id": "CVE-2021-33037",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33037",
+    "severity": "Medium"
+  },
+  "CVE-2021-23169": {
+    "id": "CVE-2021-23169",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23169",
+    "severity": "Medium"
+  },
+  "CVE-2022-0778": {
+    "id": "CVE-2022-0778",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0778",
+    "severity": "High"
+  },
+  "CVE-2020-24612": {
+    "id": "CVE-2020-24612",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24612",
+    "severity": "Medium"
+  },
+  "CVE-2024-24899": {
+    "id": "CVE-2024-24899",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24899",
+    "severity": "High"
+  },
+  "CVE-2021-44225": {
+    "id": "CVE-2021-44225",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44225",
+    "severity": "Medium"
+  },
+  "CVE-2020-8178": {
+    "id": "CVE-2020-8178",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8178",
+    "severity": "Critical"
+  },
+  "CVE-2021-25220": {
+    "id": "CVE-2021-25220",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25220",
+    "severity": "High"
+  },
+  "CVE-2023-45234": {
+    "id": "CVE-2023-45234",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45234",
+    "severity": "Medium"
+  },
+  "CVE-2022-24761": {
+    "id": "CVE-2022-24761",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24761",
+    "severity": "High"
+  },
+  "CVE-2023-28711": {
+    "id": "CVE-2023-28711",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28711",
+    "severity": "Medium"
+  },
+  "CVE-2023-5371": {
+    "id": "CVE-2023-5371",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5371",
+    "severity": "Medium"
+  },
+  "CVE-2023-30577": {
+    "id": "CVE-2023-30577",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30577",
+    "severity": "High"
+  },
+  "CVE-2023-26552": {
+    "id": "CVE-2023-26552",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26552",
+    "severity": "Medium"
+  },
+  "CVE-2020-28241": {
+    "id": "CVE-2020-28241",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28241",
+    "severity": "Medium"
+  },
+  "CVE-2022-48337": {
+    "id": "CVE-2022-48337",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48337",
+    "severity": "High"
+  },
+  "CVE-2023-39328": {
+    "id": "CVE-2023-39328",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39328",
+    "severity": "Medium"
+  },
+  "CVE-2022-21363": {
+    "id": "CVE-2022-21363",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21363",
+    "severity": "Medium"
+  },
+  "CVE-2023-40305": {
+    "id": "CVE-2023-40305",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40305",
+    "severity": "High"
+  },
+  "CVE-2021-32280": {
+    "id": "CVE-2021-32280",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32280",
+    "severity": "Medium"
+  },
+  "CVE-2022-3239": {
+    "id": "CVE-2022-3239",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3239",
+    "severity": "High"
+  },
+  "CVE-2019-16319": {
+    "id": "CVE-2019-16319",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16319",
+    "severity": "High"
+  },
+  "CVE-2023-49083": {
+    "id": "CVE-2023-49083",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49083",
+    "severity": "Critical"
+  },
+  "CVE-2021-38294": {
+    "id": "CVE-2021-38294",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38294",
+    "severity": "Critical"
+  },
+  "CVE-2023-4016": {
+    "id": "CVE-2023-4016",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4016",
+    "severity": "Medium"
+  },
+  "CVE-2022-3551": {
+    "id": "CVE-2022-3551",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3551",
+    "severity": "High"
+  },
+  "CVE-2023-48237": {
+    "id": "CVE-2023-48237",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48237",
+    "severity": "Low"
+  },
+  "CVE-2023-31436": {
+    "id": "CVE-2023-31436",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31436",
+    "severity": "High"
+  },
+  "CVE-2021-46828": {
+    "id": "CVE-2021-46828",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46828",
+    "severity": "High"
+  },
+  "CVE-2024-2002": {
+    "id": "CVE-2024-2002",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2002",
+    "severity": "High"
+  },
+  "CVE-2023-52323": {
+    "id": "CVE-2023-52323",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52323",
+    "severity": "Medium"
+  },
+  "CVE-2022-23633": {
+    "id": "CVE-2022-23633",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23633",
+    "severity": "Medium"
+  },
+  "CVE-2023-7250": {
+    "id": "CVE-2023-7250",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7250",
+    "severity": "Medium"
+  },
+  "CVE-2021-3608": {
+    "id": "CVE-2021-3608",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3608",
+    "severity": "Medium"
+  },
+  "CVE-2022-29458": {
+    "id": "CVE-2022-29458",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29458",
+    "severity": "High"
+  },
+  "CVE-2019-17570": {
+    "id": "CVE-2019-17570",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17570",
+    "severity": "Critical"
+  },
+  "CVE-2022-30293": {
+    "id": "CVE-2022-30293",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30293",
+    "severity": "Critical"
+  },
+  "CVE-2024-4340": {
+    "id": "CVE-2024-4340",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4340",
+    "severity": "High"
+  },
+  "CVE-2023-50495": {
+    "id": "CVE-2023-50495",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50495",
+    "severity": "Medium"
+  },
+  "CVE-2024-36008": {
+    "id": "CVE-2024-36008",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36008",
+    "severity": "Medium"
+  },
+  "CVE-2022-0729": {
+    "id": "CVE-2022-0729",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0729",
+    "severity": "Medium"
+  },
+  "CVE-2021-24122": {
+    "id": "CVE-2021-24122",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24122",
+    "severity": "Medium"
+  },
+  "CVE-2020-16592": {
+    "id": "CVE-2020-16592",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16592",
+    "severity": "Medium"
+  },
+  "CVE-2022-1304": {
+    "id": "CVE-2022-1304",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1304",
+    "severity": "High"
+  },
+  "CVE-2022-40896": {
+    "id": "CVE-2022-40896",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40896",
+    "severity": "Medium"
+  },
+  "CVE-2019-13619": {
+    "id": "CVE-2019-13619",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13619",
+    "severity": "High"
+  },
+  "CVE-2023-51713": {
+    "id": "CVE-2023-51713",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51713",
+    "severity": "High"
+  },
+  "CVE-2022-3491": {
+    "id": "CVE-2022-3491",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3491",
+    "severity": "High"
+  },
+  "CVE-2024-26595": {
+    "id": "CVE-2024-26595",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26595",
+    "severity": "Medium"
+  },
+  "CVE-2024-37894": {
+    "id": "CVE-2024-37894",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37894",
+    "severity": "Medium"
+  },
+  "CVE-2021-36976": {
+    "id": "CVE-2021-36976",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36976",
+    "severity": "Medium"
+  },
+  "CVE-2022-2132": {
+    "id": "CVE-2022-2132",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2132",
+    "severity": "High"
+  },
+  "CVE-2024-26141": {
+    "id": "CVE-2024-26141",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26141",
+    "severity": "High"
+  },
+  "CVE-2024-21742": {
+    "id": "CVE-2024-21742",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21742",
+    "severity": "Medium"
+  },
+  "CVE-2023-38712": {
+    "id": "CVE-2023-38712",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38712",
+    "severity": "Medium"
+  },
+  "CVE-2023-38037": {
+    "id": "CVE-2023-38037",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38037",
+    "severity": "Low"
+  },
+  "CVE-2023-31975": {
+    "id": "CVE-2023-31975",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31975",
+    "severity": "Low"
+  },
+  "CVE-2016-5007": {
+    "id": "CVE-2016-5007",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5007",
+    "severity": "High"
+  },
+  "CVE-2020-27830": {
+    "id": "CVE-2020-27830",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27830",
+    "severity": "High"
+  },
+  "CVE-2024-21094": {
+    "id": "CVE-2024-21094",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21094",
+    "severity": "Low"
+  },
+  "CVE-2023-0433": {
+    "id": "CVE-2023-0433",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0433",
+    "severity": "High"
+  },
+  "CVE-2024-3019": {
+    "id": "CVE-2024-3019",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3019",
+    "severity": "High"
+  },
+  "CVE-2023-4387": {
+    "id": "CVE-2023-4387",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4387",
+    "severity": "High"
+  },
+  "CVE-2024-22099": {
+    "id": "CVE-2024-22099",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22099",
+    "severity": "High"
+  },
+  "CVE-2024-38601": {
+    "id": "CVE-2024-38601",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38601",
+    "severity": "Medium"
+  },
+  "CVE-2020-13114": {
+    "id": "CVE-2020-13114",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13114",
+    "severity": "High"
+  },
+  "CVE-2020-11762": {
+    "id": "CVE-2020-11762",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11762",
+    "severity": "Medium"
+  },
+  "CVE-2021-3748": {
+    "id": "CVE-2021-3748",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3748",
+    "severity": "High"
+  },
+  "CVE-2021-28153": {
+    "id": "CVE-2021-28153",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28153",
+    "severity": "Medium"
+  },
+  "CVE-2023-1382": {
+    "id": "CVE-2023-1382",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1382",
+    "severity": "Medium"
+  },
+  "CVE-2021-30560": {
+    "id": "CVE-2021-30560",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30560",
+    "severity": "High"
+  },
+  "CVE-2021-39293": {
+    "id": "CVE-2021-39293",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39293",
+    "severity": "High"
+  },
+  "CVE-2024-6126": {
+    "id": "CVE-2024-6126",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6126",
+    "severity": "Low"
+  },
+  "CVE-2020-11988": {
+    "id": "CVE-2020-11988",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11988",
+    "severity": "High"
+  },
+  "CVE-2023-33201": {
+    "id": "CVE-2023-33201",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33201",
+    "severity": "Low"
+  },
+  "CVE-2023-35828": {
+    "id": "CVE-2023-35828",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35828",
+    "severity": "Medium"
+  },
+  "CVE-2022-2735": {
+    "id": "CVE-2022-2735",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2735",
+    "severity": "High"
+  },
+  "CVE-2023-20900": {
+    "id": "CVE-2023-20900",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20900",
+    "severity": "Low"
+  },
+  "CVE-2023-37369": {
+    "id": "CVE-2023-37369",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369",
+    "severity": "High"
+  },
+  "CVE-2021-31348": {
+    "id": "CVE-2021-31348",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31348",
+    "severity": "Medium"
+  },
+  "CVE-2023-4623": {
+    "id": "CVE-2023-4623",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4623",
+    "severity": "High"
+  },
+  "CVE-2021-23240": {
+    "id": "CVE-2021-23240",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23240",
+    "severity": "High"
+  },
+  "CVE-2020-17489": {
+    "id": "CVE-2020-17489",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17489",
+    "severity": "Medium"
+  },
+  "CVE-2022-29599": {
+    "id": "CVE-2022-29599",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29599",
+    "severity": "Critical"
+  },
+  "CVE-2022-4415": {
+    "id": "CVE-2022-4415",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4415",
+    "severity": "Medium"
+  },
+  "CVE-2023-1513": {
+    "id": "CVE-2023-1513",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1513",
+    "severity": "Medium"
+  },
+  "CVE-2024-4855": {
+    "id": "CVE-2024-4855",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4855",
+    "severity": "Medium"
+  },
+  "CVE-2023-32251": {
+    "id": "CVE-2023-32251",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32251",
+    "severity": "Medium"
+  },
+  "CVE-2022-29486": {
+    "id": "CVE-2022-29486",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29486",
+    "severity": "Critical"
+  },
+  "CVE-2021-21290": {
+    "id": "CVE-2021-21290",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21290",
+    "severity": "Medium"
+  },
+  "CVE-2024-40997": {
+    "id": "CVE-2024-40997",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40997",
+    "severity": "Medium"
+  },
+  "CVE-2022-22942": {
+    "id": "CVE-2022-22942",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22942",
+    "severity": "High"
+  },
+  "CVE-2023-27538": {
+    "id": "CVE-2023-27538",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27538",
+    "severity": "Medium"
+  },
+  "CVE-2023-30772": {
+    "id": "CVE-2023-30772",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30772",
+    "severity": "Medium"
+  },
+  "CVE-2022-2521": {
+    "id": "CVE-2022-2521",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2521",
+    "severity": "Medium"
+  },
+  "CVE-2022-48565": {
+    "id": "CVE-2022-48565",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48565",
+    "severity": "Critical"
+  },
+  "CVE-2022-1280": {
+    "id": "CVE-2022-1280",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1280",
+    "severity": "Critical"
+  },
+  "CVE-2021-22885": {
+    "id": "CVE-2021-22885",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22885",
+    "severity": "High"
+  },
+  "CVE-2024-28835": {
+    "id": "CVE-2024-28835",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28835",
+    "severity": "Medium"
+  },
+  "CVE-2021-3487": {
+    "id": "CVE-2021-3487",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3487",
+    "severity": "Medium"
+  },
+  "CVE-2023-5717": {
+    "id": "CVE-2023-5717",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5717",
+    "severity": "Medium"
+  },
+  "CVE-2024-38428": {
+    "id": "CVE-2024-38428",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38428",
+    "severity": "Medium"
+  },
+  "CVE-2021-0561": {
+    "id": "CVE-2021-0561",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0561",
+    "severity": "Medium"
+  },
+  "CVE-2022-48759": {
+    "id": "CVE-2022-48759",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48759",
+    "severity": "Low"
+  },
+  "CVE-2023-7104": {
+    "id": "CVE-2023-7104",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7104",
+    "severity": "Medium"
+  },
+  "CVE-2019-3828": {
+    "id": "CVE-2019-3828",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3828",
+    "severity": "Medium"
+  },
+  "CVE-2024-27398": {
+    "id": "CVE-2024-27398",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27398",
+    "severity": "Low"
+  },
+  "CVE-2021-29477": {
+    "id": "CVE-2021-29477",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29477",
+    "severity": "High"
+  },
+  "CVE-2024-0727": {
+    "id": "CVE-2024-0727",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727",
+    "severity": "High"
+  },
+  "CVE-2021-20193": {
+    "id": "CVE-2021-20193",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20193",
+    "severity": "Medium"
+  },
+  "CVE-2021-4202": {
+    "id": "CVE-2021-4202",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4202",
+    "severity": "Medium"
+  },
+  "CVE-2022-43548": {
+    "id": "CVE-2022-43548",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43548",
+    "severity": "High"
+  },
+  "CVE-2020-2806": {
+    "id": "CVE-2020-2806",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2806",
+    "severity": "Medium"
+  },
+  "CVE-2022-1622": {
+    "id": "CVE-2022-1622",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1622",
+    "severity": "Medium"
+  },
+  "CVE-2020-26575": {
+    "id": "CVE-2020-26575",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26575",
+    "severity": "High"
+  },
+  "CVE-2021-36386": {
+    "id": "CVE-2021-36386",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36386",
+    "severity": "High"
+  },
+  "CVE-2023-52076": {
+    "id": "CVE-2023-52076",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52076",
+    "severity": "High"
+  },
+  "CVE-2020-27748": {
+    "id": "CVE-2020-27748",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27748",
+    "severity": "Medium"
+  },
+  "CVE-2024-39489": {
+    "id": "CVE-2024-39489",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39489",
+    "severity": "Low"
+  },
+  "CVE-2021-33391": {
+    "id": "CVE-2021-33391",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33391",
+    "severity": "Critical"
+  },
+  "CVE-2022-20792": {
+    "id": "CVE-2022-20792",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20792",
+    "severity": "High"
+  },
+  "CVE-2023-23969": {
+    "id": "CVE-2023-23969",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23969",
+    "severity": "High"
+  },
+  "CVE-2022-41556": {
+    "id": "CVE-2022-41556",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41556",
+    "severity": "High"
+  },
+  "CVE-2022-45047": {
+    "id": "CVE-2022-45047",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
+    "severity": "Critical"
+  },
+  "CVE-2022-29217": {
+    "id": "CVE-2022-29217",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29217",
+    "severity": "High"
+  },
+  "CVE-2023-46847": {
+    "id": "CVE-2023-46847",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46847",
+    "severity": "Critical"
+  },
+  "CVE-2024-5564": {
+    "id": "CVE-2024-5564",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5564",
+    "severity": "High"
+  },
+  "CVE-2022-0529": {
+    "id": "CVE-2022-0529",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0529",
+    "severity": "High"
+  },
+  "CVE-2021-20304": {
+    "id": "CVE-2021-20304",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20304",
+    "severity": "Medium"
+  },
+  "CVE-2023-49502": {
+    "id": "CVE-2023-49502",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49502",
+    "severity": "High"
+  },
+  "CVE-2022-1587": {
+    "id": "CVE-2022-1587",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1587",
+    "severity": "Critical"
+  },
+  "CVE-2022-4696": {
+    "id": "CVE-2022-4696",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4696",
+    "severity": "High"
+  },
+  "CVE-2023-4004": {
+    "id": "CVE-2023-4004",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4004",
+    "severity": "High"
+  },
+  "CVE-2024-27437": {
+    "id": "CVE-2024-27437",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27437",
+    "severity": "Medium"
+  },
+  "CVE-2022-36109": {
+    "id": "CVE-2022-36109",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36109",
+    "severity": "Medium"
+  },
+  "CVE-2022-43552": {
+    "id": "CVE-2022-43552",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43552",
+    "severity": "Medium"
+  },
+  "CVE-2022-4743": {
+    "id": "CVE-2022-4743",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4743",
+    "severity": "High"
+  },
+  "CVE-2022-41903": {
+    "id": "CVE-2022-41903",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41903",
+    "severity": "Critical"
+  },
+  "CVE-2023-23916": {
+    "id": "CVE-2023-23916",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23916",
+    "severity": "Medium"
+  },
+  "CVE-2023-38288": {
+    "id": "CVE-2023-38288",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38288",
+    "severity": "Low"
+  },
+  "CVE-2022-28506": {
+    "id": "CVE-2022-28506",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28506",
+    "severity": "High"
+  },
+  "CVE-2023-22497": {
+    "id": "CVE-2023-22497",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22497",
+    "severity": "Critical"
+  },
+  "CVE-2024-26306": {
+    "id": "CVE-2024-26306",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26306",
+    "severity": "Low"
+  },
+  "CVE-2020-12695": {
+    "id": "CVE-2020-12695",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12695",
+    "severity": "High"
+  },
+  "CVE-2023-46052": {
+    "id": "CVE-2023-46052",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46052",
+    "severity": "Low"
+  },
+  "CVE-2020-35524": {
+    "id": "CVE-2020-35524",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35524",
+    "severity": "Medium"
+  },
+  "CVE-2020-8151": {
+    "id": "CVE-2020-8151",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8151",
+    "severity": "High"
+  },
+  "CVE-2020-8162": {
+    "id": "CVE-2020-8162",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8162",
+    "severity": "Critical"
+  },
+  "CVE-2024-39301": {
+    "id": "CVE-2024-39301",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39301",
+    "severity": "Low"
+  },
+  "CVE-2021-22884": {
+    "id": "CVE-2021-22884",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22884",
+    "severity": "High"
+  },
+  "CVE-2023-38470": {
+    "id": "CVE-2023-38470",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38470",
+    "severity": "Medium"
+  },
+  "CVE-2023-26604": {
+    "id": "CVE-2023-26604",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26604",
+    "severity": "High"
+  },
+  "CVE-2021-3448": {
+    "id": "CVE-2021-3448",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3448",
+    "severity": "Low"
+  },
+  "CVE-2024-27285": {
+    "id": "CVE-2024-27285",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27285",
+    "severity": "Medium"
+  },
+  "CVE-2020-29363": {
+    "id": "CVE-2020-29363",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29363",
+    "severity": "High"
+  },
+  "CVE-2020-27216": {
+    "id": "CVE-2020-27216",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27216",
+    "severity": "High"
+  },
+  "CVE-2023-34475": {
+    "id": "CVE-2023-34475",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34475",
+    "severity": "Medium"
+  },
+  "CVE-2023-38633": {
+    "id": "CVE-2023-38633",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38633",
+    "severity": "Medium"
+  },
+  "CVE-2023-25173": {
+    "id": "CVE-2023-25173",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25173",
+    "severity": "Medium"
+  },
+  "CVE-2021-35597": {
+    "id": "CVE-2021-35597",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35597",
+    "severity": "Medium"
+  },
+  "CVE-2021-33813": {
+    "id": "CVE-2021-33813",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33813",
+    "severity": "High"
+  },
+  "CVE-2023-30570": {
+    "id": "CVE-2023-30570",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30570",
+    "severity": "High"
+  },
+  "CVE-2022-3970": {
+    "id": "CVE-2022-3970",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3970",
+    "severity": "Critical"
+  },
+  "CVE-2022-4283": {
+    "id": "CVE-2022-4283",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4283",
+    "severity": "High"
+  },
+  "CVE-2020-25219": {
+    "id": "CVE-2020-25219",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25219",
+    "severity": "High"
+  },
+  "CVE-2023-7192": {
+    "id": "CVE-2023-7192",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7192",
+    "severity": "Medium"
+  },
+  "CVE-2024-1086": {
+    "id": "CVE-2024-1086",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1086",
+    "severity": "High"
+  },
+  "CVE-2021-33646": {
+    "id": "CVE-2021-33646",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33646",
+    "severity": "Low"
+  },
+  "CVE-2023-6918": {
+    "id": "CVE-2023-6918",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6918",
+    "severity": "Medium"
+  },
+  "CVE-2020-25969": {
+    "id": "CVE-2020-25969",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25969",
+    "severity": "Critical"
+  },
+  "CVE-2023-1393": {
+    "id": "CVE-2023-1393",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1393",
+    "severity": "High"
+  },
+  "CVE-2021-3185": {
+    "id": "CVE-2021-3185",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3185",
+    "severity": "Critical"
+  },
+  "CVE-2022-24903": {
+    "id": "CVE-2022-24903",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24903",
+    "severity": "High"
+  },
+  "CVE-2022-35252": {
+    "id": "CVE-2022-35252",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35252",
+    "severity": "Low"
+  },
+  "CVE-2019-17177": {
+    "id": "CVE-2019-17177",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17177",
+    "severity": "Low"
+  },
+  "CVE-2022-3627": {
+    "id": "CVE-2022-3627",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3627",
+    "severity": "Critical"
+  },
+  "CVE-2022-2520": {
+    "id": "CVE-2022-2520",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2520",
+    "severity": "Medium"
+  },
+  "CVE-2023-5341": {
+    "id": "CVE-2023-5341",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5341",
+    "severity": "Medium"
+  },
+  "CVE-2021-38160": {
+    "id": "CVE-2021-38160",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38160",
+    "severity": "Medium"
+  },
+  "CVE-2019-18874": {
+    "id": "CVE-2019-18874",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18874",
+    "severity": "High"
+  },
+  "CVE-2021-33642": {
+    "id": "CVE-2021-33642",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33642",
+    "severity": "Low"
+  },
+  "CVE-2021-23358": {
+    "id": "CVE-2021-23358",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23358",
+    "severity": "High"
+  },
+  "CVE-2021-3611": {
+    "id": "CVE-2021-3611",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3611",
+    "severity": "Medium"
+  },
+  "CVE-2021-22960": {
+    "id": "CVE-2021-22960",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22960",
+    "severity": "Medium"
+  },
+  "CVE-2022-38349": {
+    "id": "CVE-2022-38349",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38349",
+    "severity": "High"
+  },
+  "CVE-2023-0922": {
+    "id": "CVE-2023-0922",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0922",
+    "severity": "Medium"
+  },
+  "CVE-2024-36950": {
+    "id": "CVE-2024-36950",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36950",
+    "severity": "Medium"
+  },
+  "CVE-2023-45802": {
+    "id": "CVE-2023-45802",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45802",
+    "severity": "Critical"
+  },
+  "CVE-2021-45417": {
+    "id": "CVE-2021-45417",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45417",
+    "severity": "High"
+  },
+  "CVE-2022-3755": {
+    "id": "CVE-2022-3755",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3755",
+    "severity": "Medium"
+  },
+  "CVE-2021-36221": {
+    "id": "CVE-2021-36221",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36221",
+    "severity": "High"
+  },
+  "CVE-2023-22809": {
+    "id": "CVE-2023-22809",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22809",
+    "severity": "High"
+  },
+  "CVE-2020-7663": {
+    "id": "CVE-2020-7663",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7663",
+    "severity": "High"
+  },
+  "CVE-2022-0547": {
+    "id": "CVE-2022-0547",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0547",
+    "severity": "Critical"
+  },
+  "CVE-2020-15522": {
+    "id": "CVE-2020-15522",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15522",
+    "severity": "Medium"
+  },
+  "CVE-2023-34151": {
+    "id": "CVE-2023-34151",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34151",
+    "severity": "Medium"
+  },
+  "CVE-2023-2731": {
+    "id": "CVE-2023-2731",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2731",
+    "severity": "Medium"
+  },
+  "CVE-2022-3352": {
+    "id": "CVE-2022-3352",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3352",
+    "severity": "High"
+  },
+  "CVE-2022-32149": {
+    "id": "CVE-2022-32149",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32149",
+    "severity": "High"
+  },
+  "CVE-2021-20208": {
+    "id": "CVE-2021-20208",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20208",
+    "severity": "Medium"
+  },
+  "CVE-2022-40307": {
+    "id": "CVE-2022-40307",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40307",
+    "severity": "Medium"
+  },
+  "CVE-2021-23017": {
+    "id": "CVE-2021-23017",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23017",
+    "severity": "Critical"
+  },
+  "CVE-2024-3096": {
+    "id": "CVE-2024-3096",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3096",
+    "severity": "Medium"
+  },
+  "CVE-2019-3820": {
+    "id": "CVE-2019-3820",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3820",
+    "severity": "Medium"
+  },
+  "CVE-2020-27225": {
+    "id": "CVE-2020-27225",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27225",
+    "severity": "High"
+  },
+  "CVE-2023-24537": {
+    "id": "CVE-2023-24537",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24537",
+    "severity": "High"
+  },
+  "CVE-2022-4603": {
+    "id": "CVE-2022-4603",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4603",
+    "severity": "High"
+  },
+  "CVE-2023-39417": {
+    "id": "CVE-2023-39417",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39417",
+    "severity": "High"
+  },
+  "CVE-2020-29651": {
+    "id": "CVE-2020-29651",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29651",
+    "severity": "High"
+  },
+  "CVE-2022-20369": {
+    "id": "CVE-2022-20369",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20369",
+    "severity": "Medium"
+  },
+  "CVE-2021-21381": {
+    "id": "CVE-2021-21381",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21381",
+    "severity": "High"
+  },
+  "CVE-2020-14312": {
+    "id": "CVE-2020-14312",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14312",
+    "severity": "Medium"
+  },
+  "CVE-2023-1193": {
+    "id": "CVE-2023-1193",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1193",
+    "severity": "Medium"
+  },
+  "CVE-2024-36960": {
+    "id": "CVE-2024-36960",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36960",
+    "severity": "Medium"
+  },
+  "CVE-2022-41946": {
+    "id": "CVE-2022-41946",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41946",
+    "severity": "Medium"
+  },
+  "CVE-2019-1020001": {
+    "id": "CVE-2019-1020001",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1020001",
+    "severity": "High"
+  },
+  "CVE-2021-22922": {
+    "id": "CVE-2021-22922",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22922",
+    "severity": "Medium"
+  },
+  "CVE-2020-25678": {
+    "id": "CVE-2020-25678",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25678",
+    "severity": "Medium"
+  },
+  "CVE-2023-4875": {
+    "id": "CVE-2023-4875",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4875",
+    "severity": "Medium"
+  },
+  "CVE-2023-3019": {
+    "id": "CVE-2023-3019",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3019",
+    "severity": "Medium"
+  },
+  "CVE-2020-14154": {
+    "id": "CVE-2020-14154",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14154",
+    "severity": "Medium"
+  },
+  "CVE-2022-2343": {
+    "id": "CVE-2022-2343",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2343",
+    "severity": "Critical"
+  },
+  "CVE-2024-3154": {
+    "id": "CVE-2024-3154",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3154",
+    "severity": "High"
+  },
+  "CVE-2024-26627": {
+    "id": "CVE-2024-26627",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26627",
+    "severity": "High"
+  },
+  "CVE-2023-0494": {
+    "id": "CVE-2023-0494",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0494",
+    "severity": "High"
+  },
+  "CVE-2021-41159": {
+    "id": "CVE-2021-41159",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41159",
+    "severity": "Critical"
+  },
+  "CVE-2021-34428": {
+    "id": "CVE-2021-34428",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34428",
+    "severity": "Low"
+  },
+  "CVE-2023-2861": {
+    "id": "CVE-2023-2861",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2861",
+    "severity": "High"
+  },
+  "CVE-2021-3200": {
+    "id": "CVE-2021-3200",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3200",
+    "severity": "Medium"
+  },
+  "CVE-2021-3979": {
+    "id": "CVE-2021-3979",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3979",
+    "severity": "Medium"
+  },
+  "CVE-2022-3725": {
+    "id": "CVE-2022-3725",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3725",
+    "severity": "High"
+  },
+  "CVE-2021-32492": {
+    "id": "CVE-2021-32492",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32492",
+    "severity": "High"
+  },
+  "CVE-2021-3630": {
+    "id": "CVE-2021-3630",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3630",
+    "severity": "Medium"
+  },
+  "CVE-2023-6478": {
+    "id": "CVE-2023-6478",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6478",
+    "severity": "High"
+  },
+  "CVE-2018-1311": {
+    "id": "CVE-2018-1311",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1311",
+    "severity": "High"
+  },
+  "CVE-2023-3758": {
+    "id": "CVE-2023-3758",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3758",
+    "severity": "High"
+  },
+  "CVE-2019-16707": {
+    "id": "CVE-2019-16707",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16707",
+    "severity": "Medium"
+  },
+  "CVE-2023-32067": {
+    "id": "CVE-2023-32067",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32067",
+    "severity": "High"
+  },
+  "CVE-2022-23305": {
+    "id": "CVE-2022-23305",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305",
+    "severity": "Critical"
+  },
+  "CVE-2021-44906": {
+    "id": "CVE-2021-44906",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906",
+    "severity": "Medium"
+  },
+  "CVE-2024-37371": {
+    "id": "CVE-2024-37371",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37371",
+    "severity": "None"
+  },
+  "CVE-2020-13529": {
+    "id": "CVE-2020-13529",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13529",
+    "severity": "Medium"
+  },
+  "CVE-2021-43527": {
+    "id": "CVE-2021-43527",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43527",
+    "severity": "Critical"
+  },
+  "CVE-2021-3975": {
+    "id": "CVE-2021-3975",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3975",
+    "severity": "Medium"
+  },
+  "CVE-2019-10063": {
+    "id": "CVE-2019-10063",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10063",
+    "severity": "High"
+  },
+  "CVE-2023-4147": {
+    "id": "CVE-2023-4147",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4147",
+    "severity": "Medium"
+  },
+  "CVE-2021-37714": {
+    "id": "CVE-2021-37714",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37714",
+    "severity": "High"
+  },
+  "CVE-2022-41854": {
+    "id": "CVE-2022-41854",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41854",
+    "severity": "High"
+  },
+  "CVE-2024-38625": {
+    "id": "CVE-2024-38625",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38625",
+    "severity": "Medium"
+  },
+  "CVE-2023-41915": {
+    "id": "CVE-2023-41915",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41915",
+    "severity": "High"
+  },
+  "CVE-2024-21506": {
+    "id": "CVE-2024-21506",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21506",
+    "severity": "Medium"
+  },
+  "CVE-2023-1370": {
+    "id": "CVE-2023-1370",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1370",
+    "severity": "High"
+  },
+  "CVE-2023-27371": {
+    "id": "CVE-2023-27371",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27371",
+    "severity": "High"
+  },
+  "CVE-2022-46908": {
+    "id": "CVE-2022-46908",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46908",
+    "severity": "Critical"
+  },
+  "CVE-2021-0938": {
+    "id": "CVE-2021-0938",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0938",
+    "severity": "Low"
+  },
+  "CVE-2022-45693": {
+    "id": "CVE-2022-45693",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
+    "severity": "High"
+  },
+  "CVE-2020-16119": {
+    "id": "CVE-2020-16119",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16119",
+    "severity": "Medium"
+  },
+  "CVE-2022-24921": {
+    "id": "CVE-2022-24921",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24921",
+    "severity": "High"
+  },
+  "CVE-2023-22049": {
+    "id": "CVE-2023-22049",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22049",
+    "severity": "High"
+  },
+  "CVE-2022-24303": {
+    "id": "CVE-2022-24303",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24303",
+    "severity": "Medium"
+  },
+  "CVE-2024-35801": {
+    "id": "CVE-2024-35801",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35801",
+    "severity": "Medium"
+  },
+  "CVE-2022-23806": {
+    "id": "CVE-2022-23806",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23806",
+    "severity": "High"
+  },
+  "CVE-2021-27365": {
+    "id": "CVE-2021-27365",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27365",
+    "severity": "Medium"
+  },
+  "CVE-2023-46137": {
+    "id": "CVE-2023-46137",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46137",
+    "severity": "Medium"
+  },
+  "CVE-2023-1859": {
+    "id": "CVE-2023-1859",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1859",
+    "severity": "Medium"
+  },
+  "CVE-2023-28366": {
+    "id": "CVE-2023-28366",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28366",
+    "severity": "High"
+  },
+  "CVE-2024-20921": {
+    "id": "CVE-2024-20921",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20921",
+    "severity": "Medium"
+  },
+  "CVE-2024-25580": {
+    "id": "CVE-2024-25580",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25580",
+    "severity": "Low"
+  },
+  "CVE-2021-37530": {
+    "id": "CVE-2021-37530",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37530",
+    "severity": "Medium"
+  },
+  "CVE-2019-10172": {
+    "id": "CVE-2019-10172",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10172",
+    "severity": "High"
+  },
+  "CVE-2023-4622": {
+    "id": "CVE-2023-4622",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4622",
+    "severity": "High"
+  },
+  "CVE-2020-22219": {
+    "id": "CVE-2020-22219",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-22219",
+    "severity": "Critical"
+  },
+  "CVE-2024-35997": {
+    "id": "CVE-2024-35997",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35997",
+    "severity": "Medium"
+  },
+  "CVE-2023-2091": {
+    "id": "CVE-2023-2091",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2091",
+    "severity": "High"
+  },
+  "CVE-2022-23959": {
+    "id": "CVE-2022-23959",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23959",
+    "severity": "Critical"
+  },
+  "CVE-2020-21528": {
+    "id": "CVE-2020-21528",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-21528",
+    "severity": "Medium"
+  },
+  "CVE-2021-3178": {
+    "id": "CVE-2021-3178",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3178",
+    "severity": "High"
+  },
+  "CVE-2023-36053": {
+    "id": "CVE-2023-36053",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36053",
+    "severity": "High"
+  },
+  "CVE-2023-33285": {
+    "id": "CVE-2023-33285",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285",
+    "severity": "Medium"
+  },
+  "CVE-2022-1050": {
+    "id": "CVE-2022-1050",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1050",
+    "severity": "High"
+  },
+  "CVE-2022-3016": {
+    "id": "CVE-2022-3016",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3016",
+    "severity": "Medium"
+  },
+  "CVE-2022-0358": {
+    "id": "CVE-2022-0358",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0358",
+    "severity": "Medium"
+  },
+  "CVE-2024-24557": {
+    "id": "CVE-2024-24557",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24557",
+    "severity": "High"
+  },
+  "CVE-2023-22998": {
+    "id": "CVE-2023-22998",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22998",
+    "severity": "Medium"
+  },
+  "CVE-2022-44640": {
+    "id": "CVE-2022-44640",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44640",
+    "severity": "High"
+  },
+  "CVE-2023-38473": {
+    "id": "CVE-2023-38473",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38473",
+    "severity": "Medium"
+  },
+  "CVE-2023-45935": {
+    "id": "CVE-2023-45935",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45935",
+    "severity": "Low"
+  },
+  "CVE-2024-23638": {
+    "id": "CVE-2024-23638",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23638",
+    "severity": "Medium"
+  },
+  "CVE-2023-45866": {
+    "id": "CVE-2023-45866",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45866",
+    "severity": "High"
+  },
+  "CVE-2022-40304": {
+    "id": "CVE-2022-40304",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40304",
+    "severity": "High"
+  },
+  "CVE-2022-39957": {
+    "id": "CVE-2022-39957",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39957",
+    "severity": "High"
+  },
+  "CVE-2021-3682": {
+    "id": "CVE-2021-3682",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3682",
+    "severity": "Critical"
+  },
+  "CVE-2022-23990": {
+    "id": "CVE-2022-23990",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23990",
+    "severity": "Critical"
+  },
+  "CVE-2021-21261": {
+    "id": "CVE-2021-21261",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21261",
+    "severity": "High"
+  },
+  "CVE-2021-21708": {
+    "id": "CVE-2021-21708",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21708",
+    "severity": "Critical"
+  },
+  "CVE-2021-32617": {
+    "id": "CVE-2021-32617",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32617",
+    "severity": "Low"
+  },
+  "CVE-2021-44647": {
+    "id": "CVE-2021-44647",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44647",
+    "severity": "Critical"
+  },
+  "CVE-2022-29824": {
+    "id": "CVE-2022-29824",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29824",
+    "severity": "High"
+  },
+  "CVE-2023-31486": {
+    "id": "CVE-2023-31486",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31486",
+    "severity": "High"
+  },
+  "CVE-2023-1998": {
+    "id": "CVE-2023-1998",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1998",
+    "severity": "Medium"
+  },
+  "CVE-2023-25399": {
+    "id": "CVE-2023-25399",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25399",
+    "severity": "Medium"
+  },
+  "CVE-2022-31628": {
+    "id": "CVE-2022-31628",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31628",
+    "severity": "Medium"
+  },
+  "CVE-2021-43566": {
+    "id": "CVE-2021-43566",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43566",
+    "severity": "Low"
+  },
+  "CVE-2021-23840": {
+    "id": "CVE-2021-23840",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23840",
+    "severity": "High"
+  },
+  "CVE-2023-48161": {
+    "id": "CVE-2023-48161",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48161",
+    "severity": "High"
+  },
+  "CVE-2023-29469": {
+    "id": "CVE-2023-29469",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29469",
+    "severity": "Medium"
+  },
+  "CVE-2020-11810": {
+    "id": "CVE-2020-11810",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11810",
+    "severity": "Low"
+  },
+  "CVE-2021-33657": {
+    "id": "CVE-2021-33657",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33657",
+    "severity": "High"
+  },
+  "CVE-2024-24784": {
+    "id": "CVE-2024-24784",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24784",
+    "severity": "High"
+  },
+  "CVE-2022-32746": {
+    "id": "CVE-2022-32746",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32746",
+    "severity": "Medium"
+  },
+  "CVE-2022-44730": {
+    "id": "CVE-2022-44730",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44730",
+    "severity": "Medium"
+  },
+  "CVE-2024-21102": {
+    "id": "CVE-2024-21102",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21102",
+    "severity": "Medium"
+  },
+  "CVE-2024-21733": {
+    "id": "CVE-2024-21733",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21733",
+    "severity": "High"
+  },
+  "CVE-2023-5156": {
+    "id": "CVE-2023-5156",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5156",
+    "severity": "High"
+  },
+  "CVE-2023-3195": {
+    "id": "CVE-2023-3195",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3195",
+    "severity": "Medium"
+  },
+  "CVE-2021-22924": {
+    "id": "CVE-2021-22924",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22924",
+    "severity": "Medium"
+  },
+  "CVE-2024-36917": {
+    "id": "CVE-2024-36917",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36917",
+    "severity": "Medium"
+  },
+  "CVE-2023-5157": {
+    "id": "CVE-2023-5157",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5157",
+    "severity": "High"
+  },
+  "CVE-2019-17567": {
+    "id": "CVE-2019-17567",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17567",
+    "severity": "Medium"
+  },
+  "CVE-2023-0798": {
+    "id": "CVE-2023-0798",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0798",
+    "severity": "Medium"
+  },
+  "CVE-2021-3640": {
+    "id": "CVE-2021-3640",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3640",
+    "severity": "Low"
+  },
+  "CVE-2021-23437": {
+    "id": "CVE-2021-23437",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23437",
+    "severity": "High"
+  },
+  "CVE-2021-47545": {
+    "id": "CVE-2021-47545",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47545",
+    "severity": "Medium"
+  },
+  "CVE-2023-51074": {
+    "id": "CVE-2023-51074",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51074",
+    "severity": "Medium"
+  },
+  "CVE-2023-6546": {
+    "id": "CVE-2023-6546",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6546",
+    "severity": "High"
+  },
+  "CVE-2019-16892": {
+    "id": "CVE-2019-16892",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16892",
+    "severity": "Medium"
+  },
+  "CVE-2022-48279": {
+    "id": "CVE-2022-48279",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48279",
+    "severity": "High"
+  },
+  "CVE-2021-46854": {
+    "id": "CVE-2021-46854",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46854",
+    "severity": "High"
+  },
+  "CVE-2022-1462": {
+    "id": "CVE-2022-1462",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1462",
+    "severity": "Medium"
+  },
+  "CVE-2024-39292": {
+    "id": "CVE-2024-39292",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39292",
+    "severity": "High"
+  },
+  "CVE-2022-37290": {
+    "id": "CVE-2022-37290",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37290",
+    "severity": "Medium"
+  },
+  "CVE-2020-14954": {
+    "id": "CVE-2020-14954",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14954",
+    "severity": "Medium"
+  },
+  "CVE-2023-36054": {
+    "id": "CVE-2023-36054",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36054",
+    "severity": "Medium"
+  },
+  "CVE-2023-28370": {
+    "id": "CVE-2023-28370",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28370",
+    "severity": "Medium"
+  },
+  "CVE-2023-31130": {
+    "id": "CVE-2023-31130",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31130",
+    "severity": "Medium"
+  },
+  "CVE-2022-1925": {
+    "id": "CVE-2022-1925",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1925",
+    "severity": "High"
+  },
+  "CVE-2024-2494": {
+    "id": "CVE-2024-2494",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2494",
+    "severity": "Medium"
+  },
+  "CVE-2023-39325": {
+    "id": "CVE-2023-39325",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39325",
+    "severity": "Medium"
+  },
+  "CVE-2023-3824": {
+    "id": "CVE-2023-3824",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3824",
+    "severity": "High"
+  },
+  "CVE-2022-28735": {
+    "id": "CVE-2022-28735",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28735",
+    "severity": "High"
+  },
+  "CVE-2023-22796": {
+    "id": "CVE-2023-22796",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22796",
+    "severity": "High"
+  },
+  "CVE-2023-40660": {
+    "id": "CVE-2023-40660",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40660",
+    "severity": "Medium"
+  },
+  "CVE-2021-45944": {
+    "id": "CVE-2021-45944",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45944",
+    "severity": "Medium"
+  },
+  "CVE-2023-49100": {
+    "id": "CVE-2023-49100",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49100",
+    "severity": "High"
+  },
+  "CVE-2023-1729": {
+    "id": "CVE-2023-1729",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1729",
+    "severity": "Low"
+  },
+  "CVE-2021-27212": {
+    "id": "CVE-2021-27212",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27212",
+    "severity": "High"
+  },
+  "CVE-2014-10402": {
+    "id": "CVE-2014-10402",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-10402",
+    "severity": "Medium"
+  },
+  "CVE-2020-35457": {
+    "id": "CVE-2020-35457",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35457",
+    "severity": "High"
+  },
+  "CVE-2023-32409": {
+    "id": "CVE-2023-32409",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32409",
+    "severity": "High"
+  },
+  "CVE-2022-21166": {
+    "id": "CVE-2022-21166",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21166",
+    "severity": "Medium"
+  },
+  "CVE-2020-12862": {
+    "id": "CVE-2020-12862",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12862",
+    "severity": "High"
+  },
+  "CVE-2020-11987": {
+    "id": "CVE-2020-11987",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11987",
+    "severity": "Medium"
+  },
+  "CVE-2024-26766": {
+    "id": "CVE-2024-26766",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26766",
+    "severity": "Low"
+  },
+  "CVE-2022-3437": {
+    "id": "CVE-2022-3437",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3437",
+    "severity": "Medium"
+  },
+  "CVE-2023-32001": {
+    "id": "CVE-2023-32001",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32001",
+    "severity": "Medium"
+  },
+  "CVE-2021-33909": {
+    "id": "CVE-2021-33909",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33909",
+    "severity": "High"
+  },
+  "CVE-2021-3802": {
+    "id": "CVE-2021-3802",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3802",
+    "severity": "Medium"
+  },
+  "CVE-2024-38517": {
+    "id": "CVE-2024-38517",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38517",
+    "severity": "High"
+  },
+  "CVE-2022-2663": {
+    "id": "CVE-2022-2663",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2663",
+    "severity": "Medium"
+  },
+  "CVE-2021-44575": {
+    "id": "CVE-2021-44575",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44575",
+    "severity": "Medium"
+  },
+  "CVE-2020-26259": {
+    "id": "CVE-2020-26259",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26259",
+    "severity": "High"
+  },
+  "CVE-2020-25085": {
+    "id": "CVE-2020-25085",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25085",
+    "severity": "Medium"
+  },
+  "CVE-2022-4292": {
+    "id": "CVE-2022-4292",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4292",
+    "severity": "Medium"
+  },
+  "CVE-2023-1999": {
+    "id": "CVE-2023-1999",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1999",
+    "severity": "Medium"
+  },
+  "CVE-2023-5344": {
+    "id": "CVE-2023-5344",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5344",
+    "severity": "High"
+  },
+  "CVE-2024-37891": {
+    "id": "CVE-2024-37891",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891",
+    "severity": "High"
+  },
+  "CVE-2021-3470": {
+    "id": "CVE-2021-3470",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3470",
+    "severity": "Medium"
+  },
+  "CVE-2022-2085": {
+    "id": "CVE-2022-2085",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2085",
+    "severity": "Medium"
+  },
+  "CVE-2012-2738": {
+    "id": "CVE-2012-2738",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2738",
+    "severity": "Medium"
+  },
+  "CVE-2024-1681": {
+    "id": "CVE-2024-1681",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1681",
+    "severity": "Medium"
+  },
+  "CVE-2021-20201": {
+    "id": "CVE-2021-20201",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20201",
+    "severity": "Medium"
+  },
+  "CVE-2022-1786": {
+    "id": "CVE-2022-1786",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1786",
+    "severity": "High"
+  },
+  "CVE-2021-40528": {
+    "id": "CVE-2021-40528",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40528",
+    "severity": "Medium"
+  },
+  "CVE-2021-38593": {
+    "id": "CVE-2021-38593",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593",
+    "severity": "High"
+  },
+  "CVE-2022-32325": {
+    "id": "CVE-2022-32325",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32325",
+    "severity": "Medium"
+  },
+  "CVE-2019-1010180": {
+    "id": "CVE-2019-1010180",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010180",
+    "severity": "High"
+  },
+  "CVE-2023-46751": {
+    "id": "CVE-2023-46751",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46751",
+    "severity": "High"
+  },
+  "CVE-2020-14928": {
+    "id": "CVE-2020-14928",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14928",
+    "severity": "Medium"
+  },
+  "CVE-2023-52730": {
+    "id": "CVE-2023-52730",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52730",
+    "severity": "Medium"
+  },
+  "CVE-2023-29405": {
+    "id": "CVE-2023-29405",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29405",
+    "severity": "Critical"
+  },
+  "CVE-2023-4273": {
+    "id": "CVE-2023-4273",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4273",
+    "severity": "High"
+  },
+  "CVE-2022-42896": {
+    "id": "CVE-2022-42896",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42896",
+    "severity": "Medium"
+  },
+  "CVE-2022-28737": {
+    "id": "CVE-2022-28737",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28737",
+    "severity": "High"
+  },
+  "CVE-2021-39226": {
+    "id": "CVE-2021-39226",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39226",
+    "severity": "Medium"
+  },
+  "CVE-2022-21682": {
+    "id": "CVE-2022-21682",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21682",
+    "severity": "Medium"
+  },
+  "CVE-2020-26247": {
+    "id": "CVE-2020-26247",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26247",
+    "severity": "Medium"
+  },
+  "CVE-2021-3498": {
+    "id": "CVE-2021-3498",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3498",
+    "severity": "High"
+  },
+  "CVE-2023-5557": {
+    "id": "CVE-2023-5557",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5557",
+    "severity": "High"
+  },
+  "CVE-2021-4185": {
+    "id": "CVE-2021-4185",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4185",
+    "severity": "Medium"
+  },
+  "CVE-2021-21409": {
+    "id": "CVE-2021-21409",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409",
+    "severity": "Medium"
+  },
+  "CVE-2023-49081": {
+    "id": "CVE-2023-49081",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49081",
+    "severity": "High"
+  },
+  "CVE-2024-26960": {
+    "id": "CVE-2024-26960",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26960",
+    "severity": "Medium"
+  },
+  "CVE-2020-25709": {
+    "id": "CVE-2020-25709",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25709",
+    "severity": "High"
+  },
+  "CVE-2022-22707": {
+    "id": "CVE-2022-22707",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22707",
+    "severity": "Medium"
+  },
+  "CVE-2022-27776": {
+    "id": "CVE-2022-27776",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27776",
+    "severity": "Low"
+  },
+  "CVE-2020-8184": {
+    "id": "CVE-2020-8184",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8184",
+    "severity": "Medium"
+  },
+  "CVE-2023-25193": {
+    "id": "CVE-2023-25193",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25193",
+    "severity": "High"
+  },
+  "CVE-2022-21341": {
+    "id": "CVE-2022-21341",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21341",
+    "severity": "Low"
+  },
+  "CVE-2020-36327": {
+    "id": "CVE-2020-36327",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36327",
+    "severity": "High"
+  },
+  "CVE-2020-15250": {
+    "id": "CVE-2020-15250",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15250",
+    "severity": "Medium"
+  },
+  "CVE-2023-44488": {
+    "id": "CVE-2023-44488",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44488",
+    "severity": "High"
+  },
+  "CVE-2020-36403": {
+    "id": "CVE-2020-36403",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36403",
+    "severity": "High"
+  },
+  "CVE-2023-39130": {
+    "id": "CVE-2023-39130",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39130",
+    "severity": "Medium"
+  },
+  "CVE-2022-2469": {
+    "id": "CVE-2022-2469",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2469",
+    "severity": "High"
+  },
+  "CVE-2023-27320": {
+    "id": "CVE-2023-27320",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27320",
+    "severity": "Low"
+  },
+  "CVE-2021-33294": {
+    "id": "CVE-2021-33294",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33294",
+    "severity": "Low"
+  },
+  "CVE-2023-5625": {
+    "id": "CVE-2023-5625",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5625",
+    "severity": "Medium"
+  },
+  "CVE-2022-47022": {
+    "id": "CVE-2022-47022",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47022",
+    "severity": "Critical"
+  },
+  "CVE-2023-5197": {
+    "id": "CVE-2023-5197",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5197",
+    "severity": "High"
+  },
+  "CVE-2023-28856": {
+    "id": "CVE-2023-28856",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28856",
+    "severity": "Medium"
+  },
+  "CVE-2024-24577": {
+    "id": "CVE-2024-24577",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24577",
+    "severity": "Critical"
+  },
+  "CVE-2023-3648": {
+    "id": "CVE-2023-3648",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3648",
+    "severity": "Medium"
+  },
+  "CVE-2019-2708": {
+    "id": "CVE-2019-2708",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-2708",
+    "severity": "Low"
+  },
+  "CVE-2021-28652": {
+    "id": "CVE-2021-28652",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28652",
+    "severity": "Medium"
+  },
+  "CVE-2022-43680": {
+    "id": "CVE-2022-43680",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43680",
+    "severity": "High"
+  },
+  "CVE-2022-44268": {
+    "id": "CVE-2022-44268",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44268",
+    "severity": "High"
+  },
+  "CVE-2021-35550": {
+    "id": "CVE-2021-35550",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35550",
+    "severity": "Medium"
+  },
+  "CVE-2021-3638": {
+    "id": "CVE-2021-3638",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3638",
+    "severity": "Medium"
+  },
+  "CVE-2023-26081": {
+    "id": "CVE-2023-26081",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26081",
+    "severity": "High"
+  },
+  "CVE-2024-39573": {
+    "id": "CVE-2024-39573",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39573",
+    "severity": "Critical"
+  },
+  "CVE-2022-3521": {
+    "id": "CVE-2022-3521",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3521",
+    "severity": "Medium"
+  },
+  "CVE-2022-23094": {
+    "id": "CVE-2022-23094",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23094",
+    "severity": "High"
+  },
+  "CVE-2024-2357": {
+    "id": "CVE-2024-2357",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2357",
+    "severity": "Low"
+  },
+  "CVE-2023-3772": {
+    "id": "CVE-2023-3772",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3772",
+    "severity": "Medium"
+  },
+  "CVE-2020-4030": {
+    "id": "CVE-2020-4030",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4030",
+    "severity": "Medium"
+  },
+  "CVE-2024-3205": {
+    "id": "CVE-2024-3205",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3205",
+    "severity": "High"
+  },
+  "CVE-2022-0330": {
+    "id": "CVE-2022-0330",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0330",
+    "severity": "Medium"
+  },
+  "CVE-2023-42670": {
+    "id": "CVE-2023-42670",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42670",
+    "severity": "Medium"
+  },
+  "CVE-2020-11077": {
+    "id": "CVE-2020-11077",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11077",
+    "severity": "High"
+  },
+  "CVE-2021-27506": {
+    "id": "CVE-2021-27506",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27506",
+    "severity": "Medium"
+  },
+  "CVE-2021-22918": {
+    "id": "CVE-2021-22918",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22918",
+    "severity": "Medium"
+  },
+  "CVE-2023-23454": {
+    "id": "CVE-2023-23454",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23454",
+    "severity": "High"
+  },
+  "CVE-2020-10809": {
+    "id": "CVE-2020-10809",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10809",
+    "severity": "Medium"
+  },
+  "CVE-2021-3655": {
+    "id": "CVE-2021-3655",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3655",
+    "severity": "Medium"
+  },
+  "CVE-2021-31812": {
+    "id": "CVE-2021-31812",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31812",
+    "severity": "Medium"
+  },
+  "CVE-2020-8003": {
+    "id": "CVE-2020-8003",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8003",
+    "severity": "Medium"
+  },
+  "CVE-2021-40153": {
+    "id": "CVE-2021-40153",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40153",
+    "severity": "High"
+  },
+  "CVE-2024-24898": {
+    "id": "CVE-2024-24898",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24898",
+    "severity": "Medium"
+  },
+  "CVE-2022-2125": {
+    "id": "CVE-2022-2125",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2125",
+    "severity": "High"
+  },
+  "CVE-2022-2319": {
+    "id": "CVE-2022-2319",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2319",
+    "severity": "High"
+  },
+  "CVE-2020-27756": {
+    "id": "CVE-2020-27756",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27756",
+    "severity": "Medium"
+  },
+  "CVE-2021-25735": {
+    "id": "CVE-2021-25735",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25735",
+    "severity": "Medium"
+  },
+  "CVE-2023-35945": {
+    "id": "CVE-2023-35945",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35945",
+    "severity": "High"
+  },
+  "CVE-2018-1000805": {
+    "id": "CVE-2018-1000805",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000805",
+    "severity": "High"
+  },
+  "CVE-2024-34403": {
+    "id": "CVE-2024-34403",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34403",
+    "severity": "Medium"
+  },
+  "CVE-2023-2953": {
+    "id": "CVE-2023-2953",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2953",
+    "severity": "High"
+  },
+  "CVE-2021-28216": {
+    "id": "CVE-2021-28216",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28216",
+    "severity": "High"
+  },
+  "CVE-2021-20197": {
+    "id": "CVE-2021-20197",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20197",
+    "severity": "Medium"
+  },
+  "CVE-2023-47855": {
+    "id": "CVE-2023-47855",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47855",
+    "severity": "Low"
+  },
+  "CVE-2023-45663": {
+    "id": "CVE-2023-45663",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45663",
+    "severity": "High"
+  },
+  "CVE-2023-32573": {
+    "id": "CVE-2023-32573",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573",
+    "severity": "Medium"
+  },
+  "CVE-2022-2929": {
+    "id": "CVE-2022-2929",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2929",
+    "severity": "High"
+  },
+  "CVE-2021-20271": {
+    "id": "CVE-2021-20271",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20271",
+    "severity": "High"
+  },
+  "CVE-2019-3825": {
+    "id": "CVE-2019-3825",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3825",
+    "severity": "Medium"
+  },
+  "CVE-2023-42795": {
+    "id": "CVE-2023-42795",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42795",
+    "severity": "High"
+  },
+  "CVE-2019-2692": {
+    "id": "CVE-2019-2692",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-2692",
+    "severity": "Medium"
+  },
+  "CVE-2023-46695": {
+    "id": "CVE-2023-46695",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46695",
+    "severity": "High"
+  },
+  "CVE-2022-3115": {
+    "id": "CVE-2022-3115",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3115",
+    "severity": "Medium"
+  },
+  "CVE-2022-3165": {
+    "id": "CVE-2022-3165",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3165",
+    "severity": "Medium"
+  },
+  "CVE-2022-4144": {
+    "id": "CVE-2022-4144",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4144",
+    "severity": "Medium"
+  },
+  "CVE-2023-2610": {
+    "id": "CVE-2023-2610",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2610",
+    "severity": "High"
+  },
+  "CVE-2022-2598": {
+    "id": "CVE-2022-2598",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2598",
+    "severity": "High"
+  },
+  "CVE-2022-23437": {
+    "id": "CVE-2022-23437",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23437",
+    "severity": "Medium"
+  },
+  "CVE-2020-13776": {
+    "id": "CVE-2020-13776",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13776",
+    "severity": "Medium"
+  },
+  "CVE-2022-21505": {
+    "id": "CVE-2022-21505",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21505",
+    "severity": "Medium"
+  },
+  "CVE-2021-44790": {
+    "id": "CVE-2021-44790",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44790",
+    "severity": "High"
+  },
+  "CVE-2021-33632": {
+    "id": "CVE-2021-33632",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33632",
+    "severity": "High"
+  },
+  "CVE-2021-3426": {
+    "id": "CVE-2021-3426",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3426",
+    "severity": "Medium"
+  },
+  "CVE-2020-10688": {
+    "id": "CVE-2020-10688",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10688",
+    "severity": "Medium"
+  },
+  "CVE-2023-23586": {
+    "id": "CVE-2023-23586",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23586",
+    "severity": "High"
+  },
+  "CVE-2019-16370": {
+    "id": "CVE-2019-16370",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16370",
+    "severity": "Medium"
+  },
+  "CVE-2021-46657": {
+    "id": "CVE-2021-46657",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46657",
+    "severity": "High"
+  },
+  "CVE-2021-34432": {
+    "id": "CVE-2021-34432",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34432",
+    "severity": "High"
+  },
+  "CVE-2021-4189": {
+    "id": "CVE-2021-4189",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4189",
+    "severity": "Medium"
+  },
+  "CVE-2022-39348": {
+    "id": "CVE-2022-39348",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39348",
+    "severity": "High"
+  },
+  "CVE-2021-25217": {
+    "id": "CVE-2021-25217",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25217",
+    "severity": "High"
+  },
+  "CVE-2023-38408": {
+    "id": "CVE-2023-38408",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38408",
+    "severity": "High"
+  },
+  "CVE-2021-20303": {
+    "id": "CVE-2021-20303",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20303",
+    "severity": "Medium"
+  },
+  "CVE-2021-38296": {
+    "id": "CVE-2021-38296",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38296",
+    "severity": "High"
+  },
+  "CVE-2024-6239": {
+    "id": "CVE-2024-6239",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6239",
+    "severity": "High"
+  },
+  "CVE-2022-34903": {
+    "id": "CVE-2022-34903",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34903",
+    "severity": "Medium"
+  },
+  "CVE-2024-29040": {
+    "id": "CVE-2024-29040",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29040",
+    "severity": "Medium"
+  },
+  "CVE-2021-3449": {
+    "id": "CVE-2021-3449",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3449",
+    "severity": "Medium"
+  },
+  "CVE-2022-25647": {
+    "id": "CVE-2022-25647",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25647",
+    "severity": "High"
+  },
+  "CVE-2022-3646": {
+    "id": "CVE-2022-3646",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3646",
+    "severity": "Medium"
+  },
+  "CVE-2022-30789": {
+    "id": "CVE-2022-30789",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30789",
+    "severity": "Critical"
+  },
+  "CVE-2022-3108": {
+    "id": "CVE-2022-3108",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3108",
+    "severity": "Medium"
+  },
+  "CVE-2023-47038": {
+    "id": "CVE-2023-47038",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47038",
+    "severity": "Low"
+  },
+  "CVE-2021-45079": {
+    "id": "CVE-2021-45079",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45079",
+    "severity": "Critical"
+  },
+  "CVE-2024-32661": {
+    "id": "CVE-2024-32661",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32661",
+    "severity": "High"
+  },
+  "CVE-2021-20181": {
+    "id": "CVE-2021-20181",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20181",
+    "severity": "High"
+  },
+  "CVE-2022-24769": {
+    "id": "CVE-2022-24769",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24769",
+    "severity": "Medium"
+  },
+  "CVE-2021-44228": {
+    "id": "CVE-2021-44228",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228",
+    "severity": "High"
+  },
+  "CVE-2022-31625": {
+    "id": "CVE-2022-31625",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31625",
+    "severity": "High"
+  },
+  "CVE-2023-24607": {
+    "id": "CVE-2023-24607",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607",
+    "severity": "High"
+  },
+  "CVE-2023-34455": {
+    "id": "CVE-2023-34455",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34455",
+    "severity": "High"
+  },
+  "CVE-2022-29154": {
+    "id": "CVE-2022-29154",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29154",
+    "severity": "High"
+  },
+  "CVE-2024-28180": {
+    "id": "CVE-2024-28180",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28180",
+    "severity": "Medium"
+  },
+  "CVE-2023-3341": {
+    "id": "CVE-2023-3341",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3341",
+    "severity": "High"
+  },
+  "CVE-2023-44446": {
+    "id": "CVE-2023-44446",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44446",
+    "severity": "Medium"
+  },
+  "CVE-2020-26572": {
+    "id": "CVE-2020-26572",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26572",
+    "severity": "Medium"
+  },
+  "CVE-2022-41741": {
+    "id": "CVE-2022-41741",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41741",
+    "severity": "High"
+  },
+  "CVE-2022-3554": {
+    "id": "CVE-2022-3554",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3554",
+    "severity": "High"
+  },
+  "CVE-2020-23903": {
+    "id": "CVE-2020-23903",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-23903",
+    "severity": "Medium"
+  },
+  "CVE-2020-10693": {
+    "id": "CVE-2020-10693",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10693",
+    "severity": "Medium"
+  },
+  "CVE-2022-32189": {
+    "id": "CVE-2022-32189",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32189",
+    "severity": "Medium"
+  },
+  "CVE-2023-6004": {
+    "id": "CVE-2023-6004",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6004",
+    "severity": "Medium"
+  },
+  "CVE-2022-24958": {
+    "id": "CVE-2022-24958",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24958",
+    "severity": "High"
+  },
+  "CVE-2021-2161": {
+    "id": "CVE-2021-2161",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-2161",
+    "severity": "Medium"
+  },
+  "CVE-2023-22742": {
+    "id": "CVE-2023-22742",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22742",
+    "severity": "Medium"
+  },
+  "CVE-2019-14562": {
+    "id": "CVE-2019-14562",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14562",
+    "severity": "Medium"
+  },
+  "CVE-2021-41160": {
+    "id": "CVE-2021-41160",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41160",
+    "severity": "Medium"
+  },
+  "CVE-2020-27781": {
+    "id": "CVE-2020-27781",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27781",
+    "severity": "Medium"
+  },
+  "CVE-2021-32765": {
+    "id": "CVE-2021-32765",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32765",
+    "severity": "High"
+  },
+  "CVE-2019-10241": {
+    "id": "CVE-2019-10241",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10241",
+    "severity": "Medium"
+  },
+  "CVE-2022-35414": {
+    "id": "CVE-2022-35414",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35414",
+    "severity": "High"
+  },
+  "CVE-2020-35850": {
+    "id": "CVE-2020-35850",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35850",
+    "severity": "Medium"
+  },
+  "CVE-2021-31292": {
+    "id": "CVE-2021-31292",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31292",
+    "severity": "Medium"
+  },
+  "CVE-2020-25687": {
+    "id": "CVE-2020-25687",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25687",
+    "severity": "High"
+  },
+  "CVE-2020-29385": {
+    "id": "CVE-2020-29385",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29385",
+    "severity": "High"
+  },
+  "CVE-2021-42340": {
+    "id": "CVE-2021-42340",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42340",
+    "severity": "High"
+  },
+  "CVE-2023-6175": {
+    "id": "CVE-2023-6175",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6175",
+    "severity": "Medium"
+  },
+  "CVE-2021-39365": {
+    "id": "CVE-2021-39365",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39365",
+    "severity": "Medium"
+  },
+  "CVE-2022-41973": {
+    "id": "CVE-2022-41973",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41973",
+    "severity": "High"
+  },
+  "CVE-2024-26606": {
+    "id": "CVE-2024-26606",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26606",
+    "severity": "Low"
+  },
+  "CVE-2023-35001": {
+    "id": "CVE-2023-35001",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35001",
+    "severity": "High"
+  },
+  "CVE-2020-25717": {
+    "id": "CVE-2020-25717",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25717",
+    "severity": "High"
+  },
+  "CVE-2023-28120": {
+    "id": "CVE-2023-28120",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28120",
+    "severity": "Medium"
+  },
+  "CVE-2024-24855": {
+    "id": "CVE-2024-24855",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24855",
+    "severity": "Medium"
+  },
+  "CVE-2021-3733": {
+    "id": "CVE-2021-3733",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3733",
+    "severity": "Medium"
+  },
+  "CVE-2022-34835": {
+    "id": "CVE-2022-34835",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34835",
+    "severity": "Critical"
+  },
+  "CVE-2023-28101": {
+    "id": "CVE-2023-28101",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28101",
+    "severity": "Medium"
+  },
+  "CVE-2023-40267": {
+    "id": "CVE-2023-40267",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40267",
+    "severity": "Critical"
+  },
+  "CVE-2023-28755": {
+    "id": "CVE-2023-28755",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28755",
+    "severity": "High"
+  },
+  "CVE-2022-3515": {
+    "id": "CVE-2022-3515",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3515",
+    "severity": "High"
+  },
+  "CVE-2023-1972": {
+    "id": "CVE-2023-1972",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1972",
+    "severity": "Medium"
+  },
+  "CVE-2022-4899": {
+    "id": "CVE-2022-4899",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4899",
+    "severity": "High"
+  },
+  "CVE-2021-38576": {
+    "id": "CVE-2021-38576",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38576",
+    "severity": "High"
+  },
+  "CVE-2022-31213": {
+    "id": "CVE-2022-31213",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31213",
+    "severity": "High"
+  },
+  "CVE-2022-2962": {
+    "id": "CVE-2022-2962",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2962",
+    "severity": "Medium"
+  },
+  "CVE-2021-33098": {
+    "id": "CVE-2021-33098",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33098",
+    "severity": "Medium"
+  },
+  "CVE-2021-32672": {
+    "id": "CVE-2021-32672",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32672",
+    "severity": "Medium"
+  },
+  "CVE-2023-52672": {
+    "id": "CVE-2023-52672",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52672",
+    "severity": "Medium"
+  },
+  "CVE-2024-5197": {
+    "id": "CVE-2024-5197",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5197",
+    "severity": "High"
+  },
+  "CVE-2020-14355": {
+    "id": "CVE-2020-14355",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14355",
+    "severity": "Medium"
+  },
+  "CVE-2023-41040": {
+    "id": "CVE-2023-41040",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41040",
+    "severity": "Medium"
+  },
+  "CVE-2022-40023": {
+    "id": "CVE-2022-40023",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40023",
+    "severity": "High"
+  },
+  "CVE-2024-24890": {
+    "id": "CVE-2024-24890",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24890",
+    "severity": "High"
+  },
+  "CVE-2023-2426": {
+    "id": "CVE-2023-2426",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2426",
+    "severity": "Medium"
+  },
+  "CVE-2021-0326": {
+    "id": "CVE-2021-0326",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0326",
+    "severity": "High"
+  },
+  "CVE-2022-21233": {
+    "id": "CVE-2022-21233",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21233",
+    "severity": "Medium"
+  },
+  "CVE-2023-50868": {
+    "id": "CVE-2023-50868",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50868",
+    "severity": "High"
+  },
+  "CVE-2022-47629": {
+    "id": "CVE-2022-47629",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47629",
+    "severity": "Medium"
+  },
+  "CVE-2021-27918": {
+    "id": "CVE-2021-27918",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27918",
+    "severity": "High"
+  },
+  "CVE-2021-3504": {
+    "id": "CVE-2021-3504",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3504",
+    "severity": "High"
+  },
+  "CVE-2021-33655": {
+    "id": "CVE-2021-33655",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33655",
+    "severity": "Medium"
+  },
+  "CVE-2022-3517": {
+    "id": "CVE-2022-3517",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3517",
+    "severity": "High"
+  },
+  "CVE-2022-2585": {
+    "id": "CVE-2022-2585",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2585",
+    "severity": "High"
+  },
+  "CVE-2023-32697": {
+    "id": "CVE-2023-32697",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32697",
+    "severity": "Critical"
+  },
+  "CVE-2023-0614": {
+    "id": "CVE-2023-0614",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0614",
+    "severity": "Medium"
+  },
+  "CVE-2021-43618": {
+    "id": "CVE-2021-43618",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43618",
+    "severity": "High"
+  },
+  "CVE-2021-33061": {
+    "id": "CVE-2021-33061",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33061",
+    "severity": "Medium"
+  },
+  "CVE-2024-25617": {
+    "id": "CVE-2024-25617",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25617",
+    "severity": "Medium"
+  },
+  "CVE-2020-26570": {
+    "id": "CVE-2020-26570",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26570",
+    "severity": "Medium"
+  },
+  "CVE-2023-43641": {
+    "id": "CVE-2023-43641",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43641",
+    "severity": "High"
+  },
+  "CVE-2022-3190": {
+    "id": "CVE-2022-3190",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3190",
+    "severity": "Medium"
+  },
+  "CVE-2023-5366": {
+    "id": "CVE-2023-5366",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5366",
+    "severity": "High"
+  },
+  "CVE-2023-51385": {
+    "id": "CVE-2023-51385",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51385",
+    "severity": "Critical"
+  },
+  "CVE-2021-3421": {
+    "id": "CVE-2021-3421",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3421",
+    "severity": "Medium"
+  },
+  "CVE-2021-21707": {
+    "id": "CVE-2021-21707",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21707",
+    "severity": "Medium"
+  },
+  "CVE-2022-34169": {
+    "id": "CVE-2022-34169",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34169",
+    "severity": "Medium"
+  },
+  "CVE-2022-2602": {
+    "id": "CVE-2022-2602",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2602",
+    "severity": "Medium"
+  },
+  "CVE-2024-6387": {
+    "id": "CVE-2024-6387",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6387",
+    "severity": "High"
+  },
+  "CVE-2022-1886": {
+    "id": "CVE-2022-1886",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1886",
+    "severity": "Critical"
+  },
+  "CVE-2021-20095": {
+    "id": "CVE-2021-20095",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20095",
+    "severity": "High"
+  },
+  "CVE-2023-32233": {
+    "id": "CVE-2023-32233",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32233",
+    "severity": "Medium"
+  },
+  "CVE-2020-18770": {
+    "id": "CVE-2020-18770",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-18770",
+    "severity": "Medium"
+  },
+  "CVE-2021-46822": {
+    "id": "CVE-2021-46822",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46822",
+    "severity": "Medium"
+  },
+  "CVE-2022-32250": {
+    "id": "CVE-2022-32250",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32250",
+    "severity": "Medium"
+  },
+  "CVE-2022-24882": {
+    "id": "CVE-2022-24882",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24882",
+    "severity": "Critical"
+  },
+  "CVE-2023-6915": {
+    "id": "CVE-2023-6915",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6915",
+    "severity": "High"
+  },
+  "CVE-2022-1115": {
+    "id": "CVE-2022-1115",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1115",
+    "severity": "Medium"
+  },
+  "CVE-2022-32148": {
+    "id": "CVE-2022-32148",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32148",
+    "severity": "Medium"
+  },
+  "CVE-2021-30640": {
+    "id": "CVE-2021-30640",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30640",
+    "severity": "Medium"
+  },
+  "CVE-2021-44227": {
+    "id": "CVE-2021-44227",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44227",
+    "severity": "High"
+  },
+  "CVE-2023-42366": {
+    "id": "CVE-2023-42366",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42366",
+    "severity": "Medium"
+  },
+  "CVE-2022-31799": {
+    "id": "CVE-2022-31799",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31799",
+    "severity": "Critical"
+  },
+  "CVE-2024-38661": {
+    "id": "CVE-2024-38661",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38661",
+    "severity": "High"
+  },
+  "CVE-2024-24259": {
+    "id": "CVE-2024-24259",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24259",
+    "severity": "High"
+  },
+  "CVE-2023-29409": {
+    "id": "CVE-2023-29409",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29409",
+    "severity": "Medium"
+  },
+  "CVE-2021-20257": {
+    "id": "CVE-2021-20257",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20257",
+    "severity": "Medium"
+  },
+  "CVE-2021-41099": {
+    "id": "CVE-2021-41099",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41099",
+    "severity": "High"
+  },
+  "CVE-2024-21626": {
+    "id": "CVE-2024-21626",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21626",
+    "severity": "High"
+  },
+  "CVE-2022-21271": {
+    "id": "CVE-2022-21271",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21271",
+    "severity": "Medium"
+  },
+  "CVE-2023-46218": {
+    "id": "CVE-2023-46218",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46218",
+    "severity": "Medium"
+  },
+  "CVE-2020-13867": {
+    "id": "CVE-2020-13867",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13867",
+    "severity": "Medium"
+  },
+  "CVE-2023-26253": {
+    "id": "CVE-2023-26253",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26253",
+    "severity": "High"
+  },
+  "CVE-2019-12402": {
+    "id": "CVE-2019-12402",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12402",
+    "severity": "Critical"
+  },
+  "CVE-2020-12658": {
+    "id": "CVE-2020-12658",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12658",
+    "severity": "Critical"
+  },
+  "CVE-2020-12863": {
+    "id": "CVE-2020-12863",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12863",
+    "severity": "Medium"
+  },
+  "CVE-2020-9492": {
+    "id": "CVE-2020-9492",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9492",
+    "severity": "High"
+  },
+  "CVE-2024-34064": {
+    "id": "CVE-2024-34064",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34064",
+    "severity": "Medium"
+  },
+  "CVE-2021-3326": {
+    "id": "CVE-2021-3326",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3326",
+    "severity": "Medium"
+  },
+  "CVE-2023-6931": {
+    "id": "CVE-2023-6931",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6931",
+    "severity": "Medium"
+  },
+  "CVE-2022-24999": {
+    "id": "CVE-2022-24999",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999",
+    "severity": "High"
+  },
+  "CVE-2021-22570": {
+    "id": "CVE-2021-22570",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22570",
+    "severity": "High"
+  },
+  "CVE-2021-2160": {
+    "id": "CVE-2021-2160",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-2160",
+    "severity": "Medium"
+  },
+  "CVE-2019-17362": {
+    "id": "CVE-2019-17362",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17362",
+    "severity": "Critical"
+  },
+  "CVE-2021-20289": {
+    "id": "CVE-2021-20289",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20289",
+    "severity": "Medium"
+  },
+  "CVE-2021-39272": {
+    "id": "CVE-2021-39272",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39272",
+    "severity": "Medium"
+  },
+  "CVE-2023-43907": {
+    "id": "CVE-2023-43907",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43907",
+    "severity": "High"
+  },
+  "CVE-2021-29478": {
+    "id": "CVE-2021-29478",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29478",
+    "severity": "High"
+  },
+  "CVE-2021-4213": {
+    "id": "CVE-2021-4213",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4213",
+    "severity": "High"
+  },
+  "CVE-2024-37535": {
+    "id": "CVE-2024-37535",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37535",
+    "severity": "Low"
+  },
+  "CVE-2018-2799": {
+    "id": "CVE-2018-2799",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-2799",
+    "severity": "Medium"
+  },
+  "CVE-2023-38546": {
+    "id": "CVE-2023-38546",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38546",
+    "severity": "High"
+  },
+  "CVE-2015-1197": {
+    "id": "CVE-2015-1197",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1197",
+    "severity": "Low"
+  },
+  "CVE-2020-7069": {
+    "id": "CVE-2020-7069",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7069",
+    "severity": "Critical"
+  },
+  "CVE-2020-25654": {
+    "id": "CVE-2020-25654",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25654",
+    "severity": "High"
+  },
+  "CVE-2021-32142": {
+    "id": "CVE-2021-32142",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32142",
+    "severity": "High"
+  },
+  "CVE-2021-40812": {
+    "id": "CVE-2021-40812",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40812",
+    "severity": "Medium"
+  },
+  "CVE-2023-31147": {
+    "id": "CVE-2023-31147",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31147",
+    "severity": "Medium"
+  },
+  "CVE-2023-29403": {
+    "id": "CVE-2023-29403",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29403",
+    "severity": "High"
+  },
+  "CVE-2020-24455": {
+    "id": "CVE-2020-24455",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24455",
+    "severity": "Medium"
+  },
+  "CVE-2022-30522": {
+    "id": "CVE-2022-30522",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30522",
+    "severity": "Medium"
+  },
+  "CVE-2023-6681": {
+    "id": "CVE-2023-6681",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6681",
+    "severity": "Medium"
+  },
+  "CVE-2020-14093": {
+    "id": "CVE-2020-14093",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14093",
+    "severity": "Medium"
+  },
+  "CVE-2023-50967": {
+    "id": "CVE-2023-50967",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50967",
+    "severity": "Low"
+  },
+  "CVE-2022-4904": {
+    "id": "CVE-2022-4904",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4904",
+    "severity": "Medium"
+  },
+  "CVE-2021-38198": {
+    "id": "CVE-2021-38198",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38198",
+    "severity": "Medium"
+  },
+  "CVE-2022-1852": {
+    "id": "CVE-2022-1852",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1852",
+    "severity": "Medium"
+  },
+  "CVE-2021-46143": {
+    "id": "CVE-2021-46143",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46143",
+    "severity": "High"
+  },
+  "CVE-2023-3316": {
+    "id": "CVE-2023-3316",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3316",
+    "severity": "High"
+  },
+  "CVE-2020-25648": {
+    "id": "CVE-2020-25648",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25648",
+    "severity": "Medium"
+  },
+  "CVE-2024-22705": {
+    "id": "CVE-2024-22705",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22705",
+    "severity": "Medium"
+  },
+  "CVE-2020-15103": {
+    "id": "CVE-2020-15103",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15103",
+    "severity": "Low"
+  },
+  "CVE-2021-40438": {
+    "id": "CVE-2021-40438",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40438",
+    "severity": "High"
+  },
+  "CVE-2021-23362": {
+    "id": "CVE-2021-23362",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23362",
+    "severity": "Medium"
+  },
+  "CVE-2020-27821": {
+    "id": "CVE-2020-27821",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27821",
+    "severity": "Medium"
+  },
+  "CVE-2022-20368": {
+    "id": "CVE-2022-20368",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20368",
+    "severity": "Critical"
+  },
+  "CVE-2023-37327": {
+    "id": "CVE-2023-37327",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37327",
+    "severity": "Medium"
+  },
+  "CVE-2023-51781": {
+    "id": "CVE-2023-51781",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51781",
+    "severity": "High"
+  },
+  "CVE-2021-2301": {
+    "id": "CVE-2021-2301",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-2301",
+    "severity": "Medium"
+  },
+  "CVE-2023-34969": {
+    "id": "CVE-2023-34969",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34969",
+    "severity": "Medium"
+  },
+  "CVE-2023-2908": {
+    "id": "CVE-2023-2908",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2908",
+    "severity": "Medium"
+  },
+  "CVE-2022-2806": {
+    "id": "CVE-2022-2806",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2806",
+    "severity": "Medium"
+  },
+  "CVE-2021-44040": {
+    "id": "CVE-2021-44040",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44040",
+    "severity": "High"
+  },
+  "CVE-2021-45463": {
+    "id": "CVE-2021-45463",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45463",
+    "severity": "High"
+  },
+  "CVE-2023-24534": {
+    "id": "CVE-2023-24534",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24534",
+    "severity": "High"
+  },
+  "CVE-2020-10650": {
+    "id": "CVE-2020-10650",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10650",
+    "severity": "High"
+  },
+  "CVE-2021-28861": {
+    "id": "CVE-2021-28861",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28861",
+    "severity": "High"
+  },
+  "CVE-2022-36227": {
+    "id": "CVE-2022-36227",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36227",
+    "severity": "Critical"
+  },
+  "CVE-2022-23648": {
+    "id": "CVE-2022-23648",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23648",
+    "severity": "High"
+  },
+  "CVE-2023-4693": {
+    "id": "CVE-2023-4693",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4693",
+    "severity": "High"
+  },
+  "CVE-2023-22795": {
+    "id": "CVE-2023-22795",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22795",
+    "severity": "High"
+  },
+  "CVE-2021-42739": {
+    "id": "CVE-2021-42739",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42739",
+    "severity": "Medium"
+  },
+  "CVE-2022-0135": {
+    "id": "CVE-2022-0135",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0135",
+    "severity": "High"
+  },
+  "CVE-2023-24626": {
+    "id": "CVE-2023-24626",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24626",
+    "severity": "Medium"
+  },
+  "CVE-2023-28486": {
+    "id": "CVE-2023-28486",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28486",
+    "severity": "Medium"
+  },
+  "CVE-2021-40633": {
+    "id": "CVE-2021-40633",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40633",
+    "severity": "High"
+  },
+  "CVE-2022-24834": {
+    "id": "CVE-2022-24834",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24834",
+    "severity": "High"
+  },
+  "CVE-2022-24052": {
+    "id": "CVE-2022-24052",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24052",
+    "severity": "High"
+  },
+  "CVE-2024-32465": {
+    "id": "CVE-2024-32465",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32465",
+    "severity": "Critical"
+  },
+  "CVE-2024-27281": {
+    "id": "CVE-2024-27281",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27281",
+    "severity": "Low"
+  },
+  "CVE-2022-21724": {
+    "id": "CVE-2022-21724",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21724",
+    "severity": "High"
+  },
+  "CVE-2022-24836": {
+    "id": "CVE-2022-24836",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24836",
+    "severity": "High"
+  },
+  "CVE-2022-4064": {
+    "id": "CVE-2022-4064",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4064",
+    "severity": "Low"
+  },
+  "CVE-2022-4842": {
+    "id": "CVE-2022-4842",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4842",
+    "severity": "High"
+  },
+  "CVE-2021-29509": {
+    "id": "CVE-2021-29509",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29509",
+    "severity": "High"
+  },
+  "CVE-2021-38575": {
+    "id": "CVE-2021-38575",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38575",
+    "severity": "High"
+  },
+  "CVE-2020-13848": {
+    "id": "CVE-2020-13848",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13848",
+    "severity": "High"
+  },
+  "CVE-2021-3715": {
+    "id": "CVE-2021-3715",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3715",
+    "severity": "High"
+  },
+  "CVE-2019-17544": {
+    "id": "CVE-2019-17544",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17544",
+    "severity": "Critical"
+  },
+  "CVE-2021-36370": {
+    "id": "CVE-2021-36370",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36370",
+    "severity": "High"
+  },
+  "CVE-2021-41103": {
+    "id": "CVE-2021-41103",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41103",
+    "severity": "High"
+  },
+  "CVE-2021-3445": {
+    "id": "CVE-2021-3445",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3445",
+    "severity": "High"
+  },
+  "CVE-2021-21240": {
+    "id": "CVE-2021-21240",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21240",
+    "severity": "High"
+  },
+  "CVE-2021-22926": {
+    "id": "CVE-2021-22926",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22926",
+    "severity": "Low"
+  },
+  "CVE-2021-20270": {
+    "id": "CVE-2021-20270",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20270",
+    "severity": "High"
+  },
+  "CVE-2020-25657": {
+    "id": "CVE-2020-25657",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25657",
+    "severity": "Medium"
+  },
+  "CVE-2021-33621": {
+    "id": "CVE-2021-33621",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33621",
+    "severity": "High"
+  },
+  "CVE-2022-43995": {
+    "id": "CVE-2022-43995",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43995",
+    "severity": "High"
+  },
+  "CVE-2023-22745": {
+    "id": "CVE-2023-22745",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22745",
+    "severity": "Medium"
+  },
+  "CVE-2021-47401": {
+    "id": "CVE-2021-47401",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47401",
+    "severity": "Medium"
+  },
+  "CVE-2022-45934": {
+    "id": "CVE-2022-45934",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45934",
+    "severity": "High"
+  },
+  "CVE-2023-45675": {
+    "id": "CVE-2023-45675",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45675",
+    "severity": "High"
+  },
+  "CVE-2023-51782": {
+    "id": "CVE-2023-51782",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51782",
+    "severity": "Medium"
+  },
+  "CVE-2021-3622": {
+    "id": "CVE-2021-3622",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3622",
+    "severity": "Medium"
+  },
+  "CVE-2021-33910": {
+    "id": "CVE-2021-33910",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33910",
+    "severity": "Medium"
+  },
+  "CVE-2019-18281": {
+    "id": "CVE-2019-18281",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18281",
+    "severity": "Medium"
+  },
+  "CVE-2022-21702": {
+    "id": "CVE-2022-21702",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21702",
+    "severity": "Medium"
+  },
+  "CVE-2022-39399": {
+    "id": "CVE-2022-39399",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39399",
+    "severity": "Medium"
+  },
+  "CVE-2019-20433": {
+    "id": "CVE-2019-20433",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20433",
+    "severity": "Medium"
+  },
+  "CVE-2024-2398": {
+    "id": "CVE-2024-2398",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2398",
+    "severity": "Medium"
+  },
+  "CVE-2022-20698": {
+    "id": "CVE-2022-20698",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20698",
+    "severity": "High"
+  },
+  "CVE-2023-34059": {
+    "id": "CVE-2023-34059",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34059",
+    "severity": "High"
+  },
+  "CVE-2024-28219": {
+    "id": "CVE-2024-28219",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28219",
+    "severity": "Medium"
+  },
+  "CVE-2021-33639": {
+    "id": "CVE-2021-33639",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33639",
+    "severity": "Medium"
+  },
+  "CVE-2023-41164": {
+    "id": "CVE-2023-41164",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41164",
+    "severity": "Medium"
+  },
+  "CVE-2023-3301": {
+    "id": "CVE-2023-3301",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3301",
+    "severity": "Medium"
+  },
+  "CVE-2022-45141": {
+    "id": "CVE-2022-45141",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45141",
+    "severity": "High"
+  },
+  "CVE-2021-46142": {
+    "id": "CVE-2021-46142",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46142",
+    "severity": "Medium"
+  },
+  "CVE-2022-3424": {
+    "id": "CVE-2022-3424",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3424",
+    "severity": "Medium"
+  },
+  "CVE-2022-40090": {
+    "id": "CVE-2022-40090",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40090",
+    "severity": "Medium"
+  },
+  "CVE-2022-1355": {
+    "id": "CVE-2022-1355",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1355",
+    "severity": "High"
+  },
+  "CVE-2023-6932": {
+    "id": "CVE-2023-6932",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6932",
+    "severity": "Medium"
+  },
+  "CVE-2022-3256": {
+    "id": "CVE-2022-3256",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3256",
+    "severity": "High"
+  },
+  "CVE-2021-3517": {
+    "id": "CVE-2021-3517",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3517",
+    "severity": "Medium"
+  },
+  "CVE-2021-45046": {
+    "id": "CVE-2021-45046",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046",
+    "severity": "Critical"
+  },
+  "CVE-2021-20203": {
+    "id": "CVE-2021-20203",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20203",
+    "severity": "Medium"
+  },
+  "CVE-2024-1013": {
+    "id": "CVE-2024-1013",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1013",
+    "severity": "High"
+  },
+  "CVE-2023-33461": {
+    "id": "CVE-2023-33461",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33461",
+    "severity": "Medium"
+  },
+  "CVE-2021-3572": {
+    "id": "CVE-2021-3572",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3572",
+    "severity": "Medium"
+  },
+  "CVE-2022-45059": {
+    "id": "CVE-2022-45059",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45059",
+    "severity": "High"
+  },
+  "CVE-2020-35518": {
+    "id": "CVE-2020-35518",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35518",
+    "severity": "Medium"
+  },
+  "CVE-2020-35492": {
+    "id": "CVE-2020-35492",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35492",
+    "severity": "High"
+  },
+  "CVE-2023-0667": {
+    "id": "CVE-2023-0667",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0667",
+    "severity": "Medium"
+  },
+  "CVE-2021-44832": {
+    "id": "CVE-2021-44832",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832",
+    "severity": "High"
+  },
+  "CVE-2024-0607": {
+    "id": "CVE-2024-0607",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0607",
+    "severity": "High"
+  },
+  "CVE-2019-10156": {
+    "id": "CVE-2019-10156",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10156",
+    "severity": "Medium"
+  },
+  "CVE-2017-12596": {
+    "id": "CVE-2017-12596",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12596",
+    "severity": "Medium"
+  },
+  "CVE-2020-28196": {
+    "id": "CVE-2020-28196",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28196",
+    "severity": "High"
+  },
+  "CVE-2023-25950": {
+    "id": "CVE-2023-25950",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25950",
+    "severity": "Critical"
+  },
+  "CVE-2022-48281": {
+    "id": "CVE-2022-48281",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48281",
+    "severity": "High"
+  },
+  "CVE-2023-43642": {
+    "id": "CVE-2023-43642",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43642",
+    "severity": "High"
+  },
+  "CVE-2023-24805": {
+    "id": "CVE-2023-24805",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24805",
+    "severity": "High"
+  },
+  "CVE-2019-7575": {
+    "id": "CVE-2019-7575",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7575",
+    "severity": "High"
+  },
+  "CVE-2022-1215": {
+    "id": "CVE-2022-1215",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1215",
+    "severity": "High"
+  },
+  "CVE-2020-27837": {
+    "id": "CVE-2020-27837",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27837",
+    "severity": "Medium"
+  },
+  "CVE-2021-3605": {
+    "id": "CVE-2021-3605",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3605",
+    "severity": "Medium"
+  },
+  "CVE-2023-1436": {
+    "id": "CVE-2023-1436",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1436",
+    "severity": "High"
+  },
+  "CVE-2023-35789": {
+    "id": "CVE-2023-35789",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35789",
+    "severity": "Medium"
+  },
+  "CVE-2021-3560": {
+    "id": "CVE-2021-3560",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3560",
+    "severity": "High"
+  },
+  "CVE-2020-25713": {
+    "id": "CVE-2020-25713",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25713",
+    "severity": "Medium"
+  },
+  "CVE-2020-14001": {
+    "id": "CVE-2020-14001",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14001",
+    "severity": "Critical"
+  },
+  "CVE-2023-1906": {
+    "id": "CVE-2023-1906",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1906",
+    "severity": "Medium"
+  },
+  "CVE-2023-39410": {
+    "id": "CVE-2023-39410",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39410",
+    "severity": "High"
+  },
+  "CVE-2022-2588": {
+    "id": "CVE-2022-2588",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2588",
+    "severity": "Medium"
+  },
+  "CVE-2023-6693": {
+    "id": "CVE-2023-6693",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6693",
+    "severity": "Medium"
+  },
+  "CVE-2022-1348": {
+    "id": "CVE-2022-1348",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1348",
+    "severity": "Medium"
+  },
+  "CVE-2023-42753": {
+    "id": "CVE-2023-42753",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42753",
+    "severity": "High"
+  },
+  "CVE-2024-1488": {
+    "id": "CVE-2024-1488",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1488",
+    "severity": "High"
+  },
+  "CVE-2024-35930": {
+    "id": "CVE-2024-35930",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35930",
+    "severity": "Medium"
+  },
+  "CVE-2022-44792": {
+    "id": "CVE-2022-44792",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44792",
+    "severity": "Medium"
+  },
+  "CVE-2020-28163": {
+    "id": "CVE-2020-28163",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28163",
+    "severity": "Medium"
+  },
+  "CVE-2023-4513": {
+    "id": "CVE-2023-4513",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4513",
+    "severity": "Medium"
+  },
+  "CVE-2021-28041": {
+    "id": "CVE-2021-28041",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28041",
+    "severity": "High"
+  },
+  "CVE-2022-41974": {
+    "id": "CVE-2022-41974",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41974",
+    "severity": "High"
+  },
+  "CVE-2024-27316": {
+    "id": "CVE-2024-27316",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27316",
+    "severity": "Medium"
+  },
+  "CVE-2021-3700": {
+    "id": "CVE-2021-3700",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3700",
+    "severity": "Low"
+  },
+  "CVE-2021-37501": {
+    "id": "CVE-2021-37501",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37501",
+    "severity": "Medium"
+  },
+  "CVE-2021-39151": {
+    "id": "CVE-2021-39151",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39151",
+    "severity": "High"
+  },
+  "CVE-2022-21322": {
+    "id": "CVE-2022-21322",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21322",
+    "severity": "Medium"
+  },
+  "CVE-2024-0911": {
+    "id": "CVE-2024-0911",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0911",
+    "severity": "Medium"
+  },
+  "CVE-2023-1161": {
+    "id": "CVE-2023-1161",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1161",
+    "severity": "High"
+  },
+  "CVE-2022-3586": {
+    "id": "CVE-2022-3586",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3586",
+    "severity": "Medium"
+  },
+  "CVE-2021-4115": {
+    "id": "CVE-2021-4115",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4115",
+    "severity": "Medium"
+  },
+  "CVE-2020-36774": {
+    "id": "CVE-2020-36774",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36774",
+    "severity": "Medium"
+  },
+  "CVE-2024-24790": {
+    "id": "CVE-2024-24790",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24790",
+    "severity": "Critical"
+  },
+  "CVE-2023-3358": {
+    "id": "CVE-2023-3358",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3358",
+    "severity": "High"
+  },
+  "CVE-2022-2047": {
+    "id": "CVE-2022-2047",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2047",
+    "severity": "High"
+  },
+  "CVE-2020-23064": {
+    "id": "CVE-2020-23064",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-23064",
+    "severity": "Medium"
+  },
+  "CVE-2022-1664": {
+    "id": "CVE-2022-1664",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1664",
+    "severity": "Medium"
+  },
+  "CVE-2023-45648": {
+    "id": "CVE-2023-45648",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45648",
+    "severity": "Medium"
+  },
+  "CVE-2021-25219": {
+    "id": "CVE-2021-25219",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25219",
+    "severity": "Medium"
+  },
+  "CVE-2021-43331": {
+    "id": "CVE-2021-43331",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43331",
+    "severity": "Medium"
+  },
+  "CVE-2024-30156": {
+    "id": "CVE-2024-30156",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30156",
+    "severity": "High"
+  },
+  "CVE-2020-0499": {
+    "id": "CVE-2020-0499",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0499",
+    "severity": "Medium"
+  },
+  "CVE-2024-26583": {
+    "id": "CVE-2024-26583",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26583",
+    "severity": "High"
+  },
+  "CVE-2023-45288": {
+    "id": "CVE-2023-45288",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45288",
+    "severity": "High"
+  },
+  "CVE-2022-0617": {
+    "id": "CVE-2022-0617",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0617",
+    "severity": "Medium"
+  },
+  "CVE-2021-3918": {
+    "id": "CVE-2021-3918",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918",
+    "severity": "Medium"
+  },
+  "CVE-2022-28327": {
+    "id": "CVE-2022-28327",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28327",
+    "severity": "Medium"
+  },
+  "CVE-2020-25690": {
+    "id": "CVE-2020-25690",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25690",
+    "severity": "High"
+  },
+  "CVE-2021-2163": {
+    "id": "CVE-2021-2163",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-2163",
+    "severity": "Medium"
+  },
+  "CVE-2021-33640": {
+    "id": "CVE-2021-33640",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33640",
+    "severity": "Medium"
+  },
+  "CVE-2020-7729": {
+    "id": "CVE-2020-7729",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7729",
+    "severity": "High"
+  },
+  "CVE-2022-0396": {
+    "id": "CVE-2022-0396",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0396",
+    "severity": "Medium"
+  },
+  "CVE-2023-52868": {
+    "id": "CVE-2023-52868",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52868",
+    "severity": "Low"
+  },
+  "CVE-2024-4854": {
+    "id": "CVE-2024-4854",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4854",
+    "severity": "Medium"
+  },
+  "CVE-2024-3596": {
+    "id": "CVE-2024-3596",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3596",
+    "severity": "High"
+  },
+  "CVE-2022-38266": {
+    "id": "CVE-2022-38266",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38266",
+    "severity": "Medium"
+  },
+  "CVE-2021-22543": {
+    "id": "CVE-2021-22543",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22543",
+    "severity": "High"
+  },
+  "CVE-2007-4559": {
+    "id": "CVE-2007-4559",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-4559",
+    "severity": "Medium"
+  },
+  "CVE-2020-24165": {
+    "id": "CVE-2020-24165",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24165",
+    "severity": "Medium"
+  },
+  "CVE-2023-28625": {
+    "id": "CVE-2023-28625",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28625",
+    "severity": "Medium"
+  },
+  "CVE-2022-48522": {
+    "id": "CVE-2022-48522",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48522",
+    "severity": "Medium"
+  },
+  "CVE-2024-23301": {
+    "id": "CVE-2024-23301",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23301",
+    "severity": "High"
+  },
+  "CVE-2022-45406": {
+    "id": "CVE-2022-45406",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45406",
+    "severity": "High"
+  },
+  "CVE-2020-27153": {
+    "id": "CVE-2020-27153",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27153",
+    "severity": "High"
+  },
+  "CVE-2022-3171": {
+    "id": "CVE-2022-3171",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3171",
+    "severity": "High"
+  },
+  "CVE-2021-42384": {
+    "id": "CVE-2021-42384",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42384",
+    "severity": "High"
+  },
+  "CVE-2023-28708": {
+    "id": "CVE-2023-28708",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28708",
+    "severity": "Medium"
+  },
+  "CVE-2021-3658": {
+    "id": "CVE-2021-3658",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3658",
+    "severity": "Medium"
+  },
+  "CVE-2021-30465": {
+    "id": "CVE-2021-30465",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30465",
+    "severity": "High"
+  },
+  "CVE-2023-29491": {
+    "id": "CVE-2023-29491",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29491",
+    "severity": "High"
+  },
+  "CVE-2023-38403": {
+    "id": "CVE-2023-38403",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38403",
+    "severity": "Medium"
+  },
+  "CVE-2021-2032": {
+    "id": "CVE-2021-2032",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-2032",
+    "severity": "Medium"
+  },
+  "CVE-2021-3505": {
+    "id": "CVE-2021-3505",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3505",
+    "severity": "Medium"
+  },
+  "CVE-2021-3929": {
+    "id": "CVE-2021-3929",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3929",
+    "severity": "High"
+  },
+  "CVE-2024-35849": {
+    "id": "CVE-2024-35849",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35849",
+    "severity": "Medium"
+  },
+  "CVE-2020-29050": {
+    "id": "CVE-2020-29050",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29050",
+    "severity": "High"
+  },
+  "CVE-2021-23926": {
+    "id": "CVE-2021-23926",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23926",
+    "severity": "Critical"
+  },
+  "CVE-2019-25013": {
+    "id": "CVE-2019-25013",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25013",
+    "severity": "Medium"
+  },
+  "CVE-2024-32230": {
+    "id": "CVE-2024-32230",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32230",
+    "severity": "Medium"
+  },
+  "CVE-2022-28347": {
+    "id": "CVE-2022-28347",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28347",
+    "severity": "Critical"
+  },
+  "CVE-2023-45853": {
+    "id": "CVE-2023-45853",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45853",
+    "severity": "Critical"
+  },
+  "CVE-2021-42374": {
+    "id": "CVE-2021-42374",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42374",
+    "severity": "Critical"
+  },
+  "CVE-2022-41716": {
+    "id": "CVE-2022-41716",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41716",
+    "severity": "High"
+  },
+  "CVE-2021-32627": {
+    "id": "CVE-2021-32627",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32627",
+    "severity": "High"
+  },
+  "CVE-2022-0670": {
+    "id": "CVE-2022-0670",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0670",
+    "severity": "Critical"
+  },
+  "CVE-2022-20423": {
+    "id": "CVE-2022-20423",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20423",
+    "severity": "Medium"
+  },
+  "CVE-2024-24680": {
+    "id": "CVE-2024-24680",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24680",
+    "severity": "High"
+  },
+  "CVE-2021-29922": {
+    "id": "CVE-2021-29922",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29922",
+    "severity": "Critical"
+  },
+  "CVE-2021-27845": {
+    "id": "CVE-2021-27845",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27845",
+    "severity": "Medium"
+  },
+  "CVE-2021-3750": {
+    "id": "CVE-2021-3750",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3750",
+    "severity": "High"
+  },
+  "CVE-2022-41725": {
+    "id": "CVE-2022-41725",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41725",
+    "severity": "High"
+  },
+  "CVE-2022-42721": {
+    "id": "CVE-2022-42721",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42721",
+    "severity": "Medium"
+  },
+  "CVE-2022-0711": {
+    "id": "CVE-2022-0711",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0711",
+    "severity": "High"
+  },
+  "CVE-2023-47641": {
+    "id": "CVE-2023-47641",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47641",
+    "severity": "Low"
+  },
+  "CVE-2021-45444": {
+    "id": "CVE-2021-45444",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45444",
+    "severity": "High"
+  },
+  "CVE-2022-2058": {
+    "id": "CVE-2022-2058",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2058",
+    "severity": "Medium"
+  },
+  "CVE-2021-47372": {
+    "id": "CVE-2021-47372",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47372",
+    "severity": "Medium"
+  },
+  "CVE-2024-28834": {
+    "id": "CVE-2024-28834",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28834",
+    "severity": "Medium"
+  },
+  "CVE-2016-9843": {
+    "id": "CVE-2016-9843",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9843",
+    "severity": "High"
+  },
+  "CVE-2021-3621": {
+    "id": "CVE-2021-3621",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3621",
+    "severity": "Medium"
+  },
+  "CVE-2022-2414": {
+    "id": "CVE-2022-2414",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2414",
+    "severity": "High"
+  },
+  "CVE-2022-36021": {
+    "id": "CVE-2022-36021",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36021",
+    "severity": "Medium"
+  },
+  "CVE-2022-41409": {
+    "id": "CVE-2022-41409",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41409",
+    "severity": "High"
+  },
+  "CVE-2022-47015": {
+    "id": "CVE-2022-47015",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47015",
+    "severity": "High"
+  },
+  "CVE-2023-3164": {
+    "id": "CVE-2023-3164",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3164",
+    "severity": "Medium"
+  },
+  "CVE-2021-0129": {
+    "id": "CVE-2021-0129",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0129",
+    "severity": "Critical"
+  },
+  "CVE-2024-36940": {
+    "id": "CVE-2024-36940",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36940",
+    "severity": "Medium"
+  },
+  "CVE-2022-40897": {
+    "id": "CVE-2022-40897",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40897",
+    "severity": "High"
+  },
+  "CVE-2023-39929": {
+    "id": "CVE-2023-39929",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39929",
+    "severity": "Medium"
+  },
+  "CVE-2023-43787": {
+    "id": "CVE-2023-43787",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43787",
+    "severity": "Medium"
+  },
+  "CVE-2022-0897": {
+    "id": "CVE-2022-0897",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0897",
+    "severity": "Medium"
+  },
+  "CVE-2022-1271": {
+    "id": "CVE-2022-1271",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1271",
+    "severity": "High"
+  },
+  "CVE-2018-3848": {
+    "id": "CVE-2018-3848",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3848",
+    "severity": "High"
+  },
+  "CVE-2023-37920": {
+    "id": "CVE-2023-37920",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37920",
+    "severity": "High"
+  },
+  "CVE-2020-21687": {
+    "id": "CVE-2020-21687",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-21687",
+    "severity": "Medium"
+  },
+  "CVE-2022-24614": {
+    "id": "CVE-2022-24614",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24614",
+    "severity": "Medium"
+  },
+  "CVE-2023-1672": {
+    "id": "CVE-2023-1672",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1672",
+    "severity": "Medium"
+  },
+  "CVE-2021-32626": {
+    "id": "CVE-2021-32626",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32626",
+    "severity": "High"
+  },
+  "CVE-2019-12779": {
+    "id": "CVE-2019-12779",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12779",
+    "severity": "High"
+  },
+  "CVE-2020-15025": {
+    "id": "CVE-2020-15025",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15025",
+    "severity": "Medium"
+  },
+  "CVE-2022-30767": {
+    "id": "CVE-2022-30767",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30767",
+    "severity": "Critical"
+  },
+  "CVE-2021-3770": {
+    "id": "CVE-2021-3770",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3770",
+    "severity": "High"
+  },
+  "CVE-2020-26965": {
+    "id": "CVE-2020-26965",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26965",
+    "severity": "Medium"
+  },
+  "CVE-2020-24386": {
+    "id": "CVE-2020-24386",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24386",
+    "severity": "High"
+  },
+  "CVE-2022-40768": {
+    "id": "CVE-2022-40768",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40768",
+    "severity": "Medium"
+  },
+  "CVE-2023-52452": {
+    "id": "CVE-2023-52452",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52452",
+    "severity": "Medium"
+  },
+  "CVE-2020-11736": {
+    "id": "CVE-2020-11736",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11736",
+    "severity": "Low"
+  },
+  "CVE-2022-29167": {
+    "id": "CVE-2022-29167",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29167",
+    "severity": "High"
+  },
+  "CVE-2021-32066": {
+    "id": "CVE-2021-32066",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32066",
+    "severity": "High"
+  },
+  "CVE-2021-33634": {
+    "id": "CVE-2021-33634",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33634",
+    "severity": "Medium"
+  },
+  "CVE-2021-3181": {
+    "id": "CVE-2021-3181",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3181",
+    "severity": "Medium"
+  },
+  "CVE-2022-38023": {
+    "id": "CVE-2022-38023",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38023",
+    "severity": "High"
+  },
+  "CVE-2024-26825": {
+    "id": "CVE-2024-26825",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26825",
+    "severity": "Medium"
+  },
+  "CVE-2022-24839": {
+    "id": "CVE-2022-24839",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24839",
+    "severity": "High"
+  },
+  "CVE-2023-5178": {
+    "id": "CVE-2023-5178",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5178",
+    "severity": "Medium"
+  },
+  "CVE-2023-4785": {
+    "id": "CVE-2023-4785",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4785",
+    "severity": "High"
+  },
+  "CVE-2023-2879": {
+    "id": "CVE-2023-2879",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2879",
+    "severity": "High"
+  },
+  "CVE-2021-3479": {
+    "id": "CVE-2021-3479",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3479",
+    "severity": "Medium"
+  },
+  "CVE-2023-2856": {
+    "id": "CVE-2023-2856",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2856",
+    "severity": "Medium"
+  },
+  "CVE-2023-0687": {
+    "id": "CVE-2023-0687",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0687",
+    "severity": "Critical"
+  },
+  "CVE-2022-24736": {
+    "id": "CVE-2022-24736",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24736",
+    "severity": "High"
+  },
+  "CVE-2022-48566": {
+    "id": "CVE-2022-48566",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48566",
+    "severity": "High"
+  },
+  "CVE-2022-39282": {
+    "id": "CVE-2022-39282",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39282",
+    "severity": "High"
+  },
+  "CVE-2023-36617": {
+    "id": "CVE-2023-36617",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36617",
+    "severity": "Medium"
+  },
+  "CVE-2021-28965": {
+    "id": "CVE-2021-28965",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28965",
+    "severity": "High"
+  },
+  "CVE-2022-28199": {
+    "id": "CVE-2022-28199",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28199",
+    "severity": "High"
+  },
+  "CVE-2021-37600": {
+    "id": "CVE-2021-37600",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37600",
+    "severity": "Critical"
+  },
+  "CVE-2020-14422": {
+    "id": "CVE-2020-14422",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14422",
+    "severity": "High"
+  },
+  "CVE-2022-1735": {
+    "id": "CVE-2022-1735",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1735",
+    "severity": "High"
+  },
+  "CVE-2021-3660": {
+    "id": "CVE-2021-3660",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3660",
+    "severity": "Low"
+  },
+  "CVE-2020-15169": {
+    "id": "CVE-2020-15169",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15169",
+    "severity": "Medium"
+  },
+  "CVE-2022-1011": {
+    "id": "CVE-2022-1011",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1011",
+    "severity": "High"
+  },
+  "CVE-2022-36879": {
+    "id": "CVE-2022-36879",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36879",
+    "severity": "Medium"
+  },
+  "CVE-2023-22045": {
+    "id": "CVE-2023-22045",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22045",
+    "severity": "Medium"
+  },
+  "CVE-2024-0690": {
+    "id": "CVE-2024-0690",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0690",
+    "severity": "Medium"
+  },
+  "CVE-2021-3246": {
+    "id": "CVE-2021-3246",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3246",
+    "severity": "High"
+  },
+  "CVE-2022-39320": {
+    "id": "CVE-2022-39320",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39320",
+    "severity": "Critical"
+  },
+  "CVE-2022-32547": {
+    "id": "CVE-2022-32547",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32547",
+    "severity": "High"
+  },
+  "CVE-2022-3756": {
+    "id": "CVE-2022-3756",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3756",
+    "severity": "High"
+  },
+  "CVE-2022-0685": {
+    "id": "CVE-2022-0685",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0685",
+    "severity": "High"
+  },
+  "CVE-2023-46246": {
+    "id": "CVE-2023-46246",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46246",
+    "severity": "Low"
+  },
+  "CVE-2023-0394": {
+    "id": "CVE-2023-0394",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0394",
+    "severity": "Medium"
+  },
+  "CVE-2019-18853": {
+    "id": "CVE-2019-18853",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18853",
+    "severity": "Low"
+  },
+  "CVE-2020-7062": {
+    "id": "CVE-2020-7062",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7062",
+    "severity": "High"
+  },
+  "CVE-2024-0553": {
+    "id": "CVE-2024-0553",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0553",
+    "severity": "Medium"
+  },
+  "CVE-2021-3468": {
+    "id": "CVE-2021-3468",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3468",
+    "severity": "Medium"
+  },
+  "CVE-2022-24302": {
+    "id": "CVE-2022-24302",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24302",
+    "severity": "Medium"
+  },
+  "CVE-2021-30129": {
+    "id": "CVE-2021-30129",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30129",
+    "severity": "Medium"
+  },
+  "CVE-2022-30630": {
+    "id": "CVE-2022-30630",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30630",
+    "severity": "Medium"
+  },
+  "CVE-2019-12293": {
+    "id": "CVE-2019-12293",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12293",
+    "severity": "High"
+  },
+  "CVE-2023-32324": {
+    "id": "CVE-2023-32324",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32324",
+    "severity": "High"
+  },
+  "CVE-2019-14822": {
+    "id": "CVE-2019-14822",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14822",
+    "severity": "High"
+  },
+  "CVE-2021-36217": {
+    "id": "CVE-2021-36217",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36217",
+    "severity": "Medium"
+  },
+  "CVE-2021-22945": {
+    "id": "CVE-2021-22945",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22945",
+    "severity": "Medium"
+  },
+  "CVE-2023-44444": {
+    "id": "CVE-2023-44444",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44444",
+    "severity": "High"
+  },
+  "CVE-2022-40743": {
+    "id": "CVE-2022-40743",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40743",
+    "severity": "High"
+  },
+  "CVE-2023-28617": {
+    "id": "CVE-2023-28617",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28617",
+    "severity": "Critical"
+  },
+  "CVE-2023-33733": {
+    "id": "CVE-2023-33733",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33733",
+    "severity": "High"
+  },
+  "CVE-2020-27764": {
+    "id": "CVE-2020-27764",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27764",
+    "severity": "Medium"
+  },
+  "CVE-2023-39418": {
+    "id": "CVE-2023-39418",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39418",
+    "severity": "High"
+  },
+  "CVE-2022-41717": {
+    "id": "CVE-2022-41717",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717",
+    "severity": "Medium"
+  },
+  "CVE-2023-24329": {
+    "id": "CVE-2023-24329",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24329",
+    "severity": "High"
+  },
+  "CVE-2024-28085": {
+    "id": "CVE-2024-28085",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28085",
+    "severity": "Low"
+  },
+  "CVE-2021-20269": {
+    "id": "CVE-2021-20269",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20269",
+    "severity": "Medium"
+  },
+  "CVE-2021-42781": {
+    "id": "CVE-2021-42781",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42781",
+    "severity": "Medium"
+  },
+  "CVE-2021-3631": {
+    "id": "CVE-2021-3631",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3631",
+    "severity": "Medium"
+  },
+  "CVE-2020-28914": {
+    "id": "CVE-2020-28914",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28914",
+    "severity": "High"
+  },
+  "CVE-2021-0146": {
+    "id": "CVE-2021-0146",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0146",
+    "severity": "High"
+  },
+  "CVE-2021-36374": {
+    "id": "CVE-2021-36374",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36374",
+    "severity": "Medium"
+  },
+  "CVE-2022-27664": {
+    "id": "CVE-2022-27664",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664",
+    "severity": "High"
+  },
+  "CVE-2021-3544": {
+    "id": "CVE-2021-3544",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3544",
+    "severity": "High"
+  },
+  "CVE-2022-3775": {
+    "id": "CVE-2022-3775",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3775",
+    "severity": "Medium"
+  },
+  "CVE-2023-0464": {
+    "id": "CVE-2023-0464",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0464",
+    "severity": "High"
+  },
+  "CVE-2022-0436": {
+    "id": "CVE-2022-0436",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0436",
+    "severity": "Medium"
+  },
+  "CVE-2023-26136": {
+    "id": "CVE-2023-26136",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136",
+    "severity": "Critical"
+  },
+  "CVE-2024-1597": {
+    "id": "CVE-2024-1597",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1597",
+    "severity": "Critical"
+  },
+  "CVE-2022-47024": {
+    "id": "CVE-2022-47024",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47024",
+    "severity": "High"
+  },
+  "CVE-2021-33516": {
+    "id": "CVE-2021-33516",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33516",
+    "severity": "High"
+  },
+  "CVE-2023-5981": {
+    "id": "CVE-2023-5981",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5981",
+    "severity": "Medium"
+  },
+  "CVE-2022-48624": {
+    "id": "CVE-2022-48624",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48624",
+    "severity": "Low"
+  },
+  "CVE-2023-21967": {
+    "id": "CVE-2023-21967",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21967",
+    "severity": "Medium"
+  },
+  "CVE-2023-22084": {
+    "id": "CVE-2023-22084",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22084",
+    "severity": "Medium"
+  },
+  "CVE-2022-24070": {
+    "id": "CVE-2022-24070",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24070",
+    "severity": "Medium"
+  },
+  "CVE-2022-42890": {
+    "id": "CVE-2022-42890",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42890",
+    "severity": "High"
+  },
+  "CVE-2017-17446": {
+    "id": "CVE-2017-17446",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17446",
+    "severity": "Medium"
+  },
+  "CVE-2020-26298": {
+    "id": "CVE-2020-26298",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26298",
+    "severity": "Medium"
+  },
+  "CVE-2022-40320": {
+    "id": "CVE-2022-40320",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40320",
+    "severity": "High"
+  },
+  "CVE-2024-1298": {
+    "id": "CVE-2024-1298",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1298",
+    "severity": "Medium"
+  },
+  "CVE-2022-42004": {
+    "id": "CVE-2022-42004",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
+    "severity": "High"
+  },
+  "CVE-2024-27305": {
+    "id": "CVE-2024-27305",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27305",
+    "severity": "Medium"
+  },
+  "CVE-2023-23946": {
+    "id": "CVE-2023-23946",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23946",
+    "severity": "Medium"
+  },
+  "CVE-2023-33204": {
+    "id": "CVE-2023-33204",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33204",
+    "severity": "High"
+  },
+  "CVE-2022-21624": {
+    "id": "CVE-2022-21624",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21624",
+    "severity": "Low"
+  },
+  "CVE-2023-39742": {
+    "id": "CVE-2023-39742",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39742",
+    "severity": "Medium"
+  },
+  "CVE-2021-21704": {
+    "id": "CVE-2021-21704",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21704",
+    "severity": "Medium"
+  },
+  "CVE-2022-3643": {
+    "id": "CVE-2022-3643",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3643",
+    "severity": "Critical"
+  },
+  "CVE-2020-15999": {
+    "id": "CVE-2020-15999",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15999",
+    "severity": "High"
+  },
+  "CVE-2022-28356": {
+    "id": "CVE-2022-28356",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28356",
+    "severity": "High"
+  },
+  "CVE-2023-4921": {
+    "id": "CVE-2023-4921",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4921",
+    "severity": "Medium"
+  },
+  "CVE-2020-15049": {
+    "id": "CVE-2020-15049",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15049",
+    "severity": "High"
+  },
+  "CVE-2022-3204": {
+    "id": "CVE-2022-3204",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3204",
+    "severity": "High"
+  },
+  "CVE-2021-20229": {
+    "id": "CVE-2021-20229",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20229",
+    "severity": "Medium"
+  },
+  "CVE-2022-37434": {
+    "id": "CVE-2022-37434",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37434",
+    "severity": "Critical"
+  },
+  "CVE-2022-27223": {
+    "id": "CVE-2022-27223",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27223",
+    "severity": "Medium"
+  },
+  "CVE-2023-2828": {
+    "id": "CVE-2023-2828",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2828",
+    "severity": "High"
+  },
+  "CVE-2022-32221": {
+    "id": "CVE-2022-32221",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32221",
+    "severity": "Medium"
+  },
+  "CVE-2023-24538": {
+    "id": "CVE-2023-24538",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24538",
+    "severity": "High"
+  },
+  "CVE-2022-23634": {
+    "id": "CVE-2022-23634",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23634",
+    "severity": "Medium"
+  },
+  "CVE-2022-2845": {
+    "id": "CVE-2022-2845",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2845",
+    "severity": "High"
+  },
+  "CVE-2021-4209": {
+    "id": "CVE-2021-4209",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4209",
+    "severity": "Medium"
+  },
+  "CVE-2023-2008": {
+    "id": "CVE-2023-2008",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2008",
+    "severity": "High"
+  },
+  "CVE-2022-23037": {
+    "id": "CVE-2022-23037",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23037",
+    "severity": "Medium"
+  },
+  "CVE-2023-6481": {
+    "id": "CVE-2023-6481",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6481",
+    "severity": "High"
+  },
+  "CVE-2023-46316": {
+    "id": "CVE-2023-46316",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46316",
+    "severity": "Critical"
+  },
+  "CVE-2022-39956": {
+    "id": "CVE-2022-39956",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39956",
+    "severity": "Critical"
+  },
+  "CVE-2021-3565": {
+    "id": "CVE-2021-3565",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3565",
+    "severity": "Medium"
+  },
+  "CVE-2021-39537": {
+    "id": "CVE-2021-39537",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39537",
+    "severity": "High"
+  },
+  "CVE-2020-18442": {
+    "id": "CVE-2020-18442",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-18442",
+    "severity": "Medium"
+  },
+  "CVE-2023-46045": {
+    "id": "CVE-2023-46045",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46045",
+    "severity": "Low"
+  },
+  "CVE-2021-42097": {
+    "id": "CVE-2021-42097",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42097",
+    "severity": "Medium"
+  },
+  "CVE-2023-1786": {
+    "id": "CVE-2023-1786",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1786",
+    "severity": "Medium"
+  },
+  "CVE-2022-48303": {
+    "id": "CVE-2022-48303",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48303",
+    "severity": "High"
+  },
+  "CVE-2021-4192": {
+    "id": "CVE-2021-4192",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4192",
+    "severity": "High"
+  },
+  "CVE-2023-3446": {
+    "id": "CVE-2023-3446",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3446",
+    "severity": "Medium"
+  },
+  "CVE-2023-30861": {
+    "id": "CVE-2023-30861",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30861",
+    "severity": "High"
+  },
+  "CVE-2021-36090": {
+    "id": "CVE-2021-36090",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36090",
+    "severity": "High"
+  },
+  "CVE-2020-27840": {
+    "id": "CVE-2020-27840",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27840",
+    "severity": "High"
+  },
+  "CVE-2022-39188": {
+    "id": "CVE-2022-39188",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39188",
+    "severity": "Medium"
+  },
+  "CVE-2021-40330": {
+    "id": "CVE-2021-40330",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40330",
+    "severity": "High"
+  },
+  "CVE-2022-2255": {
+    "id": "CVE-2022-2255",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2255",
+    "severity": "Medium"
+  },
+  "CVE-2020-11523": {
+    "id": "CVE-2020-11523",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11523",
+    "severity": "Medium"
+  },
+  "CVE-2024-3177": {
+    "id": "CVE-2024-3177",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3177",
+    "severity": "Low"
+  },
+  "CVE-2023-28642": {
+    "id": "CVE-2023-28642",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28642",
+    "severity": "Medium"
+  },
+  "CVE-2019-0210": {
+    "id": "CVE-2019-0210",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0210",
+    "severity": "High"
+  },
+  "CVE-2022-2586": {
+    "id": "CVE-2022-2586",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2586",
+    "severity": "High"
+  },
+  "CVE-2021-20305": {
+    "id": "CVE-2021-20305",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20305",
+    "severity": "High"
+  },
+  "CVE-2022-4065": {
+    "id": "CVE-2022-4065",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4065",
+    "severity": "High"
+  },
+  "CVE-2021-31535": {
+    "id": "CVE-2021-31535",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31535",
+    "severity": "Critical"
+  },
+  "CVE-2024-35943": {
+    "id": "CVE-2024-35943",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35943",
+    "severity": "Medium"
+  },
+  "CVE-2022-25255": {
+    "id": "CVE-2022-25255",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255",
+    "severity": "High"
+  },
+  "CVE-2023-2985": {
+    "id": "CVE-2023-2985",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2985",
+    "severity": "Medium"
+  },
+  "CVE-2022-3650": {
+    "id": "CVE-2022-3650",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3650",
+    "severity": "Low"
+  },
+  "CVE-2022-4095": {
+    "id": "CVE-2022-4095",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4095",
+    "severity": "High"
+  },
+  "CVE-2021-3782": {
+    "id": "CVE-2021-3782",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3782",
+    "severity": "Medium"
+  },
+  "CVE-2022-43358": {
+    "id": "CVE-2022-43358",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43358",
+    "severity": "High"
+  },
+  "CVE-2024-35221": {
+    "id": "CVE-2024-35221",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35221",
+    "severity": "Medium"
+  },
+  "CVE-2023-0590": {
+    "id": "CVE-2023-0590",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0590",
+    "severity": "Medium"
+  },
+  "CVE-2021-4156": {
+    "id": "CVE-2021-4156",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4156",
+    "severity": "High"
+  },
+  "CVE-2023-2728": {
+    "id": "CVE-2023-2728",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2728",
+    "severity": "Medium"
+  },
+  "CVE-2020-17380": {
+    "id": "CVE-2020-17380",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17380",
+    "severity": "Medium"
+  },
+  "CVE-2022-33070": {
+    "id": "CVE-2022-33070",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33070",
+    "severity": "Medium"
+  },
+  "CVE-2021-33503": {
+    "id": "CVE-2021-33503",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33503",
+    "severity": "High"
+  },
+  "CVE-2024-26811": {
+    "id": "CVE-2024-26811",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26811",
+    "severity": "High"
+  },
+  "CVE-2021-32028": {
+    "id": "CVE-2021-32028",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32028",
+    "severity": "Medium"
+  },
+  "CVE-2021-46784": {
+    "id": "CVE-2021-46784",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46784",
+    "severity": "High"
+  },
+  "CVE-2022-2639": {
+    "id": "CVE-2022-2639",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2639",
+    "severity": "High"
+  },
+  "CVE-2023-34967": {
+    "id": "CVE-2023-34967",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34967",
+    "severity": "Medium"
+  },
+  "CVE-2022-21949": {
+    "id": "CVE-2022-21949",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21949",
+    "severity": "High"
+  },
+  "CVE-2022-3213": {
+    "id": "CVE-2022-3213",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3213",
+    "severity": "Medium"
+  },
+  "CVE-2023-47212": {
+    "id": "CVE-2023-47212",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47212",
+    "severity": "High"
+  },
+  "CVE-2024-2961": {
+    "id": "CVE-2024-2961",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2961",
+    "severity": "High"
+  },
+  "CVE-2021-38185": {
+    "id": "CVE-2021-38185",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38185",
+    "severity": "High"
+  },
+  "CVE-2021-27923": {
+    "id": "CVE-2021-27923",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27923",
+    "severity": "Medium"
+  },
+  "CVE-2021-47477": {
+    "id": "CVE-2021-47477",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47477",
+    "severity": "Medium"
+  },
+  "CVE-2013-4235": {
+    "id": "CVE-2013-4235",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4235",
+    "severity": "Medium"
+  },
+  "CVE-2021-3781": {
+    "id": "CVE-2021-3781",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3781",
+    "severity": "Critical"
+  },
+  "CVE-2021-23343": {
+    "id": "CVE-2021-23343",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23343",
+    "severity": "High"
+  },
+  "CVE-2020-25721": {
+    "id": "CVE-2020-25721",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25721",
+    "severity": "Medium"
+  },
+  "CVE-2021-28650": {
+    "id": "CVE-2021-28650",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28650",
+    "severity": "Medium"
+  },
+  "CVE-2023-32763": {
+    "id": "CVE-2023-32763",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763",
+    "severity": "High"
+  },
+  "CVE-2022-2509": {
+    "id": "CVE-2022-2509",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2509",
+    "severity": "High"
+  },
+  "CVE-2020-17437": {
+    "id": "CVE-2020-17437",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17437",
+    "severity": "High"
+  },
+  "CVE-2022-40674": {
+    "id": "CVE-2022-40674",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40674",
+    "severity": "Critical"
+  },
+  "CVE-2020-8031": {
+    "id": "CVE-2020-8031",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8031",
+    "severity": "Medium"
+  },
+  "CVE-2023-46049": {
+    "id": "CVE-2023-46049",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46049",
+    "severity": "Low"
+  },
+  "CVE-2021-38604": {
+    "id": "CVE-2021-38604",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38604",
+    "severity": "High"
+  },
+  "CVE-2023-36191": {
+    "id": "CVE-2023-36191",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36191",
+    "severity": "Medium"
+  },
+  "CVE-2023-43665": {
+    "id": "CVE-2023-43665",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43665",
+    "severity": "Medium"
+  },
+  "CVE-2021-30641": {
+    "id": "CVE-2021-30641",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30641",
+    "severity": "Medium"
+  },
+  "CVE-2021-20298": {
+    "id": "CVE-2021-20298",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20298",
+    "severity": "High"
+  },
+  "CVE-2023-32681": {
+    "id": "CVE-2023-32681",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32681",
+    "severity": "Medium"
+  },
+  "CVE-2019-17531": {
+    "id": "CVE-2019-17531",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17531",
+    "severity": "Critical"
+  },
+  "CVE-2023-34153": {
+    "id": "CVE-2023-34153",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34153",
+    "severity": "Medium"
+  },
+  "CVE-2023-40890": {
+    "id": "CVE-2023-40890",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40890",
+    "severity": "Critical"
+  },
+  "CVE-2023-20197": {
+    "id": "CVE-2023-20197",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20197",
+    "severity": "High"
+  },
+  "CVE-2021-41819": {
+    "id": "CVE-2021-41819",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41819",
+    "severity": "High"
+  },
+  "CVE-2016-1000104": {
+    "id": "CVE-2016-1000104",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000104",
+    "severity": "High"
+  },
+  "CVE-2024-24786": {
+    "id": "CVE-2024-24786",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24786",
+    "severity": "High"
+  },
+  "CVE-2024-26641": {
+    "id": "CVE-2024-26641",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26641",
+    "severity": "Low"
+  },
+  "CVE-2021-23177": {
+    "id": "CVE-2021-23177",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23177",
+    "severity": "Medium"
+  },
+  "CVE-2021-44964": {
+    "id": "CVE-2021-44964",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44964",
+    "severity": "Medium"
+  },
+  "CVE-2021-33656": {
+    "id": "CVE-2021-33656",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33656",
+    "severity": "Medium"
+  },
+  "CVE-2021-2441": {
+    "id": "CVE-2021-2441",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-2441",
+    "severity": "Medium"
+  },
+  "CVE-2022-22815": {
+    "id": "CVE-2022-22815",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22815",
+    "severity": "Critical"
+  },
+  "CVE-2022-2906": {
+    "id": "CVE-2022-2906",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2906",
+    "severity": "High"
+  },
+  "CVE-2019-13173": {
+    "id": "CVE-2019-13173",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13173",
+    "severity": "High"
+  },
+  "CVE-2022-0561": {
+    "id": "CVE-2022-0561",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0561",
+    "severity": "Medium"
+  },
+  "CVE-2023-48795": {
+    "id": "CVE-2023-48795",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48795",
+    "severity": "Medium"
+  },
+  "CVE-2022-27455": {
+    "id": "CVE-2022-27455",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27455",
+    "severity": "High"
+  },
+  "CVE-2021-23980": {
+    "id": "CVE-2021-23980",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23980",
+    "severity": "Medium"
+  },
+  "CVE-2010-3996": {
+    "id": "CVE-2010-3996",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3996",
+    "severity": "High"
+  },
+  "CVE-2023-4039": {
+    "id": "CVE-2023-4039",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039",
+    "severity": "Medium"
+  },
+  "CVE-2022-32743": {
+    "id": "CVE-2022-32743",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32743",
+    "severity": "Medium"
+  },
+  "CVE-2023-49994": {
+    "id": "CVE-2023-49994",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49994",
+    "severity": "Medium"
+  },
+  "CVE-2021-26690": {
+    "id": "CVE-2021-26690",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26690",
+    "severity": "High"
+  },
+  "CVE-2022-23471": {
+    "id": "CVE-2022-23471",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23471",
+    "severity": "Medium"
+  },
+  "CVE-2021-4048": {
+    "id": "CVE-2021-4048",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4048",
+    "severity": "Medium"
+  },
+  "CVE-2022-29170": {
+    "id": "CVE-2022-29170",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29170",
+    "severity": "High"
+  },
+  "CVE-2023-42755": {
+    "id": "CVE-2023-42755",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42755",
+    "severity": "Medium"
+  },
+  "CVE-2023-1281": {
+    "id": "CVE-2023-1281",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1281",
+    "severity": "Medium"
+  },
+  "CVE-2022-31107": {
+    "id": "CVE-2022-31107",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31107",
+    "severity": "High"
+  },
+  "CVE-2021-29464": {
+    "id": "CVE-2021-29464",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29464",
+    "severity": "Medium"
+  },
+  "CVE-2019-19308": {
+    "id": "CVE-2019-19308",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19308",
+    "severity": "Medium"
+  },
+  "CVE-2023-35887": {
+    "id": "CVE-2023-35887",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35887",
+    "severity": "Medium"
+  },
+  "CVE-2022-4744": {
+    "id": "CVE-2022-4744",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4744",
+    "severity": "Medium"
+  },
+  "CVE-2022-22824": {
+    "id": "CVE-2022-22824",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22824",
+    "severity": "Critical"
+  },
+  "CVE-2019-20379": {
+    "id": "CVE-2019-20379",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20379",
+    "severity": "Medium"
+  },
+  "CVE-2019-11040": {
+    "id": "CVE-2019-11040",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11040",
+    "severity": "High"
+  },
+  "CVE-2020-14410": {
+    "id": "CVE-2020-14410",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14410",
+    "severity": "High"
+  },
+  "CVE-2021-46848": {
+    "id": "CVE-2021-46848",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46848",
+    "severity": "Critical"
+  },
+  "CVE-2023-40551": {
+    "id": "CVE-2023-40551",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40551",
+    "severity": "High"
+  },
+  "CVE-2023-25690": {
+    "id": "CVE-2023-25690",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25690",
+    "severity": "Medium"
+  },
+  "CVE-2018-1313": {
+    "id": "CVE-2018-1313",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1313",
+    "severity": "Medium"
+  },
+  "CVE-2023-31484": {
+    "id": "CVE-2023-31484",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31484",
+    "severity": "High"
+  },
+  "CVE-2023-45803": {
+    "id": "CVE-2023-45803",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45803",
+    "severity": "Medium"
+  },
+  "CVE-2024-26898": {
+    "id": "CVE-2024-26898",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26898",
+    "severity": "Medium"
+  },
+  "CVE-2023-29007": {
+    "id": "CVE-2023-29007",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29007",
+    "severity": "High"
+  },
+  "CVE-2021-37136": {
+    "id": "CVE-2021-37136",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37136",
+    "severity": "High"
+  },
+  "CVE-2019-12295": {
+    "id": "CVE-2019-12295",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12295",
+    "severity": "High"
+  },
+  "CVE-2020-27779": {
+    "id": "CVE-2020-27779",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27779",
+    "severity": "High"
+  },
+  "CVE-2021-41098": {
+    "id": "CVE-2021-41098",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41098",
+    "severity": "High"
+  },
+  "CVE-2023-22794": {
+    "id": "CVE-2023-22794",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22794",
+    "severity": "High"
+  },
+  "CVE-2024-24814": {
+    "id": "CVE-2024-24814",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24814",
+    "severity": "High"
+  },
+  "CVE-2023-31047": {
+    "id": "CVE-2023-31047",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31047",
+    "severity": "Critical"
+  },
+  "CVE-2022-0699": {
+    "id": "CVE-2022-0699",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0699",
+    "severity": "Medium"
+  },
+  "CVE-2023-52622": {
+    "id": "CVE-2023-52622",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52622",
+    "severity": "Medium"
+  },
+  "CVE-2019-3881": {
+    "id": "CVE-2019-3881",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3881",
+    "severity": "High"
+  },
+  "CVE-2023-5678": {
+    "id": "CVE-2023-5678",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678",
+    "severity": "Medium"
+  },
+  "CVE-2022-39176": {
+    "id": "CVE-2022-39176",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39176",
+    "severity": "Medium"
+  },
+  "CVE-2021-43521": {
+    "id": "CVE-2021-43521",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43521",
+    "severity": "High"
+  },
+  "CVE-2021-20299": {
+    "id": "CVE-2021-20299",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20299",
+    "severity": "High"
+  },
+  "CVE-2023-7008": {
+    "id": "CVE-2023-7008",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7008",
+    "severity": "Medium"
+  },
+  "CVE-2021-41617": {
+    "id": "CVE-2021-41617",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41617",
+    "severity": "High"
+  },
+  "CVE-2020-6851": {
+    "id": "CVE-2020-6851",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6851",
+    "severity": "High"
+  },
+  "CVE-2021-33629": {
+    "id": "CVE-2021-33629",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33629",
+    "severity": "Low"
+  },
+  "CVE-2024-32462": {
+    "id": "CVE-2024-32462",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32462",
+    "severity": "High"
+  },
+  "CVE-2023-37328": {
+    "id": "CVE-2023-37328",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37328",
+    "severity": "Medium"
+  },
+  "CVE-2021-28165": {
+    "id": "CVE-2021-28165",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28165",
+    "severity": "High"
+  },
+  "CVE-2024-21087": {
+    "id": "CVE-2024-21087",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21087",
+    "severity": "Medium"
+  },
+  "CVE-2022-21540": {
+    "id": "CVE-2022-21540",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21540",
+    "severity": "High"
+  },
+  "CVE-2022-40898": {
+    "id": "CVE-2022-40898",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40898",
+    "severity": "High"
+  },
+  "CVE-2018-16438": {
+    "id": "CVE-2018-16438",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16438",
+    "severity": "High"
+  },
+  "CVE-2021-46829": {
+    "id": "CVE-2021-46829",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46829",
+    "severity": "High"
+  },
+  "CVE-2021-22930": {
+    "id": "CVE-2021-22930",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22930",
+    "severity": "High"
+  },
+  "CVE-2022-3577": {
+    "id": "CVE-2022-3577",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3577",
+    "severity": "Medium"
+  },
+  "CVE-2022-1354": {
+    "id": "CVE-2022-1354",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1354",
+    "severity": "Medium"
+  },
+  "CVE-2016-9841": {
+    "id": "CVE-2016-9841",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9841",
+    "severity": "Critical"
+  },
+  "CVE-2022-24806": {
+    "id": "CVE-2022-24806",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24806",
+    "severity": "Medium"
+  },
+  "CVE-2020-16117": {
+    "id": "CVE-2020-16117",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16117",
+    "severity": "Medium"
+  },
+  "CVE-2020-24372": {
+    "id": "CVE-2020-24372",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24372",
+    "severity": "High"
+  },
+  "CVE-2021-36740": {
+    "id": "CVE-2021-36740",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36740",
+    "severity": "Medium"
+  },
+  "CVE-2023-0416": {
+    "id": "CVE-2023-0416",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0416",
+    "severity": "High"
+  },
+  "CVE-2022-41859": {
+    "id": "CVE-2022-41859",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41859",
+    "severity": "High"
+  },
+  "CVE-2022-1962": {
+    "id": "CVE-2022-1962",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1962",
+    "severity": "Medium"
+  },
+  "CVE-2023-25577": {
+    "id": "CVE-2023-25577",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25577",
+    "severity": "Low"
+  },
+  "CVE-2021-3520": {
+    "id": "CVE-2021-3520",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3520",
+    "severity": "Critical"
+  },
+  "CVE-2022-34481": {
+    "id": "CVE-2022-34481",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34481",
+    "severity": "High"
+  },
+  "CVE-2021-21347": {
+    "id": "CVE-2021-21347",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21347",
+    "severity": "Critical"
+  },
+  "CVE-2023-2004": {
+    "id": "CVE-2023-2004",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2004",
+    "severity": "Medium"
+  },
+  "CVE-2021-27803": {
+    "id": "CVE-2021-27803",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27803",
+    "severity": "High"
+  },
+  "CVE-2022-21673": {
+    "id": "CVE-2022-21673",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21673",
+    "severity": "Medium"
+  },
+  "CVE-2020-24512": {
+    "id": "CVE-2020-24512",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24512",
+    "severity": "Medium"
+  },
+  "CVE-2022-41953": {
+    "id": "CVE-2022-41953",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41953",
+    "severity": "High"
+  },
+  "CVE-2023-5217": {
+    "id": "CVE-2023-5217",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5217",
+    "severity": "High"
+  },
+  "CVE-2021-38114": {
+    "id": "CVE-2021-38114",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38114",
+    "severity": "Medium"
+  },
+  "CVE-2018-25032": {
+    "id": "CVE-2018-25032",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25032",
+    "severity": "High"
+  },
+  "CVE-2021-2007": {
+    "id": "CVE-2021-2007",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-2007",
+    "severity": "Medium"
+  },
+  "CVE-2022-36765": {
+    "id": "CVE-2022-36765",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36765",
+    "severity": "High"
+  },
+  "CVE-2023-24540": {
+    "id": "CVE-2023-24540",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24540",
+    "severity": "High"
+  },
+  "CVE-2022-23303": {
+    "id": "CVE-2022-23303",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23303",
+    "severity": "Critical"
+  },
+  "CVE-2023-4863": {
+    "id": "CVE-2023-4863",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4863",
+    "severity": "High"
+  },
+  "CVE-2023-39368": {
+    "id": "CVE-2023-39368",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39368",
+    "severity": "Medium"
+  },
+  "CVE-2022-47630": {
+    "id": "CVE-2022-47630",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47630",
+    "severity": "High"
+  },
+  "CVE-2024-4418": {
+    "id": "CVE-2024-4418",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4418",
+    "severity": "Medium"
+  },
+  "CVE-2021-32563": {
+    "id": "CVE-2021-32563",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32563",
+    "severity": "Critical"
+  },
+  "CVE-2022-21618": {
+    "id": "CVE-2022-21618",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21618",
+    "severity": "Medium"
+  },
+  "CVE-2022-24407": {
+    "id": "CVE-2022-24407",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24407",
+    "severity": "Critical"
+  },
+  "CVE-2023-25330": {
+    "id": "CVE-2023-25330",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25330",
+    "severity": "Critical"
+  },
+  "CVE-2023-3428": {
+    "id": "CVE-2023-3428",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3428",
+    "severity": "Medium"
+  },
+  "CVE-2022-21426": {
+    "id": "CVE-2022-21426",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21426",
+    "severity": "Medium"
+  },
+  "CVE-2022-31163": {
+    "id": "CVE-2022-31163",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31163",
+    "severity": "High"
+  },
+  "CVE-2023-30362": {
+    "id": "CVE-2023-30362",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30362",
+    "severity": "High"
+  },
+  "CVE-2020-25651": {
+    "id": "CVE-2020-25651",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25651",
+    "severity": "Medium"
+  },
+  "CVE-2021-43860": {
+    "id": "CVE-2021-43860",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43860",
+    "severity": "High"
+  },
+  "CVE-2022-23773": {
+    "id": "CVE-2022-23773",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23773",
+    "severity": "High"
+  },
+  "CVE-2022-28893": {
+    "id": "CVE-2022-28893",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28893",
+    "severity": "High"
+  },
+  "CVE-2021-25122": {
+    "id": "CVE-2021-25122",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25122",
+    "severity": "High"
+  },
+  "CVE-2019-15892": {
+    "id": "CVE-2019-15892",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15892",
+    "severity": "High"
+  },
+  "CVE-2021-3596": {
+    "id": "CVE-2021-3596",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3596",
+    "severity": "Medium"
+  },
+  "CVE-2021-3670": {
+    "id": "CVE-2021-3670",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3670",
+    "severity": "Medium"
+  },
+  "CVE-2021-41092": {
+    "id": "CVE-2021-41092",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41092",
+    "severity": "Medium"
+  },
+  "CVE-2022-0213": {
+    "id": "CVE-2022-0213",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0213",
+    "severity": "High"
+  },
+  "CVE-2023-31122": {
+    "id": "CVE-2023-31122",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31122",
+    "severity": "Critical"
+  },
+  "CVE-2023-25567": {
+    "id": "CVE-2023-25567",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25567",
+    "severity": "Medium"
+  },
+  "CVE-2024-22365": {
+    "id": "CVE-2024-22365",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22365",
+    "severity": "Medium"
+  },
+  "CVE-2022-37026": {
+    "id": "CVE-2022-37026",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37026",
+    "severity": "Critical"
+  },
+  "CVE-2023-23931": {
+    "id": "CVE-2023-23931",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23931",
+    "severity": "Medium"
+  },
+  "CVE-2023-39804": {
+    "id": "CVE-2023-39804",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39804",
+    "severity": "Low"
+  },
+  "CVE-2021-28211": {
+    "id": "CVE-2021-28211",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28211",
+    "severity": "Medium"
+  },
+  "CVE-2022-2995": {
+    "id": "CVE-2022-2995",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2995",
+    "severity": "High"
+  },
+  "CVE-2021-47229": {
+    "id": "CVE-2021-47229",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47229",
+    "severity": "Medium"
+  },
+  "CVE-2023-4056": {
+    "id": "CVE-2023-4056",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4056",
+    "severity": "High"
+  },
+  "CVE-2023-52604": {
+    "id": "CVE-2023-52604",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52604",
+    "severity": "High"
+  },
+  "CVE-2021-3672": {
+    "id": "CVE-2021-3672",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3672",
+    "severity": "Medium"
+  },
+  "CVE-2024-3652": {
+    "id": "CVE-2024-3652",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3652",
+    "severity": "Low"
+  },
+  "CVE-2020-36430": {
+    "id": "CVE-2020-36430",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36430",
+    "severity": "High"
+  },
+  "CVE-2023-43804": {
+    "id": "CVE-2023-43804",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43804",
+    "severity": "Medium"
+  },
+  "CVE-2023-28840": {
+    "id": "CVE-2023-28840",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28840",
+    "severity": "Medium"
+  },
+  "CVE-2019-12521": {
+    "id": "CVE-2019-12521",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12521",
+    "severity": "Medium"
+  },
+  "CVE-2021-3905": {
+    "id": "CVE-2021-3905",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3905",
+    "severity": "High"
+  },
+  "CVE-2022-22827": {
+    "id": "CVE-2022-22827",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22827",
+    "severity": "High"
+  },
+  "CVE-2021-42260": {
+    "id": "CVE-2021-42260",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42260",
+    "severity": "High"
+  },
+  "CVE-2024-38607": {
+    "id": "CVE-2024-38607",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38607",
+    "severity": "Medium"
+  },
+  "CVE-2021-47355": {
+    "id": "CVE-2021-47355",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47355",
+    "severity": "Medium"
+  },
+  "CVE-2020-36386": {
+    "id": "CVE-2020-36386",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36386",
+    "severity": "Medium"
+  },
+  "CVE-2023-40225": {
+    "id": "CVE-2023-40225",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40225",
+    "severity": "High"
+  },
+  "CVE-2023-43040": {
+    "id": "CVE-2023-43040",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43040",
+    "severity": "Low"
+  },
+  "CVE-2022-45199": {
+    "id": "CVE-2022-45199",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45199",
+    "severity": "High"
+  },
+  "CVE-2019-13574": {
+    "id": "CVE-2019-13574",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13574",
+    "severity": "High"
+  },
+  "CVE-2023-0465": {
+    "id": "CVE-2023-0465",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0465",
+    "severity": "High"
+  },
+  "CVE-2021-36086": {
+    "id": "CVE-2021-36086",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36086",
+    "severity": "Low"
+  },
+  "CVE-2022-1705": {
+    "id": "CVE-2022-1705",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1705",
+    "severity": "Medium"
+  },
+  "CVE-2022-28330": {
+    "id": "CVE-2022-28330",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28330",
+    "severity": "Medium"
+  },
+  "CVE-2022-23181": {
+    "id": "CVE-2022-23181",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23181",
+    "severity": "High"
+  },
+  "CVE-2024-38636": {
+    "id": "CVE-2024-38636",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38636",
+    "severity": "High"
+  },
+  "CVE-2022-2309": {
+    "id": "CVE-2022-2309",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2309",
+    "severity": "High"
+  },
+  "CVE-2024-3447": {
+    "id": "CVE-2024-3447",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3447",
+    "severity": "Medium"
+  },
+  "CVE-2021-3570": {
+    "id": "CVE-2021-3570",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3570",
+    "severity": "High"
+  },
+  "CVE-2020-10001": {
+    "id": "CVE-2020-10001",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10001",
+    "severity": "Medium"
+  },
+  "CVE-2020-28491": {
+    "id": "CVE-2020-28491",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28491",
+    "severity": "High"
+  },
+  "CVE-2019-12519": {
+    "id": "CVE-2019-12519",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12519",
+    "severity": "Critical"
+  },
+  "CVE-2023-0615": {
+    "id": "CVE-2023-0615",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0615",
+    "severity": "Medium"
+  },
+  "CVE-2019-17195": {
+    "id": "CVE-2019-17195",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17195",
+    "severity": "Critical"
+  },
+  "CVE-2024-25082": {
+    "id": "CVE-2024-25082",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25082",
+    "severity": "Medium"
+  },
+  "CVE-2022-21713": {
+    "id": "CVE-2022-21713",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21713",
+    "severity": "High"
+  },
+  "CVE-2023-39193": {
+    "id": "CVE-2023-39193",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39193",
+    "severity": "Medium"
+  },
+  "CVE-2021-46823": {
+    "id": "CVE-2021-46823",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46823",
+    "severity": "Medium"
+  },
+  "CVE-2020-0198": {
+    "id": "CVE-2020-0198",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0198",
+    "severity": "High"
+  },
+  "CVE-2024-0209": {
+    "id": "CVE-2024-0209",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0209",
+    "severity": "High"
+  },
+  "CVE-2022-24963": {
+    "id": "CVE-2022-24963",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24963",
+    "severity": "Critical"
+  },
+  "CVE-2023-1175": {
+    "id": "CVE-2023-1175",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1175",
+    "severity": "High"
+  },
+  "CVE-2023-5632": {
+    "id": "CVE-2023-5632",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5632",
+    "severity": "High"
+  },
+  "CVE-2021-43082": {
+    "id": "CVE-2021-43082",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43082",
+    "severity": "High"
+  },
+  "CVE-2021-47547": {
+    "id": "CVE-2021-47547",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47547",
+    "severity": "Medium"
+  },
+  "CVE-2022-34917": {
+    "id": "CVE-2022-34917",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34917",
+    "severity": "High"
+  },
+  "CVE-2023-0466": {
+    "id": "CVE-2023-0466",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0466",
+    "severity": "High"
+  },
+  "CVE-2022-40899": {
+    "id": "CVE-2022-40899",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40899",
+    "severity": "High"
+  },
+  "CVE-2021-3839": {
+    "id": "CVE-2021-3839",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3839",
+    "severity": "Medium"
+  },
+  "CVE-2020-35653": {
+    "id": "CVE-2020-35653",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35653",
+    "severity": "High"
+  },
+  "CVE-2024-5742": {
+    "id": "CVE-2024-5742",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5742",
+    "severity": "Medium"
+  },
+  "CVE-2021-33633": {
+    "id": "CVE-2021-33633",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33633",
+    "severity": "High"
+  },
+  "CVE-2021-3588": {
+    "id": "CVE-2021-3588",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3588",
+    "severity": "Low"
+  },
+  "CVE-2022-42898": {
+    "id": "CVE-2022-42898",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42898",
+    "severity": "Medium"
+  },
+  "CVE-2023-6531": {
+    "id": "CVE-2023-6531",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6531",
+    "severity": "High"
+  },
+  "CVE-2022-26981": {
+    "id": "CVE-2022-26981",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26981",
+    "severity": "High"
+  },
+  "CVE-2022-47011": {
+    "id": "CVE-2022-47011",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47011",
+    "severity": "High"
+  },
+  "CVE-2022-0934": {
+    "id": "CVE-2022-0934",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0934",
+    "severity": "Medium"
+  },
+  "CVE-2021-41973": {
+    "id": "CVE-2021-41973",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41973",
+    "severity": "Medium"
+  },
+  "CVE-2024-26696": {
+    "id": "CVE-2024-26696",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26696",
+    "severity": "High"
+  },
+  "CVE-2022-42916": {
+    "id": "CVE-2022-42916",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42916",
+    "severity": "High"
+  },
+  "CVE-2021-43396": {
+    "id": "CVE-2021-43396",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43396",
+    "severity": "High"
+  },
+  "CVE-2022-48174": {
+    "id": "CVE-2022-48174",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48174",
+    "severity": "Critical"
+  },
+  "CVE-2023-52795": {
+    "id": "CVE-2023-52795",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52795",
+    "severity": "Medium"
+  },
+  "CVE-2024-20696": {
+    "id": "CVE-2024-20696",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20696",
+    "severity": "High"
+  },
+  "CVE-2019-18389": {
+    "id": "CVE-2019-18389",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18389",
+    "severity": "High"
+  },
+  "CVE-2021-3595": {
+    "id": "CVE-2021-3595",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3595",
+    "severity": "Low"
+  },
+  "CVE-2020-36773": {
+    "id": "CVE-2020-36773",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36773",
+    "severity": "Critical"
+  },
+  "CVE-2020-15166": {
+    "id": "CVE-2020-15166",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15166",
+    "severity": "High"
+  },
+  "CVE-2020-8908": {
+    "id": "CVE-2020-8908",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8908",
+    "severity": "Low"
+  },
+  "CVE-2020-12321": {
+    "id": "CVE-2020-12321",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12321",
+    "severity": "High"
+  },
+  "CVE-2022-48340": {
+    "id": "CVE-2022-48340",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48340",
+    "severity": "High"
+  },
+  "CVE-2022-3560": {
+    "id": "CVE-2022-3560",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3560",
+    "severity": "Medium"
+  },
+  "CVE-2022-29804": {
+    "id": "CVE-2022-29804",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29804",
+    "severity": "Medium"
+  },
+  "CVE-2024-24897": {
+    "id": "CVE-2024-24897",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24897",
+    "severity": "High"
+  },
+  "CVE-2023-39978": {
+    "id": "CVE-2023-39978",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39978",
+    "severity": "High"
+  },
+  "CVE-2024-27282": {
+    "id": "CVE-2024-27282",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27282",
+    "severity": "Low"
+  },
+  "CVE-2021-39251": {
+    "id": "CVE-2021-39251",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39251",
+    "severity": "High"
+  },
+  "CVE-2023-35824": {
+    "id": "CVE-2023-35824",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35824",
+    "severity": "High"
+  },
+  "CVE-2021-43975": {
+    "id": "CVE-2021-43975",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43975",
+    "severity": "High"
+  },
+  "CVE-2022-21499": {
+    "id": "CVE-2022-21499",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21499",
+    "severity": "High"
+  },
+  "CVE-2022-25168": {
+    "id": "CVE-2022-25168",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25168",
+    "severity": "Critical"
+  },
+  "CVE-2021-22876": {
+    "id": "CVE-2021-22876",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22876",
+    "severity": "Low"
+  },
+  "CVE-2020-26143": {
+    "id": "CVE-2020-26143",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26143",
+    "severity": "Medium"
+  },
+  "CVE-2023-44487": {
+    "id": "CVE-2023-44487",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487",
+    "severity": "High"
+  },
+  "CVE-2015-20107": {
+    "id": "CVE-2015-20107",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-20107",
+    "severity": "Critical"
+  },
+  "CVE-2022-42328": {
+    "id": "CVE-2022-42328",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42328",
+    "severity": "High"
+  },
+  "CVE-2024-29156": {
+    "id": "CVE-2024-29156",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29156",
+    "severity": "High"
+  },
+  "CVE-2024-28757": {
+    "id": "CVE-2024-28757",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28757",
+    "severity": "Medium"
+  },
+  "CVE-2022-36087": {
+    "id": "CVE-2022-36087",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36087",
+    "severity": "Medium"
+  },
+  "CVE-2022-1652": {
+    "id": "CVE-2022-1652",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1652",
+    "severity": "Medium"
+  },
+  "CVE-2024-38662": {
+    "id": "CVE-2024-38662",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38662",
+    "severity": "Medium"
+  },
+  "CVE-2023-1801": {
+    "id": "CVE-2023-1801",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1801",
+    "severity": "Medium"
+  },
+  "CVE-2022-3172": {
+    "id": "CVE-2022-3172",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3172",
+    "severity": "Medium"
+  },
+  "CVE-2021-3177": {
+    "id": "CVE-2021-3177",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3177",
+    "severity": "Critical"
+  },
+  "CVE-2020-11864": {
+    "id": "CVE-2020-11864",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11864",
+    "severity": "Medium"
+  },
+  "CVE-2020-14394": {
+    "id": "CVE-2020-14394",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14394",
+    "severity": "Low"
+  },
+  "CVE-2023-3389": {
+    "id": "CVE-2023-3389",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3389",
+    "severity": "High"
+  },
+  "CVE-2021-25215": {
+    "id": "CVE-2021-25215",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25215",
+    "severity": "Medium"
+  },
+  "CVE-2019-7548": {
+    "id": "CVE-2019-7548",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7548",
+    "severity": "Medium"
+  },
+  "CVE-2024-38553": {
+    "id": "CVE-2024-38553",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38553",
+    "severity": "High"
+  },
+  "CVE-2023-42669": {
+    "id": "CVE-2023-42669",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42669",
+    "severity": "Medium"
+  },
+  "CVE-2023-34410": {
+    "id": "CVE-2023-34410",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410",
+    "severity": "Medium"
+  },
+  "CVE-2021-28169": {
+    "id": "CVE-2021-28169",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28169",
+    "severity": "Medium"
+  },
+  "CVE-2023-45664": {
+    "id": "CVE-2023-45664",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45664",
+    "severity": "High"
+  },
+  "CVE-2022-0891": {
+    "id": "CVE-2022-0891",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0891",
+    "severity": "Medium"
+  },
+  "CVE-2021-28831": {
+    "id": "CVE-2021-28831",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28831",
+    "severity": "High"
+  },
+  "CVE-2023-35829": {
+    "id": "CVE-2023-35829",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35829",
+    "severity": "High"
+  },
+  "CVE-2024-28882": {
+    "id": "CVE-2024-28882",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28882",
+    "severity": "Medium"
+  },
+  "CVE-2021-39275": {
+    "id": "CVE-2021-39275",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39275",
+    "severity": "High"
+  },
+  "CVE-2020-10719": {
+    "id": "CVE-2020-10719",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10719",
+    "severity": "Medium"
+  },
+  "CVE-2014-0158": {
+    "id": "CVE-2014-0158",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0158",
+    "severity": "High"
+  },
+  "CVE-2020-27769": {
+    "id": "CVE-2020-27769",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27769",
+    "severity": "High"
+  },
+  "CVE-2021-20190": {
+    "id": "CVE-2021-20190",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20190",
+    "severity": "High"
+  },
+  "CVE-2023-28756": {
+    "id": "CVE-2023-28756",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28756",
+    "severity": "Medium"
+  },
+  "CVE-2021-3623": {
+    "id": "CVE-2021-3623",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3623",
+    "severity": "Medium"
+  },
+  "CVE-2022-31030": {
+    "id": "CVE-2022-31030",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31030",
+    "severity": "Medium"
+  },
+  "CVE-2021-47538": {
+    "id": "CVE-2021-47538",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47538",
+    "severity": "Medium"
+  },
+  "CVE-2023-52890": {
+    "id": "CVE-2023-52890",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52890",
+    "severity": "Medium"
+  },
+  "CVE-2022-46285": {
+    "id": "CVE-2022-46285",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46285",
+    "severity": "High"
+  },
+  "CVE-2023-34241": {
+    "id": "CVE-2023-34241",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34241",
+    "severity": "Medium"
+  },
+  "CVE-2021-20227": {
+    "id": "CVE-2021-20227",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20227",
+    "severity": "Medium"
+  },
+  "CVE-2024-39331": {
+    "id": "CVE-2024-39331",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39331",
+    "severity": "High"
+  },
+  "CVE-2022-44638": {
+    "id": "CVE-2022-44638",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44638",
+    "severity": "High"
+  },
+  "CVE-2023-6121": {
+    "id": "CVE-2023-6121",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6121",
+    "severity": "High"
+  },
+  "CVE-2024-34459": {
+    "id": "CVE-2024-34459",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459",
+    "severity": "Low"
+  },
+  "CVE-2023-22115": {
+    "id": "CVE-2023-22115",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22115",
+    "severity": "Medium"
+  },
+  "CVE-2020-36242": {
+    "id": "CVE-2020-36242",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36242",
+    "severity": "Critical"
+  },
+  "CVE-2021-4069": {
+    "id": "CVE-2021-4069",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4069",
+    "severity": "High"
+  },
+  "CVE-2020-16121": {
+    "id": "CVE-2020-16121",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16121",
+    "severity": "Low"
+  },
+  "CVE-2021-46312": {
+    "id": "CVE-2021-46312",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46312",
+    "severity": "Medium"
+  },
+  "CVE-2021-26937": {
+    "id": "CVE-2021-26937",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26937",
+    "severity": "Critical"
+  },
+  "CVE-2022-1270": {
+    "id": "CVE-2022-1270",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1270",
+    "severity": "High"
+  },
+  "CVE-2020-1753": {
+    "id": "CVE-2020-1753",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1753",
+    "severity": "Low"
+  },
+  "CVE-2023-43114": {
+    "id": "CVE-2023-43114",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114",
+    "severity": "High"
+  },
+  "CVE-2021-26291": {
+    "id": "CVE-2021-26291",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26291",
+    "severity": "Critical"
+  },
+  "CVE-2021-42782": {
+    "id": "CVE-2021-42782",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42782",
+    "severity": "Medium"
+  },
+  "CVE-2021-32292": {
+    "id": "CVE-2021-32292",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32292",
+    "severity": "Critical"
+  },
+  "CVE-2016-10198": {
+    "id": "CVE-2016-10198",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10198",
+    "severity": "Medium"
+  },
+  "CVE-2021-40346": {
+    "id": "CVE-2021-40346",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40346",
+    "severity": "High"
+  },
+  "CVE-2023-51698": {
+    "id": "CVE-2023-51698",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51698",
+    "severity": "High"
+  },
+  "CVE-2021-4083": {
+    "id": "CVE-2021-4083",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4083",
+    "severity": "High"
+  },
+  "CVE-2021-3903": {
+    "id": "CVE-2021-3903",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3903",
+    "severity": "High"
+  },
+  "CVE-2024-32487": {
+    "id": "CVE-2024-32487",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32487",
+    "severity": "Medium"
+  },
+  "CVE-2019-10174": {
+    "id": "CVE-2019-10174",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10174",
+    "severity": "High"
+  },
+  "CVE-2020-29260": {
+    "id": "CVE-2020-29260",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29260",
+    "severity": "High"
+  },
+  "CVE-2024-36387": {
+    "id": "CVE-2024-36387",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36387",
+    "severity": "Low"
+  },
+  "CVE-2023-1017": {
+    "id": "CVE-2023-1017",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1017",
+    "severity": "Medium"
+  },
+  "CVE-2024-39470": {
+    "id": "CVE-2024-39470",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39470",
+    "severity": "Medium"
+  },
+  "CVE-2020-36185": {
+    "id": "CVE-2020-36185",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36185",
+    "severity": "High"
+  },
+  "CVE-2021-3521": {
+    "id": "CVE-2021-3521",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3521",
+    "severity": "Low"
+  },
+  "CVE-2021-4122": {
+    "id": "CVE-2021-4122",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4122",
+    "severity": "Medium"
+  },
+  "CVE-2021-20223": {
+    "id": "CVE-2021-20223",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20223",
+    "severity": "Critical"
+  },
+  "CVE-2021-25317": {
+    "id": "CVE-2021-25317",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25317",
+    "severity": "Low"
+  },
+  "CVE-2014-9640": {
+    "id": "CVE-2014-9640",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9640",
+    "severity": "Medium"
+  },
+  "CVE-2021-43400": {
+    "id": "CVE-2021-43400",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43400",
+    "severity": "Critical"
+  },
+  "CVE-2021-21703": {
+    "id": "CVE-2021-21703",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21703",
+    "severity": "High"
+  },
+  "CVE-2023-4132": {
+    "id": "CVE-2023-4132",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4132",
+    "severity": "Medium"
+  },
+  "CVE-2024-1151": {
+    "id": "CVE-2024-1151",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1151",
+    "severity": "Medium"
+  },
+  "CVE-2022-4304": {
+    "id": "CVE-2022-4304",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4304",
+    "severity": "Medium"
+  },
+  "CVE-2023-45235": {
+    "id": "CVE-2023-45235",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45235",
+    "severity": "High"
+  },
+  "CVE-2006-20001": {
+    "id": "CVE-2006-20001",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-20001",
+    "severity": "Critical"
+  },
+  "CVE-2024-36946": {
+    "id": "CVE-2024-36946",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36946",
+    "severity": "None"
+  },
+  "CVE-2022-2320": {
+    "id": "CVE-2022-2320",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2320",
+    "severity": "High"
+  },
+  "CVE-2022-23645": {
+    "id": "CVE-2022-23645",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23645",
+    "severity": "Medium"
+  },
+  "CVE-2022-2068": {
+    "id": "CVE-2022-2068",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2068",
+    "severity": "Critical"
+  },
+  "CVE-2021-33574": {
+    "id": "CVE-2021-33574",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33574",
+    "severity": "Critical"
+  },
+  "CVE-2020-8625": {
+    "id": "CVE-2020-8625",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8625",
+    "severity": "High"
+  },
+  "CVE-2020-25097": {
+    "id": "CVE-2020-25097",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25097",
+    "severity": "High"
+  },
+  "CVE-2023-28204": {
+    "id": "CVE-2023-28204",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28204",
+    "severity": "Medium"
+  },
+  "CVE-2023-3618": {
+    "id": "CVE-2023-3618",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3618",
+    "severity": "Medium"
+  },
+  "CVE-2020-8277": {
+    "id": "CVE-2020-8277",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8277",
+    "severity": "High"
+  },
+  "CVE-2023-2283": {
+    "id": "CVE-2023-2283",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2283",
+    "severity": "Medium"
+  },
+  "CVE-2021-39242": {
+    "id": "CVE-2021-39242",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39242",
+    "severity": "High"
+  },
+  "CVE-2022-28738": {
+    "id": "CVE-2022-28738",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28738",
+    "severity": "Medium"
+  },
+  "CVE-2020-36241": {
+    "id": "CVE-2020-36241",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36241",
+    "severity": "Medium"
+  },
+  "CVE-2022-41715": {
+    "id": "CVE-2022-41715",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41715",
+    "severity": "Medium"
+  },
+  "CVE-2020-7598": {
+    "id": "CVE-2020-7598",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7598",
+    "severity": "Medium"
+  },
+  "CVE-2020-1971": {
+    "id": "CVE-2020-1971",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1971",
+    "severity": "Medium"
+  },
+  "CVE-2022-27337": {
+    "id": "CVE-2022-27337",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27337",
+    "severity": "Medium"
+  },
+  "CVE-2020-28896": {
+    "id": "CVE-2020-28896",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28896",
+    "severity": "Medium"
+  },
+  "CVE-2021-4217": {
+    "id": "CVE-2021-4217",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4217",
+    "severity": "Medium"
+  },
+  "CVE-2021-47208": {
+    "id": "CVE-2021-47208",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47208",
+    "severity": "High"
+  },
+  "CVE-2023-28321": {
+    "id": "CVE-2023-28321",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28321",
+    "severity": "Medium"
+  },
+  "CVE-2023-24998": {
+    "id": "CVE-2023-24998",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24998",
+    "severity": "High"
+  },
+  "CVE-2021-3872": {
+    "id": "CVE-2021-3872",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3872",
+    "severity": "Medium"
+  },
+  "CVE-2022-1771": {
+    "id": "CVE-2022-1771",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1771",
+    "severity": "High"
+  },
+  "CVE-2022-40284": {
+    "id": "CVE-2022-40284",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40284",
+    "severity": "High"
+  },
+  "CVE-2023-29532": {
+    "id": "CVE-2023-29532",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29532",
+    "severity": "High"
+  },
+  "CVE-2023-2513": {
+    "id": "CVE-2023-2513",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2513",
+    "severity": "High"
+  },
+  "CVE-2020-15890": {
+    "id": "CVE-2020-15890",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15890",
+    "severity": "High"
+  },
+  "CVE-2020-27845": {
+    "id": "CVE-2020-27845",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27845",
+    "severity": "High"
+  },
+  "CVE-2021-2042": {
+    "id": "CVE-2021-2042",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-2042",
+    "severity": "Medium"
+  },
+  "CVE-2022-31629": {
+    "id": "CVE-2022-31629",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31629",
+    "severity": "Medium"
+  },
+  "CVE-2021-43818": {
+    "id": "CVE-2021-43818",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43818",
+    "severity": "High"
+  },
+  "CVE-2023-45539": {
+    "id": "CVE-2023-45539",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45539",
+    "severity": "High"
+  },
+  "CVE-2020-25710": {
+    "id": "CVE-2020-25710",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25710",
+    "severity": "High"
+  },
+  "CVE-2019-10219": {
+    "id": "CVE-2019-10219",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10219",
+    "severity": "Medium"
+  },
+  "CVE-2020-13959": {
+    "id": "CVE-2020-13959",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13959",
+    "severity": "Medium"
+  },
+  "CVE-2020-18032": {
+    "id": "CVE-2020-18032",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-18032",
+    "severity": "Critical"
+  },
+  "CVE-2021-23222": {
+    "id": "CVE-2021-23222",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23222",
+    "severity": "High"
+  },
+  "CVE-2020-35538": {
+    "id": "CVE-2020-35538",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35538",
+    "severity": "Medium"
+  },
+  "CVE-2024-24806": {
+    "id": "CVE-2024-24806",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24806",
+    "severity": "Critical"
+  },
+  "CVE-2024-35235": {
+    "id": "CVE-2024-35235",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35235",
+    "severity": "Medium"
+  },
+  "CVE-2023-52138": {
+    "id": "CVE-2023-52138",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52138",
+    "severity": "Critical"
+  },
+  "CVE-2021-43809": {
+    "id": "CVE-2021-43809",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43809",
+    "severity": "High"
+  },
+  "CVE-2021-28210": {
+    "id": "CVE-2021-28210",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28210",
+    "severity": "High"
+  },
+  "CVE-2024-26144": {
+    "id": "CVE-2024-26144",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26144",
+    "severity": "Medium"
+  },
+  "CVE-2023-33933": {
+    "id": "CVE-2023-33933",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33933",
+    "severity": "High"
+  },
+  "CVE-2019-25058": {
+    "id": "CVE-2019-25058",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25058",
+    "severity": "High"
+  },
+  "CVE-2023-49286": {
+    "id": "CVE-2023-49286",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49286",
+    "severity": "High"
+  },
+  "CVE-2023-5535": {
+    "id": "CVE-2023-5535",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5535",
+    "severity": "High"
+  },
+  "CVE-2021-47210": {
+    "id": "CVE-2021-47210",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47210",
+    "severity": "Medium"
+  },
+  "CVE-2019-7164": {
+    "id": "CVE-2019-7164",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7164",
+    "severity": "Critical"
+  },
+  "CVE-2021-38115": {
+    "id": "CVE-2021-38115",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38115",
+    "severity": "Medium"
+  },
+  "CVE-2022-47939": {
+    "id": "CVE-2022-47939",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47939",
+    "severity": "Medium"
+  },
+  "CVE-2022-42919": {
+    "id": "CVE-2022-42919",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42919",
+    "severity": "High"
+  },
+  "CVE-2022-2153": {
+    "id": "CVE-2022-2153",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2153",
+    "severity": "Low"
+  },
+  "CVE-2020-28935": {
+    "id": "CVE-2020-28935",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28935",
+    "severity": "Medium"
+  },
+  "CVE-2024-27351": {
+    "id": "CVE-2024-27351",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27351",
+    "severity": "High"
+  },
+  "CVE-2022-0924": {
+    "id": "CVE-2022-0924",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0924",
+    "severity": "Medium"
+  },
+  "CVE-2024-31083": {
+    "id": "CVE-2024-31083",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31083",
+    "severity": "High"
+  },
+  "CVE-2020-27783": {
+    "id": "CVE-2020-27783",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27783",
+    "severity": "Medium"
+  },
+  "CVE-2021-21300": {
+    "id": "CVE-2021-21300",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21300",
+    "severity": "High"
+  },
+  "CVE-2022-28391": {
+    "id": "CVE-2022-28391",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28391",
+    "severity": "Critical"
+  },
+  "CVE-2022-41678": {
+    "id": "CVE-2022-41678",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41678",
+    "severity": "High"
+  },
+  "CVE-2020-21679": {
+    "id": "CVE-2020-21679",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-21679",
+    "severity": "Medium"
+  },
+  "CVE-2022-41850": {
+    "id": "CVE-2022-41850",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41850",
+    "severity": "High"
+  },
+  "CVE-2022-41881": {
+    "id": "CVE-2022-41881",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881",
+    "severity": "High"
+  },
+  "CVE-2021-47549": {
+    "id": "CVE-2021-47549",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47549",
+    "severity": "Medium"
+  },
+  "CVE-2023-46728": {
+    "id": "CVE-2023-46728",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46728",
+    "severity": "High"
+  },
+  "CVE-2023-39128": {
+    "id": "CVE-2023-39128",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39128",
+    "severity": "Medium"
+  },
+  "CVE-2021-23383": {
+    "id": "CVE-2021-23383",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23383",
+    "severity": "Critical"
+  },
+  "CVE-2021-39360": {
+    "id": "CVE-2021-39360",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39360",
+    "severity": "Medium"
+  },
+  "CVE-2020-24240": {
+    "id": "CVE-2020-24240",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24240",
+    "severity": "Medium"
+  },
+  "CVE-2023-6228": {
+    "id": "CVE-2023-6228",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6228",
+    "severity": "Low"
+  },
+  "CVE-2020-15673": {
+    "id": "CVE-2020-15673",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15673",
+    "severity": "High"
+  },
+  "CVE-2022-45062": {
+    "id": "CVE-2022-45062",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45062",
+    "severity": "Critical"
+  },
+  "CVE-2022-27781": {
+    "id": "CVE-2022-27781",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27781",
+    "severity": "Medium"
+  },
+  "CVE-2022-23302": {
+    "id": "CVE-2022-23302",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302",
+    "severity": "High"
+  },
+  "CVE-2020-28463": {
+    "id": "CVE-2020-28463",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28463",
+    "severity": "Medium"
+  },
+  "CVE-2023-2977": {
+    "id": "CVE-2023-2977",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2977",
+    "severity": "High"
+  },
+  "CVE-2024-37388": {
+    "id": "CVE-2024-37388",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37388",
+    "severity": "Medium"
+  },
+  "CVE-2021-35938": {
+    "id": "CVE-2021-35938",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35938",
+    "severity": "Medium"
+  },
+  "CVE-2021-20232": {
+    "id": "CVE-2021-20232",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20232",
+    "severity": "Critical"
+  },
+  "CVE-2021-43813": {
+    "id": "CVE-2021-43813",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43813",
+    "severity": "Medium"
+  },
+  "CVE-2021-42523": {
+    "id": "CVE-2021-42523",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42523",
+    "severity": "High"
+  },
+  "CVE-2023-3354": {
+    "id": "CVE-2023-3354",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3354",
+    "severity": "High"
+  },
+  "CVE-2023-46604": {
+    "id": "CVE-2023-46604",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46604",
+    "severity": "Critical"
+  },
+  "CVE-2021-29338": {
+    "id": "CVE-2021-29338",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29338",
+    "severity": "Medium"
+  },
+  "CVE-2022-45939": {
+    "id": "CVE-2022-45939",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45939",
+    "severity": "High"
+  },
+  "CVE-2024-34062": {
+    "id": "CVE-2024-34062",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34062",
+    "severity": "Medium"
+  },
+  "CVE-2016-0750": {
+    "id": "CVE-2016-0750",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0750",
+    "severity": "High"
+  },
+  "CVE-2023-26545": {
+    "id": "CVE-2023-26545",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26545",
+    "severity": "High"
+  },
+  "CVE-2021-3713": {
+    "id": "CVE-2021-3713",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3713",
+    "severity": "High"
+  },
+  "CVE-2022-1328": {
+    "id": "CVE-2022-1328",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1328",
+    "severity": "Medium"
+  },
+  "CVE-2023-3817": {
+    "id": "CVE-2023-3817",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3817",
+    "severity": "Medium"
+  },
+  "CVE-2024-21068": {
+    "id": "CVE-2024-21068",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21068",
+    "severity": "High"
+  },
+  "CVE-2019-14744": {
+    "id": "CVE-2019-14744",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14744",
+    "severity": "High"
+  },
+  "CVE-2023-2157": {
+    "id": "CVE-2023-2157",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2157",
+    "severity": "Medium"
+  },
+  "CVE-2022-41853": {
+    "id": "CVE-2022-41853",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41853",
+    "severity": "Critical"
+  },
+  "CVE-2016-3709": {
+    "id": "CVE-2016-3709",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3709",
+    "severity": "Medium"
+  },
+  "CVE-2021-3997": {
+    "id": "CVE-2021-3997",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3997",
+    "severity": "Medium"
+  },
+  "CVE-2023-23009": {
+    "id": "CVE-2023-23009",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23009",
+    "severity": "High"
+  },
+  "CVE-2021-45078": {
+    "id": "CVE-2021-45078",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45078",
+    "severity": "High"
+  },
+  "CVE-2022-48682": {
+    "id": "CVE-2022-48682",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48682",
+    "severity": "Medium"
+  },
+  "CVE-2024-0641": {
+    "id": "CVE-2024-0641",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0641",
+    "severity": "Medium"
+  },
+  "CVE-2023-3812": {
+    "id": "CVE-2023-3812",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3812",
+    "severity": "High"
+  },
+  "CVE-2023-4641": {
+    "id": "CVE-2023-4641",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4641",
+    "severity": "Low"
+  },
+  "CVE-2022-25235": {
+    "id": "CVE-2022-25235",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25235",
+    "severity": "High"
+  },
+  "CVE-2021-45985": {
+    "id": "CVE-2021-45985",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45985",
+    "severity": "High"
+  },
+  "CVE-2021-41229": {
+    "id": "CVE-2021-41229",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41229",
+    "severity": "Medium"
+  },
+  "CVE-2019-13508": {
+    "id": "CVE-2019-13508",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13508",
+    "severity": "Critical"
+  },
+  "CVE-2022-26354": {
+    "id": "CVE-2022-26354",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26354",
+    "severity": "High"
+  },
+  "CVE-2022-47021": {
+    "id": "CVE-2022-47021",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47021",
+    "severity": "High"
+  },
+  "CVE-2020-21428": {
+    "id": "CVE-2020-21428",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-21428",
+    "severity": "High"
+  },
+  "CVE-2019-25051": {
+    "id": "CVE-2019-25051",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25051",
+    "severity": "High"
+  },
+  "CVE-2023-2976": {
+    "id": "CVE-2023-2976",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2976",
+    "severity": "High"
+  },
+  "CVE-2021-3541": {
+    "id": "CVE-2021-3541",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3541",
+    "severity": "Medium"
+  },
+  "CVE-2021-4011": {
+    "id": "CVE-2021-4011",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4011",
+    "severity": "High"
+  },
+  "CVE-2022-25315": {
+    "id": "CVE-2022-25315",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25315",
+    "severity": "Critical"
+  },
+  "CVE-2024-1062": {
+    "id": "CVE-2024-1062",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1062",
+    "severity": "Medium"
+  },
+  "CVE-2024-0409": {
+    "id": "CVE-2024-0409",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0409",
+    "severity": "High"
+  },
+  "CVE-2022-37454": {
+    "id": "CVE-2022-37454",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37454",
+    "severity": "Critical"
+  },
+  "CVE-2022-24130": {
+    "id": "CVE-2022-24130",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24130",
+    "severity": "Medium"
+  },
+  "CVE-2020-12762": {
+    "id": "CVE-2020-12762",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12762",
+    "severity": "High"
+  },
+  "CVE-2023-29383": {
+    "id": "CVE-2023-29383",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29383",
+    "severity": "Low"
+  },
+  "CVE-2023-5841": {
+    "id": "CVE-2023-5841",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5841",
+    "severity": "Critical"
+  },
+  "CVE-2022-26691": {
+    "id": "CVE-2022-26691",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26691",
+    "severity": "Medium"
+  },
+  "CVE-2024-38477": {
+    "id": "CVE-2024-38477",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38477",
+    "severity": "High"
+  },
+  "CVE-2022-44789": {
+    "id": "CVE-2022-44789",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44789",
+    "severity": "High"
+  },
+  "CVE-2022-29187": {
+    "id": "CVE-2022-29187",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29187",
+    "severity": "High"
+  },
+  "CVE-2021-28429": {
+    "id": "CVE-2021-28429",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28429",
+    "severity": "Medium"
+  },
+  "CVE-2022-43551": {
+    "id": "CVE-2022-43551",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43551",
+    "severity": "Medium"
+  },
+  "CVE-2023-1994": {
+    "id": "CVE-2023-1994",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1994",
+    "severity": "Medium"
+  },
+  "CVE-2023-49797": {
+    "id": "CVE-2023-49797",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49797",
+    "severity": "High"
+  },
+  "CVE-2020-36323": {
+    "id": "CVE-2020-36323",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36323",
+    "severity": "High"
+  },
+  "CVE-2021-44142": {
+    "id": "CVE-2021-44142",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44142",
+    "severity": "Critical"
+  },
+  "CVE-2023-1668": {
+    "id": "CVE-2023-1668",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1668",
+    "severity": "High"
+  },
+  "CVE-2023-0266": {
+    "id": "CVE-2023-0266",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0266",
+    "severity": "High"
+  },
+  "CVE-2021-20288": {
+    "id": "CVE-2021-20288",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20288",
+    "severity": "High"
+  },
+  "CVE-2021-37533": {
+    "id": "CVE-2021-37533",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37533",
+    "severity": "Medium"
+  },
+  "CVE-2024-5700": {
+    "id": "CVE-2024-5700",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5700",
+    "severity": "Low"
+  },
+  "CVE-2021-43045": {
+    "id": "CVE-2021-43045",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43045",
+    "severity": "High"
+  },
+  "CVE-2021-3984": {
+    "id": "CVE-2021-3984",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3984",
+    "severity": "High"
+  },
+  "CVE-2021-25740": {
+    "id": "CVE-2021-25740",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25740",
+    "severity": "Low"
+  },
+  "CVE-2020-13936": {
+    "id": "CVE-2020-13936",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13936",
+    "severity": "High"
+  },
+  "CVE-2021-3634": {
+    "id": "CVE-2021-3634",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3634",
+    "severity": "Medium"
+  },
+  "CVE-2021-33515": {
+    "id": "CVE-2021-33515",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33515",
+    "severity": "Medium"
+  },
+  "CVE-2022-3099": {
+    "id": "CVE-2022-3099",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3099",
+    "severity": "High"
+  },
+  "CVE-2023-37732": {
+    "id": "CVE-2023-37732",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37732",
+    "severity": "Medium"
+  },
+  "CVE-2021-3472": {
+    "id": "CVE-2021-3472",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3472",
+    "severity": "High"
+  },
+  "CVE-2021-23807": {
+    "id": "CVE-2021-23807",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23807",
+    "severity": "Critical"
+  },
+  "CVE-2022-23833": {
+    "id": "CVE-2022-23833",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23833",
+    "severity": "High"
+  },
+  "CVE-2021-44879": {
+    "id": "CVE-2021-44879",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44879",
+    "severity": "Medium"
+  },
+  "CVE-2024-30205": {
+    "id": "CVE-2024-30205",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30205",
+    "severity": "Medium"
+  },
+  "CVE-2023-45918": {
+    "id": "CVE-2023-45918",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45918",
+    "severity": "Low"
+  },
+  "CVE-2023-0809": {
+    "id": "CVE-2023-0809",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0809",
+    "severity": "Medium"
+  },
+  "CVE-2020-14145": {
+    "id": "CVE-2020-14145",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14145",
+    "severity": "Medium"
+  },
+  "CVE-2021-3575": {
+    "id": "CVE-2021-3575",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3575",
+    "severity": "Medium"
+  },
+  "CVE-2024-35176": {
+    "id": "CVE-2024-35176",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35176",
+    "severity": "Medium"
+  },
+  "CVE-2021-3677": {
+    "id": "CVE-2021-3677",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3677",
+    "severity": "Medium"
+  },
+  "CVE-2023-38428": {
+    "id": "CVE-2023-38428",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38428",
+    "severity": "High"
+  },
+  "CVE-2023-4781": {
+    "id": "CVE-2023-4781",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4781",
+    "severity": "High"
+  },
+  "CVE-2022-47952": {
+    "id": "CVE-2022-47952",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47952",
+    "severity": "Low"
+  },
+  "CVE-2022-48468": {
+    "id": "CVE-2022-48468",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48468",
+    "severity": "Critical"
+  },
+  "CVE-2023-4759": {
+    "id": "CVE-2023-4759",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4759",
+    "severity": "High"
+  },
+  "CVE-2023-29406": {
+    "id": "CVE-2023-29406",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29406",
+    "severity": "Critical"
+  },
+  "CVE-2019-18934": {
+    "id": "CVE-2019-18934",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18934",
+    "severity": "Medium"
+  },
+  "CVE-2023-52449": {
+    "id": "CVE-2023-52449",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52449",
+    "severity": "High"
+  },
+  "CVE-2020-25211": {
+    "id": "CVE-2020-25211",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25211",
+    "severity": "Medium"
+  },
+  "CVE-2024-31047": {
+    "id": "CVE-2024-31047",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31047",
+    "severity": "Medium"
+  },
+  "CVE-2023-43898": {
+    "id": "CVE-2023-43898",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43898",
+    "severity": "Medium"
+  },
+  "CVE-2022-40982": {
+    "id": "CVE-2022-40982",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40982",
+    "severity": "Medium"
+  },
+  "CVE-2023-45871": {
+    "id": "CVE-2023-45871",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45871",
+    "severity": "Medium"
+  },
+  "CVE-2022-22844": {
+    "id": "CVE-2022-22844",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22844",
+    "severity": "Medium"
+  },
+  "CVE-2023-52742": {
+    "id": "CVE-2023-52742",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52742",
+    "severity": "Medium"
+  },
+  "CVE-2024-29018": {
+    "id": "CVE-2024-29018",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29018",
+    "severity": "Medium"
+  },
+  "CVE-2016-9606": {
+    "id": "CVE-2016-9606",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9606",
+    "severity": "High"
+  },
+  "CVE-2020-21913": {
+    "id": "CVE-2020-21913",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-21913",
+    "severity": "Medium"
+  },
+  "CVE-2023-39197": {
+    "id": "CVE-2023-39197",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39197",
+    "severity": "Low"
+  },
+  "CVE-2021-29468": {
+    "id": "CVE-2021-29468",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29468",
+    "severity": "High"
+  },
+  "CVE-2022-29536": {
+    "id": "CVE-2022-29536",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29536",
+    "severity": "Medium"
+  },
+  "CVE-2023-49284": {
+    "id": "CVE-2023-49284",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49284",
+    "severity": "Medium"
+  },
+  "CVE-2022-3341": {
+    "id": "CVE-2022-3341",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3341",
+    "severity": "Medium"
+  },
+  "CVE-2022-21434": {
+    "id": "CVE-2022-21434",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21434",
+    "severity": "Low"
+  },
+  "CVE-2022-45198": {
+    "id": "CVE-2022-45198",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45198",
+    "severity": "High"
+  },
+  "CVE-2019-11459": {
+    "id": "CVE-2019-11459",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11459",
+    "severity": "Medium"
+  },
+  "CVE-2021-27906": {
+    "id": "CVE-2021-27906",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27906",
+    "severity": "Medium"
+  },
+  "CVE-2016-3981": {
+    "id": "CVE-2016-3981",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3981",
+    "severity": "High"
+  },
+  "CVE-2021-2341": {
+    "id": "CVE-2021-2341",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-2341",
+    "severity": "High"
+  },
+  "CVE-2024-2511": {
+    "id": "CVE-2024-2511",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2511",
+    "severity": "Medium"
+  },
+  "CVE-2023-46219": {
+    "id": "CVE-2023-46219",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46219",
+    "severity": "Low"
+  },
+  "CVE-2021-2357": {
+    "id": "CVE-2021-2357",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-2357",
+    "severity": "Low"
+  },
+  "CVE-2019-15026": {
+    "id": "CVE-2019-15026",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15026",
+    "severity": "High"
+  },
+  "CVE-2024-26752": {
+    "id": "CVE-2024-26752",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26752",
+    "severity": "High"
+  },
+  "CVE-2023-24593": {
+    "id": "CVE-2023-24593",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24593",
+    "severity": "Medium"
+  },
+  "CVE-2022-24765": {
+    "id": "CVE-2022-24765",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24765",
+    "severity": "High"
+  },
+  "CVE-2021-21309": {
+    "id": "CVE-2021-21309",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21309",
+    "severity": "Critical"
+  },
+  "CVE-2021-44141": {
+    "id": "CVE-2021-44141",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44141",
+    "severity": "Medium"
+  },
+  "CVE-2023-4911": {
+    "id": "CVE-2023-4911",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4911",
+    "severity": "High"
+  },
+  "CVE-2020-28282": {
+    "id": "CVE-2020-28282",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28282",
+    "severity": "Critical"
+  },
+  "CVE-2021-4034": {
+    "id": "CVE-2021-4034",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4034",
+    "severity": "High"
+  },
+  "CVE-2022-36114": {
+    "id": "CVE-2022-36114",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36114",
+    "severity": "High"
+  },
+  "CVE-2021-35942": {
+    "id": "CVE-2021-35942",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35942",
+    "severity": "Medium"
+  },
+  "CVE-2021-47234": {
+    "id": "CVE-2021-47234",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47234",
+    "severity": "Low"
+  },
+  "CVE-2021-28116": {
+    "id": "CVE-2021-28116",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28116",
+    "severity": "Medium"
+  },
+  "CVE-2021-41133": {
+    "id": "CVE-2021-41133",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41133",
+    "severity": "High"
+  },
+  "CVE-2022-24048": {
+    "id": "CVE-2022-24048",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24048",
+    "severity": "Medium"
+  },
+  "CVE-2023-50269": {
+    "id": "CVE-2023-50269",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50269",
+    "severity": "High"
+  },
+  "CVE-2023-26607": {
+    "id": "CVE-2023-26607",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26607",
+    "severity": "High"
+  },
+  "CVE-2022-23308": {
+    "id": "CVE-2022-23308",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23308",
+    "severity": "High"
+  },
+  "CVE-2023-22799": {
+    "id": "CVE-2023-22799",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22799",
+    "severity": "Medium"
+  },
+  "CVE-2021-36222": {
+    "id": "CVE-2021-36222",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36222",
+    "severity": "High"
+  },
+  "CVE-2022-22719": {
+    "id": "CVE-2022-22719",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22719",
+    "severity": "High"
+  },
+  "CVE-2020-14352": {
+    "id": "CVE-2020-14352",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14352",
+    "severity": "High"
+  },
+  "CVE-2022-3821": {
+    "id": "CVE-2022-3821",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3821",
+    "severity": "Medium"
+  },
+  "CVE-2021-47154": {
+    "id": "CVE-2021-47154",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47154",
+    "severity": "Medium"
+  },
+  "CVE-2022-1049": {
+    "id": "CVE-2022-1049",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1049",
+    "severity": "High"
+  },
+  "CVE-2023-27534": {
+    "id": "CVE-2023-27534",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27534",
+    "severity": "Medium"
+  },
+  "CVE-2020-35512": {
+    "id": "CVE-2020-35512",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35512",
+    "severity": "High"
+  },
+  "CVE-2021-3996": {
+    "id": "CVE-2021-3996",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3996",
+    "severity": "Medium"
+  },
+  "CVE-2023-6516": {
+    "id": "CVE-2023-6516",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6516",
+    "severity": "High"
+  },
+  "CVE-2023-6176": {
+    "id": "CVE-2023-6176",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6176",
+    "severity": "Low"
+  },
+  "CVE-2024-34083": {
+    "id": "CVE-2024-34083",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34083",
+    "severity": "Medium"
+  },
+  "CVE-2021-3927": {
+    "id": "CVE-2021-3927",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3927",
+    "severity": "High"
+  },
+  "CVE-2024-24789": {
+    "id": "CVE-2024-24789",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24789",
+    "severity": "Medium"
+  },
+  "CVE-2021-45942": {
+    "id": "CVE-2021-45942",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45942",
+    "severity": "Medium"
+  },
+  "CVE-2020-29509": {
+    "id": "CVE-2020-29509",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29509",
+    "severity": "Medium"
+  },
+  "CVE-2017-12613": {
+    "id": "CVE-2017-12613",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12613",
+    "severity": "High"
+  },
+  "CVE-2023-38289": {
+    "id": "CVE-2023-38289",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38289",
+    "severity": "Low"
+  },
+  "CVE-2022-0494": {
+    "id": "CVE-2022-0494",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0494",
+    "severity": "High"
+  },
+  "CVE-2022-41723": {
+    "id": "CVE-2022-41723",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723",
+    "severity": "High"
+  },
+  "CVE-2022-20141": {
+    "id": "CVE-2022-20141",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20141",
+    "severity": "High"
+  },
+  "CVE-2022-0572": {
+    "id": "CVE-2022-0572",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0572",
+    "severity": "High"
+  },
+  "CVE-2024-39467": {
+    "id": "CVE-2024-39467",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39467",
+    "severity": "Medium"
+  },
+  "CVE-2021-20188": {
+    "id": "CVE-2021-20188",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20188",
+    "severity": "High"
+  },
+  "CVE-2021-34141": {
+    "id": "CVE-2021-34141",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34141",
+    "severity": "High"
+  },
+  "CVE-2023-45139": {
+    "id": "CVE-2023-45139",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45139",
+    "severity": "High"
+  },
+  "CVE-2022-2097": {
+    "id": "CVE-2022-2097",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2097",
+    "severity": "High"
+  },
+  "CVE-2021-22904": {
+    "id": "CVE-2021-22904",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22904",
+    "severity": "High"
+  },
+  "CVE-2019-15961": {
+    "id": "CVE-2019-15961",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15961",
+    "severity": "Medium"
+  },
+  "CVE-2024-3651": {
+    "id": "CVE-2024-3651",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3651",
+    "severity": "Medium"
+  },
+  "CVE-2023-1095": {
+    "id": "CVE-2023-1095",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1095",
+    "severity": "Medium"
+  },
+  "CVE-2023-38469": {
+    "id": "CVE-2023-38469",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38469",
+    "severity": "Medium"
+  },
+  "CVE-2024-34402": {
+    "id": "CVE-2024-34402",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34402",
+    "severity": "Medium"
+  },
+  "CVE-2022-25147": {
+    "id": "CVE-2022-25147",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25147",
+    "severity": "Critical"
+  },
+  "CVE-2019-17626": {
+    "id": "CVE-2019-17626",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17626",
+    "severity": "Critical"
+  },
+  "CVE-2024-27431": {
+    "id": "CVE-2024-27431",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27431",
+    "severity": "Medium"
+  },
+  "CVE-2022-48554": {
+    "id": "CVE-2022-48554",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48554",
+    "severity": "Medium"
+  },
+  "CVE-2021-3796": {
+    "id": "CVE-2021-3796",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3796",
+    "severity": "High"
+  },
+  "CVE-2021-3981": {
+    "id": "CVE-2021-3981",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3981",
+    "severity": "Low"
+  },
+  "CVE-2023-30608": {
+    "id": "CVE-2023-30608",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30608",
+    "severity": "High"
+  },
+  "CVE-2024-39695": {
+    "id": "CVE-2024-39695",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39695",
+    "severity": "Medium"
+  },
+  "CVE-2022-0943": {
+    "id": "CVE-2022-0943",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0943",
+    "severity": "High"
+  },
+  "CVE-2023-4504": {
+    "id": "CVE-2023-4504",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4504",
+    "severity": "High"
+  },
+  "CVE-2019-12067": {
+    "id": "CVE-2019-12067",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12067",
+    "severity": "Medium"
+  },
+  "CVE-2020-15469": {
+    "id": "CVE-2020-15469",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15469",
+    "severity": "Low"
+  },
+  "CVE-2021-35331": {
+    "id": "CVE-2021-35331",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35331",
+    "severity": "High"
+  },
+  "CVE-2021-33638": {
+    "id": "CVE-2021-33638",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33638",
+    "severity": "Critical"
+  },
+  "CVE-2022-29162": {
+    "id": "CVE-2022-29162",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29162",
+    "severity": "Medium"
+  },
+  "CVE-2022-48064": {
+    "id": "CVE-2022-48064",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48064",
+    "severity": "Medium"
+  },
+  "CVE-2021-20246": {
+    "id": "CVE-2021-20246",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20246",
+    "severity": "Low"
+  },
+  "CVE-2023-21930": {
+    "id": "CVE-2023-21930",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21930",
+    "severity": "High"
+  },
+  "CVE-2023-38559": {
+    "id": "CVE-2023-38559",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38559",
+    "severity": "Critical"
+  },
+  "CVE-2022-1516": {
+    "id": "CVE-2022-1516",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1516",
+    "severity": "Medium"
+  },
+  "CVE-2022-3134": {
+    "id": "CVE-2022-3134",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3134",
+    "severity": "High"
+  },
+  "CVE-2024-32660": {
+    "id": "CVE-2024-32660",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32660",
+    "severity": "Critical"
+  },
+  "CVE-2023-25136": {
+    "id": "CVE-2023-25136",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25136",
+    "severity": "Medium"
+  },
+  "CVE-2022-45060": {
+    "id": "CVE-2022-45060",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45060",
+    "severity": "High"
+  },
+  "CVE-2019-14900": {
+    "id": "CVE-2019-14900",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14900",
+    "severity": "Medium"
+  },
+  "CVE-2022-2124": {
+    "id": "CVE-2022-2124",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2124",
+    "severity": "High"
+  },
+  "CVE-2021-23336": {
+    "id": "CVE-2021-23336",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23336",
+    "severity": "High"
+  },
+  "CVE-2021-38578": {
+    "id": "CVE-2021-38578",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38578",
+    "severity": "Critical"
+  },
+  "CVE-2021-33036": {
+    "id": "CVE-2021-33036",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33036",
+    "severity": "High"
+  },
+  "CVE-2023-51793": {
+    "id": "CVE-2023-51793",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51793",
+    "severity": "Critical"
+  },
+  "CVE-2024-24892": {
+    "id": "CVE-2024-24892",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24892",
+    "severity": "High"
+  },
+  "CVE-2023-40217": {
+    "id": "CVE-2023-40217",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40217",
+    "severity": "Medium"
+  },
+  "CVE-2022-39260": {
+    "id": "CVE-2022-39260",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39260",
+    "severity": "Medium"
+  },
+  "CVE-2022-42012": {
+    "id": "CVE-2022-42012",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42012",
+    "severity": "Medium"
+  },
+  "CVE-2023-47100": {
+    "id": "CVE-2023-47100",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47100",
+    "severity": "Critical"
+  },
+  "CVE-2019-11098": {
+    "id": "CVE-2019-11098",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11098",
+    "severity": "High"
+  },
+  "CVE-2024-4467": {
+    "id": "CVE-2024-4467",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4467",
+    "severity": "High"
+  },
+  "CVE-2024-5535": {
+    "id": "CVE-2024-5535",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5535",
+    "severity": "Medium"
+  },
+  "CVE-2023-41080": {
+    "id": "CVE-2023-41080",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41080",
+    "severity": "Medium"
+  },
+  "CVE-2022-41966": {
+    "id": "CVE-2022-41966",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41966",
+    "severity": "High"
+  },
+  "CVE-2023-24056": {
+    "id": "CVE-2023-24056",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24056",
+    "severity": "Critical"
+  },
+  "CVE-2023-4156": {
+    "id": "CVE-2023-4156",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4156",
+    "severity": "Low"
+  },
+  "CVE-2020-28493": {
+    "id": "CVE-2020-28493",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28493",
+    "severity": "Medium"
+  },
+  "CVE-2024-36971": {
+    "id": "CVE-2024-36971",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36971",
+    "severity": "Medium"
+  },
+  "CVE-2024-6564": {
+    "id": "CVE-2024-6564",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6564",
+    "severity": "Medium"
+  },
+  "CVE-2022-0175": {
+    "id": "CVE-2022-0175",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0175",
+    "severity": "Medium"
+  },
+  "CVE-2023-1544": {
+    "id": "CVE-2023-1544",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1544",
+    "severity": "Medium"
+  },
+  "CVE-2020-27842": {
+    "id": "CVE-2020-27842",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27842",
+    "severity": "Medium"
+  },
+  "CVE-2021-24032": {
+    "id": "CVE-2021-24032",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24032",
+    "severity": "Critical"
+  },
+  "CVE-2024-36039": {
+    "id": "CVE-2024-36039",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36039",
+    "severity": "High"
+  },
+  "CVE-2023-4194": {
+    "id": "CVE-2023-4194",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4194",
+    "severity": "Medium"
+  },
+  "CVE-2021-42717": {
+    "id": "CVE-2021-42717",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42717",
+    "severity": "High"
+  },
+  "CVE-2022-2084": {
+    "id": "CVE-2022-2084",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2084",
+    "severity": "Medium"
+  },
+  "CVE-2023-26130": {
+    "id": "CVE-2023-26130",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26130",
+    "severity": "High"
+  },
+  "CVE-2021-38165": {
+    "id": "CVE-2021-38165",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38165",
+    "severity": "High"
+  },
+  "CVE-2024-36006": {
+    "id": "CVE-2024-36006",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36006",
+    "severity": "Medium"
+  },
+  "CVE-2023-0054": {
+    "id": "CVE-2023-0054",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0054",
+    "severity": "High"
+  },
+  "CVE-2023-22999": {
+    "id": "CVE-2023-22999",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22999",
+    "severity": "High"
+  },
+  "CVE-2023-23913": {
+    "id": "CVE-2023-23913",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23913",
+    "severity": "High"
+  },
+  "CVE-2023-26555": {
+    "id": "CVE-2023-26555",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26555",
+    "severity": "Medium"
+  },
+  "CVE-2016-9296": {
+    "id": "CVE-2016-9296",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9296",
+    "severity": "High"
+  },
+  "CVE-2023-28938": {
+    "id": "CVE-2023-28938",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28938",
+    "severity": "Medium"
+  },
+  "CVE-2019-17007": {
+    "id": "CVE-2019-17007",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17007",
+    "severity": "Medium"
+  },
+  "CVE-2023-3576": {
+    "id": "CVE-2023-3576",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3576",
+    "severity": "Medium"
+  },
+  "CVE-2018-16301": {
+    "id": "CVE-2018-16301",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16301",
+    "severity": "High"
+  },
+  "CVE-2023-0666": {
+    "id": "CVE-2023-0666",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0666",
+    "severity": "Medium"
+  },
+  "CVE-2020-10735": {
+    "id": "CVE-2020-10735",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10735",
+    "severity": "High"
+  },
+  "CVE-2023-0047": {
+    "id": "CVE-2023-0047",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0047",
+    "severity": "High"
+  },
+  "CVE-2022-45061": {
+    "id": "CVE-2022-45061",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45061",
+    "severity": "High"
+  },
+  "CVE-2023-48706": {
+    "id": "CVE-2023-48706",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48706",
+    "severity": "Low"
+  },
+  "CVE-2024-34397": {
+    "id": "CVE-2024-34397",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34397",
+    "severity": "Low"
+  },
+  "CVE-2021-3571": {
+    "id": "CVE-2021-3571",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3571",
+    "severity": "High"
+  },
+  "CVE-2022-30550": {
+    "id": "CVE-2022-30550",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30550",
+    "severity": "Medium"
+  },
+  "CVE-2020-1695": {
+    "id": "CVE-2020-1695",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1695",
+    "severity": "High"
+  },
+  "CVE-2022-30065": {
+    "id": "CVE-2022-30065",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30065",
+    "severity": "High"
+  },
+  "CVE-2019-17185": {
+    "id": "CVE-2019-17185",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17185",
+    "severity": "Medium"
+  },
+  "CVE-2020-14343": {
+    "id": "CVE-2020-14343",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14343",
+    "severity": "Critical"
+  },
+  "CVE-2024-5458": {
+    "id": "CVE-2024-5458",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5458",
+    "severity": "Medium"
+  },
+  "CVE-2023-0286": {
+    "id": "CVE-2023-0286",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0286",
+    "severity": "Medium"
+  },
+  "CVE-2022-42329": {
+    "id": "CVE-2022-42329",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42329",
+    "severity": "Medium"
+  },
+  "CVE-2020-15078": {
+    "id": "CVE-2020-15078",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15078",
+    "severity": "High"
+  },
+  "CVE-2023-51798": {
+    "id": "CVE-2023-51798",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51798",
+    "severity": "Medium"
+  },
+  "CVE-2024-33602": {
+    "id": "CVE-2024-33602",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33602",
+    "severity": "High"
+  },
+  "CVE-2023-6277": {
+    "id": "CVE-2023-6277",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6277",
+    "severity": "Medium"
+  },
+  "CVE-2021-41136": {
+    "id": "CVE-2021-41136",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41136",
+    "severity": "Low"
+  },
+  "CVE-2021-43859": {
+    "id": "CVE-2021-43859",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43859",
+    "severity": "High"
+  },
+  "CVE-2023-4459": {
+    "id": "CVE-2023-4459",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4459",
+    "severity": "Medium"
+  },
+  "CVE-2023-40546": {
+    "id": "CVE-2023-40546",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40546",
+    "severity": "Medium"
+  },
+  "CVE-2022-2031": {
+    "id": "CVE-2022-2031",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2031",
+    "severity": "Medium"
+  },
+  "CVE-2020-12279": {
+    "id": "CVE-2020-12279",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12279",
+    "severity": "High"
+  },
+  "CVE-2022-38150": {
+    "id": "CVE-2022-38150",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38150",
+    "severity": "High"
+  },
+  "CVE-2021-41991": {
+    "id": "CVE-2021-41991",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41991",
+    "severity": "High"
+  },
+  "CVE-2022-1802": {
+    "id": "CVE-2022-1802",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1802",
+    "severity": "High"
+  },
+  "CVE-2021-22569": {
+    "id": "CVE-2021-22569",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22569",
+    "severity": "Medium"
+  },
+  "CVE-2021-30145": {
+    "id": "CVE-2021-30145",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30145",
+    "severity": "High"
+  },
+  "CVE-2020-6950": {
+    "id": "CVE-2020-6950",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6950",
+    "severity": "High"
+  },
+  "CVE-2022-26280": {
+    "id": "CVE-2022-26280",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26280",
+    "severity": "Critical"
+  },
+  "CVE-2022-1674": {
+    "id": "CVE-2022-1674",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1674",
+    "severity": "High"
+  },
+  "CVE-2022-3705": {
+    "id": "CVE-2022-3705",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3705",
+    "severity": "High"
+  },
+  "CVE-2023-23601": {
+    "id": "CVE-2023-23601",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23601",
+    "severity": "Medium"
+  },
+  "CVE-2024-6383": {
+    "id": "CVE-2024-6383",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6383",
+    "severity": "Medium"
+  },
+  "CVE-2018-17942": {
+    "id": "CVE-2018-17942",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17942",
+    "severity": "High"
+  },
+  "CVE-2022-25310": {
+    "id": "CVE-2022-25310",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25310",
+    "severity": "High"
+  },
+  "CVE-2021-45930": {
+    "id": "CVE-2021-45930",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45930",
+    "severity": "Medium"
+  },
+  "CVE-2021-39358": {
+    "id": "CVE-2021-39358",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39358",
+    "severity": "Medium"
+  },
+  "CVE-2023-28772": {
+    "id": "CVE-2023-28772",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28772",
+    "severity": "Medium"
+  },
+  "CVE-2023-40476": {
+    "id": "CVE-2023-40476",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40476",
+    "severity": "High"
+  },
+  "CVE-2024-28182": {
+    "id": "CVE-2024-28182",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28182",
+    "severity": "Medium"
+  },
+  "CVE-2021-27135": {
+    "id": "CVE-2021-27135",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27135",
+    "severity": "Critical"
+  },
+  "CVE-2020-28473": {
+    "id": "CVE-2020-28473",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28473",
+    "severity": "Medium"
+  },
+  "CVE-2022-2869": {
+    "id": "CVE-2022-2869",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2869",
+    "severity": "High"
+  },
+  "CVE-2021-3600": {
+    "id": "CVE-2021-3600",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3600",
+    "severity": "Medium"
+  },
+  "CVE-2023-20052": {
+    "id": "CVE-2023-20052",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20052",
+    "severity": "Critical"
+  },
+  "CVE-2024-23196": {
+    "id": "CVE-2024-23196",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23196",
+    "severity": "Medium"
+  },
+  "CVE-2023-1264": {
+    "id": "CVE-2023-1264",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1264",
+    "severity": "Medium"
+  },
+  "CVE-2023-42465": {
+    "id": "CVE-2023-42465",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42465",
+    "severity": "High"
+  },
+  "CVE-2020-8265": {
+    "id": "CVE-2020-8265",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8265",
+    "severity": "Medium"
+  },
+  "CVE-2021-29505": {
+    "id": "CVE-2021-29505",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29505",
+    "severity": "High"
+  },
+  "CVE-2023-2650": {
+    "id": "CVE-2023-2650",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2650",
+    "severity": "High"
+  },
+  "CVE-2017-6829": {
+    "id": "CVE-2017-6829",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6829",
+    "severity": "High"
+  },
+  "CVE-2019-15144": {
+    "id": "CVE-2019-15144",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15144",
+    "severity": "High"
+  },
+  "CVE-2024-1048": {
+    "id": "CVE-2024-1048",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1048",
+    "severity": "Low"
+  },
+  "CVE-2023-39129": {
+    "id": "CVE-2023-39129",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39129",
+    "severity": "Medium"
+  },
+  "CVE-2024-22211": {
+    "id": "CVE-2024-22211",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22211",
+    "severity": "Low"
+  },
+  "CVE-2024-40971": {
+    "id": "CVE-2024-40971",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40971",
+    "severity": "High"
+  },
+  "CVE-2023-41913": {
+    "id": "CVE-2023-41913",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41913",
+    "severity": "Critical"
+  },
+  "CVE-2024-4741": {
+    "id": "CVE-2024-4741",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4741",
+    "severity": "Critical"
+  },
+  "CVE-2024-20952": {
+    "id": "CVE-2024-20952",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20952",
+    "severity": "High"
+  },
+  "CVE-2022-3028": {
+    "id": "CVE-2022-3028",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3028",
+    "severity": "High"
+  },
+  "CVE-2023-41419": {
+    "id": "CVE-2023-41419",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41419",
+    "severity": "Critical"
+  },
+  "CVE-2023-5380": {
+    "id": "CVE-2023-5380",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5380",
+    "severity": "High"
+  },
+  "CVE-2021-27219": {
+    "id": "CVE-2021-27219",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27219",
+    "severity": "High"
+  },
+  "CVE-2021-25743": {
+    "id": "CVE-2021-25743",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25743",
+    "severity": "Low"
+  },
+  "CVE-2024-27074": {
+    "id": "CVE-2024-27074",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27074",
+    "severity": "Medium"
+  },
+  "CVE-2021-3522": {
+    "id": "CVE-2021-3522",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3522",
+    "severity": "Medium"
+  },
+  "CVE-2023-30630": {
+    "id": "CVE-2023-30630",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30630",
+    "severity": "Medium"
+  },
+  "CVE-2021-28834": {
+    "id": "CVE-2021-28834",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28834",
+    "severity": "Critical"
+  },
+  "CVE-2024-24785": {
+    "id": "CVE-2024-24785",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24785",
+    "severity": "High"
+  },
+  "CVE-2020-12059": {
+    "id": "CVE-2020-12059",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12059",
+    "severity": "High"
+  },
+  "CVE-2021-28168": {
+    "id": "CVE-2021-28168",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28168",
+    "severity": "Medium"
+  },
+  "CVE-2021-21285": {
+    "id": "CVE-2021-21285",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21285",
+    "severity": "Medium"
+  },
+  "CVE-2021-3753": {
+    "id": "CVE-2021-3753",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3753",
+    "severity": "Medium"
+  },
+  "CVE-2023-6610": {
+    "id": "CVE-2023-6610",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6610",
+    "severity": "High"
+  },
+  "CVE-2021-42376": {
+    "id": "CVE-2021-42376",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42376",
+    "severity": "High"
+  },
+  "CVE-2023-3966": {
+    "id": "CVE-2023-3966",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3966",
+    "severity": "High"
+  },
+  "CVE-2021-3618": {
+    "id": "CVE-2021-3618",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3618",
+    "severity": "High"
+  },
+  "CVE-2024-32473": {
+    "id": "CVE-2024-32473",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32473",
+    "severity": "Medium"
+  },
+  "CVE-2020-10759": {
+    "id": "CVE-2020-10759",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10759",
+    "severity": "Medium"
+  },
+  "CVE-2023-23583": {
+    "id": "CVE-2023-23583",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23583",
+    "severity": "High"
+  },
+  "CVE-2021-37750": {
+    "id": "CVE-2021-37750",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37750",
+    "severity": "Medium"
+  },
+  "CVE-2022-1122": {
+    "id": "CVE-2022-1122",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1122",
+    "severity": "Medium"
+  },
+  "CVE-2022-20572": {
+    "id": "CVE-2022-20572",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20572",
+    "severity": "High"
+  },
+  "CVE-2021-43797": {
+    "id": "CVE-2021-43797",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43797",
+    "severity": "Medium"
+  },
+  "CVE-2021-3429": {
+    "id": "CVE-2021-3429",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3429",
+    "severity": "Medium"
+  },
+  "CVE-2023-50447": {
+    "id": "CVE-2023-50447",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50447",
+    "severity": "High"
+  },
+  "CVE-2022-31197": {
+    "id": "CVE-2022-31197",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31197",
+    "severity": "High"
+  },
+  "CVE-2020-15180": {
+    "id": "CVE-2020-15180",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15180",
+    "severity": "High"
+  },
+  "CVE-2022-31779": {
+    "id": "CVE-2022-31779",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31779",
+    "severity": "High"
+  },
+  "CVE-2021-29946": {
+    "id": "CVE-2021-29946",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29946",
+    "severity": "High"
+  },
+  "CVE-2024-38540": {
+    "id": "CVE-2024-38540",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38540",
+    "severity": "Medium"
+  },
+  "CVE-2013-0340": {
+    "id": "CVE-2013-0340",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0340",
+    "severity": "Medium"
+  },
+  "CVE-2022-0204": {
+    "id": "CVE-2022-0204",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0204",
+    "severity": "High"
+  },
+  "CVE-2020-14339": {
+    "id": "CVE-2020-14339",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14339",
+    "severity": "High"
+  },
+  "CVE-2024-5206": {
+    "id": "CVE-2024-5206",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5206",
+    "severity": "Medium"
+  },
+  "CVE-2022-4662": {
+    "id": "CVE-2022-4662",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4662",
+    "severity": "Medium"
+  },
+  "CVE-2022-22755": {
+    "id": "CVE-2022-22755",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22755",
+    "severity": "High"
+  },
+  "CVE-2023-32700": {
+    "id": "CVE-2023-32700",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32700",
+    "severity": "High"
+  },
+  "CVE-2022-20153": {
+    "id": "CVE-2022-20153",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20153",
+    "severity": "Medium"
+  },
+  "CVE-2022-1292": {
+    "id": "CVE-2022-1292",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1292",
+    "severity": "Medium"
+  },
+  "CVE-2021-36770": {
+    "id": "CVE-2021-36770",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36770",
+    "severity": "High"
+  },
+  "CVE-2020-36229": {
+    "id": "CVE-2020-36229",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36229",
+    "severity": "High"
+  },
+  "CVE-2022-1785": {
+    "id": "CVE-2022-1785",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1785",
+    "severity": "High"
+  },
+  "CVE-2021-42574": {
+    "id": "CVE-2021-42574",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42574",
+    "severity": "High"
+  },
+  "CVE-2020-28407": {
+    "id": "CVE-2020-28407",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28407",
+    "severity": "Medium"
+  },
+  "CVE-2022-0336": {
+    "id": "CVE-2022-0336",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0336",
+    "severity": "High"
+  },
+  "CVE-2020-26950": {
+    "id": "CVE-2020-26950",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26950",
+    "severity": "High"
+  },
+  "CVE-2022-30594": {
+    "id": "CVE-2022-30594",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30594",
+    "severity": "Medium"
+  },
+  "CVE-2022-3324": {
+    "id": "CVE-2022-3324",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3324",
+    "severity": "High"
+  },
+  "CVE-2023-32559": {
+    "id": "CVE-2023-32559",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32559",
+    "severity": "High"
+  },
+  "CVE-2023-37464": {
+    "id": "CVE-2023-37464",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37464",
+    "severity": "High"
+  },
+  "CVE-2023-43789": {
+    "id": "CVE-2023-43789",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43789",
+    "severity": "Medium"
+  },
+  "CVE-2024-26922": {
+    "id": "CVE-2024-26922",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26922",
+    "severity": "Medium"
+  },
+  "CVE-2023-43115": {
+    "id": "CVE-2023-43115",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43115",
+    "severity": "Critical"
+  },
+  "CVE-2019-8842": {
+    "id": "CVE-2019-8842",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8842",
+    "severity": "Low"
+  },
+  "CVE-2022-27406": {
+    "id": "CVE-2022-27406",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27406",
+    "severity": "Critical"
+  },
+  "CVE-2022-1616": {
+    "id": "CVE-2022-1616",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1616",
+    "severity": "Critical"
+  },
+  "CVE-2021-3580": {
+    "id": "CVE-2021-3580",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3580",
+    "severity": "High"
+  },
+  "CVE-2024-6409": {
+    "id": "CVE-2024-6409",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6409",
+    "severity": "High"
+  },
+  "CVE-2016-9136": {
+    "id": "CVE-2016-9136",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9136",
+    "severity": "Medium"
+  },
+  "CVE-2022-1552": {
+    "id": "CVE-2022-1552",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1552",
+    "severity": "High"
+  },
+  "CVE-2023-0361": {
+    "id": "CVE-2023-0361",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0361",
+    "severity": "Medium"
+  },
+  "CVE-2022-47016": {
+    "id": "CVE-2022-47016",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47016",
+    "severity": "High"
+  },
+  "CVE-2023-33288": {
+    "id": "CVE-2023-33288",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33288",
+    "severity": "Medium"
+  },
+  "CVE-2022-2000": {
+    "id": "CVE-2022-2000",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2000",
+    "severity": "High"
+  },
+  "CVE-2021-37619": {
+    "id": "CVE-2021-37619",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37619",
+    "severity": "Medium"
+  },
+  "CVE-2020-35738": {
+    "id": "CVE-2020-35738",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35738",
+    "severity": "Medium"
+  },
+  "CVE-2022-39318": {
+    "id": "CVE-2022-39318",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39318",
+    "severity": "High"
+  },
+  "CVE-2021-41183": {
+    "id": "CVE-2021-41183",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41183",
+    "severity": "Medium"
+  },
+  "CVE-2023-52425": {
+    "id": "CVE-2023-52425",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52425",
+    "severity": "High"
+  },
+  "CVE-2023-3255": {
+    "id": "CVE-2023-3255",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3255",
+    "severity": "Medium"
+  },
+  "CVE-2023-0437": {
+    "id": "CVE-2023-0437",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0437",
+    "severity": "Medium"
+  },
+  "CVE-2020-8284": {
+    "id": "CVE-2020-8284",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8284",
+    "severity": "High"
+  },
+  "CVE-2023-22081": {
+    "id": "CVE-2023-22081",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22081",
+    "severity": "Medium"
+  },
+  "CVE-2022-33099": {
+    "id": "CVE-2022-33099",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33099",
+    "severity": "High"
+  },
+  "CVE-2023-25725": {
+    "id": "CVE-2023-25725",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25725",
+    "severity": "Medium"
+  },
+  "CVE-2023-1108": {
+    "id": "CVE-2023-1108",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1108",
+    "severity": "High"
+  },
+  "CVE-2021-40732": {
+    "id": "CVE-2021-40732",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40732",
+    "severity": "Medium"
+  },
+  "CVE-2021-29425": {
+    "id": "CVE-2021-29425",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29425",
+    "severity": "Medium"
+  },
+  "CVE-2023-1829": {
+    "id": "CVE-2023-1829",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1829",
+    "severity": "Medium"
+  },
+  "CVE-2022-33967": {
+    "id": "CVE-2022-33967",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33967",
+    "severity": "Medium"
+  },
+  "CVE-2022-20001": {
+    "id": "CVE-2022-20001",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20001",
+    "severity": "High"
+  },
+  "CVE-2022-42252": {
+    "id": "CVE-2022-42252",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42252",
+    "severity": "High"
+  },
+  "CVE-2019-16779": {
+    "id": "CVE-2019-16779",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16779",
+    "severity": "Medium"
+  },
+  "CVE-2023-3592": {
+    "id": "CVE-2023-3592",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3592",
+    "severity": "High"
+  },
+  "CVE-2021-33560": {
+    "id": "CVE-2021-33560",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33560",
+    "severity": "High"
+  },
+  "CVE-2023-4128": {
+    "id": "CVE-2023-4128",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4128",
+    "severity": "Medium"
+  },
+  "CVE-2022-4515": {
+    "id": "CVE-2022-4515",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4515",
+    "severity": "High"
+  },
+  "CVE-2022-3924": {
+    "id": "CVE-2022-3924",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3924",
+    "severity": "High"
+  },
+  "CVE-2023-2603": {
+    "id": "CVE-2023-2603",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2603",
+    "severity": "Low"
+  },
+  "CVE-2021-27138": {
+    "id": "CVE-2021-27138",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27138",
+    "severity": "High"
+  },
+  "CVE-2022-4450": {
+    "id": "CVE-2022-4450",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4450",
+    "severity": "High"
+  },
+  "CVE-2019-13377": {
+    "id": "CVE-2019-13377",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13377",
+    "severity": "Medium"
+  },
+  "CVE-2022-41318": {
+    "id": "CVE-2022-41318",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41318",
+    "severity": "Medium"
+  },
+  "CVE-2015-8011": {
+    "id": "CVE-2015-8011",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8011",
+    "severity": "High"
+  },
+  "CVE-2022-3628": {
+    "id": "CVE-2022-3628",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3628",
+    "severity": "Medium"
+  },
+  "CVE-2021-29136": {
+    "id": "CVE-2021-29136",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29136",
+    "severity": "Medium"
+  },
+  "CVE-2023-45667": {
+    "id": "CVE-2023-45667",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45667",
+    "severity": "Critical"
+  },
+  "CVE-2020-13112": {
+    "id": "CVE-2020-13112",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13112",
+    "severity": "Critical"
+  },
+  "CVE-2024-0567": {
+    "id": "CVE-2024-0567",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0567",
+    "severity": "Medium"
+  },
+  "CVE-2022-32205": {
+    "id": "CVE-2022-32205",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32205",
+    "severity": "Medium"
+  },
+  "CVE-2021-41039": {
+    "id": "CVE-2021-41039",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41039",
+    "severity": "High"
+  },
+  "CVE-2021-38208": {
+    "id": "CVE-2021-38208",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38208",
+    "severity": "Medium"
+  },
+  "CVE-2021-3712": {
+    "id": "CVE-2021-3712",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3712",
+    "severity": "High"
+  },
+  "CVE-2023-50230": {
+    "id": "CVE-2023-50230",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50230",
+    "severity": "High"
+  },
+  "CVE-2024-26601": {
+    "id": "CVE-2024-26601",
+    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26601",
+    "severity": "Medium"
+  }
+}
\ No newline at end of file
diff --git a/cvrf_sainfos.json b/cvrf_sainfos.json
new file mode 100644
index 0000000..59faa00
--- /dev/null
+++ b/cvrf_sainfos.json
@@ -0,0 +1,42910 @@
+{
+  "openEuler-SA-2022-2145": {
+    "id": "openEuler-SA-2022-2145",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2145",
+    "title": "An update for openjdk-1.8.0 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The OpenJDK runtime environment 8.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21271)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21426)",
+    "cves": [
+      {
+        "id": "CVE-2022-21426",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21426",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1542": {
+    "id": "openEuler-SA-2023-1542",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1542",
+    "title": "An update for qpdf is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "QPDF is a command-line program that does structural, content-preserving transformations on PDF files. It could have been called something like pdf-to-pdf. It also provides many useful capabilities to developers of PDF-producing software or for people who just want to look at the innards of a PDF file to learn more about how they work.\n\nSecurity Fix(es):\n\nAn issue was discovered in QPDF version 10.0.4, allows remote attackers to execute arbitrary code via crafted .pdf file to Pl_ASCII85Decoder::write parameter in libqpdf.(CVE-2021-25786)",
+    "cves": [
+      {
+        "id": "CVE-2021-25786",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25786",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1703": {
+    "id": "openEuler-SA-2023-1703",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1703",
+    "title": "An update for cups is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "CUPS is the standards-based, open source printing system developed by Apple Inc. for UNIX®-like operating systems. CUPS uses the Internet Printing Protocol (IPP) to support printing to local and network printers..\r\n\r\nSecurity Fix(es):\r\n\r\nDue to failure in validating the length provided by an attacker-crafted PPD PostScript document, CUPS and libppd are susceptible to a heap-based buffer overflow and possibly code execution. This issue has been fixed in CUPS version 2.4.7, released in September of 2023.\n(CVE-2023-4504)",
+    "cves": [
+      {
+        "id": "CVE-2023-4504",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4504",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1738": {
+    "id": "openEuler-SA-2023-1738",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1738",
+    "title": "An update for openjdk-11 is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in function ciMethodBlocks::make_block_at in Oracle JDK (HotSpot VM) 11, 17 and OpenJDK (HotSpot VM) 8, 11, 17, allows attackers to cause a denial of service.(CVE-2022-40433)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via DTLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-21835)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Sound).  Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21843)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2023-21930)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21937)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21938)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21939)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2023-21954)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21967)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21968)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).(CVE-2023-22006)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Utility).  Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-22036)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.1 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2023-22041)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2023-22045)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-22049)",
+    "cves": [
+      {
+        "id": "CVE-2023-22049",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22049",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1465": {
+    "id": "openEuler-SA-2024-1465",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1465",
+    "title": "An update for docker is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Docker is an open source project to build, ship and run any application as a lightweight container.\r\n\r\nSecurity Fix(es):\r\n\r\nMoby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be defined. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters and thus behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_. The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and other API clients may specify the `internal` parameter as well.\r\n\r\nWhen containers with networking are created, they are assigned unique network interfaces and IP addresses. The host serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from container IPs.\r\n\r\nContainers on an internal network may communicate between each other, but are precluded from communicating with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus appropriately configured host services) is possible, and the host may communicate with any container IP directly.\r\n\r\nIn addition to configuring the Linux kernel's various networking features to enable container networking, `dockerd` directly provides some services to container networks. Principal among these is serving as a resolver, enabling service discovery, and resolution of names from an upstream resolver.\r\n\r\nWhen a DNS request for a name that does not correspond to a container is received, the request is forwarded to the configured upstream resolver. This request is made from the container's network namespace: the level of access and routing of traffic is the same as if the request was made by the container itself.\r\n\r\nAs a consequence of this design, containers solely attached to an internal network will be unable to resolve names using the upstream resolver, as the container itself is unable to communicate with that nameserver. Only the names of containers also attached to the internal network are able to be resolved.\r\n\r\nMany systems run a local forwarding DNS resolver. As the host and any containers have separate loopback devices, a consequence of the design described above is that containers are unable to resolve names from the host's configured resolver, as they cannot reach these addresses on the host loopback device. To bridge this gap, and to allow containers to properly resolve names even when a local forwarding resolver is used on a loopback address, `dockerd` detects this scenario and instead forward DNS requests from the host namework namespace. The loopback resolver then forwards the requests to its configured upstream resolvers, as expected.\r\n\r\nBecause `dockerd` forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics entirely, internal networks can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers.\r\n\r\nDocker Desktop is not affected, as Docker Desktop always runs an internal resolver on a RFC 1918 address.\r\n\r\nMoby releases 26.0.0, 25.0.4, and 23.0.11 are patched to prevent forwarding any DNS requests from internal networks. As a workaround, run containers intended to be solely attached to internal networks with a custom upstream address, which will force all upstream DNS queries to be resolved from the container's network namespace.(CVE-2024-29018)",
+    "cves": [
+      {
+        "id": "CVE-2024-29018",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29018",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1996": {
+    "id": "openEuler-SA-2023-1996",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1996",
+    "title": "An update for mybatis is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "The MyBatis data mapper framework makes it easier to use a relational database with object-oriented applications. MyBatis couples objects with stored procedures or SQL statements using a XML descriptor or annotations. Simplicity is the biggest advantage of the MyBatis data mapper over object relational mapping tools. To use the MyBatis data mapper, you rely on your own objects, XML, and SQL. There is little to learn that you don't already know. With the MyBatis data mapper, you have the full power of both SQL and stored procedures at your fingertips. The MyBatis project is developed and maintained by a team that includes the original creators of the \"iBATIS\" data mapper. The Apache project was retired and continued here.\r\n\r\nSecurity Fix(es):\r\n\r\nA SQL injection vulnerability in Mybatis plus below 3.5.3.1 allows remote attackers to execute arbitrary SQL commands via the tenant ID valuer.(CVE-2023-25330)",
+    "cves": [
+      {
+        "id": "CVE-2023-25330",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25330",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1300": {
+    "id": "openEuler-SA-2021-1300",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1300",
+    "title": "An update for curl is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nlibcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.(CVE-2021-22924)",
+    "cves": [
+      {
+        "id": "CVE-2021-22924",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22924",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1918": {
+    "id": "openEuler-SA-2022-1918",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1918",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Low",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\n\n\t\tQEMU has two operating modes:\n\n\t\tFull system emulation. In this mode, QEMU emulates a full system (for example a PC),\n\t\tincluding one or several processors and various peripherals. It can be used to launch\n\t\tdifferent Operating Systems without rebooting the PC or to debug system code.\n\n\t\tUser mode emulation. In this mode, QEMU can launch processes compiled for one CPU on another CPU.\n\t\tIt can be used to launch the Wine Windows API emulator (https://www.winehq.org) or to ease\n\t\tcross-compilation and cross-debugging.\n\t\tYou can refer to https://www.qemu.org for more infortmation.\n\r\n\r\nSecurity Fix(es):\r\n\r\nAn infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process on the host, resulting in a denial of service.(CVE-2020-14394)",
+    "cves": [
+      {
+        "id": "CVE-2020-14394",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14394",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1791": {
+    "id": "openEuler-SA-2024-1791",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1791",
+    "title": "An update for golang is now available for openEuler-24.03-LTS",
+    "severity": "Medium",
+    "description": ".\r\n\r\nSecurity Fix(es):\r\n\r\nThe archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.(CVE-2024-24789)",
+    "cves": [
+      {
+        "id": "CVE-2024-24789",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24789",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1884": {
+    "id": "openEuler-SA-2022-1884",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1884",
+    "title": "An update for OpenEXR is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light & Magic for use in computer imaging applications.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in OpenEXR's B44Compressor. This flaw allows an attacker who can submit a crafted file to be processed by OpenEXR, to exhaust all memory accessible to the application. The highest threat from this vulnerability is to system availability.(CVE-2021-20298)",
+    "cves": [
+      {
+        "id": "CVE-2021-20298",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20298",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2096": {
+    "id": "openEuler-SA-2022-2096",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2096",
+    "title": "An update for xmlrpc is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Apache XML-RPC is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls. Apache XML-RPC was previously known as Helma XML-RPC. If you have code using the Helma library, all you should have to do is change the import statements in your code from helma.xmlrpc.* to org.apache.xmlrpc.*.\r\n\r\nSecurity Fix(es):\r\n\r\nAn untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.(CVE-2019-17570)",
+    "cves": [
+      {
+        "id": "CVE-2019-17570",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17570",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1310": {
+    "id": "openEuler-SA-2024-1310",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1310",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.(CVE-2023-3019)\r\n\r\nA flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached before vnc_server_cut_text_caps() was called and had the chance to initialize the clipboard peer, leading to a NULL pointer dereference. This could allow a malicious authenticated VNC client to crash QEMU and trigger a denial of service.(CVE-2023-6683)\r\n\r\nA stack based buffer overflow was found in the virtio-net device of QEMU. This issue occurs when flushing TX in the virtio_net_flush_tx function if guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1 and VIRTIO_NET_F_MRG_RXBUF are enabled. This could allow a malicious user to overwrite local variables allocated on the stack. Specifically, the `out_sg` variable could be used to read a part of process memory and send it to the wire, causing an information leak.(CVE-2023-6693)",
+    "cves": [
+      {
+        "id": "CVE-2023-6693",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6693",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1726": {
+    "id": "openEuler-SA-2023-1726",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1726",
+    "title": "An update for grpc is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "gRPC is a modern open source high performance RPC framework that can run in any environment. It can efficiently connect services in and across data centers with pluggable support for load balancing, tracing, health checking and authentication. It is also applicable in last mile of distributed computing to connect devices, mobile applications and browsers to backend services.\r\n\r\nSecurity Fix(es):\r\n\r\nLack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. (CVE-2023-4785)",
+    "cves": [
+      {
+        "id": "CVE-2023-4785",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4785",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1648": {
+    "id": "openEuler-SA-2024-1648",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1648",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm/slub: fix to return errno if kmalloc() fails\r\n\r\nIn create_unique_id(), kmalloc(, GFP_KERNEL) can fail due to\nout-of-memory, if it fails, return errno correctly rather than\ntriggering panic via BUG_ON();\r\n\r\nkernel BUG at mm/slub.c:5893!\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\r\n\r\nCall trace:\n sysfs_slab_add+0x258/0x260 mm/slub.c:5973\n __kmem_cache_create+0x60/0x118 mm/slub.c:4899\n create_cache mm/slab_common.c:229 [inline]\n kmem_cache_create_usercopy+0x19c/0x31c mm/slab_common.c:335\n kmem_cache_create+0x1c/0x28 mm/slab_common.c:390\n f2fs_kmem_cache_create fs/f2fs/f2fs.h:2766 [inline]\n f2fs_init_xattr_caches+0x78/0xb4 fs/f2fs/xattr.c:808\n f2fs_fill_super+0x1050/0x1e0c fs/f2fs/super.c:4149\n mount_bdev+0x1b8/0x210 fs/super.c:1400\n f2fs_mount+0x44/0x58 fs/f2fs/super.c:4512\n legacy_get_tree+0x30/0x74 fs/fs_context.c:610\n vfs_get_tree+0x40/0x140 fs/super.c:1530\n do_new_mount+0x1dc/0x4e4 fs/namespace.c:3040\n path_mount+0x358/0x914 fs/namespace.c:3370\n do_mount fs/namespace.c:3383 [inline]\n __do_sys_mount fs/namespace.c:3591 [inline]\n __se_sys_mount fs/namespace.c:3568 [inline]\n __arm64_sys_mount+0x2f8/0x408 fs/namespace.c:3568(CVE-2022-48659)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngpiolib: cdev: Set lineevent_state::irq after IRQ register successfully\r\n\r\nWhen running gpio test on nxp-ls1028 platform with below command\ngpiomon --num-events=3 --rising-edge gpiochip1 25\nThere will be a warning trace as below:\nCall trace:\nfree_irq+0x204/0x360\nlineevent_free+0x64/0x70\ngpio_ioctl+0x598/0x6a0\n__arm64_sys_ioctl+0xb4/0x100\ninvoke_syscall+0x5c/0x130\n......\nel0t_64_sync+0x1a0/0x1a4\nThe reason of this issue is that calling request_threaded_irq()\nfunction failed, and then lineevent_free() is invoked to release\nthe resource. Since the lineevent_state::irq was already set, so\nthe subsequent invocation of free_irq() would trigger the above\nwarning call trace. To fix this issue, set the lineevent_state::irq\nafter the IRQ register successfully.(CVE-2022-48660)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbinder: fix race between mmput() and do_exit()\r\n\r\nTask A calls binder_update_page_range() to allocate and insert pages on\na remote address space from Task B. For this, Task A pins the remote mm\nvia mmget_not_zero() first. This can race with Task B do_exit() and the\nfinal mmput() refcount decrement will come from Task A.\r\n\r\n  Task A            | Task B\n  ------------------+------------------\n  mmget_not_zero()  |\n                    |  do_exit()\n                    |    exit_mm()\n                    |      mmput()\n  mmput()           |\n    exit_mmap()     |\n      remove_vma()  |\n        fput()      |\r\n\r\nIn this case, the work of ____fput() from Task B is queued up in Task A\nas TWA_RESUME. So in theory, Task A returns to userspace and the cleanup\nwork gets executed. However, Task A instead sleep, waiting for a reply\nfrom Task B that never comes (it's dead).\r\n\r\nThis means the binder_deferred_release() is blocked until an unrelated\nbinder event forces Task A to go back to userspace. All the associated\ndeath notifications will also be delayed until then.\r\n\r\nIn order to fix this use mmput_async() that will schedule the work in\nthe corresponding mm->async_put_work WQ instead of Task A.(CVE-2023-52609)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhwrng: core - Fix page fault dead lock on mmap-ed hwrng\r\n\r\nThere is a dead-lock in the hwrng device read path.  This triggers\nwhen the user reads from /dev/hwrng into memory also mmap-ed from\n/dev/hwrng.  The resulting page fault triggers a recursive read\nwhich then dead-locks.\r\n\r\nFix this by using a stack buffer when calling copy_to_user.(CVE-2023-52615)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init\r\n\r\nWhen the mpi_ec_ctx structure is initialized, some fields are not\ncleared, causing a crash when referencing the field when the\nstructure was released. Initially, this issue was ignored because\nmemory for mpi_ec_ctx is allocated with the __GFP_ZERO flag.\nFor example, this error will be triggered when calculating the\nZa value for SM2 separately.(CVE-2023-52616)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Check rcu_read_lock_trace_held() before calling bpf map helpers\r\n\r\nThese three bpf_map_{lookup,update,delete}_elem() helpers are also\navailable for sleepable bpf program, so add the corresponding lock\nassertion for sleepable bpf program, otherwise the following warning\nwill be reported when a sleepable bpf program manipulates bpf map under\ninterpreter mode (aka bpf_jit_enable=0):\r\n\r\n  WARNING: CPU: 3 PID: 4985 at kernel/bpf/helpers.c:40 ......\n  CPU: 3 PID: 4985 Comm: test_progs Not tainted 6.6.0+ #2\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\n  RIP: 0010:bpf_map_lookup_elem+0x54/0x60\n  ......\n  Call Trace:\n   <TASK>\n   ? __warn+0xa5/0x240\n   ? bpf_map_lookup_elem+0x54/0x60\n   ? report_bug+0x1ba/0x1f0\n   ? handle_bug+0x40/0x80\n   ? exc_invalid_op+0x18/0x50\n   ? asm_exc_invalid_op+0x1b/0x20\n   ? __pfx_bpf_map_lookup_elem+0x10/0x10\n   ? rcu_lockdep_current_cpu_online+0x65/0xb0\n   ? rcu_is_watching+0x23/0x50\n   ? bpf_map_lookup_elem+0x54/0x60\n   ? __pfx_bpf_map_lookup_elem+0x10/0x10\n   ___bpf_prog_run+0x513/0x3b70\n   __bpf_prog_run32+0x9d/0xd0\n   ? __bpf_prog_enter_sleepable_recur+0xad/0x120\n   ? __bpf_prog_enter_sleepable_recur+0x3e/0x120\n   bpf_trampoline_6442580665+0x4d/0x1000\n   __x64_sys_getpgid+0x5/0x30\n   ? do_syscall_64+0x36/0xb0\n   entry_SYSCALL_64_after_hwframe+0x6e/0x76\n   </TASK>(CVE-2023-52621)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nSUNRPC: Fix a suspicious RCU usage warning\r\n\r\nI received the following warning while running cthon against an ontap\nserver running pNFS:\r\n\r\n[   57.202521] =============================\n[   57.202522] WARNING: suspicious RCU usage\n[   57.202523] 6.7.0-rc3-g2cc14f52aeb7 #41492 Not tainted\n[   57.202525] -----------------------------\n[   57.202525] net/sunrpc/xprtmultipath.c:349 RCU-list traversed in non-reader section!!\n[   57.202527]\n               other info that might help us debug this:\r\n\r\n[   57.202528]\n               rcu_scheduler_active = 2, debug_locks = 1\n[   57.202529] no locks held by test5/3567.\n[   57.202530]\n               stack backtrace:\n[   57.202532] CPU: 0 PID: 3567 Comm: test5 Not tainted 6.7.0-rc3-g2cc14f52aeb7 #41492 5b09971b4965c0aceba19f3eea324a4a806e227e\n[   57.202534] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 2/2/2022\n[   57.202536] Call Trace:\n[   57.202537]  <TASK>\n[   57.202540]  dump_stack_lvl+0x77/0xb0\n[   57.202551]  lockdep_rcu_suspicious+0x154/0x1a0\n[   57.202556]  rpc_xprt_switch_has_addr+0x17c/0x190 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202596]  rpc_clnt_setup_test_and_add_xprt+0x50/0x180 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202621]  ? rpc_clnt_add_xprt+0x254/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202646]  rpc_clnt_add_xprt+0x27a/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202671]  ? __pfx_rpc_clnt_setup_test_and_add_xprt+0x10/0x10 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202696]  nfs4_pnfs_ds_connect+0x345/0x760 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202728]  ? __pfx_nfs4_test_session_trunk+0x10/0x10 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202754]  nfs4_fl_prepare_ds+0x75/0xc0 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]\n[   57.202760]  filelayout_write_pagelist+0x4a/0x200 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]\n[   57.202765]  pnfs_generic_pg_writepages+0xbe/0x230 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202788]  __nfs_pageio_add_request+0x3fd/0x520 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202813]  nfs_pageio_add_request+0x18b/0x390 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202831]  nfs_do_writepage+0x116/0x1e0 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202849]  nfs_writepages_callback+0x13/0x30 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202866]  write_cache_pages+0x265/0x450\n[   57.202870]  ? __pfx_nfs_writepages_callback+0x10/0x10 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202891]  nfs_writepages+0x141/0x230 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202913]  do_writepages+0xd2/0x230\n[   57.202917]  ? filemap_fdatawrite_wbc+0x5c/0x80\n[   57.202921]  filemap_fdatawrite_wbc+0x67/0x80\n[   57.202924]  filemap_write_and_wait_range+0xd9/0x170\n[   57.202930]  nfs_wb_all+0x49/0x180 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202947]  nfs4_file_flush+0x72/0xb0 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202969]  __se_sys_close+0x46/0xd0\n[   57.202972]  do_syscall_64+0x68/0x100\n[   57.202975]  ? do_syscall_64+0x77/0x100\n[   57.202976]  ? do_syscall_64+0x77/0x100\n[   57.202979]  entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[   57.202982] RIP: 0033:0x7fe2b12e4a94\n[   57.202985] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d d5 18 0e 00 00 74 13 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 44 c3 0f 1f 00 48 83 ec 18 89 7c 24 0c e8 c3\n[   57.202987] RSP: 002b:00007ffe857ddb38 EFLAGS: 00000202 ORIG_RAX: 0000000000000003\n[   57.202989] RAX: ffffffffffffffda RBX: 00007ffe857dfd68 RCX: 00007fe2b12e4a94\n[   57.202991] RDX: 0000000000002000 RSI: 00007ffe857ddc40 RDI: 0000000000000003\n[   57.202992] RBP: 00007ffe857dfc50 R08: 7fffffffffffffff R09: 0000000065650f49\n[   57.202993] R10: 00007f\n---truncated---(CVE-2023-52623)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsh: push-switch: Reorder cleanup operations to avoid use-after-free bug\r\n\r\nThe original code puts flush_work() before timer_shutdown_sync()\nin switch_drv_remove(). Although we use flush_work() to stop\nthe worker, it could be rescheduled in switch_timer(). As a result,\na use-after-free bug can occur. The details are shown below:\r\n\r\n      (cpu 0)                    |      (cpu 1)\nswitch_drv_remove()              |\n flush_work()                    |\n  ...                            |  switch_timer // timer\n                                 |   schedule_work(&psw->work)\n timer_shutdown_sync()           |\n ...                             |  switch_work_handler // worker\n kfree(psw) // free              |\n                                 |   psw->state = 0 // use\r\n\r\nThis patch puts timer_shutdown_sync() before flush_work() to\nmitigate the bugs. As a result, the worker and timer will be\nstopped safely before the deallocate operations.(CVE-2023-52629)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2023-52630)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\num: time-travel: fix time corruption\r\n\r\nIn 'basic' time-travel mode (without =inf-cpu or =ext), we\nstill get timer interrupts. These can happen at arbitrary\npoints in time, i.e. while in timer_read(), which pushes\ntime forward just a little bit. Then, if we happen to get\nthe interrupt after calculating the new time to push to,\nbut before actually finishing that, the interrupt will set\nthe time to a value that's incompatible with the forward,\nand we'll crash because time goes backwards when we do the\nforwarding.\r\n\r\nFix this by reading the time_travel_time, calculating the\nadjustment, and doing the adjustment all with interrupts\ndisabled.(CVE-2023-52633)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nPM / devfreq: Synchronize devfreq_monitor_[start/stop]\r\n\r\nThere is a chance if a frequent switch of the governor\ndone in a loop result in timer list corruption where\ntimer cancel being done from two place one from\ncancel_delayed_work_sync() and followed by expire_timers()\ncan be seen from the traces[1].\r\n\r\nwhile true\ndo\n        echo \"simple_ondemand\" > /sys/class/devfreq/1d84000.ufshc/governor\n        echo \"performance\" > /sys/class/devfreq/1d84000.ufshc/governor\ndone\r\n\r\nIt looks to be issue with devfreq driver where\ndevice_monitor_[start/stop] need to synchronized so that\ndelayed work should get corrupted while it is either\nbeing queued or running or being cancelled.\r\n\r\nLet's use polling flag and devfreq lock to synchronize the\nqueueing the timer instance twice and work data being\ncorrupted.\r\n\r\n[1]\n...\n..\n<idle>-0    [003]   9436.209662:  timer_cancel   timer=0xffffff80444f0428\n<idle>-0    [003]   9436.209664:  timer_expire_entry   timer=0xffffff80444f0428  now=0x10022da1c  function=__typeid__ZTSFvP10timer_listE_global_addr  baseclk=0x10022da1c\n<idle>-0    [003]   9436.209718:  timer_expire_exit   timer=0xffffff80444f0428\nkworker/u16:6-14217    [003]   9436.209863:  timer_start   timer=0xffffff80444f0428  function=__typeid__ZTSFvP10timer_listE_global_addr  expires=0x10022da2b  now=0x10022da1c  flags=182452227\nvendor.xxxyyy.ha-1593    [004]   9436.209888:  timer_cancel   timer=0xffffff80444f0428\nvendor.xxxyyy.ha-1593    [004]   9436.216390:  timer_init   timer=0xffffff80444f0428\nvendor.xxxyyy.ha-1593    [004]   9436.216392:  timer_start   timer=0xffffff80444f0428  function=__typeid__ZTSFvP10timer_listE_global_addr  expires=0x10022da2c  now=0x10022da1d  flags=186646532\nvendor.xxxyyy.ha-1593    [005]   9436.220992:  timer_cancel   timer=0xffffff80444f0428\nxxxyyyTraceManag-7795    [004]   9436.261641:  timer_cancel   timer=0xffffff80444f0428\r\n\r\n[2]\r\n\r\n 9436.261653][    C4] Unable to handle kernel paging request at virtual address dead00000000012a\n[ 9436.261664][    C4] Mem abort info:\n[ 9436.261666][    C4]   ESR = 0x96000044\n[ 9436.261669][    C4]   EC = 0x25: DABT (current EL), IL = 32 bits\n[ 9436.261671][    C4]   SET = 0, FnV = 0\n[ 9436.261673][    C4]   EA = 0, S1PTW = 0\n[ 9436.261675][    C4] Data abort info:\n[ 9436.261677][    C4]   ISV = 0, ISS = 0x00000044\n[ 9436.261680][    C4]   CM = 0, WnR = 1\n[ 9436.261682][    C4] [dead00000000012a] address between user and kernel address ranges\n[ 9436.261685][    C4] Internal error: Oops: 96000044 [#1] PREEMPT SMP\n[ 9436.261701][    C4] Skip md ftrace buffer dump for: 0x3a982d0\n...\r\n\r\n[ 9436.262138][    C4] CPU: 4 PID: 7795 Comm: TraceManag Tainted: G S      W  O      5.10.149-android12-9-o-g17f915d29d0c #1\n[ 9436.262141][    C4] Hardware name: Qualcomm Technologies, Inc.  (DT)\n[ 9436.262144][    C4] pstate: 22400085 (nzCv daIf +PAN -UAO +TCO BTYPE=--)\n[ 9436.262161][    C4] pc : expire_timers+0x9c/0x438\n[ 9436.262164][    C4] lr : expire_timers+0x2a4/0x438\n[ 9436.262168][    C4] sp : ffffffc010023dd0\n[ 9436.262171][    C4] x29: ffffffc010023df0 x28: ffffffd0636fdc18\n[ 9436.262178][    C4] x27: ffffffd063569dd0 x26: ffffffd063536008\n[ 9436.262182][    C4] x25: 0000000000000001 x24: ffffff88f7c69280\n[ 9436.262185][    C4] x23: 00000000000000e0 x22: dead000000000122\n[ 9436.262188][    C4] x21: 000000010022da29 x20: ffffff8af72b4e80\n[ 9436.262191][    C4] x19: ffffffc010023e50 x18: ffffffc010025038\n[ 9436.262195][    C4] x17: 0000000000000240 x16: 0000000000000201\n[ 9436.262199][    C4] x15: ffffffffffffffff x14: ffffff889f3c3100\n[ 9436.262203][    C4] x13: ffffff889f3c3100 x12: 00000000049f56b8\n[ 9436.262207][    C4] x11: 00000000049f56b8 x10: 00000000ffffffff\n[ 9436.262212][    C4] x9 : ffffffc010023e50 x8 : dead000000000122\n[ 9436.262216][    C4] x7 : ffffffffffffffff x6 : ffffffc0100239d8\n[ 9436.262220][    C4] x5 : 0000000000000000 x4 : 0000000000000101\n[ 9436.262223][    C4] x3 : 0000000000000080 x2 : ffffff8\n---truncated---(CVE-2023-52635)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncan: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)\r\n\r\nLock jsk->sk to prevent UAF when setsockopt(..., SO_J1939_FILTER, ...)\nmodifies jsk->filters while receiving packets.\r\n\r\nFollowing trace was seen on affected system:\n ==================================================================\n BUG: KASAN: slab-use-after-free in j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n Read of size 4 at addr ffff888012144014 by task j1939/350\r\n\r\n CPU: 0 PID: 350 Comm: j1939 Tainted: G        W  OE      6.5.0-rc5 #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n Call Trace:\n  print_report+0xd3/0x620\n  ? kasan_complete_mode_report_info+0x7d/0x200\n  ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n  kasan_report+0xc2/0x100\n  ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n  __asan_load4+0x84/0xb0\n  j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n  j1939_sk_recv+0x20b/0x320 [can_j1939]\n  ? __kasan_check_write+0x18/0x20\n  ? __pfx_j1939_sk_recv+0x10/0x10 [can_j1939]\n  ? j1939_simple_recv+0x69/0x280 [can_j1939]\n  ? j1939_ac_recv+0x5e/0x310 [can_j1939]\n  j1939_can_recv+0x43f/0x580 [can_j1939]\n  ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]\n  ? raw_rcv+0x42/0x3c0 [can_raw]\n  ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]\n  can_rcv_filter+0x11f/0x350 [can]\n  can_receive+0x12f/0x190 [can]\n  ? __pfx_can_rcv+0x10/0x10 [can]\n  can_rcv+0xdd/0x130 [can]\n  ? __pfx_can_rcv+0x10/0x10 [can]\n  __netif_receive_skb_one_core+0x13d/0x150\n  ? __pfx___netif_receive_skb_one_core+0x10/0x10\n  ? __kasan_check_write+0x18/0x20\n  ? _raw_spin_lock_irq+0x8c/0xe0\n  __netif_receive_skb+0x23/0xb0\n  process_backlog+0x107/0x260\n  __napi_poll+0x69/0x310\n  net_rx_action+0x2a1/0x580\n  ? __pfx_net_rx_action+0x10/0x10\n  ? __pfx__raw_spin_lock+0x10/0x10\n  ? handle_irq_event+0x7d/0xa0\n  __do_softirq+0xf3/0x3f8\n  do_softirq+0x53/0x80\n  </IRQ>\n  <TASK>\n  __local_bh_enable_ip+0x6e/0x70\n  netif_rx+0x16b/0x180\n  can_send+0x32b/0x520 [can]\n  ? __pfx_can_send+0x10/0x10 [can]\n  ? __check_object_size+0x299/0x410\n  raw_sendmsg+0x572/0x6d0 [can_raw]\n  ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]\n  ? apparmor_socket_sendmsg+0x2f/0x40\n  ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]\n  sock_sendmsg+0xef/0x100\n  sock_write_iter+0x162/0x220\n  ? __pfx_sock_write_iter+0x10/0x10\n  ? __rtnl_unlock+0x47/0x80\n  ? security_file_permission+0x54/0x320\n  vfs_write+0x6ba/0x750\n  ? __pfx_vfs_write+0x10/0x10\n  ? __fget_light+0x1ca/0x1f0\n  ? __rcu_read_unlock+0x5b/0x280\n  ksys_write+0x143/0x170\n  ? __pfx_ksys_write+0x10/0x10\n  ? __kasan_check_read+0x15/0x20\n  ? fpregs_assert_state_consistent+0x62/0x70\n  __x64_sys_write+0x47/0x60\n  do_syscall_64+0x60/0x90\n  ? do_syscall_64+0x6d/0x90\n  ? irqentry_exit+0x3f/0x50\n  ? exc_page_fault+0x79/0xf0\n  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\r\n\r\n Allocated by task 348:\n  kasan_save_stack+0x2a/0x50\n  kasan_set_track+0x29/0x40\n  kasan_save_alloc_info+0x1f/0x30\n  __kasan_kmalloc+0xb5/0xc0\n  __kmalloc_node_track_caller+0x67/0x160\n  j1939_sk_setsockopt+0x284/0x450 [can_j1939]\n  __sys_setsockopt+0x15c/0x2f0\n  __x64_sys_setsockopt+0x6b/0x80\n  do_syscall_64+0x60/0x90\n  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\r\n\r\n Freed by task 349:\n  kasan_save_stack+0x2a/0x50\n  kasan_set_track+0x29/0x40\n  kasan_save_free_info+0x2f/0x50\n  __kasan_slab_free+0x12e/0x1c0\n  __kmem_cache_free+0x1b9/0x380\n  kfree+0x7a/0x120\n  j1939_sk_setsockopt+0x3b2/0x450 [can_j1939]\n  __sys_setsockopt+0x15c/0x2f0\n  __x64_sys_setsockopt+0x6b/0x80\n  do_syscall_64+0x60/0x90\n  entry_SYSCALL_64_after_hwframe+0x6e/0xd8(CVE-2023-52637)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: s390: vsie: fix race during shadow creation\r\n\r\nRight now it is possible to see gmap->private being zero in\nkvm_s390_vsie_gmap_notifier resulting in a crash.  This is due to the\nfact that we add gmap->private == kvm after creation:\r\n\r\nstatic int acquire_gmap_shadow(struct kvm_vcpu *vcpu,\n                               struct vsie_page *vsie_page)\n{\n[...]\n        gmap = gmap_shadow(vcpu->arch.gmap, asce, edat);\n        if (IS_ERR(gmap))\n                return PTR_ERR(gmap);\n        gmap->private = vcpu->kvm;\r\n\r\nLet children inherit the private field of the parent.(CVE-2023-52639)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled\r\n\r\nWhen QoS is disabled, the queue priority value will not map to the correct\nieee80211 queue since there is only one queue. Stop/wake queue 0 when QoS\nis disabled to prevent trying to stop/wake a non-existent queue and failing\nto stop/wake the actual queue instantiated.\r\n\r\nLog of issue before change (with kernel parameter qos=0):\n    [  +5.112651] ------------[ cut here ]------------\n    [  +0.000005] WARNING: CPU: 7 PID: 25513 at net/mac80211/util.c:449 __ieee80211_wake_queue+0xd5/0x180 [mac80211]\n    [  +0.000067] Modules linked in: b43(O) snd_seq_dummy snd_hrtimer snd_seq snd_seq_device nft_chain_nat xt_MASQUERADE nf_nat xfrm_user xfrm_algo xt_addrtype overlay ccm af_packet amdgpu snd_hda_codec_cirrus snd_hda_codec_generic ledtrig_audio drm_exec amdxcp gpu_sched xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_rpfilter ipt_rpfilter xt_pkttype xt_LOG nf_log_syslog xt_tcpudp nft_compat nf_tables nfnetlink sch_fq_codel btusb uinput iTCO_wdt ctr btrtl intel_pmc_bxt i915 intel_rapl_msr mei_hdcp mei_pxp joydev at24 watchdog btintel atkbd libps2 serio radeon btbcm vivaldi_fmap btmtk intel_rapl_common snd_hda_codec_hdmi bluetooth uvcvideo nls_iso8859_1 applesmc nls_cp437 x86_pkg_temp_thermal snd_hda_intel intel_powerclamp vfat videobuf2_vmalloc coretemp fat snd_intel_dspcfg crc32_pclmul uvc polyval_clmulni snd_intel_sdw_acpi loop videobuf2_memops snd_hda_codec tun drm_suballoc_helper polyval_generic drm_ttm_helper drm_buddy tap ecdh_generic videobuf2_v4l2 gf128mul macvlan ttm ghash_clmulni_intel ecc tg3\n    [  +0.000044]  videodev bridge snd_hda_core rapl crc16 drm_display_helper cec mousedev snd_hwdep evdev intel_cstate bcm5974 hid_appleir videobuf2_common stp mac_hid libphy snd_pcm drm_kms_helper acpi_als mei_me intel_uncore llc mc snd_timer intel_gtt industrialio_triggered_buffer apple_mfi_fastcharge i2c_i801 mei snd lpc_ich agpgart ptp i2c_smbus thunderbolt apple_gmux i2c_algo_bit kfifo_buf video industrialio soundcore pps_core wmi tiny_power_button sbs sbshc button ac cordic bcma mac80211 cfg80211 ssb rfkill libarc4 kvm_intel kvm drm irqbypass fuse backlight firmware_class efi_pstore configfs efivarfs dmi_sysfs ip_tables x_tables autofs4 dm_crypt cbc encrypted_keys trusted asn1_encoder tee tpm rng_core input_leds hid_apple led_class hid_generic usbhid hid sd_mod t10_pi crc64_rocksoft crc64 crc_t10dif crct10dif_generic ahci libahci libata uhci_hcd ehci_pci ehci_hcd crct10dif_pclmul crct10dif_common sha512_ssse3 sha512_generic sha256_ssse3 sha1_ssse3 aesni_intel usbcore scsi_mod libaes crypto_simd cryptd scsi_common\n    [  +0.000055]  usb_common rtc_cmos btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq dm_snapshot dm_bufio dm_mod dax [last unloaded: b43(O)]\n    [  +0.000009] CPU: 7 PID: 25513 Comm: irq/17-b43 Tainted: G        W  O       6.6.7 #1-NixOS\n    [  +0.000003] Hardware name: Apple Inc. MacBookPro8,3/Mac-942459F5819B171B, BIOS 87.0.0.0.0 06/13/2019\n    [  +0.000001] RIP: 0010:__ieee80211_wake_queue+0xd5/0x180 [mac80211]\n    [  +0.000046] Code: 00 45 85 e4 0f 85 9b 00 00 00 48 8d bd 40 09 00 00 f0 48 0f ba ad 48 09 00 00 00 72 0f 5b 5d 41 5c 41 5d 41 5e e9 cb 6d 3c d0 <0f> 0b 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc 48 8d b4 16 94 00 00\n    [  +0.000002] RSP: 0018:ffffc90003c77d60 EFLAGS: 00010097\n    [  +0.000001] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 0000000000000000\n    [  +0.000001] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff88820b924900\n    [  +0.000002] RBP: ffff88820b924900 R08: ffffc90003c77d90 R09: 000000000003bfd0\n    [  +0.000001] R10: ffff88820b924900 R11: ffffc90003c77c68 R12: 0000000000000000\n    [  +0.000001] R13: 0000000000000000 R14: ffffc90003c77d90 R15: ffffffffc0fa6f40\n    [  +0.000001] FS:  0000000000000000(0000) GS:ffff88846fb80000(0000) knlGS:0000000000000000\n    [  +0.000001] CS:  0010 DS: 0\n---truncated---(CVE-2023-52644)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/imc-pmu: Add a null pointer check in update_events_in_group()\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.(CVE-2023-52675)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Guard stack limits against 32bit overflow\r\n\r\nThis patch promotes the arithmetic around checking stack bounds to be\ndone in the 64-bit domain, instead of the current 32bit. The arithmetic\nimplies adding together a 64-bit register with a int offset. The\nregister was checked to be below 1<<29 when it was variable, but not\nwhen it was fixed. The offset either comes from an instruction (in which\ncase it is 16 bit), from another register (in which case the caller\nchecked it to be below 1<<29 [1]), or from the size of an argument to a\nkfunc (in which case it can be a u32 [2]). Between the register being\ninconsistently checked to be below 1<<29, and the offset being up to an\nu32, it appears that we were open to overflowing the `int`s which were\ncurrently used for arithmetic.\r\n\r\n[1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L7494-L7498\n[2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L11904(CVE-2023-52676)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npstore: ram_core: fix possible overflow in persistent_ram_init_ecc()\r\n\r\nIn persistent_ram_init_ecc(), on 64-bit arches DIV_ROUND_UP() will return\n64-bit value since persistent_ram_zone::buffer_size has type size_t which\nis derived from the 64-bit *unsigned long*, while the ecc_blocks variable\nthis value gets assigned to has (always 32-bit) *int* type.  Even if that\nvalue fits into *int* type, an overflow is still possible when calculating\nthe size_t typed ecc_total variable further below since there's no cast to\nany 64-bit type before multiplication.  Declaring the ecc_blocks variable\nas *size_t* should fix this mess...\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with the SVACE static\nanalysis tool.(CVE-2023-52685)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/powernv: Add a null pointer check to scom_debug_init_one()\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.\nAdd a null pointer check, and release 'ent' to avoid memory leaks.(CVE-2023-52690)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/bridge: tpd12s015: Drop buggy __exit annotation for remove function\r\n\r\nWith tpd12s015_remove() marked with __exit this function is discarded\nwhen the driver is compiled as a built-in. The result is that when the\ndriver unbinds there is no cleanup done which results in resource\nleakage or worse.(CVE-2023-52694)\r\n\r\nA race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\r\n\r\n\r\n\r\n\n(CVE-2024-24860)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: iwlwifi: fix a memory corruption\r\n\r\niwl_fw_ini_trigger_tlv::data is a pointer to a __le32, which means that\nif we copy to iwl_fw_ini_trigger_tlv::data + offset while offset is in\nbytes, we'll write past the buffer.(CVE-2024-26610)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()\r\n\r\nsyzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken.\r\n\r\nReading frag_off can only be done if we pulled enough bytes\nto skb->head. Currently we might access garbage.\r\n\r\n[1]\nBUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0\nip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0\nipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]\nip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432\n__netdev_start_xmit include/linux/netdevice.h:4940 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4954 [inline]\nxmit_one net/core/dev.c:3548 [inline]\ndev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\nneigh_connected_output+0x569/0x660 net/core/neighbour.c:1592\nneigh_output include/net/neighbour.h:542 [inline]\nip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137\nip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222\nNF_HOOK_COND include/linux/netfilter.h:303 [inline]\nip6_output+0x323/0x610 net/ipv6/ip6_output.c:243\ndst_output include/net/dst.h:451 [inline]\nip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155\nip6_send_skb net/ipv6/ip6_output.c:1952 [inline]\nip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972\nrawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582\nrawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920\ninet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg net/socket.c:745 [inline]\n____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n__sys_sendmsg net/socket.c:2667 [inline]\n__do_sys_sendmsg net/socket.c:2676 [inline]\n__se_sys_sendmsg net/socket.c:2674 [inline]\n__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was created at:\nslab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\nslab_alloc_node mm/slub.c:3478 [inline]\n__kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517\n__do_kmalloc_node mm/slab_common.c:1006 [inline]\n__kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027\nkmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582\npskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098\n__pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655\npskb_may_pull_reason include/linux/skbuff.h:2673 [inline]\npskb_may_pull include/linux/skbuff.h:2681 [inline]\nip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408\nipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]\nip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432\n__netdev_start_xmit include/linux/netdevice.h:4940 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4954 [inline]\nxmit_one net/core/dev.c:3548 [inline]\ndev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\nneigh_connected_output+0x569/0x660 net/core/neighbour.c:1592\nneigh_output include/net/neighbour.h:542 [inline]\nip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137\nip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222\nNF_HOOK_COND include/linux/netfilter.h:303 [inline]\nip6_output+0x323/0x610 net/ipv6/ip6_output.c:243\ndst_output include/net/dst.h:451 [inline]\nip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155\nip6_send_skb net/ipv6/ip6_output.c:1952 [inline]\nip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972\nrawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582\nrawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920\ninet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg net/socket.c:745 [inline]\n____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n__sys_sendmsg net/socket.c:2667 [inline]\n__do_sys_sendms\n---truncated---(CVE-2024-26633)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nllc: Drop support for ETH_P_TR_802_2.\r\n\r\nsyzbot reported an uninit-value bug below. [0]\r\n\r\nllc supports ETH_P_802_2 (0x0004) and used to support ETH_P_TR_802_2\n(0x0011), and syzbot abused the latter to trigger the bug.\r\n\r\n  write$tun(r0, &(0x7f0000000040)={@val={0x0, 0x11}, @val, @mpls={[], @llc={@snap={0xaa, 0x1, ')', \"90e5dd\"}}}}, 0x16)\r\n\r\nllc_conn_handler() initialises local variables {saddr,daddr}.mac\nbased on skb in llc_pdu_decode_sa()/llc_pdu_decode_da() and passes\nthem to __llc_lookup().\r\n\r\nHowever, the initialisation is done only when skb->protocol is\nhtons(ETH_P_802_2), otherwise, __llc_lookup_established() and\n__llc_lookup_listener() will read garbage.\r\n\r\nThe missing initialisation existed prior to commit 211ed865108e\n(\"net: delete all instances of special processing for token ring\").\r\n\r\nIt removed the part to kick out the token ring stuff but forgot to\nclose the door allowing ETH_P_TR_802_2 packets to sneak into llc_rcv().\r\n\r\nLet's remove llc_tr_packet_type and complete the deprecation.\r\n\r\n[0]:\nBUG: KMSAN: uninit-value in __llc_lookup_established+0xe9d/0xf90\n __llc_lookup_established+0xe9d/0xf90\n __llc_lookup net/llc/llc_conn.c:611 [inline]\n llc_conn_handler+0x4bd/0x1360 net/llc/llc_conn.c:791\n llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206\n __netif_receive_skb_one_core net/core/dev.c:5527 [inline]\n __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5641\n netif_receive_skb_internal net/core/dev.c:5727 [inline]\n netif_receive_skb+0x58/0x660 net/core/dev.c:5786\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\n tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2020 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x8ef/0x1490 fs/read_write.c:584\n ksys_write+0x20f/0x4c0 fs/read_write.c:637\n __do_sys_write fs/read_write.c:649 [inline]\n __se_sys_write fs/read_write.c:646 [inline]\n __x64_sys_write+0x93/0xd0 fs/read_write.c:646\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nLocal variable daddr created at:\n llc_conn_handler+0x53/0x1360 net/llc/llc_conn.c:783\n llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206\r\n\r\nCPU: 1 PID: 5004 Comm: syz-executor994 Not tainted 6.6.0-syzkaller-14500-g1c41041124bd #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023(CVE-2024-26635)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nllc: make llc_ui_sendmsg() more robust against bonding changes\r\n\r\nsyzbot was able to trick llc_ui_sendmsg(), allocating an skb with no\nheadroom, but subsequently trying to push 14 bytes of Ethernet header [1]\r\n\r\nLike some others, llc_ui_sendmsg() releases the socket lock before\ncalling sock_alloc_send_skb().\nThen it acquires it again, but does not redo all the sanity checks\nthat were performed.\r\n\r\nThis fix:\r\n\r\n- Uses LL_RESERVED_SPACE() to reserve space.\n- Check all conditions again after socket lock is held again.\n- Do not account Ethernet header for mtu limitation.\r\n\r\n[1]\r\n\r\nskbuff: skb_under_panic: text:ffff800088baa334 len:1514 put:14 head:ffff0000c9c37000 data:ffff0000c9c36ff2 tail:0x5dc end:0x6c0 dev:bond0\r\n\r\n kernel BUG at net/core/skbuff.c:193 !\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\nModules linked in:\nCPU: 0 PID: 6875 Comm: syz-executor.0 Not tainted 6.7.0-rc8-syzkaller-00101-g0802e17d9aca-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : skb_panic net/core/skbuff.c:189 [inline]\n pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203\n lr : skb_panic net/core/skbuff.c:189 [inline]\n lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203\nsp : ffff800096f97000\nx29: ffff800096f97010 x28: ffff80008cc8d668 x27: dfff800000000000\nx26: ffff0000cb970c90 x25: 00000000000005dc x24: ffff0000c9c36ff2\nx23: ffff0000c9c37000 x22: 00000000000005ea x21: 00000000000006c0\nx20: 000000000000000e x19: ffff800088baa334 x18: 1fffe000368261ce\nx17: ffff80008e4ed000 x16: ffff80008a8310f8 x15: 0000000000000001\nx14: 1ffff00012df2d58 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000001 x10: 0000000000ff0100 x9 : e28a51f1087e8400\nx8 : e28a51f1087e8400 x7 : ffff80008028f8d0 x6 : 0000000000000000\nx5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff800082b78714\nx2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000089\nCall trace:\n  skb_panic net/core/skbuff.c:189 [inline]\n  skb_under_panic+0x13c/0x140 net/core/skbuff.c:203\n  skb_push+0xf0/0x108 net/core/skbuff.c:2451\n  eth_header+0x44/0x1f8 net/ethernet/eth.c:83\n  dev_hard_header include/linux/netdevice.h:3188 [inline]\n  llc_mac_hdr_init+0x110/0x17c net/llc/llc_output.c:33\n  llc_sap_action_send_xid_c+0x170/0x344 net/llc/llc_s_ac.c:85\n  llc_exec_sap_trans_actions net/llc/llc_sap.c:153 [inline]\n  llc_sap_next_state net/llc/llc_sap.c:182 [inline]\n  llc_sap_state_process+0x1ec/0x774 net/llc/llc_sap.c:209\n  llc_build_and_send_xid_pkt+0x12c/0x1c0 net/llc/llc_sap.c:270\n  llc_ui_sendmsg+0x7bc/0xb1c net/llc/af_llc.c:997\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg net/socket.c:745 [inline]\n  sock_sendmsg+0x194/0x274 net/socket.c:767\n  splice_to_socket+0x7cc/0xd58 fs/splice.c:881\n  do_splice_from fs/splice.c:933 [inline]\n  direct_splice_actor+0xe4/0x1c0 fs/splice.c:1142\n  splice_direct_to_actor+0x2a0/0x7e4 fs/splice.c:1088\n  do_splice_direct+0x20c/0x348 fs/splice.c:1194\n  do_sendfile+0x4bc/0xc70 fs/read_write.c:1254\n  __do_sys_sendfile64 fs/read_write.c:1322 [inline]\n  __se_sys_sendfile64 fs/read_write.c:1308 [inline]\n  __arm64_sys_sendfile64+0x160/0x3b4 fs/read_write.c:1308\n  __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]\n  invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51\n  el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136\n  do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155\n  el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678\n  el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696\n  el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595\nCode: aa1803e6 aa1903e7 a90023f5 94792f6a (d4210000)(CVE-2024-26636)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: add sanity checks to rx zerocopy\r\n\r\nTCP rx zerocopy intent is to map pages initially allocated\nfrom NIC drivers, not pages owned by a fs.\r\n\r\nThis patch adds to can_map_frag() these additional checks:\r\n\r\n- Page must not be a compound one.\n- page->mapping must be NULL.\r\n\r\nThis fixes the panic reported by ZhangPeng.\r\n\r\nsyzbot was able to loopback packets built with sendfile(),\nmapping pages owned by an ext4 file to TCP rx zerocopy.\r\n\r\nr3 = socket$inet_tcp(0x2, 0x1, 0x0)\nmmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0)\nr4 = socket$inet_tcp(0x2, 0x1, 0x0)\nbind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10)\nconnect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10)\nr5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00',\n    0x181e42, 0x0)\nfallocate(r5, 0x0, 0x0, 0x85b8)\nsendfile(r4, r5, 0x0, 0x8ba0)\ngetsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23,\n    &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0,\n    0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40)\nr6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00',\n    0x181e42, 0x0)(CVE-2024-26640)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()\r\n\r\nsyzbot found __ip6_tnl_rcv() could access unitiliazed data [1].\r\n\r\nCall pskb_inet_may_pull() to fix this, and initialize ipv6h\nvariable after this call as it can change skb->head.\r\n\r\n[1]\n BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321\n  __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n  INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n  IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321\n  ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727\n  __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845\n  ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888\n gre_rcv+0x143f/0x1870\n  ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438\n  ip6_input_finish net/ipv6/ip6_input.c:483 [inline]\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\n  ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\n  dst_input include/net/dst.h:461 [inline]\n  ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310\n  __netif_receive_skb_one_core net/core/dev.c:5532 [inline]\n  __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646\n  netif_receive_skb_internal net/core/dev.c:5732 [inline]\n  netif_receive_skb+0x58/0x660 net/core/dev.c:5791\n  tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\n  tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n  call_write_iter include/linux/fs.h:2084 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0x786/0x1200 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was created at:\n  slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n  slab_alloc_node mm/slub.c:3478 [inline]\n  kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n  __alloc_skb+0x318/0x740 net/core/skbuff.c:651\n  alloc_skb include/linux/skbuff.h:1286 [inline]\n  alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334\n  sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787\n  tun_alloc_skb drivers/net/tun.c:1531 [inline]\n  tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n  call_write_iter include/linux/fs.h:2084 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0x786/0x1200 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nCPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023(CVE-2024-26641)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: disallow anonymous set with timeout flag\r\n\r\nAnonymous sets are never used with timeout from userspace, reject this.\nException to this rule is NFT_SET_EVAL to ensure legacy meters still work.(CVE-2024-26642)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntracing: Ensure visibility when inserting an element into tracing_map\r\n\r\nRunning the following two commands in parallel on a multi-processor\nAArch64 machine can sporadically produce an unexpected warning about\nduplicate histogram entries:\r\n\r\n $ while true; do\n     echo hist:key=id.syscall:val=hitcount > \\\n       /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/trigger\n     cat /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/hist\n     sleep 0.001\n   done\n $ stress-ng --sysbadaddr $(nproc)\r\n\r\nThe warning looks as follows:\r\n\r\n[ 2911.172474] ------------[ cut here ]------------\n[ 2911.173111] Duplicates detected: 1\n[ 2911.173574] WARNING: CPU: 2 PID: 12247 at kernel/trace/tracing_map.c:983 tracing_map_sort_entries+0x3e0/0x408\n[ 2911.174702] Modules linked in: iscsi_ibft(E) iscsi_boot_sysfs(E) rfkill(E) af_packet(E) nls_iso8859_1(E) nls_cp437(E) vfat(E) fat(E) ena(E) tiny_power_button(E) qemu_fw_cfg(E) button(E) fuse(E) efi_pstore(E) ip_tables(E) x_tables(E) xfs(E) libcrc32c(E) aes_ce_blk(E) aes_ce_cipher(E) crct10dif_ce(E) polyval_ce(E) polyval_generic(E) ghash_ce(E) gf128mul(E) sm4_ce_gcm(E) sm4_ce_ccm(E) sm4_ce(E) sm4_ce_cipher(E) sm4(E) sm3_ce(E) sm3(E) sha3_ce(E) sha512_ce(E) sha512_arm64(E) sha2_ce(E) sha256_arm64(E) nvme(E) sha1_ce(E) nvme_core(E) nvme_auth(E) t10_pi(E) sg(E) scsi_mod(E) scsi_common(E) efivarfs(E)\n[ 2911.174738] Unloaded tainted modules: cppc_cpufreq(E):1\n[ 2911.180985] CPU: 2 PID: 12247 Comm: cat Kdump: loaded Tainted: G            E      6.7.0-default #2 1b58bbb22c97e4399dc09f92d309344f69c44a01\n[ 2911.182398] Hardware name: Amazon EC2 c7g.8xlarge/, BIOS 1.0 11/1/2018\n[ 2911.183208] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 2911.184038] pc : tracing_map_sort_entries+0x3e0/0x408\n[ 2911.184667] lr : tracing_map_sort_entries+0x3e0/0x408\n[ 2911.185310] sp : ffff8000a1513900\n[ 2911.185750] x29: ffff8000a1513900 x28: ffff0003f272fe80 x27: 0000000000000001\n[ 2911.186600] x26: ffff0003f272fe80 x25: 0000000000000030 x24: 0000000000000008\n[ 2911.187458] x23: ffff0003c5788000 x22: ffff0003c16710c8 x21: ffff80008017f180\n[ 2911.188310] x20: ffff80008017f000 x19: ffff80008017f180 x18: ffffffffffffffff\n[ 2911.189160] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000a15134b8\n[ 2911.190015] x14: 0000000000000000 x13: 205d373432323154 x12: 5b5d313131333731\n[ 2911.190844] x11: 00000000fffeffff x10: 00000000fffeffff x9 : ffffd1b78274a13c\n[ 2911.191716] x8 : 000000000017ffe8 x7 : c0000000fffeffff x6 : 000000000057ffa8\n[ 2911.192554] x5 : ffff0012f6c24ec0 x4 : 0000000000000000 x3 : ffff2e5b72b5d000\n[ 2911.193404] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0003ff254480\n[ 2911.194259] Call trace:\n[ 2911.194626]  tracing_map_sort_entries+0x3e0/0x408\n[ 2911.195220]  hist_show+0x124/0x800\n[ 2911.195692]  seq_read_iter+0x1d4/0x4e8\n[ 2911.196193]  seq_read+0xe8/0x138\n[ 2911.196638]  vfs_read+0xc8/0x300\n[ 2911.197078]  ksys_read+0x70/0x108\n[ 2911.197534]  __arm64_sys_read+0x24/0x38\n[ 2911.198046]  invoke_syscall+0x78/0x108\n[ 2911.198553]  el0_svc_common.constprop.0+0xd0/0xf8\n[ 2911.199157]  do_el0_svc+0x28/0x40\n[ 2911.199613]  el0_svc+0x40/0x178\n[ 2911.200048]  el0t_64_sync_handler+0x13c/0x158\n[ 2911.200621]  el0t_64_sync+0x1a8/0x1b0\n[ 2911.201115] ---[ end trace 0000000000000000 ]---\r\n\r\nThe problem appears to be caused by CPU reordering of writes issued from\n__tracing_map_insert().\r\n\r\nThe check for the presence of an element with a given key in this\nfunction is:\r\n\r\n val = READ_ONCE(entry->val);\n if (val && keys_match(key, val->key, map->key_size)) ...\r\n\r\nThe write of a new entry is:\r\n\r\n elt = get_free_elt(map);\n memcpy(elt->key, key, map->key_size);\n entry->val = elt;\r\n\r\nThe \"memcpy(elt->key, key, map->key_size);\" and \"entry->val = elt;\"\nstores may become visible in the reversed order on another CPU. This\nsecond CPU might then incorrectly determine that a new key doesn't match\nan already present val->key and subse\n---truncated---(CVE-2024-26645)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'\r\n\r\nIn \"u32 otg_inst = pipe_ctx->stream_res.tg->inst;\"\npipe_ctx->stream_res.tg could be NULL, it is relying on the caller to\nensure the tg is not NULL.(CVE-2024-26661)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntunnels: fix out of bounds access when building IPv6 PMTU error\r\n\r\nIf the ICMPv6 error is built from a non-linear skb we get the following\nsplat,\r\n\r\n  BUG: KASAN: slab-out-of-bounds in do_csum+0x220/0x240\n  Read of size 4 at addr ffff88811d402c80 by task netperf/820\n  CPU: 0 PID: 820 Comm: netperf Not tainted 6.8.0-rc1+ #543\n  ...\n   kasan_report+0xd8/0x110\n   do_csum+0x220/0x240\n   csum_partial+0xc/0x20\n   skb_tunnel_check_pmtu+0xeb9/0x3280\n   vxlan_xmit_one+0x14c2/0x4080\n   vxlan_xmit+0xf61/0x5c00\n   dev_hard_start_xmit+0xfb/0x510\n   __dev_queue_xmit+0x7cd/0x32a0\n   br_dev_queue_push_xmit+0x39d/0x6a0\r\n\r\nUse skb_checksum instead of csum_partial who cannot deal with non-linear\nSKBs.(CVE-2024-26665)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nppp_async: limit MRU to 64K\r\n\r\nsyzbot triggered a warning [1] in __alloc_pages():\r\n\r\nWARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)\r\n\r\nWillem fixed a similar issue in commit c0a2a1b0d631 (\"ppp: limit MRU to 64K\")\r\n\r\nAdopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU)\r\n\r\n[1]:\r\n\r\n WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\nModules linked in:\nCPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\nWorkqueue: events_unbound flush_to_ldisc\npstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\n lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537\nsp : ffff800093967580\nx29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000\nx26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0\nx23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8\nx20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120\nx17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005\nx14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000\nx11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001\nx8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f\nx5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020\nx2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0\nCall trace:\n  __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\n  __alloc_pages_node include/linux/gfp.h:238 [inline]\n  alloc_pages_node include/linux/gfp.h:261 [inline]\n  __kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926\n  __do_kmalloc_node mm/slub.c:3969 [inline]\n  __kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001\n  kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590\n  __alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651\n  __netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715\n  netdev_alloc_skb include/linux/skbuff.h:3235 [inline]\n  dev_alloc_skb include/linux/skbuff.h:3248 [inline]\n  ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline]\n  ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341\n  tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390\n  tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37\n  receive_buf drivers/tty/tty_buffer.c:444 [inline]\n  flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494\n  process_one_work+0x694/0x1204 kernel/workqueue.c:2633\n  process_scheduled_works kernel/workqueue.c:2706 [inline]\n  worker_thread+0x938/0xef4 kernel/workqueue.c:2787\n  kthread+0x288/0x310 kernel/kthread.c:388\n  ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860(CVE-2024-26675)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ninet: read sk->sk_family once in inet_recv_error()\r\n\r\ninet_recv_error() is called without holding the socket lock.\r\n\r\nIPv6 socket could mutate to IPv4 with IPV6_ADDRFORM\nsocket option and trigger a KCSAN warning.(CVE-2024-26679)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: stmmac: xgmac: fix handling of DPP safety error for DMA channels\r\n\r\nCommit 56e58d6c8a56 (\"net: stmmac: Implement Safety Features in\nXGMAC core\") checks and reports safety errors, but leaves the\nData Path Parity Errors for each channel in DMA unhandled at all, lead to\na storm of interrupt.\nFix it by checking and clearing the DMA_DPP_Interrupt_Status register.(CVE-2024-26684)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix potential bug in end_buffer_async_write\r\n\r\nAccording to a syzbot report, end_buffer_async_write(), which handles the\ncompletion of block device writes, may detect abnormal condition of the\nbuffer async_write flag and cause a BUG_ON failure when using nilfs2.\r\n\r\nNilfs2 itself does not use end_buffer_async_write().  But, the async_write\nflag is now used as a marker by commit 7f42ec394156 (\"nilfs2: fix issue\nwith race condition of competition between segments for dirty blocks\") as\na means of resolving double list insertion of dirty blocks in\nnilfs_lookup_dirty_data_buffers() and nilfs_lookup_node_buffers() and the\nresulting crash.\r\n\r\nThis modification is safe as long as it is used for file data and b-tree\nnode blocks where the page caches are independent.  However, it was\nirrelevant and redundant to also introduce async_write for segment summary\nand super root blocks that share buffers with the backing device.  This\nled to the possibility that the BUG_ON check in end_buffer_async_write\nwould fail as described above, if independent writebacks of the backing\ndevice occurred in parallel.\r\n\r\nThe use of async_write for segment summary buffers has already been\nremoved in a previous change.\r\n\r\nFix this issue by removing the manipulation of the async_write flag for\nthe remaining super root block buffer.(CVE-2024-26685)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats\r\n\r\nlock_task_sighand() can trigger a hard lockup.  If NR_CPUS threads call\ndo_task_stat() at the same time and the process has NR_THREADS, it will\nspin with irqs disabled O(NR_CPUS * NR_THREADS) time.\r\n\r\nChange do_task_stat() to use sig->stats_lock to gather the statistics\noutside of ->siglock protected section, in the likely case this code will\nrun lockless.(CVE-2024-26686)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix data corruption in dsync block recovery for small block sizes\r\n\r\nThe helper function nilfs_recovery_copy_block() of\nnilfs_recovery_dsync_blocks(), which recovers data from logs created by\ndata sync writes during a mount after an unclean shutdown, incorrectly\ncalculates the on-page offset when copying repair data to the file's page\ncache.  In environments where the block size is smaller than the page\nsize, this flaw can cause data corruption and leak uninitialized memory\nbytes during the recovery process.\r\n\r\nFix these issues by correcting this byte offset calculation on the page.(CVE-2024-26697)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\niio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC\r\n\r\nRecently, we encounter kernel crash in function rm3100_common_probe\ncaused by out of bound access of array rm3100_samp_rates (because of\nunderlying hardware failures). Add boundary check to prevent out of\nbound access.(CVE-2024-26702)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nparisc: Fix random data corruption from exception handler\r\n\r\nThe current exception handler implementation, which assists when accessing\nuser space memory, may exhibit random data corruption if the compiler decides\nto use a different register than the specified register %r29 (defined in\nASM_EXCEPTIONTABLE_REG) for the error code. If the compiler choose another\nregister, the fault handler will nevertheless store -EFAULT into %r29 and thus\ntrash whatever this register is used for.\nLooking at the assembly I found that this happens sometimes in emulate_ldd().\r\n\r\nTo solve the issue, the easiest solution would be if it somehow is\npossible to tell the fault handler which register is used to hold the error\ncode. Using %0 or %1 in the inline assembly is not posssible as it will show\nup as e.g. %r29 (with the \"%r\" prefix), which the GNU assembler can not\nconvert to an integer.\r\n\r\nThis patch takes another, better and more flexible approach:\nWe extend the __ex_table (which is out of the execution path) by one 32-word.\nIn this word we tell the compiler to insert the assembler instruction\n\"or %r0,%r0,%reg\", where %reg references the register which the compiler\nchoosed for the error return code.\nIn case of an access failure, the fault handler finds the __ex_table entry and\ncan examine the opcode. The used register is encoded in the lowest 5 bits, and\nthe fault handler can then store -EFAULT into this register.\r\n\r\nSince we extend the __ex_table to 3 words we can't use the BUILDTIME_TABLE_SORT\nconfig option any longer.(CVE-2024-26706)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()\r\n\r\nSyzkaller reported [1] hitting a warning after failing to allocate\nresources for skb in hsr_init_skb(). Since a WARN_ONCE() call will\nnot help much in this case, it might be prudent to switch to\nnetdev_warn_once(). At the very least it will suppress syzkaller\nreports such as [1].\r\n\r\nJust in case, use netdev_warn_once() in send_prp_supervision_frame()\nfor similar reasons.\r\n\r\n[1]\nHSR: Could not send supervision frame\nWARNING: CPU: 1 PID: 85 at net/hsr/hsr_device.c:294 send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294\nRIP: 0010:send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294\n...\nCall Trace:\n <IRQ>\n hsr_announce+0x114/0x370 net/hsr/hsr_device.c:382\n call_timer_fn+0x193/0x590 kernel/time/timer.c:1700\n expire_timers kernel/time/timer.c:1751 [inline]\n __run_timers+0x764/0xb20 kernel/time/timer.c:2022\n run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2035\n __do_softirq+0x21a/0x8de kernel/softirq.c:553\n invoke_softirq kernel/softirq.c:427 [inline]\n __irq_exit_rcu kernel/softirq.c:632 [inline]\n irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644\n sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076\n </IRQ>\n <TASK>\n asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649\n...\r\n\r\nThis issue is also found in older kernels (at least up to 5.10).(CVE-2024-26707)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/kasan: Fix addr error caused by page alignment\r\n\r\nIn kasan_init_region, when k_start is not page aligned, at the begin of\nfor loop, k_cur = k_start & PAGE_MASK is less than k_start, and then\n`va = block + k_cur - k_start` is less than block, the addr va is invalid,\nbecause the memory address space from va to block is not alloced by\nmemblock_alloc, which will not be reserved by memblock_reserve later, it\nwill be used by other places.\r\n\r\nAs a result, memory overwriting occurs.\r\n\r\nfor example:\nint __init __weak kasan_init_region(void *start, size_t size)\n{\n[...]\n\t/* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */\n\tblock = memblock_alloc(k_end - k_start, PAGE_SIZE);\n\t[...]\n\tfor (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) {\n\t\t/* at the begin of for loop\n\t\t * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400)\n\t\t * va(dcd96c00) is less than block(dcd97000), va is invalid\n\t\t */\n\t\tvoid *va = block + k_cur - k_start;\n\t\t[...]\n\t}\n[...]\n}\r\n\r\nTherefore, page alignment is performed on k_start before\nmemblock_alloc() to ensure the validity of the VA address.(CVE-2024-26712)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again\r\n\r\n(struct dirty_throttle_control *)->thresh is an unsigned long, but is\npassed as the u32 divisor argument to div_u64().  On architectures where\nunsigned long is 64 bytes, the argument will be implicitly truncated.\r\n\r\nUse div64_u64() instead of div_u64() so that the value used in the \"is\nthis a safe division\" check is the same as the divisor.\r\n\r\nAlso, remove redundant cast of the numerator to u64, as that should happen\nimplicitly.\r\n\r\nThis would be difficult to exploit in memcg domain, given the ratio-based\narithmetic domain_drity_limits() uses, but is much easier in global\nwriteback domain with a BDI_CAP_STRICTLIMIT-backing device, using e.g. \nvm.dirty_bytes=(1<<32)*PAGE_SIZE so that dtc->thresh == (1<<32)(CVE-2024-26720)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: don't drop extent_map for free space inode on write error\r\n\r\nWhile running the CI for an unrelated change I hit the following panic\nwith generic/648 on btrfs_holes_spacecache.\r\n\r\nassertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385\n------------[ cut here ]------------\nkernel BUG at fs/btrfs/extent_io.c:1385!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G        W          6.8.0-rc2+ #1\nRIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0\nCall Trace:\n <TASK>\n extent_write_cache_pages+0x2ac/0x8f0\n extent_writepages+0x87/0x110\n do_writepages+0xd5/0x1f0\n filemap_fdatawrite_wbc+0x63/0x90\n __filemap_fdatawrite_range+0x5c/0x80\n btrfs_fdatawrite_range+0x1f/0x50\n btrfs_write_out_cache+0x507/0x560\n btrfs_write_dirty_block_groups+0x32a/0x420\n commit_cowonly_roots+0x21b/0x290\n btrfs_commit_transaction+0x813/0x1360\n btrfs_sync_file+0x51a/0x640\n __x64_sys_fdatasync+0x52/0x90\n do_syscall_64+0x9c/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\nThis happens because we fail to write out the free space cache in one\ninstance, come back around and attempt to write it again.  However on\nthe second pass through we go to call btrfs_get_extent() on the inode to\nget the extent mapping.  Because this is a new block group, and with the\nfree space inode we always search the commit root to avoid deadlocking\nwith the tree, we find nothing and return a EXTENT_MAP_HOLE for the\nrequested range.\r\n\r\nThis happens because the first time we try to write the space cache out\nwe hit an error, and on an error we drop the extent mapping.  This is\nnormal for normal files, but the free space cache inode is special.  We\nalways expect the extent map to be correct.  Thus the second time\nthrough we end up with a bogus extent map.\r\n\r\nSince we're deprecating this feature, the most straightforward way to\nfix this is to simply skip dropping the extent map range for this failed\nrange.\r\n\r\nI shortened the test by using error injection to stress the area to make\nit easier to reproduce.  With this patch in place we no longer panic\nwith my error injection test.(CVE-2024-26726)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\narp: Prevent overflow in arp_req_get().\r\n\r\nsyzkaller reported an overflown write in arp_req_get(). [0]\r\n\r\nWhen ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour\nentry and copies neigh->ha to struct arpreq.arp_ha.sa_data.\r\n\r\nThe arp_ha here is struct sockaddr, not struct sockaddr_storage, so\nthe sa_data buffer is just 14 bytes.\r\n\r\nIn the splat below, 2 bytes are overflown to the next int field,\narp_flags.  We initialise the field just after the memcpy(), so it's\nnot a problem.\r\n\r\nHowever, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN),\narp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL)\nin arp_ioctl() before calling arp_req_get().\r\n\r\nTo avoid the overflow, let's limit the max length of memcpy().\r\n\r\nNote that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible\narray in struct sockaddr\") just silenced syzkaller.\r\n\r\n[0]:\nmemcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14)\nWARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128\nModules linked in:\nCPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014\nRIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128\nCode: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6\nRSP: 0018:ffffc900050b7998 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001\nRBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000\nR13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010\nFS:  00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <TASK>\n arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261\n inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981\n sock_do_ioctl+0xdf/0x260 net/socket.c:1204\n sock_ioctl+0x3ef/0x650 net/socket.c:1321\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x64/0xce\nRIP: 0033:0x7f172b262b8d\nCode: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d\nRDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003\nRBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000\n </TASK>(CVE-2024-26733)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndevlink: fix possible use-after-free and memory leaks in devlink_init()\r\n\r\nThe pernet operations structure for the subsystem must be registered\nbefore registering the generic netlink family.\r\n\r\nMake an unregister in case of unsuccessful registration.(CVE-2024-26734)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: sr: fix possible use-after-free and null-ptr-deref\r\n\r\nThe pernet operations structure for the subsystem must be registered\nbefore registering the generic netlink family.(CVE-2024-26735)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: act_mirred: use the backlog for mirred ingress\r\n\r\nThe test Davide added in commit ca22da2fbd69 (\"act_mirred: use the backlog\nfor nested calls to mirred ingress\") hangs our testing VMs every 10 or so\nruns, with the familiar tcp_v4_rcv -> tcp_v4_rcv deadlock reported by\nlockdep.\r\n\r\nThe problem as previously described by Davide (see Link) is that\nif we reverse flow of traffic with the redirect (egress -> ingress)\nwe may reach the same socket which generated the packet. And we may\nstill be holding its socket lock. The common solution to such deadlocks\nis to put the packet in the Rx backlog, rather than run the Rx path\ninline. Do that for all egress -> ingress reversals, not just once\nwe started to nest mirred calls.\r\n\r\nIn the past there was a concern that the backlog indirection will\nlead to loss of error reporting / less accurate stats. But the current\nworkaround does not seem to address the issue.(CVE-2024-26740)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/qedr: Fix qedr_create_user_qp error flow\r\n\r\nAvoid the following warning by making sure to free the allocated\nresources in case that qedr_init_user_queue() fail.\r\n\r\n-----------[ cut here ]-----------\nWARNING: CPU: 0 PID: 143192 at drivers/infiniband/core/rdma_core.c:874 uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nModules linked in: tls target_core_user uio target_core_pscsi target_core_file target_core_iblock ib_srpt ib_srp scsi_transport_srp nfsd nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs 8021q garp mrp stp llc ext4 mbcache jbd2 opa_vnic ib_umad ib_ipoib sunrpc rdma_ucm ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm hfi1 intel_rapl_msr intel_rapl_common mgag200 qedr sb_edac drm_shmem_helper rdmavt x86_pkg_temp_thermal drm_kms_helper intel_powerclamp ib_uverbs coretemp i2c_algo_bit kvm_intel dell_wmi_descriptor ipmi_ssif sparse_keymap kvm ib_core rfkill syscopyarea sysfillrect video sysimgblt irqbypass ipmi_si ipmi_devintf fb_sys_fops rapl iTCO_wdt mxm_wmi iTCO_vendor_support intel_cstate pcspkr dcdbas intel_uncore ipmi_msghandler lpc_ich acpi_power_meter mei_me mei fuse drm xfs libcrc32c qede sd_mod ahci libahci t10_pi sg crct10dif_pclmul crc32_pclmul crc32c_intel qed libata tg3\nghash_clmulni_intel megaraid_sas crc8 wmi [last unloaded: ib_srpt]\nCPU: 0 PID: 143192 Comm: fi_rdm_tagged_p Kdump: loaded Not tainted 5.14.0-408.el9.x86_64 #1\nHardware name: Dell Inc. PowerEdge R430/03XKDV, BIOS 2.14.0 01/25/2022\nRIP: 0010:uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nCode: 5d 41 5c 41 5d 41 5e e9 0f 26 1b dd 48 89 df e8 67 6a ff ff 49 8b 86 10 01 00 00 48 85 c0 74 9c 4c 89 e7 e8 83 c0 cb dd eb 92 <0f> 0b eb be 0f 0b be 04 00 00 00 48 89 df e8 8e f5 ff ff e9 6d ff\nRSP: 0018:ffffb7c6cadfbc60 EFLAGS: 00010286\nRAX: ffff8f0889ee3f60 RBX: ffff8f088c1a5200 RCX: 00000000802a0016\nRDX: 00000000802a0017 RSI: 0000000000000001 RDI: ffff8f0880042600\nRBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000\nR10: ffff8f11fffd5000 R11: 0000000000039000 R12: ffff8f0d5b36cd80\nR13: ffff8f088c1a5250 R14: ffff8f1206d91000 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff8f11d7c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000147069200e20 CR3: 00000001c7210002 CR4: 00000000001706f0\nCall Trace:\n<TASK>\n? show_trace_log_lvl+0x1c4/0x2df\n? show_trace_log_lvl+0x1c4/0x2df\n? ib_uverbs_close+0x1f/0xb0 [ib_uverbs]\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\n? __warn+0x81/0x110\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\n? report_bug+0x10a/0x140\n? handle_bug+0x3c/0x70\n? exc_invalid_op+0x14/0x70\n? asm_exc_invalid_op+0x16/0x20\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nib_uverbs_close+0x1f/0xb0 [ib_uverbs]\n__fput+0x94/0x250\ntask_work_run+0x5c/0x90\ndo_exit+0x270/0x4a0\ndo_group_exit+0x2d/0x90\nget_signal+0x87c/0x8c0\narch_do_signal_or_restart+0x25/0x100\n? ib_uverbs_ioctl+0xc2/0x110 [ib_uverbs]\nexit_to_user_mode_loop+0x9c/0x130\nexit_to_user_mode_prepare+0xb6/0x100\nsyscall_exit_to_user_mode+0x12/0x40\ndo_syscall_64+0x69/0x90\n? syscall_exit_work+0x103/0x130\n? syscall_exit_to_user_mode+0x22/0x40\n? do_syscall_64+0x69/0x90\n? syscall_exit_work+0x103/0x130\n? syscall_exit_to_user_mode+0x22/0x40\n? do_syscall_64+0x69/0x90\n? do_syscall_64+0x69/0x90\n? common_interrupt+0x43/0xa0\nentry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x1470abe3ec6b\nCode: Unable to access opcode bytes at RIP 0x1470abe3ec41.\nRSP: 002b:00007fff13ce9108 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: fffffffffffffffc RBX: 00007fff13ce9218 RCX: 00001470abe3ec6b\nRDX: 00007fff13ce9200 RSI: 00000000c0181b01 RDI: 0000000000000004\nRBP: 00007fff13ce91e0 R08: 0000558d9655da10 R09: 0000558d9655dd00\nR10: 00007fff13ce95c0 R11: 0000000000000246 R12: 00007fff13ce9358\nR13: 0000000000000013 R14: 0000558d9655db50 R15: 00007fff13ce9470\n</TASK>\n--[ end trace 888a9b92e04c5c97 ]--(CVE-2024-26743)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/srpt: Support specifying the srpt_service_guid parameter\r\n\r\nMake loading ib_srpt with this parameter set work. The current behavior is\nthat setting that parameter while loading the ib_srpt kernel module\ntriggers the following kernel crash:\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nCall Trace:\n <TASK>\n parse_one+0x18c/0x1d0\n parse_args+0xe1/0x230\n load_module+0x8de/0xa60\n init_module_from_file+0x8b/0xd0\n idempotent_init_module+0x181/0x240\n __x64_sys_finit_module+0x5a/0xb0\n do_syscall_64+0x5f/0xe0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76(CVE-2024-26744)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()\r\n\r\nThe gtp_net_ops pernet operations structure for the subsystem must be\nregistered before registering the generic netlink family.\r\n\r\nSyzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:\r\n\r\ngeneral protection fault, probably for non-canonical address\n0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\nCPU: 1 PID: 5826 Comm: gtp Not tainted 6.8.0-rc3-std-def-alt1 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014\nRIP: 0010:gtp_genl_dump_pdp+0x1be/0x800 [gtp]\nCode: c6 89 c6 e8 64 e9 86 df 58 45 85 f6 0f 85 4e 04 00 00 e8 c5 ee 86\n      df 48 8b 54 24 18 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80>\n      3c 02 00 0f 85 de 05 00 00 48 8b 44 24 18 4c 8b 30 4c 39 f0 74\nRSP: 0018:ffff888014107220 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: ffff88800fcda588 R14: 0000000000000001 R15: 0000000000000000\nFS:  00007f1be4eb05c0(0000) GS:ffff88806ce80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1be4e766cf CR3: 000000000c33e000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? show_regs+0x90/0xa0\n ? die_addr+0x50/0xd0\n ? exc_general_protection+0x148/0x220\n ? asm_exc_general_protection+0x22/0x30\n ? gtp_genl_dump_pdp+0x1be/0x800 [gtp]\n ? __alloc_skb+0x1dd/0x350\n ? __pfx___alloc_skb+0x10/0x10\n genl_dumpit+0x11d/0x230\n netlink_dump+0x5b9/0xce0\n ? lockdep_hardirqs_on_prepare+0x253/0x430\n ? __pfx_netlink_dump+0x10/0x10\n ? kasan_save_track+0x10/0x40\n ? __kasan_kmalloc+0x9b/0xa0\n ? genl_start+0x675/0x970\n __netlink_dump_start+0x6fc/0x9f0\n genl_family_rcv_msg_dumpit+0x1bb/0x2d0\n ? __pfx_genl_family_rcv_msg_dumpit+0x10/0x10\n ? genl_op_from_small+0x2a/0x440\n ? cap_capable+0x1d0/0x240\n ? __pfx_genl_start+0x10/0x10\n ? __pfx_genl_dumpit+0x10/0x10\n ? __pfx_genl_done+0x10/0x10\n ? security_capable+0x9d/0xe0(CVE-2024-26754)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndm-crypt: don't modify the data when using authenticated encryption\r\n\r\nIt was said that authenticated encryption could produce invalid tag when\nthe data that is being encrypted is modified [1]. So, fix this problem by\ncopying the data into the clone bio first and then encrypt them inside the\nclone bio.\r\n\r\nThis may reduce performance, but it is needed to prevent the user from\ncorrupting the device by writing data with O_DIRECT and modifying them at\nthe same time.\r\n\r\n[1] https://lore.kernel.org/all/20240207004723.GA35324@sol.localdomain/T/(CVE-2024-26763)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nspi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected\r\n\r\nReturn IRQ_NONE from the interrupt handler when no interrupt was\ndetected. Because an empty interrupt will cause a null pointer error:\r\n\r\n    Unable to handle kernel NULL pointer dereference at virtual\n  address 0000000000000008\n    Call trace:\n        complete+0x54/0x100\n        hisi_sfc_v3xx_isr+0x2c/0x40 [spi_hisi_sfc_v3xx]\n        __handle_irq_event_percpu+0x64/0x1e0\n        handle_irq_event+0x7c/0x1cc(CVE-2024-26776)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmptcp: fix double-free on socket dismantle\r\n\r\nwhen MPTCP server accepts an incoming connection, it clones its listener\nsocket. However, the pointer to 'inet_opt' for the new socket has the same\nvalue as the original one: as a consequence, on program exit it's possible\nto observe the following splat:\r\n\r\n  BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0\n  Free of addr ffff888485950880 by task swapper/25/0\r\n\r\n  CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609\n  Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0  07/26/2013\n  Call Trace:\n   <IRQ>\n   dump_stack_lvl+0x32/0x50\n   print_report+0xca/0x620\n   kasan_report_invalid_free+0x64/0x90\n   __kasan_slab_free+0x1aa/0x1f0\n   kfree+0xed/0x2e0\n   inet_sock_destruct+0x54f/0x8b0\n   __sk_destruct+0x48/0x5b0\n   rcu_do_batch+0x34e/0xd90\n   rcu_core+0x559/0xac0\n   __do_softirq+0x183/0x5a4\n   irq_exit_rcu+0x12d/0x170\n   sysvec_apic_timer_interrupt+0x6b/0x80\n   </IRQ>\n   <TASK>\n   asm_sysvec_apic_timer_interrupt+0x16/0x20\n  RIP: 0010:cpuidle_enter_state+0x175/0x300\n  Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b\n  RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202\n  RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000\n  RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588\n  RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080\n  R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0\n  R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80\n   cpuidle_enter+0x4a/0xa0\n   do_idle+0x310/0x410\n   cpu_startup_entry+0x51/0x60\n   start_secondary+0x211/0x270\n   secondary_startup_64_no_verify+0x184/0x18b\n   </TASK>\r\n\r\n  Allocated by task 6853:\n   kasan_save_stack+0x1c/0x40\n   kasan_save_track+0x10/0x30\n   __kasan_kmalloc+0xa6/0xb0\n   __kmalloc+0x1eb/0x450\n   cipso_v4_sock_setattr+0x96/0x360\n   netlbl_sock_setattr+0x132/0x1f0\n   selinux_netlbl_socket_post_create+0x6c/0x110\n   selinux_socket_post_create+0x37b/0x7f0\n   security_socket_post_create+0x63/0xb0\n   __sock_create+0x305/0x450\n   __sys_socket_create.part.23+0xbd/0x130\n   __sys_socket+0x37/0xb0\n   __x64_sys_socket+0x6f/0xb0\n   do_syscall_64+0x83/0x160\n   entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\n  Freed by task 6858:\n   kasan_save_stack+0x1c/0x40\n   kasan_save_track+0x10/0x30\n   kasan_save_free_info+0x3b/0x60\n   __kasan_slab_free+0x12c/0x1f0\n   kfree+0xed/0x2e0\n   inet_sock_destruct+0x54f/0x8b0\n   __sk_destruct+0x48/0x5b0\n   subflow_ulp_release+0x1f0/0x250\n   tcp_cleanup_ulp+0x6e/0x110\n   tcp_v4_destroy_sock+0x5a/0x3a0\n   inet_csk_destroy_sock+0x135/0x390\n   tcp_fin+0x416/0x5c0\n   tcp_data_queue+0x1bc8/0x4310\n   tcp_rcv_state_process+0x15a3/0x47b0\n   tcp_v4_do_rcv+0x2c1/0x990\n   tcp_v4_rcv+0x41fb/0x5ed0\n   ip_protocol_deliver_rcu+0x6d/0x9f0\n   ip_local_deliver_finish+0x278/0x360\n   ip_local_deliver+0x182/0x2c0\n   ip_rcv+0xb5/0x1c0\n   __netif_receive_skb_one_core+0x16e/0x1b0\n   process_backlog+0x1e3/0x650\n   __napi_poll+0xa6/0x500\n   net_rx_action+0x740/0xbb0\n   __do_softirq+0x183/0x5a4\r\n\r\n  The buggy address belongs to the object at ffff888485950880\n   which belongs to the cache kmalloc-64 of size 64\n  The buggy address is located 0 bytes inside of\n   64-byte region [ffff888485950880, ffff8884859508c0)\r\n\r\n  The buggy address belongs to the physical page:\n  page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950\n  flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff)\n  page_type: 0xffffffff()\n  raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006\n  raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000\n  page dumped because: kasan: bad access detected\r\n\r\n  Memory state around the buggy address:\n   ffff888485950780: fa fb fb\n---truncated---(CVE-2024-26782)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmmc: mmci: stm32: fix DMA API overlapping mappings warning\r\n\r\nTurning on CONFIG_DMA_API_DEBUG_SG results in the following warning:\r\n\r\nDMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST,\noverlapping mappings aren't supported\nWARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568\nadd_dma_entry+0x234/0x2f4\nModules linked in:\nCPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1\nHardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT)\nWorkqueue: events_freezable mmc_rescan\nCall trace:\nadd_dma_entry+0x234/0x2f4\ndebug_dma_map_sg+0x198/0x350\n__dma_map_sg_attrs+0xa0/0x110\ndma_map_sg_attrs+0x10/0x2c\nsdmmc_idma_prep_data+0x80/0xc0\nmmci_prep_data+0x38/0x84\nmmci_start_data+0x108/0x2dc\nmmci_request+0xe4/0x190\n__mmc_start_request+0x68/0x140\nmmc_start_request+0x94/0xc0\nmmc_wait_for_req+0x70/0x100\nmmc_send_tuning+0x108/0x1ac\nsdmmc_execute_tuning+0x14c/0x210\nmmc_execute_tuning+0x48/0xec\nmmc_sd_init_uhs_card.part.0+0x208/0x464\nmmc_sd_init_card+0x318/0x89c\nmmc_attach_sd+0xe4/0x180\nmmc_rescan+0x244/0x320\r\n\r\nDMA API debug brings to light leaking dma-mappings as dma_map_sg and\ndma_unmap_sg are not correctly balanced.\r\n\r\nIf an error occurs in mmci_cmd_irq function, only mmci_dma_error\nfunction is called and as this API is not managed on stm32 variant,\ndma_unmap_sg is never called in this error path.(CVE-2024-26787)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: Avoid potential use-after-free in hci_error_reset\r\n\r\nWhile handling the HCI_EV_HARDWARE_ERROR event, if the underlying\nBT controller is not responding, the GPIO reset mechanism would\nfree the hci_dev and lead to a use-after-free in hci_error_reset.\r\n\r\nHere's the call trace observed on a ChromeOS device with Intel AX201:\n   queue_work_on+0x3e/0x6c\n   __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth <HASH:3b4a6>]\n   ? init_wait_entry+0x31/0x31\n   __hci_cmd_sync+0x16/0x20 [bluetooth <HASH:3b4a 6>]\n   hci_error_reset+0x4f/0xa4 [bluetooth <HASH:3b4a 6>]\n   process_one_work+0x1d8/0x33f\n   worker_thread+0x21b/0x373\n   kthread+0x13a/0x152\n   ? pr_cont_work+0x54/0x54\n   ? kthread_blkcg+0x31/0x31\n    ret_from_fork+0x1f/0x30\r\n\r\nThis patch holds the reference count on the hci_dev while processing\na HCI_EV_HARDWARE_ERROR event to avoid potential crash.(CVE-2024-26801)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetlink: Fix kernel-infoleak-after-free in __skb_datagram_iter\r\n\r\nsyzbot reported the following uninit-value access issue [1]:\r\n\r\nnetlink_to_full_skb() creates a new `skb` and puts the `skb->data`\npassed as a 1st arg of netlink_to_full_skb() onto new `skb`. The data\nsize is specified as `len` and passed to skb_put_data(). This `len`\nis based on `skb->end` that is not data offset but buffer offset. The\n`skb->end` contains data and tailroom. Since the tailroom is not\ninitialized when the new `skb` created, KMSAN detects uninitialized\nmemory area when copying the data.\r\n\r\nThis patch resolved this issue by correct the len from `skb->end` to\n`skb->len`, which is the actual data offset.\r\n\r\nBUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in copy_to_user_iter lib/iov_iter.c:24 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_ubuf include/linux/iov_iter.h:29 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance include/linux/iov_iter.h:271 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186\n copy_to_iter include/linux/uio.h:197 [inline]\n simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:532\n __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:420\n skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]\n packet_recvmsg+0xd9c/0x2000 net/packet/af_packet.c:3482\n sock_recvmsg_nosec net/socket.c:1044 [inline]\n sock_recvmsg net/socket.c:1066 [inline]\n sock_read_iter+0x467/0x580 net/socket.c:1136\n call_read_iter include/linux/fs.h:2014 [inline]\n new_sync_read fs/read_write.c:389 [inline]\n vfs_read+0x8f6/0xe00 fs/read_write.c:470\n ksys_read+0x20f/0x4c0 fs/read_write.c:613\n __do_sys_read fs/read_write.c:623 [inline]\n __se_sys_read fs/read_write.c:621 [inline]\n __x64_sys_read+0x93/0xd0 fs/read_write.c:621\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was stored to memory at:\n skb_put_data include/linux/skbuff.h:2622 [inline]\n netlink_to_full_skb net/netlink/af_netlink.c:181 [inline]\n __netlink_deliver_tap_skb net/netlink/af_netlink.c:298 [inline]\n __netlink_deliver_tap+0x5be/0xc90 net/netlink/af_netlink.c:325\n netlink_deliver_tap net/netlink/af_netlink.c:338 [inline]\n netlink_deliver_tap_kernel net/netlink/af_netlink.c:347 [inline]\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x10f1/0x1250 net/netlink/af_netlink.c:1368\n netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was created at:\n free_pages_prepare mm/page_alloc.c:1087 [inline]\n free_unref_page_prepare+0xb0/0xa40 mm/page_alloc.c:2347\n free_unref_page_list+0xeb/0x1100 mm/page_alloc.c:2533\n release_pages+0x23d3/0x2410 mm/swap.c:1042\n free_pages_and_swap_cache+0xd9/0xf0 mm/swap_state.c:316\n tlb_batch_pages\n---truncated---(CVE-2024-26805)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain\r\n\r\nRemove netdevice from inet/ingress basechain in case NETDEV_UNREGISTER\nevent is reported, otherwise a stale reference to netdevice remains in\nthe hook list.(CVE-2024-26808)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nft_set_pipapo: release elements in clone only from destroy path\r\n\r\nClone already always provides a current view of the lookup table, use it\nto destroy the set, otherwise it is possible to destroy elements twice.\r\n\r\nThis fix requires:\r\n\r\n 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\")\r\n\r\nwhich came after:\r\n\r\n 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").(CVE-2024-26809)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_conntrack_h323: Add protection for bmp length out of range\r\n\r\nUBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts\nthat are out of bounds for their data type.\r\n\r\nvmlinux   get_bitmap(b=75) + 712\n<net/netfilter/nf_conntrack_h323_asn1.c:0>\nvmlinux   decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018, level=134443100) + 1956\n<net/netfilter/nf_conntrack_h323_asn1.c:592>\nvmlinux   decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216\n<net/netfilter/nf_conntrack_h323_asn1.c:814>\nvmlinux   decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812\n<net/netfilter/nf_conntrack_h323_asn1.c:576>\nvmlinux   decode_choice(base=0xFFFFFFD008037280, level=0) + 1216\n<net/netfilter/nf_conntrack_h323_asn1.c:814>\nvmlinux   DecodeRasMessage() + 304\n<net/netfilter/nf_conntrack_h323_asn1.c:833>\nvmlinux   ras_help() + 684\n<net/netfilter/nf_conntrack_h323_main.c:1728>\nvmlinux   nf_confirm() + 188\n<net/netfilter/nf_conntrack_proto.c:137>\r\n\r\nDue to abnormal data in skb->data, the extension bitmap length\nexceeds 32 when decoding ras message then uses the length to make\na shift operation. It will change into negative after several loop.\nUBSAN load could detect a negative shift as an undefined behaviour\nand reports exception.\nSo we add the protection to avoid the length exceeding 32. Or else\nit will return out of range error and stop decoding.(CVE-2024-26851)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: hns3: fix kernel crash when 1588 is received on HIP08 devices\r\n\r\nThe HIP08 devices does not register the ptp devices, so the\nhdev->ptp is NULL, but the hardware can receive 1588 messages,\nand set the HNS3_RXD_TS_VLD_B bit, so, if match this case, the\naccess of hdev->ptp->flags will cause a kernel crash:\r\n\r\n[ 5888.946472] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018\n[ 5888.946475] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018\n...\n[ 5889.266118] pc : hclge_ptp_get_rx_hwts+0x40/0x170 [hclge]\n[ 5889.272612] lr : hclge_ptp_get_rx_hwts+0x34/0x170 [hclge]\n[ 5889.279101] sp : ffff800012c3bc50\n[ 5889.283516] x29: ffff800012c3bc50 x28: ffff2040002be040\n[ 5889.289927] x27: ffff800009116484 x26: 0000000080007500\n[ 5889.296333] x25: 0000000000000000 x24: ffff204001c6f000\n[ 5889.302738] x23: ffff204144f53c00 x22: 0000000000000000\n[ 5889.309134] x21: 0000000000000000 x20: ffff204004220080\n[ 5889.315520] x19: ffff204144f53c00 x18: 0000000000000000\n[ 5889.321897] x17: 0000000000000000 x16: 0000000000000000\n[ 5889.328263] x15: 0000004000140ec8 x14: 0000000000000000\n[ 5889.334617] x13: 0000000000000000 x12: 00000000010011df\n[ 5889.340965] x11: bbfeff4d22000000 x10: 0000000000000000\n[ 5889.347303] x9 : ffff800009402124 x8 : 0200f78811dfbb4d\n[ 5889.353637] x7 : 2200000000191b01 x6 : ffff208002a7d480\n[ 5889.359959] x5 : 0000000000000000 x4 : 0000000000000000\n[ 5889.366271] x3 : 0000000000000000 x2 : 0000000000000000\n[ 5889.372567] x1 : 0000000000000000 x0 : ffff20400095c080\n[ 5889.378857] Call trace:\n[ 5889.382285] hclge_ptp_get_rx_hwts+0x40/0x170 [hclge]\n[ 5889.388304] hns3_handle_bdinfo+0x324/0x410 [hns3]\n[ 5889.394055] hns3_handle_rx_bd+0x60/0x150 [hns3]\n[ 5889.399624] hns3_clean_rx_ring+0x84/0x170 [hns3]\n[ 5889.405270] hns3_nic_common_poll+0xa8/0x220 [hns3]\n[ 5889.411084] napi_poll+0xcc/0x264\n[ 5889.415329] net_rx_action+0xd4/0x21c\n[ 5889.419911] __do_softirq+0x130/0x358\n[ 5889.424484] irq_exit+0x134/0x154\n[ 5889.428700] __handle_domain_irq+0x88/0xf0\n[ 5889.433684] gic_handle_irq+0x78/0x2c0\n[ 5889.438319] el1_irq+0xb8/0x140\n[ 5889.442354] arch_cpu_idle+0x18/0x40\n[ 5889.446816] default_idle_call+0x5c/0x1c0\n[ 5889.451714] cpuidle_idle_call+0x174/0x1b0\n[ 5889.456692] do_idle+0xc8/0x160\n[ 5889.460717] cpu_startup_entry+0x30/0xfc\n[ 5889.465523] secondary_start_kernel+0x158/0x1ec\n[ 5889.470936] Code: 97ffab78 f9411c14 91408294 f9457284 (f9400c80)\n[ 5889.477950] SMP: stopping secondary CPUs\n[ 5890.514626] SMP: failed to stop secondary CPUs 0-69,71-95\n[ 5890.522951] Starting crashdump kernel...(CVE-2024-26881)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmd: fix kmemleak of rdev->serial\r\n\r\nIf kobject_add() is fail in bind_rdev_to_array(), 'rdev->serial' will be\nalloc not be freed, and kmemleak occurs.\r\n\r\nunreferenced object 0xffff88815a350000 (size 49152):\n  comm \"mdadm\", pid 789, jiffies 4294716910\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc f773277a):\n    [<0000000058b0a453>] kmemleak_alloc+0x61/0xe0\n    [<00000000366adf14>] __kmalloc_large_node+0x15e/0x270\n    [<000000002e82961b>] __kmalloc_node.cold+0x11/0x7f\n    [<00000000f206d60a>] kvmalloc_node+0x74/0x150\n    [<0000000034bf3363>] rdev_init_serial+0x67/0x170\n    [<0000000010e08fe9>] mddev_create_serial_pool+0x62/0x220\n    [<00000000c3837bf0>] bind_rdev_to_array+0x2af/0x630\n    [<0000000073c28560>] md_add_new_disk+0x400/0x9f0\n    [<00000000770e30ff>] md_ioctl+0x15bf/0x1c10\n    [<000000006cfab718>] blkdev_ioctl+0x191/0x3f0\n    [<0000000085086a11>] vfs_ioctl+0x22/0x60\n    [<0000000018b656fe>] __x64_sys_ioctl+0xba/0xe0\n    [<00000000e54e675e>] do_syscall_64+0x71/0x150\n    [<000000008b0ad622>] entry_SYSCALL_64_after_hwframe+0x6c/0x74(CVE-2024-26900)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndo_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak\r\n\r\nsyzbot identified a kernel information leak vulnerability in\ndo_sys_name_to_handle() and issued the following report [1].\r\n\r\n[1]\n\"BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n _copy_to_user+0xbc/0x100 lib/usercopy.c:40\n copy_to_user include/linux/uaccess.h:191 [inline]\n do_sys_name_to_handle fs/fhandle.c:73 [inline]\n __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]\n __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94\n __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94\n ...\r\n\r\nUninit was created at:\n slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n slab_alloc_node mm/slub.c:3478 [inline]\n __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517\n __do_kmalloc_node mm/slab_common.c:1006 [inline]\n __kmalloc+0x121/0x3c0 mm/slab_common.c:1020\n kmalloc include/linux/slab.h:604 [inline]\n do_sys_name_to_handle fs/fhandle.c:39 [inline]\n __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]\n __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94\n __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94\n ...\r\n\r\nBytes 18-19 of 20 are uninitialized\nMemory access of size 20 starts at ffff888128a46380\nData copied to user address 0000000020000240\"\r\n\r\nPer Chuck Lever's suggestion, use kzalloc() instead of kmalloc() to\nsolve the problem.(CVE-2024-26901)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security\r\n\r\nDuring our fuzz testing of the connection and disconnection process at the\nRFCOMM layer, we discovered this bug. By comparing the packets from a\nnormal connection and disconnection process with the testcase that\ntriggered a KASAN report. We analyzed the cause of this bug as follows:\r\n\r\n1. In the packets captured during a normal connection, the host sends a\n`Read Encryption Key Size` type of `HCI_CMD` packet\n(Command Opcode: 0x1408) to the controller to inquire the length of\nencryption key.After receiving this packet, the controller immediately\nreplies with a Command Completepacket (Event Code: 0x0e) to return the\nEncryption Key Size.\r\n\r\n2. In our fuzz test case, the timing of the controller's response to this\npacket was delayed to an unexpected point: after the RFCOMM and L2CAP\nlayers had disconnected but before the HCI layer had disconnected.\r\n\r\n3. After receiving the Encryption Key Size Response at the time described\nin point 2, the host still called the rfcomm_check_security function.\nHowever, by this time `struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;`\nhad already been released, and when the function executed\n`return hci_conn_security(conn->hcon, d->sec_level, auth_type, d->out);`,\nspecifically when accessing `conn->hcon`, a null-ptr-deref error occurred.\r\n\r\nTo fix this bug, check if `sk->sk_state` is BT_CLOSED before calling\nrfcomm_recv_frame in rfcomm_process_rx.(CVE-2024-26903)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/mlx5: Fix fortify source warning while accessing Eth segment\r\n\r\n ------------[ cut here ]------------\n memcpy: detected field-spanning write (size 56) of single field \"eseg->inline_hdr.start\" at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 (size 2)\n WARNING: CPU: 0 PID: 293779 at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n Modules linked in: 8021q garp mrp stp llc rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) ib_core(OE) mlx5_core(OE) pci_hyperv_intf mlxdevm(OE) mlx_compat(OE) tls mlxfw(OE) psample nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink mst_pciconf(OE) knem(OE) vfio_pci vfio_pci_core vfio_iommu_type1 vfio iommufd irqbypass cuse nfsv3 nfs fscache netfs xfrm_user xfrm_algo ipmi_devintf ipmi_msghandler binfmt_misc crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 snd_pcsp aesni_intel crypto_simd cryptd snd_pcm snd_timer joydev snd soundcore input_leds serio_raw evbug nfsd auth_rpcgss nfs_acl lockd grace sch_fq_codel sunrpc drm efi_pstore ip_tables x_tables autofs4 psmouse virtio_net net_failover failover floppy\n  [last unloaded: mlx_compat(OE)]\n CPU: 0 PID: 293779 Comm: ssh Tainted: G           OE      6.2.0-32-generic #32~22.04.1-Ubuntu\n Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\n RIP: 0010:mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n Code: 0c 01 00 a8 01 75 25 48 8b 75 a0 b9 02 00 00 00 48 c7 c2 10 5b fd c0 48 c7 c7 80 5b fd c0 c6 05 57 0c 03 00 01 e8 95 4d 93 da <0f> 0b 44 8b 4d b0 4c 8b 45 c8 48 8b 4d c0 e9 49 fb ff ff 41 0f b7\n RSP: 0018:ffffb5b48478b570 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffffb5b48478b628 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000000 R12: ffffb5b48478b5e8\n R13: ffff963a3c609b5e R14: ffff9639c3fbd800 R15: ffffb5b480475a80\n FS:  00007fc03b444c80(0000) GS:ffff963a3dc00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000556f46bdf000 CR3: 0000000006ac6003 CR4: 00000000003706f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  <TASK>\n  ? show_regs+0x72/0x90\n  ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n  ? __warn+0x8d/0x160\n  ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n  ? report_bug+0x1bb/0x1d0\n  ? handle_bug+0x46/0x90\n  ? exc_invalid_op+0x19/0x80\n  ? asm_exc_invalid_op+0x1b/0x20\n  ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n  mlx5_ib_post_send_nodrain+0xb/0x20 [mlx5_ib]\n  ipoib_send+0x2ec/0x770 [ib_ipoib]\n  ipoib_start_xmit+0x5a0/0x770 [ib_ipoib]\n  dev_hard_start_xmit+0x8e/0x1e0\n  ? validate_xmit_skb_list+0x4d/0x80\n  sch_direct_xmit+0x116/0x3a0\n  __dev_xmit_skb+0x1fd/0x580\n  __dev_queue_xmit+0x284/0x6b0\n  ? _raw_spin_unlock_irq+0xe/0x50\n  ? __flush_work.isra.0+0x20d/0x370\n  ? push_pseudo_header+0x17/0x40 [ib_ipoib]\n  neigh_connected_output+0xcd/0x110\n  ip_finish_output2+0x179/0x480\n  ? __smp_call_single_queue+0x61/0xa0\n  __ip_finish_output+0xc3/0x190\n  ip_finish_output+0x2e/0xf0\n  ip_output+0x78/0x110\n  ? __pfx_ip_finish_output+0x10/0x10\n  ip_local_out+0x64/0x70\n  __ip_queue_xmit+0x18a/0x460\n  ip_queue_xmit+0x15/0x30\n  __tcp_transmit_skb+0x914/0x9c0\n  tcp_write_xmit+0x334/0x8d0\n  tcp_push_one+0x3c/0x60\n  tcp_sendmsg_locked+0x2e1/0xac0\n  tcp_sendmsg+0x2d/0x50\n  inet_sendmsg+0x43/0x90\n  sock_sendmsg+0x68/0x80\n  sock_write_iter+0x93/0x100\n  vfs_write+0x326/0x3c0\n  ksys_write+0xbd/0xf0\n  ? do_syscall_64+0x69/0x90\n  __x64_sys_write+0x19/0x30\n  do_syscall_\n---truncated---(CVE-2024-26907)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2024-26908)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/i915/gt: Reset queue_priority_hint on parking\r\n\r\nOriginally, with strict in order execution, we could complete execution\nonly when the queue was empty. Preempt-to-busy allows replacement of an\nactive request that may complete before the preemption is processed by\nHW. If that happens, the request is retired from the queue, but the\nqueue_priority_hint remains set, preventing direct submission until\nafter the next CS interrupt is processed.\r\n\r\nThis preempt-to-busy race can be triggered by the heartbeat, which will\nalso act as the power-management barrier and upon completion allow us to\nidle the HW. We may process the completion of the heartbeat, and begin\nparking the engine before the CS event that restores the\nqueue_priority_hint, causing us to fail the assertion that it is MIN.\r\n\r\n<3>[  166.210729] __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))\n<0>[  166.210781] Dumping ftrace buffer:\n<0>[  166.210795] ---------------------------------\n...\n<0>[  167.302811] drm_fdin-1097      2..s1. 165741070us : trace_ports: 0000:00:02.0 rcs0: promote { ccid:20 1217:2 prio 0 }\n<0>[  167.302861] drm_fdin-1097      2d.s2. 165741072us : execlists_submission_tasklet: 0000:00:02.0 rcs0: preempting last=1217:2, prio=0, hint=2147483646\n<0>[  167.302928] drm_fdin-1097      2d.s2. 165741072us : __i915_request_unsubmit: 0000:00:02.0 rcs0: fence 1217:2, current 0\n<0>[  167.302992] drm_fdin-1097      2d.s2. 165741073us : __i915_request_submit: 0000:00:02.0 rcs0: fence 3:4660, current 4659\n<0>[  167.303044] drm_fdin-1097      2d.s1. 165741076us : execlists_submission_tasklet: 0000:00:02.0 rcs0: context:3 schedule-in, ccid:40\n<0>[  167.303095] drm_fdin-1097      2d.s1. 165741077us : trace_ports: 0000:00:02.0 rcs0: submit { ccid:40 3:4660* prio 2147483646 }\n<0>[  167.303159] kworker/-89       11..... 165741139us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence c90:2, current 2\n<0>[  167.303208] kworker/-89       11..... 165741148us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:c90 unpin\n<0>[  167.303272] kworker/-89       11..... 165741159us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 1217:2, current 2\n<0>[  167.303321] kworker/-89       11..... 165741166us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:1217 unpin\n<0>[  167.303384] kworker/-89       11..... 165741170us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 3:4660, current 4660\n<0>[  167.303434] kworker/-89       11d..1. 165741172us : __intel_context_retire: 0000:00:02.0 rcs0: context:1216 retire runtime: { total:56028ns, avg:56028ns }\n<0>[  167.303484] kworker/-89       11..... 165741198us : __engine_park: 0000:00:02.0 rcs0: parked\n<0>[  167.303534]   <idle>-0         5d.H3. 165741207us : execlists_irq_handler: 0000:00:02.0 rcs0: semaphore yield: 00000040\n<0>[  167.303583] kworker/-89       11..... 165741397us : __intel_context_retire: 0000:00:02.0 rcs0: context:1217 retire runtime: { total:325575ns, avg:0ns }\n<0>[  167.303756] kworker/-89       11..... 165741777us : __intel_context_retire: 0000:00:02.0 rcs0: context:c90 retire runtime: { total:0ns, avg:0ns }\n<0>[  167.303806] kworker/-89       11..... 165742017us : __engine_park: __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))\n<0>[  167.303811] ---------------------------------\n<4>[  167.304722] ------------[ cut here ]------------\n<2>[  167.304725] kernel BUG at drivers/gpu/drm/i915/gt/intel_engine_pm.c:283!\n<4>[  167.304731] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n<4>[  167.304734] CPU: 11 PID: 89 Comm: kworker/11:1 Tainted: G        W          6.8.0-rc2-CI_DRM_14193-gc655e0fd2804+ #1\n<4>[  167.304736] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022\n<4>[  167.304738] Workqueue: i915-unordered retire_work_handler [i915]\n<4>[  16\n---truncated---(CVE-2024-26937)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: openvswitch: Fix Use-After-Free in ovs_ct_exit\r\n\r\nSince kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof ovs_ct_limit_exit, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\r\n\r\nTo prevent this, it should be changed to hlist_for_each_entry_safe.(CVE-2024-27395)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: gtp: Fix Use-After-Free in gtp_dellink\r\n\r\nSince call_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof gtp_dellink, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\r\n\r\nTo prevent this, it should be changed to hlist_for_each_entry_safe.(CVE-2024-27396)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: Fix use-after-free bugs caused by sco_sock_timeout\r\n\r\nWhen the sco connection is established and then, the sco socket\nis releasing, timeout_work will be scheduled to judge whether\nthe sco disconnection is timeout. The sock will be deallocated\nlater, but it is dereferenced again in sco_sock_timeout. As a\nresult, the use-after-free bugs will happen. The root cause is\nshown below:\r\n\r\n    Cleanup Thread               |      Worker Thread\nsco_sock_release                 |\n  sco_sock_close                 |\n    __sco_sock_close             |\n      sco_sock_set_timer         |\n        schedule_delayed_work    |\n  sco_sock_kill                  |    (wait a time)\n    sock_put(sk) //FREE          |  sco_sock_timeout\n                                 |    sock_hold(sk) //USE\r\n\r\nThe KASAN report triggered by POC is shown below:\r\n\r\n[   95.890016] ==================================================================\n[   95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0\n[   95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7\n...\n[   95.890755] Workqueue: events sco_sock_timeout\n[   95.890755] Call Trace:\n[   95.890755]  <TASK>\n[   95.890755]  dump_stack_lvl+0x45/0x110\n[   95.890755]  print_address_description+0x78/0x390\n[   95.890755]  print_report+0x11b/0x250\n[   95.890755]  ? __virt_addr_valid+0xbe/0xf0\n[   95.890755]  ? sco_sock_timeout+0x5e/0x1c0\n[   95.890755]  kasan_report+0x139/0x170\n[   95.890755]  ? update_load_avg+0xe5/0x9f0\n[   95.890755]  ? sco_sock_timeout+0x5e/0x1c0\n[   95.890755]  kasan_check_range+0x2c3/0x2e0\n[   95.890755]  sco_sock_timeout+0x5e/0x1c0\n[   95.890755]  process_one_work+0x561/0xc50\n[   95.890755]  worker_thread+0xab2/0x13c0\n[   95.890755]  ? pr_cont_work+0x490/0x490\n[   95.890755]  kthread+0x279/0x300\n[   95.890755]  ? pr_cont_work+0x490/0x490\n[   95.890755]  ? kthread_blkcg+0xa0/0xa0\n[   95.890755]  ret_from_fork+0x34/0x60\n[   95.890755]  ? kthread_blkcg+0xa0/0xa0\n[   95.890755]  ret_from_fork_asm+0x11/0x20\n[   95.890755]  </TASK>\n[   95.890755]\n[   95.890755] Allocated by task 506:\n[   95.890755]  kasan_save_track+0x3f/0x70\n[   95.890755]  __kasan_kmalloc+0x86/0x90\n[   95.890755]  __kmalloc+0x17f/0x360\n[   95.890755]  sk_prot_alloc+0xe1/0x1a0\n[   95.890755]  sk_alloc+0x31/0x4e0\n[   95.890755]  bt_sock_alloc+0x2b/0x2a0\n[   95.890755]  sco_sock_create+0xad/0x320\n[   95.890755]  bt_sock_create+0x145/0x320\n[   95.890755]  __sock_create+0x2e1/0x650\n[   95.890755]  __sys_socket+0xd0/0x280\n[   95.890755]  __x64_sys_socket+0x75/0x80\n[   95.890755]  do_syscall_64+0xc4/0x1b0\n[   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[   95.890755]\n[   95.890755] Freed by task 506:\n[   95.890755]  kasan_save_track+0x3f/0x70\n[   95.890755]  kasan_save_free_info+0x40/0x50\n[   95.890755]  poison_slab_object+0x118/0x180\n[   95.890755]  __kasan_slab_free+0x12/0x30\n[   95.890755]  kfree+0xb2/0x240\n[   95.890755]  __sk_destruct+0x317/0x410\n[   95.890755]  sco_sock_release+0x232/0x280\n[   95.890755]  sock_close+0xb2/0x210\n[   95.890755]  __fput+0x37f/0x770\n[   95.890755]  task_work_run+0x1ae/0x210\n[   95.890755]  get_signal+0xe17/0xf70\n[   95.890755]  arch_do_signal_or_restart+0x3f/0x520\n[   95.890755]  syscall_exit_to_user_mode+0x55/0x120\n[   95.890755]  do_syscall_64+0xd1/0x1b0\n[   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[   95.890755]\n[   95.890755] The buggy address belongs to the object at ffff88800c388000\n[   95.890755]  which belongs to the cache kmalloc-1k of size 1024\n[   95.890755] The buggy address is located 128 bytes inside of\n[   95.890755]  freed 1024-byte region [ffff88800c388000, ffff88800c388400)\n[   95.890755]\n[   95.890755] The buggy address belongs to the physical page:\n[   95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388\n[   95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n[   95.890755] ano\n---truncated---(CVE-2024-27398)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncpumap: Zero-initialise xdp_rxq_info struct before running XDP program\r\n\r\nWhen running an XDP program that is attached to a cpumap entry, we don't\ninitialise the xdp_rxq_info data structure being used in the xdp_buff\nthat backs the XDP program invocation. Tobias noticed that this leads to\nrandom values being returned as the xdp_md->rx_queue_index value for XDP\nprograms running in a cpumap.\r\n\r\nThis means we're basically returning the contents of the uninitialised\nmemory, which is bad. Fix this by zero-initialising the rxq data\nstructure before running the XDP program.(CVE-2024-27431)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: fix information leak in btrfs_ioctl_logical_to_ino()\r\n\r\nSyzbot reported the following information leak for in\nbtrfs_ioctl_logical_to_ino():\r\n\r\n  BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n  BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n   instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n   _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n   copy_to_user include/linux/uaccess.h:191 [inline]\n   btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499\n   btrfs_ioctl+0x714/0x1260\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:904 [inline]\n   __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n   __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n   x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\n  Uninit was created at:\n   __kmalloc_large_node+0x231/0x370 mm/slub.c:3921\n   __do_kmalloc_node mm/slub.c:3954 [inline]\n   __kmalloc_node+0xb07/0x1060 mm/slub.c:3973\n   kmalloc_node include/linux/slab.h:648 [inline]\n   kvmalloc_node+0xc0/0x2d0 mm/util.c:634\n   kvmalloc include/linux/slab.h:766 [inline]\n   init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779\n   btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480\n   btrfs_ioctl+0x714/0x1260\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:904 [inline]\n   __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n   __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n   x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\n  Bytes 40-65535 of 65536 are uninitialized\n  Memory access of size 65536 starts at ffff888045a40000\r\n\r\nThis happens, because we're copying a 'struct btrfs_data_container' back\nto user-space. This btrfs_data_container is allocated in\n'init_data_container()' via kvmalloc(), which does not zero-fill the\nmemory.\r\n\r\nFix this by using kvzalloc() which zeroes out the memory on allocation.(CVE-2024-35849)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npmdomain: ti: Add a null pointer check to the omap_prm_domain_init\r\n\r\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.(CVE-2024-35943)",
+    "cves": [
+      {
+        "id": "CVE-2024-35943",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35943",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1040": {
+    "id": "openEuler-SA-2023-1040",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1040",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\nA flaw incorrect access control in the Linux kernel USB core subsystem was found in the way user attaches usb device. A local user could use this flaw to crash the system.(CVE-2022-4662)",
+    "cves": [
+      {
+        "id": "CVE-2022-4662",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4662",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1717": {
+    "id": "openEuler-SA-2022-1717",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1717",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nOut-of-bounds Read in GitHub repository vim/vim prior to 8.2.(CVE-2022-1851)\r\n\r\nUse After Free in GitHub repository vim/vim prior to 8.2.(CVE-2022-1898)\r\n\r\nHeap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.(CVE-2022-1942)\r\n\r\nOut-of-bounds Write in GitHub repository vim/vim prior to 8.2.(CVE-2022-1897)\r\n\r\nUse After Free in GitHub repository vim/vim prior to 8.2.(CVE-2022-1968)\n\nUncontrolled Recursion in GitHub repository vim/vim prior to 8.2.4975.(CVE-2022-1771)",
+    "cves": [
+      {
+        "id": "CVE-2022-1771",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1771",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2087": {
+    "id": "openEuler-SA-2022-2087",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2087",
+    "title": "An update for festival is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Festival offers a general framework for building speech synthesis systems as well as including examples of various modules. As a whole it offers full text to speech through a number APIs: from shell level, though a Scheme command interpreter, as a C++ library, from Java, and an Emacs interface.\r\n\r\nSecurity Fix(es):\r\n\r\nfestival_server in Centre for Speech Technology Research (CSTR) Festival, probably 2.0.95-beta and earlier, places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory.(CVE-2010-3996)",
+    "cves": [
+      {
+        "id": "CVE-2010-3996",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3996",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1975": {
+    "id": "openEuler-SA-2022-1975",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1975",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nHeap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0483.(CVE-2022-3234)\r\n\r\nUse After Free in GitHub repository vim/vim prior to 9.0.0490.(CVE-2022-3235)\r\n\r\nUse After Free in GitHub repository vim/vim prior to 9.0.0530.(CVE-2022-3256)",
+    "cves": [
+      {
+        "id": "CVE-2022-3256",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3256",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2085": {
+    "id": "openEuler-SA-2022-2085",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2085",
+    "title": "An update for firefox is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability. %if 0 %global moz_debug_prefix /lib/debug %global moz_debug_dir /lib/debug/ %global uname_m %(uname -m) %global symbols_file_name -.en-US.-%(uname.crashreporter-symbols.zip %global symbols_file_path /lib/debug//-.en-US.-%(uname.crashreporter-symbols.zip %global _find_debuginfo_opts -p /lib/debug//-.en-US.-%(uname.crashreporter-symbols.zip -o debugcrashreporter.list %global crashreporter_pkg_name mozilla-crashreporter--debuginfo\r\n\r\nSecurity Fix(es):\r\n\r\nxmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.(CVE-2022-25235)\r\n\r\nxmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.(CVE-2022-25236)\r\n\r\nIn Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.(CVE-2022-25315)",
+    "cves": [
+      {
+        "id": "CVE-2022-25315",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25315",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2086": {
+    "id": "openEuler-SA-2022-2086",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2086",
+    "title": "An update for python-pillow is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nPillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled.(CVE-2022-24303)",
+    "cves": [
+      {
+        "id": "CVE-2022-24303",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24303",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1199": {
+    "id": "openEuler-SA-2024-1199",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1199",
+    "title": "An update for indent is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The indent program can be used to make code easier to read. It can also convert from one style of writing C to another. indent understands a substantial amount about the syntax of C, but it also attempts to cope with incomplete and misformed syntax.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in indent, a program for formatting C code. This issue may allow an attacker to trick a user into processing a specially crafted file to trigger a heap-based buffer overflow, causing the application to crash.(CVE-2024-0911)",
+    "cves": [
+      {
+        "id": "CVE-2024-0911",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0911",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1195": {
+    "id": "openEuler-SA-2023-1195",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1195",
+    "title": "An update for curl is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nlibcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out from the configuration match checks, making them match too easily. The settings in questions are `CURLOPT_FTP_ACCOUNT`, `CURLOPT_FTP_ALTERNATIVE_TO_USER`, `CURLOPT_FTP_SSL_CCC` and `CURLOPT_USE_SSL` level.(CVE-2023-27535)\r\n\r\nlibcurl would reuse a previously created connection even when an SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, two SSH settings were left out from the configuration match checks, making them match too easily.(CVE-2023-27538)\r\n\r\nlibcurl would reuse a previously created connection even when the GSS delegation (`CURLOPT_GSSAPI_DELEGATION`) option had been changed that could have changed the user's permissions in a second transfer. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, this GSS delegation setting was left out from the configuration match checks, making them match too easily, affecting krb5/kerberos/negotiate/GSSAPI transfers.(CVE-2023-27536)\r\n\r\ncurl supports communicating using the TELNET protocol and as a part of this it offers users to pass on user name and \"telnet options\" for the server\nnegotiation. Due to lack of proper input scrubbing and without it being the documented functionality, curl would pass on user name and telnet options to the server as provided. This could allow users to pass in carefully crafted content that pass on content or do option negotiation without the application intending to do so. In particular if an application for example allows users to provide the data or parts of the data.(CVE-2023-27533)\r\n\r\ncurl supports SFTP transfers. curl's SFTP implementation offers a special feature in the path component of URLs: a tilde (`~`) character as the first\npath element in the path to denotes a path relative to the user's home directory. This is supported because of wording in the [once proposed\nto-become RFC draft](https://datatracker.ietf.org/doc/html/draft-ietf-secsh-scp-sftp-ssh-uri-04) that was to dictate how SFTP URLs work. Due to a bug, the handling of the tilde in SFTP path did however not only replace it when it is used stand-alone as the first path element but also wrongly when used as a mere prefix in the first element. Using a path like `/~2/foo` when accessing a server using the user `dan` (with home directory `/home/dan`) would then quite suprisingly access the file `/home/dan2/foo`. This can be taken advantage of to circumvent filtering or worse.(CVE-2023-27534)",
+    "cves": [
+      {
+        "id": "CVE-2023-27534",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27534",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1756": {
+    "id": "openEuler-SA-2022-1756",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1756",
+    "title": "An update for libproxy is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "libproxy offers the following features:* extremely small core footprint (< 35k).* no external dependencies within libproxy core.(libproxy plugins may have dependencies).* only 3 functions in the stable external API.* dynamic adjustment to changing network topology.* a standard way of dealing with proxy settings across all scenarios.\r\n\r\nSecurity Fix(es):\r\n\r\nurl::recvline in url.cpp in libproxy 0.4.x through 0.4.15 allows a remote HTTP server to trigger uncontrolled recursion via a response composed of an infinite stream that lacks a newline character. This leads to stack exhaustion.(CVE-2020-25219)",
+    "cves": [
+      {
+        "id": "CVE-2020-25219",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25219",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1493": {
+    "id": "openEuler-SA-2024-1493",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1493",
+    "title": "An update for atril is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Mate-document-viewer is simple document viewer. It can display and print Portable Document Format (PDF), PostScript (PS), Encapsulated PostScript (EPS), DVI, DJVU, epub and XPS files. When supported by the document format, mate-document-viewer allows searching for text, copying text to the clipboard, hypertext navigation, table-of-contents bookmarks and editing of forms.\r\n\r\nSecurity Fix(es):\r\n\r\nAtril is a simple multi-page document viewer. Atril is vulnerable to a critical Command Injection Vulnerability. This vulnerability gives the attacker immediate access to the target system when the target user opens a crafted document or clicks on a crafted link/URL using a maliciously crafted CBT document which is a TAR archive. A patch is available at commit ce41df6.\n(CVE-2023-51698)",
+    "cves": [
+      {
+        "id": "CVE-2023-51698",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51698",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1313": {
+    "id": "openEuler-SA-2023-1313",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1313",
+    "title": "An update for c-ares is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "This is c-ares, an asynchronous resolver library. It is intended for applications which need to perform DNS queries without blocking, or need to perform multiple\r\n\r\nSecurity Fix(es):\r\n\r\nc-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.(CVE-2023-32067)\r\n\r\nc-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.(CVE-2023-31147)",
+    "cves": [
+      {
+        "id": "CVE-2023-32067",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32067",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1599": {
+    "id": "openEuler-SA-2023-1599",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1599",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "This  provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. The latest version of the TIFF specification is available on-line in several different formats.And contains command-line programs for manipulating TIFF format image files using the libtiff library.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in function TIFFReadDirectory libtiff before 4.4.0 allows attackers to cause a denial of service via crafted TIFF file.(CVE-2022-40090)",
+    "cves": [
+      {
+        "id": "CVE-2022-40090",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40090",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1839": {
+    "id": "openEuler-SA-2023-1839",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1839",
+    "title": "An update for openjdk-1.8.0 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The OpenJDK runtime environment 8.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: CORBA).  Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf; Oracle GraalVM Enterprise Edition: 20.3.11 and  21.3.7. Easily exploitable vulnerability allows unauthenticated attacker with network access via CORBA to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-22067)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf, 11.0.20, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 20.3.11, 21.3.7 and  22.3.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-22081)",
+    "cves": [
+      {
+        "id": "CVE-2023-22081",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22081",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1153": {
+    "id": "openEuler-SA-2021-1153",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1153",
+    "title": "An update for binutils is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nThere is an open race window when writing output in the following utilities in GNU binutils version 2.35 and earlier:ar, objcopy, strip, ranlib. When these utilities are run as a privileged user (presumably as part of a script updating binaries across different users), an unprivileged user can trick these utilities into getting ownership of arbitrary files through a symlink.(CVE-2021-20197)",
+    "cves": [
+      {
+        "id": "CVE-2021-20197",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20197",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1290": {
+    "id": "openEuler-SA-2024-1290",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1290",
+    "title": "An update for iSulad is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "This is a umbrella project for gRPC-services based Lightweight Container Runtime Daemon, written by C.\r\n\r\nSecurity Fix(es):\r\n\r\n在isulad服务初始化阶段，会进行临时文件的正确性检查，如果检查不通过则重新创建文件，在检查与创建之间，存在一个条件竞争问题，攻击者可以通过利用该漏洞进行提权。(CVE-2021-33632)",
+    "cves": [
+      {
+        "id": "CVE-2021-33632",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33632",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1354": {
+    "id": "openEuler-SA-2023-1354",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1354",
+    "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\n\nSecurity Fix(es):\n\nIssue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\n\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\n\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit.  OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\n\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime.  The time complexity is O(n^2) with 'n' being the size of the\nsub-identifiers in bytes (*).\n\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\nidentifiers in string form was introduced.  This includes using OBJECT\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\nalgorithms.\n\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\ndecrypt, or digest passed data.\n\nApplications that call OBJ_obj2txt() directly with untrusted data are\naffected, with any version of OpenSSL.  If the use is for the mere purpose\nof display, the severity is considered low.\n\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\nCMS, CMP/CRMF or TS.  It also impacts anything that processes X.509\ncertificates, including simple things like verifying its signature.\n\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\n100KiB limit on the peer's certificate chain.  Additionally, this only\nimpacts clients, or servers that have explicitly enabled client\nauthentication.\n\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\nsuch as X.509 certificates.  This is assumed to not happen in such a way\nthat it would cause a Denial of Service, so these versions are considered\nnot affected by this issue in such a way that it would be cause for concern,\nand the severity is therefore considered low.(CVE-2023-2650)",
+    "cves": [
+      {
+        "id": "CVE-2023-2650",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2650",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1551": {
+    "id": "openEuler-SA-2023-1551",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1551",
+    "title": "An update for nodejs is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.\r\n\r\nSecurity Fix(es):\r\n\r\nThis affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.\r\n\r\n(CVE-2022-25881)\r\n\r\nA OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.(CVE-2022-32212)\r\n\r\nThe llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).(CVE-2022-32213)\r\n\r\nThe llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).(CVE-2022-32214)\r\n\r\nThe llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).(CVE-2022-32215)\r\n\r\nThe llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.(CVE-2022-35256)\r\n\r\nA privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.(CVE-2023-23918)\r\n\r\nAn untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.(CVE-2023-23920)\r\n\r\nThe use of proto in process.mainModule.proto.require() can bypass the policy mechanism and require modules outside of the policy.json definition.\r\n\r\nReferences:\nhttps://nodejs.org/en/blog/vulnerability/june-2023-security-releases(CVE-2023-30581)\r\n\r\nThe llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).\r\n\r\nThe CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20\n(CVE-2023-30589)\r\n\r\nThe generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet.\r\n\r\nReferences:\nhttps://nodejs.org/en/blog/vulnerability/june-2023-security-releases(CVE-2023-30590)\r\n\r\nThe use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.\r\n\r\nThis vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.\r\n\r\nPlease note that at the time this CVE was issued, the policy is an experimental feature of Node.js.(CVE-2023-32002)\r\n\r\nThe use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.\r\n\r\nThis vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x.\r\n\r\nPlease note that at the time this CVE was issued, the policy is an experimental feature of Node.js.(CVE-2023-32006)\r\n\r\nA privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.(CVE-2023-32559)",
+    "cves": [
+      {
+        "id": "CVE-2023-32559",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32559",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1952": {
+    "id": "openEuler-SA-2022-1952",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1952",
+    "title": "An update for ntp is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "NTP is a protocol designed to synchronize the clocks of computers over a network, NTP version 4, a significant revision of the previous NTP standard, is the current development version. It is formalized by RFCs released by the IETF.\r\n\r\nSecurity Fix(es):\r\n\r\nntpd in ntp 4.2.8 before 4.2.8p15 and 4.3.x before 4.3.101 allows remote attackers to cause a denial of service (memory consumption) by sending packets, because memory is not freed in situations where a CMAC key is used and associated with a CMAC algorithm in the ntp.keys file.(CVE-2020-15025)",
+    "cves": [
+      {
+        "id": "CVE-2020-15025",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15025",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1501": {
+    "id": "openEuler-SA-2022-1501",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1501",
+    "title": "An update for binutils is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The GNU Binutils are a collection of binary tools. The main ones are: ld - the GNU linker. as - the GNU assembler. addr2line - Converts addresses into filenames and line numbers. ar - A utility for creating, modifying and extracting from archives. c++filt - Filter to demangle encoded C++ symbols. dlltool - Creates files for building and using DLLs. gold - A new, faster, ELF only linker, still in beta test. gprof - Displays profiling information. nlmconv - Converts object code into an NLM. nm - Lists symbols from object files. objcopy - Copies and translates object files. objdump - Displays information from object files. ranlib - Generates an index to the contents of an archive. readelf - Displays information from any ELF format object file. size - Lists the section sizes of an object or archive file. strings - Lists printable strings from files. trip - Discards symbols. windmc - A Windows compatible message compiler. windres - A compiler for Windows resource files.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers.(CVE-2021-42574)",
+    "cves": [
+      {
+        "id": "CVE-2021-42574",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42574",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1521": {
+    "id": "openEuler-SA-2022-1521",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1521",
+    "title": "An update for tinyxml is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "TinyXML parses an XML document, and builds from that a Document Object Model (DOM) that can be read, modified, and saved. XML is a very structured and convenient format. All those random file formats created to store application data can all be replaced with XML. One parser for everything.\r\n\r\nSecurity Fix(es):\r\n\r\nTinyXML through 2.6.2 has an infinite loop in TiXmlParsingData::Stamp in tinyxmlparser.cpp via the TIXML_UTF_LEAD_0 case. It can be triggered by a crafted XML message and leads to a denial of service.(CVE-2021-42260)",
+    "cves": [
+      {
+        "id": "CVE-2021-42260",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42260",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1312": {
+    "id": "openEuler-SA-2021-1312",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1312",
+    "title": "An update for apache-sshd is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Apache SSHD is a 100% pure java library to support the SSH protocols on both the client and server side.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability in sshd-core of Apache Mina SSHD allows an attacker to overflow the server causing an OutOfMemory error. This issue affects the SFTP and port forwarding features of Apache Mina SSHD version 2.0.0 and later versions. It was addressed in Apache Mina SSHD 2.7.0(CVE-2021-30129)",
+    "cves": [
+      {
+        "id": "CVE-2021-30129",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30129",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1061": {
+    "id": "openEuler-SA-2023-1061",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1061",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nHeap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1189.(CVE-2023-0288)\r\n\r\nA null pointer dereference issue was discovered in function gui_x11_create_blank_mouse in gui_x11.c in vim 8.1.2269 thru 9.0.0339 allows attackers to cause denial of service or other unspecified impacts.(CVE-2022-47024)",
+    "cves": [
+      {
+        "id": "CVE-2022-47024",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47024",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1103": {
+    "id": "openEuler-SA-2021-1103",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1103",
+    "title": "An update for firefox is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.\r\n\r\nSecurity Fix(es):\r\n\r\nUse after free in WebRTC in Google Chrome prior to 86.0.4240.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.(CVE-2020-15969)\r\n\r\nHeap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.(CVE-2020-15999)",
+    "cves": [
+      {
+        "id": "CVE-2020-15999",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15999",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1408": {
+    "id": "openEuler-SA-2023-1408",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1408",
+    "title": "An update for ImageMagick is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\n\nSecurity Fix(es):\n\nA heap-based buffer overflow issue was discovered in ImageMagick's ReadTIM2ImageData() function in coders/tim2.c. A local attacker could trick the user in opening specially crafted file, triggering an out-of-bounds read error, allowing an application to crash, resulting in a denial of service.(CVE-2023-34474)\n\nA heap use after free issue was discovered in ImageMagick's ReplaceXmpValue() function in MagickCore/profile.c. An attacker could trick user to open a specially crafted file to convert, triggering an heap-use-after-free write error, allowing an application to crash, resulting in a denial of service.(CVE-2023-34475)",
+    "cves": [
+      {
+        "id": "CVE-2023-34475",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34475",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2124": {
+    "id": "openEuler-SA-2022-2124",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2124",
+    "title": "An update for libarchive is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "is an open-source BSD-licensed C programming library that  provides streaming access to a variety of different archive formats, including tar, cpio, pax, zip, and ISO9660 images. The distribution  also includes bsdtar and bsdcpio, full-featured implementations of  tar and cpio that use .\r\n\r\nSecurity Fix(es):\r\n\r\nIn libarchive 3.6.1, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: \"In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution.\"(CVE-2022-36227)",
+    "cves": [
+      {
+        "id": "CVE-2022-36227",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36227",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1474": {
+    "id": "openEuler-SA-2023-1474",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1474",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition.(CVE-2022-1050)\r\n\r\nA flaw was found in the QEMU Guest Agent service for Windows. A local unprivileged user may be able to manipulate the QEMU Guest Agent's Windows installer via repair custom actions to elevate their privileges on the system.(CVE-2023-0664)\r\n\r\nA flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. The 9pfs server did not prohibit opening special files on the host side, potentially allowing a malicious client to escape from the exported 9p tree by creating and opening a device file in the shared folder.(CVE-2023-2861)",
+    "cves": [
+      {
+        "id": "CVE-2023-2861",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2861",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1307": {
+    "id": "openEuler-SA-2024-1307",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1307",
+    "title": "An update for iSulad is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "This is a umbrella project for gRPC-services based Lightweight Container Runtime Daemon, written by C.\r\n\r\nSecurity Fix(es):\r\n\r\n在isulad服务初始化阶段，会进行临时文件的正确性检查，如果检查不通过则重新创建文件，在检查与创建之间，存在一个条件竞争问题，攻击者可以通过利用该漏洞进行提权。(CVE-2021-33632)",
+    "cves": [
+      {
+        "id": "CVE-2021-33632",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33632",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1156": {
+    "id": "openEuler-SA-2024-1156",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1156",
+    "title": "An update for zbar is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "ZBar is an open source software suite for reading bar codes from various sources, such as video streams, image files and raw intensity sensors. It supports many popular symbologies (types of bar codes) including EAN-13/UPC-A, UPC-E, EAN-8, Code 128, Code 39, Interleaved 2 of 5 and QR Code.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap-based buffer overflow exists in the qr_reader_match_centers function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner.(CVE-2023-40889)\r\n\r\nA stack-based buffer overflow vulnerability exists in the lookup_sequence function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner.(CVE-2023-40890)",
+    "cves": [
+      {
+        "id": "CVE-2023-40890",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40890",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1235": {
+    "id": "openEuler-SA-2021-1235",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1235",
+    "title": "An update for libX11 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Core X11 protocol client library.\n\nSecurity Fix(es):\n\nLookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code. The libX11 XLookupColor request (intended for server-side color lookup) contains a flaw allowing a client to send color-name requests with a name longer than the maximum size allowed by the protocol (and also longer than the maximum packet size for normal-sized packets). The user-controlled data exceeding the maximum size is then interpreted by the server as additional X protocol requests and executed, e.g., to disable X server authorization completely. For example, if the victim encounters malicious terminal control sequences for color codes, then the attacker may be able to take full control of the running graphical session.(CVE-2021-31535)",
+    "cves": [
+      {
+        "id": "CVE-2021-31535",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31535",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1289": {
+    "id": "openEuler-SA-2023-1289",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1289",
+    "title": "An update for redis is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Redis is an advanced key-value store. It is often referred to as a dattructure server since keys can contain strings, hashes ,lists, sets anorted sets.\r\n\r\nSecurity Fix(es):\r\n\r\nRedis is an open source, in-memory database that persists on disk. Authenticated users can use the `HINCRBYFLOAT` command to create an invalid hash field that will crash Redis on access in affected versions. This issue has been addressed in in versions 7.0.11, 6.2.12, and 6.0.19. Users are advised to upgrade. There are no known workarounds for this issue.(CVE-2023-28856)",
+    "cves": [
+      {
+        "id": "CVE-2023-28856",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28856",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1335": {
+    "id": "openEuler-SA-2024-1335",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1335",
+    "title": "An update for cri-o is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Open Container Initiative-based implementation of Kubernetes Container Runtime Interface.\r\n\r\nSecurity Fix(es):\r\n\r\nA maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.(CVE-2022-41723)",
+    "cves": [
+      {
+        "id": "CVE-2022-41723",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1572": {
+    "id": "openEuler-SA-2023-1572",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1572",
+    "title": "An update for json-c is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "JSON-C implements a reference counting object model that allows you to easily construct JSON objects in C, output them as JSON formatted strings and parse JSON formatted strings back into the C representation of JSON objects.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in json-c through 0.15-20200726. A stack-buffer-overflow exists in the function parseit located in json_parse.c. It allows an attacker to cause code Execution.(CVE-2021-32292)",
+    "cves": [
+      {
+        "id": "CVE-2021-32292",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32292",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1011": {
+    "id": "openEuler-SA-2024-1011",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1011",
+    "title": "An update for python-twisted is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Twisted is an event-based framework for internet applications, supporting Python 2.7 and Python 3.5+. It includes modules for many different purposes, including the following:\r\n\r\nSecurity Fix(es):\r\n\r\nTwisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline. Version 23.10.0rc1 contains a patch for this issue.(CVE-2023-46137)",
+    "cves": [
+      {
+        "id": "CVE-2023-46137",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46137",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1921": {
+    "id": "openEuler-SA-2022-1921",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1921",
+    "title": "An update for python3 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Python combines remarkable power with very clear syntax. It has modules,classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces.This package Provides python version 3.\n\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int(\"text\"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.(CVE-2020-10735)",
+    "cves": [
+      {
+        "id": "CVE-2020-10735",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10735",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1087": {
+    "id": "openEuler-SA-2024-1087",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1087",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Bluetooth subsystem of the Linux kernel. A race condition between the bt_sock_recvmsg() and bt_sock_ioctl() functions could lead to a use-after-free on a socket buffer (\"skb\"). This flaw allows a local user to cause a denial of service condition or potential code execution.(CVE-2023-51779)\r\n\r\nAn issue was discovered in the Linux kernel before 6.6.8. do_vcc_ioctl in net/atm/ioctl.c has a use-after-free because of a vcc_recvmsg race condition.(CVE-2023-51780)\r\n\r\nAn issue was discovered in the Linux kernel before 6.6.8. atalk_ioctl in net/appletalk/ddp.c has a use-after-free because of an atalk_recvmsg race condition.(CVE-2023-51781)\r\n\r\nAn issue was discovered in the Linux kernel before 6.6.8. rose_ioctl in net/rose/af_rose.c has a use-after-free because of a rose_accept race condition.(CVE-2023-51782)\r\n\r\nAn out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This issue may allow a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data being printed and potentially leaked to the kernel ring buffer (dmesg).(CVE-2023-6121)",
+    "cves": [
+      {
+        "id": "CVE-2023-6121",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6121",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1957": {
+    "id": "openEuler-SA-2022-1957",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1957",
+    "title": "An update for log4j is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Log4j is a tool to help the programmer output log statements to a variety of output targets.\r\n\r\nSecurity Fix(es):\r\n\r\nIt was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.(CVE-2021-45046)\r\n\r\nApache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.(CVE-2021-45105)\r\n\r\nApache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.(CVE-2021-44832)",
+    "cves": [
+      {
+        "id": "CVE-2021-44832",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1246": {
+    "id": "openEuler-SA-2023-1246",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1246",
+    "title": "An update for freetype is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "FreeType is written in C, designed to be small,efficient, highly customizable, and  portable while capable of producing high-quality output (glyph images) of most vector and bitmap font formats\r\n\r\nSecurity Fix(es):\r\n\r\nAn integer overflow vulnerability was discovered in Freetype in tt_hvadvance_adjust() function in src/truetype/ttgxvar.c.(CVE-2023-2004)",
+    "cves": [
+      {
+        "id": "CVE-2023-2004",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2004",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1807": {
+    "id": "openEuler-SA-2022-1807",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1807",
+    "title": "An update for libtar is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Libtar is a C library for manipulating POSIX tar files. It handles adding and extracting files to/from a tar archive. Requires gcc, make, and zlib.\r\n\r\nSecurity Fix(es):\r\n\r\nAn attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longlink, causing an out-of-bounds read.(CVE-2021-33643)\r\n\r\nAn attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longname, causing an out-of-bounds read.(CVE-2021-33644)\r\n\r\nThe th_read() function doesn’t free a variable t->th_buf.gnu_longlink after allocating memory, which may cause a memory leak.(CVE-2021-33645)\r\n\r\nThe th_read() function doesn’t free a variable t->th_buf.gnu_longname after allocating memory, which may cause a memory leak.(CVE-2021-33646)",
+    "cves": [
+      {
+        "id": "CVE-2021-33646",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33646",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1682": {
+    "id": "openEuler-SA-2024-1682",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1682",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: handle the case of pci_channel_io_frozen only in amdgpu_pci_resume\r\n\r\nIn current code, when a PCI error state pci_channel_io_normal is detectd,\nit will report PCI_ERS_RESULT_CAN_RECOVER status to PCI driver, and PCI\ndriver will continue the execution of PCI resume callback report_resume by\npci_walk_bridge, and the callback will go into amdgpu_pci_resume\nfinally, where write lock is releasd unconditionally without acquiring\nsuch lock first. In this case, a deadlock will happen when other threads\nstart to acquire the read lock.\r\n\r\nTo fix this, add a member in amdgpu_device strucutre to cache\npci_channel_state, and only continue the execution in amdgpu_pci_resume\nwhen it's pci_channel_io_frozen.(CVE-2021-47421)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nptp: Fix possible memory leak in ptp_clock_register()\r\n\r\nI got memory leak as follows when doing fault injection test:\r\n\r\nunreferenced object 0xffff88800906c618 (size 8):\n  comm \"i2c-idt82p33931\", pid 4421, jiffies 4294948083 (age 13.188s)\n  hex dump (first 8 bytes):\n    70 74 70 30 00 00 00 00                          ptp0....\n  backtrace:\n    [<00000000312ed458>] __kmalloc_track_caller+0x19f/0x3a0\n    [<0000000079f6e2ff>] kvasprintf+0xb5/0x150\n    [<0000000026aae54f>] kvasprintf_const+0x60/0x190\n    [<00000000f323a5f7>] kobject_set_name_vargs+0x56/0x150\n    [<000000004e35abdd>] dev_set_name+0xc0/0x100\n    [<00000000f20cfe25>] ptp_clock_register+0x9f4/0xd30 [ptp]\n    [<000000008bb9f0de>] idt82p33_probe.cold+0x8b6/0x1561 [ptp_idt82p33]\r\n\r\nWhen posix_clock_register() returns an error, the name allocated\nin dev_set_name() will be leaked, the put_device() should be used\nto give up the device reference, then the name will be freed in\nkobject_cleanup() and other memory will be freed in ptp_clock_release().(CVE-2021-47455)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: enetc: deny offload of tc-based TSN features on VF interfaces\r\n\r\nTSN features on the ENETC (taprio, cbs, gate, police) are configured\nthrough a mix of command BD ring messages and port registers:\nenetc_port_rd(), enetc_port_wr().\r\n\r\nPort registers are a region of the ENETC memory map which are only\naccessible from the PCIe Physical Function. They are not accessible from\nthe Virtual Functions.\r\n\r\nMoreover, attempting to access these registers crashes the kernel:\r\n\r\n$ echo 1 > /sys/bus/pci/devices/0000\\:00\\:00.0/sriov_numvfs\npci 0000:00:01.0: [1957:ef00] type 00 class 0x020001\nfsl_enetc_vf 0000:00:01.0: Adding to iommu group 15\nfsl_enetc_vf 0000:00:01.0: enabling device (0000 -> 0002)\nfsl_enetc_vf 0000:00:01.0 eno0vf0: renamed from eth0\n$ tc qdisc replace dev eno0vf0 root taprio num_tc 8 map 0 1 2 3 4 5 6 7 \\\n\tqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 base-time 0 \\\n\tsched-entry S 0x7f 900000 sched-entry S 0x80 100000 flags 0x2\nUnable to handle kernel paging request at virtual address ffff800009551a08\nInternal error: Oops: 96000007 [#1] PREEMPT SMP\npc : enetc_setup_tc_taprio+0x170/0x47c\nlr : enetc_setup_tc_taprio+0x16c/0x47c\nCall trace:\n enetc_setup_tc_taprio+0x170/0x47c\n enetc_setup_tc+0x38/0x2dc\n taprio_change+0x43c/0x970\n taprio_init+0x188/0x1e0\n qdisc_create+0x114/0x470\n tc_modify_qdisc+0x1fc/0x6c0\n rtnetlink_rcv_msg+0x12c/0x390\r\n\r\nSplit enetc_setup_tc() into separate functions for the PF and for the\nVF drivers. Also remove enetc_qos.o from being included into\nenetc-vf.ko, since it serves absolutely no purpose there.(CVE-2022-48645)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/tegra: dsi: Add missing check for of_find_device_by_node\r\n\r\nAdd check for the return value of of_find_device_by_node() and return\nthe error if it fails in order to avoid NULL pointer dereference.(CVE-2023-52650)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nNTB: fix possible name leak in ntb_register_device()\r\n\r\nIf device_register() fails in ntb_register_device(), the device name\nallocated by dev_set_name() should be freed. As per the comment in\ndevice_register(), callers should use put_device() to give up the\nreference in the error path. So fix this by calling put_device() in the\nerror path so that the name can be freed in kobject_cleanup().\r\n\r\nAs a result of this, put_device() in the error path of\nntb_register_device() is removed and the actual error is returned.\r\n\r\n[mani: reworded commit message](CVE-2023-52652)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nSUNRPC: fix a memleak in gss_import_v2_context\r\n\r\nThe ctx->mech_used.data allocated by kmemdup is not freed in neither\ngss_import_v2_context nor it only caller gss_krb5_import_sec_context,\nwhich frees ctx on error.\r\n\r\nThus, this patch reform the last call of gss_import_v2_context to the\ngss_krb5_import_ctx_v2, preventing the memleak while keepping the return\nformation.(CVE-2023-52653)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nio_uring: drop any code related to SCM_RIGHTS\r\n\r\nThis is dead code after we dropped support for passing io_uring fds\nover SCM_RIGHTS, get rid of it.(CVE-2023-52656)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: atlantic: eliminate double free in error handling logic\r\n\r\nDriver has a logic leak in ring data allocation/free,\nwhere aq_ring_free could be called multiple times on same ring,\nif system is under stress and got memory allocation error.\r\n\r\nRing pointer was used as an indicator of failure, but this is\nnot correct since only ring data is allocated/deallocated.\nRing itself is an array member.\r\n\r\nChanging ring allocation functions to return error code directly.\nThis simplifies error handling and eliminates aq_ring_free\non higher layer.(CVE-2023-52664)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: scarlett2: Add clamp() in scarlett2_mixer_ctl_put()\r\n\r\nEnsure the value passed to scarlett2_mixer_ctl_put() is between 0 and\nSCARLETT2_MIXER_MAX_VALUE so we don't attempt to access outside\nscarlett2_mixer_values[].(CVE-2023-52674)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nACPI: LPIT: Avoid u32 multiplication overflow\r\n\r\nIn lpit_update_residency() there is a possibility of overflow\nin multiplication, if tsc_khz is large enough (> UINT_MAX/1000).\r\n\r\nChange multiplication to mul_u32_u32().\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2023-52683)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncalipso: fix memory leak in netlbl_calipso_add_pass()\r\n\r\nIf IPv6 support is disabled at boot (ipv6.disable=1),\nthe calipso_init() -> netlbl_calipso_ops_register() function isn't called,\nand the netlbl_calipso_ops_get() function always returns NULL.\nIn this case, the netlbl_calipso_add_pass() function allocates memory\nfor the doi_def variable but doesn't free it with the calipso_doi_free().\r\n\r\nBUG: memory leak\nunreferenced object 0xffff888011d68180 (size 64):\n  comm \"syz-executor.1\", pid 10746, jiffies 4295410986 (age 17.928s)\n  hex dump (first 32 bytes):\n    00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<...>] kmalloc include/linux/slab.h:552 [inline]\n    [<...>] netlbl_calipso_add_pass net/netlabel/netlabel_calipso.c:76 [inline]\n    [<...>] netlbl_calipso_add+0x22e/0x4f0 net/netlabel/netlabel_calipso.c:111\n    [<...>] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739\n    [<...>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n    [<...>] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800\n    [<...>] netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2515\n    [<...>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:811\n    [<...>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n    [<...>] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1339\n    [<...>] netlink_sendmsg+0x90a/0xdf0 net/netlink/af_netlink.c:1934\n    [<...>] sock_sendmsg_nosec net/socket.c:651 [inline]\n    [<...>] sock_sendmsg+0x157/0x190 net/socket.c:671\n    [<...>] ____sys_sendmsg+0x712/0x870 net/socket.c:2342\n    [<...>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2396\n    [<...>] __sys_sendmsg+0xea/0x1b0 net/socket.c:2429\n    [<...>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46\n    [<...>] entry_SYSCALL_64_after_hwframe+0x61/0xc6\r\n\r\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller\r\n\r\n[PM: merged via the LSM tree at Jakub Kicinski request](CVE-2023-52698)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/jfs: Add validity check for db_maxag and db_agpref\r\n\r\nBoth db_maxag and db_agpref are used as the index of the\ndb_agfree array, but there is currently no validity check for\ndb_maxag and db_agpref, which can lead to errors.\r\n\r\nThe following is related bug reported by Syzbot:\r\n\r\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:639:20\nindex 7936 is out of range for type 'atomic_t[128]'\r\n\r\nAdd checking that the values of db_maxag and db_agpref are valid\nindexes for the db_agfree array.(CVE-2023-52804)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix array-index-out-of-bounds in diAlloc\r\n\r\nCurrently there is not check against the agno of the iag while\nallocating new inodes to avoid fragmentation problem. Added the check\nwhich is required.(CVE-2023-52805)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup()\r\n\r\nfc_lport_ptp_setup() did not check the return value of fc_rport_create()\nwhich can return NULL and would cause a NULL pointer dereference. Address\nthis issue by checking return value of fc_rport_create() and log error\nmessage on fc_rport_create() failed.(CVE-2023-52809)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL\r\n\r\nIn certain types of chips, such as VEGA20, reading the amdgpu_regs_smc file could result in an abnormal null pointer access when the smc_rreg pointer is NULL. Below are the steps to reproduce this issue and the corresponding exception log:\r\n\r\n1. Navigate to the directory: /sys/kernel/debug/dri/0\n2. Execute command: cat amdgpu_regs_smc\n3. Exception Log::\n[4005007.702554] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[4005007.702562] #PF: supervisor instruction fetch in kernel mode\n[4005007.702567] #PF: error_code(0x0010) - not-present page\n[4005007.702570] PGD 0 P4D 0\n[4005007.702576] Oops: 0010 [#1] SMP NOPTI\n[4005007.702581] CPU: 4 PID: 62563 Comm: cat Tainted: G           OE     5.15.0-43-generic #46-Ubunt       u\n[4005007.702590] RIP: 0010:0x0\n[4005007.702598] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.\n[4005007.702600] RSP: 0018:ffffa82b46d27da0 EFLAGS: 00010206\n[4005007.702605] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffa82b46d27e68\n[4005007.702609] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9940656e0000\n[4005007.702612] RBP: ffffa82b46d27dd8 R08: 0000000000000000 R09: ffff994060c07980\n[4005007.702615] R10: 0000000000020000 R11: 0000000000000000 R12: 00007f5e06753000\n[4005007.702618] R13: ffff9940656e0000 R14: ffffa82b46d27e68 R15: 00007f5e06753000\n[4005007.702622] FS:  00007f5e0755b740(0000) GS:ffff99479d300000(0000) knlGS:0000000000000000\n[4005007.702626] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[4005007.702629] CR2: ffffffffffffffd6 CR3: 00000003253fc000 CR4: 00000000003506e0\n[4005007.702633] Call Trace:\n[4005007.702636]  <TASK>\n[4005007.702640]  amdgpu_debugfs_regs_smc_read+0xb0/0x120 [amdgpu]\n[4005007.703002]  full_proxy_read+0x5c/0x80\n[4005007.703011]  vfs_read+0x9f/0x1a0\n[4005007.703019]  ksys_read+0x67/0xe0\n[4005007.703023]  __x64_sys_read+0x19/0x20\n[4005007.703028]  do_syscall_64+0x5c/0xc0\n[4005007.703034]  ? do_user_addr_fault+0x1e3/0x670\n[4005007.703040]  ? exit_to_user_mode_prepare+0x37/0xb0\n[4005007.703047]  ? irqentry_exit_to_user_mode+0x9/0x20\n[4005007.703052]  ? irqentry_exit+0x19/0x30\n[4005007.703057]  ? exc_page_fault+0x89/0x160\n[4005007.703062]  ? asm_exc_page_fault+0x8/0x30\n[4005007.703068]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[4005007.703075] RIP: 0033:0x7f5e07672992\n[4005007.703079] Code: c0 e9 b2 fe ff ff 50 48 8d 3d fa b2 0c 00 e8 c5 1d 02 00 0f 1f 44 00 00 f3 0f        1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 e       c 28 48 89 54 24\n[4005007.703083] RSP: 002b:00007ffe03097898 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[4005007.703088] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5e07672992\n[4005007.703091] RDX: 0000000000020000 RSI: 00007f5e06753000 RDI: 0000000000000003\n[4005007.703094] RBP: 00007f5e06753000 R08: 00007f5e06752010 R09: 00007f5e06752010\n[4005007.703096] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000022000\n[4005007.703099] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000\n[4005007.703105]  </TASK>\n[4005007.703107] Modules linked in: nf_tables libcrc32c nfnetlink algif_hash af_alg binfmt_misc nls_       iso8859_1 ipmi_ssif ast intel_rapl_msr intel_rapl_common drm_vram_helper drm_ttm_helper amd64_edac t       tm edac_mce_amd kvm_amd ccp mac_hid k10temp kvm acpi_ipmi ipmi_si rapl sch_fq_codel ipmi_devintf ipm       i_msghandler msr parport_pc ppdev lp parport mtd pstore_blk efi_pstore ramoops pstore_zone reed_solo       mon ip_tables x_tables autofs4 ib_uverbs ib_core amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) iommu_v       2 amd_sched(OE) amdkcl(OE) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec rc_core        drm igb ahci xhci_pci libahci i2c_piix4 i2c_algo_bit xhci_pci_renesas dca\n[4005007.703184] CR2: 0000000000000000\n[4005007.703188] ---[ en\n---truncated---(CVE-2023-52817)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd: Fix UBSAN array-index-out-of-bounds for SMU7\r\n\r\nFor pptable structs that use flexible array sizes, use flexible arrays.(CVE-2023-52818)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nperf/core: Bail out early if the request AUX area is out of bound\r\n\r\nWhen perf-record with a large AUX area, e.g 4GB, it fails with:\r\n\r\n    #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1\n    failed to mmap with 12 (Cannot allocate memory)\r\n\r\nand it reveals a WARNING with __alloc_pages():\r\n\r\n\t------------[ cut here ]------------\n\tWARNING: CPU: 44 PID: 17573 at mm/page_alloc.c:5568 __alloc_pages+0x1ec/0x248\n\tCall trace:\n\t __alloc_pages+0x1ec/0x248\n\t __kmalloc_large_node+0xc0/0x1f8\n\t __kmalloc_node+0x134/0x1e8\n\t rb_alloc_aux+0xe0/0x298\n\t perf_mmap+0x440/0x660\n\t mmap_region+0x308/0x8a8\n\t do_mmap+0x3c0/0x528\n\t vm_mmap_pgoff+0xf4/0x1b8\n\t ksys_mmap_pgoff+0x18c/0x218\n\t __arm64_sys_mmap+0x38/0x58\n\t invoke_syscall+0x50/0x128\n\t el0_svc_common.constprop.0+0x58/0x188\n\t do_el0_svc+0x34/0x50\n\t el0_svc+0x34/0x108\n\t el0t_64_sync_handler+0xb8/0xc0\n\t el0t_64_sync+0x1a4/0x1a8\r\n\r\n'rb->aux_pages' allocated by kcalloc() is a pointer array which is used to\nmaintains AUX trace pages. The allocated page for this array is physically\ncontiguous (and virtually contiguous) with an order of 0..MAX_ORDER. If the\nsize of pointer array crosses the limitation set by MAX_ORDER, it reveals a\nWARNING.\r\n\r\nSo bail out early with -ENOMEM if the request AUX area is out of bound,\ne.g.:\r\n\r\n    #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1\n    failed to mmap with 12 (Cannot allocate memory)(CVE-2023-52835)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nInput: synaptics-rmi4 - fix use after free in rmi_unregister_function()\r\n\r\nThe put_device() calls rmi_release_function() which frees \"fn\" so the\ndereference on the next line \"fn->num_of_irqs\" is a use after free.\nMove the put_device() to the end to fix this.(CVE-2023-52840)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: vidtv: psi: Add check for kstrdup\r\n\r\nAdd check for the return value of kstrdup() and return the error\nif it fails in order to avoid NULL pointer dereference.(CVE-2023-52844)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntipc: Change nla_policy for bearer-related names to NLA_NUL_STRING\r\n\r\nsyzbot reported the following uninit-value access issue [1]:\r\n\r\n=====================================================\nBUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline]\nBUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756\n strlen lib/string.c:418 [inline]\n strstr+0xb8/0x2f0 lib/string.c:756\n tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595\n genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]\n genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066\n netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545\n genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075\n netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]\n netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368\n netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910\n sock_sendmsg_nosec net/socket.c:730 [inline]\n sock_sendmsg net/socket.c:753 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595\n __sys_sendmsg net/socket.c:2624 [inline]\n __do_sys_sendmsg net/socket.c:2633 [inline]\n __se_sys_sendmsg net/socket.c:2631 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\r\n\r\nUninit was created at:\n slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767\n slab_alloc_node mm/slub.c:3478 [inline]\n kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559\n __alloc_skb+0x318/0x740 net/core/skbuff.c:650\n alloc_skb include/linux/skbuff.h:1286 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline]\n netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885\n sock_sendmsg_nosec net/socket.c:730 [inline]\n sock_sendmsg net/socket.c:753 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595\n __sys_sendmsg net/socket.c:2624 [inline]\n __do_sys_sendmsg net/socket.c:2633 [inline]\n __se_sys_sendmsg net/socket.c:2631 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\r\n\r\nTIPC bearer-related names including link names must be null-terminated\nstrings. If a link name which is not null-terminated is passed through\nnetlink, strstr() and similar functions can cause buffer overrun. This\ncauses the above issue.\r\n\r\nThis patch changes the nla_policy for bearer-related names from NLA_STRING\nto NLA_NUL_STRING. This resolves the issue by ensuring that only\nnull-terminated strings are accepted as bearer-related names.\r\n\r\nsyzbot reported similar uninit-value issue related to bearer names [2]. The\nroot cause of this issue is that a non-null-terminated bearer name was\npassed. This patch also resolved this issue.(CVE-2023-52845)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhsr: Prevent use after free in prp_create_tagged_frame()\r\n\r\nThe prp_fill_rct() function can fail.  In that situation, it frees the\nskb and returns NULL.  Meanwhile on the success path, it returns the\noriginal skb.  So it's straight forward to fix bug by using the returned\nvalue.(CVE-2023-52846)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: bttv: fix use after free error due to btv->timeout timer\r\n\r\nThere may be some a race condition between timer function\nbttv_irq_timeout and bttv_remove. The timer is setup in\nprobe and there is no timer_delete operation in remove\nfunction. When it hit kfree btv, the function might still be\ninvoked, which will cause use after free bug.\r\n\r\nThis bug is found by static analysis, it may be false positive.\r\n\r\nFix it by adding del_timer_sync invoking to the remove function.\r\n\r\ncpu0                cpu1\n                  bttv_probe\n                    ->timer_setup\n                      ->bttv_set_dma\n                        ->mod_timer;\nbttv_remove\n  ->kfree(btv);\n                  ->bttv_irq_timeout\n                    ->USE btv(CVE-2023-52847)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npadata: Fix refcnt handling in padata_free_shell()\r\n\r\nIn a high-load arm64 environment, the pcrypt_aead01 test in LTP can lead\nto system UAF (Use-After-Free) issues. Due to the lengthy analysis of\nthe pcrypt_aead01 function call, I'll describe the problem scenario\nusing a simplified model:\r\n\r\nSuppose there's a user of padata named `user_function` that adheres to\nthe padata requirement of calling `padata_free_shell` after `serial()`\nhas been invoked, as demonstrated in the following code:\r\n\r\n```c\nstruct request {\n    struct padata_priv padata;\n    struct completion *done;\n};\r\n\r\nvoid parallel(struct padata_priv *padata) {\n    do_something();\n}\r\n\r\nvoid serial(struct padata_priv *padata) {\n    struct request *request = container_of(padata,\n    \t\t\t\tstruct request,\n\t\t\t\tpadata);\n    complete(request->done);\n}\r\n\r\nvoid user_function() {\n    DECLARE_COMPLETION(done)\n    padata->parallel = parallel;\n    padata->serial = serial;\n    padata_do_parallel();\n    wait_for_completion(&done);\n    padata_free_shell();\n}\n```\r\n\r\nIn the corresponding padata.c file, there's the following code:\r\n\r\n```c\nstatic void padata_serial_worker(struct work_struct *serial_work) {\n    ...\n    cnt = 0;\r\n\r\n    while (!list_empty(&local_list)) {\n        ...\n        padata->serial(padata);\n        cnt++;\n    }\r\n\r\n    local_bh_enable();\r\n\r\n    if (refcount_sub_and_test(cnt, &pd->refcnt))\n        padata_free_pd(pd);\n}\n```\r\n\r\nBecause of the high system load and the accumulation of unexecuted\nsoftirq at this moment, `local_bh_enable()` in padata takes longer\nto execute than usual. Subsequently, when accessing `pd->refcnt`,\n`pd` has already been released by `padata_free_shell()`, resulting\nin a UAF issue with `pd->refcnt`.\r\n\r\nThe fix is straightforward: add `refcount_dec_and_test` before calling\n`padata_free_pd` in `padata_free_shell`.(CVE-2023-52854)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: mediatek: clk-mt7629: Add check for mtk_alloc_clk_data\r\n\r\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.(CVE-2023-52858)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhwmon: (axi-fan-control) Fix possible NULL pointer dereference\r\n\r\naxi_fan_control_irq_handler(), dependent on the private\naxi_fan_control_data structure, might be called before the hwmon\ndevice is registered. That will cause an \"Unable to handle kernel\nNULL pointer dereference\" error.(CVE-2023-52863)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/radeon: possible buffer overflow\r\n\r\nBuffer 'afmt_status' of size 6 could overflow, since index 'afmt_idx' is\nchecked after access.(CVE-2023-52867)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nthermal: core: prevent potential string overflow\r\n\r\nThe dev->id value comes from ida_alloc() so it's a number between zero\nand INT_MAX.  If it's too high then these sprintf()s will overflow.(CVE-2023-52868)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npstore/platform: Add check for kstrdup\r\n\r\nAdd check for the return value of kstrdup() and return the error\nif it fails in order to avoid NULL pointer dereference.(CVE-2023-52869)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: mediatek: clk-mt7629-eth: Add check for mtk_alloc_clk_data\r\n\r\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.(CVE-2023-52876)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntracing: Have trace_event_file have ref counters\r\n\r\nThe following can crash the kernel:\r\n\r\n # cd /sys/kernel/tracing\n # echo 'p:sched schedule' > kprobe_events\n # exec 5>>events/kprobes/sched/enable\n # > kprobe_events\n # exec 5>&-\r\n\r\nThe above commands:\r\n\r\n 1. Change directory to the tracefs directory\n 2. Create a kprobe event (doesn't matter what one)\n 3. Open bash file descriptor 5 on the enable file of the kprobe event\n 4. Delete the kprobe event (removes the files too)\n 5. Close the bash file descriptor 5\r\n\r\nThe above causes a crash!\r\n\r\n BUG: kernel NULL pointer dereference, address: 0000000000000028\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n RIP: 0010:tracing_release_file_tr+0xc/0x50\r\n\r\nWhat happens here is that the kprobe event creates a trace_event_file\n\"file\" descriptor that represents the file in tracefs to the event. It\nmaintains state of the event (is it enabled for the given instance?).\nOpening the \"enable\" file gets a reference to the event \"file\" descriptor\nvia the open file descriptor. When the kprobe event is deleted, the file is\nalso deleted from the tracefs system which also frees the event \"file\"\ndescriptor.\r\n\r\nBut as the tracefs file is still opened by user space, it will not be\ntotally removed until the final dput() is called on it. But this is not\ntrue with the event \"file\" descriptor that is already freed. If the user\ndoes a write to or simply closes the file descriptor it will reference the\nevent \"file\" descriptor that was just freed, causing a use-after-free bug.\r\n\r\nTo solve this, add a ref count to the event \"file\" descriptor as well as a\nnew flag called \"FREED\". The \"file\" will not be freed until the last\nreference is released. But the FREE flag will be set when the event is\nremoved to prevent any more modifications to that event from happening,\neven if there's still a reference to the event \"file\" descriptor.(CVE-2023-52879)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout\r\n\r\nWhile the rhashtable set gc runs asynchronously, a race allows it to\ncollect elements from anonymous sets with timeouts while it is being\nreleased from the commit path.\r\n\r\nMingi Cho originally reported this issue in a different path in 6.1.x\nwith a pipapo set with low timeouts which is not possible upstream since\n7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set\nelement timeout\").\r\n\r\nFix this by setting on the dead flag for anonymous sets to skip async gc\nin this case.\r\n\r\nAccording to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on\ntransaction abort\"), Florian plans to accelerate abort path by releasing\nobjects via workqueue, therefore, this sets on the dead flag for abort\npath too.(CVE-2024-26643)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwireguard: netlink: access device through ctx instead of peer\r\n\r\nThe previous commit fixed a bug that led to a NULL peer->device being\ndereferenced. It's actually easier and faster performance-wise to\ninstead get the device from ctx->wg. This semantically makes more sense\ntoo, since ctx->wg->peer_allowedips.seq is compared with\nctx->allowedips_seq, basing them both in ctx. This also acts as a\ndefence in depth provision against freed peers.(CVE-2024-26950)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: prevent kernel bug at submit_bh_wbc()\r\n\r\nFix a bug where nilfs_get_block() returns a successful status when\nsearching and inserting the specified block both fail inconsistently.  If\nthis inconsistent behavior is not due to a previously fixed bug, then an\nunexpected race is occurring, so return a temporary error -EAGAIN instead.\r\n\r\nThis prevents callers such as __block_write_begin_int() from requesting a\nread into a buffer that is not mapped, which would cause the BUG_ON check\nfor the BH_Mapped flag in submit_bh_wbc() to fail.(CVE-2024-26955)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/zcrypt: fix reference counting on zcrypt card objects\r\n\r\nTests with hot-plugging crytpo cards on KVM guests with debug\nkernel build revealed an use after free for the load field of\nthe struct zcrypt_card. The reason was an incorrect reference\nhandling of the zcrypt card object which could lead to a free\nof the zcrypt card object while it was still in use.\r\n\r\nThis is an example of the slab message:\r\n\r\n    kernel: 0x00000000885a7512-0x00000000885a7513 @offset=1298. First byte 0x68 instead of 0x6b\n    kernel: Allocated in zcrypt_card_alloc+0x36/0x70 [zcrypt] age=18046 cpu=3 pid=43\n    kernel:  kmalloc_trace+0x3f2/0x470\n    kernel:  zcrypt_card_alloc+0x36/0x70 [zcrypt]\n    kernel:  zcrypt_cex4_card_probe+0x26/0x380 [zcrypt_cex4]\n    kernel:  ap_device_probe+0x15c/0x290\n    kernel:  really_probe+0xd2/0x468\n    kernel:  driver_probe_device+0x40/0xf0\n    kernel:  __device_attach_driver+0xc0/0x140\n    kernel:  bus_for_each_drv+0x8c/0xd0\n    kernel:  __device_attach+0x114/0x198\n    kernel:  bus_probe_device+0xb4/0xc8\n    kernel:  device_add+0x4d2/0x6e0\n    kernel:  ap_scan_adapter+0x3d0/0x7c0\n    kernel:  ap_scan_bus+0x5a/0x3b0\n    kernel:  ap_scan_bus_wq_callback+0x40/0x60\n    kernel:  process_one_work+0x26e/0x620\n    kernel:  worker_thread+0x21c/0x440\n    kernel: Freed in zcrypt_card_put+0x54/0x80 [zcrypt] age=9024 cpu=3 pid=43\n    kernel:  kfree+0x37e/0x418\n    kernel:  zcrypt_card_put+0x54/0x80 [zcrypt]\n    kernel:  ap_device_remove+0x4c/0xe0\n    kernel:  device_release_driver_internal+0x1c4/0x270\n    kernel:  bus_remove_device+0x100/0x188\n    kernel:  device_del+0x164/0x3c0\n    kernel:  device_unregister+0x30/0x90\n    kernel:  ap_scan_adapter+0xc8/0x7c0\n    kernel:  ap_scan_bus+0x5a/0x3b0\n    kernel:  ap_scan_bus_wq_callback+0x40/0x60\n    kernel:  process_one_work+0x26e/0x620\n    kernel:  worker_thread+0x21c/0x440\n    kernel:  kthread+0x150/0x168\n    kernel:  __ret_from_fork+0x3c/0x58\n    kernel:  ret_from_fork+0xa/0x30\n    kernel: Slab 0x00000372022169c0 objects=20 used=18 fp=0x00000000885a7c88 flags=0x3ffff00000000a00(workingset|slab|node=0|zone=1|lastcpupid=0x1ffff)\n    kernel: Object 0x00000000885a74b8 @offset=1208 fp=0x00000000885a7c88\n    kernel: Redzone  00000000885a74b0: bb bb bb bb bb bb bb bb                          ........\n    kernel: Object   00000000885a74b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a7508: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 68 4b 6b 6b 6b a5  kkkkkkkkkkhKkkk.\n    kernel: Redzone  00000000885a7518: bb bb bb bb bb bb bb bb                          ........\n    kernel: Padding  00000000885a756c: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a              ZZZZZZZZZZZZ\n    kernel: CPU: 0 PID: 387 Comm: systemd-udevd Not tainted 6.8.0-HF #2\n    kernel: Hardware name: IBM 3931 A01 704 (KVM/Linux)\n    kernel: Call Trace:\n    kernel:  [<00000000ca5ab5b8>] dump_stack_lvl+0x90/0x120\n    kernel:  [<00000000c99d78bc>] check_bytes_and_report+0x114/0x140\n    kernel:  [<00000000c99d53cc>] check_object+0x334/0x3f8\n    kernel:  [<00000000c99d820c>] alloc_debug_processing+0xc4/0x1f8\n    kernel:  [<00000000c99d852e>] get_partial_node.part.0+0x1ee/0x3e0\n    kernel:  [<00000000c99d94ec>] ___slab_alloc+0xaf4/0x13c8\n    kernel:  [<00000000c99d9e38>] __slab_alloc.constprop.0+0x78/0xb8\n    kernel:  [<00000000c99dc8dc>] __kmalloc+0x434/0x590\n    kernel:  [<00000000c9b4c0ce>] ext4_htree_store_dirent+0x4e/0x1c0\n    kernel:  [<00000000c9b908a2>] htree_dirblock_to_tree+0x17a/0x3f0\n    kernel: \n---truncated---(CVE-2024-26957)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfs: fix UAF in direct writes\r\n\r\nIn production we have been hitting the following warning consistently\r\n\r\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0\nWorkqueue: nfsiod nfs_direct_write_schedule_work [nfs]\nRIP: 0010:refcount_warn_saturate+0x9c/0xe0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? __warn+0x9f/0x130\n ? refcount_warn_saturate+0x9c/0xe0\n ? report_bug+0xcc/0x150\n ? handle_bug+0x3d/0x70\n ? exc_invalid_op+0x16/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? refcount_warn_saturate+0x9c/0xe0\n nfs_direct_write_schedule_work+0x237/0x250 [nfs]\n process_one_work+0x12f/0x4a0\n worker_thread+0x14e/0x3b0\n ? ZSTD_getCParams_internal+0x220/0x220\n kthread+0xdc/0x120\n ? __btf_name_valid+0xa0/0xa0\n ret_from_fork+0x1f/0x30\r\n\r\nThis is because we're completing the nfs_direct_request twice in a row.\r\n\r\nThe source of this is when we have our commit requests to submit, we\nprocess them and send them off, and then in the completion path for the\ncommit requests we have\r\n\r\nif (nfs_commit_end(cinfo.mds))\n\tnfs_direct_write_complete(dreq);\r\n\r\nHowever since we're submitting asynchronous requests we sometimes have\none that completes before we submit the next one, so we end up calling\ncomplete on the nfs_direct_request twice.\r\n\r\nThe only other place we use nfs_generic_commit_list() is in\n__nfs_commit_inode, which wraps this call in a\r\n\r\nnfs_commit_begin();\nnfs_commit_end();\r\n\r\nWhich is a common pattern for this style of completion handling, one\nthat is also repeated in the direct code with get_dreq()/put_dreq()\ncalls around where we process events as well as in the completion paths.\r\n\r\nFix this by using the same pattern for the commit requests.\r\n\r\nBefore with my 200 node rocksdb stress running this warning would pop\nevery 10ish minutes.  With my patch the stress test has been running for\nseveral hours without popping.(CVE-2024-26958)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmac802154: fix llsec key resources release in mac802154_llsec_key_del\r\n\r\nmac802154_llsec_key_del() can free resources of a key directly without\nfollowing the RCU rules for waiting before the end of a grace period. This\nmay lead to use-after-free in case llsec_lookup_key() is traversing the\nlist of keys in parallel with a key deletion:\r\n\r\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0\nModules linked in:\nCPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x162/0x2a0\nCall Trace:\n <TASK>\n llsec_lookup_key.isra.0+0x890/0x9e0\n mac802154_llsec_encrypt+0x30c/0x9c0\n ieee802154_subif_start_xmit+0x24/0x1e0\n dev_hard_start_xmit+0x13e/0x690\n sch_direct_xmit+0x2ae/0xbc0\n __dev_queue_xmit+0x11dd/0x3c20\n dgram_sendmsg+0x90b/0xd60\n __sys_sendto+0x466/0x4c0\n __x64_sys_sendto+0xe0/0x1c0\n do_syscall_64+0x45/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\nAlso, ieee802154_llsec_key_entry structures are not freed by\nmac802154_llsec_key_del():\r\n\r\nunreferenced object 0xffff8880613b6980 (size 64):\n  comm \"iwpan\", pid 2176, jiffies 4294761134 (age 60.475s)\n  hex dump (first 32 bytes):\n    78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de  x.......\".......\n    00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00  ................\n  backtrace:\n    [<ffffffff81dcfa62>] __kmem_cache_alloc_node+0x1e2/0x2d0\n    [<ffffffff81c43865>] kmalloc_trace+0x25/0xc0\n    [<ffffffff88968b09>] mac802154_llsec_key_add+0xac9/0xcf0\n    [<ffffffff8896e41a>] ieee802154_add_llsec_key+0x5a/0x80\n    [<ffffffff8892adc6>] nl802154_add_llsec_key+0x426/0x5b0\n    [<ffffffff86ff293e>] genl_family_rcv_msg_doit+0x1fe/0x2f0\n    [<ffffffff86ff46d1>] genl_rcv_msg+0x531/0x7d0\n    [<ffffffff86fee7a9>] netlink_rcv_skb+0x169/0x440\n    [<ffffffff86ff1d88>] genl_rcv+0x28/0x40\n    [<ffffffff86fec15c>] netlink_unicast+0x53c/0x820\n    [<ffffffff86fecd8b>] netlink_sendmsg+0x93b/0xe60\n    [<ffffffff86b91b35>] ____sys_sendmsg+0xac5/0xca0\n    [<ffffffff86b9c3dd>] ___sys_sendmsg+0x11d/0x1c0\n    [<ffffffff86b9c65a>] __sys_sendmsg+0xfa/0x1d0\n    [<ffffffff88eadbf5>] do_syscall_64+0x45/0xf0\n    [<ffffffff890000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\nHandle the proper resource release in the RCU callback function\nmac802154_llsec_key_del_rcu().\r\n\r\nNote that if llsec_lookup_key() finds a key, it gets a refcount via\nllsec_key_get() and locally copies key id from key_entry (which is a\nlist element). So it's safe to call llsec_key_put() and free the list\nentry after the RCU grace period elapses.\r\n\r\nFound by Linux Verification Center (linuxtesting.org).(CVE-2024-26961)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: qcom: mmcc-msm8974: fix terminating of frequency table arrays\r\n\r\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\r\n\r\nOnly compile tested.(CVE-2024-26965)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nubifs: ubifs_symlink: Fix memleak of inode->i_link in error path\r\n\r\nFor error handling path in ubifs_symlink(), inode will be marked as\nbad first, then iput() is invoked. If inode->i_link is initialized by\nfscrypt_encrypt_symlink() in encryption scenario, inode->i_link won't\nbe freed by callchain ubifs_free_inode -> fscrypt_free_inode in error\nhandling path, because make_bad_inode() has changed 'inode->i_mode' as\n'S_IFREG'.\nFollowing kmemleak is easy to be reproduced by injecting error in\nubifs_jnl_update() when doing symlink in encryption scenario:\n unreferenced object 0xffff888103da3d98 (size 8):\n  comm \"ln\", pid 1692, jiffies 4294914701 (age 12.045s)\n  backtrace:\n   kmemdup+0x32/0x70\n   __fscrypt_encrypt_symlink+0xed/0x1c0\n   ubifs_symlink+0x210/0x300 [ubifs]\n   vfs_symlink+0x216/0x360\n   do_symlinkat+0x11a/0x190\n   do_syscall_64+0x3b/0xe0\nThere are two ways fixing it:\n 1. Remove make_bad_inode() in error handling path. We can do that\n    because ubifs_evict_inode() will do same processes for good\n    symlink inode and bad symlink inode, for inode->i_nlink checking\n    is before is_bad_inode().\n 2. Free inode->i_link before marking inode bad.\nMethod 2 is picked, it has less influence, personally, I think.(CVE-2024-26972)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: Always flush async #PF workqueue when vCPU is being destroyed\r\n\r\nAlways flush the per-vCPU async #PF workqueue when a vCPU is clearing its\ncompletion queue, e.g. when a VM and all its vCPUs is being destroyed.\nKVM must ensure that none of its workqueue callbacks is running when the\nlast reference to the KVM _module_ is put.  Gifting a reference to the\nassociated VM prevents the workqueue callback from dereferencing freed\nvCPU/VM memory, but does not prevent the KVM module from being unloaded\nbefore the callback completes.\r\n\r\nDrop the misguided VM refcount gifting, as calling kvm_put_kvm() from\nasync_pf_execute() if kvm_put_kvm() flushes the async #PF workqueue will\nresult in deadlock.  async_pf_execute() can't return until kvm_put_kvm()\nfinishes, and kvm_put_kvm() can't return until async_pf_execute() finishes:\r\n\r\n WARNING: CPU: 8 PID: 251 at virt/kvm/kvm_main.c:1435 kvm_put_kvm+0x2d/0x320 [kvm]\n Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel kvm irqbypass\n CPU: 8 PID: 251 Comm: kworker/8:1 Tainted: G        W          6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n Workqueue: events async_pf_execute [kvm]\n RIP: 0010:kvm_put_kvm+0x2d/0x320 [kvm]\n Call Trace:\n  <TASK>\n  async_pf_execute+0x198/0x260 [kvm]\n  process_one_work+0x145/0x2d0\n  worker_thread+0x27e/0x3a0\n  kthread+0xba/0xe0\n  ret_from_fork+0x2d/0x50\n  ret_from_fork_asm+0x11/0x20\n  </TASK>\n ---[ end trace 0000000000000000 ]---\n INFO: task kworker/8:1:251 blocked for more than 120 seconds.\n       Tainted: G        W          6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/8:1     state:D stack:0     pid:251   ppid:2      flags:0x00004000\n Workqueue: events async_pf_execute [kvm]\n Call Trace:\n  <TASK>\n  __schedule+0x33f/0xa40\n  schedule+0x53/0xc0\n  schedule_timeout+0x12a/0x140\n  __wait_for_common+0x8d/0x1d0\n  __flush_work.isra.0+0x19f/0x2c0\n  kvm_clear_async_pf_completion_queue+0x129/0x190 [kvm]\n  kvm_arch_destroy_vm+0x78/0x1b0 [kvm]\n  kvm_put_kvm+0x1c1/0x320 [kvm]\n  async_pf_execute+0x198/0x260 [kvm]\n  process_one_work+0x145/0x2d0\n  worker_thread+0x27e/0x3a0\n  kthread+0xba/0xe0\n  ret_from_fork+0x2d/0x50\n  ret_from_fork_asm+0x11/0x20\n  </TASK>\r\n\r\nIf kvm_clear_async_pf_completion_queue() actually flushes the workqueue,\nthen there's no need to gift async_pf_execute() a reference because all\ninvocations of async_pf_execute() will be forced to complete before the\nvCPU and its VM are destroyed/freed.  And that in turn fixes the module\nunloading bug as __fput() won't do module_put() on the last vCPU reference\nuntil the vCPU has been freed, e.g. if closing the vCPU file also puts the\nlast reference to the KVM module.\r\n\r\nNote that kvm_check_async_pf_completion() may also take the work item off\nthe completion queue and so also needs to flush the work queue, as the\nwork will not be seen by kvm_clear_async_pf_completion_queue().  Waiting\non the workqueue could theoretically delay a vCPU due to waiting for the\nwork to complete, but that's a very, very small chance, and likely a very\nsmall delay.  kvm_arch_async_page_present_queued() unconditionally makes a\nnew request, i.e. will effectively delay entering the guest, so the\nremaining work is really just:\r\n\r\n        trace_kvm_async_pf_completed(addr, cr2_or_gpa);\r\n\r\n        __kvm_vcpu_wake_up(vcpu);\r\n\r\n        mmput(mm);\r\n\r\nand mmput() can't drop the last reference to the page tables if the vCPU is\nstill alive, i.e. the vCPU won't get stuck tearing down page tables.\r\n\r\nAdd a helper to do the flushing, specifically to deal with \"wakeup all\"\nwork items, as they aren't actually work items, i.e. are never placed in a\nworkqueue.  Trying to flush a bogus workqueue entry rightly makes\n__flush_work() complain (kudos to whoever added that sanity check).\r\n\r\nNote, commit 5f6de5cbebee (\"KVM: Prevent module exit until al\n---truncated---(CVE-2024-26976)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nSquashfs: check the inode number is not the invalid value of zero\r\n\r\nSyskiller has produced an out of bounds access in fill_meta_index().\r\n\r\nThat out of bounds access is ultimately caused because the inode\nhas an inode number with the invalid value of zero, which was not checked.\r\n\r\nThe reason this causes the out of bounds access is due to following\nsequence of events:\r\n\r\n1. Fill_meta_index() is called to allocate (via empty_meta_index())\n   and fill a metadata index.  It however suffers a data read error\n   and aborts, invalidating the newly returned empty metadata index.\n   It does this by setting the inode number of the index to zero,\n   which means unused (zero is not a valid inode number).\r\n\r\n2. When fill_meta_index() is subsequently called again on another\n   read operation, locate_meta_index() returns the previous index\n   because it matches the inode number of 0.  Because this index\n   has been returned it is expected to have been filled, and because\n   it hasn't been, an out of bounds access is performed.\r\n\r\nThis patch adds a sanity check which checks that the inode number\nis not zero when the inode is created and returns -EINVAL if it is.\r\n\r\n[phillip@squashfs.org.uk: whitespace fix]\n  Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk(CVE-2024-26982)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs: sysfs: Fix reference leak in sysfs_break_active_protection()\r\n\r\nThe sysfs_break_active_protection() routine has an obvious reference\nleak in its error path.  If the call to kernfs_find_and_get() fails then\nkn will be NULL, so the companion sysfs_unbreak_active_protection()\nroutine won't get called (and would only cause an access violation by\ntrying to dereference kn->parent if it was called).  As a result, the\nreference to kobj acquired at the start of the function will never be\nreleased.\r\n\r\nFix the leak by adding an explicit kobject_put() call when kn is NULL.(CVE-2024-26993)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nspeakup: Avoid crash on very long word\r\n\r\nIn case a console is set up really large and contains a really long word\n(> 256 characters), we have to stop before the length of the word buffer.(CVE-2024-26994)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nserial/pmac_zilog: Remove flawed mitigation for rx irq flood\r\n\r\nThe mitigation was intended to stop the irq completely. That may be\nbetter than a hard lock-up but it turns out that you get a crash anyway\nif you're using pmac_zilog as a serial console:\r\n\r\nttyPZ0: pmz: rx irq flood !\nBUG: spinlock recursion on CPU#0, swapper/0\r\n\r\nThat's because the pr_err() call in pmz_receive_chars() results in\npmz_console_write() attempting to lock a spinlock already locked in\npmz_interrupt(). With CONFIG_DEBUG_SPINLOCK=y, this produces a fatal\nBUG splat. The spinlock in question is the one in struct uart_port.\r\n\r\nEven when it's not fatal, the serial port rx function ceases to work.\nAlso, the iteration limit doesn't play nicely with QEMU, as can be\nseen in the bug report linked below.\r\n\r\nA web search for other reports of the error message \"pmz: rx irq flood\"\ndidn't produce anything. So I don't think this code is needed any more.\nRemove it.(CVE-2024-26999)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nserial: mxs-auart: add spinlock around changing cts state\r\n\r\nThe uart_handle_cts_change() function in serial_core expects the caller\nto hold uport->lock. For example, I have seen the below kernel splat,\nwhen the Bluetooth driver is loaded on an i.MX28 board.\r\n\r\n    [   85.119255] ------------[ cut here ]------------\n    [   85.124413] WARNING: CPU: 0 PID: 27 at /drivers/tty/serial/serial_core.c:3453 uart_handle_cts_change+0xb4/0xec\n    [   85.134694] Modules linked in: hci_uart bluetooth ecdh_generic ecc wlcore_sdio configfs\n    [   85.143314] CPU: 0 PID: 27 Comm: kworker/u3:0 Not tainted 6.6.3-00021-gd62a2f068f92 #1\n    [   85.151396] Hardware name: Freescale MXS (Device Tree)\n    [   85.156679] Workqueue: hci0 hci_power_on [bluetooth]\n    (...)\n    [   85.191765]  uart_handle_cts_change from mxs_auart_irq_handle+0x380/0x3f4\n    [   85.198787]  mxs_auart_irq_handle from __handle_irq_event_percpu+0x88/0x210\n    (...)(CVE-2024-27000)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm: nv04: Fix out of bounds access\r\n\r\nWhen Output Resource (dcb->or) value is assigned in\nfabricate_dcb_output(), there may be out of bounds access to\ndac_users array in case dcb->or is zero because ffs(dcb->or) is\nused as index there.\nThe 'or' argument of fabricate_dcb_output() must be interpreted as a\nnumber of bit to set, not value.\r\n\r\nUtilize macros from 'enum nouveau_or' in calls instead of hardcoding.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-27008)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: Fix mirred deadlock on device recursion\r\n\r\nWhen the mirred action is used on a classful egress qdisc and a packet is\nmirrored or redirected to self we hit a qdisc lock deadlock.\nSee trace below.\r\n\r\n[..... other info removed for brevity....]\n[   82.890906]\n[   82.890906] ============================================\n[   82.890906] WARNING: possible recursive locking detected\n[   82.890906] 6.8.0-05205-g77fadd89fe2d-dirty #213 Tainted: G        W\n[   82.890906] --------------------------------------------\n[   82.890906] ping/418 is trying to acquire lock:\n[   82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:\n__dev_queue_xmit+0x1778/0x3550\n[   82.890906]\n[   82.890906] but task is already holding lock:\n[   82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:\n__dev_queue_xmit+0x1778/0x3550\n[   82.890906]\n[   82.890906] other info that might help us debug this:\n[   82.890906]  Possible unsafe locking scenario:\n[   82.890906]\n[   82.890906]        CPU0\n[   82.890906]        ----\n[   82.890906]   lock(&sch->q.lock);\n[   82.890906]   lock(&sch->q.lock);\n[   82.890906]\n[   82.890906]  *** DEADLOCK ***\n[   82.890906]\n[..... other info removed for brevity....]\r\n\r\nExample setup (eth0->eth0) to recreate\ntc qdisc add dev eth0 root handle 1: htb default 30\ntc filter add dev eth0 handle 1: protocol ip prio 2 matchall \\\n     action mirred egress redirect dev eth0\r\n\r\nAnother example(eth0->eth1->eth0) to recreate\ntc qdisc add dev eth0 root handle 1: htb default 30\ntc filter add dev eth0 handle 1: protocol ip prio 2 matchall \\\n     action mirred egress redirect dev eth1\r\n\r\ntc qdisc add dev eth1 root handle 1: htb default 30\ntc filter add dev eth1 handle 1: protocol ip prio 2 matchall \\\n     action mirred egress redirect dev eth0\r\n\r\nWe fix this by adding an owner field (CPU id) to struct Qdisc set after\nroot qdisc is entered. When the softirq enters it a second time, if the\nqdisc owner is the same CPU, the packet is dropped to break the loop.(CVE-2024-27010)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: fix memleak in map from abort path\r\n\r\nThe delete set command does not rely on the transaction object for\nelement removal, therefore, a combination of delete element + delete set\nfrom the abort path could result in restoring twice the refcount of the\nmapping.\r\n\r\nCheck for inactive element in the next generation for the delete element\ncommand in the abort path, skip restoring state if next generation bit\nhas been already cleared. This is similar to the activate logic using\nthe set walk iterator.\r\n\r\n[ 6170.286929] ------------[ cut here ]------------\n[ 6170.286939] WARNING: CPU: 6 PID: 790302 at net/netfilter/nf_tables_api.c:2086 nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.287071] Modules linked in: [...]\n[ 6170.287633] CPU: 6 PID: 790302 Comm: kworker/6:2 Not tainted 6.9.0-rc3+ #365\n[ 6170.287768] RIP: 0010:nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.287886] Code: df 48 8d 7d 58 e8 69 2e 3b df 48 8b 7d 58 e8 80 1b 37 df 48 8d 7d 68 e8 57 2e 3b df 48 8b 7d 68 e8 6e 1b 37 df 48 89 ef eb c4 <0f> 0b 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 0f\n[ 6170.287895] RSP: 0018:ffff888134b8fd08 EFLAGS: 00010202\n[ 6170.287904] RAX: 0000000000000001 RBX: ffff888125bffb28 RCX: dffffc0000000000\n[ 6170.287912] RDX: 0000000000000003 RSI: ffffffffa20298ab RDI: ffff88811ebe4750\n[ 6170.287919] RBP: ffff88811ebe4700 R08: ffff88838e812650 R09: fffffbfff0623a55\n[ 6170.287926] R10: ffffffff8311d2af R11: 0000000000000001 R12: ffff888125bffb10\n[ 6170.287933] R13: ffff888125bffb10 R14: dead000000000122 R15: dead000000000100\n[ 6170.287940] FS:  0000000000000000(0000) GS:ffff888390b00000(0000) knlGS:0000000000000000\n[ 6170.287948] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 6170.287955] CR2: 00007fd31fc00710 CR3: 0000000133f60004 CR4: 00000000001706f0\n[ 6170.287962] Call Trace:\n[ 6170.287967]  <TASK>\n[ 6170.287973]  ? __warn+0x9f/0x1a0\n[ 6170.287986]  ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288092]  ? report_bug+0x1b1/0x1e0\n[ 6170.287986]  ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288092]  ? report_bug+0x1b1/0x1e0\n[ 6170.288104]  ? handle_bug+0x3c/0x70\n[ 6170.288112]  ? exc_invalid_op+0x17/0x40\n[ 6170.288120]  ? asm_exc_invalid_op+0x1a/0x20\n[ 6170.288132]  ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]\n[ 6170.288243]  ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288366]  ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]\n[ 6170.288483]  nf_tables_trans_destroy_work+0x588/0x590 [nf_tables](CVE-2024-27011)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/rds: fix WARNING in rds_conn_connect_if_down\r\n\r\nIf connection isn't established yet, get_mr() will fail, trigger connection after\nget_mr().(CVE-2024-27024)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: compress: fix to cover normal cluster write with cp_rwsem\r\n\r\nWhen we overwrite compressed cluster w/ normal cluster, we should\nnot unlock cp_rwsem during f2fs_write_raw_pages(), otherwise data\nwill be corrupted if partial blocks were persisted before CP & SPOR,\ndue to cluster metadata wasn't updated atomically.(CVE-2024-27034)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: compress: fix to guarantee persisting compressed blocks by CP\r\n\r\nIf data block in compressed cluster is not persisted with metadata\nduring checkpoint, after SPOR, the data may be corrupted, let's\nguarantee to write compressed page by checkpoint.(CVE-2024-27035)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: zynq: Prevent null pointer dereference caused by kmalloc failure\r\n\r\nThe kmalloc() in zynq_clk_setup() will return null if the\nphysical memory has run out. As a result, if we use snprintf()\nto write data to the null address, the null pointer dereference\nbug will happen.\r\n\r\nThis patch uses a stack variable to replace the kmalloc().(CVE-2024-27037)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Fix a potential buffer overflow in 'dp_dsc_clock_en_read()'\r\n\r\nTell snprintf() to store at most 10 bytes in the output buffer\ninstead of 30.\r\n\r\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_debugfs.c:1508 dp_dsc_clock_en_read() error: snprintf() is printing too much 30 vs 10(CVE-2024-27045)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nUSB: usb-storage: Prevent divide-by-0 error in isd200_ata_command\r\n\r\nThe isd200 sub-driver in usb-storage uses the HEADS and SECTORS values\nin the ATA ID information to calculate cylinder and head values when\ncreating a CDB for READ or WRITE commands.  The calculation involves\ndivision and modulus operations, which will cause a crash if either of\nthese values is 0.  While this never happens with a genuine device, it\ncould happen with a flawed or subversive emulation, as reported by the\nsyzbot fuzzer.\r\n\r\nProtect against this possibility by refusing to bind to the device if\neither the ATA_ID_HEADS or ATA_ID_SECTORS value in the device's ID\ninformation is 0.  This requires isd200_Initialization() to return a\nnegative error code when initialization fails; currently it always\nreturns 0 (even when there is an error).(CVE-2024-27059)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: usbtv: Remove useless locks in usbtv_video_free()\r\n\r\nRemove locks calls in usbtv_video_free() because\nare useless and may led to a deadlock as reported here:\nhttps://syzkaller.appspot.com/x/bisect.txt?x=166dc872180000\nAlso remove usbtv_stop() call since it will be called when\nunregistering the device.\r\n\r\nBefore 'c838530d230b' this issue would only be noticed if you\ndisconnect while streaming and now it is noticeable even when\ndisconnecting while not streaming.\r\n\r\n\n[hverkuil: fix minor spelling mistake in log message](CVE-2024-27072)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: ttpci: fix two memleaks in budget_av_attach\r\n\r\nWhen saa7146_register_device and saa7146_vv_init fails, budget_av_attach\nshould free the resources it allocates, like the error-handling of\nttpci_budget_init does. Besides, there are two fixme comment refers to\nsuch deallocations.(CVE-2024-27073)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: dvb-frontends: avoid stack overflow warnings with clang\r\n\r\nA previous patch worked around a KASAN issue in stv0367, now a similar\nproblem showed up with clang:\r\n\r\ndrivers/media/dvb-frontends/stv0367.c:1222:12: error: stack frame size (3624) exceeds limit (2048) in 'stv0367ter_set_frontend' [-Werror,-Wframe-larger-than]\n 1214 | static int stv0367ter_set_frontend(struct dvb_frontend *fe)\r\n\r\nRework the stv0367_writereg() function to be simpler and mark both\nregister access functions as noinline_for_stack so the temporary\ni2c_msg structures do not get duplicated on the stack when KASAN_STACK\nis enabled.(CVE-2024-27075)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nSUNRPC: fix some memleaks in gssx_dec_option_array\r\n\r\nThe creds and oa->data need to be freed in the error-handling paths after\ntheir allocation. So this patch add these deallocations in the\ncorresponding paths.(CVE-2024-27388)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npstore: inode: Only d_invalidate() is needed\r\n\r\nUnloading a modular pstore backend with records in pstorefs would\ntrigger the dput() double-drop warning:\r\n\r\n  WARNING: CPU: 0 PID: 2569 at fs/dcache.c:762 dput.part.0+0x3f3/0x410\r\n\r\nUsing the combo of d_drop()/dput() (as mentioned in\nDocumentation/filesystems/vfs.rst) isn't the right approach here, and\nleads to the reference counting problem seen above. Use d_invalidate()\nand update the code to not bother checking for error codes that can\nnever happen.\r\n\r\n---(CVE-2024-27389)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nft_flow_offload: reset dst in route object after setting up flow\r\n\r\ndst is transferred to the flow object, route object does not own it\nanymore.  Reset dst in route object, otherwise if flow_offload_add()\nfails, error path releases dst twice, leading to a refcount underflow.(CVE-2024-27403)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/ntfs3: Fixed overflow check in mi_enum_attr()(CVE-2024-27407)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetrom: Fix data-races around sysctl_net_busy_read\r\n\r\nWe need to protect the reader reading the sysctl value because the\nvalue can be changed concurrently.(CVE-2024-27419)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2024-27426)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2024-27427)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2024-27428)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\nx86/fpu: Keep xfd_state in sync with MSR_IA32_XFD\nCommit 672365477ae8 (\"x86/fpu: Update XFD state where required\") and\ncommit 8bf26758ca96 (\"x86/fpu: Add XFD state to fpstate\") introduced a\nper CPU variable xfd_state to keep the MSR_IA32_XFD value cached, in\norder to avoid unnecessary writes to the MSR.\nOn CPU hotplug MSR_IA32_XFD is reset to the init_fpstate.xfd, which\nwipes out any stale state. But the per CPU cached xfd value is not\nreset, which brings them out of sync.\nAs a consequence a subsequent xfd_update_state() might fail to update\nthe MSR which in turn can result in XRSTOR raising a #NM in kernel\nspace, which crashes the kernel.\nTo fix this, introduce xfd_set_state() to write xfd_state together\nwith MSR_IA32_XFD, and use it in all places that set MSR_IA32_XFD.(CVE-2024-35801)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndm snapshot: fix lockup in dm_exception_table_exit\r\n\r\nThere was reported lockup when we exit a snapshot with many exceptions.\nFix this by adding \"cond_resched\" to the loop that frees the exceptions.(CVE-2024-35805)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsoc: fsl: qbman: Always disable interrupts when taking cgr_lock\r\n\r\nsmp_call_function_single disables IRQs when executing the callback. To\nprevent deadlocks, we must disable IRQs when taking cgr_lock elsewhere.\nThis is already done by qman_update_cgr and qman_delete_cgr; fix the\nother lockers.(CVE-2024-35806)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion\r\n\r\nThe first kiocb_set_cancel_fn() argument may point at a struct kiocb\nthat is not embedded inside struct aio_kiocb. With the current code,\ndepending on the compiler, the req->ki_ctx read happens either before\nthe IOCB_AIO_RW test or after that test. Move the req->ki_ctx read such\nthat it is guaranteed that the IOCB_AIO_RW test happens first.(CVE-2024-35815)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: amdgpu_ttm_gart_bind set gtt bound flag\r\n\r\nOtherwise after the GTT bo is released, the GTT and gart space is freed\nbut amdgpu_ttm_backend_unbind will not clear the gart page table entry\nand leave valid mapping entry pointing to the stale system page. Then\nif GPU access the gart address mistakely, it will read undefined value\ninstead page fault, harder to debug and reproduce the real issue.(CVE-2024-35817)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nLoongArch: Define the __io_aw() hook as mmiowb()\r\n\r\nCommit fb24ea52f78e0d595852e (\"drivers: Remove explicit invocations of\nmmiowb()\") remove all mmiowb() in drivers, but it says:\r\n\r\n\"NOTE: mmiowb() has only ever guaranteed ordering in conjunction with\nspin_unlock(). However, pairing each mmiowb() removal in this patch with\nthe corresponding call to spin_unlock() is not at all trivial, so there\nis a small chance that this change may regress any drivers incorrectly\nrelying on mmiowb() to order MMIO writes between CPUs using lock-free\nsynchronisation.\"\r\n\r\nThe mmio in radeon_ring_commit() is protected by a mutex rather than a\nspinlock, but in the mutex fastpath it behaves similar to spinlock. We\ncan add mmiowb() calls in the radeon driver but the maintainer says he\ndoesn't like such a workaround, and radeon is not the only example of\nmutex protected mmio.\r\n\r\nSo we should extend the mmiowb tracking system from spinlock to mutex,\nand maybe other locking primitives. This is not easy and error prone, so\nwe solve it in the architectural code, by simply defining the __io_aw()\nhook as mmiowb(). And we no longer need to override queued_spin_unlock()\nso use the generic definition.\r\n\r\nWithout this, we get such an error when run 'glxgears' on weak ordering\narchitectures such as LoongArch:\r\n\r\nradeon 0000:04:00.0: ring 0 stalled for more than 10324msec\nradeon 0000:04:00.0: ring 3 stalled for more than 10240msec\nradeon 0000:04:00.0: GPU lockup (current fence id 0x000000000001f412 last fence id 0x000000000001f414 on ring 3)\nradeon 0000:04:00.0: GPU lockup (current fence id 0x000000000000f940 last fence id 0x000000000000f941 on ring 0)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)(CVE-2024-35818)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5e: fix a double-free in arfs_create_groups\r\n\r\nWhen `in` allocated by kvzalloc fails, arfs_create_groups will free\nft->g and return an error. However, arfs_create_table, the only caller of\narfs_create_groups, will hold this error and call to\nmlx5e_destroy_flow_table, in which the ft->g will be freed again.(CVE-2024-35835)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: bridge: replace physindev with physinif in nf_bridge_info\r\n\r\nAn skb can be added to a neigh->arp_queue while waiting for an arp\nreply. Where original skb's skb->dev can be different to neigh's\nneigh->dev. For instance in case of bridging dnated skb from one veth to\nanother, the skb would be added to a neigh->arp_queue of the bridge.\r\n\r\nAs skb->dev can be reset back to nf_bridge->physindev and used, and as\nthere is no explicit mechanism that prevents this physindev from been\nfreed under us (for instance neigh_flush_dev doesn't cleanup skbs from\ndifferent device's neigh queue) we can crash on e.g. this stack:\r\n\r\narp_process\n  neigh_update\n    skb = __skb_dequeue(&neigh->arp_queue)\n      neigh_resolve_output(..., skb)\n        ...\n          br_nf_dev_xmit\n            br_nf_pre_routing_finish_bridge_slow\n              skb->dev = nf_bridge->physindev\n              br_handle_frame_finish\r\n\r\nLet's use plain ifindex instead of net_device link. To peek into the\noriginal net_device we will use dev_get_by_index_rcu(). Thus either we\nget device and are safe to use it or we don't get it and drop skb.(CVE-2024-35839)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: compress: fix reserve_cblocks counting error when out of space\r\n\r\nWhen a file only needs one direct_node, performing the following\noperations will cause the file to be unrepairable:\r\n\r\nunisoc # ./f2fs_io compress test.apk\nunisoc #df -h | grep dm-48\n/dev/block/dm-48 112G 112G 1.2M 100% /data\r\n\r\nunisoc # ./f2fs_io release_cblocks test.apk\n924\nunisoc # df -h | grep dm-48\n/dev/block/dm-48 112G 112G 4.8M 100% /data\r\n\r\nunisoc # dd if=/dev/random of=file4 bs=1M count=3\n3145728 bytes (3.0 M) copied, 0.025 s, 120 M/s\nunisoc # df -h | grep dm-48\n/dev/block/dm-48 112G 112G 1.8M 100% /data\r\n\r\nunisoc # ./f2fs_io reserve_cblocks test.apk\nF2FS_IOC_RESERVE_COMPRESS_BLOCKS failed: No space left on device\r\n\r\nadb reboot\nunisoc # df -h  | grep dm-48\n/dev/block/dm-48             112G 112G   11M 100% /data\nunisoc # ./f2fs_io reserve_cblocks test.apk\n0\r\n\r\nThis is because the file has only one direct_node. After returning\nto -ENOSPC, reserved_blocks += ret will not be executed. As a result,\nthe reserved_blocks at this time is still 0, which is not the real\nnumber of reserved blocks. Therefore, fsck cannot be set to repair\nthe file.\r\n\r\nAfter this patch, the fsck flag will be set to fix this problem.\r\n\r\nunisoc # df -h | grep dm-48\n/dev/block/dm-48             112G 112G  1.8M 100% /data\nunisoc # ./f2fs_io reserve_cblocks test.apk\nF2FS_IOC_RESERVE_COMPRESS_BLOCKS failed: No space left on device\r\n\r\nadb reboot then fsck will be executed\nunisoc # df -h  | grep dm-48\n/dev/block/dm-48             112G 112G   11M 100% /data\nunisoc # ./f2fs_io reserve_cblocks test.apk\n924(CVE-2024-35844)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\neeprom: at24: fix memory corruption race condition\r\n\r\nIf the eeprom is not accessible, an nvmem device will be registered, the\nread will fail, and the device will be torn down. If another driver\naccesses the nvmem device after the teardown, it will reference\ninvalid memory.\r\n\r\nMove the failure point before registering the nvmem device.(CVE-2024-35848)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: Fix infinite recursion in fib6_dump_done().\r\n\r\nsyzkaller reported infinite recursive calls of fib6_dump_done() during\nnetlink socket destruction.  [1]\r\n\r\nFrom the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then\nthe response was generated.  The following recvmmsg() resumed the dump\nfor IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due\nto the fault injection.  [0]\r\n\r\n  12:01:34 executing program 3:\n  r0 = socket$nl_route(0x10, 0x3, 0x0)\n  sendmsg$nl_route(r0, ... snip ...)\n  recvmmsg(r0, ... snip ...) (fail_nth: 8)\r\n\r\nHere, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call\nof inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3].  syzkaller stopped\nreceiving the response halfway through, and finally netlink_sock_destruct()\ncalled nlk_sk(sk)->cb.done().\r\n\r\nfib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it\nis still not NULL.  fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by\nnlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling\nitself recursively and hitting the stack guard page.\r\n\r\nTo avoid the issue, let's set the destructor after kzalloc().\r\n\r\n[0]:\nFAULT_INJECTION: forcing a failure.\nname failslab, interval 1, probability 0, space 0, times 0\nCPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl (lib/dump_stack.c:117)\n should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)\n should_failslab (mm/slub.c:3733)\n kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992)\n inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662)\n rtnl_dump_all (net/core/rtnetlink.c:4029)\n netlink_dump (net/netlink/af_netlink.c:2269)\n netlink_recvmsg (net/netlink/af_netlink.c:1988)\n ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801)\n ___sys_recvmsg (net/socket.c:2846)\n do_recvmmsg (net/socket.c:2943)\n __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034)\r\n\r\n[1]:\nBUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb)\nstack guard page: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: events netlink_sock_destruct_work\nRIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570)\nCode: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff\nRSP: 0018:ffffc9000d980000 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3\nRDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358\nRBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000\nR13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68\nFS:  0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n <#DF>\n </#DF>\n <TASK>\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n ...\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n netlink_sock_destruct (net/netlink/af_netlink.c:401)\n __sk_destruct (net/core/sock.c:2177 (discriminator 2))\n sk_destruct (net/core/sock.c:2224)\n __sk_free (net/core/sock.c:2235)\n sk_free (net/core/sock.c:2246)\n process_one_work (kernel/workqueue.c:3259)\n worker_thread (kernel/workqueue.c:3329 kernel/workqueue.\n---truncated---(CVE-2024-35886)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: discard table flag update with pending basechain deletion\r\n\r\nHook unregistration is deferred to the commit phase, same occurs with\nhook updates triggered by the table dormant flag. When both commands are\ncombined, this results in deleting a basechain while leaving its hook\nstill registered in the core.(CVE-2024-35897)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()\r\n\r\nnft_unregister_flowtable_type() within nf_flow_inet_module_exit() can\nconcurrent with __nft_flowtable_type_get() within nf_tables_newflowtable().\nAnd thhere is not any protection when iterate over nf_tables_flowtables\nlist in __nft_flowtable_type_get(). Therefore, there is pertential\ndata-race of nf_tables_flowtables list entry.\r\n\r\nUse list_for_each_entry_rcu() to iterate over nf_tables_flowtables list\nin __nft_flowtable_type_get(), and use rcu_read_lock() in the caller\nnft_flowtable_type_get() to protect the entire type query process.(CVE-2024-35898)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfbmon: prevent division by zero in fb_videomode_from_videomode()\r\n\r\nThe expression htotal * vtotal can have a zero value on\noverflow. It is necessary to prevent division by zero like in\nfb_var_to_videomode().\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with Svace.(CVE-2024-35922)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()\r\n\r\nThe call to lpfc_sli4_resume_rpi() in lpfc_rcv_padisc() may return an\nunsuccessful status.  In such cases, the elsiocb is not issued, the\ncompletion is not called, and thus the elsiocb resource is leaked.\r\n\r\nCheck return value after calling lpfc_sli4_resume_rpi() and conditionally\nrelease the elsiocb resource.(CVE-2024-35930)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()\r\n\r\nThe unhandled case in btrfs_relocate_sys_chunks() loop is a corruption,\nas it could be caused only by two impossible conditions:\r\n\r\n- at first the search key is set up to look for a chunk tree item, with\n  offset -1, this is an inexact search and the key->offset will contain\n  the correct offset upon a successful search, a valid chunk tree item\n  cannot have an offset -1\r\n\r\n- after first successful search, the found_key corresponds to a chunk\n  item, the offset is decremented by 1 before the next loop, it's\n  impossible to find a chunk item there due to alignment and size\n  constraints(CVE-2024-35936)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npstore/zone: Add a null pointer check to the psz_kmsg_read\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.(CVE-2024-35940)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nxsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING\r\n\r\nsyzbot reported an illegal copy in xsk_setsockopt() [1]\r\n\r\nMake sure to validate setsockopt() @optlen parameter.\r\n\r\n[1]\r\n\r\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\nRead of size 4 at addr ffff888028c6cde3 by task syz-executor.0/7549\r\n\r\nCPU: 0 PID: 7549 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:488\n  kasan_report+0x143/0x180 mm/kasan/report.c:601\n  copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n  copy_from_sockptr include/linux/sockptr.h:55 [inline]\n  xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\n  do_sock_setsockopt+0x3af/0x720 net/socket.c:2311\n  __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n  __do_sys_setsockopt net/socket.c:2343 [inline]\n  __se_sys_setsockopt net/socket.c:2340 [inline]\n  __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\nRIP: 0033:0x7fb40587de69\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fb40665a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 00007fb4059abf80 RCX: 00007fb40587de69\nRDX: 0000000000000005 RSI: 000000000000011b RDI: 0000000000000006\nRBP: 00007fb4058ca47a R08: 0000000000000002 R09: 0000000000000000\nR10: 0000000020001980 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007fb4059abf80 R15: 00007fff57ee4d08\n </TASK>\r\n\r\nAllocated by task 7549:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\n  __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\n  kasan_kmalloc include/linux/kasan.h:211 [inline]\n  __do_kmalloc_node mm/slub.c:3966 [inline]\n  __kmalloc+0x233/0x4a0 mm/slub.c:3979\n  kmalloc include/linux/slab.h:632 [inline]\n  __cgroup_bpf_run_filter_setsockopt+0xd2f/0x1040 kernel/bpf/cgroup.c:1869\n  do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\n  __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n  __do_sys_setsockopt net/socket.c:2343 [inline]\n  __se_sys_setsockopt net/socket.c:2340 [inline]\n  __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nThe buggy address belongs to the object at ffff888028c6cde0\n which belongs to the cache kmalloc-8 of size 8\nThe buggy address is located 1 bytes to the right of\n allocated 2-byte region [ffff888028c6cde0, ffff888028c6cde2)\r\n\r\nThe buggy address belongs to the physical page:\npage:ffffea0000a31b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888028c6c9c0 pfn:0x28c6c\nanon flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)\npage_type: 0xffffffff()\nraw: 00fff00000000800 ffff888014c41280 0000000000000000 dead000000000001\nraw: ffff888028c6c9c0 0000000080800057 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as allocated\npage last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 6648, tgid 6644 (syz-executor.0), ts 133906047828, free_ts 133859922223\n  set_page_owner include/linux/page_owner.h:31 [inline]\n  post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533\n  prep_new_page mm/page_alloc.c:\n---truncated---(CVE-2024-35976)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nACPI: CPPC: Use access_width over bit_width for system memory accesses\r\n\r\nTo align with ACPI 6.3+, since bit_width can be any 8-bit value, it\ncannot be depended on to be always on a clean 8b boundary. This was\nuncovered on the Cobalt 100 platform.\r\n\r\nSError Interrupt on CPU26, code 0xbe000011 -- SError\n CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted 5.15.2.1-13 #1\n Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION\n pstate: 62400009 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)\n pc : cppc_get_perf_caps+0xec/0x410\n lr : cppc_get_perf_caps+0xe8/0x410\n sp : ffff8000155ab730\n x29: ffff8000155ab730 x28: ffff0080139d0038 x27: ffff0080139d0078\n x26: 0000000000000000 x25: ffff0080139d0058 x24: 00000000ffffffff\n x23: ffff0080139d0298 x22: ffff0080139d0278 x21: 0000000000000000\n x20: ffff00802b251910 x19: ffff0080139d0000 x18: ffffffffffffffff\n x17: 0000000000000000 x16: ffffdc7e111bad04 x15: ffff00802b251008\n x14: ffffffffffffffff x13: ffff013f1fd63300 x12: 0000000000000006\n x11: ffffdc7e128f4420 x10: 0000000000000000 x9 : ffffdc7e111badec\n x8 : ffff00802b251980 x7 : 0000000000000000 x6 : ffff0080139d0028\n x5 : 0000000000000000 x4 : ffff0080139d0018 x3 : 00000000ffffffff\n x2 : 0000000000000008 x1 : ffff8000155ab7a0 x0 : 0000000000000000\n Kernel panic - not syncing: Asynchronous SError Interrupt\n CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted\n5.15.2.1-13 #1\n Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION\n Call trace:\n  dump_backtrace+0x0/0x1e0\n  show_stack+0x24/0x30\n  dump_stack_lvl+0x8c/0xb8\n  dump_stack+0x18/0x34\n  panic+0x16c/0x384\n  add_taint+0x0/0xc0\n  arm64_serror_panic+0x7c/0x90\n  arm64_is_fatal_ras_serror+0x34/0xa4\n  do_serror+0x50/0x6c\n  el1h_64_error_handler+0x40/0x74\n  el1h_64_error+0x7c/0x80\n  cppc_get_perf_caps+0xec/0x410\n  cppc_cpufreq_cpu_init+0x74/0x400 [cppc_cpufreq]\n  cpufreq_online+0x2dc/0xa30\n  cpufreq_add_dev+0xc0/0xd4\n  subsys_interface_register+0x134/0x14c\n  cpufreq_register_driver+0x1b0/0x354\n  cppc_cpufreq_init+0x1a8/0x1000 [cppc_cpufreq]\n  do_one_initcall+0x50/0x250\n  do_init_module+0x60/0x27c\n  load_module+0x2300/0x2570\n  __do_sys_finit_module+0xa8/0x114\n  __arm64_sys_finit_module+0x2c/0x3c\n  invoke_syscall+0x78/0x100\n  el0_svc_common.constprop.0+0x180/0x1a0\n  do_el0_svc+0x84/0xa0\n  el0_svc+0x2c/0xc0\n  el0t_64_sync_handler+0xa4/0x12c\n  el0t_64_sync+0x1a4/0x1a8\r\n\r\nInstead, use access_width to determine the size and use the offset and\nwidth to shift and mask the bits to read/write out. Make sure to add a\ncheck for system memory since pcc redefines the access_width to\nsubspace id.\r\n\r\nIf access_width is not set, then fall back to using bit_width.\r\n\r\n[ rjw: Subject and changelog edits, comment adjustments ](CVE-2024-35995)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nHID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up\r\n\r\nThe flag I2C_HID_READ_PENDING is used to serialize I2C operations.\nHowever, this is not necessary, because I2C core already has its own\nlocking for that.\r\n\r\nMore importantly, this flag can cause a lock-up: if the flag is set in\ni2c_hid_xfer() and an interrupt happens, the interrupt handler\n(i2c_hid_irq) will check this flag and return immediately without doing\nanything, then the interrupt handler will be invoked again in an\ninfinite loop.\r\n\r\nSince interrupt handler is an RT task, it takes over the CPU and the\nflag-clearing task never gets scheduled, thus we have a lock-up.\r\n\r\nDelete this unnecessary flag.(CVE-2024-35997)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmlxsw: spectrum_acl_tcam: Fix incorrect list API usage\r\n\r\nBoth the function that migrates all the chunks within a region and the\nfunction that migrates all the entries within a chunk call\nlist_first_entry() on the respective lists without checking that the\nlists are not empty. This is incorrect usage of the API, which leads to\nthe following warning [1].\r\n\r\nFix by returning if the lists are empty as there is nothing to migrate\nin this case.\r\n\r\n[1]\nWARNING: CPU: 0 PID: 6437 at drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c:1266 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0>\nModules linked in:\nCPU: 0 PID: 6437 Comm: kworker/0:37 Not tainted 6.9.0-rc3-custom-00883-g94a65f079ef6 #39\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0x2c0\n[...]\nCall Trace:\n <TASK>\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x4a0\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n </TASK>(CVE-2024-36006)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv4: check for NULL idev in ip_route_use_hint()\r\n\r\nsyzbot was able to trigger a NULL deref in fib_validate_source()\nin an old tree [1].\r\n\r\nIt appears the bug exists in latest trees.\r\n\r\nAll calls to __in_dev_get_rcu() must be checked for a NULL result.\r\n\r\n[1]\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 2 PID: 3257 Comm: syz-executor.3 Not tainted 5.10.0-syzkaller #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n RIP: 0010:fib_validate_source+0xbf/0x15a0 net/ipv4/fib_frontend.c:425\nCode: 18 f2 f2 f2 f2 42 c7 44 20 23 f3 f3 f3 f3 48 89 44 24 78 42 c6 44 20 27 f3 e8 5d 88 48 fc 4c 89 e8 48 c1 e8 03 48 89 44 24 18 <42> 80 3c 20 00 74 08 4c 89 ef e8 d2 15 98 fc 48 89 5c 24 10 41 bf\nRSP: 0018:ffffc900015fee40 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff88800f7a4000 RCX: ffff88800f4f90c0\nRDX: 0000000000000000 RSI: 0000000004001eac RDI: ffff8880160c64c0\nRBP: ffffc900015ff060 R08: 0000000000000000 R09: ffff88800f7a4000\nR10: 0000000000000002 R11: ffff88800f4f90c0 R12: dffffc0000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: ffff88800f7a4000\nFS:  00007f938acfe6c0(0000) GS:ffff888058c00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f938acddd58 CR3: 000000001248e000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n  ip_route_use_hint+0x410/0x9b0 net/ipv4/route.c:2231\n  ip_rcv_finish_core+0x2c4/0x1a30 net/ipv4/ip_input.c:327\n  ip_list_rcv_finish net/ipv4/ip_input.c:612 [inline]\n  ip_sublist_rcv+0x3ed/0xe50 net/ipv4/ip_input.c:638\n  ip_list_rcv+0x422/0x470 net/ipv4/ip_input.c:673\n  __netif_receive_skb_list_ptype net/core/dev.c:5572 [inline]\n  __netif_receive_skb_list_core+0x6b1/0x890 net/core/dev.c:5620\n  __netif_receive_skb_list net/core/dev.c:5672 [inline]\n  netif_receive_skb_list_internal+0x9f9/0xdc0 net/core/dev.c:5764\n  netif_receive_skb_list+0x55/0x3e0 net/core/dev.c:5816\n  xdp_recv_frames net/bpf/test_run.c:257 [inline]\n  xdp_test_run_batch net/bpf/test_run.c:335 [inline]\n  bpf_test_run_xdp_live+0x1818/0x1d00 net/bpf/test_run.c:363\n  bpf_prog_test_run_xdp+0x81f/0x1170 net/bpf/test_run.c:1376\n  bpf_prog_test_run+0x349/0x3c0 kernel/bpf/syscall.c:3736\n  __sys_bpf+0x45c/0x710 kernel/bpf/syscall.c:5115\n  __do_sys_bpf kernel/bpf/syscall.c:5201 [inline]\n  __se_sys_bpf kernel/bpf/syscall.c:5199 [inline]\n  __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5199(CVE-2024-36008)",
+    "cves": [
+      {
+        "id": "CVE-2023-52868",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52868",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2024-35801",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35801",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2024-36008",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36008",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1122": {
+    "id": "openEuler-SA-2023-1122",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1122",
+    "title": "An update for curl is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\ncurl supports \"chained\" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable \"links\" in this \"decompression chain\" was capped, but the cap was implemented on a per-header basis allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a \"malloc bomb\", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.(CVE-2023-23916)",
+    "cves": [
+      {
+        "id": "CVE-2023-23916",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23916",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1856": {
+    "id": "openEuler-SA-2023-1856",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1856",
+    "title": "An update for python-pillow is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Pillow is the friendly PIL fork by Alex Clark and Contributors. PIL is the Python Imaging \\ Library by Fredrik Lundh and Contributors. As of 2019, Pillow development is supported by Tidelift.   %package -n python3-pillow Summary:        Python 3 image processing library  Provides:       python3-imaging = -\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.(CVE-2023-44271)",
+    "cves": [
+      {
+        "id": "CVE-2023-44271",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44271",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1737": {
+    "id": "openEuler-SA-2023-1737",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1737",
+    "title": "An update for openjdk-11 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in function ciMethodBlocks::make_block_at in Oracle JDK (HotSpot VM) 11, 17 and OpenJDK (HotSpot VM) 8, 11, 17, allows attackers to cause a denial of service.(CVE-2022-40433)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via DTLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-21835)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Sound).  Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21843)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2023-21930)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21937)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21938)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21939)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2023-21954)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21967)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21968)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).(CVE-2023-22006)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Utility).  Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-22036)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.1 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2023-22041)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2023-22045)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-22049)",
+    "cves": [
+      {
+        "id": "CVE-2023-22049",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22049",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2049": {
+    "id": "openEuler-SA-2022-2049",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2049",
+    "title": "An update for swtpm is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "TPM emulator built on libtpms providing TPM functionality for QEMU VMs\r\n\r\nSecurity Fix(es):\r\n\r\nswtpm is a libtpms-based TPM emulator with socket, character device, and Linux CUSE interface. Versions prior to 0.5.3, 0.6.2, and 0.7.1 are vulnerable to out-of-bounds read. A specially crafted header of swtpm's state, where the blobheader's hdrsize indicator has an invalid value, may cause an out-of-bounds access when the byte array representing the state of the TPM is accessed. This will likely crash swtpm or prevent it from starting since the state cannot be understood. Users should upgrade to swtpm v0.5.3, v0.6.2, or v0.7.1 to receive a patch. There are currently no known workarounds.(CVE-2022-23645)",
+    "cves": [
+      {
+        "id": "CVE-2022-23645",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23645",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1252": {
+    "id": "openEuler-SA-2024-1252",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1252",
+    "title": "An update for json-path is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Java DSL for reading and testing JSON documents.\r\n\r\nSecurity Fix(es):\r\n\r\njson-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.(CVE-2023-51074)",
+    "cves": [
+      {
+        "id": "CVE-2023-51074",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51074",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1481": {
+    "id": "openEuler-SA-2023-1481",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1481",
+    "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nIssue summary: Checking excessively long DH keys or parameters may be very slow.\r\n\r\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\r\n\r\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\r\n\r\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\r\n\r\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\r\n\r\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\r\n\r\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\r\n\r\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.(CVE-2023-3817)",
+    "cves": [
+      {
+        "id": "CVE-2023-3817",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3817",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1271": {
+    "id": "openEuler-SA-2023-1271",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1271",
+    "title": "An update for php is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts.The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server.\r\n\r\nSecurity Fix(es):\r\n\r\nIn PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.(CVE-2022-31629)\r\n\r\nIn PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress \"quines\" gzip files, resulting in an infinite loop.(CVE-2022-31628)",
+    "cves": [
+      {
+        "id": "CVE-2022-31628",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31628",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1175": {
+    "id": "openEuler-SA-2023-1175",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1175",
+    "title": "An update for epiphany is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Epiphany is the web browser for the GNOME desktop. Its goal is to be simple and easy to use. Epiphany ties together many GNOME components in order to let you focus on the Web content, instead of the browser application.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Epiphany (aka GNOME Web) through 43.0, untrusted web content can trick users into exfiltrating passwords, because autofill occurs in sandboxed contexts.(CVE-2023-26081)",
+    "cves": [
+      {
+        "id": "CVE-2023-26081",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26081",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2027": {
+    "id": "openEuler-SA-2022-2027",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2027",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn rndis_set_response of rndis.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege if a malicious USB device is attached with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-239842288References: Upstream kernel(CVE-2022-20423)",
+    "cves": [
+      {
+        "id": "CVE-2022-20423",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20423",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1546": {
+    "id": "openEuler-SA-2022-1546",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1546",
+    "title": "An update for nodejs-jison is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "A parser generator with Bison's API.\r\n\r\nSecurity Fix(es):\r\n\r\nInsufficient input validation in npm package `jison` <= 0.4.18 may lead to OS command injection attacks.(CVE-2020-8178)",
+    "cves": [
+      {
+        "id": "CVE-2020-8178",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8178",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1442": {
+    "id": "openEuler-SA-2024-1442",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1442",
+    "title": "An update for libgsasl is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The library includes support for the SASL framework and at least partial support for the CRAM-MD5, EXTERNAL, GSSAPI, ANONYMOUS, PLAIN, SECURID, DIGEST-MD5, LOGIN, and NTLM mechanisms.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU SASL libgsasl server-side read-out-of-bounds with malicious authenticated GSS-API client(CVE-2022-2469)",
+    "cves": [
+      {
+        "id": "CVE-2022-2469",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2469",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1557": {
+    "id": "openEuler-SA-2023-1557",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1557",
+    "title": "An update for clamav is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Clam AntiVirus (clamav) is an open source antivirus engine for detecting trojans, viruses, malware and other malicious threats. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software. he virus database is based on the virus database from OpenAntiVirus, but contains additional signatures and is KEPT UP TO DATE.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability in the filesystem image parser for Hierarchical File System Plus (HFS+) of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.\r\n\r This vulnerability is due to an incorrect check for completion when a file is decompressed, which may result in a loop condition that could cause the affected software to stop responding. An attacker could exploit this vulnerability by submitting a crafted HFS+ filesystem image to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to stop responding, resulting in a DoS condition on the affected software and consuming available system resources.\r\n\r For a description of this vulnerability, see the ClamAV blog .(CVE-2023-20197)",
+    "cves": [
+      {
+        "id": "CVE-2023-20197",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20197",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1298": {
+    "id": "openEuler-SA-2023-1298",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1298",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition.(CVE-2022-1050)",
+    "cves": [
+      {
+        "id": "CVE-2022-1050",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1050",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1884": {
+    "id": "openEuler-SA-2023-1884",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1884",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Low",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nVim is an open source command line text editor. When closing a window, vim may try to access already freed window structure. Exploitation beyond crashing the application has not been shown to be viable. This issue has been addressed in commit `25aabc2b` which has been included in release version 9.0.2106. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48231)\r\n\r\nVim is an open source command line text editor. If the count after the :s command is larger than what fits into a (signed) long variable, abort with e_value_too_large. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `ac6378773` which has been included in release version 9.0.2108. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48233)\r\n\r\nVim is an open source command line text editor. When getting the count for a normal mode z command, it may overflow for large counts given. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `58f9befca1` which has been included in release version 9.0.2109. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48234)\r\n\r\nVim is an open source command line text editor. When parsing relative ex addresses one may unintentionally cause an\noverflow. Ironically this happens in the existing overflow check, because the line number becomes negative and LONG_MAX - lnum will cause the overflow. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `060623e` which has been included in release version 9.0.2110. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48235)\r\n\r\nVim is an open source command line text editor. When using the z= command, the user may overflow the count with values larger\nthan MAX_INT. Impact is low, user interaction is required and a crash may not even happen in all situations. This vulnerability has been addressed in commit `73b2d379` which has been included in release version 9.0.2111. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48236)\r\n\r\nVim is an open source command line text editor. In affected versions when shifting lines in operator pending mode and using a very large value, it may be possible to overflow the size of integer. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `6bf131888` which has been included in version 9.0.2112. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48237)\r\n\r\nVim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a `:s` command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive `:s` call causes free-ing of memory which may later then be accessed by the initial `:s` command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue.(CVE-2023-48706)",
+    "cves": [
+      {
+        "id": "CVE-2023-48706",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48706",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1084": {
+    "id": "openEuler-SA-2023-1084",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1084",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system.(CVE-2022-3707)\r\n\r\nA NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash.(CVE-2023-0394)\r\n\r\nA use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race problem leading to a denial-of-service problem. \r\n\r\nReference:\nhttps://lore.kernel.org/all/20221018203258.2793282-1-edumazet@google.com/\r\n\r\n\nCrash:\n    BUG: KASAN: use-after-free in __tcf_qdisc_find.part.0+0xa3a/0xac0 net/sched/cls_api.c:1066\n    Read of size 4 at addr ffff88802065e038 by task syz-executor.4/21027\n    \n    CPU: 0 PID: 21027 Comm: syz-executor.4 Not tainted 6.0.0-rc3-syzkaller-00363-g7726d4c3e60b #0\n    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022\n    Call Trace:\n    <TASK>\n    __dump_stack lib/dump_stack.c:88 [inline]\n    dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n    print_address_description mm/kasan/report.c:317 [inline]\n    print_report.cold+0x2ba/0x719 mm/kasan/report.c:433\n    kasan_report+0xb1/0x1e0 mm/kasan/report.c:495\n    __tcf_qdisc_find.part.0+0xa3a/0xac0 net/sched/cls_api.c:1066\n    __tcf_qdisc_find net/sched/cls_api.c:1051 [inline]\n    tc_new_tfilter+0x34f/0x2200 net/sched/cls_api.c:2018\n    rtnetlink_rcv_msg+0x955/0xca0 net/core/rtnetlink.c:6081\n    netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501\n    netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n    netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345\n    netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921\n    sock_sendmsg_nosec net/socket.c:714 [inline]\n    sock_sendmsg+0xcf/0x120 net/socket.c:734\n    ____sys_sendmsg+0x6eb/0x810 net/socket.c:2482\n    ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536\n    __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565\n    do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n    do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n    entry_SYSCALL_64_after_hwframe+0x63/0xcd\n    RIP: 0033:0x7f5efaa89279(CVE-2023-0590)",
+    "cves": [
+      {
+        "id": "CVE-2023-0590",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0590",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1552": {
+    "id": "openEuler-SA-2022-1552",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1552",
+    "title": "An update for mysql5 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld) and many different client programs and libraries. The base package contains the standard MySQL client programs and generic MySQL files. \r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2020-14760)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 5.6.45 and prior and 5.7.27 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2019-2910)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 5.6.45 and prior and 5.7.27 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2019-2924)\r\n\r\nVulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Audit Log). Supported versions that are affected are 5.7.26 and prior and 8.0.16 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2019-2741)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 5.6.45 and prior and 5.7.27 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2019-2922)\r\n\r\nVulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Audit Plug-in). Supported versions that are affected are 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).(CVE-2019-2791)\r\n\r\nVulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.7.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.0 Base Score 5.4 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L).(CVE-2019-2731)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Pluggable Auth). Supported versions that are affected are 5.7.28 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2020-2790)\r\n\r\nVulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Client accessible data. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2020-2922)\r\n\r\nVulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Audit Plug-in). Supported versions that are affected are 5.7.25 and prior and 8.0.15 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2019-2566)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: PAM Auth Plugin). Supported versions that are affected are 5.7.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2014)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Compiling). Supported versions that are affected are 5.7.28 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2020-2806)",
+    "cves": [
+      {
+        "id": "CVE-2020-2806",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2806",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1820": {
+    "id": "openEuler-SA-2023-1820",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1820",
+    "title": "An update for GraphicsMagick is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "GraphicsMagick is the swiss army knife of image processing. Comprised of 267K physical lines (according to David A. Wheeler's SLOCCount) of source code in the base package (or 1,225K including 3rd party libraries) it provides a robust and efficient collection of tools and libraries which support reading, writing, and manipulating an image in over 89 major formats including important formats like DPX, GIF, JPEG, JPEG-2000, PNG, PDF, PNM, TIFF, and WebP.\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Overflow vulnerability in WritePCXImage function in pcx.c in GraphicsMagick 1.4 allows remote attackers to cause a denial of service via converting of crafted image file to pcx format.(CVE-2020-21679)",
+    "cves": [
+      {
+        "id": "CVE-2020-21679",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-21679",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1568": {
+    "id": "openEuler-SA-2024-1568",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1568",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: core: Fix scsi_mode_sense() buffer length handling\r\n\r\nSeveral problems exist with scsi_mode_sense() buffer length handling:\r\n\r\n 1) The allocation length field of the MODE SENSE(10) command is 16-bits,\n    occupying bytes 7 and 8 of the CDB. With this command, access to mode\n    pages larger than 255 bytes is thus possible. However, the CDB\n    allocation length field is set by assigning len to byte 8 only, thus\n    truncating buffer length larger than 255.\r\n\r\n 2) If scsi_mode_sense() is called with len smaller than 8 with\n    sdev->use_10_for_ms set, or smaller than 4 otherwise, the buffer length\n    is increased to 8 and 4 respectively, and the buffer is zero filled\n    with these increased values, thus corrupting the memory following the\n    buffer.\r\n\r\nFix these 2 problems by using put_unaligned_be16() to set the allocation\nlength field of MODE SENSE(10) CDB and by returning an error when len is\ntoo small.\r\n\r\nFurthermore, if len is larger than 255B, always try MODE SENSE(10) first,\neven if the device driver did not set sdev->use_10_for_ms. In case of\ninvalid opcode error for MODE SENSE(10), access to mode pages larger than\n255 bytes are not retried using MODE SENSE(6). To avoid buffer length\noverflows for the MODE_SENSE(10) case, check that len is smaller than 65535\nbytes.\r\n\r\nWhile at it, also fix the folowing:\r\n\r\n * Use get_unaligned_be16() to retrieve the mode data length and block\n   descriptor length fields of the mode sense reply header instead of using\n   an open coded calculation.\r\n\r\n * Fix the kdoc dbd argument explanation: the DBD bit stands for Disable\n   Block Descriptor, which is the opposite of what the dbd argument\n   description was.(CVE-2021-47182)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\niavf: free q_vectors before queues in iavf_disable_vf\r\n\r\niavf_free_queues() clears adapter->num_active_queues, which\niavf_free_q_vectors() relies on, so swap the order of these two function\ncalls in iavf_disable_vf(). This resolves a panic encountered when the\ninterface is disabled and then later brought up again after PF\ncommunication is restored.(CVE-2021-47201)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: lpfc: Fix list_add() corruption in lpfc_drain_txq()\r\n\r\nWhen parsing the txq list in lpfc_drain_txq(), the driver attempts to pass\nthe requests to the adapter. If such an attempt fails, a local \"fail_msg\"\nstring is set and a log message output.  The job is then added to a\ncompletions list for cancellation.\r\n\r\nProcessing of any further jobs from the txq list continues, but since\n\"fail_msg\" remains set, jobs are added to the completions list regardless\nof whether a wqe was passed to the adapter.  If successfully added to\ntxcmplq, jobs are added to both lists resulting in list corruption.\r\n\r\nFix by clearing the fail_msg string after adding a job to the completions\nlist. This stops the subsequent jobs from being added to the completions\nlist unless they had an appropriate failure.(CVE-2021-47203)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: usb-audio: fix null pointer dereference on pointer cs_desc\r\n\r\nThe pointer cs_desc return from snd_usb_find_clock_source could\nbe null, so there is a potential null pointer dereference issue.\nFix this by adding a null check before dereference.(CVE-2021-47211)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: advansys: Fix kernel pointer leak\r\n\r\nPointers should be printed with %p or %px rather than cast to 'unsigned\nlong' and printed with %lx.\r\n\r\nChange %lx to %p to print the hashed pointer.(CVE-2021-47216)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nx86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails\r\n\r\nCheck for a valid hv_vp_index array prior to derefencing hv_vp_index when\nsetting Hyper-V's TSC change callback.  If Hyper-V setup failed in\nhyperv_init(), the kernel will still report that it's running under\nHyper-V, but will have silently disabled nearly all functionality.\r\n\r\n  BUG: kernel NULL pointer dereference, address: 0000000000000010\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: 0000 [#1] SMP\n  CPU: 4 PID: 1 Comm: swapper/0 Not tainted 5.15.0-rc2+ #75\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n  RIP: 0010:set_hv_tscchange_cb+0x15/0xa0\n  Code: <8b> 04 82 8b 15 12 17 85 01 48 c1 e0 20 48 0d ee 00 01 00 f6 c6 08\n  ...\n  Call Trace:\n   kvm_arch_init+0x17c/0x280\n   kvm_init+0x31/0x330\n   vmx_init+0xba/0x13a\n   do_one_initcall+0x41/0x1c0\n   kernel_init_freeable+0x1f2/0x23b\n   kernel_init+0x16/0x120\n   ret_from_fork+0x22/0x30(CVE-2021-47217)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: hub: Guard against accesses to uninitialized BOS descriptors\r\n\r\nMany functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h\naccess fields inside udev->bos without checking if it was allocated and\ninitialized. If usb_get_bos_descriptor() fails for whatever\nreason, udev->bos will be NULL and those accesses will result in a\ncrash:\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000018\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 5 PID: 17818 Comm: kworker/5:1 Tainted: G W 5.15.108-18910-gab0e1cb584e1 #1 <HASH:1f9e 1>\nHardware name: Google Kindred/Kindred, BIOS Google_Kindred.12672.413.0 02/03/2021\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:hub_port_reset+0x193/0x788\nCode: 89 f7 e8 20 f7 15 00 48 8b 43 08 80 b8 96 03 00 00 03 75 36 0f b7 88 92 03 00 00 81 f9 10 03 00 00 72 27 48 8b 80 a8 03 00 00 <48> 83 78 18 00 74 19 48 89 df 48 8b 75 b0 ba 02 00 00 00 4c 89 e9\nRSP: 0018:ffffab740c53fcf8 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffffa1bc5f678000 RCX: 0000000000000310\nRDX: fffffffffffffdff RSI: 0000000000000286 RDI: ffffa1be9655b840\nRBP: ffffab740c53fd70 R08: 00001b7d5edaa20c R09: ffffffffb005e060\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: ffffab740c53fd3e R14: 0000000000000032 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffffa1be96540000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000018 CR3: 000000022e80c005 CR4: 00000000003706e0\nCall Trace:\nhub_event+0x73f/0x156e\n? hub_activate+0x5b7/0x68f\nprocess_one_work+0x1a2/0x487\nworker_thread+0x11a/0x288\nkthread+0x13a/0x152\n? process_one_work+0x487/0x487\n? kthread_associate_blkcg+0x70/0x70\nret_from_fork+0x1f/0x30\r\n\r\nFall back to a default behavior if the BOS descriptor isn't accessible\nand skip all the functionalities that depend on it: LPM support checks,\nSuper Speed capabilitiy checks, U1/U2 states setup.(CVE-2023-52477)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbinder: fix race between mmput() and do_exit()\r\n\r\nTask A calls binder_update_page_range() to allocate and insert pages on\na remote address space from Task B. For this, Task A pins the remote mm\nvia mmget_not_zero() first. This can race with Task B do_exit() and the\nfinal mmput() refcount decrement will come from Task A.\r\n\r\n  Task A            | Task B\n  ------------------+------------------\n  mmget_not_zero()  |\n                    |  do_exit()\n                    |    exit_mm()\n                    |      mmput()\n  mmput()           |\n    exit_mmap()     |\n      remove_vma()  |\n        fput()      |\r\n\r\nIn this case, the work of ____fput() from Task B is queued up in Task A\nas TWA_RESUME. So in theory, Task A returns to userspace and the cleanup\nwork gets executed. However, Task A instead sleep, waiting for a reply\nfrom Task B that never comes (it's dead).\r\n\r\nThis means the binder_deferred_release() is blocked until an unrelated\nbinder event forces Task A to go back to userspace. All the associated\ndeath notifications will also be delayed until then.\r\n\r\nIn order to fix this use mmput_async() that will schedule the work in\nthe corresponding mm->async_put_work WQ instead of Task A.(CVE-2023-52609)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nllc: Drop support for ETH_P_TR_802_2.\r\n\r\nsyzbot reported an uninit-value bug below. [0]\r\n\r\nllc supports ETH_P_802_2 (0x0004) and used to support ETH_P_TR_802_2\n(0x0011), and syzbot abused the latter to trigger the bug.\r\n\r\n  write$tun(r0, &(0x7f0000000040)={@val={0x0, 0x11}, @val, @mpls={[], @llc={@snap={0xaa, 0x1, ')', \"90e5dd\"}}}}, 0x16)\r\n\r\nllc_conn_handler() initialises local variables {saddr,daddr}.mac\nbased on skb in llc_pdu_decode_sa()/llc_pdu_decode_da() and passes\nthem to __llc_lookup().\r\n\r\nHowever, the initialisation is done only when skb->protocol is\nhtons(ETH_P_802_2), otherwise, __llc_lookup_established() and\n__llc_lookup_listener() will read garbage.\r\n\r\nThe missing initialisation existed prior to commit 211ed865108e\n(\"net: delete all instances of special processing for token ring\").\r\n\r\nIt removed the part to kick out the token ring stuff but forgot to\nclose the door allowing ETH_P_TR_802_2 packets to sneak into llc_rcv().\r\n\r\nLet's remove llc_tr_packet_type and complete the deprecation.\r\n\r\n[0]:\nBUG: KMSAN: uninit-value in __llc_lookup_established+0xe9d/0xf90\n __llc_lookup_established+0xe9d/0xf90\n __llc_lookup net/llc/llc_conn.c:611 [inline]\n llc_conn_handler+0x4bd/0x1360 net/llc/llc_conn.c:791\n llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206\n __netif_receive_skb_one_core net/core/dev.c:5527 [inline]\n __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5641\n netif_receive_skb_internal net/core/dev.c:5727 [inline]\n netif_receive_skb+0x58/0x660 net/core/dev.c:5786\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\n tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2020 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x8ef/0x1490 fs/read_write.c:584\n ksys_write+0x20f/0x4c0 fs/read_write.c:637\n __do_sys_write fs/read_write.c:649 [inline]\n __se_sys_write fs/read_write.c:646 [inline]\n __x64_sys_write+0x93/0xd0 fs/read_write.c:646\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nLocal variable daddr created at:\n llc_conn_handler+0x53/0x1360 net/llc/llc_conn.c:783\n llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206\r\n\r\nCPU: 1 PID: 5004 Comm: syz-executor994 Not tainted 6.6.0-syzkaller-14500-g1c41041124bd #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023(CVE-2024-26635)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nllc: make llc_ui_sendmsg() more robust against bonding changes\r\n\r\nsyzbot was able to trick llc_ui_sendmsg(), allocating an skb with no\nheadroom, but subsequently trying to push 14 bytes of Ethernet header [1]\r\n\r\nLike some others, llc_ui_sendmsg() releases the socket lock before\ncalling sock_alloc_send_skb().\nThen it acquires it again, but does not redo all the sanity checks\nthat were performed.\r\n\r\nThis fix:\r\n\r\n- Uses LL_RESERVED_SPACE() to reserve space.\n- Check all conditions again after socket lock is held again.\n- Do not account Ethernet header for mtu limitation.\r\n\r\n[1]\r\n\r\nskbuff: skb_under_panic: text:ffff800088baa334 len:1514 put:14 head:ffff0000c9c37000 data:ffff0000c9c36ff2 tail:0x5dc end:0x6c0 dev:bond0\r\n\r\n kernel BUG at net/core/skbuff.c:193 !\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\nModules linked in:\nCPU: 0 PID: 6875 Comm: syz-executor.0 Not tainted 6.7.0-rc8-syzkaller-00101-g0802e17d9aca-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : skb_panic net/core/skbuff.c:189 [inline]\n pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203\n lr : skb_panic net/core/skbuff.c:189 [inline]\n lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203\nsp : ffff800096f97000\nx29: ffff800096f97010 x28: ffff80008cc8d668 x27: dfff800000000000\nx26: ffff0000cb970c90 x25: 00000000000005dc x24: ffff0000c9c36ff2\nx23: ffff0000c9c37000 x22: 00000000000005ea x21: 00000000000006c0\nx20: 000000000000000e x19: ffff800088baa334 x18: 1fffe000368261ce\nx17: ffff80008e4ed000 x16: ffff80008a8310f8 x15: 0000000000000001\nx14: 1ffff00012df2d58 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000001 x10: 0000000000ff0100 x9 : e28a51f1087e8400\nx8 : e28a51f1087e8400 x7 : ffff80008028f8d0 x6 : 0000000000000000\nx5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff800082b78714\nx2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000089\nCall trace:\n  skb_panic net/core/skbuff.c:189 [inline]\n  skb_under_panic+0x13c/0x140 net/core/skbuff.c:203\n  skb_push+0xf0/0x108 net/core/skbuff.c:2451\n  eth_header+0x44/0x1f8 net/ethernet/eth.c:83\n  dev_hard_header include/linux/netdevice.h:3188 [inline]\n  llc_mac_hdr_init+0x110/0x17c net/llc/llc_output.c:33\n  llc_sap_action_send_xid_c+0x170/0x344 net/llc/llc_s_ac.c:85\n  llc_exec_sap_trans_actions net/llc/llc_sap.c:153 [inline]\n  llc_sap_next_state net/llc/llc_sap.c:182 [inline]\n  llc_sap_state_process+0x1ec/0x774 net/llc/llc_sap.c:209\n  llc_build_and_send_xid_pkt+0x12c/0x1c0 net/llc/llc_sap.c:270\n  llc_ui_sendmsg+0x7bc/0xb1c net/llc/af_llc.c:997\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg net/socket.c:745 [inline]\n  sock_sendmsg+0x194/0x274 net/socket.c:767\n  splice_to_socket+0x7cc/0xd58 fs/splice.c:881\n  do_splice_from fs/splice.c:933 [inline]\n  direct_splice_actor+0xe4/0x1c0 fs/splice.c:1142\n  splice_direct_to_actor+0x2a0/0x7e4 fs/splice.c:1088\n  do_splice_direct+0x20c/0x348 fs/splice.c:1194\n  do_sendfile+0x4bc/0xc70 fs/read_write.c:1254\n  __do_sys_sendfile64 fs/read_write.c:1322 [inline]\n  __se_sys_sendfile64 fs/read_write.c:1308 [inline]\n  __arm64_sys_sendfile64+0x160/0x3b4 fs/read_write.c:1308\n  __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]\n  invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51\n  el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136\n  do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155\n  el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678\n  el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696\n  el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595\nCode: aa1803e6 aa1903e7 a90023f5 94792f6a (d4210000)(CVE-2024-26636)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: add sanity checks to rx zerocopy\r\n\r\nTCP rx zerocopy intent is to map pages initially allocated\nfrom NIC drivers, not pages owned by a fs.\r\n\r\nThis patch adds to can_map_frag() these additional checks:\r\n\r\n- Page must not be a compound one.\n- page->mapping must be NULL.\r\n\r\nThis fixes the panic reported by ZhangPeng.\r\n\r\nsyzbot was able to loopback packets built with sendfile(),\nmapping pages owned by an ext4 file to TCP rx zerocopy.\r\n\r\nr3 = socket$inet_tcp(0x2, 0x1, 0x0)\nmmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0)\nr4 = socket$inet_tcp(0x2, 0x1, 0x0)\nbind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10)\nconnect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10)\nr5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00',\n    0x181e42, 0x0)\nfallocate(r5, 0x0, 0x0, 0x85b8)\nsendfile(r4, r5, 0x0, 0x8ba0)\ngetsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23,\n    &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0,\n    0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40)\nr6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00',\n    0x181e42, 0x0)(CVE-2024-26640)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()\r\n\r\nsyzbot found __ip6_tnl_rcv() could access unitiliazed data [1].\r\n\r\nCall pskb_inet_may_pull() to fix this, and initialize ipv6h\nvariable after this call as it can change skb->head.\r\n\r\n[1]\n BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321\n  __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n  INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n  IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321\n  ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727\n  __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845\n  ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888\n gre_rcv+0x143f/0x1870\n  ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438\n  ip6_input_finish net/ipv6/ip6_input.c:483 [inline]\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\n  ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\n  dst_input include/net/dst.h:461 [inline]\n  ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310\n  __netif_receive_skb_one_core net/core/dev.c:5532 [inline]\n  __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646\n  netif_receive_skb_internal net/core/dev.c:5732 [inline]\n  netif_receive_skb+0x58/0x660 net/core/dev.c:5791\n  tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\n  tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n  call_write_iter include/linux/fs.h:2084 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0x786/0x1200 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was created at:\n  slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n  slab_alloc_node mm/slub.c:3478 [inline]\n  kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n  __alloc_skb+0x318/0x740 net/core/skbuff.c:651\n  alloc_skb include/linux/skbuff.h:1286 [inline]\n  alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334\n  sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787\n  tun_alloc_skb drivers/net/tun.c:1531 [inline]\n  tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n  call_write_iter include/linux/fs.h:2084 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0x786/0x1200 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nCPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023(CVE-2024-26641)",
+    "cves": [
+      {
+        "id": "CVE-2024-26641",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26641",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1616": {
+    "id": "openEuler-SA-2023-1616",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1616",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\n(CVE-2023-3865)\r\n\r\n(CVE-2023-3866)\r\n\r\nA use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs during device initialization when the siano device is plugged in. This flaw allows a local user to crash the system, causing a denial of service condition.(CVE-2023-4132)\r\n\r\nA flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index and merging file name parts belonging to one file into a single long file name. Since the file name characters are copied into a stack variable, a local privileged attacker could use this flaw to overflow the kernel stack.(CVE-2023-4273)",
+    "cves": [
+      {
+        "id": "CVE-2023-4273",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4273",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1956": {
+    "id": "openEuler-SA-2023-1956",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1956",
+    "title": "An update for freeradius is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service.\r\n\r\nSecurity Fix(es):\r\n\r\nIn freeradius, the EAP-PWD function compute_password_element() leaks information about the password which allows an attacker to substantially reduce the size of an offline dictionary attack.(CVE-2022-41859)",
+    "cves": [
+      {
+        "id": "CVE-2022-41859",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41859",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1639": {
+    "id": "openEuler-SA-2023-1639",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1639",
+    "title": "An update for python3 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.(CVE-2022-48566)",
+    "cves": [
+      {
+        "id": "CVE-2022-48566",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48566",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1908": {
+    "id": "openEuler-SA-2022-1908",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1908",
+    "title": "An update for curl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Low",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen curl is used to retrieve and parse cookies from an HTTP(S) server, it accepts cookies using control codes (byte values below 32). When cookies that contain such control codes are later sent back to an HTTP(S) server, it might make the server return a 400 response. Effectively allowing a \"sister site\" to deny service to siblings.\r\n\r\nReference:\r\n\r\nhttps://curl.se/docs/CVE-2022-35252.html(CVE-2022-35252)",
+    "cves": [
+      {
+        "id": "CVE-2022-35252",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35252",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1282": {
+    "id": "openEuler-SA-2023-1282",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1282",
+    "title": "An update for ntp is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "NTP is a protocol designed to synchronize the clocks of computers over a network, NTP version 4, a significant revision of the previous NTP standard, is the current development version. It is formalized by RFCs released by the IETF.\r\n\r\nSecurity Fix(es):\r\n\r\nmstolfp in libntp/mstolfp.c in NTP 4.2.8p15 has an out-of-bounds write in the cp<cpdec while loop. An adversary may be able to attack a client ntpq process, but cannot attack ntpd.(CVE-2023-26551)\r\n\r\nmstolfp in libntp/mstolfp.c in NTP 4.2.8p15 has an out-of-bounds write when adding a '\\0' character. An adversary may be able to attack a client ntpq process, but cannot attack ntpd.(CVE-2023-26554)\r\n\r\nmstolfp in libntp/mstolfp.c in NTP 4.2.8p15 has an out-of-bounds write when copying the trailing number. An adversary may be able to attack a client ntpq process, but cannot attack ntpd.(CVE-2023-26553)\r\n\r\nmstolfp in libntp/mstolfp.c in NTP 4.2.8p15 has an out-of-bounds write when adding a decimal point. An adversary may be able to attack a client ntpq process, but cannot attack ntpd.(CVE-2023-26552)",
+    "cves": [
+      {
+        "id": "CVE-2023-26552",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26552",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1392": {
+    "id": "openEuler-SA-2023-1392",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1392",
+    "title": "An update for libX11 is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Core X11 protocol client library.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in libX11. The security flaw occurs because the functions in src/InitExt.c in libX11 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, using those IDs as array indexes. They trust that they were called with values provided by an Xserver adhering to the bounds specified in the X11 protocol, as all X servers provided by X.Org do. As the protocol only specifies a single byte for these values, an out-of-bounds value provided by a malicious server (or a malicious proxy-in-the-middle) can only overwrite other portions of the Display structure and not write outside the bounds of the Display structure itself, possibly causing the client to crash with this memory corruption.(CVE-2023-3138)",
+    "cves": [
+      {
+        "id": "CVE-2023-3138",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3138",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1117": {
+    "id": "openEuler-SA-2024-1117",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1117",
+    "title": "An update for shim is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Initial UEFI bootloader that handles chaining to a trusted full \\ bootloader under secure boot environments.\r\n\r\nSecurity Fix(es):\r\n\r\nA remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise.(CVE-2023-40547)\r\n\r\nA buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed from the PE binary being used by Shim. This value is further used for memory allocation operations, leading to a heap-based buffer overflow. This flaw causes memory corruption and can lead to a crash or data integrity issues during the boot phase.(CVE-2023-40548)\r\n\r\nAn out-of-bounds read flaw was found in Shim due to the lack of proper boundary verification during the load of a PE binary. This flaw allows an attacker to load a crafted PE binary, triggering the issue and crashing Shim, resulting in a denial of service.(CVE-2023-40549)\r\n\r\nAn out-of-bounds read flaw was found in Shim when it tried to validate the SBAT information. This issue may expose sensitive data during the system's boot phase.(CVE-2023-40550)\r\n\r\nA flaw was found in the MZ binary format in Shim. An out-of-bounds read may occur, leading to a crash or possible exposure of sensitive data during the system's boot phase.(CVE-2023-40551)",
+    "cves": [
+      {
+        "id": "CVE-2023-40551",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40551",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1367": {
+    "id": "openEuler-SA-2024-1367",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1367",
+    "title": "An update for rubygem-activestorage is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Attach cloud and local files in Rails applications.\r\n\r\nSecurity Fix(es):\r\n\r\nRails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7.(CVE-2024-26144)",
+    "cves": [
+      {
+        "id": "CVE-2024-26144",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26144",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1359": {
+    "id": "openEuler-SA-2023-1359",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1359",
+    "title": "An update for c-ares is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "This is c-ares, an asynchronous resolver library. It is intended for applications which need to perform DNS queries without blocking, or need to perform multiple\n\nSecurity Fix(es):\n\nc-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular \"0::00:00:00/2\" was found to cause an issue.  C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.\n(CVE-2023-31130)",
+    "cves": [
+      {
+        "id": "CVE-2023-31130",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31130",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2114": {
+    "id": "openEuler-SA-2022-2114",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2114",
+    "title": "An update for nodejs is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in NodeJS. The issue occurs in the Node.js rebinding protector for --inspect that still allows invalid IP addresses, specifically, the octal format. This flaw allows an attacker to perform DNS rebinding and execute arbitrary code.(CVE-2022-43548)",
+    "cves": [
+      {
+        "id": "CVE-2022-43548",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43548",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1974": {
+    "id": "openEuler-SA-2022-1974",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1974",
+    "title": "An update for squid is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Squid is a high-performance proxy caching server. It handles all requests in a single, non-blocking, I/O-driven process and keeps meta data and implements negative caching of failed requests.\r\n\r\nSecurity Fix(es):\r\n\r\nExposure of Sensitive Information in Cache Manager \nhttps://github.com/squid-cache/squid/security/advisories/GHSA-rcg9-7fqm-83mq(CVE-2022-41317)\r\n\r\nBuffer Over Read in SSPI and SMB Authentication \nhttps://github.com/squid-cache/squid/security/advisories/GHSA-394c-rr7q-6g78(CVE-2022-41318)",
+    "cves": [
+      {
+        "id": "CVE-2022-41318",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41318",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1031": {
+    "id": "openEuler-SA-2021-1031",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1031",
+    "title": "An update for freeradius is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nIn FreeRADIUS 3.0 through 3.0.19, on average 1 in every 2048 EAP-pwd handshakes fails because the password element cannot be found within 10 iterations of the hunting and pecking loop. This leaks information that an attacker can use to recover the password of any user. This information leakage is similar to the \"Dragonblood\" attack and CVE-2019-9494.(CVE-2019-13456)\\r\\n\\r\\n\nIn FreeRADIUS 3.0.x before 3.0.20, the EAP-pwd module used a global OpenSSL BN_CTX instance to handle all handshakes. This mean multiple threads use the same BN_CTX instance concurrently, resulting in crashes when concurrent EAP-pwd handshakes are initiated. This can be abused by an adversary as a Denial-of-Service (DoS) attack.(CVE-2019-17185)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2019-17185",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17185",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1090": {
+    "id": "openEuler-SA-2021-1090",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1090",
+    "title": "An update for screen is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Screen is a full-screen window manager that multiplexes a physical terminal between several processes, typically interactive shells. \r\n\r\nSecurity Fix(es):\r\n\r\nencoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence.(CVE-2021-26937)",
+    "cves": [
+      {
+        "id": "CVE-2021-26937",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26937",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1643": {
+    "id": "openEuler-SA-2024-1643",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1643",
+    "title": "An update for skopeo is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "A command line utility that performs various operations on container images and image repositories\r\n\r\nSecurity Fix(es):\r\n\r\nThe HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.(CVE-2023-29406)",
+    "cves": [
+      {
+        "id": "CVE-2023-29406",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29406",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1198": {
+    "id": "openEuler-SA-2024-1198",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1198",
+    "title": "An update for containers-common is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "This package contains common configuration files and documentation for container tools ecosystem, such as Podman, Buildah and Skopeo.\r\n\r\nSecurity Fix(es):\r\n\r\nImproper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.(CVE-2022-32148)",
+    "cves": [
+      {
+        "id": "CVE-2022-32148",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32148",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1573": {
+    "id": "openEuler-SA-2023-1573",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1573",
+    "title": "An update for json-c is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "JSON-C implements a reference counting object model that allows you to easily construct JSON objects in C, output them as JSON formatted strings and parse JSON formatted strings back into the C representation of JSON objects.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in json-c through 0.15-20200726. A stack-buffer-overflow exists in the function parseit located in json_parse.c. It allows an attacker to cause code Execution.(CVE-2021-32292)",
+    "cves": [
+      {
+        "id": "CVE-2021-32292",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32292",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1497": {
+    "id": "openEuler-SA-2022-1497",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1497",
+    "title": "An update for ruby is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Object-oriented scripting language interpreter.\r\n\r\nSecurity Fix(es):\r\n\r\nCGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.(CVE-2021-41819)",
+    "cves": [
+      {
+        "id": "CVE-2021-41819",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41819",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1424": {
+    "id": "openEuler-SA-2024-1424",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1424",
+    "title": "An update for flatpak is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "flatpak is a system for building, distributing and running sandboxed desktop applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for more information.\r\n\r\nSecurity Fix(es):\r\n\r\nFlatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment.(CVE-2023-28100)\r\n\r\nFlatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.(CVE-2023-28101)",
+    "cves": [
+      {
+        "id": "CVE-2023-28101",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28101",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1292": {
+    "id": "openEuler-SA-2024-1292",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1292",
+    "title": "An update for aops-zeus is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "A host and user manager service which is the foundation of aops.\r\n\r\nSecurity Fix(es):\r\n\r\nIn aops-zeus software versions 1.2.0~1.4.1, there is a vulnerability in the plugin management command of the zeus/conf/constant file. Through this vulnerability, an attacker can implant arbitrary commands to be executed on the remote host, which may cause the remote host system to crash, suffering serious consequences of security threats and losses.(CVE-2024-24899)",
+    "cves": [
+      {
+        "id": "CVE-2024-24899",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24899",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1988": {
+    "id": "openEuler-SA-2023-1988",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1988",
+    "title": "An update for hdf5 is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "HDF5 is a data model, library, and file format for storing and managing data. It supports an unlimited variety of datatypes, and is designed for flexible and efficient I/O and for high volume and complex data. HDF5 is portable and is extensible, allowing applications to evolve in their use of HDF5. The HDF5 Technology suite includes tools and applications for managing, manipulating, viewing, and analyzing data in the HDF5 format.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap-based buffer overflow in ReadGifImageDesc() in gifread.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service via a crafted HDF5 file. This issue was triggered while converting a GIF file to an HDF file.(CVE-2018-17433)\r\n\r\nReadCode() in decompress.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service (invalid write access) via a crafted HDF5 file. This issue was triggered while converting a GIF file to an HDF file.(CVE-2018-17436)\r\n\r\nAn issue was discovered in HDF5 through 1.12.0. A heap-based buffer overflow exists in the function Decompress() located in decompress.c. It can be triggered by sending a crafted file to the gif2h5 binary. It allows an attacker to cause Denial of Service.(CVE-2020-10809)",
+    "cves": [
+      {
+        "id": "CVE-2020-10809",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10809",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1899": {
+    "id": "openEuler-SA-2023-1899",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1899",
+    "title": "An update for arm-trusted-firmware is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Trusted Firmware-A is a reference implementation of secure world software for Arm A-Profile architectures (Armv8-A and Armv7-A), including an Exception Level 3 (EL3) Secure Monitor.\r\n\r\nSecurity Fix(es):\r\n\r\nTrusted Firmware-A through 2.8 has an out-of-bounds read in the X.509 parser for parsing boot certificates. This affects downstream use of get_ext and auth_nvctr. Attackers might be able to trigger dangerous read side effects or obtain sensitive information about microarchitectural state.(CVE-2022-47630)",
+    "cves": [
+      {
+        "id": "CVE-2022-47630",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47630",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1260": {
+    "id": "openEuler-SA-2023-1260",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1260",
+    "title": "An update for wireshark is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Wireshark is an open source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer. Wireshark, formerly known as Ethereal, can be used to examine the details of traffic at a variety of levels ranging from connection-level information to the bits that make up a single packet. Packet capture can provide a network administrator with information about individual packets such as transmit time, source, destination, protocol type and header data. This information can be useful for evaluating security events and troubleshooting network security device issues.\n\r\n\r\nSecurity Fix(es):\r\n\r\nLISP dissector large loop in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6.12 allows denial of service via packet injection or crafted capture file(CVE-2023-1993)\r\n\r\nRPCoRDMA dissector crash in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6.12 allows denial of service via packet injection or crafted capture file(CVE-2023-1992)\r\n\r\nGQUIC dissector crash in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6.12 allows denial of service via packet injection or crafted capture file(CVE-2023-1994)",
+    "cves": [
+      {
+        "id": "CVE-2023-1994",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1994",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1317": {
+    "id": "openEuler-SA-2023-1317",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1317",
+    "title": "An update for libwebp is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "This is an image format that does lossy compression of digital photographic images. WebP consists of a codec based on VP8, and a container based on RIFF. Webmasters, web developers and browser developers can use WebP to compress, archive and distribute digital images more efficiently.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in libwebp (affected version unknown). It has been declared as critical. Affected by this vulnerability is an unknown code of the component Image File Handler. There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.(CVE-2023-1999)",
+    "cves": [
+      {
+        "id": "CVE-2023-1999",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1999",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1608": {
+    "id": "openEuler-SA-2024-1608",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1608",
+    "title": "An update for ruby is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Low",
+    "description": "Ruby is a fast and easy interpreted scripting language for object-oriented programming. It has many functions for processing text Files and perform system management tasks (such as Perl).\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1.(CVE-2024-27282)",
+    "cves": [
+      {
+        "id": "CVE-2024-27282",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27282",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1879": {
+    "id": "openEuler-SA-2023-1879",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1879",
+    "title": "An update for qt is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Qt (pronounced as \"cute\", not \"cu-tee\") is a cross-platform framework that is usually used as a graphical toolkit, although it is also very helpful in creating CLI applications. It runs on the three major desktop OSes, as well as on mobile OSes, such as Symbian, Nokia Belle, Meego Harmattan, MeeGo or BB10, and on embedded devices. Ports for Android (Necessitas) and iOS are also in development\r\n\r\nSecurity Fix(es):\r\n\r\nIn Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.(CVE-2023-37369)\r\n\r\nAn issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.(CVE-2023-38197)\r\n\r\nAn issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.(CVE-2023-43114)",
+    "cves": [
+      {
+        "id": "CVE-2023-43114",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1173": {
+    "id": "openEuler-SA-2023-1173",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1173",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn binder_transaction_buffer_release of binder.c, there is a possible use after free due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-257685302References: Upstream kernel(CVE-2023-20938)\r\n\r\nThere is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege. There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock. When CONFIG_TLS is enabled, user can install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable. The setsockopt TCP_ULP operation does not require any privilege. We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c(CVE-2023-0461)\r\n\r\nA flaw in the Linux Kernel found. Fail if no bound addresses can be used for a given scope. A type confusion can happen in inet_diag_msg_sctpasoc_fill() in net/sctp/diag.c, which uses a type confused pointer to return information to userspace when issuing a list_entry() on asoc->base.bind_addr.address_list.next when the list is empty.\r\n\r\nReferences:\nhttps://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=458e279f861d3f61796894cd158b780765a1569f\nhttps://www.openwall.com/lists/oss-security/2023/01/23/1(CVE-2023-1074)\r\n\r\nA flaw found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info` actually points to something else that is potentially controlled by local user.\nIt is known how to trigger this, which causes an OOB access, and a lock corruption.\r\n\r\nReference:\nhttps://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=f753a68980cf4b59a80fe677619da2b1804f526d(CVE-2023-1078)\r\n\r\nA flaw found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function.\nWhile it will be often correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability.\nThis would make tun/tap sockets being incorrectly treated in filtering/routing decisions, possibly bypassing network filters.\r\n\r\nReferences:\nhttps://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=66b2c338adce580dfce2199591e65e2bab889cff\nhttps://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=a096ccca6e503a5c575717ff8a36ace27510ab0a(CVE-2023-1076)\r\n\r\nA flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.(CVE-2023-1118)\n\nIn the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device.(CVE-2023-26545)",
+    "cves": [
+      {
+        "id": "CVE-2023-26545",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26545",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1561": {
+    "id": "openEuler-SA-2023-1561",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1561",
+    "title": "An update for poppler is now available for openEuler-20.03-LTS-SP1,openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "poppler is a PDF rendering library.\r\n\r\nSecurity Fix(es):\r\n\r\nUncontrolled Recursion in pdfinfo, and pdftops in poppler 0.89.0 allows remote attackers to cause a denial of service via crafted input.(CVE-2020-23804)\r\n\r\nIn Poppler 22.07.0, PDFDoc::savePageAs in PDFDoc.c callows attackers to cause a denial-of-service (application crashes with SIGABRT) by crafting a PDF file in which the xref data structure is mishandled in getCatalog processing. Note that this vulnerability is caused by the incomplete patch of CVE-2018-20662.(CVE-2022-37050)\r\n\r\nAn issue was discovered in Poppler 22.07.0. There is a reachable abort which leads to denial of service because the main function in pdfunite.cc lacks a stream check before saving an embedded file.(CVE-2022-37051)\r\n\r\nA reachable Object::getString assertion in Poppler 22.07.0 allows attackers to cause a denial of service due to a failure in markObject.(CVE-2022-37052)\r\n\r\nAn issue was discovered in Poppler 22.08.0. There is a reachable assertion in Object.h, will lead to denial of service because PDFDoc::replacePageDict in PDFDoc.cc lacks a stream check before saving an embedded file.(CVE-2022-38349)",
+    "cves": [
+      {
+        "id": "CVE-2022-38349",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38349",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1034": {
+    "id": "openEuler-SA-2021-1034",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1034",
+    "title": "An update for djvulibre is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "DjVu is a set of compression technologies, a file format, and a software platform for the deliveryover the Web of digital documents, scanned documents, and high resolution images.DjVu documents download and display extremely quickly, and look exactly the same on all platforms with no compatibility problems due to fonts, colors, etc. DjVu can be seen as a superior alternative to PDF and PostScript for digital documents, to TIFF (and PDF) for scanned bitonal documents, to JPEG and JPEG2000 for photographs and pictures, and to GIF for large palettized images. DjVu is the only Web format that is practical for distributing high-resolution scanned documents in color.\n\r\nSecurity Fix(es):\n\r\nDjVuLibre 3.5.27 has a NULL pointer dereference in the function DJVU::filter_fv at IW44EncodeCodec.cpp.(CVE-2019-18804)\n\r\nDjVuLibre 3.5.27 allows attackers to cause a denial-of-service attack (application crash via an out-of-bounds read) by crafting a corrupted JB2 image file that is mishandled in JB2Dict::JB2Codec::get_direct_context in libdjvu/JB2Image.h because of a missing zero-bytes check in libdjvu/GBitmap.h.(CVE-2019-15145)\n\nIn DjVuLibre 3.5.27, DjVmDir.cpp in the DJVU reader component allows attackers to cause a denial-of-service (application crash in GStringRep::strdup in libdjvu/GString.cpp caused by a heap-based buffer over-read) by crafting a DJVU file.(CVE-2019-15142)\n\nIn DjVuLibre 3.5.27, the bitmap reader component allows attackers to cause a denial-of-service error (resource exhaustion caused by a GBitmap::read_rle_raw infinite loop) by crafting a corrupted image file, related to libdjvu/DjVmDir.cpp and libdjvu/GBitmap.cpp.(CVE-2019-15143)\n\nIn DjVuLibre 3.5.27, the sorting functionality allows attackers to cause a denial-of-service (application crash due to an Uncontrolled Recursion) by crafting a PBM image file that is mishandled in libdjvu/GContainer.h.(CVE-2019-15144)",
+    "cves": [
+      {
+        "id": "CVE-2019-15144",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15144",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1626": {
+    "id": "openEuler-SA-2022-1626",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1626",
+    "title": "An update for cifs-utils is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The in-kernel CIFS filesystem is generally the preferred method for mounting SMB/CIFS shares on Linux. The in-kernel CIFS filesystem relies on a set of user-space tools. That package of tools is called cifs-utils.Although not really part of Samba proper, these tools were originally part of the Samba package. For several reasons, shipping these tools as part of Samba was problematic and it was deemed better to split them off into their own package.\r\n\r\nSecurity Fix(es):\r\n\r\ncifs-utils through 6.14, with verbose logging, can cause an information leak when a file contains = (equal sign) characters but is not a valid credentials file.(CVE-2022-29869)\n\nIn cifs-utils through 6.14, a stack-based buffer overflow when parsing the mount.cifs ip= command-line argument could lead to local attackers gaining root privileges.(CVE-2022-27239)",
+    "cves": [
+      {
+        "id": "CVE-2022-27239",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27239",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1192": {
+    "id": "openEuler-SA-2024-1192",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1192",
+    "title": "An update for mod_auth_openidc is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party(RP) to an OpenID Connect Provider(OP).\r\n\r\nSecurity Fix(es):\r\n\r\nmod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In affected versions missing input validation on mod_auth_openidc_session_chunks cookie value makes the server vulnerable to a denial of service (DoS) attack. An internal security audit has been conducted and the reviewers found that if they manipulated the value of the mod_auth_openidc_session_chunks cookie to a very large integer, like 99999999, the server struggles with the request for a long time and finally gets back with a 500 error. Making a few requests of this kind caused our server to become unresponsive. Attackers can craft requests that would make the server work very hard (and possibly become unresponsive) and/or crash with minimal effort. This issue has been addressed in version 2.4.15.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2024-24814)",
+    "cves": [
+      {
+        "id": "CVE-2024-24814",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24814",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1840": {
+    "id": "openEuler-SA-2024-1840",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1840",
+    "title": "An update for openvpn is now available for openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-24.03-LTS",
+    "severity": "Medium",
+    "description": "OpenVPN is a full-featured open source SSL VPN solution that accommodates a wide range of configurations,  including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing,  failover, and fine-grained access-controls. Starting with the fundamental premise that complexity is the enemy of security,  OpenVPN offers a cost-effective, lightweight alternative to other VPN technologies that is well-adapted for the SME and enterprise markets.\r\n\r\nSecurity Fix(es):\r\n\r\nOpenVPN from 2.6.0 through 2.6.10 in a server role accepts multiple exit notifications from authenticated clients which will extend the validity of a closing session(CVE-2024-28882)",
+    "cves": [
+      {
+        "id": "CVE-2024-28882",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28882",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1860": {
+    "id": "openEuler-SA-2024-1860",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1860",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests\r\n\r\nThe FSM can run in a circle allowing rdma_resolve_ip() to be called twice\non the same id_priv. While this cannot happen without going through the\nwork, it violates the invariant that the same address resolution\nbackground request cannot be active twice.\r\n\r\n       CPU 1                                  CPU 2\r\n\r\nrdma_resolve_addr():\n  RDMA_CM_IDLE -> RDMA_CM_ADDR_QUERY\n  rdma_resolve_ip(addr_handler)  #1\r\n\r\n\t\t\t process_one_req(): for #1\n                          addr_handler():\n                            RDMA_CM_ADDR_QUERY -> RDMA_CM_ADDR_BOUND\n                            mutex_unlock(&id_priv->handler_mutex);\n                            [.. handler still running ..]\r\n\r\nrdma_resolve_addr():\n  RDMA_CM_ADDR_BOUND -> RDMA_CM_ADDR_QUERY\n  rdma_resolve_ip(addr_handler)\n    !! two requests are now on the req_list\r\n\r\nrdma_destroy_id():\n destroy_id_handler_unlock():\n  _destroy_id():\n   cma_cancel_operation():\n    rdma_addr_cancel()\r\n\r\n                          // process_one_req() self removes it\n\t\t          spin_lock_bh(&lock);\n                           cancel_delayed_work(&req->work);\n\t                   if (!list_empty(&req->list)) == true\r\n\r\n      ! rdma_addr_cancel() returns after process_on_req #1 is done\r\n\r\n   kfree(id_priv)\r\n\r\n\t\t\t process_one_req(): for #2\n                          addr_handler():\n\t                    mutex_lock(&id_priv->handler_mutex);\n                            !! Use after free on id_priv\r\n\r\nrdma_addr_cancel() expects there to be one req on the list and only\ncancels the first one. The self-removal behavior of the work only happens\nafter the handler has returned. This yields a situations where the\nreq_list can have two reqs for the same \"handle\" but rdma_addr_cancel()\nonly cancels the first one.\r\n\r\nThe second req remains active beyond rdma_destroy_id() and will\nuse-after-free id_priv once it inevitably triggers.\r\n\r\nFix this by remembering if the id_priv has called rdma_resolve_ip() and\nalways cancel before calling it again. This ensures the req_list never\ngets more than one item in it and doesn't cost anything in the normal flow\nthat never uses this strange error path.(CVE-2021-47391)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/smc: Forward wakeup to smc socket waitqueue after fallback\r\n\r\nWhen we replace TCP with SMC and a fallback occurs, there may be\nsome socket waitqueue entries remaining in smc socket->wq, such\nas eppoll_entries inserted by userspace applications.\r\n\r\nAfter the fallback, data flows over TCP/IP and only clcsocket->wq\nwill be woken up. Applications can't be notified by the entries\nwhich were inserted in smc socket->wq before fallback. So we need\na mechanism to wake up smc socket->wq at the same time if some\nentries remaining in it.\r\n\r\nThe current workaround is to transfer the entries from smc socket->wq\nto clcsock->wq during the fallback. But this may cause a crash\nlike this:\r\n\r\n general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#1] PREEMPT SMP PTI\n CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Tainted: G E     5.16.0+ #107\n RIP: 0010:__wake_up_common+0x65/0x170\n Call Trace:\n  <IRQ>\n  __wake_up_common_lock+0x7a/0xc0\n  sock_def_readable+0x3c/0x70\n  tcp_data_queue+0x4a7/0xc40\n  tcp_rcv_established+0x32f/0x660\n  ? sk_filter_trim_cap+0xcb/0x2e0\n  tcp_v4_do_rcv+0x10b/0x260\n  tcp_v4_rcv+0xd2a/0xde0\n  ip_protocol_deliver_rcu+0x3b/0x1d0\n  ip_local_deliver_finish+0x54/0x60\n  ip_local_deliver+0x6a/0x110\n  ? tcp_v4_early_demux+0xa2/0x140\n  ? tcp_v4_early_demux+0x10d/0x140\n  ip_sublist_rcv_finish+0x49/0x60\n  ip_sublist_rcv+0x19d/0x230\n  ip_list_rcv+0x13e/0x170\n  __netif_receive_skb_list_core+0x1c2/0x240\n  netif_receive_skb_list_internal+0x1e6/0x320\n  napi_complete_done+0x11d/0x190\n  mlx5e_napi_poll+0x163/0x6b0 [mlx5_core]\n  __napi_poll+0x3c/0x1b0\n  net_rx_action+0x27c/0x300\n  __do_softirq+0x114/0x2d2\n  irq_exit_rcu+0xb4/0xe0\n  common_interrupt+0xba/0xe0\n  </IRQ>\n  <TASK>\r\n\r\nThe crash is caused by privately transferring waitqueue entries from\nsmc socket->wq to clcsock->wq. The owners of these entries, such as\nepoll, have no idea that the entries have been transferred to a\ndifferent socket wait queue and still use original waitqueue spinlock\n(smc socket->wq.wait.lock) to make the entries operation exclusive,\nbut it doesn't work. The operations to the entries, such as removing\nfrom the waitqueue (now is clcsock->wq after fallback), may cause a\ncrash when clcsock waitqueue is being iterated over at the moment.\r\n\r\nThis patch tries to fix this by no longer transferring wait queue\nentries privately, but introducing own implementations of clcsock's\ncallback functions in fallback situation. The callback functions will\nforward the wakeup to smc socket->wq if clcsock->wq is actually woken\nup and smc socket->wq has remaining entries.(CVE-2022-48721)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nice: Do not use WQ_MEM_RECLAIM flag for workqueue\r\n\r\nWhen both ice and the irdma driver are loaded, a warning in\ncheck_flush_dependency is being triggered. This is due to ice driver\nworkqueue being allocated with the WQ_MEM_RECLAIM flag and the irdma one\nis not.\r\n\r\nAccording to kernel documentation, this flag should be set if the\nworkqueue will be involved in the kernel's memory reclamation flow.\nSince it is not, there is no need for the ice driver's WQ to have this\nflag set so remove it.\r\n\r\nExample trace:\r\n\r\n[  +0.000004] workqueue: WQ_MEM_RECLAIM ice:ice_service_task [ice] is flushing !WQ_MEM_RECLAIM infiniband:0x0\n[  +0.000139] WARNING: CPU: 0 PID: 728 at kernel/workqueue.c:2632 check_flush_dependency+0x178/0x1a0\n[  +0.000011] Modules linked in: bonding tls xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_cha\nin_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink bridge stp llc rfkill vfat fat intel_rapl_msr intel\n_rapl_common isst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct1\n0dif_pclmul crc32_pclmul ghash_clmulni_intel rapl intel_cstate rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_\ncore_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_cm iw_cm iTCO_wdt iTCO_vendor_support ipmi_ssif irdma mei_me ib_uverbs\nib_core intel_uncore joydev pcspkr i2c_i801 acpi_ipmi mei lpc_ich i2c_smbus intel_pch_thermal ioatdma ipmi_si acpi_power_meter\nacpi_pad xfs libcrc32c sd_mod t10_pi crc64_rocksoft crc64 sg ahci ixgbe libahci ice i40e igb crc32c_intel mdio i2c_algo_bit liba\nta dca wmi dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse\n[  +0.000161]  [last unloaded: bonding]\n[  +0.000006] CPU: 0 PID: 728 Comm: kworker/0:2 Tainted: G S                 6.2.0-rc2_next-queue-13jan-00458-gc20aabd57164 #1\n[  +0.000006] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0010.010620200716 01/06/2020\n[  +0.000003] Workqueue: ice ice_service_task [ice]\n[  +0.000127] RIP: 0010:check_flush_dependency+0x178/0x1a0\n[  +0.000005] Code: 89 8e 02 01 e8 49 3d 40 00 49 8b 55 18 48 8d 8d d0 00 00 00 48 8d b3 d0 00 00 00 4d 89 e0 48 c7 c7 e0 3b 08\n9f e8 bb d3 07 01 <0f> 0b e9 be fe ff ff 80 3d 24 89 8e 02 00 0f 85 6b ff ff ff e9 06\n[  +0.000004] RSP: 0018:ffff88810a39f990 EFLAGS: 00010282\n[  +0.000005] RAX: 0000000000000000 RBX: ffff888141bc2400 RCX: 0000000000000000\n[  +0.000004] RDX: 0000000000000001 RSI: dffffc0000000000 RDI: ffffffffa1213a80\n[  +0.000003] RBP: ffff888194bf3400 R08: ffffed117b306112 R09: ffffed117b306112\n[  +0.000003] R10: ffff888bd983088b R11: ffffed117b306111 R12: 0000000000000000\n[  +0.000003] R13: ffff888111f84d00 R14: ffff88810a3943ac R15: ffff888194bf3400\n[  +0.000004] FS:  0000000000000000(0000) GS:ffff888bd9800000(0000) knlGS:0000000000000000\n[  +0.000003] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  +0.000003] CR2: 000056035b208b60 CR3: 000000017795e005 CR4: 00000000007706f0\n[  +0.000003] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  +0.000003] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  +0.000002] PKRU: 55555554\n[  +0.000003] Call Trace:\n[  +0.000002]  <TASK>\n[  +0.000003]  __flush_workqueue+0x203/0x840\n[  +0.000006]  ? mutex_unlock+0x84/0xd0\n[  +0.000008]  ? __pfx_mutex_unlock+0x10/0x10\n[  +0.000004]  ? __pfx___flush_workqueue+0x10/0x10\n[  +0.000006]  ? mutex_lock+0xa3/0xf0\n[  +0.000005]  ib_cache_cleanup_one+0x39/0x190 [ib_core]\n[  +0.000174]  __ib_unregister_device+0x84/0xf0 [ib_core]\n[  +0.000094]  ib_unregister_device+0x25/0x30 [ib_core]\n[  +0.000093]  irdma_ib_unregister_device+0x97/0xc0 [irdma]\n[  +0.000064]  ? __pfx_irdma_ib_unregister_device+0x10/0x10 [irdma]\n[  +0.000059]  ? up_write+0x5c/0x90\n[  +0.000005]  irdma_remove+0x36/0x90 [irdma]\n[  +0.000062]  auxiliary_bus_remove+0x32/0x50\n[  +0.000007]  device_r\n---truncated---(CVE-2023-52743)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: fix slab out of bounds write in smb_inherit_dacl()\r\n\r\nslab out-of-bounds write is caused by that offsets is bigger than pntsd\nallocation size. This patch add the check to validate 3 offsets using\nallocation size.(CVE-2023-52755)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: btusb: Add date->evt_skb is NULL check\r\n\r\nfix crash because of null pointers\r\n\r\n[ 6104.969662] BUG: kernel NULL pointer dereference, address: 00000000000000c8\n[ 6104.969667] #PF: supervisor read access in kernel mode\n[ 6104.969668] #PF: error_code(0x0000) - not-present page\n[ 6104.969670] PGD 0 P4D 0\n[ 6104.969673] Oops: 0000 [#1] SMP NOPTI\n[ 6104.969684] RIP: 0010:btusb_mtk_hci_wmt_sync+0x144/0x220 [btusb]\n[ 6104.969688] RSP: 0018:ffffb8d681533d48 EFLAGS: 00010246\n[ 6104.969689] RAX: 0000000000000000 RBX: ffff8ad560bb2000 RCX: 0000000000000006\n[ 6104.969691] RDX: 0000000000000000 RSI: ffffb8d681533d08 RDI: 0000000000000000\n[ 6104.969692] RBP: ffffb8d681533d70 R08: 0000000000000001 R09: 0000000000000001\n[ 6104.969694] R10: 0000000000000001 R11: 00000000fa83b2da R12: ffff8ad461d1d7c0\n[ 6104.969695] R13: 0000000000000000 R14: ffff8ad459618c18 R15: ffffb8d681533d90\n[ 6104.969697] FS:  00007f5a1cab9d40(0000) GS:ffff8ad578200000(0000) knlGS:00000\n[ 6104.969699] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 6104.969700] CR2: 00000000000000c8 CR3: 000000018620c001 CR4: 0000000000760ef0\n[ 6104.969701] PKRU: 55555554\n[ 6104.969702] Call Trace:\n[ 6104.969708]  btusb_mtk_shutdown+0x44/0x80 [btusb]\n[ 6104.969732]  hci_dev_do_close+0x470/0x5c0 [bluetooth]\n[ 6104.969748]  hci_rfkill_set_block+0x56/0xa0 [bluetooth]\n[ 6104.969753]  rfkill_set_block+0x92/0x160\n[ 6104.969755]  rfkill_fop_write+0x136/0x1e0\n[ 6104.969759]  __vfs_write+0x18/0x40\n[ 6104.969761]  vfs_write+0xdf/0x1c0\n[ 6104.969763]  ksys_write+0xb1/0xe0\n[ 6104.969765]  __x64_sys_write+0x1a/0x20\n[ 6104.969769]  do_syscall_64+0x51/0x180\n[ 6104.969771]  entry_SYSCALL_64_after_hwframe+0x44/0xa9\n[ 6104.969773] RIP: 0033:0x7f5a21f18fef\n[ 6104.9] RSP: 002b:00007ffeefe39010 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\n[ 6104.969780] RAX: ffffffffffffffda RBX: 000055c10a7560a0 RCX: 00007f5a21f18fef\n[ 6104.969781] RDX: 0000000000000008 RSI: 00007ffeefe39060 RDI: 0000000000000012\n[ 6104.969782] RBP: 00007ffeefe39060 R08: 0000000000000000 R09: 0000000000000017\n[ 6104.969784] R10: 00007ffeefe38d97 R11: 0000000000000293 R12: 0000000000000002\n[ 6104.969785] R13: 00007ffeefe39220 R14: 00007ffeefe391a0 R15: 000055c10a72acf0(CVE-2023-52833)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: compress: fix to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock\r\n\r\nIt needs to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock\nto avoid racing with checkpoint, otherwise, filesystem metadata including\nblkaddr in dnode, inode fields and .total_valid_block_count may be\ncorrupted after SPO case.(CVE-2024-34027)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnull_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'\r\n\r\nWriting 'power' and 'submit_queues' concurrently will trigger kernel\npanic:\r\n\r\nTest script:\r\n\r\nmodprobe null_blk nr_devices=0\nmkdir -p /sys/kernel/config/nullb/nullb0\nwhile true; do echo 1 > submit_queues; echo 4 > submit_queues; done &\nwhile true; do echo 1 > power; echo 0 > power; done\r\n\r\nTest result:\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000148\nOops: 0000 [#1] PREEMPT SMP\nRIP: 0010:__lock_acquire+0x41d/0x28f0\nCall Trace:\n <TASK>\n lock_acquire+0x121/0x450\n down_write+0x5f/0x1d0\n simple_recursive_removal+0x12f/0x5c0\n blk_mq_debugfs_unregister_hctxs+0x7c/0x100\n blk_mq_update_nr_hw_queues+0x4a3/0x720\n nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]\n nullb_device_submit_queues_store+0x79/0xf0 [null_blk]\n configfs_write_iter+0x119/0x1e0\n vfs_write+0x326/0x730\n ksys_write+0x74/0x150\r\n\r\nThis is because del_gendisk() can concurrent with\nblk_mq_update_nr_hw_queues():\r\n\r\nnullb_device_power_store\tnullb_apply_submit_queues\n null_del_dev\n del_gendisk\n\t\t\t\t nullb_update_nr_hw_queues\n\t\t\t\t  if (!dev->nullb)\n\t\t\t\t  // still set while gendisk is deleted\n\t\t\t\t   return 0\n\t\t\t\t  blk_mq_update_nr_hw_queues\n dev->nullb = NULL\r\n\r\nFix this problem by resuing the global mutex to protect\nnullb_device_power_store() and nullb_update_nr_hw_queues() from configfs.(CVE-2024-36478)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq\r\n\r\nUndefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called\nwith hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.\nIn that case, \"roundup_pow_of_two(hwq_attr->aux_stride)\" gets called.\nroundup_pow_of_two is documented as undefined for 0.\r\n\r\nFix it in the one caller that had this combination.\r\n\r\nThe undefined behavior was detected by UBSAN:\n  UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13\n  shift exponent 64 is too large for 64-bit type 'long unsigned int'\n  CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4\n  Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x5d/0x80\n   ubsan_epilogue+0x5/0x30\n   __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec\n   __roundup_pow_of_two+0x25/0x35 [bnxt_re]\n   bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]\n   bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]\n   bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? __kmalloc+0x1b6/0x4f0\n   ? create_qp.part.0+0x128/0x1c0 [ib_core]\n   ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]\n   create_qp.part.0+0x128/0x1c0 [ib_core]\n   ib_create_qp_kernel+0x50/0xd0 [ib_core]\n   create_mad_qp+0x8e/0xe0 [ib_core]\n   ? __pfx_qp_event_handler+0x10/0x10 [ib_core]\n   ib_mad_init_device+0x2be/0x680 [ib_core]\n   add_client_context+0x10d/0x1a0 [ib_core]\n   enable_device_and_get+0xe0/0x1d0 [ib_core]\n   ib_register_device+0x53c/0x630 [ib_core]\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   bnxt_re_probe+0xbd8/0xe50 [bnxt_re]\n   ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]\n   auxiliary_bus_probe+0x49/0x80\n   ? driver_sysfs_add+0x57/0xc0\n   really_probe+0xde/0x340\n   ? pm_runtime_barrier+0x54/0x90\n   ? __pfx___driver_attach+0x10/0x10\n   __driver_probe_device+0x78/0x110\n   driver_probe_device+0x1f/0xa0\n   __driver_attach+0xba/0x1c0\n   bus_for_each_dev+0x8f/0xe0\n   bus_add_driver+0x146/0x220\n   driver_register+0x72/0xd0\n   __auxiliary_driver_register+0x6e/0xd0\n   ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n   bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]\n   ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n   do_one_initcall+0x5b/0x310\n   do_init_module+0x90/0x250\n   init_module_from_file+0x86/0xc0\n   idempotent_init_module+0x121/0x2b0\n   __x64_sys_finit_module+0x5e/0xb0\n   do_syscall_64+0x82/0x160\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? syscall_exit_to_user_mode_prepare+0x149/0x170\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? syscall_exit_to_user_mode+0x75/0x230\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? do_syscall_64+0x8e/0x160\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? __count_memcg_events+0x69/0x100\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? count_memcg_events.constprop.0+0x1a/0x30\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? handle_mm_fault+0x1f0/0x300\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? do_user_addr_fault+0x34e/0x640\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7f4e5132821d\n  Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48\n  RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\n  RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d\n  RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b\n  RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0\n  R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d\n  R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60\n   </TASK>\n  ---[ end trace ]---(CVE-2024-38540)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: openvswitch: fix overwriting ct original tuple for ICMPv6\r\n\r\nOVS_PACKET_CMD_EXECUTE has 3 main attributes:\n - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format.\n - OVS_PACKET_ATTR_PACKET - Binary packet content.\n - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet.\r\n\r\nOVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure\nwith the metadata like conntrack state, input port, recirculation id,\netc.  Then the packet itself gets parsed to populate the rest of the\nkeys from the packet headers.\r\n\r\nWhenever the packet parsing code starts parsing the ICMPv6 header, it\nfirst zeroes out fields in the key corresponding to Neighbor Discovery\ninformation even if it is not an ND packet.\r\n\r\nIt is an 'ipv6.nd' field.  However, the 'ipv6' is a union that shares\nthe space between 'nd' and 'ct_orig' that holds the original tuple\nconntrack metadata parsed from the OVS_PACKET_ATTR_KEY.\r\n\r\nND packets should not normally have conntrack state, so it's fine to\nshare the space, but normal ICMPv6 Echo packets or maybe other types of\nICMPv6 can have the state attached and it should not be overwritten.\r\n\r\nThe issue results in all but the last 4 bytes of the destination\naddress being wiped from the original conntrack tuple leading to\nincorrect packet matching and potentially executing wrong actions\nin case this packet recirculates within the datapath or goes back\nto userspace.\r\n\r\nND fields should not be accessed in non-ND packets, so not clearing\nthem should be fine.  Executing memset() only for actual ND packets to\navoid the issue.\r\n\r\nInitializing the whole thing before parsing is needed because ND packet\nmay not contain all the options.\r\n\r\nThe issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't\naffect packets entering OVS datapath from network interfaces, because\nin this case CT metadata is populated from skb after the packet is\nalready parsed.(CVE-2024-38558)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngfs2: Fix potential glock use-after-free on unmount\r\n\r\nWhen a DLM lockspace is released and there ares still locks in that\nlockspace, DLM will unlock those locks automatically.  Commit\nfb6791d100d1b started exploiting this behavior to speed up filesystem\nunmount: gfs2 would simply free glocks it didn't want to unlock and then\nrelease the lockspace.  This didn't take the bast callbacks for\nasynchronous lock contention notifications into account, which remain\nactive until until a lock is unlocked or its lockspace is released.\r\n\r\nTo prevent those callbacks from accessing deallocated objects, put the\nglocks that should not be unlocked on the sd_dead_glocks list, release\nthe lockspace, and only then free those glocks.\r\n\r\nAs an additional measure, ignore unexpected ast and bast callbacks if\nthe receiving glock is dead.(CVE-2024-38570)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nr8169: Fix possible ring buffer corruption on fragmented Tx packets.\r\n\r\nAn issue was found on the RTL8125b when transmitting small fragmented\npackets, whereby invalid entries were inserted into the transmit ring\nbuffer, subsequently leading to calls to dma_unmap_single() with a null\naddress.\r\n\r\nThis was caused by rtl8169_start_xmit() not noticing changes to nr_frags\nwhich may occur when small packets are padded (to work around hardware\nquirks) in rtl8169_tso_csum_v2().\r\n\r\nTo fix this, postpone inspecting nr_frags until after any padding has been\napplied.(CVE-2024-38586)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmd: fix resync softlockup when bitmap size is less than array size\r\n\r\nIs is reported that for dm-raid10, lvextend + lvchange --syncaction will\ntrigger following softlockup:\r\n\r\nkernel:watchdog: BUG: soft lockup - CPU#3 stuck for 26s! [mdX_resync:6976]\nCPU: 7 PID: 3588 Comm: mdX_resync Kdump: loaded Not tainted 6.9.0-rc4-next-20240419 #1\nRIP: 0010:_raw_spin_unlock_irq+0x13/0x30\nCall Trace:\n <TASK>\n md_bitmap_start_sync+0x6b/0xf0\n raid10_sync_request+0x25c/0x1b40 [raid10]\n md_do_sync+0x64b/0x1020\n md_thread+0xa7/0x170\n kthread+0xcf/0x100\n ret_from_fork+0x30/0x50\n ret_from_fork_asm+0x1a/0x30\r\n\r\nAnd the detailed process is as follows:\r\n\r\nmd_do_sync\n j = mddev->resync_min\n while (j < max_sectors)\n  sectors = raid10_sync_request(mddev, j, &skipped)\n   if (!md_bitmap_start_sync(..., &sync_blocks))\n    // md_bitmap_start_sync set sync_blocks to 0\n    return sync_blocks + sectors_skippe;\n  // sectors = 0;\n  j += sectors;\n  // j never change\r\n\r\nRoot cause is that commit 301867b1c168 (\"md/raid10: check\nslab-out-of-bounds in md_bitmap_get_counter\") return early from\nmd_bitmap_get_counter(), without setting returned blocks.\r\n\r\nFix this problem by always set returned blocks from\nmd_bitmap_get_counter\"(), as it used to be.\r\n\r\nNoted that this patch just fix the softlockup problem in kernel, the\ncase that bitmap size doesn't match array size still need to be fixed.(CVE-2024-38598)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: core: Fix NULL module pointer assignment at card init\r\n\r\nThe commit 81033c6b584b (\"ALSA: core: Warn on empty module\")\nintroduced a WARN_ON() for a NULL module pointer passed at snd_card\nobject creation, and it also wraps the code around it with '#ifdef\nMODULE'.  This works in most cases, but the devils are always in\ndetails.  \"MODULE\" is defined when the target code (i.e. the sound\ncore) is built as a module; but this doesn't mean that the caller is\nalso built-in or not.  Namely, when only the sound core is built-in\n(CONFIG_SND=y) while the driver is a module (CONFIG_SND_USB_AUDIO=m),\nthe passed module pointer is ignored even if it's non-NULL, and\ncard->module remains as NULL.  This would result in the missing module\nreference up/down at the device open/close, leading to a race with the\ncode execution after the module removal.\r\n\r\nFor addressing the bug, move the assignment of card->module again out\nof ifdef.  The WARN_ON() is still wrapped with ifdef because the\nmodule can be really NULL when all sound drivers are built-in.\r\n\r\nNote that we keep 'ifdef MODULE' for WARN_ON(), otherwise it would\nlead to a false-positive NULL module check.  Admittedly it won't catch\nperfectly, i.e. no check is performed when CONFIG_SND=y.  But, it's no\nreal problem as it's only for debugging, and the condition is pretty\nrare.(CVE-2024-38605)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncpufreq: exit() callback is optional\r\n\r\nThe exit() callback is optional and shouldn't be called without checking\na valid pointer first.\r\n\r\nAlso, we must clear freq_table pointer even if the exit() callback isn't\npresent.(CVE-2024-38615)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/pci: fix potential memory leak in vfio_intx_enable()\r\n\r\nIf vfio_irq_ctx_alloc() failed will lead to 'name' memory leak.(CVE-2024-38632)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nkdb: Fix buffer overflow during tab-complete\r\n\r\nCurrently, when the user attempts symbol completion with the Tab key, kdb\nwill use strncpy() to insert the completed symbol into the command buffer.\nUnfortunately it passes the size of the source buffer rather than the\ndestination to strncpy() with predictably horrible results. Most obviously\nif the command buffer is already full but cp, the cursor position, is in\nthe middle of the buffer, then we will write past the end of the supplied\nbuffer.\r\n\r\nFix this by replacing the dubious strncpy() calls with memmove()/memcpy()\ncalls plus explicit boundary checks to make sure we have enough space\nbefore we start moving characters around.(CVE-2024-39480)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()\r\n\r\nIn function bond_option_arp_ip_targets_set(), if newval->string is an\nempty string, newval->string+1 will point to the byte after the\nstring, causing an out-of-bound read.\r\n\r\nBUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418\nRead of size 1 at addr ffff8881119c4781 by task syz-executor665/8107\nCPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:364 [inline]\n print_report+0xc1/0x5e0 mm/kasan/report.c:475\n kasan_report+0xbe/0xf0 mm/kasan/report.c:588\n strlen+0x7d/0xa0 lib/string.c:418\n __fortify_strlen include/linux/fortify-string.h:210 [inline]\n in4_pton+0xa3/0x3f0 net/core/utils.c:130\n bond_option_arp_ip_targets_set+0xc2/0x910\ndrivers/net/bonding/bond_options.c:1201\n __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767\n __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792\n bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817\n bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156\n dev_attr_store+0x54/0x80 drivers/base/core.c:2366\n sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136\n kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334\n call_write_iter include/linux/fs.h:2020 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x96a/0xd80 fs/read_write.c:584\n ksys_write+0x122/0x250 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n---[ end trace ]---\r\n\r\nFix it by adding a check of string length before using it.(CVE-2024-39487)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\narm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY\r\n\r\nWhen CONFIG_DEBUG_BUGVERBOSE=n, we fail to add necessary padding bytes\nto bug_table entries, and as a result the last entry in a bug table will\nbe ignored, potentially leading to an unexpected panic(). All prior\nentries in the table will be handled correctly.\r\n\r\nThe arm64 ABI requires that struct fields of up to 8 bytes are\nnaturally-aligned, with padding added within a struct such that struct\nare suitably aligned within arrays.\r\n\r\nWhen CONFIG_DEBUG_BUGVERPOSE=y, the layout of a bug_entry is:\r\n\r\n\tstruct bug_entry {\n\t\tsigned int      bug_addr_disp;\t// 4 bytes\n\t\tsigned int      file_disp;\t// 4 bytes\n\t\tunsigned short  line;\t\t// 2 bytes\n\t\tunsigned short  flags;\t\t// 2 bytes\n\t}\r\n\r\n... with 12 bytes total, requiring 4-byte alignment.\r\n\r\nWhen CONFIG_DEBUG_BUGVERBOSE=n, the layout of a bug_entry is:\r\n\r\n\tstruct bug_entry {\n\t\tsigned int      bug_addr_disp;\t// 4 bytes\n\t\tunsigned short  flags;\t\t// 2 bytes\n\t\t< implicit padding >\t\t// 2 bytes\n\t}\r\n\r\n... with 8 bytes total, with 6 bytes of data and 2 bytes of trailing\npadding, requiring 4-byte alginment.\r\n\r\nWhen we create a bug_entry in assembly, we align the start of the entry\nto 4 bytes, which implicitly handles padding for any prior entries.\nHowever, we do not align the end of the entry, and so when\nCONFIG_DEBUG_BUGVERBOSE=n, the final entry lacks the trailing padding\nbytes.\r\n\r\nFor the main kernel image this is not a problem as find_bug() doesn't\ndepend on the trailing padding bytes when searching for entries:\r\n\r\n\tfor (bug = __start___bug_table; bug < __stop___bug_table; ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\treturn bug;\r\n\r\nHowever for modules, module_bug_finalize() depends on the trailing\nbytes when calculating the number of entries:\r\n\r\n\tmod->num_bugs = sechdrs[i].sh_size / sizeof(struct bug_entry);\r\n\r\n... and as the last bug_entry lacks the necessary padding bytes, this entry\nwill not be counted, e.g. in the case of a single entry:\r\n\r\n\tsechdrs[i].sh_size == 6\n\tsizeof(struct bug_entry) == 8;\r\n\r\n\tsechdrs[i].sh_size / sizeof(struct bug_entry) == 0;\r\n\r\nConsequently module_find_bug() will miss the last bug_entry when it does:\r\n\r\n\tfor (i = 0; i < mod->num_bugs; ++i, ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\tgoto out;\r\n\r\n... which can lead to a kenrel panic due to an unhandled bug.\r\n\r\nThis can be demonstrated with the following module:\r\n\r\n\tstatic int __init buginit(void)\n\t{\n\t\tWARN(1, \"hello\\n\");\n\t\treturn 0;\n\t}\r\n\r\n\tstatic void __exit bugexit(void)\n\t{\n\t}\r\n\r\n\tmodule_init(buginit);\n\tmodule_exit(bugexit);\n\tMODULE_LICENSE(\"GPL\");\r\n\r\n... which will trigger a kernel panic when loaded:\r\n\r\n\t------------[ cut here ]------------\n\thello\n\tUnexpected kernel BRK exception at EL1\n\tInternal error: BRK handler: 00000000f2000800 [#1] PREEMPT SMP\n\tModules linked in: hello(O+)\n\tCPU: 0 PID: 50 Comm: insmod Tainted: G           O       6.9.1 #8\n\tHardware name: linux,dummy-virt (DT)\n\tpstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n\tpc : buginit+0x18/0x1000 [hello]\n\tlr : buginit+0x18/0x1000 [hello]\n\tsp : ffff800080533ae0\n\tx29: ffff800080533ae0 x28: 0000000000000000 x27: 0000000000000000\n\tx26: ffffaba8c4e70510 x25: ffff800080533c30 x24: ffffaba8c4a28a58\n\tx23: 0000000000000000 x22: 0000000000000000 x21: ffff3947c0eab3c0\n\tx20: ffffaba8c4e3f000 x19: ffffaba846464000 x18: 0000000000000006\n\tx17: 0000000000000000 x16: ffffaba8c2492834 x15: 0720072007200720\n\tx14: 0720072007200720 x13: ffffaba8c49b27c8 x12: 0000000000000312\n\tx11: 0000000000000106 x10: ffffaba8c4a0a7c8 x9 : ffffaba8c49b27c8\n\tx8 : 00000000ffffefff x7 : ffffaba8c4a0a7c8 x6 : 80000000fffff000\n\tx5 : 0000000000000107 x4 : 0000000000000000 x3 : 0000000000000000\n\tx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff3947c0eab3c0\n\tCall trace:\n\t buginit+0x18/0x1000 [hello]\n\t do_one_initcall+0x80/0x1c8\n\t do_init_module+0x60/0x218\n\t load_module+0x1ba4/0x1d70\n\t __do_sys_init_module+0x198/0x1d0\n\t __arm64_sys_init_module+0x1c/0x28\n\t invoke_syscall+0x48/0x114\n\t el0_svc\n---truncated---(CVE-2024-39488)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: sr: fix memleak in seg6_hmac_init_algo\r\n\r\nseg6_hmac_init_algo returns without cleaning up the previous allocations\nif one fails, so it's going to leak all that memory and the crypto tfms.\r\n\r\nUpdate seg6_hmac_exit to only free the memory when allocated, so we can\nreuse the code directly.(CVE-2024-39489)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsock_map: avoid race between sock_map_close and sk_psock_put\r\n\r\nsk_psock_get will return NULL if the refcount of psock has gone to 0, which\nwill happen when the last call of sk_psock_put is done. However,\nsk_psock_drop may not have finished yet, so the close callback will still\npoint to sock_map_close despite psock being NULL.\r\n\r\nThis can be reproduced with a thread deleting an element from the sock map,\nwhile the second one creates a socket, adds it to the map and closes it.\r\n\r\nThat will trigger the WARN_ON_ONCE:\r\n\r\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 7220 at net/core/sock_map.c:1701 sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701\nModules linked in:\nCPU: 1 PID: 7220 Comm: syz-executor380 Not tainted 6.9.0-syzkaller-07726-g3c999d1ae3c7 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nRIP: 0010:sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701\nCode: df e8 92 29 88 f8 48 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 79 29 88 f8 4c 8b 23 eb 89 e8 4f 15 23 f8 90 <0f> 0b 90 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 13 26 3d 02\nRSP: 0018:ffffc9000441fda8 EFLAGS: 00010293\nRAX: ffffffff89731ae1 RBX: ffffffff94b87540 RCX: ffff888029470000\nRDX: 0000000000000000 RSI: ffffffff8bcab5c0 RDI: ffffffff8c1faba0\nRBP: 0000000000000000 R08: ffffffff92f9b61f R09: 1ffffffff25f36c3\nR10: dffffc0000000000 R11: fffffbfff25f36c4 R12: ffffffff89731840\nR13: ffff88804b587000 R14: ffff88804b587000 R15: ffffffff89731870\nFS:  000055555e080380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000207d4000 CR4: 0000000000350ef0\nCall Trace:\n <TASK>\n unix_release+0x87/0xc0 net/unix/af_unix.c:1048\n __sock_release net/socket.c:659 [inline]\n sock_close+0xbe/0x240 net/socket.c:1421\n __fput+0x42b/0x8a0 fs/file_table.c:422\n __do_sys_close fs/open.c:1556 [inline]\n __se_sys_close fs/open.c:1541 [inline]\n __x64_sys_close+0x7f/0x110 fs/open.c:1541\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fb37d618070\nCode: 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d4 e8 10 2c 00 00 80 3d 31 f0 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c\nRSP: 002b:00007ffcd4a525d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000003\nRAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fb37d618070\nRDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000004\nRBP: 0000000000000000 R08: 0000000100000000 R09: 0000000100000000\nR10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n </TASK>\r\n\r\nUse sk_psock, which will only check that the pointer is not been set to\nNULL yet, which should only happen after the callbacks are restored. If,\nthen, a reference can still be gotten, we may call sk_psock_stop and cancel\npsock->work.\r\n\r\nAs suggested by Paolo Abeni, reorder the condition so the control flow is\nless convoluted.\r\n\r\nAfter that change, the reproducer does not trigger the WARN_ON_ONCE\nanymore.(CVE-2024-39500)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmptcp: ensure snd_una is properly initialized on connect\r\n\r\nThis is strictly related to commit fb7a0d334894 (\"mptcp: ensure snd_nxt\nis properly initialized on connect\"). It turns out that syzkaller can\ntrigger the retransmit after fallback and before processing any other\nincoming packet - so that snd_una is still left uninitialized.\r\n\r\nAddress the issue explicitly initializing snd_una together with snd_nxt\nand write_seq.(CVE-2024-40931)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: remove clear SB_INLINECRYPT flag in default_options\r\n\r\nIn f2fs_remount, SB_INLINECRYPT flag will be clear and re-set.\nIf create new file or open file during this gap, these files\nwill not use inlinecrypt. Worse case, it may lead to data\ncorruption if wrappedkey_v0 is enable.\r\n\r\nThread A:                               Thread B:\r\n\r\n-f2fs_remount\t\t\t\t-f2fs_file_open or f2fs_new_inode\n  -default_options\n\t<- clear SB_INLINECRYPT flag\r\n\r\n                                          -fscrypt_select_encryption_impl\r\n\r\n  -parse_options\n\t<- set SB_INLINECRYPT again(CVE-2024-40971)",
+    "cves": [
+      {
+        "id": "CVE-2024-40971",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40971",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1670": {
+    "id": "openEuler-SA-2022-1670",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1670",
+    "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\n\nSecurity Fix(es):\n\nA heap-use-after-free flaw was found in ImageMagick's RelinquishDCMInfo() function of dcm.c file. This vulnerability is triggered when an attacker passes a specially crafted DICOM image file to ImageMagick for conversion, potentially leading to information disclosure and a denial of service.(CVE-2022-1114)",
+    "cves": [
+      {
+        "id": "CVE-2022-1114",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1114",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1600": {
+    "id": "openEuler-SA-2024-1600",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1600",
+    "title": "An update for xorg-x11-server-xwayland is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Xwayland is an X server for running X clients under Wayland.   %package devel Summary: Development package Requires: pkgconfig   %description devel The development package provides the developmental files which are necessary for developing Wayland compositors using Xwayland.   %prep %autosetup -n xwayland-   %build %meson \\         -Dxwayland_eglstream=true \\         -Ddefault_font_path=\"catalogue:/etc/X11/fontpath.d,built-ins\" \\         -Dbuilder_string=\"Build ID:  -\" \\         -Dxkb_output_dir=/lib/xkb \\         -Dxcsecurity=true \\         -Dglamor=true \\         -Ddri3=true   %meson_build\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds memory access flaw was found in the X.Org server. This issue can be triggered when a device frozen by a sync grab is reattached to a different master device. This issue may lead to an application crash, local privilege escalation (if the server runs with extended privileges), or remote code execution in SSH X11 forwarding environments.(CVE-2024-0229)\r\n\r\nA flaw was found in the X.Org server. The cursor code in both Xephyr and Xwayland uses the wrong type of private at creation. It uses the cursor bits type with the cursor as private, and when initiating the cursor, that overwrites the XSELINUX context.(CVE-2024-0409)",
+    "cves": [
+      {
+        "id": "CVE-2024-0409",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0409",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1467": {
+    "id": "openEuler-SA-2024-1467",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1467",
+    "title": "An update for docker is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Docker is an open source project to build, ship and run any application as a lightweight container.\r\n\r\nSecurity Fix(es):\r\n\r\nMoby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be defined. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters and thus behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_. The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and other API clients may specify the `internal` parameter as well.\r\n\r\nWhen containers with networking are created, they are assigned unique network interfaces and IP addresses. The host serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from container IPs.\r\n\r\nContainers on an internal network may communicate between each other, but are precluded from communicating with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus appropriately configured host services) is possible, and the host may communicate with any container IP directly.\r\n\r\nIn addition to configuring the Linux kernel's various networking features to enable container networking, `dockerd` directly provides some services to container networks. Principal among these is serving as a resolver, enabling service discovery, and resolution of names from an upstream resolver.\r\n\r\nWhen a DNS request for a name that does not correspond to a container is received, the request is forwarded to the configured upstream resolver. This request is made from the container's network namespace: the level of access and routing of traffic is the same as if the request was made by the container itself.\r\n\r\nAs a consequence of this design, containers solely attached to an internal network will be unable to resolve names using the upstream resolver, as the container itself is unable to communicate with that nameserver. Only the names of containers also attached to the internal network are able to be resolved.\r\n\r\nMany systems run a local forwarding DNS resolver. As the host and any containers have separate loopback devices, a consequence of the design described above is that containers are unable to resolve names from the host's configured resolver, as they cannot reach these addresses on the host loopback device. To bridge this gap, and to allow containers to properly resolve names even when a local forwarding resolver is used on a loopback address, `dockerd` detects this scenario and instead forward DNS requests from the host namework namespace. The loopback resolver then forwards the requests to its configured upstream resolvers, as expected.\r\n\r\nBecause `dockerd` forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics entirely, internal networks can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers.\r\n\r\nDocker Desktop is not affected, as Docker Desktop always runs an internal resolver on a RFC 1918 address.\r\n\r\nMoby releases 26.0.0, 25.0.4, and 23.0.11 are patched to prevent forwarding any DNS requests from internal networks. As a workaround, run containers intended to be solely attached to internal networks with a custom upstream address, which will force all upstream DNS queries to be resolved from the container's network namespace.(CVE-2024-29018)",
+    "cves": [
+      {
+        "id": "CVE-2024-29018",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29018",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1501": {
+    "id": "openEuler-SA-2024-1501",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1501",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: fix out of bounds in init_smb2_rsp_hdr()\r\n\r\nIf client send smb2 negotiate request and then send smb1 negotiate\nrequest, init_smb2_rsp_hdr is called for smb1 negotiate request since\nneed_neg is set to false. This patch ignore smb1 packets after ->need_neg\nis set to false.(CVE-2023-52441)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm: Don't unref the same fb many times by mistake due to deadlock handling\r\n\r\nIf we get a deadlock after the fb lookup in drm_mode_page_flip_ioctl()\nwe proceed to unref the fb and then retry the whole thing from the top.\nBut we forget to reset the fb pointer back to NULL, and so if we then\nget another error during the retry, before the fb lookup, we proceed\nthe unref the same fb again without having gotten another reference.\nThe end result is that the fb will (eventually) end up being freed\nwhile it's still in use.\r\n\r\nReset fb to NULL once we've unreffed it to avoid doing it again\nuntil we've done another fb lookup.\r\n\r\nThis turned out to be pretty easy to hit on a DG2 when doing async\nflips (and CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y). The first symptom I\nsaw that drm_closefb() simply got stuck in a busy loop while walking\nthe framebuffer list. Fortunately I was able to convince it to oops\ninstead, and from there it was easier to track down the culprit.(CVE-2023-52486)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run\r\n\r\nIn mtk_jpeg_probe, &jpeg->job_timeout_work is bound with\nmtk_jpeg_job_timeout_work.\r\n\r\nIn mtk_jpeg_dec_device_run, if error happens in\nmtk_jpeg_set_dec_dst, it will finally start the worker while\nmark the job as finished by invoking v4l2_m2m_job_finish.\r\n\r\nThere are two methods to trigger the bug. If we remove the\nmodule, it which will call mtk_jpeg_remove to make cleanup.\nThe possible sequence is as follows, which will cause a\nuse-after-free bug.\r\n\r\nCPU0                  CPU1\nmtk_jpeg_dec_...    |\n  start worker\t    |\n                    |mtk_jpeg_job_timeout_work\nmtk_jpeg_remove     |\n  v4l2_m2m_release  |\n    kfree(m2m_dev); |\n                    |\n                    | v4l2_m2m_get_curr_priv\n                    |   m2m_dev->curr_ctx //use\r\n\r\nIf we close the file descriptor, which will call mtk_jpeg_release,\nit will have a similar sequence.\r\n\r\nFix this bug by starting timeout worker only if started jpegdec worker\nsuccessfully. Then v4l2_m2m_job_finish will only be called in\neither mtk_jpeg_job_timeout_work or mtk_jpeg_dec_device_run.(CVE-2023-52491)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: fix NULL pointer in channel unregistration function\r\n\r\n__dma_async_device_channel_register() can fail. In case of failure,\nchan->local is freed (with free_percpu()), and chan->local is nullified.\nWhen dma_async_device_unregister() is called (because of managed API or\nintentionally by DMA controller driver), channels are unconditionally\nunregistered, leading to this NULL pointer:\n[    1.318693] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0\n[...]\n[    1.484499] Call trace:\n[    1.486930]  device_del+0x40/0x394\n[    1.490314]  device_unregister+0x20/0x7c\n[    1.494220]  __dma_async_device_channel_unregister+0x68/0xc0\r\n\r\nLook at dma_async_device_register() function error path, channel device\nunregistration is done only if chan->local is not NULL.\r\n\r\nThen add the same condition at the beginning of\n__dma_async_device_channel_unregister() function, to avoid NULL pointer\nissue whatever the API used to reach this function.(CVE-2023-52492)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbus: mhi: host: Drop chan lock before queuing buffers\r\n\r\nEnsure read and write locks for the channel are not taken in succession by\ndropping the read lock from parse_xfer_event() such that a callback given\nto client can potentially queue buffers and acquire the write lock in that\nprocess. Any queueing of buffers should be done without channel read lock\nacquired as it can result in multiple locks and a soft lockup.\r\n\r\n[mani: added fixes tag and cc'ed stable](CVE-2023-52493)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbus: mhi: host: Add alignment check for event ring read pointer\r\n\r\nThough we do check the event ring read pointer by \"is_valid_ring_ptr\"\nto make sure it is in the buffer range, but there is another risk the\npointer may be not aligned.  Since we are expecting event ring elements\nare 128 bits(struct mhi_ring_element) aligned, an unaligned read pointer\ncould lead to multiple issues like DoS or ring buffer memory corruption.\r\n\r\nSo add a alignment check for event ring read pointer.(CVE-2023-52494)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nPM: sleep: Fix possible deadlocks in core system-wide PM code\r\n\r\nIt is reported that in low-memory situations the system-wide resume core\ncode deadlocks, because async_schedule_dev() executes its argument\nfunction synchronously if it cannot allocate memory (and not only in\nthat case) and that function attempts to acquire a mutex that is already\nheld.  Executing the argument function synchronously from within\ndpm_async_fn() may also be problematic for ordering reasons (it may\ncause a consumer device's resume callback to be invoked before a\nrequisite supplier device's one, for example).\r\n\r\nAddress this by changing the code in question to use\nasync_schedule_dev_nocall() for scheduling the asynchronous\nexecution of device suspend and resume functions and to directly\nrun them synchronously if async_schedule_dev_nocall() returns false.(CVE-2023-52498)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntee: amdtee: fix use-after-free vulnerability in amdtee_close_session\r\n\r\nThere is a potential race condition in amdtee_close_session that may\ncause use-after-free in amdtee_open_session. For instance, if a session\nhas refcount == 1, and one thread tries to free this session via:\r\n\r\n    kref_put(&sess->refcount, destroy_session);\r\n\r\nthe reference count will get decremented, and the next step would be to\ncall destroy_session(). However, if in another thread,\namdtee_open_session() is called before destroy_session() has completed\nexecution, alloc_session() may return 'sess' that will be freed up\nlater in destroy_session() leading to use-after-free in\namdtee_open_session.\r\n\r\nTo fix this issue, treat decrement of sess->refcount and removal of\n'sess' from session list in destroy_session() as a critical section, so\nthat it is executed atomically.(CVE-2023-52503)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nx86/alternatives: Disable KASAN in apply_alternatives()\r\n\r\nFei has reported that KASAN triggers during apply_alternatives() on\na 5-level paging machine:\r\n\r\n\tBUG: KASAN: out-of-bounds in rcu_is_watching()\n\tRead of size 4 at addr ff110003ee6419a0 by task swapper/0/0\n\t...\n\t__asan_load4()\n\trcu_is_watching()\n\ttrace_hardirqs_on()\n\ttext_poke_early()\n\tapply_alternatives()\n\t...\r\n\r\nOn machines with 5-level paging, cpu_feature_enabled(X86_FEATURE_LA57)\ngets patched. It includes KASAN code, where KASAN_SHADOW_START depends on\n__VIRTUAL_MASK_SHIFT, which is defined with cpu_feature_enabled().\r\n\r\nKASAN gets confused when apply_alternatives() patches the\nKASAN_SHADOW_START users. A test patch that makes KASAN_SHADOW_START\nstatic, by replacing __VIRTUAL_MASK_SHIFT with 56, works around the issue.\r\n\r\nFix it for real by disabling KASAN while the kernel is patching alternatives.\r\n\r\n[ mingo: updated the changelog ](CVE-2023-52504)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: nfc: llcp: Add lock when modifying device list\r\n\r\nThe device list needs its associated lock held when modifying it, or the\nlist could become corrupted, as syzbot discovered.(CVE-2023-52524)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nserial: 8250_port: Check IRQ data before use\r\n\r\nIn case the leaf driver wants to use IRQ polling (irq = 0) and\nIIR register shows that an interrupt happened in the 8250 hardware\nthe IRQ data can be NULL. In such a case we need to skip the wake\nevent as we came to this path from the timer interrupt and quite\nlikely system is already awake.\r\n\r\nWithout this fix we have got an Oops:\r\n\r\n    serial8250: ttyS0 at I/O 0x3f8 (irq = 0, base_baud = 115200) is a 16550A\n    ...\n    BUG: kernel NULL pointer dereference, address: 0000000000000010\n    RIP: 0010:serial8250_handle_irq+0x7c/0x240\n    Call Trace:\n     ? serial8250_handle_irq+0x7c/0x240\n     ? __pfx_serial8250_timeout+0x10/0x10(CVE-2023-52567)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nteam: fix null-ptr-deref when team device type is changed\r\n\r\nGet a null-ptr-deref bug as follows with reproducer [1].\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000228\n...\nRIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q]\n...\nCall Trace:\n <TASK>\n ? __die+0x24/0x70\n ? page_fault_oops+0x82/0x150\n ? exc_page_fault+0x69/0x150\n ? asm_exc_page_fault+0x26/0x30\n ? vlan_dev_hard_header+0x35/0x140 [8021q]\n ? vlan_dev_hard_header+0x8e/0x140 [8021q]\n neigh_connected_output+0xb2/0x100\n ip6_finish_output2+0x1cb/0x520\n ? nf_hook_slow+0x43/0xc0\n ? ip6_mtu+0x46/0x80\n ip6_finish_output+0x2a/0xb0\n mld_sendpack+0x18f/0x250\n mld_ifc_work+0x39/0x160\n process_one_work+0x1e6/0x3f0\n worker_thread+0x4d/0x2f0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe5/0x120\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\r\n\r\n[1]\n$ teamd -t team0 -d -c '{\"runner\": {\"name\": \"loadbalance\"}}'\n$ ip link add name t-dummy type dummy\n$ ip link add link t-dummy name t-dummy.100 type vlan id 100\n$ ip link add name t-nlmon type nlmon\n$ ip link set t-nlmon master team0\n$ ip link set t-nlmon nomaster\n$ ip link set t-dummy up\n$ ip link set team0 up\n$ ip link set t-dummy.100 down\n$ ip link set t-dummy.100 master team0\r\n\r\nWhen enslave a vlan device to team device and team device type is changed\nfrom non-ether to ether, header_ops of team device is changed to\nvlan_header_ops. That is incorrect and will trigger null-ptr-deref\nfor vlan->real_dev in vlan_dev_hard_header() because team device is not\na vlan device.\r\n\r\nCache eth_header_ops in team_setup(), then assign cached header_ops to\nheader_ops of team net device when its type is changed from non-ether\nto ether to fix the bug.(CVE-2023-52574)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2023-52575)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/mm: Fix null-pointer dereference in pgtable_cache_add\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.(CVE-2023-52607)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfirmware: arm_scmi: Check mailbox/SMT channel for consistency\r\n\r\nOn reception of a completion interrupt the shared memory area is accessed\nto retrieve the message header at first and then, if the message sequence\nnumber identifies a transaction which is still pending, the related\npayload is fetched too.\r\n\r\nWhen an SCMI command times out the channel ownership remains with the\nplatform until eventually a late reply is received and, as a consequence,\nany further transmission attempt remains pending, waiting for the channel\nto be relinquished by the platform.\r\n\r\nOnce that late reply is received the channel ownership is given back\nto the agent and any pending request is then allowed to proceed and\noverwrite the SMT area of the just delivered late reply; then the wait\nfor the reply to the new request starts.\r\n\r\nIt has been observed that the spurious IRQ related to the late reply can\nbe wrongly associated with the freshly enqueued request: when that happens\nthe SCMI stack in-flight lookup procedure is fooled by the fact that the\nmessage header now present in the SMT area is related to the new pending\ntransaction, even though the real reply has still to arrive.\r\n\r\nThis race-condition on the A2P channel can be detected by looking at the\nchannel status bits: a genuine reply from the platform will have set the\nchannel free bit before triggering the completion IRQ.\r\n\r\nAdd a consistency check to validate such condition in the A2P ISR.(CVE-2023-52608)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nPCI: switchtec: Fix stdev_release() crash after surprise hot remove\r\n\r\nA PCI device hot removal may occur while stdev->cdev is held open. The call\nto stdev_release() then happens during close or exit, at a point way past\nswitchtec_pci_remove(). Otherwise the last ref would vanish with the\ntrailing put_device(), just before return.\r\n\r\nAt that later point in time, the devm cleanup has already removed the\nstdev->mmio_mrpc mapping. Also, the stdev->pdev reference was not a counted\none. Therefore, in DMA mode, the iowrite32() in stdev_release() will cause\na fatal page fault, and the subsequent dma_free_coherent(), if reached,\nwould pass a stale &stdev->pdev->dev pointer.\r\n\r\nFix by moving MRPC DMA shutdown into switchtec_pci_remove(), after\nstdev_kill(). Counting the stdev->pdev ref is now optional, but may prevent\nfuture accidents.\r\n\r\nReproducible via the script at\nhttps://lore.kernel.org/r/20231113212150.96410-1-dns@arista.com(CVE-2023-52617)\r\n\r\nA null pointer dereference vulnerability was found in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() in drivers/net/wireless/ath/ath10k/wmi-tlv.c in the Linux kernel. This issue could be exploited to trigger a denial of service.(CVE-2023-7042)\r\n\r\nA race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.\r\n\r\n\r\n\r\n\n(CVE-2024-24861)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: fix global oob in ksmbd_nl_policy\r\n\r\nSimilar to a reported issue (check the commit b33fb5b801c6 (\"net:\nqualcomm: rmnet: fix global oob in rmnet_policy\"), my local fuzzer finds\nanother global out-of-bounds read for policy ksmbd_nl_policy. See bug\ntrace below:\r\n\r\n==================================================================\nBUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline]\nBUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\nRead of size 1 at addr ffffffff8f24b100 by task syz-executor.1/62810\r\n\r\nCPU: 0 PID: 62810 Comm: syz-executor.1 Tainted: G                 N 6.1.0 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x172/0x475 mm/kasan/report.c:395\n kasan_report+0xbb/0x1c0 mm/kasan/report.c:495\n validate_nla lib/nlattr.c:386 [inline]\n __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\n __nla_parse+0x3e/0x50 lib/nlattr.c:697\n __nlmsg_parse include/net/netlink.h:748 [inline]\n genl_family_rcv_msg_attrs_parse.constprop.0+0x1b0/0x290 net/netlink/genetlink.c:565\n genl_family_rcv_msg_doit+0xda/0x330 net/netlink/genetlink.c:734\n genl_family_rcv_msg net/netlink/genetlink.c:833 [inline]\n genl_rcv_msg+0x441/0x780 net/netlink/genetlink.c:850\n netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540\n genl_rcv+0x24/0x40 net/netlink/genetlink.c:861\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg+0x154/0x190 net/socket.c:734\n ____sys_sendmsg+0x6df/0x840 net/socket.c:2482\n ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536\n __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fdd66a8f359\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fdd65e00168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007fdd66bbcf80 RCX: 00007fdd66a8f359\nRDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000003\nRBP: 00007fdd66ada493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007ffc84b81aff R14: 00007fdd65e00300 R15: 0000000000022000\n </TASK>\r\n\r\nThe buggy address belongs to the variable:\n ksmbd_nl_policy+0x100/0xa80\r\n\r\nThe buggy address belongs to the physical page:\npage:0000000034f47940 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ccc4b\nflags: 0x200000000001000(reserved|node=0|zone=2)\nraw: 0200000000001000 ffffea00073312c8 ffffea00073312c8 0000000000000000\nraw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\r\n\r\nMemory state around the buggy address:\n ffffffff8f24b000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffffffff8f24b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n>ffffffff8f24b100: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 07 f9\n                   ^\n ffffffff8f24b180: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 00 00 00 05\n ffffffff8f24b200: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 00 04 f9\n==================================================================\r\n\r\nTo fix it, add a placeholder named __KSMBD_EVENT_MAX and let\nKSMBD_EVENT_MAX to be its original value - 1 according to what other\nnetlink families do. Also change two sites that refer the\nKSMBD_EVENT_MAX to correct value.(CVE-2024-26608)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/smc: fix illegal rmb_desc access in SMC-D connection dump\r\n\r\nA crash was found when dumping SMC-D connections. It can be reproduced\nby following steps:\r\n\r\n- run nginx/wrk test:\n  smc_run nginx\n  smc_run wrk -t 16 -c 1000 -d <duration> -H 'Connection: Close' <URL>\r\n\r\n- continuously dump SMC-D connections in parallel:\n  watch -n 1 'smcss -D'\r\n\r\n BUG: kernel NULL pointer dereference, address: 0000000000000030\n CPU: 2 PID: 7204 Comm: smcss Kdump: loaded Tainted: G\tE      6.7.0+ #55\n RIP: 0010:__smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]\n Call Trace:\n  <TASK>\n  ? __die+0x24/0x70\n  ? page_fault_oops+0x66/0x150\n  ? exc_page_fault+0x69/0x140\n  ? asm_exc_page_fault+0x26/0x30\n  ? __smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]\n  ? __kmalloc_node_track_caller+0x35d/0x430\n  ? __alloc_skb+0x77/0x170\n  smc_diag_dump_proto+0xd0/0xf0 [smc_diag]\n  smc_diag_dump+0x26/0x60 [smc_diag]\n  netlink_dump+0x19f/0x320\n  __netlink_dump_start+0x1dc/0x300\n  smc_diag_handler_dump+0x6a/0x80 [smc_diag]\n  ? __pfx_smc_diag_dump+0x10/0x10 [smc_diag]\n  sock_diag_rcv_msg+0x121/0x140\n  ? __pfx_sock_diag_rcv_msg+0x10/0x10\n  netlink_rcv_skb+0x5a/0x110\n  sock_diag_rcv+0x28/0x40\n  netlink_unicast+0x22a/0x330\n  netlink_sendmsg+0x1f8/0x420\n  __sock_sendmsg+0xb0/0xc0\n  ____sys_sendmsg+0x24e/0x300\n  ? copy_msghdr_from_user+0x62/0x80\n  ___sys_sendmsg+0x7c/0xd0\n  ? __do_fault+0x34/0x160\n  ? do_read_fault+0x5f/0x100\n  ? do_fault+0xb0/0x110\n  ? __handle_mm_fault+0x2b0/0x6c0\n  __sys_sendmsg+0x4d/0x80\n  do_syscall_64+0x69/0x180\n  entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\nIt is possible that the connection is in process of being established\nwhen we dump it. Assumed that the connection has been registered in a\nlink group by smc_conn_create() but the rmb_desc has not yet been\ninitialized by smc_buf_create(), thus causing the illegal access to\nconn->rmb_desc. So fix it by checking before dump.(CVE-2024-26615)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: sh: aica: reorder cleanup operations to avoid UAF bugs\r\n\r\nThe dreamcastcard->timer could schedule the spu_dma_work and the\nspu_dma_work could also arm the dreamcastcard->timer.\r\n\r\nWhen the snd_pcm_substream is closing, the aica_channel will be\ndeallocated. But it could still be dereferenced in the worker\nthread. The reason is that del_timer() will return directly\nregardless of whether the timer handler is running or not and\nthe worker could be rescheduled in the timer handler. As a result,\nthe UAF bug will happen. The racy situation is shown below:\r\n\r\n      (Thread 1)                 |      (Thread 2)\nsnd_aicapcm_pcm_close()          |\n ...                             |  run_spu_dma() //worker\n                                 |    mod_timer()\n  flush_work()                   |\n  del_timer()                    |  aica_period_elapsed() //timer\n  kfree(dreamcastcard->channel)  |    schedule_work()\n                                 |  run_spu_dma() //worker\n  ...                            |    dreamcastcard->channel-> //USE\r\n\r\nIn order to mitigate this bug and other possible corner cases,\ncall mod_timer() conditionally in run_spu_dma(), then implement\nPCM sync_stop op to cancel both the timer and worker. The sync_stop\nop will be called from PCM core appropriately when needed.(CVE-2024-26654)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: fix use-after-free bug\r\n\r\nThe bug can be triggered by sending a single amdgpu_gem_userptr_ioctl\nto the AMDGPU DRM driver on any ASICs with an invalid address and size.\nThe bug was reported by Joonkyo Jung <joonkyoj@yonsei.ac.kr>.\nFor example the following code:\r\n\r\nstatic void Syzkaller1(int fd)\n{\n\tstruct drm_amdgpu_gem_userptr arg;\n\tint ret;\r\n\r\n\targ.addr = 0xffffffffffff0000;\n\targ.size = 0x80000000; /*2 Gb*/\n\targ.flags = 0x7;\n\tret = drmIoctl(fd, 0xc1186451/*amdgpu_gem_userptr_ioctl*/, &arg);\n}\r\n\r\nDue to the address and size are not valid there is a failure in\namdgpu_hmm_register->mmu_interval_notifier_insert->__mmu_interval_notifier_insert->\ncheck_shl_overflow, but we even the amdgpu_hmm_register failure we still call\namdgpu_hmm_unregister into  amdgpu_gem_object_free which causes access to a bad address.\nThe following stack is below when the issue is reproduced when Kazan is enabled:\r\n\r\n[  +0.000014] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020\n[  +0.000009] RIP: 0010:mmu_interval_notifier_remove+0x327/0x340\n[  +0.000017] Code: ff ff 49 89 44 24 08 48 b8 00 01 00 00 00 00 ad de 4c 89 f7 49 89 47 40 48 83 c0 22 49 89 47 48 e8 ce d1 2d 01 e9 32 ff ff ff <0f> 0b e9 16 ff ff ff 4c 89 ef e8 fa 14 b3 ff e9 36 ff ff ff e8 80\n[  +0.000014] RSP: 0018:ffffc90002657988 EFLAGS: 00010246\n[  +0.000013] RAX: 0000000000000000 RBX: 1ffff920004caf35 RCX: ffffffff8160565b\n[  +0.000011] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8881a9f78260\n[  +0.000010] RBP: ffffc90002657a70 R08: 0000000000000001 R09: fffff520004caf25\n[  +0.000010] R10: 0000000000000003 R11: ffffffff8161d1d6 R12: ffff88810e988c00\n[  +0.000010] R13: ffff888126fb5a00 R14: ffff88810e988c0c R15: ffff8881a9f78260\n[  +0.000011] FS:  00007ff9ec848540(0000) GS:ffff8883cc880000(0000) knlGS:0000000000000000\n[  +0.000012] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  +0.000010] CR2: 000055b3f7e14328 CR3: 00000001b5770000 CR4: 0000000000350ef0\n[  +0.000010] Call Trace:\n[  +0.000006]  <TASK>\n[  +0.000007]  ? show_regs+0x6a/0x80\n[  +0.000018]  ? __warn+0xa5/0x1b0\n[  +0.000019]  ? mmu_interval_notifier_remove+0x327/0x340\n[  +0.000018]  ? report_bug+0x24a/0x290\n[  +0.000022]  ? handle_bug+0x46/0x90\n[  +0.000015]  ? exc_invalid_op+0x19/0x50\n[  +0.000016]  ? asm_exc_invalid_op+0x1b/0x20\n[  +0.000017]  ? kasan_save_stack+0x26/0x50\n[  +0.000017]  ? mmu_interval_notifier_remove+0x23b/0x340\n[  +0.000019]  ? mmu_interval_notifier_remove+0x327/0x340\n[  +0.000019]  ? mmu_interval_notifier_remove+0x23b/0x340\n[  +0.000020]  ? __pfx_mmu_interval_notifier_remove+0x10/0x10\n[  +0.000017]  ? kasan_save_alloc_info+0x1e/0x30\n[  +0.000018]  ? srso_return_thunk+0x5/0x5f\n[  +0.000014]  ? __kasan_kmalloc+0xb1/0xc0\n[  +0.000018]  ? srso_return_thunk+0x5/0x5f\n[  +0.000013]  ? __kasan_check_read+0x11/0x20\n[  +0.000020]  amdgpu_hmm_unregister+0x34/0x50 [amdgpu]\n[  +0.004695]  amdgpu_gem_object_free+0x66/0xa0 [amdgpu]\n[  +0.004534]  ? __pfx_amdgpu_gem_object_free+0x10/0x10 [amdgpu]\n[  +0.004291]  ? do_syscall_64+0x5f/0xe0\n[  +0.000023]  ? srso_return_thunk+0x5/0x5f\n[  +0.000017]  drm_gem_object_free+0x3b/0x50 [drm]\n[  +0.000489]  amdgpu_gem_userptr_ioctl+0x306/0x500 [amdgpu]\n[  +0.004295]  ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[  +0.004270]  ? srso_return_thunk+0x5/0x5f\n[  +0.000014]  ? __this_cpu_preempt_check+0x13/0x20\n[  +0.000015]  ? srso_return_thunk+0x5/0x5f\n[  +0.000013]  ? sysvec_apic_timer_interrupt+0x57/0xc0\n[  +0.000020]  ? srso_return_thunk+0x5/0x5f\n[  +0.000014]  ? asm_sysvec_apic_timer_interrupt+0x1b/0x20\n[  +0.000022]  ? drm_ioctl_kernel+0x17b/0x1f0 [drm]\n[  +0.000496]  ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[  +0.004272]  ? drm_ioctl_kernel+0x190/0x1f0 [drm]\n[  +0.000492]  drm_ioctl_kernel+0x140/0x1f0 [drm]\n[  +0.000497]  ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[  +0.004297]  ? __pfx_drm_ioctl_kernel+0x10/0x10 [d\n---truncated---(CVE-2024-26656)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix hang in nilfs_lookup_dirty_data_buffers()\r\n\r\nSyzbot reported a hang issue in migrate_pages_batch() called by mbind()\nand nilfs_lookup_dirty_data_buffers() called in the log writer of nilfs2.\r\n\r\nWhile migrate_pages_batch() locks a folio and waits for the writeback to\ncomplete, the log writer thread that should bring the writeback to\ncompletion picks up the folio being written back in\nnilfs_lookup_dirty_data_buffers() that it calls for subsequent log\ncreation and was trying to lock the folio.  Thus causing a deadlock.\r\n\r\nIn the first place, it is unexpected that folios/pages in the middle of\nwriteback will be updated and become dirty.  Nilfs2 adds a checksum to\nverify the validity of the log being written and uses it for recovery at\nmount, so data changes during writeback are suppressed.  Since this is\nbroken, an unclean shutdown could potentially cause recovery to fail.\r\n\r\nInvestigation revealed that the root cause is that the wait for writeback\ncompletion in nilfs_page_mkwrite() is conditional, and if the backing\ndevice does not require stable writes, data may be modified without\nwaiting.\r\n\r\nFix these issues by making nilfs_page_mkwrite() wait for writeback to\nfinish regardless of the stable write requirement of the backing device.(CVE-2024-26696)",
+    "cves": [
+      {
+        "id": "CVE-2024-26696",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26696",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1915": {
+    "id": "openEuler-SA-2022-1915",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1915",
+    "title": "An update for libjpeg-turbo is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "libjpeg-turbo is a JPEG image codec that uses SIMD instructions (MMX, SSE2, NEON, AltiVec) to accelerate baseline JPEG compression and decompression on x86, x86-64, and ARM systems.\r\n\r\nSecurity Fix(es):\r\n\r\nA crafted input file could cause a null pointer dereference in jcopy_sample_rows() when processed by libjpeg-turbo.(CVE-2020-35538)",
+    "cves": [
+      {
+        "id": "CVE-2020-35538",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35538",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1531": {
+    "id": "openEuler-SA-2023-1531",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1531",
+    "title": "An update for golang is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The Go Programming Language.\n\nSecurity Fix(es):\n\nExtremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.(CVE-2023-29409)",
+    "cves": [
+      {
+        "id": "CVE-2023-29409",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29409",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1322": {
+    "id": "openEuler-SA-2023-1322",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1322",
+    "title": "An update for wireshark is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Wireshark allows you to examine protocol data stored in files or as it is captured from wired or wireless (WiFi or Bluetooth) networks, USB devices,and many other sources.  It supports dozens of protocol capture file formats and understands more than a thousand protocols.It has many powerful features including a rich display filter language and the ability to reassemble multiple protocol packets in order to, for example, view a complete TCP stream, save the contents of a file which was transferred over HTTP or CIFS, or play back an RTP audio stream.\r\n\r\nSecurity Fix(es):\r\n\r\nBLF file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file(CVE-2023-2857)\r\n\r\nNetScaler file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file(CVE-2023-2858)\r\n\r\nCandump log parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file(CVE-2023-2855)\r\n\r\nA flaw was found in the IEEE C37.118 Synchrophasor dissector of Wireshark. This issue occurs when decoding malformed packets from a pcap file or from the network, causing a buffer overflow, resulting in a denial of service.(CVE-2023-0668)\r\n\r\nVMS TCPIPtrace file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file(CVE-2023-2856)\r\n\r\nGDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file(CVE-2023-2879)",
+    "cves": [
+      {
+        "id": "CVE-2023-2879",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2879",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2078": {
+    "id": "openEuler-SA-2022-2078",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2078",
+    "title": "An update for wireshark is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Wireshark allows you to examine protocol data stored in files or as it is captured from wired or wireless (WiFi or Bluetooth) networks, USB devices, and many other sources.  It supports dozens of protocol capture file formats and understands more than a thousand protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nCrash in the PVFS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file(CVE-2022-0583)\r\n\r\nLarge loops in multiple protocol dissectors in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allow denial of service via packet injection or crafted capture file(CVE-2022-0585)\r\n\r\nCrash in the CMS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file(CVE-2022-0581)\r\n\r\nInfinite loop in RTMPT protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file(CVE-2022-0586)\r\n\r\nUnaligned access in the CSN.1 protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file(CVE-2022-0582)\r\n\r\nCrash in the OPUS protocol dissector in Wireshark 3.6.0 to 3.6.8 allows denial of service via packet injection or crafted capture file(CVE-2022-3725)",
+    "cves": [
+      {
+        "id": "CVE-2022-3725",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3725",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2071": {
+    "id": "openEuler-SA-2022-2071",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2071",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability classified as problematic was found in Linux Kernel. This vulnerability affects the function bnx2x_tpa_stop of the file drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c of the component BPF. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. VDB-211042 is the identifier assigned to this vulnerability.(CVE-2022-3542)\r\n\r\nA vulnerability was found in Linux Kernel. It has been classified as problematic. This affects the function find_prog_by_sec_insn of the file tools/lib/bpf/libbpf.c of the component BPF. The manipulation leads to null pointer dereference. It is recommended to apply a patch to fix this issue. The identifier VDB-211749 was assigned to this vulnerability.(CVE-2022-3606)\n\ndrivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.(CVE-2022-40768)",
+    "cves": [
+      {
+        "id": "CVE-2022-40768",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40768",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1047": {
+    "id": "openEuler-SA-2023-1047",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1047",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "This  provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. The latest version of the TIFF specification is available on-line in several different formats.And contains command-line programs for manipulating TIFF format image files using the libtiff library.\r\n\r\nSecurity Fix(es):\r\n\r\nprocessCropSelections in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based buffer overflow (e.g., \"WRITE of size 307203\") via a crafted TIFF image.(CVE-2022-48281)",
+    "cves": [
+      {
+        "id": "CVE-2022-48281",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48281",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1085": {
+    "id": "openEuler-SA-2023-1085",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1085",
+    "title": "An update for python-cryptography is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.\r\n\r\nSecurity Fix(es):\r\n\r\ncryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.(CVE-2023-23931)",
+    "cves": [
+      {
+        "id": "CVE-2023-23931",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23931",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1013": {
+    "id": "openEuler-SA-2021-1013",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1013",
+    "title": "An update for glibc is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt,  login, exit and more.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nThe iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read.(CVE-2019-25013)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2019-25013",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25013",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1526": {
+    "id": "openEuler-SA-2024-1526",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1526",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: caif: fix memory leak in cfusbl_device_notify\r\n\r\nIn case of caif_enroll_dev() fail, allocated\nlink_support won't be assigned to the corresponding\nstructure. So simply free allocated pointer in case\nof error.(CVE-2021-47121)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: fujitsu: fix potential null-ptr-deref\r\n\r\nIn fmvj18x_get_hwinfo(), if ioremap fails there will be NULL pointer\nderef. To fix this, check the return value of ioremap and return -1\nto the caller in case of failure.(CVE-2021-47149)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: lpfc: Fix link down processing to address NULL pointer dereference\r\n\r\nIf an FC link down transition while PLOGIs are outstanding to fabric well\nknown addresses, outstanding ABTS requests may result in a NULL pointer\ndereference. Driver unload requests may hang with repeated \"2878\" log\nmessages.\r\n\r\nThe Link down processing results in ABTS requests for outstanding ELS\nrequests. The Abort WQEs are sent for the ELSs before the driver had set\nthe link state to down. Thus the driver is sending the Abort with the\nexpectation that an ABTS will be sent on the wire. The Abort request is\nstalled waiting for the link to come up. In some conditions the driver may\nauto-complete the ELSs thus if the link does come up, the Abort completions\nmay reference an invalid structure.\r\n\r\nFix by ensuring that Abort set the flag to avoid link traffic if issued due\nto conditions where the link failed.(CVE-2021-47183)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncfg80211: call cfg80211_stop_ap when switch from P2P_GO type\r\n\r\nIf the userspace tools switch from NL80211_IFTYPE_P2P_GO to\nNL80211_IFTYPE_ADHOC via send_msg(NL80211_CMD_SET_INTERFACE), it\ndoes not call the cleanup cfg80211_stop_ap(), this leads to the\ninitialization of in-use data. For example, this path re-init the\nsdata->assigned_chanctx_list while it is still an element of\nassigned_vifs list, and makes that linked list corrupt.(CVE-2021-47194)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: typec: tipd: Remove WARN_ON in tps6598x_block_read\r\n\r\nCalling tps6598x_block_read with a higher than allowed len can be\nhandled by just returning an error. There's no need to crash systems\nwith panic-on-warn enabled.(CVE-2021-47210)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npstore/ram: Fix crash when setting number of cpus to an odd number\r\n\r\nWhen the number of cpu cores is adjusted to 7 or other odd numbers,\nthe zone size will become an odd number.\nThe address of the zone will become:\n    addr of zone0 = BASE\n    addr of zone1 = BASE + zone_size\n    addr of zone2 = BASE + zone_size*2\n    ...\nThe address of zone1/3/5/7 will be mapped to non-alignment va.\nEventually crashes will occur when accessing these va.\r\n\r\nSo, use ALIGN_DOWN() to make sure the zone size is even\nto avoid this bug.(CVE-2023-52619)\r\n\r\nA race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\r\n\r\n\r\n\r\n\n(CVE-2024-24860)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()\r\n\r\nsyzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken.\r\n\r\nReading frag_off can only be done if we pulled enough bytes\nto skb->head. Currently we might access garbage.\r\n\r\n[1]\nBUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0\nip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0\nipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]\nip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432\n__netdev_start_xmit include/linux/netdevice.h:4940 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4954 [inline]\nxmit_one net/core/dev.c:3548 [inline]\ndev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\nneigh_connected_output+0x569/0x660 net/core/neighbour.c:1592\nneigh_output include/net/neighbour.h:542 [inline]\nip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137\nip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222\nNF_HOOK_COND include/linux/netfilter.h:303 [inline]\nip6_output+0x323/0x610 net/ipv6/ip6_output.c:243\ndst_output include/net/dst.h:451 [inline]\nip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155\nip6_send_skb net/ipv6/ip6_output.c:1952 [inline]\nip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972\nrawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582\nrawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920\ninet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg net/socket.c:745 [inline]\n____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n__sys_sendmsg net/socket.c:2667 [inline]\n__do_sys_sendmsg net/socket.c:2676 [inline]\n__se_sys_sendmsg net/socket.c:2674 [inline]\n__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was created at:\nslab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\nslab_alloc_node mm/slub.c:3478 [inline]\n__kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517\n__do_kmalloc_node mm/slab_common.c:1006 [inline]\n__kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027\nkmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582\npskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098\n__pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655\npskb_may_pull_reason include/linux/skbuff.h:2673 [inline]\npskb_may_pull include/linux/skbuff.h:2681 [inline]\nip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408\nipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]\nip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432\n__netdev_start_xmit include/linux/netdevice.h:4940 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4954 [inline]\nxmit_one net/core/dev.c:3548 [inline]\ndev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\nneigh_connected_output+0x569/0x660 net/core/neighbour.c:1592\nneigh_output include/net/neighbour.h:542 [inline]\nip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137\nip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222\nNF_HOOK_COND include/linux/netfilter.h:303 [inline]\nip6_output+0x323/0x610 net/ipv6/ip6_output.c:243\ndst_output include/net/dst.h:451 [inline]\nip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155\nip6_send_skb net/ipv6/ip6_output.c:1952 [inline]\nip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972\nrawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582\nrawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920\ninet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg net/socket.c:745 [inline]\n____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n__sys_sendmsg net/socket.c:2667 [inline]\n__do_sys_sendms\n---truncated---(CVE-2024-26633)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: don't abort filesystem when attempting to snapshot deleted subvolume\r\n\r\nIf the source file descriptor to the snapshot ioctl refers to a deleted\nsubvolume, we get the following abort:\r\n\r\n  BTRFS: Transaction aborted (error -2)\n  WARNING: CPU: 0 PID: 833 at fs/btrfs/transaction.c:1875 create_pending_snapshot+0x1040/0x1190 [btrfs]\n  Modules linked in: pata_acpi btrfs ata_piix libata scsi_mod virtio_net blake2b_generic xor net_failover virtio_rng failover scsi_common rng_core raid6_pq libcrc32c\n  CPU: 0 PID: 833 Comm: t_snapshot_dele Not tainted 6.7.0-rc6 #2\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014\n  RIP: 0010:create_pending_snapshot+0x1040/0x1190 [btrfs]\n  RSP: 0018:ffffa09c01337af8 EFLAGS: 00010282\n  RAX: 0000000000000000 RBX: ffff9982053e7c78 RCX: 0000000000000027\n  RDX: ffff99827dc20848 RSI: 0000000000000001 RDI: ffff99827dc20840\n  RBP: ffffa09c01337c00 R08: 0000000000000000 R09: ffffa09c01337998\n  R10: 0000000000000003 R11: ffffffffb96da248 R12: fffffffffffffffe\n  R13: ffff99820535bb28 R14: ffff99820b7bd000 R15: ffff99820381ea80\n  FS:  00007fe20aadabc0(0000) GS:ffff99827dc00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000559a120b502f CR3: 00000000055b6000 CR4: 00000000000006f0\n  Call Trace:\n   <TASK>\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   ? __warn+0x81/0x130\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   ? report_bug+0x171/0x1a0\n   ? handle_bug+0x3a/0x70\n   ? exc_invalid_op+0x17/0x70\n   ? asm_exc_invalid_op+0x1a/0x20\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   create_pending_snapshots+0x92/0xc0 [btrfs]\n   btrfs_commit_transaction+0x66b/0xf40 [btrfs]\n   btrfs_mksubvol+0x301/0x4d0 [btrfs]\n   btrfs_mksnapshot+0x80/0xb0 [btrfs]\n   __btrfs_ioctl_snap_create+0x1c2/0x1d0 [btrfs]\n   btrfs_ioctl_snap_create_v2+0xc4/0x150 [btrfs]\n   btrfs_ioctl+0x8a6/0x2650 [btrfs]\n   ? kmem_cache_free+0x22/0x340\n   ? do_sys_openat2+0x97/0xe0\n   __x64_sys_ioctl+0x97/0xd0\n   do_syscall_64+0x46/0xf0\n   entry_SYSCALL_64_after_hwframe+0x6e/0x76\n  RIP: 0033:0x7fe20abe83af\n  RSP: 002b:00007ffe6eff1360 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe20abe83af\n  RDX: 00007ffe6eff23c0 RSI: 0000000050009417 RDI: 0000000000000003\n  RBP: 0000000000000003 R08: 0000000000000000 R09: 00007fe20ad16cd0\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 00007ffe6eff13c0 R14: 00007fe20ad45000 R15: 0000559a120b6d58\n   </TASK>\n  ---[ end trace 0000000000000000 ]---\n  BTRFS: error (device vdc: state A) in create_pending_snapshot:1875: errno=-2 No such entry\n  BTRFS info (device vdc: state EA): forced readonly\n  BTRFS warning (device vdc: state EA): Skipping commit of aborted transaction.\n  BTRFS: error (device vdc: state EA) in cleanup_transaction:2055: errno=-2 No such entry\r\n\r\nThis happens because create_pending_snapshot() initializes the new root\nitem as a copy of the source root item. This includes the refs field,\nwhich is 0 for a deleted subvolume. The call to btrfs_insert_root()\ntherefore inserts a root with refs == 0. btrfs_get_new_fs_root() then\nfinds the root and returns -ENOENT if refs == 0, which causes\ncreate_pending_snapshot() to abort.\r\n\r\nFix it by checking the source root's refs before attempting the\nsnapshot, but after locking subvol_sem to avoid racing with deletion.(CVE-2024-26644)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nARM: ep93xx: Add terminator to gpiod_lookup_table\r\n\r\nWithout the terminator, if a con_id is passed to gpio_find() that\ndoes not exist in the lookup table the function will not stop looping\ncorrectly, and eventually cause an oops.(CVE-2024-26751)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio\r\n\r\nIf kiocb_set_cancel_fn() is called for I/O submitted via io_uring, the\nfollowing kernel warning appears:\r\n\r\nWARNING: CPU: 3 PID: 368 at fs/aio.c:598 kiocb_set_cancel_fn+0x9c/0xa8\nCall trace:\n kiocb_set_cancel_fn+0x9c/0xa8\n ffs_epfile_read_iter+0x144/0x1d0\n io_read+0x19c/0x498\n io_issue_sqe+0x118/0x27c\n io_submit_sqes+0x25c/0x5fc\n __arm64_sys_io_uring_enter+0x104/0xab0\n invoke_syscall+0x58/0x11c\n el0_svc_common+0xb4/0xf4\n do_el0_svc+0x2c/0xb0\n el0_svc+0x2c/0xa4\n el0t_64_sync_handler+0x68/0xb4\n el0t_64_sync+0x1a4/0x1a8\r\n\r\nFix this by setting the IOCB_AIO_RW flag for read and write I/O that is\nsubmitted by libaio.(CVE-2024-26764)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\next4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()\r\n\r\nPlaces the logic for checking if the group's block bitmap is corrupt under\nthe protection of the group lock to avoid allocating blocks from the group\nwith a corrupted block bitmap.(CVE-2024-26772)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\next4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()\r\n\r\nDetermine if the group block bitmap is corrupted before using ac_b_ex in\next4_mb_try_best_found() to avoid allocating blocks from a group with a\ncorrupted block bitmap in the following concurrency and making the\nsituation worse.\r\n\r\next4_mb_regular_allocator\n  ext4_lock_group(sb, group)\n  ext4_mb_good_group\n   // check if the group bbitmap is corrupted\n  ext4_mb_complex_scan_group\n   // Scan group gets ac_b_ex but doesn't use it\n  ext4_unlock_group(sb, group)\n                           ext4_mark_group_bitmap_corrupted(group)\n                           // The block bitmap was corrupted during\n                           // the group unlock gap.\n  ext4_mb_try_best_found\n    ext4_lock_group(ac->ac_sb, group)\n    ext4_mb_use_best_found\n      mb_mark_used\n      // Allocating blocks in block bitmap corrupted group(CVE-2024-26773)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfbdev: sis: Error out if pixclock equals zero\r\n\r\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn't check the value of pixclock,\nit may cause divide-by-zero error.\r\n\r\nIn sisfb_check_var(), var->pixclock is used as a divisor to caculate\ndrate before it is checked against zero. Fix this by checking it\nat the beginning.\r\n\r\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8.(CVE-2024-26777)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfbdev: savage: Error out if pixclock equals zero\r\n\r\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn't check the value of pixclock,\nit may cause divide-by-zero error.\r\n\r\nAlthough pixclock is checked in savagefb_decode_var(), but it is not\nchecked properly in savagefb_probe(). Fix this by checking whether\npixclock is zero in the function savagefb_check_var() before\ninfo->var.pixclock is used as the divisor.\r\n\r\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8.(CVE-2024-26778)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/pci: Lock external INTx masking ops\r\n\r\nMask operations through config space changes to DisINTx may race INTx\nconfiguration changes via ioctl.  Create wrappers that add locking for\npaths outside of the core interrupt code.\r\n\r\nIn particular, irq_type is updated holding igate, therefore testing\nis_intx() requires holding igate.  For example clearing DisINTx from\nconfig space can otherwise race changes of the interrupt configuration.\r\n\r\nThis aligns interfaces which may trigger the INTx eventfd into two\ncamps, one side serialized by igate and the other only enabled while\nINTx is configured.  A subsequent patch introduces synchronization for\nthe latter flows.(CVE-2024-26810)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Fix hashtab overflow check on 32-bit arches\r\n\r\nThe hashtab code relies on roundup_pow_of_two() to compute the number of\nhash buckets, and contains an overflow check by checking if the\nresulting value is 0. However, on 32-bit arches, the roundup code itself\ncan overflow by doing a 32-bit left-shift of an unsigned long value,\nwhich is undefined behaviour, so it is not guaranteed to truncate\nneatly. This was triggered by syzbot on the DEVMAP_HASH type, which\ncontains the same check, copied from the hashtab code. So apply the same\nfix to hashtab, by moving the overflow check to before the roundup.(CVE-2024-26884)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/pci: Disable auto-enable of exclusive INTx IRQ\r\n\r\nCurrently for devices requiring masking at the irqchip for INTx, ie.\ndevices without DisINTx support, the IRQ is enabled in request_irq()\nand subsequently disabled as necessary to align with the masked status\nflag.  This presents a window where the interrupt could fire between\nthese events, resulting in the IRQ incrementing the disable depth twice.\nThis would be unrecoverable for a user since the masked flag prevents\nnested enables through vfio.\r\n\r\nInstead, invert the logic using IRQF_NO_AUTOEN such that exclusive INTx\nis never auto-enabled, then unmask as required.(CVE-2024-27437)",
+    "cves": [
+      {
+        "id": "CVE-2021-47210",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47210",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2024-27437",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27437",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1256": {
+    "id": "openEuler-SA-2024-1256",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1256",
+    "title": "An update for rubygem-yard is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "YARD is a documentation generation tool for the Ruby programming language. It enables the user to generate consistent, usable documentation that can be exported to a number of formats very easily, and also supports extending for custom Ruby constructs such as custom class level definitions.\r\n\r\nSecurity Fix(es):\r\n\r\nYARD is a Ruby Documentation tool. The \"frames.html\" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the \"frames.erb\" template file.  This vulnerability is fixed in 0.9.36.(CVE-2024-27285)",
+    "cves": [
+      {
+        "id": "CVE-2024-27285",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27285",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1545": {
+    "id": "openEuler-SA-2023-1545",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1545",
+    "title": "An update for qt is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Qt (pronounced as \"cute\", not \"cu-tee\") is a cross-platform framework that is usually used as a graphical toolkit, although it is also very helpful in creating CLI applications. It runs on the three major desktop OSes, as well as on mobile OSes, such as Symbian, Nokia Belle, Meego Harmattan, MeeGo or BB10, and on embedded devices. Ports for Android (Necessitas) and iOS are also in development\n\nSecurity Fix(es):\n\nIn Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.(CVE-2023-32573)",
+    "cves": [
+      {
+        "id": "CVE-2023-32573",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1673": {
+    "id": "openEuler-SA-2023-1673",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1673",
+    "title": "An update for firefox is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Mozilla Firefox is a standalone web browser, designed for standards compliance and performance.  Its functionality can be enhanced via a plethora of extensions.\r\n\r\nMozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.\r\n\r\nSecurity Fix(es):\r\n\r\nMozilla developers reported memory safety bugs present in Firefox for Android 79. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 80, Firefox ESR < 78.2, Thunderbird < 78.2, and Firefox for Android < 80.(CVE-2020-15670)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 80 and Firefox ESR 78.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3.(CVE-2020-15673)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 80. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 81.(CVE-2020-15674)\r\n\r\nWhen processing surfaces, the lifetime may outlive a persistent buffer leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 81.(CVE-2020-15675)\r\n\r\nIf a valid external protocol handler was referenced in an image tag, the resulting broken image size could be distinguished from a broken image size of a non-existent protocol handler. This allowed an attacker to successfully probe whether an external protocol handler was registered. This vulnerability affects Firefox < 82.(CVE-2020-15680)\r\n\r\nWhen multiple WASM threads had a reference to a module, and were looking up exported functions, one WASM thread could have overwritten another's entry in a shared stub table, resulting in a potentially exploitable crash. This vulnerability affects Firefox < 82.(CVE-2020-15681)\r\n\r\nWhen a link to an external protocol was clicked, a prompt was presented that allowed the user to choose what application to open it in. An attacker could induce that prompt to be associated with an origin they didn't control, resulting in a spoofing attack. This was fixed by changing external protocol prompts to be tab-modal while also ensuring they could not be incorrectly associated with a different origin. This vulnerability affects Firefox < 82.(CVE-2020-15682)\r\n\r\nMozilla developers and community members reported memory safety bugs present in Firefox 81 and Firefox ESR 78.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.4, Firefox < 82, and Thunderbird < 78.4.(CVE-2020-15683)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 81. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 82.(CVE-2020-15684)\r\n\r\nSide-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to leak cross-origin data via a crafted HTML page.(CVE-2020-16012)\r\n\r\nUse after free in WebRTC in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit heap corruption via a crafted SCTP packet.(CVE-2020-16044)\r\n\r\nIn certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. This vulnerability affects Firefox < 82.0.3, Firefox ESR < 78.4.1, and Thunderbird < 78.4.2.(CVE-2020-26950)\r\n\r\n(CVE-2020-26951)\r\n\r\n(CVE-2020-26953)\r\n\r\n(CVE-2020-26956)\r\n\r\n(CVE-2020-26958)\r\n\r\n(CVE-2020-26959)\r\n\r\n(CVE-2020-26960)\r\n\r\n(CVE-2020-26961)\r\n\r\n(CVE-2020-26962)\r\n\r\n(CVE-2020-26965)\r\n\r\n(CVE-2020-26968)\r\n\r\n(CVE-2020-26969)\r\n\r\nCertain blit values provided by the user were not properly constrained leading to a heap buffer overflow on some video drivers. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6.(CVE-2020-26971)\r\n\r\nThe lifecycle of IPC Actors allows managed actors to outlive their manager actors; and the former must ensure that they are not attempting to use a dead actor they have a reference to. Such a check was omitted in WebGL, resulting in a use-after-free and a potentially exploitable crash. This vulnerability affects Firefox < 84.(CVE-2020-26972)\r\n\r\nCertain input to the CSS Sanitizer confused it, resulting in incorrect components being removed. This could have been used as a sanitizer bypass. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6.(CVE-2020-26973)\r\n\r\nWhen flex-basis was used on a table wrapper, a StyleGenericFlexBasis object could have been incorrectly cast to the wrong type. This resulted in a heap user-after-free, memory corruption, and a potentially exploitable crash. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6.(CVE-2020-26974)\r\n\r\nWhen a HTTPS pages was embedded in a HTTP page, and there was a service worker registered for the former, the service worker could have intercepted the request for the secure page despite the iframe not being a secure context due to the (insecure) framing. This vulnerability affects Firefox < 84.(CVE-2020-26976)\r\n\r\nUsing techniques that built on the slipstream research, a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6.(CVE-2020-26978)\r\n\r\nWhen a user typed a URL in the address bar or the search bar and quickly hit the enter key, a website could sometimes capture that event and then redirect the user before navigation occurred to the desired, entered address. To construct a convincing spoof the attacker would have had to guess what the user was typing, perhaps by suggesting it. This vulnerability affects Firefox < 84.(CVE-2020-26979)\r\n\r\nWhen an extension with the proxy permission registered to receive <all_urls>, the proxy.onRequest callback was not triggered for view-source URLs. While web content cannot navigate to such URLs, a user opening View Source could have inadvertently leaked their IP address. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6.(CVE-2020-35111)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 83 and Firefox ESR 78.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6.(CVE-2020-35113)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 83. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 84.(CVE-2020-35114)\r\n\r\nIf a user clicked into a specifically crafted PDF, the PDF reader could be confused into leaking cross-origin information, when said information is served as chunked data. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7.(CVE-2021-23953)\r\n\r\nUsing the new logical assignment operators in a JavaScript switch statement could have caused a type confusion, leading to a memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7.(CVE-2021-23954)\r\n\r\nThe browser could have been confused into transferring a pointer lock state into another tab, which could have lead to clickjacking attacks. This vulnerability affects Firefox < 85.(CVE-2021-23955)\r\n\r\nAn ambiguous file picker design could have confused users who intended to select and upload a single file into uploading a whole directory. This was addressed by adding a new prompt. This vulnerability affects Firefox < 85.(CVE-2021-23956)\r\n\r\nThe browser could have been confused into transferring a screen sharing state into another tab, which would leak unintended information. This vulnerability affects Firefox < 85.(CVE-2021-23958)\r\n\r\nPerforming garbage collection on re-declared JavaScript variables resulted in a user-after-poison, and a potentially exploitable crash. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7.(CVE-2021-23960)\r\n\r\nFurther techniques that built on the slipstream research combined with a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. This vulnerability affects Firefox < 85.(CVE-2021-23961)\r\n\r\nIncorrect use of the '<RowCountChanged>' method could have led to a user-after-poison and a potentially exploitable crash. This vulnerability affects Firefox < 85.(CVE-2021-23962)\r\n\r\nWhen sharing geolocation during an active WebRTC share, Firefox could have reset the webRTC sharing state in the user interface, leading to loss of control over the currently granted permission. This vulnerability affects Firefox < 85.(CVE-2021-23963)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 84 and Firefox ESR 78.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7.(CVE-2021-23964)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 84. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 85.(CVE-2021-23965)\r\n\r\nIf Content Security Policy blocked frame navigation, the full destination of a redirect served in the frame was reported in the violation report; as opposed to the original frame URI. This could be used to leak sensitive information contained in such URIs. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8.(CVE-2021-23968)\r\n\r\nAs specified in the W3C Content Security Policy draft, when creating a violation report, \"User agents need to ensure that the source file is the URL requested by the page, pre-redirects. If that’s not possible, user agents need to strip the URL down to an origin to avoid unintentional leakage.\" Under certain types of redirects, Firefox incorrectly set the source file to be the destination of the redirects. This was fixed to be the redirect destination's origin. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8.(CVE-2021-23969)\r\n\r\nContext-specific code was included in a shared jump table; resulting in assertions being triggered in multithreaded wasm code. This vulnerability affects Firefox < 86.(CVE-2021-23970)\r\n\r\nWhen processing a redirect with a conflicting Referrer-Policy, Firefox would have adopted the redirect's Referrer-Policy. This would have potentially resulted in more information than intended by the original origin being provided to the destination of the redirect. This vulnerability affects Firefox < 86.(CVE-2021-23971)\r\n\r\nOne phishing tactic on the web is to provide a link with HTTP Auth. For example 'https://www.phishingtarget.com@evil.com'. To mitigate this type of attack, Firefox will display a warning dialog; however, this warning dialog would not have been displayed if evil.com used a redirect that was cached by the browser. This vulnerability affects Firefox < 86.(CVE-2021-23972)\r\n\r\nWhen trying to load a cross-origin resource in an audio/video context a decoding error may have resulted, and the content of that error may have revealed information about the resource. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8.(CVE-2021-23973)\r\n\r\nThe DOMParser API did not properly process '<noscript>' elements for escaping. This could be used as an mXSS vector to bypass an HTML Sanitizer. This vulnerability affects Firefox < 86.(CVE-2021-23974)\r\n\r\nThe developer page about:memory has a Measure function for exploring what object types the browser has allocated and their sizes. When this function was invoked we incorrectly called the sizeof function, instead of using the API method that checks for invalid pointers. This vulnerability affects Firefox < 86.(CVE-2021-23975)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 85 and Firefox ESR 78.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8.(CVE-2021-23978)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 85. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 86.(CVE-2021-23979)\r\n\r\nA texture upload of a Pixel Buffer Object could have confused the WebGL code to skip binding the buffer used to unpack it, resulting in memory corruption and a potentially exploitable information leak or crash. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.(CVE-2021-23981)\r\n\r\nUsing techniques that built on the slipstream research, a malicious webpage could have scanned both an internal network's hosts as well as services running on the user's local machine utilizing WebRTC connections. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.(CVE-2021-23982)\r\n\r\nBy causing a transition on a parent node by removing a CSS rule, an invalid property for a marker could have been applied, resulting in memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 87.(CVE-2021-23983)\r\n\r\nA malicious extension could have opened a popup window lacking an address bar. The title of the popup lacking an address bar should not be fully controllable, but in this situation was. This could have been used to spoof a website and attempt to trick the user into providing credentials. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.(CVE-2021-23984)\r\n\r\nIf an attacker is able to alter specific about:config values (for example malware running on the user's computer), the Devtools remote debugging feature could have been enabled in a way that was unnoticable to the user. This would have allowed a remote attacker (able to make a direct network connection to the victim) to monitor the user's browsing activity and (plaintext) network traffic. This was addressed by providing a visual cue when Devtools has an open network socket. This vulnerability affects Firefox < 87.(CVE-2021-23985)\r\n\r\nA malicious extension with the 'search' permission could have installed a new search engine whose favicon referenced a cross-origin URL. The response to this cross-origin request could have been read by the extension, allowing a same-origin policy bypass by the extension, which should not have cross-origin permissions. This cross-origin request was made without cookies, so the sensitive information disclosed by the violation was limited to local-network resources or resources that perform IP-based authentication. This vulnerability affects Firefox < 87.(CVE-2021-23986)\r\n\r\nMozilla developers and community members reported memory safety bugs present in Firefox 86 and Firefox ESR 78.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.(CVE-2021-23987)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 86. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 87.(CVE-2021-23988)\r\n\r\nA WebGL framebuffer was not initialized early enough, resulting in memory corruption and an out of bound write. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.(CVE-2021-23994)\r\n\r\nWhen Responsive Design Mode was enabled, it used references to objects that were previously freed. We presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.(CVE-2021-23995)\r\n\r\nBy utilizing 3D CSS in conjunction with Javascript, content could have been rendered outside the webpage's viewport, resulting in a spoofing attack that could have been used for phishing or other attacks on a user. This vulnerability affects Firefox < 88.(CVE-2021-23996)\r\n\r\nDue to unexpected data type conversions, a use-after-free could have occurred when interacting with the font cache. We presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox < 88.(CVE-2021-23997)\r\n\r\nThrough complicated navigations with new windows, an HTTP page could have inherited a secure lock icon from an HTTPS page. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.(CVE-2021-23998)\r\n\r\nIf a Blob URL was loaded through some unusual user interaction, it could have been loaded by the System Principal and granted additional privileges that should not be granted to web content. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.(CVE-2021-23999)\r\n\r\nA race condition with requestPointerLock() and setTimeout() could have resulted in a user interacting with one tab when they believed they were on a separate tab. In conjunction with certain elements (such as &lt;input type=\"file\"&gt;) this could have led to an attack where a user was confused about the origin of the webpage and potentially disclosed information they did not intend to. This vulnerability affects Firefox < 88.(CVE-2021-24000)\r\n\r\nA compromised content process could have performed session history manipulations it should not have been able to due to testing infrastructure that was not restricted to testing-only configurations. This vulnerability affects Firefox < 88.(CVE-2021-24001)\r\n\r\nWhen a user clicked on an FTP URL containing encoded newline characters (%0A and %0D), the newlines would have been interpreted as such and allowed arbitrary commands to be sent to the FTP server. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.(CVE-2021-24002)\r\n\r\nLack of escaping allowed HTML injection when a webpage was viewed in Reader View. While a Content Security Policy prevents direct code execution, HTML injection is still possible. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 88.(CVE-2021-29944)\r\n\r\nThe WebAssembly JIT could miscalculate the size of a return type, which could lead to a null read and result in a crash. *Note: This issue only affected x86-32 platforms. Other platforms are unaffected.*. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.(CVE-2021-29945)\r\n\r\nPorts that were written as an integer overflow above the bounds of a 16-bit integer could have bypassed port blocking restrictions when used in the Alt-Svc header. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.(CVE-2021-29946)\r\n\r\nMozilla developers and community members reported memory safety bugs present in Firefox 87. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 88.(CVE-2021-29947)\r\n\r\nWhen Web Render components were destructed, a race condition could have caused undefined behavior, and we presume that with enough effort may have been exploitable to run arbitrary code. This vulnerability affects Firefox < 88.0.1 and Firefox for Android < 88.1.3.(CVE-2021-29952)\r\n\r\nA malicious webpage could have forced a Firefox for Android user into executing attacker-controlled JavaScript in the context of another domain, resulting in a Universal Cross-Site Scripting vulnerability. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected. Further details are being temporarily withheld to allow users an opportunity to update.*. This vulnerability affects Firefox < 88.0.1 and Firefox for Android < 88.1.3.(CVE-2021-29953)\r\n\r\nA transient execution vulnerability, named Floating Point Value Injection (FPVI) allowed an attacker to leak arbitrary memory addresses and may have also enabled JIT type confusion attacks. (A related vulnerability, Speculative Code Store Bypass (SCSB), did not affect Firefox.). This vulnerability affects Firefox ESR < 78.9 and Firefox < 87.(CVE-2021-29955)\r\n\r\nWhen a user has already allowed a website to access microphone and camera, disabling camera sharing would not fully prevent the website from re-enabling it without an additional prompt. This was only possible if the website kept recording with the microphone until re-enabling the camera. This vulnerability affects Firefox < 89.(CVE-2021-29959)\r\n\r\nFirefox used to cache the last filename used for printing a file. When generating a filename for printing, Firefox usually suggests the web page title. The caching and suggestion techniques combined may have lead to the title of a website visited during private browsing mode being stored on disk. This vulnerability affects Firefox < 89.(CVE-2021-29960)\r\n\r\nWhen styling and rendering an oversized `<select>` element, Firefox did not apply correct clipping which allowed an attacker to paint over the user interface. This vulnerability affects Firefox < 89.(CVE-2021-29961)\r\n\r\nA malicious website that causes an HTTP Authentication dialog to be spawned could trick the built-in password manager to suggest passwords for the currently active website instead of the website that triggered the dialog. *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 89.(CVE-2021-29965)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 88. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 89.(CVE-2021-29966)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 88 and Firefox ESR 78.11. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.11, Firefox < 89, and Firefox ESR < 78.11.(CVE-2021-29967)\r\n\r\nA malicious webpage could have triggered a use-after-free, memory corruption, and a potentially exploitable crash. *This bug could only be triggered when accessibility was enabled.*. This vulnerability affects Thunderbird < 78.12, Firefox ESR < 78.12, and Firefox < 90.(CVE-2021-29970)\r\n\r\nA use-after-free vulnerability was found via testing, and traced to an out-of-date Cairo library. Updating the library resolved the issue, and may have remediated other, unknown security vulnerabilities as well. This vulnerability affects Firefox < 90.(CVE-2021-29972)\r\n\r\nWhen network partitioning was enabled, e.g. as a result of Enhanced Tracking Protection settings, a TLS error page would allow the user to override an error on a domain which had specified HTTP Strict Transport Security (which implies that the error should not be override-able.) This issue did not affect the network connections, and they were correctly upgraded to HTTPS automatically. This vulnerability affects Firefox < 90.(CVE-2021-29974)\r\n\r\nThrough a series of DOM manipulations, a message, over which the attacker had control of the text but not HTML or formatting, could be overlaid on top of another domain (with the new domain correctly shown in the address bar) resulting in possible user confusion. This vulnerability affects Firefox < 90.(CVE-2021-29975)\r\n\r\nMozilla developers reported memory safety bugs present in code shared between Firefox and Thunderbird. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.12, Firefox ESR < 78.12, and Firefox < 90.(CVE-2021-29976)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 89. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 90.(CVE-2021-29977)\r\n\r\nUninitialized memory in a canvas object could have caused an incorrect free() leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.(CVE-2021-29980)\r\n\r\nAn issue present in lowering/register allocation could have led to obscure but deterministic register confusion failures in JITted code that would lead to a potentially exploitable crash. This vulnerability affects Firefox < 91 and Thunderbird < 91.(CVE-2021-29981)\r\n\r\nDue to incorrect JIT optimization, we incorrectly interpreted data from the wrong type of object, resulting in the potential leak of a single bit of memory. This vulnerability affects Firefox < 91 and Thunderbird < 91.(CVE-2021-29982)\r\n\r\nInstruction reordering resulted in a sequence of instructions that would cause an object to be incorrectly considered during garbage collection. This led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.(CVE-2021-29984)\r\n\r\nA use-after-free vulnerability in media channels could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.(CVE-2021-29985)\r\n\r\nA suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash. *Note: This issue only affected Linux operating systems. Other operating systems are unaffected.* This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.(CVE-2021-29986)\r\n\r\nAfter requesting multiple permissions, and closing the first permission panel, subsequent permission panels will be displayed in a different position but still record a click in the default location, making it possible to trick a user into accepting a permission they did not want to. *This bug only affects Firefox on Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox < 91 and Thunderbird < 91.(CVE-2021-29987)\r\n\r\nFirefox incorrectly treated an inline list-item element as a block element, resulting in an out of bounds read or memory corruption, and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.(CVE-2021-29988)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 90 and Firefox ESR 78.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.13, Firefox ESR < 78.13, and Firefox < 91.(CVE-2021-29989)\r\n\r\nMozilla developers and community members reported memory safety bugs present in Firefox 90. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 91.(CVE-2021-29990)\r\n\r\nFirefox incorrectly accepted a newline in a HTTP/3 header, interpretting it as two separate headers. This allowed for a header splitting attack against servers using HTTP/3. This vulnerability affects Firefox < 91.0.1 and Thunderbird < 91.0.1.(CVE-2021-29991)\r\n\r\nOut of bounds write in ANGLE in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.(CVE-2021-30547)\r\n\r\ncrossbeam-deque is a package of work-stealing deques for building task schedulers when programming in Rust. In versions prior to 0.7.4 and 0.8.0, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug. Crates using `Stealer::steal`, `Stealer::steal_batch`, or `Stealer::steal_batch_and_pop` are affected by this issue. This has been fixed in crossbeam-deque 0.8.1 and 0.7.4.(CVE-2021-32810)\r\n\r\nMixed-content checks were unable to analyze opaque origins which led to some mixed content being loaded. This vulnerability affects Firefox < 92.(CVE-2021-38491)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 91 and Firefox ESR 78.13. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.14, Thunderbird < 78.14, and Firefox < 92.(CVE-2021-38493)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 91. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 92.(CVE-2021-38494)\r\n\r\nDuring operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.15, Thunderbird < 91.2, Firefox ESR < 91.2, Firefox ESR < 78.15, and Firefox < 93.(CVE-2021-38496)\r\n\r\nThrough use of reportValidity() and window.open(), a plain-text validation message could have been overlaid on another origin, leading to possible user confusion and spoofing attacks. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2.(CVE-2021-38497)\r\n\r\nDuring process shutdown, a document could have caused a use-after-free of a languages service object, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2.(CVE-2021-38498)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 92. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 93.(CVE-2021-38499)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.15, Thunderbird < 91.2, Firefox ESR < 91.2, Firefox ESR < 78.15, and Firefox < 93.(CVE-2021-38500)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2.(CVE-2021-38501)\r\n\r\nThe iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.(CVE-2021-38503)\r\n\r\nWhen interacting with an HTML input element's file picker dialog with webkitdirectory set, a use-after-free could have resulted, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.(CVE-2021-38504)\r\n\r\nThrough a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.(CVE-2021-38506)\r\n\r\nThe Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port 8443) did not opt-in to opportunistic encryption; a network attacker could forward a connection from the browser to port 443 to port 8443, causing the browser to treat the content of port 8443 as same-origin with HTTP. This was resolved by disabling the Opportunistic Encryption feature, which had low usage. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.(CVE-2021-38507)\r\n\r\nBy displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.(CVE-2021-38508)\r\n\r\nDue to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's choosing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.(CVE-2021-38509)\r\n\r\nThe executable file warning was not presented when downloading .inetloc files, which, due to a flaw in Mac OS, can run commands on a user's computer.*Note: This issue only affected Mac OS operating systems. Other operating systems are unaffected.*. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.(CVE-2021-38510)\r\n\r\nIt was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.(CVE-2021-4140)\r\n\r\nWhen a user loaded a Web Extensions context menu, the Web Extension could access the post-redirect URL of the element clicked. If the Web Extension lacked the WebRequest permission for the hosts involved in the redirect, this would be a same-origin-violation leaking data the Web Extension should have access to. This was fixed to provide the pre-redirect URL. This is related to CVE-2021-43532 but in the context of Web Extensions. This vulnerability affects Firefox < 94.(CVE-2021-43531)\r\n\r\nThe 'Copy Image Link' context menu action would copy the final image URL after redirects. By embedding an image that triggered authentication flows - in conjunction with a Content Security Policy that stopped a redirection chain in the middle - the final image URL could be one that contained an authentication token used to takeover a user account. If a website tricked a user into copy and pasting the image link back to the page, the page would be able to steal the authentication tokens. This was fixed by making the action return the original URL, before any redirects. This vulnerability affects Firefox < 94.(CVE-2021-43532)\r\n\r\nWhen parsing internationalized domain names, high bits of the characters in the URLs were sometimes stripped, resulting in inconsistencies that could lead to user confusion or attacks such as phishing. This vulnerability affects Firefox < 94.(CVE-2021-43533)\r\n\r\nMozilla developers and community members reported memory safety bugs present in Firefox 93 and Firefox ESR 91.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.(CVE-2021-43534)\r\n\r\nA use-after-free could have occured when an HTTP2 session object was released on a different thread, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 93, Thunderbird < 91.3, and Firefox ESR < 91.3.(CVE-2021-43535)\r\n\r\nUnder certain circumstances, asynchronous functions could have caused a navigation to fail but expose the target URL. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.(CVE-2021-43536)\r\n\r\nAn incorrect type conversion of sizes from 64bit to 32bit integers allowed an attacker to corrupt memory leading to a potentially exploitable crash. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.(CVE-2021-43537)\r\n\r\nBy misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.(CVE-2021-43538)\r\n\r\nFailure to correctly record the location of live pointers across wasm instance calls resulted in a GC occurring within the call not tracing those live pointers. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.(CVE-2021-43539)\r\n\r\nWebExtensions with the correct permissions were able to create and install ServiceWorkers for third-party websites that would not have been uninstalled with the extension. This vulnerability affects Firefox < 95.(CVE-2021-43540)\r\n\r\nWhen invoking protocol handlers for external protocols, a supplied parameter URL containing spaces was not properly escaped. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.(CVE-2021-43541)\r\n\r\nUsing XMLHttpRequest, an attacker could have identified installed applications by probing error messages for loading external protocols. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.(CVE-2021-43542)\r\n\r\nDocuments loaded with the CSP sandbox directive could have escaped the sandbox's script restriction by embedding additional content. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.(CVE-2021-43543)\r\n\r\nUsing the Location API in a loop could have caused severe application hangs and crashes. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.(CVE-2021-43545)\r\n\r\nIt was possible to recreate previous cursor spoofing attacks against users with a zoomed native cursor. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.(CVE-2021-43546)\r\n\r\nMozilla developers and community members Gabriele Svelto, Sebastian Hengst, Randell Jesup, Luan Herrera, Lars T Hansen, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 96. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 97.(CVE-2022-0511)\r\n\r\nMozilla developers Kershaw Chang, Ryan VanderMeulen, and Randell Jesup reported memory safety bugs present in Firefox 97. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 98.(CVE-2022-0843)\r\n\r\n<code>NSSToken</code> objects were referenced via direct points, and could have been accessed in an unsafe way on different threads, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.(CVE-2022-1097)\r\n\r\nAfter a VR Process is destroyed, a reference to it may have been retained and used, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Thunderbird < 91.8 and Firefox ESR < 91.8.(CVE-2022-1196)\r\n\r\nAn attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1.(CVE-2022-1529)\r\n\r\nIf an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1.(CVE-2022-1802)\r\n\r\nUse after free in Codecs in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.(CVE-2022-1919)\r\n\r\nIf an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.(CVE-2022-2200)\r\n\r\nConstructing audio sinks could have lead to a race condition when playing audio files and closing windows. This could have lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.(CVE-2022-22737)\r\n\r\nApplying a CSS filter effect could have accessed out of bounds memory. This could have lead to a heap-buffer-overflow causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.(CVE-2022-22738)\r\n\r\nMalicious websites could have tricked users into accepting launching a program to handle an external URL protocol. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.(CVE-2022-22739)\r\n\r\nCertain network request objects were freed too early when releasing a network request handle. This could have lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.(CVE-2022-22740)\r\n\r\nWhen resizing a popup while requesting fullscreen access, the popup would have become unable to leave fullscreen mode. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.(CVE-2022-22741)\r\n\r\nWhen inserting text while in edit mode, some characters might have lead to out-of-bounds memory access causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.(CVE-2022-22742)\r\n\r\nWhen navigating from inside an iframe while requesting fullscreen access, an attacker-controlled tab could have made the browser unable to leave fullscreen mode. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.(CVE-2022-22743)\r\n\r\nSecuritypolicyviolation events could have leaked cross-origin information for frame-ancestors violations. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.(CVE-2022-22745)\r\n\r\nAfter accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash. This crash is believed to be unexploitable. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.(CVE-2022-22747)\r\n\r\nMalicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.(CVE-2022-22748)\r\n\r\nIf a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new version the new requested permissions. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.(CVE-2022-22754)\r\n\r\nBy using XSL Transforms, a malicious webserver could have served a user an XSL document that would continue to execute JavaScript (within the bounds of the same-origin policy) even after the tab was closed. This vulnerability affects Firefox < 97.(CVE-2022-22755)\r\n\r\nIf a user was convinced to drag and drop an image to their desktop or other folder, the resulting object could have been changed into an executable script which would have run arbitrary code after the user clicked on it. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.(CVE-2022-22756)\r\n\r\nRemote Agent, used in WebDriver, did not validate the Host or Origin headers. This could have allowed websites to connect back locally to the user's browser to control it. <br>*This bug only affected Firefox when WebDriver was enabled, which is not the default configuration.*. This vulnerability affects Firefox < 97.(CVE-2022-22757)\r\n\r\nIf a document created a sandboxed iframe without <code>allow-scripts</code>, and subsequently appended an element to the iframe's document that e.g. had a JavaScript event handler - the event handler would have run despite the iframe's sandbox. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.(CVE-2022-22759)\r\n\r\nWhen importing resources using Web Workers, error messages would distinguish the difference between <code>application/javascript</code> responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.(CVE-2022-22760)\r\n\r\nWeb-accessible extension pages (pages with a moz-extension:// scheme) were not correctly enforcing the frame-ancestors directive when it was used in the Web Extension's Content Security Policy. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.(CVE-2022-22761)\r\n\r\nWhen a worker is shutdown, it was possible to cause script to run late in the lifecycle, at a point after where it should not be possible. This vulnerability affects Firefox < 96, Thunderbird < 91.6, and Firefox ESR < 91.6.(CVE-2022-22763)\r\n\r\nregex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from regex 1.5.5. All users accepting user-controlled regexes are recommended to upgrade immediately to the latest version of the regex crate. Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, it us not recommend to deny known problematic regexes.(CVE-2022-24713)\r\n\r\nAn attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.(CVE-2022-26381)\r\n\r\nWhile the text displayed in Autofill tooltips cannot be directly read by JavaScript, the text was rendered using page fonts. Side-channel attacks on the text by using specially crafted fonts could have lead to this text being inferred by the webpage. This vulnerability affects Firefox < 98.(CVE-2022-26382)\r\n\r\nWhen resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.(CVE-2022-26383)\r\n\r\nIf an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.(CVE-2022-26384)\r\n\r\nIn unusual circumstances, an individual thread may outlive the thread's manager during shutdown. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 98.(CVE-2022-26385)\r\n\r\nPreviously Firefox for macOS and Linux would download temporary files to a user-specific directory in <code>/tmp</code>, but this behavior was changed to download them to <code>/tmp</code> where they could be affected by other local users. This behavior was reverted to the original, user-specific directory. <br>*This bug only affects Firefox for macOS and Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 91.7 and Thunderbird < 91.7.(CVE-2022-26386)\r\n\r\nWhen installing an add-on, Firefox verified the signature before prompting the user; but while the user was confirming the prompt, the underlying add-on file could have been modified and Firefox would not have noticed. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.(CVE-2022-26387)\r\n\r\nRemoving an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.(CVE-2022-26485)\r\n\r\nAn unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.(CVE-2022-26486)\r\n\r\nIf a compromised content process sent an unexpected number of WebAuthN Extensions in a Register command to the parent process, an out of bounds write would have occurred leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.(CVE-2022-28281)\r\n\r\nBy using a link with <code>rel=\"localization\"</code> a use-after-free could have been triggered by destroying an object during JavaScript execution and then referencing the object through a freed pointer, leading to a potential exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.(CVE-2022-28282)\r\n\r\nThe sourceMapURL feature in devtools was missing security checks that would have allowed a webpage to attempt to include local files or other files that should have been inaccessible. This vulnerability affects Firefox < 99.(CVE-2022-28283)\r\n\r\nSVG's <code>&lt;use&gt;</code> element could have been used to load unexpected content that could have executed script in certain circumstances. While the specification seems to allow this, other browsers do not, and web developers relied on this property for script security so gecko's implementation was aligned with theirs. This vulnerability affects Firefox < 99.(CVE-2022-28284)\r\n\r\nWhen generating the assembly code for <code>MLoadTypedArrayElementHole</code>, an incorrect AliasSet was used. In conjunction with another vulnerability this could have been used for an out of bounds memory read. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.(CVE-2022-28285)\r\n\r\nDue to a layout change, iframe contents could have been rendered outside of its border. This could have led to user confusion or spoofing attacks. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.(CVE-2022-28286)\r\n\r\nIn unusual circumstances, selecting text could cause text selection caching to behave incorrectly, leading to a crash. This vulnerability affects Firefox < 99.(CVE-2022-28287)\r\n\r\nMozilla developers and community members Nika Layzell, Andrew McCreight, Gabriele Svelto, and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 91.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.(CVE-2022-28289)\r\n\r\nDocuments in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.(CVE-2022-29909)\r\n\r\nAn improper implementation of the new iframe sandbox keyword <code>allow-top-navigation-by-user-activation</code> could lead to script execution without <code>allow-scripts</code> being present. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.(CVE-2022-29911)\r\n\r\nRequests initiated through reader mode did not properly omit cookies with a SameSite attribute. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.(CVE-2022-29912)\r\n\r\nWhen reusing existing popups Firefox would have allowed them to cover the fullscreen notification UI, which could have enabled browser spoofing attacks. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.(CVE-2022-29914)\r\n\r\nThe Performance API did not properly hide the fact whether a request cross-origin resource has observed redirects. This vulnerability affects Firefox < 100.(CVE-2022-29915)\r\n\r\nFirefox behaved slightly differently for already known resources when loading CSS resources involving CSS variables. This could have been used to probe the browser history. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.(CVE-2022-29916)\r\n\r\nMozilla developers Gabriele Svelto, Randell Jesup and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 99. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 100.(CVE-2022-29918)\r\n\r\nA malicious website could have learned the size of a cross-origin resource that supported Range requests. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.(CVE-2022-31736)\r\n\r\nA malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.(CVE-2022-31737)\r\n\r\nWhen exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion or spoofing attacks. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.(CVE-2022-31738)\r\n\r\nOn arm64, WASM code could have resulted in incorrect assembly generation leading to a register allocation problem, and a potentially exploitable crash. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.(CVE-2022-31740)\r\n\r\nA crafted CMS message could have been processed incorrectly, leading to an invalid memory read, and potentially further memory corruption. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.(CVE-2022-31741)\r\n\r\nAn attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have led to cross-origin account linking in violation of WebAuthn goals. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.(CVE-2022-31742)\r\n\r\nFirefox's HTML parser did not correctly interpret HTML comment tags, resulting in an incongruity with other browsers. This could have been used to escape HTML comments on pages that put user-controlled data in them. This vulnerability affects Firefox < 101.(CVE-2022-31743)\r\n\r\nAn attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page's Content Security Policy. This vulnerability affects Firefox ESR < 91.11, Thunderbird < 102, Thunderbird < 91.11, and Firefox < 101.(CVE-2022-31744)\r\n\r\nIf array shift operations are not used, the Garbage Collector may have become confused about valid objects. This vulnerability affects Firefox < 101.(CVE-2022-31745)\r\n\r\nMozilla developers Gabriele Svelto, Timothy Nikkel, Randell Jesup, Jon Coppeard, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 100. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 101.(CVE-2022-31748)\r\n\r\nAn out-of-bounds read can occur when decoding H264 video. This results in a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.(CVE-2022-3266)\r\n\r\nAn iframe that was not permitted to run scripts could do so if the user clicked on a <code>javascript:</code> link. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.(CVE-2022-34468)\r\n\r\nWhen a TLS Certificate error occurs on a domain protected by the HSTS header, the browser should not allow the user to bypass the certificate error. On Firefox for Android, the user was presented with the option to bypass the error; this could only have been done by the user explicitly. <br>*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 102.(CVE-2022-34469)\r\n\r\nSession history navigations may have led to a use-after-free and potentially exploitable crash. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.(CVE-2022-34470)\r\n\r\nWhen downloading an update for an addon, the downloaded addon update's version was not verified to match the version selected from the manifest. If the manifest had been tampered with on the server, an attacker could trick the browser into downgrading the addon to a prior version. This vulnerability affects Firefox < 102.(CVE-2022-34471)\r\n\r\nIf there was a PAC URL set and the server that hosts the PAC was not reachable, OCSP requests would have been blocked, resulting in incorrect error pages being shown. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.(CVE-2022-34472)\r\n\r\nThe HTML Sanitizer should have sanitized the <code>href</code> attribute of SVG <code>&lt;use&gt;</code> tags; however it incorrectly did not sanitize <code>xlink:href</code> attributes. This vulnerability affects Firefox < 102.(CVE-2022-34473)\r\n\r\nEven when an iframe was sandboxed with <code>allow-top-navigation-by-user-activation</code>, if it received a redirect header to an external protocol the browser would process the redirect and prompt the user as appropriate. This vulnerability affects Firefox < 102.(CVE-2022-34474)\r\n\r\nSVG <code>&lt;use&gt;</code> tags that referenced a same-origin document could have resulted in script execution if attacker input was sanitized via the HTML Sanitizer API. This would have required the attacker to reference a same-origin JavaScript file containing the script to be executed. This vulnerability affects Firefox < 102.(CVE-2022-34475)\r\n\r\nASN.1 parsing of an indefinite SEQUENCE inside an indefinite GROUP could have resulted in the parser accepting malformed ASN.1. This vulnerability affects Firefox < 102.(CVE-2022-34476)\r\n\r\nThe MediaError message property should be consistent to avoid leaking information about cross-origin resources; however for a same-site cross-origin resource, the message could have leaked information enabling XS-Leaks attacks. This vulnerability affects Firefox < 102.(CVE-2022-34477)\r\n\r\nA malicious website that could create a popup could have resized the popup to overlay the address bar with its own content, resulting in potential user confusion or spoofing attacks. <br>*This bug only affects Thunderbird for Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.(CVE-2022-34479)\r\n\r\nWithin the <code>lg_init()</code> function, if several allocations succeed but then one fails, an uninitialized pointer would have been freed despite never being allocated. This vulnerability affects Firefox < 102.(CVE-2022-34480)\r\n\r\nIn the <code>nsTArray_Impl::ReplaceElementsAt()</code> function, an integer overflow could have occurred when the number of elements to replace was too large for the container. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.(CVE-2022-34481)\r\n\r\nAn attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34483. This vulnerability affects Firefox < 102.(CVE-2022-34482)\r\n\r\nAn attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34482. This vulnerability affects Firefox < 102.(CVE-2022-34483)\r\n\r\nThe Mozilla Fuzzing Team reported potential vulnerabilities present in Thunderbird 91.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.(CVE-2022-34484)\r\n\r\nMozilla developers Bryce Seager van Dyk and the Mozilla Fuzzing Team reported potential vulnerabilities present in Firefox 101. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 102.(CVE-2022-34485)\r\n\r\nWhen visiting directory listings for `chrome://` URLs as source text, some parameters were reflected. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12.(CVE-2022-36318)\r\n\r\nWhen combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12.(CVE-2022-36319)\r\n\r\nAn attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.(CVE-2022-38472)\r\n\r\nA cross-origin iframe referencing an XSLT document would inherit the parent domain's permissions (such as microphone or camera access). This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.(CVE-2022-38473)\r\n\r\nMozilla developer Nika Layzell and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103 and Firefox ESR 102.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.2, Thunderbird < 102.2, and Firefox < 104.(CVE-2022-38477)\r\n\r\nMembers the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.(CVE-2022-38478)\r\n\r\nWhen injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the injected element's base instead. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.(CVE-2022-40956)\r\n\r\nInconsistent data in instruction and data cache when creating wasm code could lead to a potentially exploitable crash.<br>*This bug only affects Firefox on ARM64 platforms.*. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.(CVE-2022-40957)\r\n\r\nBy injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies from a secure context, leading to session fixation and other attacks. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.(CVE-2022-40958)\r\n\r\nDuring iframe navigation, certain pages did not have their FeaturePolicy fully initialized leading to a bypass that leaked device permissions into untrusted subdocuments. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.(CVE-2022-40959)\r\n\r\nConcurrent use of the URL parser with non-UTF-8 data was not thread-safe. This could lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.(CVE-2022-40960)\r\n\r\nMozilla developers Nika Layzell, Timothy Nikkel, Sebastian Hengst, Andreas Pehrson, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 104 and Firefox ESR 102.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.(CVE-2022-40962)\r\n\r\nCertain types of allocations were missing annotations that, if the Garbage Collector was in a specific state, could have lead to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 106, Firefox ESR < 102.4, and Thunderbird < 102.4.(CVE-2022-42928)\r\n\r\nThrough a series of popups that reuse windowName, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.(CVE-2022-45408)\r\n\r\nThe garbage collector could have been aborted in several states and zones and <code>GCRuntime::finishCollection</code> may not have been called, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.(CVE-2022-45409)\r\n\r\nWhen a ServiceWorker intercepted a request with <code>FetchEvent</code>, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.(CVE-2022-45410)\r\n\r\nCross-Site Tracing occurs when a server will echo a request back via the Trace method, allowing an XSS attack to access to authorization headers and cookies inaccessible to JavaScript (such as cookies protected by HTTPOnly). To mitigate this attack, browsers placed limits on <code>fetch()</code> and XMLHttpRequest; however some webservers have implemented non-standard headers such as <code>X-Http-Method-Override</code> that override the HTTP method, and made this attack possible again. Thunderbird has applied the same mitigations to the use of this and similar headers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.(CVE-2022-45411)\r\n\r\nWhen resolving a symlink such as <code>file:///proc/self/fd/1</code>, an error message may be produced where the symlink was resolved to a string containing unitialized memory in the buffer. <br>*This bug only affects Thunderbird on Unix-based operated systems (Android, Linux, MacOS). Windows is unaffected.*. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.(CVE-2022-45412)\r\n\r\nKeyboard events reference strings like \"KeyA\" that were at fixed, known, and widely-spread addresses. Cache-based timing attacks such as Prime+Probe could have possibly figured out which keys were being pressed. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.(CVE-2022-45416)\r\n\r\nIf a custom mouse cursor is specified in CSS, under certain circumstances the cursor could have been drawn over the browser UI, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.(CVE-2022-45418)\r\n\r\nUse tables inside of an iframe, an attacker could have caused iframe contents to be rendered outside the boundaries of the iframe, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.(CVE-2022-45420)\r\n\r\nMozilla developers Andrew McCreight and Gabriele Svelto reported memory safety bugs present in Thunderbird 102.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.(CVE-2022-45421)\r\n\r\nAn out of date library (libusrsctp) contained vulnerabilities that could potentially be exploited. This vulnerability affects Firefox < 108.(CVE-2022-46871)\r\n\r\nA file with a long filename could have had its filename truncated to remove the valid extension, leaving a malicious extension in its place. This could potentially led to user confusion and the execution of malicious code.<br/>*Note*: This issue was originally included in the advisories for Thunderbird 102.6, but a patch (specific to Thunderbird) was omitted, resulting in it actually being fixed in Thunderbird 102.6.1. This vulnerability affects Firefox < 108, Thunderbird < 102.6.1, Thunderbird < 102.6, and Firefox ESR < 102.6.(CVE-2022-46874)\r\n\r\nThe executable file warning was not presented when downloading .atloc and .ftploc files, which can run commands on a user's computer. <br>*Note: This issue only affected Mac OS operating systems. Other operating systems are unaffected.*. This vulnerability affects Firefox < 108, Firefox ESR < 102.6, and Thunderbird < 102.6.(CVE-2022-46875)\r\n\r\nMozilla developers Randell Jesup, Valentin Gosu, Olli Pettay, and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 102.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 108, Firefox ESR < 102.6, and Thunderbird < 102.6.(CVE-2022-46878)\r\n\r\nA use-after-free in WebGL extensions could have led to a potentially exploitable crash. This vulnerability affects Firefox < 107, Firefox ESR < 102.6, and Thunderbird < 102.6.(CVE-2022-46882)\r\n\r\nAn attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.(CVE-2023-0767)\r\n\r\nUnexpected data returned from the Safe Browsing API could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 102.10 and Firefox ESR < 102.10.(CVE-2023-1945)\r\n\r\nDue to the Firefox GTK wrapper code's use of text/plain for drag data and GTK treating all text/plain MIMEs containing file URLs as being dragged a website could arbitrarily read a file via a call to <code>DataTransfer.setData</code>. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.(CVE-2023-23598)\r\n\r\nWhen copying a network request from the developer tools panel as a curl command the output was not being properly sanitized and could allow arbitrary commands to be hidden within. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.(CVE-2023-23599)\r\n\r\nNavigations were being allowed when dragging a URL from a cross-origin iframe into the same tab which could lead to website spoofing attacks. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.(CVE-2023-23601)\r\n\r\nA mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.(CVE-2023-23602)\r\n\r\nRegular expressions used to filter out forbidden properties and values from style directives in calls to <code>console.log</code> weren't accounting for external URLs. Data could then be potentially exfiltrated from the browser. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.(CVE-2023-23603)\r\n\r\nThe <code>Content-Security-Policy-Report-Only</code> header could allow an attacker to leak a child iframe's unredacted URI when interaction with that iframe triggers a redirect. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.(CVE-2023-25728)\r\n\r\nPermission prompts for opening external schemes were only shown for <code>ContentPrincipals</code> resulting in extensions being able to open them without user interaction via <code>ExpandedPrincipals</code>. This could lead to further malicious actions such as downloading files or interacting with software already installed on the system. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.(CVE-2023-25729)\r\n\r\nA background script invoking <code>requestFullscreen</code> and then blocking the main thread could force the browser into fullscreen mode indefinitely, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.(CVE-2023-25730)\r\n\r\nWhen encoding data from an <code>inputStream</code> in <code>xpcom</code> the size of the input being encoded was not correctly calculated potentially leading to an out of bounds memory write. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.(CVE-2023-25732)\r\n\r\nCross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free after unwrapping the proxy. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.(CVE-2023-25735)\r\n\r\nAn invalid downcast from <code>nsTextNode</code> to <code>SVGElement</code> could have lead to undefined behavior. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.(CVE-2023-25737)\r\n\r\nModule load requests that failed were not being checked as to whether or not they were cancelled causing a use-after-free in <code>ScriptLoadContext</code>. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.(CVE-2023-25739)\r\n\r\nWhen importing a SPKI RSA public key as ECDSA P-256, the key would be handled incorrectly causing the tab to crash. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.(CVE-2023-25742)\r\n\r\nSometimes, when invalidating JIT code while following an iterator, the newly generated code could be overwritten incorrectly. This could lead to a potentially exploitable crash. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.(CVE-2023-25751)\r\n\r\nWhen accessing throttled streams, the count of available bytes needed to be checked in the calling function to be within bounds. This may have lead future code to be incorrect and vulnerable. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.(CVE-2023-25752)\r\n\r\nWhile implementing AudioWorklets, some code may have casted one type to another, invalid, dynamic type. This could have led to a potentially exploitable crash. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.(CVE-2023-28162)\r\n\r\nDragging a URL from a cross-origin iframe that was removed during the drag could have led to user confusion and website spoofing attacks. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.(CVE-2023-28164)\r\n\r\nMozilla developers Timothy Nikkel, Andrew McCreight, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 110 and Firefox ESR 102.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.(CVE-2023-28176)\r\n\r\nA website could have obscured the fullscreen notification by using a combination of <code>window.open</code>, fullscreen requests, <code>window.name</code> assignments, and <code>setInterval</code> calls. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.(CVE-2023-29533)\r\n\r\nFollowing a Garbage Collector compaction, weak maps may have been accessed before they were correctly traced. This resulted in memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.(CVE-2023-29535)\r\n\r\nAn attacker could cause the memory manager to incorrectly free a pointer that addresses attacker-controlled memory, resulting in an assertion, memory corruption, or a potentially exploitable crash. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.(CVE-2023-29536)\r\n\r\nWhen handling the filename directive in the Content-Disposition header, the filename would be truncated if the filename contained a NULL character. This could have led to reflected file download attacks potentially tricking users to install malware. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.(CVE-2023-29539)\r\n\r\nFirefox did not properly handle downloads of files ending in <code>.desktop</code>, which can be interpreted to run attacker-controlled commands. <br>*This bug only affects Firefox for Linux on certain Distributions. Other operating systems are unaffected, and Mozilla is unable to enumerate all affected Linux Distributions.*. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.(CVE-2023-29541)\r\n\r\nA wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.(CVE-2023-29548)\r\n\r\nMozilla developers Randell Jesup, Andrew Osmond, Sebastian Hengst, Andrew McCreight, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 111 and Firefox ESR 102.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.(CVE-2023-29550)\r\n\r\nIn multiple cases browser prompts could have been obscured by popups controlled by content. These could have led to potential user confusion and spoofing attacks. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.(CVE-2023-32205)\r\n\r\nAn out-of-bound read could have led to a crash in the RLBox Expat driver. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.(CVE-2023-32206)\r\n\r\nA missing delay in popup notifications could have made it possible for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.(CVE-2023-32207)\r\n\r\nA type checking bug would have led to invalid code being compiled. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.(CVE-2023-32211)\r\n\r\nAn attacker could have positioned a <code>datalist</code> element to obscure the address bar. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.(CVE-2023-32212)\r\n\r\nWhen reading a file, an uninitialized value could have been used as read limit. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.(CVE-2023-32213)\r\n\r\nMozilla developers and community members Gabriele Svelto, Andrew Osmond, Emily McDonough, Sebastian Hengst, Andrew McCreight and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 112 and Firefox ESR 102.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.(CVE-2023-32215)\r\n\r\nAn attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.(CVE-2023-37201)\r\n\r\nCross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.(CVE-2023-37202)\r\n\r\nA website could have obscured the fullscreen notification by using a URL with a scheme handled by an external program, such as a mailto URL. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.(CVE-2023-37207)\r\n\r\nWhen opening Diagcab files, Firefox did not warn the user that these files may contain malicious code. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.(CVE-2023-37208)\r\n\r\nMemory safety bugs present in Firefox 114, Firefox ESR 102.12, and Thunderbird 102.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.(CVE-2023-37211)\r\n\r\nOffscreen Canvas did not properly track cross-origin tainting, which could have been used to access image data from another site in violation of same-origin policy. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.(CVE-2023-4045)\r\n\r\nIn some circumstances, a stale value could have been used for a global variable in WASM JIT analysis. This resulted in incorrect compilation and a potentially exploitable crash in the content process. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.(CVE-2023-4046)\r\n\r\nA bug in popup notifications delay calculation could have made it possible for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.(CVE-2023-4047)\r\n\r\nAn out-of-bounds read could have led to an exploitable crash when parsing HTML with DOMParser in low memory situations. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.(CVE-2023-4048)\r\n\r\nRace conditions in reference counting code were found through code inspection. These could have resulted in potentially exploitable use-after-free vulnerabilities. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.(CVE-2023-4049)\r\n\r\nIn some cases, an untrusted input stream was copied to a stack buffer without checking its size. This resulted in a potentially exploitable crash which could have led to a sandbox escape. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.(CVE-2023-4050)\r\n\r\nWhen opening appref-ms files, Firefox did not warn the user that these files may contain malicious code. \n*This bug only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 116, Firefox ESR < 102.14, Firefox ESR < 115.1, Thunderbird < 102.14, and Thunderbird < 115.1.(CVE-2023-4054)\r\n\r\nWhen the number of cookies per domain was exceeded in `document.cookie`, the actual cookie jar sent to the host was no longer consistent with expected cookie jar state. This could have caused requests to be sent with some cookies missing. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.(CVE-2023-4055)\r\n\r\nMemory safety bugs present in Firefox 115, Firefox ESR 115.0, Firefox ESR 102.13, Thunderbird 115.0, and Thunderbird 102.13. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.(CVE-2023-4056)",
+    "cves": [
+      {
+        "id": "CVE-2020-15673",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15673",
+        "severity": "High"
+      },
+      {
+        "id": "CVE-2023-4056",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4056",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1786": {
+    "id": "openEuler-SA-2024-1786",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1786",
+    "title": "An update for firefox is now available for openEuler-24.03-LTS",
+    "severity": "High",
+    "description": "Mozilla Firefox is a standalone web browser, designed for standards compliance and performance.  Its functionality can be enhanced via a plethora of extensions.\r\n\r\nSecurity Fix(es):\r\n\r\nThere was no limit to the number of HTTP/2 CONTINUATION frames that would be processed. A server could abuse this to create an Out of Memory condition in the browser. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.(CVE-2024-3302)\r\n\r\nGetBoundName could return the wrong version of an object when JIT optimizations were applied. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.(CVE-2024-3852)\r\n\r\nIn some code patterns the JIT incorrectly optimized switch statements and generated code with out-of-bounds-reads. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.(CVE-2024-3854)\r\n\r\nOn 32-bit versions there were integer-overflows that led to an out-of-bounds-read that potentially could be triggered by a malformed OpenType font. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.(CVE-2024-3859)\r\n\r\nIf an AlignedBuffer were assigned to itself, the subsequent self-move could result in an incorrect reference count and later use-after-free. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.(CVE-2024-3861)\r\n\r\nIf the `browser.privatebrowsing.autostart` preference is enabled, IndexedDB files were not properly deleted when the window was closed. This preference is disabled by default in Firefox. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.(CVE-2024-4767)\r\n\r\nWhen importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script responses.  This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.(CVE-2024-4769)\r\n\r\nOffscreen Canvas did not properly track cross-origin tainting, which could be used to access image data from another site in violation of same-origin policy. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.(CVE-2024-5693)\r\n\r\nMemory safety bugs present in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.(CVE-2024-5700)",
+    "cves": [
+      {
+        "id": "CVE-2024-5700",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5700",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1616": {
+    "id": "openEuler-SA-2022-1616",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1616",
+    "title": "An update for mariadb is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "MariaDB is a community developed fork from MySQL - a multi-user, multi-threaded SQL database server. It is a client/server implementation consisting of a server daemon (mariadbd) and many different client programs and libraries. The base package contains the standard MariaDB/MySQL client programs and utilities.\r\n\r\nMariaDB turns data into structured information in a wide array of applications, ranging from banking to websites. It is an enhanced, drop-in replacement for MySQL. MariaDB is used because it is fast, scalable and robust, with a rich ecosystem of storage engines, plugins and many other tools make it very versatile for a wide variety of use cases.\r\n\r\nSecurity Fix(es):\r\n\r\nsave_window_function_values in MariaDB before 10.6.3 allows an application crash because of incorrect handling of with_window_func=True for a subquery.(CVE-2021-46658)\n\nMariaDB through 10.5.9 allows an application crash via certain long SELECT DISTINCT statements that improperly interact with storage-engine resource limitations for temporary data structures.(CVE-2021-46668)\n\nMariaDB CONNECT Storage Engine Format String Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of a user-supplied string before using it as a format specifier. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16193.(CVE-2022-24051)\r\n\nMariaDB CONNECT Storage Engine Use-After-Free Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16207.(CVE-2022-24050)\n\r\nMariaDB CONNECT Storage Engine Stack-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16191.(CVE-2022-24048)",
+    "cves": [
+      {
+        "id": "CVE-2022-24048",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24048",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1321": {
+    "id": "openEuler-SA-2024-1321",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1321",
+    "title": "An update for python-aiosmtpd is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "This is a server for SMTP and related protocols, similar in utility to the standard library's smtpd.py module, but rewritten to be based on asyncio for Python 3.\r\n\r\nSecurity Fix(es):\r\n\r\naiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. aiosmtpd is vulnerable to inbound SMTP smuggling. SMTP smuggling is a novel vulnerability based on not so novel interpretation differences of the SMTP protocol. By exploiting SMTP smuggling, an attacker may send smuggle/spoof e-mails with fake sender addresses, allowing advanced phishing attacks. This issue is also existed in other SMTP software like Postfix. With the right SMTP server constellation, an attacker can send spoofed e-mails to inbound/receiving aiosmtpd instances. This issue has been addressed in version 1.4.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2024-27305)",
+    "cves": [
+      {
+        "id": "CVE-2024-27305",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27305",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1346": {
+    "id": "openEuler-SA-2024-1346",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1346",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni2c: xiic: fix reference leak when pm_runtime_get_sync fails\r\n\r\nThe PM reference count is not expected to be incremented on\nreturn in xiic_xfer and xiic_i2c_remove.\r\n\r\nHowever, pm_runtime_get_sync will increment the PM reference\ncount even failed. Forgetting to putting operation will result\nin a reference leak here.\r\n\r\nReplace it with pm_runtime_resume_and_get to keep usage\ncounter balanced.(CVE-2020-36778)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni2c: imx-lpi2c: fix reference leak when pm_runtime_get_sync fails\r\n\r\nThe PM reference count is not expected to be incremented on\nreturn in lpi2c_imx_master_enable.\r\n\r\nHowever, pm_runtime_get_sync will increment the PM reference\ncount even failed. Forgetting to putting operation will result\nin a reference leak here.\r\n\r\nReplace it with pm_runtime_resume_and_get to keep usage\ncounter balanced.(CVE-2020-36782)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nHID: usbhid: fix info leak in hid_submit_ctrl\r\n\r\nIn hid_submit_ctrl(), the way of calculating the report length doesn't\ntake into account that report->size can be zero. When running the\nsyzkaller reproducer, a report of size 0 causes hid_submit_ctrl) to\ncalculate transfer_buffer_length as 16384. When this urb is passed to\nthe usb core layer, KMSAN reports an info leak of 16384 bytes.\r\n\r\nTo fix this, first modify hid_report_len() to account for the zero\nreport size case by using DIV_ROUND_UP for the division. Then, call it\nfrom hid_submit_ctrl().(CVE-2021-46906)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nARM: footbridge: fix PCI interrupt mapping\r\n\r\nSince commit 30fdfb929e82 (\"PCI: Add a call to pci_assign_irq() in\npci_device_probe()\"), the PCI code will call the IRQ mapping function\nwhenever a PCI driver is probed. If these are marked as __init, this\ncauses an oops if a PCI driver is loaded or bound after the kernel has\ninitialised.(CVE-2021-46909)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: dwc3: core: Do core softreset when switch mode\r\n\r\n\nAccording to the programming guide, to switch mode for DRD controller,\nthe driver needs to do the following.\r\n\r\nTo switch from device to host:\n1. Reset controller with GCTL.CoreSoftReset\n2. Set GCTL.PrtCapDir(host mode)\n3. Reset the host with USBCMD.HCRESET\n4. Then follow up with the initializing host registers sequence\r\n\r\nTo switch from host to device:\n1. Reset controller with GCTL.CoreSoftReset\n2. Set GCTL.PrtCapDir(device mode)\n3. Reset the device with DCTL.CSftRst\n4. Then follow up with the initializing registers sequence\r\n\r\nCurrently we're missing step 1) to do GCTL.CoreSoftReset and step 3) of\nswitching from host to device. John Stult reported a lockup issue seen\nwith HiKey960 platform without these steps[1]. Similar issue is observed\nwith Ferry's testing platform[2].\r\n\r\nSo, apply the required steps along with some fixes to Yu Chen's and John\nStultz's version. The main fixes to their versions are the missing wait\nfor clocks synchronization before clearing GCTL.CoreSoftReset and only\napply DCTL.CSftRst when switching from host to device.\r\n\r\n[1] https://lore.kernel.org/linux-usb/20210108015115.27920-1-john.stultz@linaro.org/\n[2] https://lore.kernel.org/linux-usb/0ba7a6ba-e6a7-9cd4-0695-64fc927e01f1@gmail.com/(CVE-2021-46941)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nopenvswitch: fix stack OOB read while fragmenting IPv4 packets\r\n\r\nrunning openvswitch on kernels built with KASAN, it's possible to see the\nfollowing splat while testing fragmentation of IPv4 packets:\r\n\r\n BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60\n Read of size 1 at addr ffff888112fc713c by task handler2/1367\r\n\r\n CPU: 0 PID: 1367 Comm: handler2 Not tainted 5.12.0-rc6+ #418\n Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014\n Call Trace:\n  dump_stack+0x92/0xc1\n  print_address_description.constprop.7+0x1a/0x150\n  kasan_report.cold.13+0x7f/0x111\n  ip_do_fragment+0x1b03/0x1f60\n  ovs_fragment+0x5bf/0x840 [openvswitch]\n  do_execute_actions+0x1bd5/0x2400 [openvswitch]\n  ovs_execute_actions+0xc8/0x3d0 [openvswitch]\n  ovs_packet_cmd_execute+0xa39/0x1150 [openvswitch]\n  genl_family_rcv_msg_doit.isra.15+0x227/0x2d0\n  genl_rcv_msg+0x287/0x490\n  netlink_rcv_skb+0x120/0x380\n  genl_rcv+0x24/0x40\n  netlink_unicast+0x439/0x630\n  netlink_sendmsg+0x719/0xbf0\n  sock_sendmsg+0xe2/0x110\n  ____sys_sendmsg+0x5ba/0x890\n  ___sys_sendmsg+0xe9/0x160\n  __sys_sendmsg+0xd3/0x170\n  do_syscall_64+0x33/0x40\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7f957079db07\n Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 eb ec ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 24 ed ff ff 48\n RSP: 002b:00007f956ce35a50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 0000000000000019 RCX: 00007f957079db07\n RDX: 0000000000000000 RSI: 00007f956ce35ae0 RDI: 0000000000000019\n RBP: 00007f956ce35ae0 R08: 0000000000000000 R09: 00007f9558006730\n R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000\n R13: 00007f956ce37308 R14: 00007f956ce35f80 R15: 00007f956ce35ae0\r\n\r\n The buggy address belongs to the page:\n page:00000000af2a1d93 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112fc7\n flags: 0x17ffffc0000000()\n raw: 0017ffffc0000000 0000000000000000 dead000000000122 0000000000000000\n raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\r\n\r\n addr ffff888112fc713c is located in stack of task handler2/1367 at offset 180 in frame:\n  ovs_fragment+0x0/0x840 [openvswitch]\r\n\r\n this frame has 2 objects:\n  [32, 144) 'ovs_dst'\n  [192, 424) 'ovs_rt'\r\n\r\n Memory state around the buggy address:\n  ffff888112fc7000: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  ffff888112fc7080: 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00\n >ffff888112fc7100: 00 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00\n                                         ^\n  ffff888112fc7180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  ffff888112fc7200: 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00\r\n\r\nfor IPv4 packets, ovs_fragment() uses a temporary struct dst_entry. Then,\nin the following call graph:\r\n\r\n  ip_do_fragment()\n    ip_skb_dst_mtu()\n      ip_dst_mtu_maybe_forward()\n        ip_mtu_locked()\r\n\r\nthe pointer to struct dst_entry is used as pointer to struct rtable: this\nturns the access to struct members like rt_mtu_locked into an OOB read in\nthe stack. Fix this changing the temporary variable used for IPv4 packets\nin ovs_fragment(), similarly to what is done for IPv6 few lines below.(CVE-2021-46955)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nethernet:enic: Fix a use after free bug in enic_hard_start_xmit\r\n\r\nIn enic_hard_start_xmit, it calls enic_queue_wq_skb(). Inside\nenic_queue_wq_skb, if some error happens, the skb will be freed\nby dev_kfree_skb(skb). But the freed skb is still used in\nskb_tx_timestamp(skb).\r\n\r\nMy patch makes enic_queue_wq_skb() return error and goto spin_unlock()\nincase of error. The solution is provided by Govind.\nSee https://lkml.org/lkml/2021/4/30/961.(CVE-2021-46998)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nARM: 9064/1: hw_breakpoint: Do not directly check the event's overflow_handler hook\r\n\r\nThe commit 1879445dfa7b (\"perf/core: Set event's default\n::overflow_handler()\") set a default event->overflow_handler in\nperf_event_alloc(), and replace the check event->overflow_handler with\nis_default_overflow_handler(), but one is missing.\r\n\r\nCurrently, the bp->overflow_handler can not be NULL. As a result,\nenable_single_step() is always not invoked.\r\n\r\nComments from Zhen Lei:\r\n\r\n https://patchwork.kernel.org/project/linux-arm-kernel/patch/20210207105934.2001-1-thunder.leizhen@huawei.com/(CVE-2021-47006)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send\r\n\r\nIn emac_mac_tx_buf_send, it calls emac_tx_fill_tpd(..,skb,..).\nIf some error happens in emac_tx_fill_tpd(), the skb will be freed via\ndev_kfree_skb(skb) in error branch of emac_tx_fill_tpd().\nBut the freed skb is still used via skb->len by netdev_sent_queue(,skb->len).\r\n\r\nAs i observed that emac_tx_fill_tpd() haven't modified the value of skb->len,\nthus my patch assigns skb->len to 'len' before the possible free and\nuse 'len' instead of skb->len later.(CVE-2021-47013)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbnxt_en: Fix RX consumer index logic in the error path.\r\n\r\nIn bnxt_rx_pkt(), the RX buffers are expected to complete in order.\nIf the RX consumer index indicates an out of order buffer completion,\nit means we are hitting a hardware bug and the driver will abort all\nremaining RX packets and reset the RX ring.  The RX consumer index\nthat we pass to bnxt_discard_rx() is not correct.  We should be\npassing the current index (tmp_raw_cons) instead of the old index\n(raw_cons).  This bug can cause us to be at the wrong index when\ntrying to abort the next RX packet.  It can crash like this:\r\n\r\n #0 [ffff9bbcdf5c39a8] machine_kexec at ffffffff9b05e007\n #1 [ffff9bbcdf5c3a00] __crash_kexec at ffffffff9b111232\n #2 [ffff9bbcdf5c3ad0] panic at ffffffff9b07d61e\n #3 [ffff9bbcdf5c3b50] oops_end at ffffffff9b030978\n #4 [ffff9bbcdf5c3b78] no_context at ffffffff9b06aaf0\n #5 [ffff9bbcdf5c3bd8] __bad_area_nosemaphore at ffffffff9b06ae2e\n #6 [ffff9bbcdf5c3c28] bad_area_nosemaphore at ffffffff9b06af24\n #7 [ffff9bbcdf5c3c38] __do_page_fault at ffffffff9b06b67e\n #8 [ffff9bbcdf5c3cb0] do_page_fault at ffffffff9b06bb12\n #9 [ffff9bbcdf5c3ce0] page_fault at ffffffff9bc015c5\n    [exception RIP: bnxt_rx_pkt+237]\n    RIP: ffffffffc0259cdd  RSP: ffff9bbcdf5c3d98  RFLAGS: 00010213\n    RAX: 000000005dd8097f  RBX: ffff9ba4cb11b7e0  RCX: ffffa923cf6e9000\n    RDX: 0000000000000fff  RSI: 0000000000000627  RDI: 0000000000001000\n    RBP: ffff9bbcdf5c3e60   R8: 0000000000420003   R9: 000000000000020d\n    R10: ffffa923cf6ec138  R11: ffff9bbcdf5c3e83  R12: ffff9ba4d6f928c0\n    R13: ffff9ba4cac28080  R14: ffff9ba4cb11b7f0  R15: ffff9ba4d5a30000\n    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018(CVE-2021-47015)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvsock/virtio: free queued packets when closing socket\r\n\r\nAs reported by syzbot [1], there is a memory leak while closing the\nsocket. We partially solved this issue with commit ac03046ece2b\n(\"vsock/virtio: free packets during the socket release\"), but we\nforgot to drain the RX queue when the socket is definitely closed by\nthe scheduled work.\r\n\r\nTo avoid future issues, let's use the new virtio_transport_remove_sock()\nto drain the RX queue before removing the socket from the af_vsock lists\ncalling vsock_remove_sock().\r\n\r\n[1] https://syzkaller.appspot.com/bug?extid=24452624fc4c571eedd9(CVE-2021-47024)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nio_uring: fix overflows checks in provide buffers\r\n\r\nColin reported before possible overflow and sign extension problems in\nio_provide_buffers_prep(). As Linus pointed out previous attempt did nothing\nuseful, see d81269fecb8ce (\"io_uring: fix provide_buffers sign extension\").\r\n\r\nDo that with help of check_<op>_overflow helpers. And fix struct\nio_provide_buf::len type, as it doesn't make much sense to keep it\nsigned.(CVE-2021-47040)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nDrivers: hv: vmbus: Use after free in __vmbus_open()\r\n\r\nThe \"open_info\" variable is added to the &vmbus_connection.chn_msg_list,\nbut the error handling frees \"open_info\" without removing it from the\nlist.  This will result in a use after free.  First remove it from the\nlist, and then free it.(CVE-2021-47049)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nphonet/pep: refuse to enable an unbound pipe\r\n\r\nThis ioctl() implicitly assumed that the socket was already bound to\na valid local socket name, i.e. Phonet object. If the socket was not\nbound, two separate problems would occur:\r\n\r\n1) We'd send an pipe enablement request with an invalid source object.\n2) Later socket calls could BUG on the socket unexpectedly being\n   connected yet not bound to a valid object.(CVE-2021-47086)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblock: add check that partition length needs to be aligned with block size\r\n\r\nBefore calling add partition or resize partition, there is no check\non whether the length is aligned with the logical block size.\nIf the logical block size of the disk is larger than 512 bytes,\nthen the partition size maybe not the multiple of the logical block size,\nand when the last sector is read, bio_truncate() will adjust the bio size,\nresulting in an IO error if the size of the read command is smaller than\nthe logical block size.If integrity data is supported, this will also\nresult in a null pointer dereference when calling bio_integrity_free.(CVE-2023-52458)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg\r\n\r\nsyzbot reported the following uninit-value access issue:\r\n\r\n=====================================================\nBUG: KMSAN: uninit-value in smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\nBUG: KMSAN: uninit-value in smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\nCPU: 0 PID: 8696 Comm: kworker/0:3 Not tainted 5.8.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:118\n kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121\n __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\n smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\n usbnet_probe+0x1152/0x3f90 drivers/net/usb/usbnet.c:1737\n usb_probe_interface+0xece/0x1550 drivers/usb/core/driver.c:374\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\n usb_set_configuration+0x380f/0x3f10 drivers/usb/core/message.c:2032\n usb_generic_driver_probe+0x138/0x300 drivers/usb/core/generic.c:241\n usb_probe_device+0x311/0x490 drivers/usb/core/driver.c:272\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\n usb_new_device+0x1bd4/0x2a30 drivers/usb/core/hub.c:2554\n hub_port_connect drivers/usb/core/hub.c:5208 [inline]\n hub_port_connect_change drivers/usb/core/hub.c:5348 [inline]\n port_event drivers/usb/core/hub.c:5494 [inline]\n hub_event+0x5e7b/0x8a70 drivers/usb/core/hub.c:5576\n process_one_work+0x1688/0x2140 kernel/workqueue.c:2269\n worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415\n kthread+0x551/0x590 kernel/kthread.c:292\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293\r\n\r\nLocal variable ----buf.i87@smsc75xx_bind created at:\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\r\n\r\nThis issue is caused because usbnet_read_cmd() reads less bytes than requested\n(zero byte in the reproducer). In this case, 'buf' is not properly filled.\r\n\r\nThis patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads\nless bytes than requested.(CVE-2023-52528)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix slab-out-of-bounds Read in dtSearch\r\n\r\nCurrently while searching for current page in the sorted entry table\nof the page there is a out of bound access. Added a bound check to fix\nthe error.\r\n\r\nDave:\nSet return code to -EIO(CVE-2023-52602)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nUBSAN: array-index-out-of-bounds in dtSplitRoot\r\n\r\nSyzkaller reported the following issue:\r\n\r\noop0: detected capacity change from 0 to 32768\r\n\r\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9\nindex -2 is out of range for type 'struct dtslot [128]'\nCPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:151 [inline]\n __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283\n dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971\n dtSplitUp fs/jfs/jfs_dtree.c:985 [inline]\n dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863\n jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270\n vfs_mkdir+0x3b3/0x590 fs/namei.c:4013\n do_mkdirat+0x279/0x550 fs/namei.c:4038\n __do_sys_mkdirat fs/namei.c:4053 [inline]\n __se_sys_mkdirat fs/namei.c:4051 [inline]\n __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fcdc0113fd9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9\nRDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003\nRBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0\nR10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000\nR13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000\n </TASK>\r\n\r\nThe issue is caused when the value of fsi becomes less than -1.\nThe check to break the loop when fsi value becomes -1 is present\nbut syzbot was able to produce value less than -1 which cause the error.\nThis patch simply add the change for the values less than 0.\r\n\r\nThe patch is tested via syzbot.(CVE-2023-52603)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nFS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree\r\n\r\nSyzkaller reported the following issue:\r\n\r\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2867:6\nindex 196694 is out of range for type 's8[1365]' (aka 'signed char[1365]')\nCPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348\n dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867\n dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834\n dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331\n dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]\n dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402\n txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534\n txUpdateMap+0x342/0x9e0\n txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]\n jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732\n kthread+0x2d3/0x370 kernel/kthread.c:388\n ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n </TASK>\n================================================================================\nKernel panic - not syncing: UBSAN: panic_on_warn set ...\nCPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n panic+0x30f/0x770 kernel/panic.c:340\n check_panic_on_warn+0x82/0xa0 kernel/panic.c:236\n ubsan_epilogue lib/ubsan.c:223 [inline]\n __ubsan_handle_out_of_bounds+0x13c/0x150 lib/ubsan.c:348\n dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867\n dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834\n dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331\n dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]\n dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402\n txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534\n txUpdateMap+0x342/0x9e0\n txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]\n jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732\n kthread+0x2d3/0x370 kernel/kthread.c:388\n ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n </TASK>\nKernel Offset: disabled\nRebooting in 86400 seconds..\r\n\r\nThe issue is caused when the value of lp becomes greater than\nCTLTREESIZE which is the max size of stree. Adding a simple check\nsolves this issue.\r\n\r\nDave:\nAs the function returns a void, good error handling\nwould require a more intrusive code reorganization, so I modified\nOsama's patch at use WARN_ON_ONCE for lack of a cleaner option.\r\n\r\nThe patch is tested via syzbot.(CVE-2023-52604)\r\n\r\nA race condition was found in the Linux kernel's scsi device driver in lpfc_unregister_fcf_rescan() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\r\n\r\n\r\n\r\n\n(CVE-2024-24855)",
+    "cves": [
+      {
+        "id": "CVE-2024-24855",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24855",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1515": {
+    "id": "openEuler-SA-2023-1515",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1515",
+    "title": "An update for python-werkzeug is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "*werkzeug* German noun: \"tool\". Etymology: *werk* (\"work\"), *zeug* (\"stuff\") Werkzeug is a comprehensive `WSGI`_ web application library. It began as a simple collection of various utilities for WSGI applications and has become one of the most advanced WSGI utility libraries. It includes:\n-   An interactive debugger that allows inspecting stack traces and source code in the browser with an interactive interpreter for any frame in the stack. -   A full-featured request object with objects to interact with headers, query args, form data, files, and cookies. -   A response object that can wrap other WSGI applications and handle streaming data. -   A routing system for matching URLs to endpoints and generating URLs for endpoints, with an extensible system for capturing variables from URLs. -   HTTP utilities to handle entity tags, cache control, dates, user agents, cookies, files, and more. -   A threaded WSGI server for use while developing applications locally. -   A test client for simulating HTTP requests during testing without requiring running a server. Werkzeug doesn't enforce any dependencies. It is up to the developer to choose a template engine, database adapter, and even how to handle requests. It can be used to build all sorts of end user applications\nsuch as blogs, wikis, or bulletin boards. `Flask`_ wraps Werkzeug, using it to handle the details of WSGI while providing more structure and patterns for defining powerful applications.\n\nSecurity Fix(es):\n\nWerkzeug is a comprehensive WSGI web application library. Browsers may allow \"nameless\" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.(CVE-2023-23934)\n\nWerkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. Version 2.2.3 contains a patch for this issue.(CVE-2023-25577)",
+    "cves": [
+      {
+        "id": "CVE-2023-25577",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25577",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1321": {
+    "id": "openEuler-SA-2023-1321",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1321",
+    "title": "An update for wireshark is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Wireshark allows you to examine protocol data stored in files or as it is captured from wired or wireless (WiFi or Bluetooth) networks, USB devices,and many other sources.  It supports dozens of protocol capture file formats and understands more than a thousand protocols. It has many powerful features including a rich display filter language and the ability to reassemble multiple protocol packets in order to, for example, view a complete TCP stream, save the contents of a file which was transferred over HTTP or CIFS, or play back an RTP audio stream.\r\n\r\nSecurity Fix(es):\r\n\r\nBLF file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file(CVE-2023-2857)\r\n\r\nNetScaler file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file(CVE-2023-2858)\r\n\r\nCandump log parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file(CVE-2023-2855)\r\n\r\nA flaw was found in the IEEE C37.118 Synchrophasor dissector of Wireshark. This issue occurs when decoding malformed packets from a pcap file or from the network, causing a buffer overflow, resulting in a denial of service.(CVE-2023-0668)\r\n\r\nVMS TCPIPtrace file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file(CVE-2023-2856)\r\n\r\nGDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file(CVE-2023-2879)",
+    "cves": [
+      {
+        "id": "CVE-2023-2879",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2879",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1175": {
+    "id": "openEuler-SA-2021-1175",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1175",
+    "title": "An update for rubygem-redcarpet is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "A fast, safe and extensible Markdown to (X)HTML parser.\r\n\r\nSecurity Fix(es):\r\n\r\nRedcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the `:escape_html` option was being used. This is fixed in version 3.5.1 by the referenced commit.(CVE-2020-26298)",
+    "cves": [
+      {
+        "id": "CVE-2020-26298",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26298",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1600": {
+    "id": "openEuler-SA-2022-1600",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1600",
+    "title": "An update for openjpeg2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "OpenJPEG is an open-source JPEG 2000 codec written in C language. It has been developed in order to promote the use of JPEG 2000, a still-image compression standard from the Joint Photographic Experts Group (JPEG). Since April 2015, it is officially recognized by ISO/IEC and ITU-T as a JPEG 2000 Reference Software.\r\n\r\nSecurity Fix(es):\r\n\r\nIn OpenJPEG 2.3.1, there is excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file. This issue is similar to CVE-2018-6616.(CVE-2019-12973)\r\n\r\nA heap-based buffer overflow was found in openjpeg in color.c:379:42 in sycc420_to_rgb when decompressing a crafted .j2k file. An attacker could use this to execute arbitrary code with the permissions of the application compiled against openjpeg.(CVE-2021-3575)",
+    "cves": [
+      {
+        "id": "CVE-2021-3575",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3575",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1161": {
+    "id": "openEuler-SA-2024-1161",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1161",
+    "title": "An update for qt5-qtbase is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "This package provides base tools, such as string, xml, and network handling.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.(CVE-2023-51714)",
+    "cves": [
+      {
+        "id": "CVE-2023-51714",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51714",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1540": {
+    "id": "openEuler-SA-2023-1540",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1540",
+    "title": "An update for clamav is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Clam AntiVirus (clamav) is an open source antivirus engine for detecting trojans,\nviruses, malware & other malicious threats. The main purpose of this software is\nthe integration with mail servers (attachment scanning). The package provides a\nflexible and scalable multi-threaded daemon, a command line scanner, and a tool\nfor automatic updating via Internet. The programs are based on a shared library\ndistributed with the Clam AntiVirus package, which you can use with your own software.\nhe virus database is based on the virus database from OpenAntiVirus, but contains\nadditional signatures and is KEPT UP TO DATE.\n\nSecurity Fix(es):\n\nA vulnerability in the filesystem image parser for Hierarchical File System Plus (HFS+) of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.\n\n This vulnerability is due to an incorrect check for completion when a file is decompressed, which may result in a loop condition that could cause the affected software to stop responding. An attacker could exploit this vulnerability by submitting a crafted HFS+ filesystem image to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to stop responding, resulting in a DoS condition on the affected software and consuming available system resources.\n\n For a description of this vulnerability, see the ClamAV blog .(CVE-2023-20197)",
+    "cves": [
+      {
+        "id": "CVE-2023-20197",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20197",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1447": {
+    "id": "openEuler-SA-2023-1447",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1447",
+    "title": "An update for doxygen is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Doxygen is the de facto standard tool for generating documentation from annotated C++ sources, but it also supports other popular programming languages such as C, Objective-C, C#, PHP, Java, Python, IDL (Corba, Microsoft, and UNO/OpenOffice flavors), Fortran, VHDL, Tcl, and to some extent D.\n\nSecurity Fix(es):\n\nCross Site Scripting vulnerability in jQuery 2.2.0 through 3.x before 3.5.0 allows a remote attacker to execute arbitrary code via the <options> element.(CVE-2020-23064)",
+    "cves": [
+      {
+        "id": "CVE-2020-23064",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-23064",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1926": {
+    "id": "openEuler-SA-2023-1926",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1926",
+    "title": "An update for perl is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "Perl 5 is a highly capable, feature-rich programming language with over 30 years of development. Perl 5 runs on over 100 platforms from portables to mainframes and is suitable for both rapid prototyping and large scale development projects.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \\p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.(CVE-2023-47100)",
+    "cves": [
+      {
+        "id": "CVE-2023-47100",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47100",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1302": {
+    "id": "openEuler-SA-2023-1302",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1302",
+    "title": "An update for c-ares is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nc-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.(CVE-2023-32067)",
+    "cves": [
+      {
+        "id": "CVE-2023-32067",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32067",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1213": {
+    "id": "openEuler-SA-2021-1213",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1213",
+    "title": "An update for openjdk-1.8.0 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The OpenJDK runtime environment 8.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N).(CVE-2021-2163)\r\n\r\nVulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. It can also be exploited by supplying untrusted data to APIs in the specified Component. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).(CVE-2021-2161)",
+    "cves": [
+      {
+        "id": "CVE-2021-2161",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-2161",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1428": {
+    "id": "openEuler-SA-2021-1428",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1428",
+    "title": "An update for containerd is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "containerd is an industry-standard container runtime with an emphasis on simplicity, robustness and portability.  It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervision, low-level storage and network attachments, etc.\r\n\r\nSecurity Fix(es):\r\n\r\ncontainerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This vulnerability has been fixed in containerd 1.4.11 and containerd 1.5.7. Users should update to these version when they are released and may restart containers or update directory permissions to mitigate the vulnerability. Users unable to update should limit access to the host to trusted users. Update directory permission on container bundles directories.(CVE-2021-41103)",
+    "cves": [
+      {
+        "id": "CVE-2021-41103",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41103",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1251": {
+    "id": "openEuler-SA-2021-1251",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1251",
+    "title": "An update for edk2 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications. \r\n\r\nSecurity Fix(es):\r\n\r\nAn unlimited recursion in DxeCore in EDK II.(CVE-2021-28210)",
+    "cves": [
+      {
+        "id": "CVE-2021-28210",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28210",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1027": {
+    "id": "openEuler-SA-2024-1027",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1027",
+    "title": "An update for libssh is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote programs. With its Secure FTP implementation, you can play with remote files easily, without third-party programs others than libcrypto (from openssl).\r\n\r\nSecurity Fix(es):\r\n\r\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795)",
+    "cves": [
+      {
+        "id": "CVE-2023-48795",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48795",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1898": {
+    "id": "openEuler-SA-2022-1898",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1898",
+    "title": "An update for intel-sgx-ssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Intel® Software Guard Extensions SSL (Intel® SGX SSL) cryptographic library is intended to provide cryptographic services for Intel® Software Guard Extensions (SGX) enclave applications. The Intel® SGX SSL cryptographic library is based on the underlying OpenSSL* Open Source project, providing a full-strength general purpose cryptography library. Supported OpenSSL version is 1.1.1l.\r\n\r\nSecurity Fix(es):\r\n\r\nThe c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).(CVE-2022-1292)\r\n\r\nIn addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).(CVE-2022-2068)\r\n\r\nAES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of \"in place\" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).(CVE-2022-2097)\r\n\r\nThe BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).(CVE-2022-0778)",
+    "cves": [
+      {
+        "id": "CVE-2022-0778",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0778",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1416": {
+    "id": "openEuler-SA-2023-1416",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1416",
+    "title": "An update for kubernetes is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Container cluster management.\n\nSecurity Fix(es):\n\nUsers authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API group.(CVE-2022-3162)\n\nUsers may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to to the API server's private network.(CVE-2022-3294)\n\nA security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.(CVE-2023-2431)\n\nUsers may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.\n\n(CVE-2023-2727)\n\nUsers may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.\n\n(CVE-2023-2728)",
+    "cves": [
+      {
+        "id": "CVE-2023-2728",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2728",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1067": {
+    "id": "openEuler-SA-2021-1067",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1067",
+    "title": "An update for python-bottle is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Bottle is a fast, simple and lightweight WSGI micro web-framework for Python. It is distributed as a single file module and has no dependencies other than the Python Standard Library.\r\n\r\nSecurity Fix(es):\r\n\r\nThe package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.(CVE-2020-28473)",
+    "cves": [
+      {
+        "id": "CVE-2020-28473",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28473",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1159": {
+    "id": "openEuler-SA-2023-1159",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1159",
+    "title": "An update for pesign is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "pesign is a command line tool for manipulating signatures and cryptographic digests of UEFI applications.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in pesign. The pesign package provides a systemd service used to start the pesign daemon. This service unit runs a script to set ACLs for /etc/pki/pesign and /run/pesign directories to grant access privileges to users in the 'pesign' group. However, the script doesn't check for symbolic links. This could allow an attacker to gain access to privileged files and directories via a path traversal attack.(CVE-2022-3560)",
+    "cves": [
+      {
+        "id": "CVE-2022-3560",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3560",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1629": {
+    "id": "openEuler-SA-2024-1629",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1629",
+    "title": "An update for nautilus is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "It's easier to manage your files for the GNOME desktop. Ability to browse directories on local and remote systems. preview folders and launch related programs. It is also handle icons on the GNOME desktop.\r\n\r\nSecurity Fix(es):\r\n\r\nGNOME Nautilus 42.2 allows a NULL pointer dereference and get_basename application crash via a pasted ZIP archive.(CVE-2022-37290)",
+    "cves": [
+      {
+        "id": "CVE-2022-37290",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37290",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1069": {
+    "id": "openEuler-SA-2023-1069",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1069",
+    "title": "An update for tmux is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "is a terminal multiplexer. It lets you switch easily between several programs in one terminal, detach them (they keep running in the background) and reattach them to a different terminal.\r\n\r\nSecurity Fix(es):\r\n\r\nA null pointer dereference issue was discovered in function window_pane_set_event in window.c in tmux 3.0 thru 3.3 and later, allows attackers to cause denial of service or other unspecified impacts.(CVE-2022-47016)",
+    "cves": [
+      {
+        "id": "CVE-2022-47016",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47016",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1563": {
+    "id": "openEuler-SA-2023-1563",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1563",
+    "title": "An update for perl is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Perl 5 is a highly capable, feature-rich programming language with over 30 years of development.Perl 5 runs on over 100 platforms from portables to mainframes and is suitable for both rapid prototyping and large scale development projects.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.(CVE-2022-48522)",
+    "cves": [
+      {
+        "id": "CVE-2022-48522",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48522",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1585": {
+    "id": "openEuler-SA-2022-1585",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1585",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "The Go Programming Language.\r\n\r\nSecurity Fix(es):\r\n\r\nRat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.(CVE-2022-23772)\r\n\r\nCurve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.(CVE-2022-23806)",
+    "cves": [
+      {
+        "id": "CVE-2022-23806",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23806",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1679": {
+    "id": "openEuler-SA-2022-1679",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1679",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\n\nSecurity Fix(es):\n\nA DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller's registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects QEMU versions before 7.0.0.(CVE-2021-3750)",
+    "cves": [
+      {
+        "id": "CVE-2021-3750",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3750",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1127": {
+    "id": "openEuler-SA-2024-1127",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1127",
+    "title": "An update for openjdk-1.8.0 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Security Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2024-20918)\r\n\r\nDifficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.(CVE-2024-20919)\r\n\r\nDifficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.(CVE-2024-20921)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX).  Supported versions that are affected are Oracle Java SE: 8u391; Oracle GraalVM Enterprise Edition: 20.3.12 and  21.3.8. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 2.5 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).(CVE-2024-20922)\r\n\r\n(CVE-2024-20923)\r\n\r\n(CVE-2024-20925)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2024-20926)\r\n\r\nDifficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).(CVE-2024-20945)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2024-20952)",
+    "cves": [
+      {
+        "id": "CVE-2024-20952",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20952",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1593": {
+    "id": "openEuler-SA-2024-1593",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1593",
+    "title": "An update for glibc is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt,  login, exit and more.\r\n\r\nSecurity Fix(es):\r\n\r\nnscd: Stack-based buffer overflow in netgroup cache\r\n\r\nIf the Name Service Cache Daemon's (nscd) fixed size cache is exhausted\nby client requests then a subsequent client request for netgroup data\nmay result in a stack-based buffer overflow.  This flaw was introduced\nin glibc 2.15 when the cache was added to nscd.\r\n\r\nThis vulnerability is only present in the nscd binary.\n(CVE-2024-33599)\r\n\r\nnscd: Null pointer crashes after notfound response\r\n\r\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference.  This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\r\n\r\nThis vulnerability is only present in the nscd binary.\r\n\r\n(CVE-2024-33600)\r\n\r\nnscd: netgroup cache may terminate daemon on memory allocation failure\r\n\r\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients.  The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\r\n\r\nThis vulnerability is only present in the nscd binary.\r\n\r\n(CVE-2024-33601)\r\n\r\nnscd: netgroup cache assumes NSS callback uses in-buffer strings\r\n\r\nThe Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory\nwhen the NSS callback does not store all strings in the provided buffer.\nThe flaw was introduced in glibc 2.15 when the cache was added to nscd.\r\n\r\nThis vulnerability is only present in the nscd binary.\r\n\r\n(CVE-2024-33602)",
+    "cves": [
+      {
+        "id": "CVE-2024-33602",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33602",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1796": {
+    "id": "openEuler-SA-2024-1796",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1796",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nubifs: Set page uptodate in the correct place\r\n\r\nPage cache reads are lockless, so setting the freshly allocated page\nuptodate before we've overwritten it with the data it's supposed to have\nin it will allow a simultaneous reader to see old data.  Move the call\nto SetPageUptodate into ubifs_write_end(), which is after we copied the\nnew data into the page.(CVE-2024-35821)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nkprobes: Fix possible use-after-free issue on kprobe registration\r\n\r\nWhen unloading a module, its state is changing MODULE_STATE_LIVE ->\n MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take\na time. `is_module_text_address()` and `__module_text_address()`\nworks with MODULE_STATE_LIVE and MODULE_STATE_GOING.\nIf we use `is_module_text_address()` and `__module_text_address()`\nseparately, there is a chance that the first one is succeeded but the\nnext one is failed because module->state becomes MODULE_STATE_UNFORMED\nbetween those operations.\r\n\r\nIn `check_kprobe_address_safe()`, if the second `__module_text_address()`\nis failed, that is ignored because it expected a kernel_text address.\nBut it may have failed simply because module->state has been changed\nto MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify\nnon-exist module text address (use-after-free).\r\n\r\nTo fix this problem, we should not use separated `is_module_text_address()`\nand `__module_text_address()`, but use only `__module_text_address()`\nonce and do `try_module_get(module)` which is only available with\nMODULE_STATE_LIVE.(CVE-2024-35955)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP\r\n\r\nIf one TCA_TAPRIO_ATTR_PRIOMAP attribute has been provided,\ntaprio_parse_mqprio_opt() must validate it, or userspace\ncan inject arbitrary data to the kernel, the second time\ntaprio_change() is called.\r\n\r\nFirst call (with valid attributes) sets dev->num_tc\nto a non zero value.\r\n\r\nSecond call (with arbitrary mqprio attributes)\nreturns early from taprio_parse_mqprio_opt()\nand bad things can happen.(CVE-2024-36974)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: Fix shift-out-of-bounds in dctcp_update_alpha().\r\n\r\nIn dctcp_update_alpha(), we use a module parameter dctcp_shift_g\nas follows:\r\n\r\n  alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g);\n  ...\n  delivered_ce <<= (10 - dctcp_shift_g);\r\n\r\nIt seems syzkaller started fuzzing module parameters and triggered\nshift-out-of-bounds [0] by setting 100 to dctcp_shift_g:\r\n\r\n  memcpy((void*)0x20000080,\n         \"/sys/module/tcp_dctcp/parameters/dctcp_shift_g\\000\", 47);\n  res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul,\n                /*flags=*/2ul, /*mode=*/0ul);\n  memcpy((void*)0x20000000, \"100\\000\", 4);\n  syscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000000ul, /*len=*/4ul);\r\n\r\nLet's limit the max value of dctcp_shift_g by param_set_uint_minmax().\r\n\r\nWith this patch:\r\n\r\n  # echo 10 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n  # cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n  10\n  # echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n  -bash: echo: write error: Invalid argument\r\n\r\n[0]:\nUBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12\nshift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int')\nCPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468\n dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143\n tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline]\n tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948\n tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711\n tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937\n sk_backlog_rcv include/net/sock.h:1106 [inline]\n __release_sock+0x20f/0x350 net/core/sock.c:2983\n release_sock+0x61/0x1f0 net/core/sock.c:3549\n mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907\n mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976\n __mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072\n mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127\n inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437\n __sock_release net/socket.c:659 [inline]\n sock_close+0xc0/0x240 net/socket.c:1421\n __fput+0x41b/0x890 fs/file_table.c:422\n task_work_run+0x23b/0x300 kernel/task_work.c:180\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0x9c8/0x2540 kernel/exit.c:878\n do_group_exit+0x201/0x2b0 kernel/exit.c:1027\n __do_sys_exit_group kernel/exit.c:1038 [inline]\n __se_sys_exit_group kernel/exit.c:1036 [inline]\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\nRIP: 0033:0x7f6c2b5005b6\nCode: Unable to access opcode bytes at 0x7f6c2b50058c.\nRSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6\nRDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001\nRBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0\nR10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0\nR13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n </TASK>(CVE-2024-37356)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nof: module: add buffer overflow check in of_modalias()\r\n\r\nIn of_modalias(), if the buffer happens to be too small even for the 1st\nsnprintf() call, the len parameter will become negative and str parameter\n(if not NULL initially) will point beyond the buffer's end. Add the buffer\noverflow check after the 1st snprintf() call and fix such check after the\nstrlen() call (accounting for the terminating NUL char).(CVE-2024-38541)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5: Add a timeout to acquire the command queue semaphore\r\n\r\nPrevent forced completion handling on an entry that has not yet been\nassigned an index, causing an out of bounds access on idx = -22.\nInstead of waiting indefinitely for the sem, blocking flow now waits for\nindex to be allocated or a sem acquisition timeout before beginning the\ntimer for FW completion.\r\n\r\nKernel log example:\nmlx5_core 0000:06:00.0: wait_func_handle_exec_timeout:1128:(pid 185911): cmd[-22]: CREATE_UCTX(0xa04) No done completion(CVE-2024-38556)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE\r\n\r\nbpf_prog_attach uses attach_type_to_prog_type to enforce proper\nattach type for BPF_PROG_TYPE_CGROUP_SKB. link_create uses\nbpf_prog_get and relies on bpf_prog_attach_check_attach_type\nto properly verify prog_type <> attach_type association.\r\n\r\nAdd missing attach_type enforcement for the link_create case.\nOtherwise, it's currently possible to attach cgroup_skb prog\ntypes to other cgroup hooks.(CVE-2024-38564)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nftrace: Fix possible use-after-free issue in ftrace_location()\r\n\r\nKASAN reports a bug:\r\n\r\n  BUG: KASAN: use-after-free in ftrace_location+0x90/0x120\n  Read of size 8 at addr ffff888141d40010 by task insmod/424\n  CPU: 8 PID: 424 Comm: insmod Tainted: G        W          6.9.0-rc2+\n  [...]\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x68/0xa0\n   print_report+0xcf/0x610\n   kasan_report+0xb5/0xe0\n   ftrace_location+0x90/0x120\n   register_kprobe+0x14b/0xa40\n   kprobe_init+0x2d/0xff0 [kprobe_example]\n   do_one_initcall+0x8f/0x2d0\n   do_init_module+0x13a/0x3c0\n   load_module+0x3082/0x33d0\n   init_module_from_file+0xd2/0x130\n   __x64_sys_finit_module+0x306/0x440\n   do_syscall_64+0x68/0x140\n   entry_SYSCALL_64_after_hwframe+0x71/0x79\r\n\r\nThe root cause is that, in lookup_rec(), ftrace record of some address\nis being searched in ftrace pages of some module, but those ftrace pages\nat the same time is being freed in ftrace_release_mod() as the\ncorresponding module is being deleted:\r\n\r\n           CPU1                       |      CPU2\n  register_kprobes() {                | delete_module() {\n    check_kprobe_address_safe() {     |\n      arch_check_ftrace_location() {  |\n        ftrace_location() {           |\n          lookup_rec() // USE!        |   ftrace_release_mod() // Free!\r\n\r\nTo fix this issue:\n  1. Hold rcu lock as accessing ftrace pages in ftrace_location_range();\n  2. Use ftrace_location_range() instead of lookup_rec() in\n     ftrace_location();\n  3. Call synchronize_rcu() before freeing any ftrace pages both in\n     ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem().(CVE-2024-38588)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njffs2: prevent xattr node from overflowing the eraseblock\r\n\r\nAdd a check to make sure that the requested xattr node size is no larger\nthan the eraseblock minus the cleanmarker.\r\n\r\nUnlike the usual inode nodes, the xattr nodes aren't split into parts\nand spread across multiple eraseblocks, which means that a xattr node\nmust not occupy more than one eraseblock. If the requested xattr value is\ntoo large, the xattr node can spill onto the next eraseblock, overwriting\nthe nodes and causing errors such as:\r\n\r\njffs2: argh. node added in wrong place at 0x0000b050(2)\njffs2: nextblock 0x0000a000, expected at 0000b00c\njffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050,\nread=0xfc892c93, calc=0x000000\njffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed\nat 0x01e00c. {848f,2fc4,0fef511f,59a3d171}\njffs2: Node at 0x0000000c with length 0x00001044 would run over the\nend of the erase block\njffs2: Perhaps the file system was created with the wrong erase size?\njffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found\nat 0x00000010: 0x1044 instead\r\n\r\nThis breaks the filesystem and can lead to KASAN crashes such as:\r\n\r\nBUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0\nRead of size 4 at addr ffff88802c31e914 by task repro/830\nCPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS Arch Linux 1.16.3-1-1 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0xc6/0x120\n print_report+0xc4/0x620\n ? __virt_addr_valid+0x308/0x5b0\n kasan_report+0xc1/0xf0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_flash_direct_writev+0xa8/0xd0\n jffs2_flash_writev+0x9c9/0xef0\n ? __x64_sys_setxattr+0xc4/0x160\n ? do_syscall_64+0x69/0x140\n ? entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.(CVE-2024-38599)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/ntfs3: Use variable length array instead of fixed size\r\n\r\nShould fix smatch warning:\n\tntfs_set_label() error: __builtin_memcpy() 'uni->name' too small (20 vs 256)(CVE-2024-38623)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/ntfs3: Use 64 bit variable to avoid 32 bit overflow\r\n\r\nFor example, in the expression:\n\tvbo = 2 * vbo + skip(CVE-2024-38624)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwatchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger\r\n\r\nWhen the cpu5wdt module is removing, the origin code uses del_timer() to\nde-activate the timer. If the timer handler is running, del_timer() could\nnot stop it and will return directly. If the port region is released by\nrelease_region() and then the timer handler cpu5wdt_trigger() calls outb()\nto write into the region that is released, the use-after-free bug will\nhappen.\r\n\r\nChange del_timer() to timer_shutdown_sync() in order that the timer handler\ncould be finished before the port region is released.(CVE-2024-38630)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/ap: Fix crash in AP internal function modify_bitmap()\r\n\r\nA system crash like this\r\n\r\n  Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403\n  Fault in home space mode while using kernel ASCE.\n  AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d\n  Oops: 0038 ilc:3 [#1] PREEMPT SMP\n  Modules linked in: mlx5_ib ...\n  CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8\n  Hardware name: IBM 3931 A01 704 (LPAR)\n  Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8)\n  R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\n  Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3\n  000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0\n  000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff\n  000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8\n  Krnl Code: 0000014b75e7b5fc: a7840047            brc     8,0000014b75e7b68a\n  0000014b75e7b600: 18b2                lr      %r11,%r2\n  #0000014b75e7b602: a7f4000a            brc     15,0000014b75e7b616\n  >0000014b75e7b606: eb22d00000e6        laog    %r2,%r2,0(%r13)\n  0000014b75e7b60c: a7680001            lhi     %r6,1\n  0000014b75e7b610: 187b                lr      %r7,%r11\n  0000014b75e7b612: 84960021            brxh    %r9,%r6,0000014b75e7b654\n  0000014b75e7b616: 18e9                lr      %r14,%r9\n  Call Trace:\n  [<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8\n  ([<0000014b75e7b5dc>] ap_parse_bitmap_str+0xe4/0x1f8)\n  [<0000014b75e7b758>] apmask_store+0x68/0x140\n  [<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8\n  [<0000014b75598524>] vfs_write+0x1b4/0x448\n  [<0000014b7559894c>] ksys_write+0x74/0x100\n  [<0000014b7618a440>] __do_syscall+0x268/0x328\n  [<0000014b761a3558>] system_call+0x70/0x98\n  INFO: lockdep is turned off.\n  Last Breaking-Event-Address:\n  [<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8\n  Kernel panic - not syncing: Fatal exception: panic_on_oops\r\n\r\noccured when /sys/bus/ap/a[pq]mask was updated with a relative mask value\n(like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX.\r\n\r\nThe fix is simple: use unsigned long values for the internal variables. The\ncorrect checks are already in place in the function but a simple int for\nthe internal variables was used with the possibility to overflow.(CVE-2024-38661)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\num: Add winch to winch_handlers before registering winch IRQ\r\n\r\nRegistering a winch IRQ is racy, an interrupt may occur before the winch is\nadded to the winch_handlers list.\r\n\r\nIf that happens, register_winch_irq() adds to that list a winch that is\nscheduled to be (or has already been) freed, causing a panic later in\nwinch_cleanup().\r\n\r\nAvoid the race by adding the winch to the winch_handlers list before\nregistering the IRQ, and rolling back if um_request_irq() fails.(CVE-2024-39292)",
+    "cves": [
+      {
+        "id": "CVE-2024-39292",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39292",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1784": {
+    "id": "openEuler-SA-2022-1784",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1784",
+    "title": "An update for httpd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\r\n\r\nSecurity Fix(es):\r\n\r\nApache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module.(CVE-2022-28330)",
+    "cves": [
+      {
+        "id": "CVE-2022-28330",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28330",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1549": {
+    "id": "openEuler-SA-2024-1549",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1549",
+    "title": "An update for OpenEXR is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light & Magic for use in computer imaging applications.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue in Academy Software Foundation openexr v.3.2.3 and before allows a local attacker to cause a denial of service (DoS) via the convert function of exrmultipart.cpp.(CVE-2024-31047)",
+    "cves": [
+      {
+        "id": "CVE-2024-31047",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31047",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1632": {
+    "id": "openEuler-SA-2024-1632",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1632",
+    "title": "An update for nautilus is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "It's easier to manage your files for the GNOME desktop. Ability to browse directories on local and remote systems. preview folders and launch related programs. It is also handle icons on the GNOME desktop.\r\n\r\nSecurity Fix(es):\r\n\r\nGNOME Nautilus 42.2 allows a NULL pointer dereference and get_basename application crash via a pasted ZIP archive.(CVE-2022-37290)",
+    "cves": [
+      {
+        "id": "CVE-2022-37290",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37290",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1683": {
+    "id": "openEuler-SA-2024-1683",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1683",
+    "title": "An update for libvirt is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Libvirt is a C toolkit to interact with the virtualization capabilities of recent versions of Linux (and other OSes). The main package includes the libvirtd server exporting the virtualization support.\r\n\r\nSecurity Fix(es):\r\n\r\nA race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while the data pointer's stack frame was concurrently being \"freed\" when returning from virNetClientIOEventLoop(). The 'virtproxyd' daemon can be used to trigger requests. If libvirt is configured with fine-grained access control, this issue, in theory, allows a user to escape their otherwise limited access. This flaw allows a local, unprivileged user to access virtproxyd without authenticating. Remote users would need to authenticate before they could access it.(CVE-2024-4418)",
+    "cves": [
+      {
+        "id": "CVE-2024-4418",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4418",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1445": {
+    "id": "openEuler-SA-2024-1445",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1445",
+    "title": "An update for libgsasl is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The library includes support for the SASL framework and at least partial support for the CRAM-MD5, EXTERNAL, GSSAPI, ANONYMOUS, PLAIN, SECURID, DIGEST-MD5, LOGIN, and NTLM mechanisms.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU SASL libgsasl server-side read-out-of-bounds with malicious authenticated GSS-API client(CVE-2022-2469)",
+    "cves": [
+      {
+        "id": "CVE-2022-2469",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2469",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1556": {
+    "id": "openEuler-SA-2022-1556",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1556",
+    "title": "An update for php is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server.\r\n\r\nSecurity Fix(es):\r\n\r\nIn PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), urldecode() function can be made to access locations past the allocated memory, due to erroneously using signed numbers as array indexes.(CVE-2020-7067)\r\n\r\nWhen using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code.(CVE-2019-11038)\r\n\r\nFunction iconv_mime_decode_headers() in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 may perform out-of-buffer read due to integer overflow when parsing MIME headers. This may lead to information disclosure or crash.(CVE-2019-11039)\r\n\r\nWhen PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.(CVE-2019-11040)",
+    "cves": [
+      {
+        "id": "CVE-2019-11040",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11040",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1475": {
+    "id": "openEuler-SA-2024-1475",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1475",
+    "title": "An update for apache-mime4j is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Java stream based MIME message parser.\r\n\r\nSecurity Fix(es):\r\n\r\nImproper input validation allows for header injection in MIME4J library when using MIME4J DOM for composing message.\nThis can be exploited by an attacker to add unintended headers to MIME messages.\n(CVE-2024-21742)",
+    "cves": [
+      {
+        "id": "CVE-2024-21742",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21742",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1190": {
+    "id": "openEuler-SA-2023-1190",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1190",
+    "title": "An update for wireshark is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Wireshark is an open source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer.Wireshark, formerly known as Ethereal, can be used to examine the details of traffic at a variety of levels ranging from connection-level information to the bits that make up a single packet. Packet capture can provide a network administrator with information about individual packets such as transmit time, source, destination, protocol type and header data. This information can be useful for evaluating security events and troubleshooting network security device issues.\r\n\r\nSecurity Fix(es):\r\n\r\nISO 15765 and ISO 10681 dissector crash in Wireshark 4.0.0 to 4.0.3 and 3.6.0 to 3.6.11 allows denial of service via packet injection or crafted capture file(CVE-2023-1161)",
+    "cves": [
+      {
+        "id": "CVE-2023-1161",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1161",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2044": {
+    "id": "openEuler-SA-2022-2044",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2044",
+    "title": "An update for exiv2 is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Exiv2 is a Cross-platform C++ library and a command line utility to manage image metadata. It provides fast and easy read and write access to the Exif, IPTC and XMP metadata and the ICC Profile embedded within digital images in various formats.\r\n\r\nSecurity Fix(es):\r\n\r\nAn integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted PNG image file, because PngImage::readMetadata mishandles a zero value for iccOffset.(CVE-2019-13108)\r\n\r\nThere is an out-of-bounds read in Exiv2::MrwImage::readMetadata in mrwimage.cpp in Exiv2 through 0.27.2.(CVE-2019-13504)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A null pointer dereference was found in Exiv2 versions v0.27.4 and earlier. The null pointer dereference is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the interpreted (translated) data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p t` or `-P t`). The bug is fixed in version v0.27.5.(CVE-2021-37616)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A null pointer dereference was found in Exiv2 versions v0.27.4 and earlier. The null pointer dereference is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the interpreted (translated) data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p t` or `-P t`). The bug is fixed in version v0.27.5.(CVE-2021-37615)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The assertion failure is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when modifying the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `fi`. ### Patches The bug is fixed in version v0.27.5. ### References Regression test and bug fix: #1739 ### For more information Please see our [security policy](https://github.com/Exiv2/exiv2/security/policy) for information about Exiv2 security.(CVE-2021-32815)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was found in Exiv2 versions v0.27.4 and earlier. The infinite loop is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when deleting the IPTC data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-d I rm`). The bug is fixed in version v0.27.5.(CVE-2021-37623)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was found in Exiv2 versions v0.27.4 and earlier. The infinite loop is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when deleting the IPTC data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-d I rm`). The bug is fixed in version v0.27.5.(CVE-2021-37622)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. The bug is fixed in version v0.27.5.(CVE-2021-34334)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.4 and earlier. The out-of-bounds read is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. The bug is fixed in version v0.27.5.(CVE-2021-37620)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was found in Exiv2 versions v0.27.4 and earlier. The infinite loop is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the image ICC profile, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p C`). The bug is fixed in version v0.27.5.(CVE-2021-37621)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A floating point exception (FPE) due to an integer divide by zero was found in Exiv2 versions v0.27.4 and earlier. The FPE is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the interpreted (translated) data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p t` or `-P t`). The bug is fixed in version v0.27.5.(CVE-2021-34335)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.4 and earlier. The out-of-bounds read is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the image ICC profile, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p C`). The bug is fixed in version v0.27.5.(CVE-2021-37618)\r\n\r\nA flaw was found in exiv2. A integer wraparound in the CrwMap:encode0x1810 function leads to memcpy call with a very large size allowing an attacker, who can provide a malicious image, to crash an application which uses the exiv2 library. The highest threat from this vulnerability is to service availability.(CVE-2021-31292)\n\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.4 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as insert. The bug is fixed in version v0.27.5.(CVE-2021-37619)",
+    "cves": [
+      {
+        "id": "CVE-2021-37619",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37619",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1632": {
+    "id": "openEuler-SA-2023-1632",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1632",
+    "title": "An update for tomcat is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project\r\n\r\nSecurity Fix(es):\r\n\r\nURL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92.\r\n\r\nThe vulnerability is limited to the ROOT (default) web application.(CVE-2023-41080)",
+    "cves": [
+      {
+        "id": "CVE-2023-41080",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41080",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1961": {
+    "id": "openEuler-SA-2022-1961",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1961",
+    "title": "An update for pcs is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in the PCS project. This issue occurs due to incorrect permissions on a Unix socket used for internal communication between PCS daemons. A privilege escalation could happen by obtaining an authentication token for a hacluster user. With the \"hacluster\" token, this flaw allows an attacker to have complete control over the cluster managed by PCS.(CVE-2022-2735)",
+    "cves": [
+      {
+        "id": "CVE-2022-2735",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2735",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1744": {
+    "id": "openEuler-SA-2023-1744",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1744",
+    "title": "An update for libcue is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Libcue is intended for parsing a so-called cue sheet from a char string or a file pointer. For handling of the parsed data a convenient API is available.\r\n\r\nSecurity Fix(es):\r\n\r\nlibcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution. This issue is patched in version 2.3.0.(CVE-2023-43641)",
+    "cves": [
+      {
+        "id": "CVE-2023-43641",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43641",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1864": {
+    "id": "openEuler-SA-2023-1864",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1864",
+    "title": "An update for perl is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Low",
+    "description": "Perl 5 is a highly capable, feature-rich programming language with over 30 years of development. Perl 5 runs on over 100 platforms from portables to mainframes and is suitable for both rapid prototyping and large scale development projects.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in perl. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer.(CVE-2023-47038)",
+    "cves": [
+      {
+        "id": "CVE-2023-47038",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47038",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1256": {
+    "id": "openEuler-SA-2023-1256",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1256",
+    "title": "An update for protobuf-c is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "This is protobuf-c, a C implementation of the Google Protocol Buffers data serialization format.\r\n\r\nSecurity Fix(es):\r\n\r\nprotobuf-c before 1.4.1 has an unsigned integer overflow in parse_required_member.(CVE-2022-48468)",
+    "cves": [
+      {
+        "id": "CVE-2022-48468",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48468",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1935": {
+    "id": "openEuler-SA-2023-1935",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1935",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": ".\r\n\r\nSecurity Fix(es):\r\n\r\nA malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.(CVE-2023-39326)\r\n\r\nUsing go get to fetch a module with the \".git\" suffix may unexpectedly fallback to the insecure \"git://\" protocol if the module is unavailable via the secure \"https://\" and \"git+ssh://\" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).(CVE-2023-45285)",
+    "cves": [
+      {
+        "id": "CVE-2023-45285",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45285",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1001": {
+    "id": "openEuler-SA-2023-1001",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1001",
+    "title": "An update for patchelf is now available for openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "PatchELF is a simple utility for modifying an existing ELF executable or library.  It can change the dynamic loader (\"ELF interpreter\") of an executable and change the RPATH of an executable or library.\r\n\r\nSecurity Fix(es):\r\n\r\nPatchelf v0.9 was discovered to contain an out-of-bounds read via the function modifyRPath at src/patchelf.cc.(CVE-2022-44940)",
+    "cves": [
+      {
+        "id": "CVE-2022-44940",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44940",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1964": {
+    "id": "openEuler-SA-2022-1964",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1964",
+    "title": "An update for mod_security_crs is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "The base rules are provided for mod_security by this package.\r\n\r\nSecurity Fix(es):\r\n\r\nThe OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type \"charset\" names and therefore bypassing the configurable CRS Content-Type header \"charset\" allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.(CVE-2022-39955)\n\nThe OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised upgrade to 3.2.2 and 3.3.3 respectively. The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6 / v3.0.8).(CVE-2022-39956)",
+    "cves": [
+      {
+        "id": "CVE-2022-39956",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39956",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1045": {
+    "id": "openEuler-SA-2024-1045",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1045",
+    "title": "An update for libssh is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote programs. With its Secure FTP implementation, you can play with remote files easily, without third-party programs others than libcrypto (from openssl).\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in libssh. By utilizing the ProxyCommand or ProxyJump feature, users can exploit unchecked hostname syntax on the client. This issue may allow an attacker to inject malicious code into the command of the features mentioned through the hostname parameter.(CVE-2023-6004)\r\n\r\nA flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. The return values from these were not properly checked, which could cause low-memory situations failures, NULL dereferences, crashes, or usage of the uninitialized memory as an input for the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection.(CVE-2023-6918)",
+    "cves": [
+      {
+        "id": "CVE-2023-6918",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6918",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1214": {
+    "id": "openEuler-SA-2021-1214",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1214",
+    "title": "An update for rust is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Rust is a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug could result in a memory safety violation when other string APIs assume that UTF-8 encoding is used on the same string.(CVE-2020-36317)\r\n\r\nIn the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe context. This bug could lead to a buffer overflow.(CVE-2021-28875)\r\n\r\nIn the standard library in Rust before 1.52.0, the Zip implementation calls __iterator_get_unchecked() more than once for the same index (under certain conditions) when next_back() and next() are used together. This bug could lead to a memory safety violation due to an unmet safety requirement for the TrustedRandomAccess trait.(CVE-2021-28878)\r\n\r\nIn the standard library in Rust before 1.51.0, the Zip implementation calls __iterator_get_unchecked() for the same index more than once when nested. This bug can lead to a memory safety violation due to an unmet safety requirement for the TrustedRandomAccess trait.(CVE-2021-28877)\r\n\r\nIn the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. It calls __iterator_get_unchecked() more than once for the same index when the underlying iterator panics (in certain conditions). This bug could lead to a memory safety violation due to an unmet safety requirement for the TrustedRandomAccess trait.(CVE-2021-28876)\r\n\r\nIn the standard library in Rust before 1.52.0, the Zip implementation can report an incorrect size due to an integer overflow. This bug can lead to a buffer overflow when a consumed Zip iterator is used again.(CVE-2021-28879)\r\n\r\nIn the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain condition. This bug could result in a use-after-free or double free.(CVE-2020-36318)\r\n\r\nIn the standard library in Rust before 1.52.0, there is an optimization for joining strings that can cause uninitialized bytes to be exposed (or the program to crash) if the borrowed string changes after its length is checked.(CVE-2020-36323)",
+    "cves": [
+      {
+        "id": "CVE-2020-36323",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36323",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1051": {
+    "id": "openEuler-SA-2021-1051",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1051",
+    "title": "An update for jackson-databind is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The general-purpose data-binding functionality and tree-model for Jackson Data Processor. It builds on core streaming parser/generator package, and uses Jackson Annotations for configuration.\r\n\r\nSecurity Fix(es):\r\n\r\nFasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.(CVE-2020-36182)\r\n\r\nFasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.(CVE-2020-36183)\r\n\r\nFasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.(CVE-2020-36187)\r\n\r\nFasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.(CVE-2020-36181)\r\n\r\nFasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.(CVE-2020-36186)\r\n\r\nFasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.(CVE-2020-36180)\r\n\r\nFasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.(CVE-2020-36188)\r\n\r\nFasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.(CVE-2020-36184)\r\n\r\nFasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.(CVE-2020-36179)\r\n\r\nFasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.(CVE-2020-36189)\r\n\r\nA flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2021-20190)",
+    "cves": [
+      {
+        "id": "CVE-2021-20190",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20190",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1595": {
+    "id": "openEuler-SA-2024-1595",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1595",
+    "title": "An update for giflib is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "giflib is a library of gif images and provides utilities for processing images.\r\n\r\nSecurity Fix(es):\r\n\r\nA memory leak (out-of-memory) in gif2rgb in util/gif2rgb.c in giflib 5.1.4 allows remote attackers trigger an out of memory exception or denial of service via a gif format file.(CVE-2021-40633)",
+    "cves": [
+      {
+        "id": "CVE-2021-40633",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40633",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1227": {
+    "id": "openEuler-SA-2023-1227",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1227",
+    "title": "An update for python3 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces.This package Provides python version 3.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.(CVE-2023-24329)",
+    "cves": [
+      {
+        "id": "CVE-2023-24329",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24329",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1647": {
+    "id": "openEuler-SA-2023-1647",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1647",
+    "title": "An update for mdadm is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "mdadm is a tool for managing Linux Software RAID arrays. It can create, assemble, report on, and monitor arrays. It can also move spares between raid arrays when needed.\r\n\r\nSecurity Fix(es):\r\n\r\nUncontrolled resource consumption in some Intel(R) SSD Tools software before version mdadm-4.2-rc2 may allow a priviledged user to potentially enable denial of service via local access.(CVE-2023-28938)",
+    "cves": [
+      {
+        "id": "CVE-2023-28938",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28938",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1934": {
+    "id": "openEuler-SA-2023-1934",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1934",
+    "title": "An update for gstreamer1-plugins-good is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "GStreamer is a streaming media framework, based on graphs of filters which operate on media data. Applications using this library can do anything from real-time sound processing to playing videos, and just about anything else media-related.  Its plugin-based architecture means that new data types or processing capabilities can be added simply by installing new plugins.\r\n\r\nSecurity Fix(es):\r\n\r\nHeap-based buffer overflow in the FLAC parser when handling malformed image tags in GStreamer versions before 1.22.4 / 1.20.7. \r\n\r\nhttps://gstreamer.freedesktop.org/security/sa-2023-0001.html(CVE-2023-37327)",
+    "cves": [
+      {
+        "id": "CVE-2023-37327",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37327",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1704": {
+    "id": "openEuler-SA-2024-1704",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1704",
+    "title": "An update for openjdk-11 is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP3",
+    "severity": "Low",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22;   Oracle GraalVM Enterprise Edition: 20.3.13 and  21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2024-21011)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and  21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2024-21012)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2 and  22; Oracle GraalVM Enterprise Edition: 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2024-21068)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Concurrency).  Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22; Oracle GraalVM Enterprise Edition: 20.3.13 and  21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2024-21085)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and  21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2024-21094)",
+    "cves": [
+      {
+        "id": "CVE-2024-21094",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21094",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1610": {
+    "id": "openEuler-SA-2023-1610",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1610",
+    "title": "An update for qt5-qtbase is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "This package provides base tools, such as string, xml, and network handling.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.(CVE-2023-37369)",
+    "cves": [
+      {
+        "id": "CVE-2023-37369",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37369",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1237": {
+    "id": "openEuler-SA-2021-1237",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1237",
+    "title": "An update for gstreamer-plugins-base is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "GStreamer is a pipeline-based multimedia framework that links together a wide variety of media processing systems to complete complex workflows, based on graphs of filters which operate on media data. The formats and processes can be changed in plugins since its plugin-based architecture. This package contains a set of well-maintained base plug-ins and wrapper scripts for the command-line tools for the base plugins.\r\n\r\nSecurity Fix(es):\r\n\r\nGStreamer before 1.18.4 may perform an out-of-bounds read when handling certain ID3v2 tags.(CVE-2021-3522)",
+    "cves": [
+      {
+        "id": "CVE-2021-3522",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3522",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1267": {
+    "id": "openEuler-SA-2024-1267",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1267",
+    "title": "An update for glusterfs is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "GlusterFS is a distributed file-system capable of scaling to several petabytes. It aggregates various storage bricks over TCP/IP interconnect into one large parallel network filesystem. GlusterFS is one of the most sophisticated file systems in terms of features and extensibility. It borrows a powerful concept called Translators from GNU Hurd kernel. Much of the code in GlusterFS is in user space and easily manageable.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Gluster GlusterFS 11.0, there is an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free.(CVE-2022-48340)",
+    "cves": [
+      {
+        "id": "CVE-2022-48340",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48340",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1462": {
+    "id": "openEuler-SA-2024-1462",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1462",
+    "title": "An update for ghostscript is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Ghostscript is an interpreter for PostScript™ and Portable Document Format (PDF) files. Ghostscript consists of a PostScript interpreter layer, and a graphics library.\r\n\r\nSecurity Fix(es):\r\n\r\nArtifex Ghostscript before 9.53.0 has an out-of-bounds write and use-after-free in devices/vector/gdevtxtw.c (for txtwrite) because a single character code in a PDF document can map to more than one Unicode code point (e.g., for a ligature).(CVE-2020-36773)",
+    "cves": [
+      {
+        "id": "CVE-2020-36773",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36773",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1500": {
+    "id": "openEuler-SA-2024-1500",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1500",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: fix out of bounds in init_smb2_rsp_hdr()\r\n\r\nIf client send smb2 negotiate request and then send smb1 negotiate\nrequest, init_smb2_rsp_hdr is called for smb1 negotiate request since\nneed_neg is set to false. This patch ignore smb1 packets after ->need_neg\nis set to false.(CVE-2023-52441)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm: Don't unref the same fb many times by mistake due to deadlock handling\r\n\r\nIf we get a deadlock after the fb lookup in drm_mode_page_flip_ioctl()\nwe proceed to unref the fb and then retry the whole thing from the top.\nBut we forget to reset the fb pointer back to NULL, and so if we then\nget another error during the retry, before the fb lookup, we proceed\nthe unref the same fb again without having gotten another reference.\nThe end result is that the fb will (eventually) end up being freed\nwhile it's still in use.\r\n\r\nReset fb to NULL once we've unreffed it to avoid doing it again\nuntil we've done another fb lookup.\r\n\r\nThis turned out to be pretty easy to hit on a DG2 when doing async\nflips (and CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y). The first symptom I\nsaw that drm_closefb() simply got stuck in a busy loop while walking\nthe framebuffer list. Fortunately I was able to convince it to oops\ninstead, and from there it was easier to track down the culprit.(CVE-2023-52486)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run\r\n\r\nIn mtk_jpeg_probe, &jpeg->job_timeout_work is bound with\nmtk_jpeg_job_timeout_work.\r\n\r\nIn mtk_jpeg_dec_device_run, if error happens in\nmtk_jpeg_set_dec_dst, it will finally start the worker while\nmark the job as finished by invoking v4l2_m2m_job_finish.\r\n\r\nThere are two methods to trigger the bug. If we remove the\nmodule, it which will call mtk_jpeg_remove to make cleanup.\nThe possible sequence is as follows, which will cause a\nuse-after-free bug.\r\n\r\nCPU0                  CPU1\nmtk_jpeg_dec_...    |\n  start worker\t    |\n                    |mtk_jpeg_job_timeout_work\nmtk_jpeg_remove     |\n  v4l2_m2m_release  |\n    kfree(m2m_dev); |\n                    |\n                    | v4l2_m2m_get_curr_priv\n                    |   m2m_dev->curr_ctx //use\r\n\r\nIf we close the file descriptor, which will call mtk_jpeg_release,\nit will have a similar sequence.\r\n\r\nFix this bug by starting timeout worker only if started jpegdec worker\nsuccessfully. Then v4l2_m2m_job_finish will only be called in\neither mtk_jpeg_job_timeout_work or mtk_jpeg_dec_device_run.(CVE-2023-52491)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: fix NULL pointer in channel unregistration function\r\n\r\n__dma_async_device_channel_register() can fail. In case of failure,\nchan->local is freed (with free_percpu()), and chan->local is nullified.\nWhen dma_async_device_unregister() is called (because of managed API or\nintentionally by DMA controller driver), channels are unconditionally\nunregistered, leading to this NULL pointer:\n[    1.318693] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0\n[...]\n[    1.484499] Call trace:\n[    1.486930]  device_del+0x40/0x394\n[    1.490314]  device_unregister+0x20/0x7c\n[    1.494220]  __dma_async_device_channel_unregister+0x68/0xc0\r\n\r\nLook at dma_async_device_register() function error path, channel device\nunregistration is done only if chan->local is not NULL.\r\n\r\nThen add the same condition at the beginning of\n__dma_async_device_channel_unregister() function, to avoid NULL pointer\nissue whatever the API used to reach this function.(CVE-2023-52492)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbus: mhi: host: Drop chan lock before queuing buffers\r\n\r\nEnsure read and write locks for the channel are not taken in succession by\ndropping the read lock from parse_xfer_event() such that a callback given\nto client can potentially queue buffers and acquire the write lock in that\nprocess. Any queueing of buffers should be done without channel read lock\nacquired as it can result in multiple locks and a soft lockup.\r\n\r\n[mani: added fixes tag and cc'ed stable](CVE-2023-52493)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbus: mhi: host: Add alignment check for event ring read pointer\r\n\r\nThough we do check the event ring read pointer by \"is_valid_ring_ptr\"\nto make sure it is in the buffer range, but there is another risk the\npointer may be not aligned.  Since we are expecting event ring elements\nare 128 bits(struct mhi_ring_element) aligned, an unaligned read pointer\ncould lead to multiple issues like DoS or ring buffer memory corruption.\r\n\r\nSo add a alignment check for event ring read pointer.(CVE-2023-52494)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nPM: sleep: Fix possible deadlocks in core system-wide PM code\r\n\r\nIt is reported that in low-memory situations the system-wide resume core\ncode deadlocks, because async_schedule_dev() executes its argument\nfunction synchronously if it cannot allocate memory (and not only in\nthat case) and that function attempts to acquire a mutex that is already\nheld.  Executing the argument function synchronously from within\ndpm_async_fn() may also be problematic for ordering reasons (it may\ncause a consumer device's resume callback to be invoked before a\nrequisite supplier device's one, for example).\r\n\r\nAddress this by changing the code in question to use\nasync_schedule_dev_nocall() for scheduling the asynchronous\nexecution of device suspend and resume functions and to directly\nrun them synchronously if async_schedule_dev_nocall() returns false.(CVE-2023-52498)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntee: amdtee: fix use-after-free vulnerability in amdtee_close_session\r\n\r\nThere is a potential race condition in amdtee_close_session that may\ncause use-after-free in amdtee_open_session. For instance, if a session\nhas refcount == 1, and one thread tries to free this session via:\r\n\r\n    kref_put(&sess->refcount, destroy_session);\r\n\r\nthe reference count will get decremented, and the next step would be to\ncall destroy_session(). However, if in another thread,\namdtee_open_session() is called before destroy_session() has completed\nexecution, alloc_session() may return 'sess' that will be freed up\nlater in destroy_session() leading to use-after-free in\namdtee_open_session.\r\n\r\nTo fix this issue, treat decrement of sess->refcount and removal of\n'sess' from session list in destroy_session() as a critical section, so\nthat it is executed atomically.(CVE-2023-52503)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nx86/alternatives: Disable KASAN in apply_alternatives()\r\n\r\nFei has reported that KASAN triggers during apply_alternatives() on\na 5-level paging machine:\r\n\r\n\tBUG: KASAN: out-of-bounds in rcu_is_watching()\n\tRead of size 4 at addr ff110003ee6419a0 by task swapper/0/0\n\t...\n\t__asan_load4()\n\trcu_is_watching()\n\ttrace_hardirqs_on()\n\ttext_poke_early()\n\tapply_alternatives()\n\t...\r\n\r\nOn machines with 5-level paging, cpu_feature_enabled(X86_FEATURE_LA57)\ngets patched. It includes KASAN code, where KASAN_SHADOW_START depends on\n__VIRTUAL_MASK_SHIFT, which is defined with cpu_feature_enabled().\r\n\r\nKASAN gets confused when apply_alternatives() patches the\nKASAN_SHADOW_START users. A test patch that makes KASAN_SHADOW_START\nstatic, by replacing __VIRTUAL_MASK_SHIFT with 56, works around the issue.\r\n\r\nFix it for real by disabling KASAN while the kernel is patching alternatives.\r\n\r\n[ mingo: updated the changelog ](CVE-2023-52504)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: nfc: llcp: Add lock when modifying device list\r\n\r\nThe device list needs its associated lock held when modifying it, or the\nlist could become corrupted, as syzbot discovered.(CVE-2023-52524)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nserial: 8250_port: Check IRQ data before use\r\n\r\nIn case the leaf driver wants to use IRQ polling (irq = 0) and\nIIR register shows that an interrupt happened in the 8250 hardware\nthe IRQ data can be NULL. In such a case we need to skip the wake\nevent as we came to this path from the timer interrupt and quite\nlikely system is already awake.\r\n\r\nWithout this fix we have got an Oops:\r\n\r\n    serial8250: ttyS0 at I/O 0x3f8 (irq = 0, base_baud = 115200) is a 16550A\n    ...\n    BUG: kernel NULL pointer dereference, address: 0000000000000010\n    RIP: 0010:serial8250_handle_irq+0x7c/0x240\n    Call Trace:\n     ? serial8250_handle_irq+0x7c/0x240\n     ? __pfx_serial8250_timeout+0x10/0x10(CVE-2023-52567)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nteam: fix null-ptr-deref when team device type is changed\r\n\r\nGet a null-ptr-deref bug as follows with reproducer [1].\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000228\n...\nRIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q]\n...\nCall Trace:\n <TASK>\n ? __die+0x24/0x70\n ? page_fault_oops+0x82/0x150\n ? exc_page_fault+0x69/0x150\n ? asm_exc_page_fault+0x26/0x30\n ? vlan_dev_hard_header+0x35/0x140 [8021q]\n ? vlan_dev_hard_header+0x8e/0x140 [8021q]\n neigh_connected_output+0xb2/0x100\n ip6_finish_output2+0x1cb/0x520\n ? nf_hook_slow+0x43/0xc0\n ? ip6_mtu+0x46/0x80\n ip6_finish_output+0x2a/0xb0\n mld_sendpack+0x18f/0x250\n mld_ifc_work+0x39/0x160\n process_one_work+0x1e6/0x3f0\n worker_thread+0x4d/0x2f0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe5/0x120\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\r\n\r\n[1]\n$ teamd -t team0 -d -c '{\"runner\": {\"name\": \"loadbalance\"}}'\n$ ip link add name t-dummy type dummy\n$ ip link add link t-dummy name t-dummy.100 type vlan id 100\n$ ip link add name t-nlmon type nlmon\n$ ip link set t-nlmon master team0\n$ ip link set t-nlmon nomaster\n$ ip link set t-dummy up\n$ ip link set team0 up\n$ ip link set t-dummy.100 down\n$ ip link set t-dummy.100 master team0\r\n\r\nWhen enslave a vlan device to team device and team device type is changed\nfrom non-ether to ether, header_ops of team device is changed to\nvlan_header_ops. That is incorrect and will trigger null-ptr-deref\nfor vlan->real_dev in vlan_dev_hard_header() because team device is not\na vlan device.\r\n\r\nCache eth_header_ops in team_setup(), then assign cached header_ops to\nheader_ops of team net device when its type is changed from non-ether\nto ether to fix the bug.(CVE-2023-52574)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2023-52575)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/mm: Fix null-pointer dereference in pgtable_cache_add\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.(CVE-2023-52607)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfirmware: arm_scmi: Check mailbox/SMT channel for consistency\r\n\r\nOn reception of a completion interrupt the shared memory area is accessed\nto retrieve the message header at first and then, if the message sequence\nnumber identifies a transaction which is still pending, the related\npayload is fetched too.\r\n\r\nWhen an SCMI command times out the channel ownership remains with the\nplatform until eventually a late reply is received and, as a consequence,\nany further transmission attempt remains pending, waiting for the channel\nto be relinquished by the platform.\r\n\r\nOnce that late reply is received the channel ownership is given back\nto the agent and any pending request is then allowed to proceed and\noverwrite the SMT area of the just delivered late reply; then the wait\nfor the reply to the new request starts.\r\n\r\nIt has been observed that the spurious IRQ related to the late reply can\nbe wrongly associated with the freshly enqueued request: when that happens\nthe SCMI stack in-flight lookup procedure is fooled by the fact that the\nmessage header now present in the SMT area is related to the new pending\ntransaction, even though the real reply has still to arrive.\r\n\r\nThis race-condition on the A2P channel can be detected by looking at the\nchannel status bits: a genuine reply from the platform will have set the\nchannel free bit before triggering the completion IRQ.\r\n\r\nAdd a consistency check to validate such condition in the A2P ISR.(CVE-2023-52608)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nPCI: switchtec: Fix stdev_release() crash after surprise hot remove\r\n\r\nA PCI device hot removal may occur while stdev->cdev is held open. The call\nto stdev_release() then happens during close or exit, at a point way past\nswitchtec_pci_remove(). Otherwise the last ref would vanish with the\ntrailing put_device(), just before return.\r\n\r\nAt that later point in time, the devm cleanup has already removed the\nstdev->mmio_mrpc mapping. Also, the stdev->pdev reference was not a counted\none. Therefore, in DMA mode, the iowrite32() in stdev_release() will cause\na fatal page fault, and the subsequent dma_free_coherent(), if reached,\nwould pass a stale &stdev->pdev->dev pointer.\r\n\r\nFix by moving MRPC DMA shutdown into switchtec_pci_remove(), after\nstdev_kill(). Counting the stdev->pdev ref is now optional, but may prevent\nfuture accidents.\r\n\r\nReproducible via the script at\nhttps://lore.kernel.org/r/20231113212150.96410-1-dns@arista.com(CVE-2023-52617)\r\n\r\nA null pointer dereference vulnerability was found in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() in drivers/net/wireless/ath/ath10k/wmi-tlv.c in the Linux kernel. This issue could be exploited to trigger a denial of service.(CVE-2023-7042)\r\n\r\nA race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.\r\n\r\n\r\n\r\n\n(CVE-2024-24861)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: fix global oob in ksmbd_nl_policy\r\n\r\nSimilar to a reported issue (check the commit b33fb5b801c6 (\"net:\nqualcomm: rmnet: fix global oob in rmnet_policy\"), my local fuzzer finds\nanother global out-of-bounds read for policy ksmbd_nl_policy. See bug\ntrace below:\r\n\r\n==================================================================\nBUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline]\nBUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\nRead of size 1 at addr ffffffff8f24b100 by task syz-executor.1/62810\r\n\r\nCPU: 0 PID: 62810 Comm: syz-executor.1 Tainted: G                 N 6.1.0 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x172/0x475 mm/kasan/report.c:395\n kasan_report+0xbb/0x1c0 mm/kasan/report.c:495\n validate_nla lib/nlattr.c:386 [inline]\n __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\n __nla_parse+0x3e/0x50 lib/nlattr.c:697\n __nlmsg_parse include/net/netlink.h:748 [inline]\n genl_family_rcv_msg_attrs_parse.constprop.0+0x1b0/0x290 net/netlink/genetlink.c:565\n genl_family_rcv_msg_doit+0xda/0x330 net/netlink/genetlink.c:734\n genl_family_rcv_msg net/netlink/genetlink.c:833 [inline]\n genl_rcv_msg+0x441/0x780 net/netlink/genetlink.c:850\n netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540\n genl_rcv+0x24/0x40 net/netlink/genetlink.c:861\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg+0x154/0x190 net/socket.c:734\n ____sys_sendmsg+0x6df/0x840 net/socket.c:2482\n ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536\n __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fdd66a8f359\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fdd65e00168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007fdd66bbcf80 RCX: 00007fdd66a8f359\nRDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000003\nRBP: 00007fdd66ada493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007ffc84b81aff R14: 00007fdd65e00300 R15: 0000000000022000\n </TASK>\r\n\r\nThe buggy address belongs to the variable:\n ksmbd_nl_policy+0x100/0xa80\r\n\r\nThe buggy address belongs to the physical page:\npage:0000000034f47940 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ccc4b\nflags: 0x200000000001000(reserved|node=0|zone=2)\nraw: 0200000000001000 ffffea00073312c8 ffffea00073312c8 0000000000000000\nraw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\r\n\r\nMemory state around the buggy address:\n ffffffff8f24b000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffffffff8f24b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n>ffffffff8f24b100: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 07 f9\n                   ^\n ffffffff8f24b180: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 00 00 00 05\n ffffffff8f24b200: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 00 04 f9\n==================================================================\r\n\r\nTo fix it, add a placeholder named __KSMBD_EVENT_MAX and let\nKSMBD_EVENT_MAX to be its original value - 1 according to what other\nnetlink families do. Also change two sites that refer the\nKSMBD_EVENT_MAX to correct value.(CVE-2024-26608)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/smc: fix illegal rmb_desc access in SMC-D connection dump\r\n\r\nA crash was found when dumping SMC-D connections. It can be reproduced\nby following steps:\r\n\r\n- run nginx/wrk test:\n  smc_run nginx\n  smc_run wrk -t 16 -c 1000 -d <duration> -H 'Connection: Close' <URL>\r\n\r\n- continuously dump SMC-D connections in parallel:\n  watch -n 1 'smcss -D'\r\n\r\n BUG: kernel NULL pointer dereference, address: 0000000000000030\n CPU: 2 PID: 7204 Comm: smcss Kdump: loaded Tainted: G\tE      6.7.0+ #55\n RIP: 0010:__smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]\n Call Trace:\n  <TASK>\n  ? __die+0x24/0x70\n  ? page_fault_oops+0x66/0x150\n  ? exc_page_fault+0x69/0x140\n  ? asm_exc_page_fault+0x26/0x30\n  ? __smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]\n  ? __kmalloc_node_track_caller+0x35d/0x430\n  ? __alloc_skb+0x77/0x170\n  smc_diag_dump_proto+0xd0/0xf0 [smc_diag]\n  smc_diag_dump+0x26/0x60 [smc_diag]\n  netlink_dump+0x19f/0x320\n  __netlink_dump_start+0x1dc/0x300\n  smc_diag_handler_dump+0x6a/0x80 [smc_diag]\n  ? __pfx_smc_diag_dump+0x10/0x10 [smc_diag]\n  sock_diag_rcv_msg+0x121/0x140\n  ? __pfx_sock_diag_rcv_msg+0x10/0x10\n  netlink_rcv_skb+0x5a/0x110\n  sock_diag_rcv+0x28/0x40\n  netlink_unicast+0x22a/0x330\n  netlink_sendmsg+0x1f8/0x420\n  __sock_sendmsg+0xb0/0xc0\n  ____sys_sendmsg+0x24e/0x300\n  ? copy_msghdr_from_user+0x62/0x80\n  ___sys_sendmsg+0x7c/0xd0\n  ? __do_fault+0x34/0x160\n  ? do_read_fault+0x5f/0x100\n  ? do_fault+0xb0/0x110\n  ? __handle_mm_fault+0x2b0/0x6c0\n  __sys_sendmsg+0x4d/0x80\n  do_syscall_64+0x69/0x180\n  entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\nIt is possible that the connection is in process of being established\nwhen we dump it. Assumed that the connection has been registered in a\nlink group by smc_conn_create() but the rmb_desc has not yet been\ninitialized by smc_buf_create(), thus causing the illegal access to\nconn->rmb_desc. So fix it by checking before dump.(CVE-2024-26615)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: sh: aica: reorder cleanup operations to avoid UAF bugs\r\n\r\nThe dreamcastcard->timer could schedule the spu_dma_work and the\nspu_dma_work could also arm the dreamcastcard->timer.\r\n\r\nWhen the snd_pcm_substream is closing, the aica_channel will be\ndeallocated. But it could still be dereferenced in the worker\nthread. The reason is that del_timer() will return directly\nregardless of whether the timer handler is running or not and\nthe worker could be rescheduled in the timer handler. As a result,\nthe UAF bug will happen. The racy situation is shown below:\r\n\r\n      (Thread 1)                 |      (Thread 2)\nsnd_aicapcm_pcm_close()          |\n ...                             |  run_spu_dma() //worker\n                                 |    mod_timer()\n  flush_work()                   |\n  del_timer()                    |  aica_period_elapsed() //timer\n  kfree(dreamcastcard->channel)  |    schedule_work()\n                                 |  run_spu_dma() //worker\n  ...                            |    dreamcastcard->channel-> //USE\r\n\r\nIn order to mitigate this bug and other possible corner cases,\ncall mod_timer() conditionally in run_spu_dma(), then implement\nPCM sync_stop op to cancel both the timer and worker. The sync_stop\nop will be called from PCM core appropriately when needed.(CVE-2024-26654)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: fix use-after-free bug\r\n\r\nThe bug can be triggered by sending a single amdgpu_gem_userptr_ioctl\nto the AMDGPU DRM driver on any ASICs with an invalid address and size.\nThe bug was reported by Joonkyo Jung <joonkyoj@yonsei.ac.kr>.\nFor example the following code:\r\n\r\nstatic void Syzkaller1(int fd)\n{\n\tstruct drm_amdgpu_gem_userptr arg;\n\tint ret;\r\n\r\n\targ.addr = 0xffffffffffff0000;\n\targ.size = 0x80000000; /*2 Gb*/\n\targ.flags = 0x7;\n\tret = drmIoctl(fd, 0xc1186451/*amdgpu_gem_userptr_ioctl*/, &arg);\n}\r\n\r\nDue to the address and size are not valid there is a failure in\namdgpu_hmm_register->mmu_interval_notifier_insert->__mmu_interval_notifier_insert->\ncheck_shl_overflow, but we even the amdgpu_hmm_register failure we still call\namdgpu_hmm_unregister into  amdgpu_gem_object_free which causes access to a bad address.\nThe following stack is below when the issue is reproduced when Kazan is enabled:\r\n\r\n[  +0.000014] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020\n[  +0.000009] RIP: 0010:mmu_interval_notifier_remove+0x327/0x340\n[  +0.000017] Code: ff ff 49 89 44 24 08 48 b8 00 01 00 00 00 00 ad de 4c 89 f7 49 89 47 40 48 83 c0 22 49 89 47 48 e8 ce d1 2d 01 e9 32 ff ff ff <0f> 0b e9 16 ff ff ff 4c 89 ef e8 fa 14 b3 ff e9 36 ff ff ff e8 80\n[  +0.000014] RSP: 0018:ffffc90002657988 EFLAGS: 00010246\n[  +0.000013] RAX: 0000000000000000 RBX: 1ffff920004caf35 RCX: ffffffff8160565b\n[  +0.000011] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8881a9f78260\n[  +0.000010] RBP: ffffc90002657a70 R08: 0000000000000001 R09: fffff520004caf25\n[  +0.000010] R10: 0000000000000003 R11: ffffffff8161d1d6 R12: ffff88810e988c00\n[  +0.000010] R13: ffff888126fb5a00 R14: ffff88810e988c0c R15: ffff8881a9f78260\n[  +0.000011] FS:  00007ff9ec848540(0000) GS:ffff8883cc880000(0000) knlGS:0000000000000000\n[  +0.000012] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  +0.000010] CR2: 000055b3f7e14328 CR3: 00000001b5770000 CR4: 0000000000350ef0\n[  +0.000010] Call Trace:\n[  +0.000006]  <TASK>\n[  +0.000007]  ? show_regs+0x6a/0x80\n[  +0.000018]  ? __warn+0xa5/0x1b0\n[  +0.000019]  ? mmu_interval_notifier_remove+0x327/0x340\n[  +0.000018]  ? report_bug+0x24a/0x290\n[  +0.000022]  ? handle_bug+0x46/0x90\n[  +0.000015]  ? exc_invalid_op+0x19/0x50\n[  +0.000016]  ? asm_exc_invalid_op+0x1b/0x20\n[  +0.000017]  ? kasan_save_stack+0x26/0x50\n[  +0.000017]  ? mmu_interval_notifier_remove+0x23b/0x340\n[  +0.000019]  ? mmu_interval_notifier_remove+0x327/0x340\n[  +0.000019]  ? mmu_interval_notifier_remove+0x23b/0x340\n[  +0.000020]  ? __pfx_mmu_interval_notifier_remove+0x10/0x10\n[  +0.000017]  ? kasan_save_alloc_info+0x1e/0x30\n[  +0.000018]  ? srso_return_thunk+0x5/0x5f\n[  +0.000014]  ? __kasan_kmalloc+0xb1/0xc0\n[  +0.000018]  ? srso_return_thunk+0x5/0x5f\n[  +0.000013]  ? __kasan_check_read+0x11/0x20\n[  +0.000020]  amdgpu_hmm_unregister+0x34/0x50 [amdgpu]\n[  +0.004695]  amdgpu_gem_object_free+0x66/0xa0 [amdgpu]\n[  +0.004534]  ? __pfx_amdgpu_gem_object_free+0x10/0x10 [amdgpu]\n[  +0.004291]  ? do_syscall_64+0x5f/0xe0\n[  +0.000023]  ? srso_return_thunk+0x5/0x5f\n[  +0.000017]  drm_gem_object_free+0x3b/0x50 [drm]\n[  +0.000489]  amdgpu_gem_userptr_ioctl+0x306/0x500 [amdgpu]\n[  +0.004295]  ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[  +0.004270]  ? srso_return_thunk+0x5/0x5f\n[  +0.000014]  ? __this_cpu_preempt_check+0x13/0x20\n[  +0.000015]  ? srso_return_thunk+0x5/0x5f\n[  +0.000013]  ? sysvec_apic_timer_interrupt+0x57/0xc0\n[  +0.000020]  ? srso_return_thunk+0x5/0x5f\n[  +0.000014]  ? asm_sysvec_apic_timer_interrupt+0x1b/0x20\n[  +0.000022]  ? drm_ioctl_kernel+0x17b/0x1f0 [drm]\n[  +0.000496]  ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[  +0.004272]  ? drm_ioctl_kernel+0x190/0x1f0 [drm]\n[  +0.000492]  drm_ioctl_kernel+0x140/0x1f0 [drm]\n[  +0.000497]  ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[  +0.004297]  ? __pfx_drm_ioctl_kernel+0x10/0x10 [d\n---truncated---(CVE-2024-26656)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix hang in nilfs_lookup_dirty_data_buffers()\r\n\r\nSyzbot reported a hang issue in migrate_pages_batch() called by mbind()\nand nilfs_lookup_dirty_data_buffers() called in the log writer of nilfs2.\r\n\r\nWhile migrate_pages_batch() locks a folio and waits for the writeback to\ncomplete, the log writer thread that should bring the writeback to\ncompletion picks up the folio being written back in\nnilfs_lookup_dirty_data_buffers() that it calls for subsequent log\ncreation and was trying to lock the folio.  Thus causing a deadlock.\r\n\r\nIn the first place, it is unexpected that folios/pages in the middle of\nwriteback will be updated and become dirty.  Nilfs2 adds a checksum to\nverify the validity of the log being written and uses it for recovery at\nmount, so data changes during writeback are suppressed.  Since this is\nbroken, an unclean shutdown could potentially cause recovery to fail.\r\n\r\nInvestigation revealed that the root cause is that the wait for writeback\ncompletion in nilfs_page_mkwrite() is conditional, and if the backing\ndevice does not require stable writes, data may be modified without\nwaiting.\r\n\r\nFix these issues by making nilfs_page_mkwrite() wait for writeback to\nfinish regardless of the stable write requirement of the backing device.(CVE-2024-26696)",
+    "cves": [
+      {
+        "id": "CVE-2024-26696",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26696",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1268": {
+    "id": "openEuler-SA-2024-1268",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1268",
+    "title": "An update for glusterfs is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "GlusterFS is a distributed file-system capable of scaling to several petabytes. It aggregates various storage bricks over TCP/IP interconnect into one large parallel network filesystem. GlusterFS is one of the most sophisticated file systems in terms of features and extensibility. It borrows a powerful concept called Translators from GNU Hurd kernel. Much of the code in GlusterFS is in user space and easily manageable.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Gluster GlusterFS 11.0, there is an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free.(CVE-2022-48340)",
+    "cves": [
+      {
+        "id": "CVE-2022-48340",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48340",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1233": {
+    "id": "openEuler-SA-2023-1233",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1233",
+    "title": "An update for samba is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Samba. An incomplete access check on dnsHostName allows authenticated but otherwise unprivileged users to delete this attribute from any object in the directory.(CVE-2023-0225)\r\n\r\nThe Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection.(CVE-2023-0922)",
+    "cves": [
+      {
+        "id": "CVE-2023-0922",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0922",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1022": {
+    "id": "openEuler-SA-2023-1022",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1022",
+    "title": "An update for freeradius is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen an EAP-SIM supplicant sends an unknown SIM option, the server will try to look that option up in the internal dictionaries. This lookup will fail, but the SIM code will not check for that failure. Instead, it will dereference a NULL pointer, and cause the server to crash.\r\n\r\nReferences:\r\n\r\nhttps://freeradius.org/security/\r\n\r\nUpstream fix:\r\n\r\nhttps://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a(CVE-2022-41860)\r\n\r\nA malicious RADIUS client or home server can send a malformed abinary attribute which can cause the server to crash.\r\n\r\nReferences:\r\n\r\nhttps://freeradius.org/security/\r\n\r\nUpstream fix:\r\n\r\nhttps://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e(CVE-2022-41861)",
+    "cves": [
+      {
+        "id": "CVE-2022-41861",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41861",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1100": {
+    "id": "openEuler-SA-2021-1100",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1100",
+    "title": "An update for ceph is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Ceph is a massively scalable, open-source, distributed storage system that runs on commodity hardware and delivers object, block and file system storage.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visible.(CVE-2020-25678)",
+    "cves": [
+      {
+        "id": "CVE-2020-25678",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25678",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1393": {
+    "id": "openEuler-SA-2021-1393",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1393",
+    "title": "An update for tomcat is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project\r\n\r\nSecurity Fix(es):\r\n\r\nApache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.(CVE-2021-41079)",
+    "cves": [
+      {
+        "id": "CVE-2021-41079",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41079",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1637": {
+    "id": "openEuler-SA-2022-1637",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1637",
+    "title": "An update for nginx is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "NGINX is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server.\r\n\r\nSecurity Fix(es):\nALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.(CVE-2021-3618)",
+    "cves": [
+      {
+        "id": "CVE-2021-3618",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3618",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1477": {
+    "id": "openEuler-SA-2024-1477",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1477",
+    "title": "An update for apache-mime4j is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Java stream based MIME message parser.\r\n\r\nSecurity Fix(es):\r\n\r\nImproper input validation allows for header injection in MIME4J library when using MIME4J DOM for composing message.\nThis can be exploited by an attacker to add unintended headers to MIME messages.\n(CVE-2024-21742)",
+    "cves": [
+      {
+        "id": "CVE-2024-21742",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21742",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1305": {
+    "id": "openEuler-SA-2021-1305",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1305",
+    "title": "An update for file-roller is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Low",
+    "description": "File Roller is an archive manager that you can create and modify archives; view the content of an archive;view and modify a file contained in the archive; extract files from the archive.\r\n\r\nSecurity Fix(es):\r\n\r\nfr-archive-libarchive.c in GNOME file-roller through 3.36.1 allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location.(CVE-2020-11736)",
+    "cves": [
+      {
+        "id": "CVE-2020-11736",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11736",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2107": {
+    "id": "openEuler-SA-2022-2107",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2107",
+    "title": "An update for sysstat is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "The sysstat package contains various utilities, common to many commercial Unixes, to monitor system performance and usage activity:iostat: reports CPU statistics and input/output statistics for block devices and partitions.mpstat: reports individual or combined processor related statistics.pidstat: reports statistics for Linux tasks (processes) : I/O, CPU, memory, etc.tapestat: reports statistics for tape drives connected to the system.cifsiostat: reports CIFS statistics.Sysstat also contains tools you can schedule via cron or systemd to collect and historize performance and activity data:sar： collects, reports and saves system activity information (see below a list of metrics collected by sar).sadc： is the system activity data collector, used as a backend for sar.sa1： collects and stores binary data in the system activity daily data file. It is a front end to sadc designed to be run from cron or systemd.sa2： writes asummarized daily activity report. It is a front end to sar designed to be run from cron or systemd.sadf： displays data collected by sar in multiple formats (CSV, XML, JSON, etc.) and can be used for data exchange with other programs. This command can also be used to draw graphs for the various activities collected by sar using SVG (Scalable Vector Graphics) format.\r\n\r\nSecurity Fix(es):\r\n\r\nsysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.(CVE-2022-39377)",
+    "cves": [
+      {
+        "id": "CVE-2022-39377",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39377",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2165": {
+    "id": "openEuler-SA-2022-2165",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2165",
+    "title": "An update for freeradius is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen an EAP-SIM supplicant sends an unknown SIM option, the server will try to look that option up in the internal dictionaries. This lookup will fail, but the SIM code will not check for that failure. Instead, it will dereference a NULL pointer, and cause the server to crash.\r\n\r\nReferences:\r\n\r\nhttps://freeradius.org/security/\r\n\r\nUpstream fix:\r\n\r\nhttps://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a(CVE-2022-41860)\r\n\r\nA malicious RADIUS client or home server can send a malformed abinary attribute which can cause the server to crash.\r\n\r\nReferences:\r\n\r\nhttps://freeradius.org/security/\r\n\r\nUpstream fix:\r\n\r\nhttps://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e(CVE-2022-41861)",
+    "cves": [
+      {
+        "id": "CVE-2022-41861",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41861",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1708": {
+    "id": "openEuler-SA-2022-1708",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1708",
+    "title": "An update for cups is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "CUPS is the standards-based, open source printing system developed by Apple Inc. for UNIX®-like operating systems. CUPS uses the Internet Printing Protocol (IPP) to support printing to local and network printers.\r\n\r\nSecurity Fix(es):\r\n\r\nA logic issue was addressed with improved state management. This issue is fixed in Security Update 2022-003 Catalina, macOS Monterey 12.3, macOS Big Sur 11.6.5. An application may be able to gain elevated privileges.(CVE-2022-26691)",
+    "cves": [
+      {
+        "id": "CVE-2022-26691",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26691",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1140": {
+    "id": "openEuler-SA-2021-1140",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1140",
+    "title": "An update for jackson-dataformats-binary is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "This module is a multi-module umbrella project for Jackson standard binary dataformat backends. Dataformat backends are used to support format alternatives to JSON, using general-purpose Jackson API. Formats included allow access using all 3 API styles (streaming, databinding, tree model).\r\n\r\nSecurity Fix(es):\r\n\r\nThis affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.(CVE-2020-28491)",
+    "cves": [
+      {
+        "id": "CVE-2020-28491",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28491",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1181": {
+    "id": "openEuler-SA-2021-1181",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1181",
+    "title": "An update for jersey is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Jersey is the open source JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.\r\n\r\nSecurity Fix(es):\r\n\r\nEclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.(CVE-2021-28168)",
+    "cves": [
+      {
+        "id": "CVE-2021-28168",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28168",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1671": {
+    "id": "openEuler-SA-2023-1671",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1671",
+    "title": "An update for firefox is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.\r\n\r\nMozilla Firefox is a standalone web browser, designed for standards compliance and performance.  Its functionality can be enhanced via a plethora of extensions.\r\n\r\nSecurity Fix(es):\r\n\r\nAn attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.(CVE-2023-37201)\r\n\r\nCross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.(CVE-2023-37202)\r\n\r\nA website could have obscured the fullscreen notification by using a URL with a scheme handled by an external program, such as a mailto URL. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.(CVE-2023-37207)\r\n\r\nWhen opening Diagcab files, Firefox did not warn the user that these files may contain malicious code. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.(CVE-2023-37208)\r\n\r\nMemory safety bugs present in Firefox 114, Firefox ESR 102.12, and Thunderbird 102.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.(CVE-2023-37211)\r\n\r\nOffscreen Canvas did not properly track cross-origin tainting, which could have been used to access image data from another site in violation of same-origin policy. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.(CVE-2023-4045)\r\n\r\nIn some circumstances, a stale value could have been used for a global variable in WASM JIT analysis. This resulted in incorrect compilation and a potentially exploitable crash in the content process. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.(CVE-2023-4046)\r\n\r\nA bug in popup notifications delay calculation could have made it possible for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.(CVE-2023-4047)\r\n\r\nAn out-of-bounds read could have led to an exploitable crash when parsing HTML with DOMParser in low memory situations. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.(CVE-2023-4048)\r\n\r\nRace conditions in reference counting code were found through code inspection. These could have resulted in potentially exploitable use-after-free vulnerabilities. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.(CVE-2023-4049)\r\n\r\nIn some cases, an untrusted input stream was copied to a stack buffer without checking its size. This resulted in a potentially exploitable crash which could have led to a sandbox escape. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.(CVE-2023-4050)\r\n\r\nWhen opening appref-ms files, Firefox did not warn the user that these files may contain malicious code. \n*This bug only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 116, Firefox ESR < 102.14, Firefox ESR < 115.1, Thunderbird < 102.14, and Thunderbird < 115.1.(CVE-2023-4054)\r\n\r\nWhen the number of cookies per domain was exceeded in `document.cookie`, the actual cookie jar sent to the host was no longer consistent with expected cookie jar state. This could have caused requests to be sent with some cookies missing. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.(CVE-2023-4055)\r\n\r\nMemory safety bugs present in Firefox 115, Firefox ESR 115.0, Firefox ESR 102.13, Thunderbird 115.0, and Thunderbird 102.13. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.(CVE-2023-4056)",
+    "cves": [
+      {
+        "id": "CVE-2023-4056",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4056",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1598": {
+    "id": "openEuler-SA-2023-1598",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1598",
+    "title": "An update for python3 is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces.\r\n\r\nSecurity Fix(es):\r\n\r\nAn XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.(CVE-2022-48565)",
+    "cves": [
+      {
+        "id": "CVE-2022-48565",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48565",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1049": {
+    "id": "openEuler-SA-2023-1049",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1049",
+    "title": "An update for sudo is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Sudo is a program designed to allow a sysadmin to give limited root privileges to users and log root activity.  The basic philosophy is to give as few privileges as possible but still allow people to get their work done.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a \"--\" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.(CVE-2023-22809)",
+    "cves": [
+      {
+        "id": "CVE-2023-22809",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22809",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1040": {
+    "id": "openEuler-SA-2024-1040",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1040",
+    "title": "An update for libssh is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote programs. With its Secure FTP implementation, you can play with remote files easily, without third-party programs others than libcrypto (from openssl).\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in libssh. By utilizing the ProxyCommand or ProxyJump feature, users can exploit unchecked hostname syntax on the client. This issue may allow an attacker to inject malicious code into the command of the features mentioned through the hostname parameter.(CVE-2023-6004)\r\n\r\nA flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. The return values from these were not properly checked, which could cause low-memory situations failures, NULL dereferences, crashes, or usage of the uninitialized memory as an input for the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection.(CVE-2023-6918)",
+    "cves": [
+      {
+        "id": "CVE-2023-6918",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6918",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2153": {
+    "id": "openEuler-SA-2022-2153",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2153",
+    "title": "An update for samba is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\n\n[Invalid free in ASN.1 codec](CVE-2022-44640)",
+    "cves": [
+      {
+        "id": "CVE-2022-44640",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44640",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1099": {
+    "id": "openEuler-SA-2023-1099",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1099",
+    "title": "An update for python-django is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "A high-level Python Web framework that encourages rapid development and clean, pragmatic design.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.(CVE-2023-23969)",
+    "cves": [
+      {
+        "id": "CVE-2023-23969",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23969",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1559": {
+    "id": "openEuler-SA-2024-1559",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1559",
+    "title": "An update for mysql is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The MySQL(TM) software delivers a very fast, multi-threaded, multi-user, and robust SQL (Structured Query Language) database server. MySQL Server is intended for mission-critical, heavy-load production systems as well as for embedding into mass-deployed software. MySQL is a trademark of Oracle and/or its affiliates\r\n\r\nSecurity Fix(es):\r\n\r\nIssue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\r\n\r\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\r\n\r\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\r\n\r\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\r\n\r\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.(CVE-2023-6129)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: RAPID).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20960)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20961)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20962)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20963)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20964)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20965)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20966)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2024-20967)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2024-20969)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20970)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20971)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20972)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20973)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20974)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20976)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20977)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20978)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20981)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20982)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server : Security : Firewall).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20984)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: UDF).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20985)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20993)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20994)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20998)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of MySQL Server accessible data as well as  unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 3.8 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).(CVE-2024-21000)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21008)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21009)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21013)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21047)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21054)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21055)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21057)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Data Dictionary).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21060)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Audit Plug-in).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21061)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21062)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21069)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Client: mysqldump).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of MySQL Server accessible data as well as  unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).(CVE-2024-21096)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21102)",
+    "cves": [
+      {
+        "id": "CVE-2024-21102",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21102",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1096": {
+    "id": "openEuler-SA-2023-1096",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1096",
+    "title": "An update for apr is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "The mission of the Apache Portable Runtime (APR) project is to create and maintain software libraries that provide a predictable and consistent interface to underlying platform-specific implementations. The primary goal is to provide an API to which software developers may code and be assured of predictable if not identical behaviour regardless of the platform on which their software is built, relieving them of the need to code special-case conditions to work around or take advantage of platform-specific deficiencies or features.\r\n\r\nSecurity Fix(es):\r\n\r\nInteger Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime (APR) version 1.7.0.(CVE-2022-24963)",
+    "cves": [
+      {
+        "id": "CVE-2022-24963",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24963",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1493": {
+    "id": "openEuler-SA-2022-1493",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1493",
+    "title": "An update for qt5-qtsvg is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Qt SVG module provides functionality for displaying SVG images in widget, and to create SVG files using drawing commands.\r\n\r\nSecurity Fix(es):\r\n\r\nQt SVG in Qt 5.0.0 through 5.15.2 and 6.0.0 through 6.2.1 has an out-of-bounds write in QtPrivate::QCommonArrayOps<QPainterPath::Element>::growAppend (called from QPainterPath::addPath and QPathClipper::intersect).(CVE-2021-45930)",
+    "cves": [
+      {
+        "id": "CVE-2021-45930",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45930",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1830": {
+    "id": "openEuler-SA-2022-1830",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1830",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The Go Programming Language\r\n\r\nSecurity Fix(es):\r\n\r\nA too-short encoded message can cause a panic in Float.GobDecode and Rat.GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.\r\n\r\nReferences:\nhttps://go.dev/issue/53871\nhttps://groups.google.com/g/golang-nuts/c/DCFSyTGM0wU\r\n\r\nUpstream Commits:\nMaster : https://github.com/golang/go/commit/055113ef364337607e3e72ed7d48df67fde6fc66\nBranch.go1.17 : https://github.com/golang/go/commit/703c8ab7e5ba75c95553d4e249309297abad7102\nBranch.go1.18 : https://github.com/golang/go/commit/9240558e4f342fc6e98fec22de17c04b45089349(CVE-2022-32189)",
+    "cves": [
+      {
+        "id": "CVE-2022-32189",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32189",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1553": {
+    "id": "openEuler-SA-2022-1553",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1553",
+    "title": "An update for rubygem-websocket-extensions is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Generic extension manager for WebSocket connections.\r\n\r\nSecurity Fix(es):\r\n\r\nwebsocket-extensions ruby module prior to 0.1.5 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.(CVE-2020-7663)",
+    "cves": [
+      {
+        "id": "CVE-2020-7663",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7663",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1453": {
+    "id": "openEuler-SA-2024-1453",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1453",
+    "title": "An update for gstreamer1-plugins-base is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "GStreamer is a graphics library for built-in media processing components. BasePlug-ins is a the collections used to maintain the GStreamer plugin.\r\n\r\nSecurity Fix(es):\r\n\r\nHeap-based buffer overflow in the subparse subtitle parser when handling certain SRT subtitle files in GStreamer versions before 1.22.4 / 1.20.7. It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation.\r\n\r\nhttps://gstreamer.freedesktop.org/security/sa-2023-0002.html(CVE-2023-37328)",
+    "cves": [
+      {
+        "id": "CVE-2023-37328",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37328",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1045": {
+    "id": "openEuler-SA-2021-1045",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1045",
+    "title": "An update for glibc is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt, login, exit and more.\r\n\r\nSecurity Fix(es):\r\n\r\nThe iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.(CVE-2021-3326)",
+    "cves": [
+      {
+        "id": "CVE-2021-3326",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3326",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1800": {
+    "id": "openEuler-SA-2022-1800",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1800",
+    "title": "An update for uboot-tools is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "This package includes the mkimage program, which allows generation of U-Boot images in various formats, and the fw_printenv and fw_setenv programs to read and modify U-Boot's environment.\r\n\r\nSecurity Fix(es):\r\n\r\nsquashfs filesystem implementation of U-Boot versions from v2020.10-rc2 to v2022.07-rc5 contains a heap-based buffer overflow vulnerability due to a defect in the metadata reading process. Loading a specially crafted squashfs image may lead to a denial-of-service (DoS) condition or arbitrary code execution.(CVE-2022-33967)",
+    "cves": [
+      {
+        "id": "CVE-2022-33967",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33967",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1109": {
+    "id": "openEuler-SA-2024-1109",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1109",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel before 6.5.9, there is a NULL pointer dereference in send_acknowledge in net/nfc/nci/spi.c.(CVE-2023-46343)\r\n\r\nIn the Linux kernel before 6.4.12, amdgpu_cs_wait_all_fences in drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c has a fence use-after-free.(CVE-2023-51042)\r\n\r\nA denial of service vulnerability due to a deadlock was found in sctp_auto_asconf_init in net/sctp/socket.c in the Linux kernel’s SCTP subsystem. This flaw allows guests with local user privileges to trigger a deadlock and potentially crash the system.(CVE-2024-0639)\r\n\r\nIn rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel through 6.7.1, there is an off-by-one error for an RDS_MSG_RX_DGRAM_TRACE_MAX comparison, resulting in out-of-bounds access.(CVE-2024-23849)",
+    "cves": [
+      {
+        "id": "CVE-2024-23849",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23849",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1522": {
+    "id": "openEuler-SA-2024-1522",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1522",
+    "title": "An update for atril is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "Mate-document-viewer is simple document viewer. It can display and print Portable Document Format (PDF), PostScript (PS), Encapsulated PostScript (EPS), DVI, DJVU, epub and XPS files. When supported by the document format, mate-document-viewer allows searching for text, copying text to the clipboard, hypertext navigation, table-of-contents bookmarks and editing of forms.\r\n\r\nSecurity Fix(es):\r\n\r\nAtril is a simple multi-page document viewer. Atril is vulnerable to a critical Command Injection Vulnerability. This vulnerability gives the attacker immediate access to the target system when the target user opens a crafted document or clicks on a crafted link/URL using a maliciously crafted CBT document which is a TAR archive. A patch is available at commit ce41df6.\n(CVE-2023-51698)",
+    "cves": [
+      {
+        "id": "CVE-2023-51698",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51698",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1519": {
+    "id": "openEuler-SA-2024-1519",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1519",
+    "title": "An update for perl-Mojolicious is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Back in the early days of the web there was this wonderful Perl library called CGI, many people only learned Perl because of it. It was simple enough to get started without knowing much about the language and powerful enough to keep you going, learning by doing was much fun. While most of the techniques used are outdated now, the idea behind it is not. Mojolicious is a new attempt at implementing this idea using state of the art technology.\r\n\r\nSecurity Fix(es):\r\n\r\nThe Mojolicious module before 8.65 for Perl is vulnerable to secure_compare timing attacks that allow an attacker to guess the length of a secret string. Only versions after 1.74 are affected.(CVE-2020-36829)\r\n\r\nThe Mojolicious module before 9.11 for Perl has a bug in format detection that can potentially be exploited for denial of service.(CVE-2021-47208)",
+    "cves": [
+      {
+        "id": "CVE-2021-47208",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47208",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1188": {
+    "id": "openEuler-SA-2023-1188",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1188",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure.(CVE-2022-27672)\r\n\r\nA flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.(CVE-2023-1079)\r\n\r\nIn the Linux kernel before 5.19, drivers/gpu/drm/arm/malidp_planes.c misinterprets the get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer).(CVE-2023-23004)\r\n\r\nA use-after-free flaw was found in the Linux kernel’s core dump subsystem. This flaw allows a local user to crash the system. Only if patch 390031c94211 (\"coredump: Use the vma snapshot in fill_files_note\") not applied yet, then kernel could be affected.(CVE-2023-1249)\r\n\r\n\nKernel: denial of service in tipc_conn_close(CVE-2023-1382)\r\n\r\ndo_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference).(CVE-2023-28466)\r\n\r\nIn the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate the attribute name offset. An unhandled page fault may occur.(CVE-2022-48424)\r\n\r\nIn the Linux kernel before 6.1.3, fs/ntfs3/record.c does not validate resident attribute names. An out-of-bounds write may occur.(CVE-2022-48423)\r\n\r\nIn the Linux kernel through 6.2.7, fs/ntfs3/inode.c has an invalid kfree because it does not validate MFT flags before replaying logs.(CVE-2022-48425)\r\n\r\nUse After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this vulnerability to elevate its privileges to root. This issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2.(CVE-2023-1281)\n\nIn the Linux kernel before 5.16.3, drivers/usb/dwc3/dwc3-qcom.c misinterprets the dwc3_qcom_create_urs_usb_platdev return value (expects it to be NULL in the error case, whereas it is actually an error pointer).(CVE-2023-22999)",
+    "cves": [
+      {
+        "id": "CVE-2023-1382",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1382",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2023-22999",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22999",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2024": {
+    "id": "openEuler-SA-2022-2024",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2024",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\n\n\tQEMU has two operating modes:\n\n\t\tFull system emulation. In this mode, QEMU emulates a full system (for example a PC),\n\t\tincluding one or several processors and various peripherals. It can be used to launch\n\t\tdifferent Operating Systems without rebooting the PC or to debug system code.\n\n\t\tUser mode emulation. In this mode, QEMU can launch processes compiled for one CPU on another CPU.\n\t\tIt can be used to launch the Wine Windows API emulator (https://www.winehq.org) or to ease\n\t\tcross-compilation and cross-debugging.\n\t\tYou can refer to https://www.qemu.org for more infortmation.\r\n\r\nSecurity Fix(es):\r\n\r\nAn integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially crafted payload message, resulting in a denial of service.(CVE-2022-3165)",
+    "cves": [
+      {
+        "id": "CVE-2022-3165",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3165",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1808": {
+    "id": "openEuler-SA-2023-1808",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1808",
+    "title": "An update for qt is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Qt (pronounced as \"cute\", not \"cu-tee\") is a cross-platform framework that is usually used as a graphical toolkit, although it is also very helpful in creating CLI applications. It runs on the three major desktop OSes, as well as on mobile OSes, such as Symbian, Nokia Belle, Meego Harmattan, MeeGo or BB10, and on embedded devices. Ports for Android (Necessitas) and iOS are also in development\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.(CVE-2023-34410)",
+    "cves": [
+      {
+        "id": "CVE-2023-34410",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1619": {
+    "id": "openEuler-SA-2023-1619",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1619",
+    "title": "An update for php is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in PHP. This issue occurs due to an uncaught integer overflow in PDO::quote() of PDO_SQLite returning an improperly quoted string. With the implementation of sqlite3_snprintf(), it is possible to force the function to return a single apostrophe if the function is called on user-supplied input without any length restrictions in place.(CVE-2022-31631)\r\n\r\nIn PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.(CVE-2023-0567)\r\n\r\nIn PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification. (CVE-2023-0568)\r\n\r\nIn PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space. (CVE-2023-0662)\r\n\r\nIn PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, 8.2.* before 8.2.7 when using SOAP HTTP Digest Authentication, random value generator was not checked for failure, and was using narrower range of values than it should have. In case of random generator failure, it could lead to a disclosure of 31 bits of uninitialized memory from the client to the server, and it also made easier to a malicious server to guess the client's nonce. \r\n\r\n(CVE-2023-3247)\r\n\r\nIn PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down. \r\n\r\n(CVE-2023-3823)\r\n\r\nIn PHP version 8.0.* before 8.0.30,  8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE. \r\n\r\n(CVE-2023-3824)",
+    "cves": [
+      {
+        "id": "CVE-2023-3824",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3824",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1991": {
+    "id": "openEuler-SA-2023-1991",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1991",
+    "title": "An update for tar is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Low",
+    "description": "GNU Tar provides the ability to create tar archives, as well as various other kinds of manipulation. For example, you can use Tar on previously created archives to extract files, to store additional files, or to update or list files which were already stored.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in tar. This issue occurs when extended attributes are processed in PAX archives, and could allow an attacker to cause an application crash, resulting in a denial of service.(CVE-2023-39804)",
+    "cves": [
+      {
+        "id": "CVE-2023-39804",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39804",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1890": {
+    "id": "openEuler-SA-2023-1890",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1890",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free flaw was found in setup_async_work in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. This issue could allow an attacker to crash the system by accessing freed work.(CVE-2023-1193)",
+    "cves": [
+      {
+        "id": "CVE-2023-1193",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1193",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1377": {
+    "id": "openEuler-SA-2024-1377",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1377",
+    "title": "An update for mod_security is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "This software is also called Modsec,it is an open-source web application firewall. It is designed for Apache HTTP Server.ModSecurity is commonly deployed to provide protections against generic classed of vulnerabilities.The install of this package is easy and you can read the README.TXT for more information.\r\n\r\nSecurity Fix(es):\r\n\r\nIn ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase.(CVE-2022-48279)",
+    "cves": [
+      {
+        "id": "CVE-2022-48279",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48279",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1381": {
+    "id": "openEuler-SA-2024-1381",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1381",
+    "title": "An update for cri-tools is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "CLI and validation tools for Container Runtime Interface\r\n\r\nSecurity Fix(es):\r\n\r\nA maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.(CVE-2022-41723)\r\n\r\nA malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.(CVE-2023-39325)\r\n\r\nThe protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.(CVE-2024-24786)",
+    "cves": [
+      {
+        "id": "CVE-2024-24786",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24786",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1504": {
+    "id": "openEuler-SA-2024-1504",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1504",
+    "title": "An update for skopeo is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "A command line utility that performs various operations on container images and image repositories\r\n\r\nSecurity Fix(es):\r\n\r\nA maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.(CVE-2022-41723)",
+    "cves": [
+      {
+        "id": "CVE-2022-41723",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1831": {
+    "id": "openEuler-SA-2023-1831",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1831",
+    "title": "An update for open-vm-tools is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The  project is an open source implementation of VMware Tools. It is a suite of open source virtualization utilities and drivers to improve the functionality, user experience and administration of VMware virtual machines. This package contains only the core user-space programs and libraries of .\r\n\r\nSecurity Fix(es):\r\n\r\nVMware Tools contains a SAML token signature bypass vulnerability. A malicious actor that has been granted  Guest Operation Privileges https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html  in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged  Guest Alias https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html .(CVE-2023-34058)\r\n\r\nopen-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. A malicious actor with non-root privileges may be able to hijack the \n/dev/uinput file descriptor allowing them to simulate user inputs.(CVE-2023-34059)",
+    "cves": [
+      {
+        "id": "CVE-2023-34059",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34059",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1669": {
+    "id": "openEuler-SA-2024-1669",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1669",
+    "title": "An update for php is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server.\r\n\r\nSecurity Fix(es):\r\n\r\nIn PHP  version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\\x00), testing a blank string as the password via password_verify() will incorrectly return true.\r\n\r\n(CVE-2024-3096)",
+    "cves": [
+      {
+        "id": "CVE-2024-3096",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3096",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1187": {
+    "id": "openEuler-SA-2021-1187",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1187",
+    "title": "An update for clamav is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Clam AntiVirus (clamav) is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software. he virus database is based on the virus database from OpenAntiVirus, but contains additional signatures and is KEPT UP TO DATE.\r\n\r\nSecurity Fix(es):\r\n\r\nThe ClamAV Engine (version 0.103.1 and below) component embedded in Storsmshield Network Security (SNS) is subject to DoS in case of parsing of malformed png files. This affect Netasq versions 9.1.0 to 9.1.11 and SNS versions 1.0.0 to 4.2.0. This issue is fixed in SNS 3.7.19, 3.11.7 and 4.2.1.(CVE-2021-27506)",
+    "cves": [
+      {
+        "id": "CVE-2021-27506",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27506",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1478": {
+    "id": "openEuler-SA-2021-1478",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1478",
+    "title": "An update for openblas is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "An optimized BLAS library based on GotoBLAS2 1.13 BSD version.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0, as also used in OpenBLAS before version 0.3.18. Specially crafted inputs passed to these functions could cause an application using lapack to crash or possibly disclose portions of its memory.(CVE-2021-4048)",
+    "cves": [
+      {
+        "id": "CVE-2021-4048",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4048",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1968": {
+    "id": "openEuler-SA-2022-1968",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1968",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs.(CVE-2022-39188)",
+    "cves": [
+      {
+        "id": "CVE-2022-39188",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39188",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1873": {
+    "id": "openEuler-SA-2024-1873",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1873",
+    "title": "An update for ffmpeg is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash.\r\n\r\nSecurity Fix(es):\r\n\r\nAn integer overflow vulnerability was found in FFmpeg versions before 4.4.2 and before 5.0.1 in g729_parse() in llibavcodec/g729_parser.c when processing a specially crafted file.(CVE-2022-1475)\r\n\r\nlibavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and other products, leaves stale hwaccel state in worker threads, which allows attackers to trigger a use-after-free and execute arbitrary code in some circumstances (e.g., hardware re-initialization upon a mid-video SPS change when Direct3D11 is used).(CVE-2022-48434)\r\n\r\nFFmpeg 7.0 is vulnerable to Buffer Overflow. There is a negative-size-param bug at libavcodec/mpegvideo_enc.c:1216:21 in load_input_picture in FFmpeg7.0(CVE-2024-32230)",
+    "cves": [
+      {
+        "id": "CVE-2024-32230",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32230",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1761": {
+    "id": "openEuler-SA-2022-1761",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1761",
+    "title": "An update for dnsmasq is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Dnsmasq provides network infrastructure for small networks: DNS, DHCP, router advertisement and network boot. It is designed to be lightweight and have a small footprint, suitable for resource constrained routers and firewalls. It has also been widely used for tethering on smartphones and portable hotspots, and to support virtual networking in virtualisation frameworks.\r\n\r\nSecurity Fix(es):\r\n\r\nNo description is available for this CVE.(CVE-2022-0934)",
+    "cves": [
+      {
+        "id": "CVE-2022-0934",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0934",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1821": {
+    "id": "openEuler-SA-2024-1821",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1821",
+    "title": "An update for rubygem-rack is now available for openEuler-22.03-LTS-SP4",
+    "severity": "High",
+    "description": "Rack provides a minimal, modular, and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers,  web frameworks, and software in between (the so-called middleware) into  a single method call.\r\n\r\nSecurity Fix(es):\r\n\r\nA denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.(CVE-2022-44572)\r\n\r\nRack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.(CVE-2024-26141)",
+    "cves": [
+      {
+        "id": "CVE-2024-26141",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26141",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1005": {
+    "id": "openEuler-SA-2024-1005",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1005",
+    "title": "An update for rubygem-puma is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "A simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications.\r\n\r\nSecurity Fix(es):\r\n\r\nPuma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.(CVE-2022-23634)",
+    "cves": [
+      {
+        "id": "CVE-2022-23634",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23634",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1368": {
+    "id": "openEuler-SA-2023-1368",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1368",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nAn issue was discovered in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel 6.2. There is a blocking operation when a task is in !TASK_RUNNING. In dvb_frontend_get_event, wait_event_interruptible is called; the condition is dvb_frontend_test_event(fepriv,events). In dvb_frontend_test_event, down(&fepriv->sem) is called. However, wait_event_interruptible would put the process to sleep, and down(&fepriv->sem) may block the process.(CVE-2023-31084)\n\nA use after free flaw was found in hfsplus_put_super in fs/hfsplus/super.c in the Linux Kernel. This flaw could allow a local user to cause a denial of service problem.(CVE-2023-2985)",
+    "cves": [
+      {
+        "id": "CVE-2023-2985",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2985",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1115": {
+    "id": "openEuler-SA-2023-1115",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1115",
+    "title": "An update for wireshark is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Wireshark allows you to examine protocol data stored in files or as it is captured from wired or wireless (WiFi or Bluetooth) networks, USB devices, and many other sources.  It supports dozens of protocol capture file formats and understands more than a thousand protocols.It has many powerful features including a rich display filter language and the ability to reassemble multiple protocol packets in order to, for example, view a complete TCP stream, save the contents of a file which was transferred over HTTP or CIFS, or play back an RTP audio stream.\n\r\n\r\nSecurity Fix(es):\r\n\r\nCrash in the USB HID protocol dissector in Wireshark 3.6.0 to 3.6.8 allows denial of service via packet injection or crafted capture file on Windows(CVE-2022-3724)\r\n\r\nMemory exhaustion in the Kafka protocol dissector in Wireshark 4.0.0 to 4.0.1 and 3.6.0 to 3.6.9 allows denial of service via packet injection or crafted capture file(CVE-2022-4344)\r\n\r\nInfinite loops in the BPv6, OpenFlow, and Kafka protocol dissectors in Wireshark 4.0.0 to 4.0.1 and 3.6.0 to 3.6.9 allows denial of service via packet injection or crafted capture file(CVE-2022-4345)\r\n\r\nDissection engine bug in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file(CVE-2023-0413)\r\n\r\nMemory leak in the NFS dissector in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file(CVE-2023-0417)\r\n\r\niSCSI dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file(CVE-2023-0415)\r\n\r\nExcessive loops in multiple dissectors in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file(CVE-2023-0411)\r\n\r\nTIPC dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file(CVE-2023-0412)\r\n\r\nGNW dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file(CVE-2023-0416)",
+    "cves": [
+      {
+        "id": "CVE-2023-0416",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0416",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1681": {
+    "id": "openEuler-SA-2023-1681",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1681",
+    "title": "An update for libwebp is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "This is an image format that does lossy compression of digital photographic images. WebP consists of a codec based on VP8, and a container based on RIFF. Webmasters, web developers and browser developers can use WebP to compress, archive and distribute digital images more efficiently.\r\n\r\nSecurity Fix(es):\r\n\r\nHeap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)(CVE-2023-4863)",
+    "cves": [
+      {
+        "id": "CVE-2023-4863",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4863",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1509": {
+    "id": "openEuler-SA-2022-1509",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1509",
+    "title": "An update for transfig is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The transfig utility creates a makefile which translates FIG (created by xfig) or PIC figures into a specified LaTeX graphics language (for example, PostScript(TM)).  Transfig is used to create TeX documents which are portable (i.e., they can be printed in a wide variety of environments).\r\n\r\nSecurity Fix(es):\r\n\r\nA double-free vulnerability exists in fig2dev through 3.28a is affected by: via the free_stream function in readpics.c, which could cause a denial of service (context-dependent).(CVE-2021-37529)\r\n\r\nA denial of service vulnerabiity exists in fig2dev through 3.28a due to a segfault in the open_stream function in readpics.c.(CVE-2021-37530)",
+    "cves": [
+      {
+        "id": "CVE-2021-37530",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37530",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1171": {
+    "id": "openEuler-SA-2024-1171",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1171",
+    "title": "An update for nodejs is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Node.js is an open-source, cross-platform, JavaScript runtime environment, it executes JavaScript code outside of a browser.\r\n\r\nSecurity Fix(es):\r\n\r\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.(CVE-2023-44487)",
+    "cves": [
+      {
+        "id": "CVE-2023-44487",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1541": {
+    "id": "openEuler-SA-2023-1541",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1541",
+    "title": "An update for haproxy is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic web sites and powers quite a number of the world's most visited ones.\n\nSecurity Fix(es):\n\nHAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.(CVE-2023-40225)",
+    "cves": [
+      {
+        "id": "CVE-2023-40225",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40225",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2059": {
+    "id": "openEuler-SA-2022-2059",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2059",
+    "title": "An update for qt5-qtbase is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Qt is a software toolkit for developing applications. This package contains base tools, like string, xml, and network handling.\r\n\r\nSecurity Fix(es):\r\n\r\nQt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).(CVE-2021-38593)",
+    "cves": [
+      {
+        "id": "CVE-2021-38593",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2023": {
+    "id": "openEuler-SA-2022-2023",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2023",
+    "title": "An update for nginx is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "NGINX is a free, open-source, high-performance HTTP server and reverse proxy,as well as an IMAP/POP3 proxy server.\r\n\r\nSecurity Fix(es):\r\n\r\nNGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted audio or video file. The issue affects only NGINX products that are built with the module ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.(CVE-2022-41742)\r\n\r\nNGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a specially crafted audio or video file. The issue affects only NGINX products that are built with the ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.(CVE-2022-41741)",
+    "cves": [
+      {
+        "id": "CVE-2022-41741",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41741",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1048": {
+    "id": "openEuler-SA-2021-1048",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1048",
+    "title": "An update for gstreamer-plugins-good is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "GStreamer is a pipeline-based multimedia framework that links together a wide variety of media processing systems to complete complex workflows, based on graphs of filters which operate on media data. GStreamer supports a wide variety of media-handling components, such as real-time sound processing and videos playback, and about anything else media-related. The formats and processes can be changed in plugins since its plugin-based architecture. GStreamer plugins \"Good\" represents a collection of well-supported plug-ins of good quality and under the LGPL license.\r\n\r\nSecurity Fix(es):\r\n\r\nThe gst_aac_parse_sink_setcaps function in gst/audioparsers/gstaacparse.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (invalid memory read and crash) via a crafted audio file.(CVE-2016-10198)",
+    "cves": [
+      {
+        "id": "CVE-2016-10198",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10198",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1371": {
+    "id": "openEuler-SA-2024-1371",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1371",
+    "title": "An update for unixODBC is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The unixODBC Project goals are to develop and promote unixODBC to be the definitive standard for ODBC on non MS Windows platforms. This is to include GUI support for both KDE and GNOME.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds stack write flaw was found in unixODBC on 64-bit architectures where the caller has 4 bytes and callee writes 8 bytes. This issue may go unnoticed on little-endian architectures, while big-endian architectures can be broken.(CVE-2024-1013)",
+    "cves": [
+      {
+        "id": "CVE-2024-1013",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1013",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1750": {
+    "id": "openEuler-SA-2022-1750",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1750",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIncomplete cleanup of multi-core shared buffers for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.(CVE-2022-21123)\n\nIncomplete cleanup of microarchitectural fill buffers on some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.(CVE-2022-21125)\n\nIncomplete cleanup in specific special register write operations for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.(CVE-2022-21166)",
+    "cves": [
+      {
+        "id": "CVE-2022-21166",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21166",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1793": {
+    "id": "openEuler-SA-2022-1793",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1793",
+    "title": "An update for netcdf is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "NetCDF (network Common Data Form) is an interface for array-oriented data access and a freely-distributed collection of software libraries for C, Fortran, C++, and perl that provides an implementation of the interface.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_parse_str() performs incorrect memory handling while parsing crafted XML files (out-of-bounds read after a certain strcspn failure).(CVE-2021-31348)",
+    "cves": [
+      {
+        "id": "CVE-2021-31348",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31348",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1212": {
+    "id": "openEuler-SA-2023-1212",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1212",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\n\nKernel: A denial of service issue in  az6027 driver in\ndrivers/media/usb/dev-usb/az6027.c(CVE-2023-28328)\r\n\r\nA slab-out-of-bound read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service.(CVE-2023-1380)\r\n\r\nA flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak.(CVE-2023-1513)",
+    "cves": [
+      {
+        "id": "CVE-2023-1513",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1513",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1198": {
+    "id": "openEuler-SA-2023-1198",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1198",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use after free vulnerability exists in the ALSA PCM package in the Linux Kernel. SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 is missing locks that can be used in a use-after-free that can result in a priviledge escalation to gain ring0 access from the system user. We recommend upgrading past commit 56b88b50565cd8b946a2d00b0c83927b7ebb055e(CVE-2023-0266)",
+    "cves": [
+      {
+        "id": "CVE-2023-0266",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0266",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1171": {
+    "id": "openEuler-SA-2023-1171",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1171",
+    "title": "An update for libmicrohttpd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Development files for libmicrohttpd\r\n\r\nSecurity Fix(es):\r\n\r\nGNU libmicrohttpd before 0.9.76 allows remote DoS (Denial of Service) due to improper parsing of a multipart/form-data boundary in the postprocessor.c MHD_create_post_processor() method. This allows an attacker to remotely send a malicious HTTP POST packet that includes one or more '\\0' bytes in a multipart/form-data boundary field, which - assuming a specific heap layout - will result in an out-of-bounds read and a crash in the find_boundary() function.(CVE-2023-27371)",
+    "cves": [
+      {
+        "id": "CVE-2023-27371",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27371",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1862": {
+    "id": "openEuler-SA-2024-1862",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1862",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: PPC: Fix kvm_arch_vcpu_ioctl vcpu_load leak\r\n\r\nvcpu_put is not called if the user copy fails. This can result in preempt\nnotifier corruption and crashes, among other issues.(CVE-2021-47296)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: qcom/emac: fix UAF in emac_remove\r\n\r\nadpt is netdev private data and it cannot be\nused after free_netdev() call. Using adpt after free_netdev()\ncan cause UAF bug. Fix it by moving free_netdev() at the end of the\nfunction.(CVE-2021-47311)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests\r\n\r\nThe FSM can run in a circle allowing rdma_resolve_ip() to be called twice\non the same id_priv. While this cannot happen without going through the\nwork, it violates the invariant that the same address resolution\nbackground request cannot be active twice.\r\n\r\n       CPU 1                                  CPU 2\r\n\r\nrdma_resolve_addr():\n  RDMA_CM_IDLE -> RDMA_CM_ADDR_QUERY\n  rdma_resolve_ip(addr_handler)  #1\r\n\r\n\t\t\t process_one_req(): for #1\n                          addr_handler():\n                            RDMA_CM_ADDR_QUERY -> RDMA_CM_ADDR_BOUND\n                            mutex_unlock(&id_priv->handler_mutex);\n                            [.. handler still running ..]\r\n\r\nrdma_resolve_addr():\n  RDMA_CM_ADDR_BOUND -> RDMA_CM_ADDR_QUERY\n  rdma_resolve_ip(addr_handler)\n    !! two requests are now on the req_list\r\n\r\nrdma_destroy_id():\n destroy_id_handler_unlock():\n  _destroy_id():\n   cma_cancel_operation():\n    rdma_addr_cancel()\r\n\r\n                          // process_one_req() self removes it\n\t\t          spin_lock_bh(&lock);\n                           cancel_delayed_work(&req->work);\n\t                   if (!list_empty(&req->list)) == true\r\n\r\n      ! rdma_addr_cancel() returns after process_on_req #1 is done\r\n\r\n   kfree(id_priv)\r\n\r\n\t\t\t process_one_req(): for #2\n                          addr_handler():\n\t                    mutex_lock(&id_priv->handler_mutex);\n                            !! Use after free on id_priv\r\n\r\nrdma_addr_cancel() expects there to be one req on the list and only\ncancels the first one. The self-removal behavior of the work only happens\nafter the handler has returned. This yields a situations where the\nreq_list can have two reqs for the same \"handle\" but rdma_addr_cancel()\nonly cancels the first one.\r\n\r\nThe second req remains active beyond rdma_destroy_id() and will\nuse-after-free id_priv once it inevitably triggers.\r\n\r\nFix this by remembering if the id_priv has called rdma_resolve_ip() and\nalways cancel before calling it again. This ensures the req_list never\ngets more than one item in it and doesn't cost anything in the normal flow\nthat never uses this strange error path.(CVE-2021-47391)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsch_cake: do not call cake_destroy() from cake_init()\r\n\r\nqdiscs are not supposed to call their own destroy() method\nfrom init(), because core stack already does that.\r\n\r\nsyzbot was able to trigger use after free:\r\n\r\nDEBUG_LOCKS_WARN_ON(lock->magic != lock)\nWARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock_common kernel/locking/mutex.c:586 [inline]\nWARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740\nModules linked in:\nCPU: 0 PID: 21902 Comm: syz-executor189 Not tainted 5.16.0-rc4-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:__mutex_lock_common kernel/locking/mutex.c:586 [inline]\nRIP: 0010:__mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740\nCode: 08 84 d2 0f 85 19 08 00 00 8b 05 97 38 4b 04 85 c0 0f 85 27 f7 ff ff 48 c7 c6 20 00 ac 89 48 c7 c7 a0 fe ab 89 e8 bf 76 ba ff <0f> 0b e9 0d f7 ff ff 48 8b 44 24 40 48 8d b8 c8 08 00 00 48 89 f8\nRSP: 0018:ffffc9000627f290 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: ffff88802315d700 RSI: ffffffff815f1db8 RDI: fffff52000c4fe44\nRBP: ffff88818f28e000 R08: 0000000000000000 R09: 0000000000000000\nR10: ffffffff815ebb5e R11: 0000000000000000 R12: 0000000000000000\nR13: dffffc0000000000 R14: ffffc9000627f458 R15: 0000000093c30000\nFS:  0000555556abc400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fda689c3303 CR3: 000000001cfbb000 CR4: 0000000000350ef0\nCall Trace:\n <TASK>\n tcf_chain0_head_change_cb_del+0x2e/0x3d0 net/sched/cls_api.c:810\n tcf_block_put_ext net/sched/cls_api.c:1381 [inline]\n tcf_block_put_ext net/sched/cls_api.c:1376 [inline]\n tcf_block_put+0xbc/0x130 net/sched/cls_api.c:1394\n cake_destroy+0x3f/0x80 net/sched/sch_cake.c:2695\n qdisc_create.constprop.0+0x9da/0x10f0 net/sched/sch_api.c:1293\n tc_modify_qdisc+0x4c5/0x1980 net/sched/sch_api.c:1660\n rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5571\n netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2496\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:704 [inline]\n sock_sendmsg+0xcf/0x120 net/socket.c:724\n ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409\n ___sys_sendmsg+0xf3/0x170 net/socket.c:2463\n __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f1bb06badb9\nCode: Unable to access opcode bytes at RIP 0x7f1bb06bad8f.\nRSP: 002b:00007fff3012a658 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1bb06badb9\nRDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000003\nRBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000003\nR10: 0000000000000003 R11: 0000000000000246 R12: 00007fff3012a688\nR13: 00007fff3012a6a0 R14: 00007fff3012a6e0 R15: 00000000000013c2\n </TASK>(CVE-2021-47598)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/nouveau: fix off by one in BIOS boundary checking\r\n\r\nBounds checking when parsing init scripts embedded in the BIOS reject\naccess to the last byte. This causes driver initialization to fail on\nApple eMac's with GeForce 2 MX GPUs, leaving the system with no working\nconsole.\r\n\r\nThis is probably only seen on OpenFirmware machines like PowerPC Macs\nbecause the BIOS image provided by OF is only the used parts of the ROM,\nnot a power-of-two blocks read from PCI directly so PCs always have\nempty bytes at the end that are never accessed.(CVE-2022-48732)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: fix information leakage in /proc/net/ptype\r\n\r\nIn one net namespace, after creating a packet socket without binding\nit to a device, users in other net namespaces can observe the new\n`packet_type` added by this packet socket by reading `/proc/net/ptype`\nfile. This is minor information leakage as packet socket is\nnamespace aware.\r\n\r\nAdd a net pointer in `packet_type` to keep the net namespace of\nof corresponding packet socket. In `ptype_seq_show`, this net pointer\nmust be checked when it is not NULL.(CVE-2022-48757)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nUSB: core: Fix hang in usb_kill_urb by adding memory barriers\r\n\r\nThe syzbot fuzzer has identified a bug in which processes hang waiting\nfor usb_kill_urb() to return.  It turns out the issue is not unlinking\nthe URB; that works just fine.  Rather, the problem arises when the\nwakeup notification that the URB has completed is not received.\r\n\r\nThe reason is memory-access ordering on SMP systems.  In outline form,\nusb_kill_urb() and __usb_hcd_giveback_urb() operating concurrently on\ndifferent CPUs perform the following actions:\r\n\r\nCPU 0\t\t\t\t\tCPU 1\n----------------------------\t\t---------------------------------\nusb_kill_urb():\t\t\t\t__usb_hcd_giveback_urb():\n  ...\t\t\t\t\t  ...\n  atomic_inc(&urb->reject);\t\t  atomic_dec(&urb->use_count);\n  ...\t\t\t\t\t  ...\n  wait_event(usb_kill_urb_queue,\n\tatomic_read(&urb->use_count) == 0);\n\t\t\t\t\t  if (atomic_read(&urb->reject))\n\t\t\t\t\t\twake_up(&usb_kill_urb_queue);\r\n\r\nConfining your attention to urb->reject and urb->use_count, you can\nsee that the overall pattern of accesses on CPU 0 is:\r\n\r\n\twrite urb->reject, then read urb->use_count;\r\n\r\nwhereas the overall pattern of accesses on CPU 1 is:\r\n\r\n\twrite urb->use_count, then read urb->reject.\r\n\r\nThis pattern is referred to in memory-model circles as SB (for \"Store\nBuffering\"), and it is well known that without suitable enforcement of\nthe desired order of accesses -- in the form of memory barriers -- it\nis entirely possible for one or both CPUs to execute their reads ahead\nof their writes.  The end result will be that sometimes CPU 0 sees the\nold un-decremented value of urb->use_count while CPU 1 sees the old\nun-incremented value of urb->reject.  Consequently CPU 0 ends up on\nthe wait queue and never gets woken up, leading to the observed hang\nin usb_kill_urb().\r\n\r\nThe same pattern of accesses occurs in usb_poison_urb() and the\nfailure pathway of usb_hcd_submit_urb().\r\n\r\nThe problem is fixed by adding suitable memory barriers.  To provide\nproper memory-access ordering in the SB pattern, a full barrier is\nrequired on both CPUs.  The atomic_inc() and atomic_dec() accesses\nthemselves don't provide any memory ordering, but since they are\npresent, we can use the optimized smp_mb__after_atomic() memory\nbarrier in the various routines to obtain the desired effect.\r\n\r\nThis patch adds the necessary memory barriers.(CVE-2022-48760)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: openvswitch: fix overwriting ct original tuple for ICMPv6\r\n\r\nOVS_PACKET_CMD_EXECUTE has 3 main attributes:\n - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format.\n - OVS_PACKET_ATTR_PACKET - Binary packet content.\n - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet.\r\n\r\nOVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure\nwith the metadata like conntrack state, input port, recirculation id,\netc.  Then the packet itself gets parsed to populate the rest of the\nkeys from the packet headers.\r\n\r\nWhenever the packet parsing code starts parsing the ICMPv6 header, it\nfirst zeroes out fields in the key corresponding to Neighbor Discovery\ninformation even if it is not an ND packet.\r\n\r\nIt is an 'ipv6.nd' field.  However, the 'ipv6' is a union that shares\nthe space between 'nd' and 'ct_orig' that holds the original tuple\nconntrack metadata parsed from the OVS_PACKET_ATTR_KEY.\r\n\r\nND packets should not normally have conntrack state, so it's fine to\nshare the space, but normal ICMPv6 Echo packets or maybe other types of\nICMPv6 can have the state attached and it should not be overwritten.\r\n\r\nThe issue results in all but the last 4 bytes of the destination\naddress being wiped from the original conntrack tuple leading to\nincorrect packet matching and potentially executing wrong actions\nin case this packet recirculates within the datapath or goes back\nto userspace.\r\n\r\nND fields should not be accessed in non-ND packets, so not clearing\nthem should be fine.  Executing memset() only for actual ND packets to\navoid the issue.\r\n\r\nInitializing the whole thing before parsing is needed because ND packet\nmay not contain all the options.\r\n\r\nThe issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't\naffect packets entering OVS datapath from network interfaces, because\nin this case CT metadata is populated from skb after the packet is\nalready parsed.(CVE-2024-38558)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/pci: fix potential memory leak in vfio_intx_enable()\r\n\r\nIf vfio_irq_ctx_alloc() failed will lead to 'name' memory leak.(CVE-2024-38632)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nkdb: Fix buffer overflow during tab-complete\r\n\r\nCurrently, when the user attempts symbol completion with the Tab key, kdb\nwill use strncpy() to insert the completed symbol into the command buffer.\nUnfortunately it passes the size of the source buffer rather than the\ndestination to strncpy() with predictably horrible results. Most obviously\nif the command buffer is already full but cp, the cursor position, is in\nthe middle of the buffer, then we will write past the end of the supplied\nbuffer.\r\n\r\nFix this by replacing the dubious strncpy() calls with memmove()/memcpy()\ncalls plus explicit boundary checks to make sure we have enough space\nbefore we start moving characters around.(CVE-2024-39480)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()\r\n\r\nIn function bond_option_arp_ip_targets_set(), if newval->string is an\nempty string, newval->string+1 will point to the byte after the\nstring, causing an out-of-bound read.\r\n\r\nBUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418\nRead of size 1 at addr ffff8881119c4781 by task syz-executor665/8107\nCPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:364 [inline]\n print_report+0xc1/0x5e0 mm/kasan/report.c:475\n kasan_report+0xbe/0xf0 mm/kasan/report.c:588\n strlen+0x7d/0xa0 lib/string.c:418\n __fortify_strlen include/linux/fortify-string.h:210 [inline]\n in4_pton+0xa3/0x3f0 net/core/utils.c:130\n bond_option_arp_ip_targets_set+0xc2/0x910\ndrivers/net/bonding/bond_options.c:1201\n __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767\n __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792\n bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817\n bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156\n dev_attr_store+0x54/0x80 drivers/base/core.c:2366\n sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136\n kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334\n call_write_iter include/linux/fs.h:2020 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x96a/0xd80 fs/read_write.c:584\n ksys_write+0x122/0x250 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n---[ end trace ]---\r\n\r\nFix it by adding a check of string length before using it.(CVE-2024-39487)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\narm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY\r\n\r\nWhen CONFIG_DEBUG_BUGVERBOSE=n, we fail to add necessary padding bytes\nto bug_table entries, and as a result the last entry in a bug table will\nbe ignored, potentially leading to an unexpected panic(). All prior\nentries in the table will be handled correctly.\r\n\r\nThe arm64 ABI requires that struct fields of up to 8 bytes are\nnaturally-aligned, with padding added within a struct such that struct\nare suitably aligned within arrays.\r\n\r\nWhen CONFIG_DEBUG_BUGVERPOSE=y, the layout of a bug_entry is:\r\n\r\n\tstruct bug_entry {\n\t\tsigned int      bug_addr_disp;\t// 4 bytes\n\t\tsigned int      file_disp;\t// 4 bytes\n\t\tunsigned short  line;\t\t// 2 bytes\n\t\tunsigned short  flags;\t\t// 2 bytes\n\t}\r\n\r\n... with 12 bytes total, requiring 4-byte alignment.\r\n\r\nWhen CONFIG_DEBUG_BUGVERBOSE=n, the layout of a bug_entry is:\r\n\r\n\tstruct bug_entry {\n\t\tsigned int      bug_addr_disp;\t// 4 bytes\n\t\tunsigned short  flags;\t\t// 2 bytes\n\t\t< implicit padding >\t\t// 2 bytes\n\t}\r\n\r\n... with 8 bytes total, with 6 bytes of data and 2 bytes of trailing\npadding, requiring 4-byte alginment.\r\n\r\nWhen we create a bug_entry in assembly, we align the start of the entry\nto 4 bytes, which implicitly handles padding for any prior entries.\nHowever, we do not align the end of the entry, and so when\nCONFIG_DEBUG_BUGVERBOSE=n, the final entry lacks the trailing padding\nbytes.\r\n\r\nFor the main kernel image this is not a problem as find_bug() doesn't\ndepend on the trailing padding bytes when searching for entries:\r\n\r\n\tfor (bug = __start___bug_table; bug < __stop___bug_table; ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\treturn bug;\r\n\r\nHowever for modules, module_bug_finalize() depends on the trailing\nbytes when calculating the number of entries:\r\n\r\n\tmod->num_bugs = sechdrs[i].sh_size / sizeof(struct bug_entry);\r\n\r\n... and as the last bug_entry lacks the necessary padding bytes, this entry\nwill not be counted, e.g. in the case of a single entry:\r\n\r\n\tsechdrs[i].sh_size == 6\n\tsizeof(struct bug_entry) == 8;\r\n\r\n\tsechdrs[i].sh_size / sizeof(struct bug_entry) == 0;\r\n\r\nConsequently module_find_bug() will miss the last bug_entry when it does:\r\n\r\n\tfor (i = 0; i < mod->num_bugs; ++i, ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\tgoto out;\r\n\r\n... which can lead to a kenrel panic due to an unhandled bug.\r\n\r\nThis can be demonstrated with the following module:\r\n\r\n\tstatic int __init buginit(void)\n\t{\n\t\tWARN(1, \"hello\\n\");\n\t\treturn 0;\n\t}\r\n\r\n\tstatic void __exit bugexit(void)\n\t{\n\t}\r\n\r\n\tmodule_init(buginit);\n\tmodule_exit(bugexit);\n\tMODULE_LICENSE(\"GPL\");\r\n\r\n... which will trigger a kernel panic when loaded:\r\n\r\n\t------------[ cut here ]------------\n\thello\n\tUnexpected kernel BRK exception at EL1\n\tInternal error: BRK handler: 00000000f2000800 [#1] PREEMPT SMP\n\tModules linked in: hello(O+)\n\tCPU: 0 PID: 50 Comm: insmod Tainted: G           O       6.9.1 #8\n\tHardware name: linux,dummy-virt (DT)\n\tpstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n\tpc : buginit+0x18/0x1000 [hello]\n\tlr : buginit+0x18/0x1000 [hello]\n\tsp : ffff800080533ae0\n\tx29: ffff800080533ae0 x28: 0000000000000000 x27: 0000000000000000\n\tx26: ffffaba8c4e70510 x25: ffff800080533c30 x24: ffffaba8c4a28a58\n\tx23: 0000000000000000 x22: 0000000000000000 x21: ffff3947c0eab3c0\n\tx20: ffffaba8c4e3f000 x19: ffffaba846464000 x18: 0000000000000006\n\tx17: 0000000000000000 x16: ffffaba8c2492834 x15: 0720072007200720\n\tx14: 0720072007200720 x13: ffffaba8c49b27c8 x12: 0000000000000312\n\tx11: 0000000000000106 x10: ffffaba8c4a0a7c8 x9 : ffffaba8c49b27c8\n\tx8 : 00000000ffffefff x7 : ffffaba8c4a0a7c8 x6 : 80000000fffff000\n\tx5 : 0000000000000107 x4 : 0000000000000000 x3 : 0000000000000000\n\tx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff3947c0eab3c0\n\tCall trace:\n\t buginit+0x18/0x1000 [hello]\n\t do_one_initcall+0x80/0x1c8\n\t do_init_module+0x60/0x218\n\t load_module+0x1ba4/0x1d70\n\t __do_sys_init_module+0x198/0x1d0\n\t __arm64_sys_init_module+0x1c/0x28\n\t invoke_syscall+0x48/0x114\n\t el0_svc\n---truncated---(CVE-2024-39488)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: sr: fix memleak in seg6_hmac_init_algo\r\n\r\nseg6_hmac_init_algo returns without cleaning up the previous allocations\nif one fails, so it's going to leak all that memory and the crypto tfms.\r\n\r\nUpdate seg6_hmac_exit to only free the memory when allocated, so we can\nreuse the code directly.(CVE-2024-39489)",
+    "cves": [
+      {
+        "id": "CVE-2024-39489",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39489",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1533": {
+    "id": "openEuler-SA-2024-1533",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1533",
+    "title": "An update for python-sqlparse is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "``sqlparse`` is a non-validating SQL parser module. It provides support for parsing, splitting and formatting SQL statements.\r\n\r\nSecurity Fix(es):\r\n\r\nPassing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.\r\n\r\n(CVE-2024-4340)",
+    "cves": [
+      {
+        "id": "CVE-2024-4340",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4340",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1436": {
+    "id": "openEuler-SA-2023-1436",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1436",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nA time-of-check to time-of-use issue exists in io_uring subsystem's IORING_OP_CLOSE operation in the Linux kernel's versions 5.6 - 5.11 (inclusive), which allows a local user to elevate their privileges to root. Introduced in b5dba59e0cf7e2cc4d3b3b1ac5fe81ddf21959eb, patched in 9eac1904d3364254d622bf2c771c4f85cd435fc2, backported to stable in 788d0824269bef539fe31a785b1517882eafed93.(CVE-2023-1295)\n\nA heap out-of-bounds write vulnerability in the Linux Kernel ipvlan network driver can be exploited to achieve local privilege escalation.\n\nThe out-of-bounds write is caused by missing skb->cb  initialization in the ipvlan network driver. The vulnerability is reachable if CONFIG_IPVLAN is enabled.\n\n\nWe recommend upgrading past commit 90cbed5247439a966b645b34eb0a2e037836ea8e.\n\n(CVE-2023-3090)\n\nA use-after-free flaw was found in the Netfilter subsystem of the Linux kernel when processing named and anonymous sets in batch requests, which can lead to performing arbitrary reads and writes in kernel memory. This flaw allows a local user with CAP_NET_ADMIN capability to crash or potentially escalate their privileges on the system.(CVE-2023-3117)\n\nLinux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability; `nft_chain_lookup_byid()` failed to check whether a chain was active and CAP_NET_ADMIN is in any user or network namespace(CVE-2023-31248)\n\nAn issue was discovered in the Linux kernel through 6.1-rc8. dpu_crtc_atomic_check in drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c lacks check of the return value of kzalloc() and will cause the NULL Pointer Dereference.(CVE-2023-3220)\n\nA flaw null pointer dereference in the Linux kernel DECnet networking protocol was found. A remote user could use this flaw to crash the system.(CVE-2023-3338)\n\nA null pointer dereference was found in the Linux kernel's Integrated Sensor Hub (ISH) driver. This issue could allow a local user to crash the system.(CVE-2023-3358)",
+    "cves": [
+      {
+        "id": "CVE-2023-3358",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3358",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1034": {
+    "id": "openEuler-SA-2023-1034",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1034",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel through 5.16-rc6. free_charger_irq() in drivers/power/supply/wm8350_power.c lacks free of WM8350_IRQ_CHG_FAST_RDY, which is registered in wm8350_init_charger().(CVE-2022-3111)\r\n\r\nAn issue was discovered in the Linux kernel through 5.16-rc6. kfd_parse_subtype_iolink in drivers/gpu/drm/amd/amdkfd/kfd_crat.c lacks check of the return value of kmemdup().(CVE-2022-3108)\n\nAn out-of-bounds memory access flaw was found in the Linux kernel Intel’s iSMT SMBus host controller driver in the way a user triggers the I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS) with malicious input data. This flaw allows a local user to crash the system.(CVE-2022-2873)\n\nA use-after-free flaw was found in the Linux kernel?s SGI GRU driver in the way the first gru_file_unlocked_ioctl function is called by the user, where a fail pass occurs in the gru_check_chiplet_assignment function. This flaw allows a local user to crash or potentially escalate their privileges on the system.(CVE-2022-3424)",
+    "cves": [
+      {
+        "id": "CVE-2022-3424",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3424",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1220": {
+    "id": "openEuler-SA-2023-1220",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1220",
+    "title": "An update for libldb is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "An extensible library that implements an LDAP like API to access remote LDAP servers, or use local tdb databases.\r\n\r\nSecurity Fix(es):\r\n\r\nThe fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure vi LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC.(CVE-2023-0614)",
+    "cves": [
+      {
+        "id": "CVE-2023-0614",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0614",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1097": {
+    "id": "openEuler-SA-2023-1097",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1097",
+    "title": "An update for python-django is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "A high-level Python Web framework that encourages rapid development and clean, pragmatic design.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.(CVE-2023-23969)",
+    "cves": [
+      {
+        "id": "CVE-2023-23969",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23969",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1277": {
+    "id": "openEuler-SA-2021-1277",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1277",
+    "title": "An update for ant is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Ant is a Java based build tool. In theory it is kind of like \"make\" without makes wrinkles and with the full portability of pure java code.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.(CVE-2021-36373)\r\n\r\nWhen reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.(CVE-2021-36374)",
+    "cves": [
+      {
+        "id": "CVE-2021-36374",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36374",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1431": {
+    "id": "openEuler-SA-2023-1431",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1431",
+    "title": "An update for edk2 is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications. \n\nSecurity Fix(es):\n\nA timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.(CVE-2022-4304)",
+    "cves": [
+      {
+        "id": "CVE-2022-4304",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4304",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1116": {
+    "id": "openEuler-SA-2023-1116",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1116",
+    "title": "An update for gssntlmssp is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Implementing the GSSAPI mechanism of NTLMSSP.\r\n\r\nSecurity Fix(es):\r\n\r\nGSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implements NTLM authentication. Prior to version 1.2.0, memory corruption can be triggered when decoding UTF16 strings. The variable `outlen` was not initialized and could cause writing a zero to an arbitrary place in memory if `ntlm_str_convert()` were to fail, which would leave `outlen` uninitialized. This can lead to a denial of service if the write hits unmapped memory or randomly corrupts a byte in the application memory space. This vulnerability can trigger an out-of-bounds write, leading to memory corruption. This vulnerability can be triggered via the main `gss_accept_sec_context` entry point. This issue is fixed in version 1.2.0.(CVE-2023-25564)\r\n\r\nGSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implements NTLM authentication. Prior to version 1.2.0, an incorrect free when decoding target information can trigger a denial of service. The error condition incorrectly assumes the `cb` and `sh` buffers contain a copy of the data that needs to be freed. However, that is not the case. This vulnerability can be triggered via the main `gss_accept_sec_context` entry point. This will likely trigger an assertion failure in `free`, causing a denial-of-service. This issue is fixed in version 1.2.0.(CVE-2023-25565)\r\n\r\nGSS-NTLMSSP, a mechglue plugin for the GSSAPI library that implements NTLM authentication, has an out-of-bounds read when decoding target information prior to version 1.2.0. The length of the `av_pair` is not checked properly for two of the elements which can trigger an out-of-bound read. The out-of-bounds read can be triggered via the main `gss_accept_sec_context` entry point and could cause a denial-of-service if the memory is unmapped. The issue is fixed in version 1.2.0.(CVE-2023-25567)",
+    "cves": [
+      {
+        "id": "CVE-2023-25567",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25567",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1396": {
+    "id": "openEuler-SA-2021-1396",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1396",
+    "title": "An update for rubygem-nokogiri is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Nokogiri parses and searches XML/HTML very quickly, and also has correctly implemented CSS3 selector support as well as XPath support. Nokogiri also features an Hpricot compatibility layer to help ease the change to using correct CSS and XPath. %if 0\r\n\r\nSecurity Fix(es):\r\n\r\nNokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected.(CVE-2021-41098)",
+    "cves": [
+      {
+        "id": "CVE-2021-41098",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41098",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1989": {
+    "id": "openEuler-SA-2022-1989",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1989",
+    "title": "An update for lighttpd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Secure, fast, compliant and very flexible web-server which has been optimized for high-performance environments. It has a very low memory footprint compared to other webservers and takes care of cpu-load. Its advanced feature-set (FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and many more) make it the perfect webserver-software for every server that is suffering load problems.\r\n\r\nSecurity Fix(es):\r\n\r\nIn lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition.(CVE-2022-37797)\n\nA resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67.(CVE-2022-41556)",
+    "cves": [
+      {
+        "id": "CVE-2022-41556",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41556",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1468": {
+    "id": "openEuler-SA-2024-1468",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1468",
+    "title": "An update for docker is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Docker is an open source project to build, ship and run any application as a lightweight container.\r\n\r\nSecurity Fix(es):\r\n\r\nMoby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be defined. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters and thus behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_. The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and other API clients may specify the `internal` parameter as well.\r\n\r\nWhen containers with networking are created, they are assigned unique network interfaces and IP addresses. The host serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from container IPs.\r\n\r\nContainers on an internal network may communicate between each other, but are precluded from communicating with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus appropriately configured host services) is possible, and the host may communicate with any container IP directly.\r\n\r\nIn addition to configuring the Linux kernel's various networking features to enable container networking, `dockerd` directly provides some services to container networks. Principal among these is serving as a resolver, enabling service discovery, and resolution of names from an upstream resolver.\r\n\r\nWhen a DNS request for a name that does not correspond to a container is received, the request is forwarded to the configured upstream resolver. This request is made from the container's network namespace: the level of access and routing of traffic is the same as if the request was made by the container itself.\r\n\r\nAs a consequence of this design, containers solely attached to an internal network will be unable to resolve names using the upstream resolver, as the container itself is unable to communicate with that nameserver. Only the names of containers also attached to the internal network are able to be resolved.\r\n\r\nMany systems run a local forwarding DNS resolver. As the host and any containers have separate loopback devices, a consequence of the design described above is that containers are unable to resolve names from the host's configured resolver, as they cannot reach these addresses on the host loopback device. To bridge this gap, and to allow containers to properly resolve names even when a local forwarding resolver is used on a loopback address, `dockerd` detects this scenario and instead forward DNS requests from the host namework namespace. The loopback resolver then forwards the requests to its configured upstream resolvers, as expected.\r\n\r\nBecause `dockerd` forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics entirely, internal networks can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers.\r\n\r\nDocker Desktop is not affected, as Docker Desktop always runs an internal resolver on a RFC 1918 address.\r\n\r\nMoby releases 26.0.0, 25.0.4, and 23.0.11 are patched to prevent forwarding any DNS requests from internal networks. As a workaround, run containers intended to be solely attached to internal networks with a custom upstream address, which will force all upstream DNS queries to be resolved from the container's network namespace.(CVE-2024-29018)",
+    "cves": [
+      {
+        "id": "CVE-2024-29018",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29018",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1596": {
+    "id": "openEuler-SA-2022-1596",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1596",
+    "title": "An update for httpd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\r\n\r\nSecurity Fix(es):\r\n\r\nOut-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions.(CVE-2022-23943)\r\n\r\nIf LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.(CVE-2022-22721)\r\n\r\nApache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling(CVE-2022-22720)\r\n\r\nA carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier.(CVE-2022-22719)",
+    "cves": [
+      {
+        "id": "CVE-2022-22719",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22719",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1528": {
+    "id": "openEuler-SA-2024-1528",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1528",
+    "title": "An update for podman is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Podman manages the entire container ecosystem which includes pods, containers, container images, and container volumes using the libpod library.\r\n\r\nSecurity Fix(es):\r\n\r\nAn attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.(CVE-2022-32149)",
+    "cves": [
+      {
+        "id": "CVE-2022-32149",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32149",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1092": {
+    "id": "openEuler-SA-2023-1092",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1092",
+    "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nThe public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7. Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream. The OpenSSL cms and smime command line applications are similarly affected.(CVE-2023-0215)\r\n\r\nA timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.(CVE-2022-4304)\r\n\r\nThe function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data. If the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.(CVE-2022-4450)\n\nThere is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.(CVE-2023-0286)",
+    "cves": [
+      {
+        "id": "CVE-2023-0286",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0286",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1251": {
+    "id": "openEuler-SA-2023-1251",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1251",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).(CVE-2022-36280)\r\n\r\nWhen SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure.(CVE-2022-27672)\r\n\r\nAn issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8. nVMX on x86_64 lacks consistency checks for CR0 and CR4.(CVE-2023-30456)\r\n\r\nA use-after-free flaw was found in btsdio_remove in drivers\\bluetooth\\btsdio.c in the Linux Kernel. In this flaw, a call to btsdio_remove with an unfinished job, may cause a race problem leading to a UAF on hdev devices.(CVE-2023-1989)\r\n\r\nA use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root.\nWe recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28.\r\n\r\n(CVE-2023-1829)",
+    "cves": [
+      {
+        "id": "CVE-2023-1829",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1829",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1604": {
+    "id": "openEuler-SA-2023-1604",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1604",
+    "title": "An update for ghostscript is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Ghostscript is an interpreter for PostScript™ and Portable Document Format (PDF) files. Ghostscript consists of a PostScript interpreter layer, and a graphics library.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Artifex Ghostscript through 10.01.0, there is a buffer overflow leading to potential corruption of data internal to the PostScript interpreter, in base/sbcp.c. This affects BCPEncode, BCPDecode, TBCPEncode, and TBCPDecode. If the write buffer is filled to one byte less than full, and one then tries to write an escaped character, two bytes are written.(CVE-2023-28879)\r\n\r\nArtifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix).(CVE-2023-36664)\r\n\r\nA buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript. This issue may allow a local attacker to cause a denial of service via outputting a crafted PDF file for a DEVN device with gs.(CVE-2023-38559)",
+    "cves": [
+      {
+        "id": "CVE-2023-38559",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38559",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1710": {
+    "id": "openEuler-SA-2024-1710",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1710",
+    "title": "An update for rubygem-actionpack is now available for openEuler-24.03-LTS",
+    "severity": "Medium",
+    "description": "Eases web-request routing, handling, and response as a half-way front, half-way page controller. Implemented with specific emphasis on enabling easy unit/integration testing that doesn't require a browser.\r\n\r\nSecurity Fix(es):\r\n\r\nAction Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in  6.1.7.8, 7.0.8.2, and 7.1.3.3.(CVE-2024-28103)",
+    "cves": [
+      {
+        "id": "CVE-2024-28103",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28103",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1069": {
+    "id": "openEuler-SA-2024-1069",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1069",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel before 6.6.8. rose_ioctl in net/rose/af_rose.c has a use-after-free because of a rose_accept race condition.(CVE-2023-51782)\r\n\r\nA memory leak problem was found in ctnetlink_create_conntrack in net/netfilter/nf_conntrack_netlink.c in the Linux Kernel. This issue may allow a local attacker with CAP_NET_ADMIN privileges to cause a denial of service (DoS) attack due to a refcount overflow.(CVE-2023-7192)",
+    "cves": [
+      {
+        "id": "CVE-2023-7192",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7192",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1237": {
+    "id": "openEuler-SA-2023-1237",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1237",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Go Programming Language.\r\n\r\nSecurity Fix(es):\r\n\r\nMultipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.(CVE-2023-24536)\r\n\r\nHTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.(CVE-2023-24534)\r\n\r\nTemplates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. \"var a = {{.}}\"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution.(CVE-2023-24538)\r\n\r\nCalling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.(CVE-2023-24537)",
+    "cves": [
+      {
+        "id": "CVE-2023-24537",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24537",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1651": {
+    "id": "openEuler-SA-2022-1651",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1651",
+    "title": "An update for zlib is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Zlib is a free, general-purpose, not covered by any patents, lossless data-compression library for use on virtually any computer hardware and operating system. The zlib data format is itself portable across platforms.\r\n\r\nSecurity Fix(es):\r\n\r\nzlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.(CVE-2018-25032)",
+    "cves": [
+      {
+        "id": "CVE-2018-25032",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25032",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1452": {
+    "id": "openEuler-SA-2024-1452",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1452",
+    "title": "An update for mod_http2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Mod_h[ttp]2 is an official Apache httpd module, first released in 2.4.17.  See Apache downloads to get a released version. mod_proxy_h[ttp]2 has been released in 2.4.23.\r\n\r\nSecurity Fix(es):\r\n\r\nHTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.(CVE-2024-27316)",
+    "cves": [
+      {
+        "id": "CVE-2024-27316",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27316",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1021": {
+    "id": "openEuler-SA-2021-1021",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1021",
+    "title": "An update for opensc is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "OpenSC provides a set of libraries and utilities to work with smart cards. Its main focus is on cards that support cryptographic operations, and facilitate their use in security applications such as authentication, mail encryption and digital signatures. OpenSC implements the standard APIs to smart cards, e.g. PKCS#11 API, Windows' Smart Card Minidriver and macOS Tokend.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nThe Oberthur smart card software driver in OpenSC before 0.21.0-rc1 has a heap-based buffer overflow in sc_oberthur_read_file.(CVE-2020-26570)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2020-26570",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26570",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1151": {
+    "id": "openEuler-SA-2023-1151",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1151",
+    "title": "An update for libreswan is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Libreswan is an implementation of IKEv1 and IKEv2 for IPsec. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services.  These services allow you to build secure tunnels through untrusted networks.  Everything passing through the untrusted net is encrypted by the ipsec gateway machine and decrypted by the gateway at the other end of the tunnel.  The resulting tunnel is a virtual private network or VPN. This package contains the daemons and userland tools for setting up Libreswan. Libreswan also supports IKEv2 (RFC7296) and Secure Labeling Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04\r\n\r\nSecurity Fix(es):\r\n\r\nLibreswan 4.9 allows remote attackers to cause a denial of service (assert failure and daemon restart) via crafted TS payload with an incorrect selector length.(CVE-2023-23009)",
+    "cves": [
+      {
+        "id": "CVE-2023-23009",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23009",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1614": {
+    "id": "openEuler-SA-2023-1614",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1614",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\n(CVE-2023-3865)\r\n\r\n(CVE-2023-3866)\r\n\r\nA use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs during device initialization when the siano device is plugged in. This flaw allows a local user to crash the system, causing a denial of service condition.(CVE-2023-4132)\r\n\r\nA flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index and merging file name parts belonging to one file into a single long file name. Since the file name characters are copied into a stack variable, a local privileged attacker could use this flaw to overflow the kernel stack.(CVE-2023-4273)",
+    "cves": [
+      {
+        "id": "CVE-2023-4273",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4273",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2151": {
+    "id": "openEuler-SA-2022-2151",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2151",
+    "title": "An update for openjdk-11 is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The OpenJDK runtime environment.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21626)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21619)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS). Supported versions that are affected are Oracle Java SE: 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21618)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21628)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-39399)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21271)",
+    "cves": [
+      {
+        "id": "CVE-2022-21271",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21271",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1832": {
+    "id": "openEuler-SA-2022-1832",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1832",
+    "title": "An update for openjdk-latest is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment.\n\nSecurity Fix(es):\n\nThe Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.(CVE-2022-34169)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).(CVE-2022-21541)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2022-21540)",
+    "cves": [
+      {
+        "id": "CVE-2022-21540",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21540",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1749": {
+    "id": "openEuler-SA-2022-1749",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1749",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Over-read in function grab_file_name in GitHub repository vim/vim prior to 8.2.4956. This vulnerability is capable of crashing the software, memory modification, and possible remote execution.(CVE-2022-1720)\r\n\r\nNULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.5163.(CVE-2022-2208)\r\n\r\nHeap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.(CVE-2022-2207)\r\n\r\nOut-of-bounds Read in GitHub repository vim/vim prior to 8.2.(CVE-2022-2183)\r\n\r\nHeap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.(CVE-2022-2284)\r\n\r\nInteger Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.(CVE-2022-2285)\r\n\r\nStack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.(CVE-2022-2304)\r\n\r\nUse After Free in GitHub repository vim/vim prior to 9.0.0046.(CVE-2022-2345)\r\n\r\nHeap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0045.(CVE-2022-2344)\r\n\r\nUse After Free in GitHub repository vim/vim prior to 8.2.(CVE-2022-2042)\r\n\r\nOut-of-bounds Write in GitHub repository vim/vim prior to 8.2.(CVE-2022-2000)",
+    "cves": [
+      {
+        "id": "CVE-2022-2000",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2000",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2102": {
+    "id": "openEuler-SA-2022-2102",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2102",
+    "title": "An update for python3 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces. This package Provides python version 3.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.(CVE-2022-45061)",
+    "cves": [
+      {
+        "id": "CVE-2022-45061",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45061",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1633": {
+    "id": "openEuler-SA-2024-1633",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1633",
+    "title": "An update for mysql is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The MySQL(TM) software delivers a very fast, multi-threaded, multi-user, and robust SQL (Structured Query Language) database server. MySQL Server is intended for mission-critical, heavy-load production systems as well as for embedding into mass-deployed software. MySQL is a trademark of Oracle and/or its affiliates\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21087)",
+    "cves": [
+      {
+        "id": "CVE-2024-21087",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21087",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1425": {
+    "id": "openEuler-SA-2021-1425",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1425",
+    "title": "An update for squashfs-tools is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Squashfs is a highly compressed read-only filesystem for Linux. It uses either gzip/xz/lzo/lz4/zstd compression to compress both files, inodes and directories.\r\n\r\nSecurity Fix(es):\r\n\r\nsquashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem.(CVE-2021-41072)\r\n\r\nsquashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is then used by unsquashfs to create the new file during the unsquash. The filename is not validated for traversal outside of the destination directory, and thus allows writing to locations outside of the destination.(CVE-2021-40153)",
+    "cves": [
+      {
+        "id": "CVE-2021-40153",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40153",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1235": {
+    "id": "openEuler-SA-2023-1235",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1235",
+    "title": "An update for mod_auth_openidc is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party(RP) to an OpenID Connect Provider(OP).\r\n\r\nSecurity Fix(es):\r\n\r\nmod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() does not properly check for URLs that start with /\\t, leading to an open redirect. This issue has been patched in version 2.4.12.2. Users unable to upgrade can mitigate the issue by configuring mod_auth_openidc to only allow redirection when the destination matches a given regular expression with OIDCRedirectURLsAllowed.(CVE-2022-23527)\r\n\r\nmod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when `OIDCStripCookies` is set and a crafted cookie supplied, a NULL pointer dereference would occur, resulting in a segmentation fault. This could be used in a Denial-of-Service attack and thus presents an availability risk. Version 2.4.13.2 contains a patch for this issue. As a workaround, avoid using `OIDCStripCookies`.(CVE-2023-28625)",
+    "cves": [
+      {
+        "id": "CVE-2023-28625",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28625",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1487": {
+    "id": "openEuler-SA-2023-1487",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1487",
+    "title": "An update for perl-HTTP-Tiny is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "This is a very simple HTTP/1.1 client, designed for doing simple requests without the overhead of a large framework like LWP::UserAgent.\r\n\r\nSecurity Fix(es):\r\n\r\nHTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.(CVE-2023-31486)",
+    "cves": [
+      {
+        "id": "CVE-2023-31486",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31486",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1293": {
+    "id": "openEuler-SA-2021-1293",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1293",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nfs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05.(CVE-2021-33909)",
+    "cves": [
+      {
+        "id": "CVE-2021-33909",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33909",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1578": {
+    "id": "openEuler-SA-2022-1578",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1578",
+    "title": "An update for haproxy is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic web sites and powers quite a number of the world's most visited ones.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the way HAProxy processed HTTP responses containing the \"Set-Cookie2\" header. This flaw could allow an attacker to send crafted HTTP response packets which lead to an infinite loop, eventually resulting in a denial of service condition. The highest threat from this vulnerability is availability.(CVE-2022-0711)",
+    "cves": [
+      {
+        "id": "CVE-2022-0711",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0711",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1241": {
+    "id": "openEuler-SA-2024-1241",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1241",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: prevent mss overflow in skb_segment()\r\n\r\nOnce again syzbot is able to crash the kernel in skb_segment() [1]\r\n\r\nGSO_BY_FRAGS is a forbidden value, but unfortunately the following\ncomputation in skb_segment() can reach it quite easily :\r\n\r\n\tmss = mss * partial_segs;\r\n\r\n65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to\na bad final result.\r\n\r\nMake sure to limit segmentation so that the new mss value is smaller\nthan GSO_BY_FRAGS.\r\n\r\n[1]\r\n\r\ngeneral protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]\nCPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3cbdd0 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff\nR10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0\nR13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046\nFS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\nudp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109\nipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120\nskb_mac_gso_segment+0x290/0x610 net/core/gso.c:53\n__skb_gso_segment+0x339/0x710 net/core/gso.c:124\nskb_gso_segment include/net/gso.h:83 [inline]\nvalidate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626\n__dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\npacket_xmit+0x257/0x380 net/packet/af_packet.c:276\npacket_snd net/packet/af_packet.c:3087 [inline]\npacket_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0xd5/0x180 net/socket.c:745\n__sys_sendto+0x255/0x340 net/socket.c:2190\n__do_sys_sendto net/socket.c:2202 [inline]\n__se_sys_sendto net/socket.c:2198 [inline]\n__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7f8692032aa9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9\nRDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003\nRBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480\nR13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003\n</TASK>\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R0\n---truncated---(CVE-2023-52435)\r\n\r\nA race condition was found in the Linux kernel's sound/hda  device driver in snd_hdac_regmap_sync() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\r\n\r\n(CVE-2024-23196)",
+    "cves": [
+      {
+        "id": "CVE-2024-23196",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23196",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1285": {
+    "id": "openEuler-SA-2024-1285",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1285",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: explicitly null-terminate the xattr list\r\n\r\nWhen setting an xattr, explicitly null-terminate the xattr list.  This\neliminates the fragile assumption that the unused xattr space is always\nzeroed.(CVE-2023-52436)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbinder: fix use-after-free in shinker's callback\r\n\r\nThe mmap read lock is used during the shrinker's callback, which means\nthat using alloc->vma pointer isn't safe as it can race with munmap().\nAs of commit dd2283f2605e (\"mm: mmap: zap pages with read mmap_sem in\nmunmap\") the mmap lock is downgraded after the vma has been isolated.\r\n\r\nI was able to reproduce this issue by manually adding some delays and\ntriggering page reclaiming through the shrinker's debug sysfs. The\nfollowing KASAN report confirms the UAF:\r\n\r\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8\n  Read of size 8 at addr ffff356ed50e50f0 by task bash/478\r\n\r\n  CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70\n  Hardware name: linux,dummy-virt (DT)\n  Call trace:\n   zap_page_range_single+0x470/0x4b8\n   binder_alloc_free_page+0x608/0xadc\n   __list_lru_walk_one+0x130/0x3b0\n   list_lru_walk_node+0xc4/0x22c\n   binder_shrink_scan+0x108/0x1dc\n   shrinker_debugfs_scan_write+0x2b4/0x500\n   full_proxy_write+0xd4/0x140\n   vfs_write+0x1ac/0x758\n   ksys_write+0xf0/0x1dc\n   __arm64_sys_write+0x6c/0x9c\r\n\r\n  Allocated by task 492:\n   kmem_cache_alloc+0x130/0x368\n   vm_area_alloc+0x2c/0x190\n   mmap_region+0x258/0x18bc\n   do_mmap+0x694/0xa60\n   vm_mmap_pgoff+0x170/0x29c\n   ksys_mmap_pgoff+0x290/0x3a0\n   __arm64_sys_mmap+0xcc/0x144\r\n\r\n  Freed by task 491:\n   kmem_cache_free+0x17c/0x3c8\n   vm_area_free_rcu_cb+0x74/0x98\n   rcu_core+0xa38/0x26d4\n   rcu_core_si+0x10/0x1c\n   __do_softirq+0x2fc/0xd24\r\n\r\n  Last potentially related work creation:\n   __call_rcu_common.constprop.0+0x6c/0xba0\n   call_rcu+0x10/0x1c\n   vm_area_free+0x18/0x24\n   remove_vma+0xe4/0x118\n   do_vmi_align_munmap.isra.0+0x718/0xb5c\n   do_vmi_munmap+0xdc/0x1fc\n   __vm_munmap+0x10c/0x278\n   __arm64_sys_munmap+0x58/0x7c\r\n\r\nFix this issue by performing instead a vma_lookup() which will fail to\nfind the vma that was isolated before the mmap lock downgrade. Note that\nthis option has better performance than upgrading to a mmap write lock\nwhich would increase contention. Plus, mmap_write_trylock() has been\nrecently removed anyway.(CVE-2023-52438)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nuio: Fix use-after-free in uio_open\r\n\r\ncore-1\t\t\t\tcore-2\n-------------------------------------------------------\nuio_unregister_device\t\tuio_open\n\t\t\t\tidev = idr_find()\ndevice_unregister(&idev->dev)\nput_device(&idev->dev)\nuio_device_release\n\t\t\t\tget_device(&idev->dev)\nkfree(idev)\nuio_free_minor(minor)\n\t\t\t\tuio_release\n\t\t\t\tput_device(&idev->dev)\n\t\t\t\tkfree(idev)\n-------------------------------------------------------\r\n\r\nIn the core-1 uio_unregister_device(), the device_unregister will kfree\nidev when the idev->dev kobject ref is 1. But after core-1\ndevice_unregister, put_device and before doing kfree, the core-2 may\nget_device. Then:\n1. After core-1 kfree idev, the core-2 will do use-after-free for idev.\n2. When core-2 do uio_release and put_device, the idev will be double\n   freed.\r\n\r\nTo address this issue, we can get idev atomic & inc idev reference with\nminor_lock.(CVE-2023-52439)\r\n\r\nNULL Pointer Dereference vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (net, bluetooth modules) allows Overflow Buffers. This vulnerability is associated with program files /net/bluetooth/rfcomm/core.C.\r\n\r\nThis issue affects Linux kernel: v2.6.12-rc2.\r\n\r\n(CVE-2024-22099)\r\n\r\nIn btrfs_get_root_ref in fs/btrfs/disk-io.c in the Linux kernel through 6.7.1, there can be an assertion failure and crash because a subvolume can be read out too soon after its root item is inserted upon subvolume creation.(CVE-2024-23850)\r\n\r\ncopy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can attempt to allocate more than INT_MAX bytes, and crash, because of a missing param_kernel->data_size check. This is related to ctl_ioctl.(CVE-2024-23851)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntls: fix race between async notify and socket close\r\n\r\nThe submitting thread (one which called recvmsg/sendmsg)\nmay exit as soon as the async crypto handler calls complete()\nso any code past that point risks touching already freed data.\r\n\r\nTry to avoid the locking and extra flags altogether.\nHave the main thread hold an extra reference, this way\nwe can depend solely on the atomic ref counter for\nsynchronization.\r\n\r\nDon't futz with reiniting the completion, either, we are now\ntightly controlling when completion fires.(CVE-2024-26583)",
+    "cves": [
+      {
+        "id": "CVE-2024-26583",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26583",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1456": {
+    "id": "openEuler-SA-2024-1456",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1456",
+    "title": "An update for gstreamer1-plugins-base is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "GStreamer is a graphics library for built-in media processing components. BasePlug-ins is a the collections used to maintain the GStreamer plugin.\r\n\r\nSecurity Fix(es):\r\n\r\nHeap-based buffer overflow in the subparse subtitle parser when handling certain SRT subtitle files in GStreamer versions before 1.22.4 / 1.20.7. It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation.\r\n\r\nhttps://gstreamer.freedesktop.org/security/sa-2023-0002.html(CVE-2023-37328)",
+    "cves": [
+      {
+        "id": "CVE-2023-37328",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37328",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1414": {
+    "id": "openEuler-SA-2023-1414",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1414",
+    "title": "An update for kubernetes is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Container cluster management.\n\nSecurity Fix(es):\n\nUsers authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API group.(CVE-2022-3162)\n\nUsers may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to to the API server's private network.(CVE-2022-3294)\n\nA security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.(CVE-2023-2431)\n\nUsers may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.\n\n(CVE-2023-2727)\n\nUsers may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.\n\n(CVE-2023-2728)",
+    "cves": [
+      {
+        "id": "CVE-2023-2728",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2728",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2073": {
+    "id": "openEuler-SA-2022-2073",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2073",
+    "title": "An update for ganglia is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Ganglia is a scalable, real-time monitoring and execution environment with all execution requests and statistics expressed in an open well-defined XML format.\r\n\r\nSecurity Fix(es):\r\n\r\nganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via the header.php ce parameter.(CVE-2019-20378)\r\n\r\nganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via the header.php cs parameter.(CVE-2019-20379)",
+    "cves": [
+      {
+        "id": "CVE-2019-20379",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20379",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1765": {
+    "id": "openEuler-SA-2024-1765",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1765",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nspi: Fix deadlock when adding SPI controllers on SPI buses\r\n\r\nCurrently we have a global spi_add_lock which we take when adding new\ndevices so that we can check that we're not trying to reuse a chip\nselect that's already controlled.  This means that if the SPI device is\nitself a SPI controller and triggers the instantiation of further SPI\ndevices we trigger a deadlock as we try to register and instantiate\nthose devices while in the process of doing so for the parent controller\nand hence already holding the global spi_add_lock.  Since we only care\nabout concurrency within a single SPI bus move the lock to be per\ncontroller, avoiding the deadlock.\r\n\r\nThis can be easily triggered in the case of spi-mux.(CVE-2021-47469)\r\n\r\n(CVE-2023-39180)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhid: cp2112: Fix duplicate workqueue initialization\r\n\r\nPreviously the cp2112 driver called INIT_DELAYED_WORK within\ncp2112_gpio_irq_startup, resulting in duplicate initilizations of the\nworkqueue on subsequent IRQ startups following an initial request. This\nresulted in a warning in set_work_data in workqueue.c, as well as a rare\nNULL dereference within process_one_work in workqueue.c.\r\n\r\nInitialize the workqueue within _probe instead.(CVE-2023-52853)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: fix UAF issue in ksmbd_tcp_new_connection()\r\n\r\nThe race is between the handling of a new TCP connection and\nits disconnection. It leads to UAF on `struct tcp_transport` in\nksmbd_tcp_new_connection() function.(CVE-2024-26592)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: release mutex after nft_gc_seq_end from abort path\r\n\r\nThe commit mutex should not be released during the critical section\nbetween nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC\nworker could collect expired objects and get the released commit lock\nwithin the same GC sequence.\r\n\r\nnf_tables_module_autoload() temporarily releases the mutex to load\nmodule dependencies, then it goes back to replay the transaction again.\nMove it at the end of the abort phase after nft_gc_seq_end() is called.(CVE-2024-26925)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: wilc1000: fix RCU usage in connect path\r\n\r\nWith lockdep enabled, calls to the connect function from cfg802.11 layer\nlead to the following warning:\r\n\r\n=============================\nWARNING: suspicious RCU usage\n6.7.0-rc1-wt+ #333 Not tainted\n-----------------------------\ndrivers/net/wireless/microchip/wilc1000/hif.c:386\nsuspicious rcu_dereference_check() usage!\n[...]\nstack backtrace:\nCPU: 0 PID: 100 Comm: wpa_supplicant Not tainted 6.7.0-rc1-wt+ #333\nHardware name: Atmel SAMA5\n unwind_backtrace from show_stack+0x18/0x1c\n show_stack from dump_stack_lvl+0x34/0x48\n dump_stack_lvl from wilc_parse_join_bss_param+0x7dc/0x7f4\n wilc_parse_join_bss_param from connect+0x2c4/0x648\n connect from cfg80211_connect+0x30c/0xb74\n cfg80211_connect from nl80211_connect+0x860/0xa94\n nl80211_connect from genl_rcv_msg+0x3fc/0x59c\n genl_rcv_msg from netlink_rcv_skb+0xd0/0x1f8\n netlink_rcv_skb from genl_rcv+0x2c/0x3c\n genl_rcv from netlink_unicast+0x3b0/0x550\n netlink_unicast from netlink_sendmsg+0x368/0x688\n netlink_sendmsg from ____sys_sendmsg+0x190/0x430\n ____sys_sendmsg from ___sys_sendmsg+0x110/0x158\n ___sys_sendmsg from sys_sendmsg+0xe8/0x150\n sys_sendmsg from ret_fast_syscall+0x0/0x1c\r\n\r\nThis warning is emitted because in the connect path, when trying to parse\ntarget BSS parameters, we dereference a RCU pointer whithout being in RCU\ncritical section.\nFix RCU dereference usage by moving it to a RCU read critical section. To\navoid wrapping the whole wilc_parse_join_bss_param under the critical\nsection, just use the critical section to copy ies data(CVE-2024-27053)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: tc358743: register v4l2 async device only after successful setup\r\n\r\nEnsure the device has been setup correctly before registering the v4l2\nasync device, thus allowing userspace to access.(CVE-2024-35830)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/rds: fix possible cp null dereference\r\n\r\ncp might be null, calling cp->cp_conn would produce null dereference\r\n\r\n[Simon Horman adds:]\r\n\r\nAnalysis:\r\n\r\n* cp is a parameter of __rds_rdma_map and is not reassigned.\r\n\r\n* The following call-sites pass a NULL cp argument to __rds_rdma_map()\r\n\r\n  - rds_get_mr()\n  - rds_get_mr_for_dest\r\n\r\n* Prior to the code above, the following assumes that cp may be NULL\n  (which is indicative, but could itself be unnecessary)\r\n\r\n\ttrans_private = rs->rs_transport->get_mr(\n\t\tsg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL,\n\t\targs->vec.addr, args->vec.bytes,\n\t\tneed_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED);\r\n\r\n* The code modified by this patch is guarded by IS_ERR(trans_private),\n  where trans_private is assigned as per the previous point in this analysis.\r\n\r\n  The only implementation of get_mr that I could locate is rds_ib_get_mr()\n  which can return an ERR_PTR if the conn (4th) argument is NULL.\r\n\r\n* ret is set to PTR_ERR(trans_private).\n  rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL.\n  Thus ret may be -ENODEV in which case the code in question will execute.\r\n\r\nConclusion:\n* cp may be NULL at the point where this patch adds a check;\n  this patch does seem to address a possible bug(CVE-2024-35902)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nkprobes: Fix possible use-after-free issue on kprobe registration\r\n\r\nWhen unloading a module, its state is changing MODULE_STATE_LIVE ->\n MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take\na time. `is_module_text_address()` and `__module_text_address()`\nworks with MODULE_STATE_LIVE and MODULE_STATE_GOING.\nIf we use `is_module_text_address()` and `__module_text_address()`\nseparately, there is a chance that the first one is succeeded but the\nnext one is failed because module->state becomes MODULE_STATE_UNFORMED\nbetween those operations.\r\n\r\nIn `check_kprobe_address_safe()`, if the second `__module_text_address()`\nis failed, that is ignored because it expected a kernel_text address.\nBut it may have failed simply because module->state has been changed\nto MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify\nnon-exist module text address (use-after-free).\r\n\r\nTo fix this problem, we should not use separated `is_module_text_address()`\nand `__module_text_address()`, but use only `__module_text_address()`\nonce and do `try_module_get(module)` which is only available with\nMODULE_STATE_LIVE.(CVE-2024-35955)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfirewire: ohci: mask bus reset interrupts between ISR and bottom half\r\n\r\nIn the FireWire OHCI interrupt handler, if a bus reset interrupt has\noccurred, mask bus reset interrupts until bus_reset_work has serviced and\ncleared the interrupt.\r\n\r\nNormally, we always leave bus reset interrupts masked. We infer the bus\nreset from the self-ID interrupt that happens shortly thereafter. A\nscenario where we unmask bus reset interrupts was introduced in 2008 in\na007bb857e0b26f5d8b73c2ff90782d9c0972620: If\nOHCI_PARAM_DEBUG_BUSRESETS (8) is set in the debug parameter bitmask, we\nwill unmask bus reset interrupts so we can log them.\r\n\r\nirq_handler logs the bus reset interrupt. However, we can't clear the bus\nreset event flag in irq_handler, because we won't service the event until\nlater. irq_handler exits with the event flag still set. If the\ncorresponding interrupt is still unmasked, the first bus reset will\nusually freeze the system due to irq_handler being called again each\ntime it exits. This freeze can be reproduced by loading firewire_ohci\nwith \"modprobe firewire_ohci debug=-1\" (to enable all debugging output).\nApparently there are also some cases where bus_reset_work will get called\nsoon enough to clear the event, and operation will continue normally.\r\n\r\nThis freeze was first reported a few months after a007bb85 was committed,\nbut until now it was never fixed. The debug level could safely be set\nto -1 through sysfs after the module was loaded, but this would be\nineffectual in logging bus reset interrupts since they were only\nunmasked during initialization.\r\n\r\nirq_handler will now leave the event flag set but mask bus reset\ninterrupts, so irq_handler won't be called again and there will be no\nfreeze. If OHCI_PARAM_DEBUG_BUSRESETS is enabled, bus_reset_work will\nunmask the interrupt after servicing the event, so future interrupts\nwill be caught as desired.\r\n\r\nAs a side effect to this change, OHCI_PARAM_DEBUG_BUSRESETS can now be\nenabled through sysfs in addition to during initial module loading.\nHowever, when enabled through sysfs, logging of bus reset interrupts will\nbe effective only starting with the second bus reset, after\nbus_reset_work has executed.(CVE-2024-36950)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Fix division by zero in setup_dsc_config\r\n\r\nWhen slice_height is 0, the division by slice_height in the calculation\nof the number of slices will cause a division by zero driver crash. This\nleaves the kernel in a state that requires a reboot. This patch adds a\ncheck to avoid the division by zero.\r\n\r\nThe stack trace below is for the 6.8.4 Kernel. I reproduced the issue on\na Z16 Gen 2 Lenovo Thinkpad with a Apple Studio Display monitor\nconnected via Thunderbolt. The amdgpu driver crashed with this exception\nwhen I rebooted the system with the monitor connected.\r\n\r\nkernel: ? die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434 arch/x86/kernel/dumpstack.c:447)\nkernel: ? do_trap (arch/x86/kernel/traps.c:113 arch/x86/kernel/traps.c:154)\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: ? do_error_trap (./arch/x86/include/asm/traps.h:58 arch/x86/kernel/traps.c:175)\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: ? exc_divide_error (arch/x86/kernel/traps.c:194 (discriminator 2))\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: ? asm_exc_divide_error (./arch/x86/include/asm/idtentry.h:548)\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: dc_dsc_compute_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1109) amdgpu\r\n\r\nAfter applying this patch, the driver no longer crashes when the monitor\nis connected and the system is rebooted. I believe this is the same\nissue reported for 3113.(CVE-2024-36969)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: sched: sch_multiq: fix possible OOB write in multiq_tune()\r\n\r\nq->bands will be assigned to qopt->bands to execute subsequent code logic\nafter kmalloc. So the old q->bands should not be used in kmalloc.\nOtherwise, an out-of-bounds write will occur.(CVE-2024-36978)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/hns: Fix UAF for cq async event\r\n\r\nThe refcount of CQ is not protected by locks. When CQ asynchronous\nevents and CQ destruction are concurrent, CQ may have been released,\nwhich will cause UAF.\r\n\r\nUse the xa_lock() to protect the CQ refcount.(CVE-2024-38545)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nftrace: Fix possible use-after-free issue in ftrace_location()\r\n\r\nKASAN reports a bug:\r\n\r\n  BUG: KASAN: use-after-free in ftrace_location+0x90/0x120\n  Read of size 8 at addr ffff888141d40010 by task insmod/424\n  CPU: 8 PID: 424 Comm: insmod Tainted: G        W          6.9.0-rc2+\n  [...]\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x68/0xa0\n   print_report+0xcf/0x610\n   kasan_report+0xb5/0xe0\n   ftrace_location+0x90/0x120\n   register_kprobe+0x14b/0xa40\n   kprobe_init+0x2d/0xff0 [kprobe_example]\n   do_one_initcall+0x8f/0x2d0\n   do_init_module+0x13a/0x3c0\n   load_module+0x3082/0x33d0\n   init_module_from_file+0xd2/0x130\n   __x64_sys_finit_module+0x306/0x440\n   do_syscall_64+0x68/0x140\n   entry_SYSCALL_64_after_hwframe+0x71/0x79\r\n\r\nThe root cause is that, in lookup_rec(), ftrace record of some address\nis being searched in ftrace pages of some module, but those ftrace pages\nat the same time is being freed in ftrace_release_mod() as the\ncorresponding module is being deleted:\r\n\r\n           CPU1                       |      CPU2\n  register_kprobes() {                | delete_module() {\n    check_kprobe_address_safe() {     |\n      arch_check_ftrace_location() {  |\n        ftrace_location() {           |\n          lookup_rec() // USE!        |   ftrace_release_mod() // Free!\r\n\r\nTo fix this issue:\n  1. Hold rcu lock as accessing ftrace pages in ftrace_location_range();\n  2. Use ftrace_location_range() instead of lookup_rec() in\n     ftrace_location();\n  3. Call synchronize_rcu() before freeing any ftrace pages both in\n     ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem().(CVE-2024-38588)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/hns: Fix deadlock on SRQ async events.\r\n\r\nxa_lock for SRQ table may be required in AEQ. Use xa_store_irq()/\nxa_erase_irq() to avoid deadlock.(CVE-2024-38591)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\naf_unix: Fix data races in unix_release_sock/unix_stream_sendmsg\r\n\r\nA data-race condition has been identified in af_unix. In one data path,\nthe write function unix_release_sock() atomically writes to\nsk->sk_shutdown using WRITE_ONCE. However, on the reader side,\nunix_stream_sendmsg() does not read it atomically. Consequently, this\nissue is causing the following KCSAN splat to occur:\r\n\r\n\tBUG: KCSAN: data-race in unix_release_sock / unix_stream_sendmsg\r\n\r\n\twrite (marked) to 0xffff88867256ddbb of 1 bytes by task 7270 on cpu 28:\n\tunix_release_sock (net/unix/af_unix.c:640)\n\tunix_release (net/unix/af_unix.c:1050)\n\tsock_close (net/socket.c:659 net/socket.c:1421)\n\t__fput (fs/file_table.c:422)\n\t__fput_sync (fs/file_table.c:508)\n\t__se_sys_close (fs/open.c:1559 fs/open.c:1541)\n\t__x64_sys_close (fs/open.c:1541)\n\tx64_sys_call (arch/x86/entry/syscall_64.c:33)\n\tdo_syscall_64 (arch/x86/entry/common.c:?)\n\tentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\r\n\r\n\tread to 0xffff88867256ddbb of 1 bytes by task 989 on cpu 14:\n\tunix_stream_sendmsg (net/unix/af_unix.c:2273)\n\t__sock_sendmsg (net/socket.c:730 net/socket.c:745)\n\t____sys_sendmsg (net/socket.c:2584)\n\t__sys_sendmmsg (net/socket.c:2638 net/socket.c:2724)\n\t__x64_sys_sendmmsg (net/socket.c:2753 net/socket.c:2750 net/socket.c:2750)\n\tx64_sys_call (arch/x86/entry/syscall_64.c:33)\n\tdo_syscall_64 (arch/x86/entry/common.c:?)\n\tentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\r\n\r\n\tvalue changed: 0x01 -> 0x03\r\n\r\nThe line numbers are related to commit dd5a440a31fa (\"Linux 6.9-rc7\").\r\n\r\nCommit e1d09c2c2f57 (\"af_unix: Fix data races around sk->sk_shutdown.\")\naddressed a comparable issue in the past regarding sk->sk_shutdown.\nHowever, it overlooked resolving this particular data path.\nThis patch only offending unix_stream_sendmsg() function, since the\nother reads seem to be protected by unix_state_lock() as discussed in(CVE-2024-38596)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nring-buffer: Fix a race between readers and resize checks\r\n\r\nThe reader code in rb_get_reader_page() swaps a new reader page into the\nring buffer by doing cmpxchg on old->list.prev->next to point it to the\nnew page. Following that, if the operation is successful,\nold->list.next->prev gets updated too. This means the underlying\ndoubly-linked list is temporarily inconsistent, page->prev->next or\npage->next->prev might not be equal back to page for some page in the\nring buffer.\r\n\r\nThe resize operation in ring_buffer_resize() can be invoked in parallel.\nIt calls rb_check_pages() which can detect the described inconsistency\nand stop further tracing:\r\n\r\n[  190.271762] ------------[ cut here ]------------\n[  190.271771] WARNING: CPU: 1 PID: 6186 at kernel/trace/ring_buffer.c:1467 rb_check_pages.isra.0+0x6a/0xa0\n[  190.271789] Modules linked in: [...]\n[  190.271991] Unloaded tainted modules: intel_uncore_frequency(E):1 skx_edac(E):1\n[  190.272002] CPU: 1 PID: 6186 Comm: cmd.sh Kdump: loaded Tainted: G            E      6.9.0-rc6-default #5 158d3e1e6d0b091c34c3b96bfd99a1c58306d79f\n[  190.272011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552c-rebuilt.opensuse.org 04/01/2014\n[  190.272015] RIP: 0010:rb_check_pages.isra.0+0x6a/0xa0\n[  190.272023] Code: [...]\n[  190.272028] RSP: 0018:ffff9c37463abb70 EFLAGS: 00010206\n[  190.272034] RAX: ffff8eba04b6cb80 RBX: 0000000000000007 RCX: ffff8eba01f13d80\n[  190.272038] RDX: ffff8eba01f130c0 RSI: ffff8eba04b6cd00 RDI: ffff8eba0004c700\n[  190.272042] RBP: ffff8eba0004c700 R08: 0000000000010002 R09: 0000000000000000\n[  190.272045] R10: 00000000ffff7f52 R11: ffff8eba7f600000 R12: ffff8eba0004c720\n[  190.272049] R13: ffff8eba00223a00 R14: 0000000000000008 R15: ffff8eba067a8000\n[  190.272053] FS:  00007f1bd64752c0(0000) GS:ffff8eba7f680000(0000) knlGS:0000000000000000\n[  190.272057] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  190.272061] CR2: 00007f1bd6662590 CR3: 000000010291e001 CR4: 0000000000370ef0\n[  190.272070] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  190.272073] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  190.272077] Call Trace:\n[  190.272098]  <TASK>\n[  190.272189]  ring_buffer_resize+0x2ab/0x460\n[  190.272199]  __tracing_resize_ring_buffer.part.0+0x23/0xa0\n[  190.272206]  tracing_resize_ring_buffer+0x65/0x90\n[  190.272216]  tracing_entries_write+0x74/0xc0\n[  190.272225]  vfs_write+0xf5/0x420\n[  190.272248]  ksys_write+0x67/0xe0\n[  190.272256]  do_syscall_64+0x82/0x170\n[  190.272363]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  190.272373] RIP: 0033:0x7f1bd657d263\n[  190.272381] Code: [...]\n[  190.272385] RSP: 002b:00007ffe72b643f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[  190.272391] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1bd657d263\n[  190.272395] RDX: 0000000000000002 RSI: 0000555a6eb538e0 RDI: 0000000000000001\n[  190.272398] RBP: 0000555a6eb538e0 R08: 000000000000000a R09: 0000000000000000\n[  190.272401] R10: 0000555a6eb55190 R11: 0000000000000246 R12: 00007f1bd6662500\n[  190.272404] R13: 0000000000000002 R14: 00007f1bd6667c00 R15: 0000000000000002\n[  190.272412]  </TASK>\n[  190.272414] ---[ end trace 0000000000000000 ]---\r\n\r\nNote that ring_buffer_resize() calls rb_check_pages() only if the parent\ntrace_buffer has recording disabled. Recent commit d78ab792705c\n(\"tracing: Stop current tracer when resizing buffer\") causes that it is\nnow always the case which makes it more likely to experience this issue.\r\n\r\nThe window to hit this race is nonetheless very small. To help\nreproducing it, one can add a delay loop in rb_get_reader_page():\r\n\r\n ret = rb_head_page_replace(reader, cpu_buffer->reader_page);\n if (!ret)\n \tgoto spin;\n for (unsigned i = 0; i < 1U << 26; i++)  /* inserted delay loop */\n \t__asm__ __volatile__ (\"\" : : : \"memory\");\n rb_list_head(reader->list.next)->prev = &cpu_buffer->reader_page->list;\r\n\r\n.. \n---truncated---(CVE-2024-38601)",
+    "cves": [
+      {
+        "id": "CVE-2024-38601",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38601",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1597": {
+    "id": "openEuler-SA-2022-1597",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1597",
+    "title": "An update for grub2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Low",
+    "description": "GNU GRUB is a Multiboot boot loader. It was derived from GRUB, the GRand Unified Bootloader, which was originally designed and implemented by Erich Stefan Boleyn.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw in grub2 was found where its configuration file, known as grub.cfg, is being created with the wrong permission set allowing non privileged users to read its content. This represents a low severity confidentiality issue, as those users can eventually read any encrypted passwords present in grub.cfg. This flaw affects grub2 2.06 and previous versions. This issue has been fixed in grub upstream but no version with the fix is currently released.(CVE-2021-3981)",
+    "cves": [
+      {
+        "id": "CVE-2021-3981",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3981",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1487": {
+    "id": "openEuler-SA-2022-1487",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1487",
+    "title": "An update for ghostscript is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Ghostscript is an interpreter for PostScript and Portable Document Format (PDF) files. Ghostscript consists of a PostScript interpreter layer, and a graphics library.\r\n\r\nSecurity Fix(es):\r\n\r\nGhostscript GhostPDL 9.50 through 9.54.0 has a heap-based buffer overflow in sampled_data_finish (called from sampled_data_continue and interp).(CVE-2021-45949)\r\n\r\nGhostscript GhostPDL 9.50 through 9.53.3 has a use-after-free in sampled_data_sample (called from sampled_data_continue and interp).(CVE-2021-45944)",
+    "cves": [
+      {
+        "id": "CVE-2021-45944",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45944",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1055": {
+    "id": "openEuler-SA-2021-1055",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1055",
+    "title": "An update for librepo is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "A library providing C and Python (libcURL like) API to downloading repository metadata.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in librepo in versions before 1.12.1. A directory traversal vulnerability was found where it failed to sanitize paths in remote repository metadata. An attacker controlling a remote repository may be able to copy files outside of the destination directory on the targeted system via path traversal. This flaw could potentially result in system compromise via the overwriting of critical system files. The highest threat from this flaw is to users that make use of untrusted third-party repositories.(CVE-2020-14352)",
+    "cves": [
+      {
+        "id": "CVE-2020-14352",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14352",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1532": {
+    "id": "openEuler-SA-2024-1532",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1532",
+    "title": "An update for fdupes is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "FDUPES is a program for identifying duplicate files residing within specified directories.\r\n\r\nSecurity Fix(es):\r\n\r\nIn deletefiles in FDUPES before 2.2.0, a TOCTOU race condition allows arbitrary file deletion via a symlink.(CVE-2022-48682)",
+    "cves": [
+      {
+        "id": "CVE-2022-48682",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48682",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1652": {
+    "id": "openEuler-SA-2023-1652",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1652",
+    "title": "An update for wireshark is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Wireshark is an open source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer.\r\n\r\nSecurity Fix(es):\r\n\r\nDue to a failure in validating the length provided by an attacker-crafted CP2179 packet, Wireshark versions 2.0.0 through 4.0.7 is susceptible to a divide by zero allowing for a denial of service attack.\n(CVE-2023-2906)\r\n\r\niSCSI dissector crash in Wireshark 4.0.0 to 4.0.6 allows denial of service via packet injection or crafted capture file(CVE-2023-3649)\r\n\r\nBT SDP dissector infinite loop in Wireshark 4.0.0 to 4.0.7 and 3.6.0 to 3.6.15 allows denial of service via packet injection or crafted capture file(CVE-2023-4511)\r\n\r\nBT SDP dissector memory leak in Wireshark 4.0.0 to 4.0.7 and 3.6.0 to 3.6.15 allows denial of service via packet injection or crafted capture file(CVE-2023-4513)",
+    "cves": [
+      {
+        "id": "CVE-2023-4513",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4513",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1459": {
+    "id": "openEuler-SA-2024-1459",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1459",
+    "title": "An update for libdwarf is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Libdwarf is a library of functions to provide read/write DWARF debugging records.\r\n\r\nSecurity Fix(es):\r\n\r\nA double-free vulnerability was found in libdwarf. In a multiply-corrupted DWARF object, libdwarf may try to dealloc(free) an allocation twice, potentially causing unpredictable and various results.(CVE-2024-2002)",
+    "cves": [
+      {
+        "id": "CVE-2024-2002",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2002",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1448": {
+    "id": "openEuler-SA-2021-1448",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1448",
+    "title": "An update for mysql is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "MySQL client programs and shared libraries.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35645)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35643)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).(CVE-2021-35640)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35644)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35647)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35641)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35646)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35642)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: FTS). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35648)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35575)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35622)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via MySQL Protcol to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35577)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2021-35621)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: PS). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35637)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35636)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Data Dictionary). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35632)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35639)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35628)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35634)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35635)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Options). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data. CVSS 3.1 Base Score 4.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N).(CVE-2021-35630)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35638)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Logging). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).(CVE-2021-35633)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: GIS). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35631)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 1.8 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L).(CVE-2021-35618)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Roles). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).(CVE-2021-35623)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Error Handling). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35596)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2481)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Options). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2021-35602)\r\n\r\nVulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H).(CVE-2021-2471)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35591)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).(CVE-2021-35625)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.35 and prior and 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2021-35604)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35607)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 5.7.35 and prior and 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data. CVSS 3.1 Base Score 4.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N).(CVE-2021-35624)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35626)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2479)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2478)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35608)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35627)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).(CVE-2021-35610)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35546)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2021-35612)\r\n\r\nVulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35597)",
+    "cves": [
+      {
+        "id": "CVE-2021-35597",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35597",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2105": {
+    "id": "openEuler-SA-2022-2105",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2105",
+    "title": "An update for xfce4-settings is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "This package includes the settings manager applications for the Xfce desktop.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Xfce xfce4-settings before 4.16.4 and 4.17.x before 4.17.1, there is an argument injection vulnerability in xfce4-mime-helper.(CVE-2022-45062)",
+    "cves": [
+      {
+        "id": "CVE-2022-45062",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45062",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1576": {
+    "id": "openEuler-SA-2023-1576",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1576",
+    "title": "An update for postgresql is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "PostgreSQL is an advanced Object-Relational database management system (DBMS) that supports almost all SQL constructs (including transactions, subselects and user-defined types and functions). The postgresql package includes the client programs and libraries that you'll need to access a PostgreSQL DBMS server.\r\n\r\nSecurity Fix(es):\r\n\r\nIN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or \"\"). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.(CVE-2023-39417)",
+    "cves": [
+      {
+        "id": "CVE-2023-39417",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39417",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1489": {
+    "id": "openEuler-SA-2023-1489",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1489",
+    "title": "An update for qt5-qtbase is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Qt is a software toolkit for developing applications.\n\r\n\r\nSecurity Fix(es):\r\n\r\nQt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.(CVE-2023-24607)\r\n\r\nAn issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.(CVE-2023-32762)\r\n\r\nAn issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.(CVE-2023-32763)",
+    "cves": [
+      {
+        "id": "CVE-2023-32763",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1471": {
+    "id": "openEuler-SA-2021-1471",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1471",
+    "title": "An update for lapack is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The LAPACK libraries for numerical linear algebra.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0, as also used in OpenBLAS before version 0.3.18. Specially crafted inputs passed to these functions could cause an application using lapack to crash or possibly disclose portions of its memory.(CVE-2021-4048)",
+    "cves": [
+      {
+        "id": "CVE-2021-4048",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4048",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1613": {
+    "id": "openEuler-SA-2023-1613",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1613",
+    "title": "An update for poppler is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Poppler is a free software utility library for rendering Portable Document Format (PDF) documents. \\ Its development is supported by freedesktop.org. It is commonly used on Linux systems,and is used by \\ the PDF viewers of the open source GNOME and KDE desktop environments.\r\n\r\nSecurity Fix(es):\r\n\r\nUncontrolled Recursion in pdfinfo, and pdftops in poppler 0.89.0 allows remote attackers to cause a denial of service via crafted input.(CVE-2020-23804)\r\n\r\nIn Poppler 22.07.0, PDFDoc::savePageAs in PDFDoc.c callows attackers to cause a denial-of-service (application crashes with SIGABRT) by crafting a PDF file in which the xref data structure is mishandled in getCatalog processing. Note that this vulnerability is caused by the incomplete patch of CVE-2018-20662.(CVE-2022-37050)\r\n\r\nAn issue was discovered in Poppler 22.07.0. There is a reachable abort which leads to denial of service because the main function in pdfunite.cc lacks a stream check before saving an embedded file.(CVE-2022-37051)\r\n\r\nA reachable Object::getString assertion in Poppler 22.07.0 allows attackers to cause a denial of service due to a failure in markObject.(CVE-2022-37052)\r\n\r\nAn issue was discovered in Poppler 22.08.0. There is a reachable assertion in Object.h, will lead to denial of service because PDFDoc::replacePageDict in PDFDoc.cc lacks a stream check before saving an embedded file.(CVE-2022-38349)",
+    "cves": [
+      {
+        "id": "CVE-2022-38349",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38349",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1610": {
+    "id": "openEuler-SA-2024-1610",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1610",
+    "title": "An update for ruby is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Low",
+    "description": "Ruby is a fast and easy interpreted scripting language for object-oriented programming. It has many functions for processing text Files and perform system management tasks (such as Perl).\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1.(CVE-2024-27282)",
+    "cves": [
+      {
+        "id": "CVE-2024-27282",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27282",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1785": {
+    "id": "openEuler-SA-2023-1785",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1785",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. A wrong exit condition may lead to an infinite loop when inflating an attacker controlled zlib buffer in the `inflate_buffer` function. This could allow a remote authenticated client who is able to send a clipboard to the VNC server to trigger a denial of service.(CVE-2023-3255)",
+    "cves": [
+      {
+        "id": "CVE-2023-3255",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3255",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1094": {
+    "id": "openEuler-SA-2024-1094",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1094",
+    "title": "An update for gnutls is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, and other required structures. The project strives to provide a secure communications back-end, simple to use and integrated with the rest of the base Linux libraries. A back-end designed to work and be secure out of the box, keeping the complexity of TLS and PKI out of application code.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.(CVE-2024-0553)\r\n\r\nA vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.(CVE-2024-0567)",
+    "cves": [
+      {
+        "id": "CVE-2024-0567",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0567",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1768": {
+    "id": "openEuler-SA-2024-1768",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1768",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nASoC: SOF: Fix DSP oops stack dump output contents\r\n\r\nFix @buf arg given to hex_dump_to_buffer() and stack address used\nin dump error output.(CVE-2021-47381)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: iscsi: Fix iscsi_task use after free\r\n\r\nCommit d39df158518c (\"scsi: iscsi: Have abort handler get ref to conn\")\nadded iscsi_get_conn()/iscsi_put_conn() calls during abort handling but\nthen also changed the handling of the case where we detect an already\ncompleted task where we now end up doing a goto to the common put/cleanup\ncode. This results in a iscsi_task use after free, because the common\ncleanup code will do a put on the iscsi_task.\r\n\r\nThis reverts the goto and moves the iscsi_get_conn() to after we've checked\nif the iscsi_task is valid.(CVE-2021-47427)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nspi: Fix deadlock when adding SPI controllers on SPI buses\r\n\r\nCurrently we have a global spi_add_lock which we take when adding new\ndevices so that we can check that we're not trying to reuse a chip\nselect that's already controlled.  This means that if the SPI device is\nitself a SPI controller and triggers the instantiation of further SPI\ndevices we trigger a deadlock as we try to register and instantiate\nthose devices while in the process of doing so for the parent controller\nand hence already holding the global spi_add_lock.  Since we only care\nabout concurrency within a single SPI bus move the lock to be per\ncontroller, avoiding the deadlock.\r\n\r\nThis can be easily triggered in the case of spi-mux.(CVE-2021-47469)\r\n\r\n(CVE-2023-39180)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/powernv: Add a null pointer check in opal_powercap_init()\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.(CVE-2023-52696)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni2c: core: Run atomic i2c xfer when !preemptible\r\n\r\nSince bae1d3a05a8b, i2c transfers are non-atomic if preemption is\ndisabled. However, non-atomic i2c transfers require preemption (e.g. in\nwait_for_completion() while waiting for the DMA).\r\n\r\npanic() calls preempt_disable_notrace() before calling\nemergency_restart(). Therefore, if an i2c device is used for the\nrestart, the xfer should be atomic. This avoids warnings like:\r\n\r\n[   12.667612] WARNING: CPU: 1 PID: 1 at kernel/rcu/tree_plugin.h:318 rcu_note_context_switch+0x33c/0x6b0\n[   12.676926] Voluntary context switch within RCU read-side critical section!\n...\n[   12.742376]  schedule_timeout from wait_for_completion_timeout+0x90/0x114\n[   12.749179]  wait_for_completion_timeout from tegra_i2c_wait_completion+0x40/0x70\n...\n[   12.994527]  atomic_notifier_call_chain from machine_restart+0x34/0x58\n[   13.001050]  machine_restart from panic+0x2a8/0x32c\r\n\r\nUse !preemptible() instead, which is basically the same check as\npre-v5.2.(CVE-2023-52791)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhid: cp2112: Fix duplicate workqueue initialization\r\n\r\nPreviously the cp2112 driver called INIT_DELAYED_WORK within\ncp2112_gpio_irq_startup, resulting in duplicate initilizations of the\nworkqueue on subsequent IRQ startups following an initial request. This\nresulted in a warning in set_work_data in workqueue.c, as well as a rare\nNULL dereference within process_one_work in workqueue.c.\r\n\r\nInitialize the workqueue within _probe instead.(CVE-2023-52853)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: fix UAF issue in ksmbd_tcp_new_connection()\r\n\r\nThe race is between the handling of a new TCP connection and\nits disconnection. It leads to UAF on `struct tcp_transport` in\nksmbd_tcp_new_connection() function.(CVE-2024-26592)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/ipv6: avoid possible UAF in ip6_route_mpath_notify()\r\n\r\nsyzbot found another use-after-free in ip6_route_mpath_notify() [1]\r\n\r\nCommit f7225172f25a (\"net/ipv6: prevent use after free in\nip6_route_mpath_notify\") was not able to fix the root cause.\r\n\r\nWe need to defer the fib6_info_release() calls after\nip6_route_mpath_notify(), in the cleanup phase.\r\n\r\n[1]\nBUG: KASAN: slab-use-after-free in rt6_fill_node+0x1460/0x1ac0\nRead of size 4 at addr ffff88809a07fc64 by task syz-executor.2/23037\r\n\r\nCPU: 0 PID: 23037 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-01035-gea7f3cfaa588 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x167/0x540 mm/kasan/report.c:488\n  kasan_report+0x142/0x180 mm/kasan/report.c:601\n rt6_fill_node+0x1460/0x1ac0\n  inet6_rt_notify+0x13b/0x290 net/ipv6/route.c:6184\n  ip6_route_mpath_notify net/ipv6/route.c:5198 [inline]\n  ip6_route_multipath_add net/ipv6/route.c:5404 [inline]\n  inet6_rtm_newroute+0x1d0f/0x2300 net/ipv6/route.c:5517\n  rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597\n  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n  netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n  netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n  netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x221/0x270 net/socket.c:745\n  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n  ___sys_sendmsg net/socket.c:2638 [inline]\n  __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\nRIP: 0033:0x7f73dd87dda9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f73de6550c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f73dd9ac050 RCX: 00007f73dd87dda9\nRDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005\nRBP: 00007f73dd8ca47a R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000006e R14: 00007f73dd9ac050 R15: 00007ffdbdeb7858\n </TASK>\r\n\r\nAllocated by task 23037:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  poison_kmalloc_redzone mm/kasan/common.c:372 [inline]\n  __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:389\n  kasan_kmalloc include/linux/kasan.h:211 [inline]\n  __do_kmalloc_node mm/slub.c:3981 [inline]\n  __kmalloc+0x22e/0x490 mm/slub.c:3994\n  kmalloc include/linux/slab.h:594 [inline]\n  kzalloc include/linux/slab.h:711 [inline]\n  fib6_info_alloc+0x2e/0xf0 net/ipv6/ip6_fib.c:155\n  ip6_route_info_create+0x445/0x12b0 net/ipv6/route.c:3758\n  ip6_route_multipath_add net/ipv6/route.c:5298 [inline]\n  inet6_rtm_newroute+0x744/0x2300 net/ipv6/route.c:5517\n  rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597\n  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n  netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n  netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n  netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x221/0x270 net/socket.c:745\n  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n  ___sys_sendmsg net/socket.c:2638 [inline]\n  __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\r\n\r\nFreed by task 16:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  kasan_save_free_info+0x4e/0x60 mm/kasan/generic.c:640\n  poison_slab_object+0xa6/0xe0 m\n---truncated---(CVE-2024-26852)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ninet: inet_defrag: prevent sk release while still in use\r\n\r\nip_local_out() and other functions can pass skb->sk as function argument.\r\n\r\nIf the skb is a fragment and reassembly happens before such function call\nreturns, the sk must not be released.\r\n\r\nThis affects skb fragments reassembled via netfilter or similar\nmodules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline.\r\n\r\nEric Dumazet made an initial analysis of this bug.  Quoting Eric:\n  Calling ip_defrag() in output path is also implying skb_orphan(),\n  which is buggy because output path relies on sk not disappearing.\r\n\r\n  A relevant old patch about the issue was :\n  8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\")\r\n\r\n  [..]\r\n\r\n  net/ipv4/ip_output.c depends on skb->sk being set, and probably to an\n  inet socket, not an arbitrary one.\r\n\r\n  If we orphan the packet in ipvlan, then downstream things like FQ\n  packet scheduler will not work properly.\r\n\r\n  We need to change ip_defrag() to only use skb_orphan() when really\n  needed, ie whenever frag_list is going to be used.\r\n\r\nEric suggested to stash sk in fragment queue and made an initial patch.\nHowever there is a problem with this:\r\n\r\nIf skb is refragmented again right after, ip_do_fragment() will copy\nhead->sk to the new fragments, and sets up destructor to sock_wfree.\nIOW, we have no choice but to fix up sk_wmem accouting to reflect the\nfully reassembled skb, else wmem will underflow.\r\n\r\nThis change moves the orphan down into the core, to last possible moment.\nAs ip_defrag_offset is aliased with sk_buff->sk member, we must move the\noffset into the FRAG_CB, else skb->sk gets clobbered.\r\n\r\nThis allows to delay the orphaning long enough to learn if the skb has\nto be queued or if the skb is completing the reasm queue.\r\n\r\nIn the former case, things work as before, skb is orphaned.  This is\nsafe because skb gets queued/stolen and won't continue past reasm engine.\r\n\r\nIn the latter case, we will steal the skb->sk reference, reattach it to\nthe head skb, and fix up wmem accouting when inet_frag inflates truesize.(CVE-2024-26921)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: core: Fix unremoved procfs host directory regression\r\n\r\nCommit fc663711b944 (\"scsi: core: Remove the /proc/scsi/${proc_name}\ndirectory earlier\") fixed a bug related to modules loading/unloading, by\nadding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led\nto a potential duplicate call to the hostdir_rm() routine, since it's also\ncalled from scsi_host_dev_release(). That triggered a regression report,\nwhich was then fixed by commit be03df3d4bfe (\"scsi: core: Fix a procfs host\ndirectory removal regression\"). The fix just dropped the hostdir_rm() call\nfrom dev_release().\r\n\r\nBut it happens that this proc directory is created on scsi_host_alloc(),\nand that function \"pairs\" with scsi_host_dev_release(), while\nscsi_remove_host() pairs with scsi_add_host(). In other words, it seems the\nreason for removing the proc directory on dev_release() was meant to cover\ncases in which a SCSI host structure was allocated, but the call to\nscsi_add_host() didn't happen. And that pattern happens to exist in some\nerror paths, for example.\r\n\r\nSyzkaller causes that by using USB raw gadget device, error'ing on\nusb-storage driver, at usb_stor_probe2(). By checking that path, we can see\nthat the BadDevice label leads to a scsi_host_put() after a SCSI host\nallocation, but there's no call to scsi_add_host() in such path. That leads\nto messages like this in dmesg (and a leak of the SCSI host proc\nstructure):\r\n\r\nusb-storage 4-1:87.51: USB Mass Storage device detected\nproc_dir_entry 'scsi/usb-storage' already registered\nWARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376\r\n\r\nThe proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(),\nbut guard that with the state check for SHOST_CREATED; there is even a\ncomment in scsi_host_dev_release() detailing that: such conditional is\nmeant for cases where the SCSI host was allocated but there was no calls to\n{add,remove}_host(), like the usb-storage case.\r\n\r\nThis is what we propose here and with that, the error path of usb-storage\ndoes not trigger the warning anymore.(CVE-2024-26935)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ninit/main.c: Fix potential static_command_line memory overflow\r\n\r\nWe allocate memory of size 'xlen + strlen(boot_command_line) + 1' for\nstatic_command_line, but the strings copied into static_command_line are\nextra_command_line and command_line, rather than extra_command_line and\nboot_command_line.\r\n\r\nWhen strlen(command_line) > strlen(boot_command_line), static_command_line\nwill overflow.\r\n\r\nThis patch just recovers strlen(command_line) which was miss-consolidated\nwith strlen(boot_command_line) in the commit f5c7310ac73e (\"init/main: add\nchecks for the return value of memblock_alloc*()\")(CVE-2024-26988)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: fix to avoid potential panic during recovery\r\n\r\nDuring recovery, if FAULT_BLOCK is on, it is possible that\nf2fs_reserve_new_block() will return -ENOSPC during recovery,\nthen it may trigger panic.\r\n\r\nAlso, if fault injection rate is 1 and only FAULT_BLOCK fault\ntype is on, it may encounter deadloop in loop of block reservation.\r\n\r\nLet's change as below to fix these issues:\n- remove bug_on() to avoid panic.\n- limit the loop count of block reservation to avoid potential\ndeadloop.(CVE-2024-27032)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: Fix clk_core_get NULL dereference\r\n\r\nIt is possible for clk_core_get to dereference a NULL in the following\nsequence:\r\n\r\nclk_core_get()\n    of_clk_get_hw_from_clkspec()\n        __of_clk_get_hw_from_provider()\n            __clk_get_hw()\r\n\r\n__clk_get_hw() can return NULL which is dereferenced by clk_core_get() at\nhw->core.\r\n\r\nPrior to commit dde4eff47c82 (\"clk: Look for parents with clkdev based\nclk_lookups\") the check IS_ERR_OR_NULL() was performed which would have\ncaught the NULL.\r\n\r\nReading the description of this function it talks about returning NULL but\nthat cannot be so at the moment.\r\n\r\nUpdate the function to check for hw before dereferencing it and return NULL\nif hw is NULL.(CVE-2024-27038)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: phy: fix phy_get_internal_delay accessing an empty array\r\n\r\nThe phy_get_internal_delay function could try to access to an empty\narray in the case that the driver is calling phy_get_internal_delay\nwithout defining delay_values and rx-internal-delay-ps or\ntx-internal-delay-ps is defined to 0 in the device-tree.\nThis will lead to \"unable to handle kernel NULL pointer dereference at\nvirtual address 0\". To avoid this kernel oops, the test should be delay\n>= 0. As there is already delay < 0 test just before, the test could\nonly be size == 0.(CVE-2024-27047)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work\r\n\r\nThe workqueue might still be running, when the driver is stopped. To\navoid a use-after-free, call cancel_work_sync() in rtl8xxxu_stop().(CVE-2024-27052)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: wilc1000: fix RCU usage in connect path\r\n\r\nWith lockdep enabled, calls to the connect function from cfg802.11 layer\nlead to the following warning:\r\n\r\n=============================\nWARNING: suspicious RCU usage\n6.7.0-rc1-wt+ #333 Not tainted\n-----------------------------\ndrivers/net/wireless/microchip/wilc1000/hif.c:386\nsuspicious rcu_dereference_check() usage!\n[...]\nstack backtrace:\nCPU: 0 PID: 100 Comm: wpa_supplicant Not tainted 6.7.0-rc1-wt+ #333\nHardware name: Atmel SAMA5\n unwind_backtrace from show_stack+0x18/0x1c\n show_stack from dump_stack_lvl+0x34/0x48\n dump_stack_lvl from wilc_parse_join_bss_param+0x7dc/0x7f4\n wilc_parse_join_bss_param from connect+0x2c4/0x648\n connect from cfg80211_connect+0x30c/0xb74\n cfg80211_connect from nl80211_connect+0x860/0xa94\n nl80211_connect from genl_rcv_msg+0x3fc/0x59c\n genl_rcv_msg from netlink_rcv_skb+0xd0/0x1f8\n netlink_rcv_skb from genl_rcv+0x2c/0x3c\n genl_rcv from netlink_unicast+0x3b0/0x550\n netlink_unicast from netlink_sendmsg+0x368/0x688\n netlink_sendmsg from ____sys_sendmsg+0x190/0x430\n ____sys_sendmsg from ___sys_sendmsg+0x110/0x158\n ___sys_sendmsg from sys_sendmsg+0xe8/0x150\n sys_sendmsg from ret_fast_syscall+0x0/0x1c\r\n\r\nThis warning is emitted because in the connect path, when trying to parse\ntarget BSS parameters, we dereference a RCU pointer whithout being in RCU\ncritical section.\nFix RCU dereference usage by moving it to a RCU read critical section. To\navoid wrapping the whole wilc_parse_join_bss_param under the critical\nsection, just use the critical section to copy ies data(CVE-2024-27053)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: fix potential \"struct net\" leak in inet6_rtm_getaddr()\r\n\r\nIt seems that if userspace provides a correct IFA_TARGET_NETNSID value\nbut no IFA_ADDRESS and IFA_LOCAL attributes, inet6_rtm_getaddr()\nreturns -EINVAL with an elevated \"struct net\" refcount.(CVE-2024-27417)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngenirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline\r\n\r\nThe absence of IRQD_MOVE_PCNTXT prevents immediate effectiveness of\ninterrupt affinity reconfiguration via procfs. Instead, the change is\ndeferred until the next instance of the interrupt being triggered on the\noriginal CPU.\r\n\r\nWhen the interrupt next triggers on the original CPU, the new affinity is\nenforced within __irq_move_irq(). A vector is allocated from the new CPU,\nbut the old vector on the original CPU remains and is not immediately\nreclaimed. Instead, apicd->move_in_progress is flagged, and the reclaiming\nprocess is delayed until the next trigger of the interrupt on the new CPU.\r\n\r\nUpon the subsequent triggering of the interrupt on the new CPU,\nirq_complete_move() adds a task to the old CPU's vector_cleanup list if it\nremains online. Subsequently, the timer on the old CPU iterates over its\nvector_cleanup list, reclaiming old vectors.\r\n\r\nHowever, a rare scenario arises if the old CPU is outgoing before the\ninterrupt triggers again on the new CPU.\r\n\r\nIn that case irq_force_complete_move() is not invoked on the outgoing CPU\nto reclaim the old apicd->prev_vector because the interrupt isn't currently\naffine to the outgoing CPU, and irq_needs_fixup() returns false. Even\nthough __vector_schedule_cleanup() is later called on the new CPU, it\ndoesn't reclaim apicd->prev_vector; instead, it simply resets both\napicd->move_in_progress and apicd->prev_vector to 0.\r\n\r\nAs a result, the vector remains unreclaimed in vector_matrix, leading to a\nCPU vector leak.\r\n\r\nTo address this issue, move the invocation of irq_force_complete_move()\nbefore the irq_needs_fixup() call to reclaim apicd->prev_vector, if the\ninterrupt is currently or used to be affine to the outgoing CPU.\r\n\r\nAdditionally, reclaim the vector in __vector_schedule_cleanup() as well,\nfollowing a warning message, although theoretically it should never see\napicd->move_in_progress with apicd->prev_cpu pointing to an offline CPU.(CVE-2024-31076)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach\r\n\r\nThis is the candidate patch of CVE-2023-47233 :\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-47233\r\n\r\nIn brcm80211 driver,it starts with the following invoking chain\nto start init a timeout worker:\r\n\r\n->brcmf_usb_probe\n  ->brcmf_usb_probe_cb\n    ->brcmf_attach\n      ->brcmf_bus_started\n        ->brcmf_cfg80211_attach\n          ->wl_init_priv\n            ->brcmf_init_escan\n              ->INIT_WORK(&cfg->escan_timeout_work,\n\t\t  brcmf_cfg80211_escan_timeout_worker);\r\n\r\nIf we disconnect the USB by hotplug, it will call\nbrcmf_usb_disconnect to make cleanup. The invoking chain is :\r\n\r\nbrcmf_usb_disconnect\n  ->brcmf_usb_disconnect_cb\n    ->brcmf_detach\n      ->brcmf_cfg80211_detach\n        ->kfree(cfg);\r\n\r\nWhile the timeout woker may still be running. This will cause\na use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.\r\n\r\nFix it by deleting the timer and canceling the worker in\nbrcmf_cfg80211_detach.\r\n\r\n[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free](CVE-2024-35811)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: amdgpu_ttm_gart_bind set gtt bound flag\r\n\r\nOtherwise after the GTT bo is released, the GTT and gart space is freed\nbut amdgpu_ttm_backend_unbind will not clear the gart page table entry\nand leave valid mapping entry pointing to the stale system page. Then\nif GPU access the gart address mistakely, it will read undefined value\ninstead page fault, harder to debug and reproduce the real issue.(CVE-2024-35817)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: tc358743: register v4l2 async device only after successful setup\r\n\r\nEnsure the device has been setup correctly before registering the v4l2\nasync device, thus allowing userspace to access.(CVE-2024-35830)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndyndbg: fix old BUG_ON in >control parser\r\n\r\nFix a BUG_ON from 2009.  Even if it looks \"unreachable\" (I didn't\nreally look), lets make sure by removing it, doing pr_err and return\n-EINVAL instead.(CVE-2024-35947)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Fix division by zero in setup_dsc_config\r\n\r\nWhen slice_height is 0, the division by slice_height in the calculation\nof the number of slices will cause a division by zero driver crash. This\nleaves the kernel in a state that requires a reboot. This patch adds a\ncheck to avoid the division by zero.\r\n\r\nThe stack trace below is for the 6.8.4 Kernel. I reproduced the issue on\na Z16 Gen 2 Lenovo Thinkpad with a Apple Studio Display monitor\nconnected via Thunderbolt. The amdgpu driver crashed with this exception\nwhen I rebooted the system with the monitor connected.\r\n\r\nkernel: ? die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434 arch/x86/kernel/dumpstack.c:447)\nkernel: ? do_trap (arch/x86/kernel/traps.c:113 arch/x86/kernel/traps.c:154)\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: ? do_error_trap (./arch/x86/include/asm/traps.h:58 arch/x86/kernel/traps.c:175)\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: ? exc_divide_error (arch/x86/kernel/traps.c:194 (discriminator 2))\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: ? asm_exc_divide_error (./arch/x86/include/asm/idtentry.h:548)\nkernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu\nkernel: dc_dsc_compute_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1109) amdgpu\r\n\r\nAfter applying this patch, the driver no longer crashes when the monitor\nis connected and the system is rebooted. I believe this is the same\nissue reported for 3113.(CVE-2024-36969)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: sched: sch_multiq: fix possible OOB write in multiq_tune()\r\n\r\nq->bands will be assigned to qopt->bands to execute subsequent code logic\nafter kmalloc. So the old q->bands should not be used in kmalloc.\nOtherwise, an out-of-bounds write will occur.(CVE-2024-36978)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: bridge: xmit: make sure we have at least eth header len bytes\r\n\r\nsyzbot triggered an uninit value[1] error in bridge device's xmit path\nby sending a short (less than ETH_HLEN bytes) skb. To fix it check if\nwe can actually pull that amount instead of assuming.\r\n\r\nTested with dropwatch:\n drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3)\n origin: software\n timestamp: Mon May 13 11:31:53 2024 778214037 nsec\n protocol: 0x88a8\n length: 2\n original length: 2\n drop reason: PKT_TOO_SMALL\r\n\r\n[1]\nBUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65\n br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65\n __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n xmit_one net/core/dev.c:3531 [inline]\n dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\n __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n __bpf_tx_skb net/core/filter.c:2136 [inline]\n __bpf_redirect_common net/core/filter.c:2180 [inline]\n __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187\n ____bpf_clone_redirect net/core/filter.c:2460 [inline]\n bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432\n ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997\n __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238\n bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]\n __bpf_prog_run include/linux/filter.h:657 [inline]\n bpf_prog_run include/linux/filter.h:664 [inline]\n bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425\n bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058\n bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269\n __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678\n __do_sys_bpf kernel/bpf/syscall.c:5767 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5765 [inline]\n __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765\n x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f(CVE-2024-38538)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/hns: Fix UAF for cq async event\r\n\r\nThe refcount of CQ is not protected by locks. When CQ asynchronous\nevents and CQ destruction are concurrent, CQ may have been released,\nwhich will cause UAF.\r\n\r\nUse the xa_lock() to protect the CQ refcount.(CVE-2024-38545)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/mediatek: Add 0 size check to mtk_drm_gem_obj\r\n\r\nAdd a check to mtk_drm_gem_init if we attempt to allocate a GEM object\nof 0 bytes. Currently, no such check exists and the kernel will panic if\na userspace application attempts to allocate a 0x0 GBM buffer.\r\n\r\nTested by attempting to allocate a 0x0 GBM buffer on an MT8188 and\nverifying that we now return EINVAL.(CVE-2024-38549)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5: Discard command completions in internal error\r\n\r\nFix use after free when FW completion arrives while device is in\ninternal error state. Avoid calling completion handler in this case,\nsince the device will flush the command interface and trigger all\ncompletions manually.\r\n\r\nKernel log:\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\n...\nRIP: 0010:refcount_warn_saturate+0xd8/0xe0\n...\nCall Trace:\n<IRQ>\n? __warn+0x79/0x120\n? refcount_warn_saturate+0xd8/0xe0\n? report_bug+0x17c/0x190\n? handle_bug+0x3c/0x60\n? exc_invalid_op+0x14/0x70\n? asm_exc_invalid_op+0x16/0x20\n? refcount_warn_saturate+0xd8/0xe0\ncmd_ent_put+0x13b/0x160 [mlx5_core]\nmlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core]\ncmd_comp_notifier+0x1f/0x30 [mlx5_core]\nnotifier_call_chain+0x35/0xb0\natomic_notifier_call_chain+0x16/0x20\nmlx5_eq_async_int+0xf6/0x290 [mlx5_core]\nnotifier_call_chain+0x35/0xb0\natomic_notifier_call_chain+0x16/0x20\nirq_int_handler+0x19/0x30 [mlx5_core]\n__handle_irq_event_percpu+0x4b/0x160\nhandle_irq_event+0x2e/0x80\nhandle_edge_irq+0x98/0x230\n__common_interrupt+0x3b/0xa0\ncommon_interrupt+0x7b/0xa0\n</IRQ>\n<TASK>\nasm_common_interrupt+0x22/0x40(CVE-2024-38555)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrivers/perf: hisi_pcie: Fix out-of-bound access when valid event group\r\n\r\nThe perf tool allows users to create event groups through following\ncmd [1], but the driver does not check whether the array index is out of\nbounds when writing data to the event_group array. If the number of events\nin an event_group is greater than HISI_PCIE_MAX_COUNTERS, the memory write\noverflow of event_group array occurs.\r\n\r\nAdd array index check to fix the possible array out of bounds violation,\nand return directly when write new events are written to array bounds.\r\n\r\nThere are 9 different events in an event_group.\n[1] perf stat -e '{pmu/event1/, ... ,pmu/event9/}'(CVE-2024-38569)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/hns: Fix deadlock on SRQ async events.\r\n\r\nxa_lock for SRQ table may be required in AEQ. Use xa_store_irq()/\nxa_erase_irq() to avoid deadlock.(CVE-2024-38591)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nring-buffer: Fix a race between readers and resize checks\r\n\r\nThe reader code in rb_get_reader_page() swaps a new reader page into the\nring buffer by doing cmpxchg on old->list.prev->next to point it to the\nnew page. Following that, if the operation is successful,\nold->list.next->prev gets updated too. This means the underlying\ndoubly-linked list is temporarily inconsistent, page->prev->next or\npage->next->prev might not be equal back to page for some page in the\nring buffer.\r\n\r\nThe resize operation in ring_buffer_resize() can be invoked in parallel.\nIt calls rb_check_pages() which can detect the described inconsistency\nand stop further tracing:\r\n\r\n[  190.271762] ------------[ cut here ]------------\n[  190.271771] WARNING: CPU: 1 PID: 6186 at kernel/trace/ring_buffer.c:1467 rb_check_pages.isra.0+0x6a/0xa0\n[  190.271789] Modules linked in: [...]\n[  190.271991] Unloaded tainted modules: intel_uncore_frequency(E):1 skx_edac(E):1\n[  190.272002] CPU: 1 PID: 6186 Comm: cmd.sh Kdump: loaded Tainted: G            E      6.9.0-rc6-default #5 158d3e1e6d0b091c34c3b96bfd99a1c58306d79f\n[  190.272011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552c-rebuilt.opensuse.org 04/01/2014\n[  190.272015] RIP: 0010:rb_check_pages.isra.0+0x6a/0xa0\n[  190.272023] Code: [...]\n[  190.272028] RSP: 0018:ffff9c37463abb70 EFLAGS: 00010206\n[  190.272034] RAX: ffff8eba04b6cb80 RBX: 0000000000000007 RCX: ffff8eba01f13d80\n[  190.272038] RDX: ffff8eba01f130c0 RSI: ffff8eba04b6cd00 RDI: ffff8eba0004c700\n[  190.272042] RBP: ffff8eba0004c700 R08: 0000000000010002 R09: 0000000000000000\n[  190.272045] R10: 00000000ffff7f52 R11: ffff8eba7f600000 R12: ffff8eba0004c720\n[  190.272049] R13: ffff8eba00223a00 R14: 0000000000000008 R15: ffff8eba067a8000\n[  190.272053] FS:  00007f1bd64752c0(0000) GS:ffff8eba7f680000(0000) knlGS:0000000000000000\n[  190.272057] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  190.272061] CR2: 00007f1bd6662590 CR3: 000000010291e001 CR4: 0000000000370ef0\n[  190.272070] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  190.272073] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  190.272077] Call Trace:\n[  190.272098]  <TASK>\n[  190.272189]  ring_buffer_resize+0x2ab/0x460\n[  190.272199]  __tracing_resize_ring_buffer.part.0+0x23/0xa0\n[  190.272206]  tracing_resize_ring_buffer+0x65/0x90\n[  190.272216]  tracing_entries_write+0x74/0xc0\n[  190.272225]  vfs_write+0xf5/0x420\n[  190.272248]  ksys_write+0x67/0xe0\n[  190.272256]  do_syscall_64+0x82/0x170\n[  190.272363]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  190.272373] RIP: 0033:0x7f1bd657d263\n[  190.272381] Code: [...]\n[  190.272385] RSP: 002b:00007ffe72b643f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[  190.272391] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1bd657d263\n[  190.272395] RDX: 0000000000000002 RSI: 0000555a6eb538e0 RDI: 0000000000000001\n[  190.272398] RBP: 0000555a6eb538e0 R08: 000000000000000a R09: 0000000000000000\n[  190.272401] R10: 0000555a6eb55190 R11: 0000000000000246 R12: 00007f1bd6662500\n[  190.272404] R13: 0000000000000002 R14: 00007f1bd6667c00 R15: 0000000000000002\n[  190.272412]  </TASK>\n[  190.272414] ---[ end trace 0000000000000000 ]---\r\n\r\nNote that ring_buffer_resize() calls rb_check_pages() only if the parent\ntrace_buffer has recording disabled. Recent commit d78ab792705c\n(\"tracing: Stop current tracer when resizing buffer\") causes that it is\nnow always the case which makes it more likely to experience this issue.\r\n\r\nThe window to hit this race is nonetheless very small. To help\nreproducing it, one can add a delay loop in rb_get_reader_page():\r\n\r\n ret = rb_head_page_replace(reader, cpu_buffer->reader_page);\n if (!ret)\n \tgoto spin;\n for (unsigned i = 0; i < 1U << 26; i++)  /* inserted delay loop */\n \t__asm__ __volatile__ (\"\" : : : \"memory\");\n rb_list_head(reader->list.next)->prev = &cpu_buffer->reader_page->list;\r\n\r\n.. \n---truncated---(CVE-2024-38601)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nserial: max3100: Lock port->lock when calling uart_handle_cts_change()\r\n\r\nuart_handle_cts_change() has to be called with port lock taken,\nSince we run it in a separate work, the lock may not be taken at\nthe time of running. Make sure that it's taken by explicitly doing\nthat. Without it we got a splat:\r\n\r\n  WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0\n  ...\n  Workqueue: max3100-0 max3100_work [max3100]\n  RIP: 0010:uart_handle_cts_change+0xa6/0xb0\n  ...\n   max3100_handlerx+0xc5/0x110 [max3100]\n   max3100_work+0x12a/0x340 [max3100](CVE-2024-38634)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Allow delete from sockmap/sockhash only if update is allowed\r\n\r\nWe have seen an influx of syzkaller reports where a BPF program attached to\na tracepoint triggers a locking rule violation by performing a map_delete\non a sockmap/sockhash.\r\n\r\nWe don't intend to support this artificial use scenario. Extend the\nexisting verifier allowed-program-type check for updating sockmap/sockhash\nto also cover deleting from a map.\r\n\r\nFrom now on only BPF programs which were previously allowed to update\nsockmap/sockhash can delete from these map types.(CVE-2024-38662)",
+    "cves": [
+      {
+        "id": "CVE-2024-38662",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38662",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2028": {
+    "id": "openEuler-SA-2022-2028",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2028",
+    "title": "An update for nodejs-minimatch is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Converts glob expressions to JavaScript \"RegExp\" objects.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.(CVE-2022-3517)",
+    "cves": [
+      {
+        "id": "CVE-2022-3517",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3517",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1180": {
+    "id": "openEuler-SA-2024-1180",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1180",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nTransmit requests in Xen's virtual network protocol can consist of\nmultiple parts.  While not really useful, except for the initial part\nany of them may be of zero length, i.e. carry no data at all.  Besides a\ncertain initial portion of the to be transferred data, these parts are\ndirectly translated into what Linux calls SKB fragments.  Such converted\nrequest parts can, when for a particular SKB they are all of length\nzero, lead to a de-reference of NULL in core networking code.\n(CVE-2023-46838)\r\n\r\nA flaw in the routing table size was found in the ICMPv6 handling of \"Packet Too Big\". The size of the routing table is regulated by periodic garbage collection. However, with \"Packet Too Big Messages\" it is possible to exceed the routing table size and garbage collector threshold. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%.(CVE-2023-52340)\r\n\r\nA denial of service vulnerability due to a deadlock was found in sctp_auto_asconf_init in net/sctp/socket.c in the Linux kernel’s SCTP subsystem. This flaw allows guests with local user privileges to trigger a deadlock and potentially crash the system.(CVE-2024-0639)\r\n\r\nA null pointer dereference flaw was found in the hugetlbfs_fill_super function in the Linux kernel hugetlbfs (HugeTLB pages) functionality. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.(CVE-2024-0841)\r\n\r\nA use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\r\n\r\nThe nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT.\r\n\r\nWe recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.\r\n\r\n(CVE-2024-1086)\r\n\r\nIn rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel through 6.7.1, there is an off-by-one error for an RDS_MSG_RX_DGRAM_TRACE_MAX comparison, resulting in out-of-bounds access.(CVE-2024-23849)",
+    "cves": [
+      {
+        "id": "CVE-2024-23849",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23849",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1146": {
+    "id": "openEuler-SA-2023-1146",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1146",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nThe Linux kernel does not correctly mitigate SMT attacks, as discovered\nthrough a strange pattern in the kernel API using STIBP as a mitigation[1\n<https://docs.kernel.org/userspace-api/spec_ctrl.html>], leaving the\nprocess exposed for a short period of time after a syscall. The kernel also\ndoes not issue an IBPB immediately during the syscall.\nThe ib_prctl_set [2\n<https://elixir.bootlin.com/linux/v5.15.56/source/arch/x86/kernel/cpu/bugs.c#L1467>]function\nupdates the Thread Information Flags (TIFs) for the task and updates the\nSPEC_CTRL MSR on the function __speculation_ctrl_update [3\n<https://elixir.bootlin.com/linux/v5.15.56/source/arch/x86/kernel/process.c#L557>],\nbut the IBPB is only issued on the next schedule, when the TIF bits are\nchecked. This leaves the victim vulnerable to values already injected on\nthe BTB, prior to the prctl syscall.\nThe behavior is only corrected after a reschedule of the task happens.\nFurthermore, the kernel entrance (due to the syscall itself), does not\nissue an IBPB in the default scenarios (i.e., when the kernel protects\nitself via retpoline or eIBRS).(CVE-2023-0045)\r\n\r\nREMAP cmd of SVM driver can be used to remap read only memory as read-write, then cause read only memory/file modified..(CVE-2021-33639)",
+    "cves": [
+      {
+        "id": "CVE-2021-33639",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33639",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1538": {
+    "id": "openEuler-SA-2023-1538",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1538",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nA use-after-free flaw was found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel. This flaw allows a local attacker to perform a local privilege escalation due to incorrect handling of the existing filter, leading to a kernel information leak issue.(CVE-2023-4128)",
+    "cves": [
+      {
+        "id": "CVE-2023-4128",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4128",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1630": {
+    "id": "openEuler-SA-2024-1630",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1630",
+    "title": "An update for nautilus is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "It's easier to manage your files for the GNOME desktop. Ability to browse directories on local and remote systems. preview folders and launch related programs. It is also handle icons on the GNOME desktop.\r\n\r\nSecurity Fix(es):\r\n\r\nGNOME Nautilus 42.2 allows a NULL pointer dereference and get_basename application crash via a pasted ZIP archive.(CVE-2022-37290)",
+    "cves": [
+      {
+        "id": "CVE-2022-37290",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37290",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1176": {
+    "id": "openEuler-SA-2024-1176",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1176",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nTransmit requests in Xen's virtual network protocol can consist of\nmultiple parts.  While not really useful, except for the initial part\nany of them may be of zero length, i.e. carry no data at all.  Besides a\ncertain initial portion of the to be transferred data, these parts are\ndirectly translated into what Linux calls SKB fragments.  Such converted\nrequest parts can, when for a particular SKB they are all of length\nzero, lead to a de-reference of NULL in core networking code.\n(CVE-2023-46838)\r\n\r\nA flaw in the routing table size was found in the ICMPv6 handling of \"Packet Too Big\". The size of the routing table is regulated by periodic garbage collection. However, with \"Packet Too Big Messages\" it is possible to exceed the routing table size and garbage collector threshold. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%.(CVE-2023-52340)\r\n\r\nA denial of service vulnerability due to a deadlock was found in sctp_auto_asconf_init in net/sctp/socket.c in the Linux kernel’s SCTP subsystem. This flaw allows guests with local user privileges to trigger a deadlock and potentially crash the system.(CVE-2024-0639)\r\n\r\nA null pointer dereference flaw was found in the hugetlbfs_fill_super function in the Linux kernel hugetlbfs (HugeTLB pages) functionality. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.(CVE-2024-0841)\r\n\r\nA use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\r\n\r\nThe nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT.\r\n\r\nWe recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.\r\n\r\n(CVE-2024-1086)\r\n\r\nIn rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel through 6.7.1, there is an off-by-one error for an RDS_MSG_RX_DGRAM_TRACE_MAX comparison, resulting in out-of-bounds access.(CVE-2024-23849)",
+    "cves": [
+      {
+        "id": "CVE-2024-23849",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23849",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1147": {
+    "id": "openEuler-SA-2021-1147",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1147",
+    "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nAn OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).(CVE-2021-3449)",
+    "cves": [
+      {
+        "id": "CVE-2021-3449",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3449",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1470": {
+    "id": "openEuler-SA-2021-1470",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1470",
+    "title": "An update for grafana is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Metrics dashboard and graph editor.\r\n\r\nSecurity Fix(es):\r\n\r\nGrafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files with the extension .md to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Users should upgrade to patched versions 8.3.2 or 7.5.12. For users who cannot upgrade, running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to also be able to handle url encoded paths. Alternatively, for fully lowercase or fully uppercase .md files, users can block /api/plugins/.*/markdown/.* without losing any functionality beyond inlined plugin help text.(CVE-2021-43813)",
+    "cves": [
+      {
+        "id": "CVE-2021-43813",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43813",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1922": {
+    "id": "openEuler-SA-2022-1922",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1922",
+    "title": "An update for bluez is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "This package provides all utilities for use in Bluetooth applications. The BLUETOOTH trademarks are owned by Bluetooth SIG, Inc., U.S.A.\r\n\r\nSecurity Fix(es):\r\n\r\nBlueZ before 5.59 allows physically proximate attackers to cause a denial of service because malformed and invalid capabilities can be processed in profiles/audio/avdtp.c.(CVE-2022-39177)\r\n\r\nBlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because profiles/audio/avrcp.c does not validate params_len.(CVE-2022-39176)",
+    "cves": [
+      {
+        "id": "CVE-2022-39176",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39176",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1999": {
+    "id": "openEuler-SA-2023-1999",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1999",
+    "title": "An update for netty is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nNetty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.(CVE-2022-41881)",
+    "cves": [
+      {
+        "id": "CVE-2022-41881",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1197": {
+    "id": "openEuler-SA-2023-1197",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1197",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIntel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions.(CVE-2022-29901)\r\n\r\nA flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using a specific networking configuration (redirecting egress packets to ingress using TC action \"mirred\") a local unprivileged user could trigger a CPU soft lockup (ABBA deadlock) when the transport protocol in use (TCP or SCTP) does a retransmission, resulting in a denial of service condition.(CVE-2022-4269)\r\n\r\nA flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.(CVE-2023-1079)\r\n\r\n\nKernel: denial of service in tipc_conn_close(CVE-2023-1382)\r\n\r\ndo_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference).(CVE-2023-28466)\r\n\r\nUse After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this vulnerability to elevate its privileges to root. This issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2.(CVE-2023-1281)",
+    "cves": [
+      {
+        "id": "CVE-2023-1382",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1382",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2023-1281",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1281",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1954": {
+    "id": "openEuler-SA-2023-1954",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1954",
+    "title": "An update for freeradius is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service.\r\n\r\nSecurity Fix(es):\r\n\r\nIn freeradius, the EAP-PWD function compute_password_element() leaks information about the password which allows an attacker to substantially reduce the size of an offline dictionary attack.(CVE-2022-41859)",
+    "cves": [
+      {
+        "id": "CVE-2022-41859",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41859",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1470": {
+    "id": "openEuler-SA-2024-1470",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1470",
+    "title": "An update for gnutls is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, and other required structures. The project strives to provide a secure communications back-end, simple to use and integrated with the rest of the base Linux libraries. A back-end designed to work and be secure out of the box, keeping the complexity of TLS and PKI out of application code.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the \"certtool --verify-chain\" command.(CVE-2024-28835)",
+    "cves": [
+      {
+        "id": "CVE-2024-28835",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28835",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1391": {
+    "id": "openEuler-SA-2021-1391",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1391",
+    "title": "An update for rubygem-activeresource is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "REST on Rails. Wrap your RESTful web app with Ruby classes and work with them like Active Record models.\r\n\r\nSecurity Fix(es):\r\n\r\nThere is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information.(CVE-2020-8151)",
+    "cves": [
+      {
+        "id": "CVE-2020-8151",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8151",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1530": {
+    "id": "openEuler-SA-2023-1530",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1530",
+    "title": "An update for golang is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The Go Programming Language.\n\nSecurity Fix(es):\n\nExtremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.(CVE-2023-29409)",
+    "cves": [
+      {
+        "id": "CVE-2023-29409",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29409",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1503": {
+    "id": "openEuler-SA-2023-1503",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1503",
+    "title": "An update for snakeyaml is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "SnakeYAML is a YAML parser and emitter for the Java Virtual Machine. YAML is a data serialization format designed for human readability and interaction with scripting languages.\r\n\r\nSecurity Fix(es):\r\n\r\nThose using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.(CVE-2022-41854)",
+    "cves": [
+      {
+        "id": "CVE-2022-41854",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41854",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1137": {
+    "id": "openEuler-SA-2023-1137",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1137",
+    "title": "An update for mujs is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "MuJS is a lightweight Javascript interpreter designed for embedding in other software to extend them with scripting capabilities.\r\n\r\nSecurity Fix(es):\r\n\r\nA logical issue in O_getOwnPropertyDescriptor() in Artifex MuJS 1.0.0 through 1.3.x before 1.3.2 allows an attacker to achieve Remote Code Execution through memory corruption, via the loading of a crafted JavaScript file.(CVE-2022-44789)",
+    "cves": [
+      {
+        "id": "CVE-2022-44789",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44789",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1143": {
+    "id": "openEuler-SA-2021-1143",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1143",
+    "title": "An update for netty is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients.\r\n\r\nSecurity Fix(es):\r\n\r\nNetty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method \"File.createTempFile\" on unix-like systems creates a random file, but, by default will create this file with the permissions \"-rw-r--r--\". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's \"AbstractDiskHttpData\" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own \"java.io.tmpdir\" when you start the JVM or use \"DefaultHttpDataFactory.setBaseDir(...)\" to set the directory to something that is only readable by the current user.(CVE-2021-21290)",
+    "cves": [
+      {
+        "id": "CVE-2021-21290",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21290",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1222": {
+    "id": "openEuler-SA-2023-1222",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1222",
+    "title": "An update for httpd is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\r\n\r\nSecurity Fix(es):\r\n\r\nApache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.(CVE-2019-17567)",
+    "cves": [
+      {
+        "id": "CVE-2019-17567",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17567",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1307": {
+    "id": "openEuler-SA-2021-1307",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1307",
+    "title": "An update for bluez is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "This package provides all utilities for use in Bluetooth applications. The BLUETOOTH trademarks are owned by Bluetooth SIG, Inc., U.S.A.\r\n\r\nSecurity Fix(es):\r\n\r\nIn BlueZ before 5.55, a double free was found in the gatttool disconnect_cb() routine from shared/att.c. A remote attacker could potentially cause a denial of service or code execution, during service discovery, due to a redundant disconnect MGMT event.(CVE-2020-27153)",
+    "cves": [
+      {
+        "id": "CVE-2020-27153",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27153",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1993": {
+    "id": "openEuler-SA-2023-1993",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1993",
+    "title": "An update for tar is now available for openEuler-22.03-LTS",
+    "severity": "Low",
+    "description": "GNU Tar provides the ability to create tar archives, as well as various other kinds of manipulation. For example, you can use Tar on previously created archives to extract files, to store additional files, or to update or list files which were already stored.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in tar. This issue occurs when extended attributes are processed in PAX archives, and could allow an attacker to cause an application crash, resulting in a denial of service.(CVE-2023-39804)",
+    "cves": [
+      {
+        "id": "CVE-2023-39804",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39804",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1490": {
+    "id": "openEuler-SA-2022-1490",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1490",
+    "title": "An update for expat is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "An XML parser library.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).(CVE-2021-45960)\r\n\r\nlookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.(CVE-2022-22825)\r\n\r\nstoreAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.(CVE-2022-22827)\r\n\r\naddBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.(CVE-2022-22822)\r\n\r\nnextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.(CVE-2022-22826)\r\n\r\nbuild_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.(CVE-2022-22823)\r\n\r\ndefineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.(CVE-2022-22824)\r\n\r\nIn doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.(CVE-2021-46143)",
+    "cves": [
+      {
+        "id": "CVE-2021-46143",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46143",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1303": {
+    "id": "openEuler-SA-2021-1303",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1303",
+    "title": "An update for libass is now available for openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "libass is a portable subtitle renderer for the ASS/SSA (Advanced Substation Alpha/Substation Alpha)  subtitle format. It is mostly compatible with VSFilter.\r\n\r\nSecurity Fix(es):\r\n\r\nlibass 0.15.x before 0.15.1 has a heap-based buffer overflow in decode_chars (called from decode_font and process_text) because the wrong integer data type is used for subtraction.(CVE-2020-36430)",
+    "cves": [
+      {
+        "id": "CVE-2020-36430",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36430",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1903": {
+    "id": "openEuler-SA-2023-1903",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1903",
+    "title": "An update for vim is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Low",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nVim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a `:s` command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive `:s` call causes free-ing of memory which may later then be accessed by the initial `:s` command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue.(CVE-2023-48706)",
+    "cves": [
+      {
+        "id": "CVE-2023-48706",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48706",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1461": {
+    "id": "openEuler-SA-2024-1461",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1461",
+    "title": "An update for libssh2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "libssh2 is a library implementing the SSH2 protocol as defined by Internet Drafts: SECSH-TRANS(22), SECSH-USERAUTH(25), SECSH-CONNECTION(23), SECSH-ARCH(20), SECSH-FILEXFER(06)*, SECSH-DHGEX(04), and SECSH-NUMBERS(10).\r\n\r\nSecurity Fix(es):\r\n\r\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795)",
+    "cves": [
+      {
+        "id": "CVE-2023-48795",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48795",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1453": {
+    "id": "openEuler-SA-2021-1453",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1453",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA memory overflow vulnerability was found in the Linux kernel’s ipc functionality of the memcg subsystem, in the way a user calls the semget function multiple times, creating semaphores. This flaw allows a local user to starve the resources, causing a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2021-3759)\r\n\r\nA race problem was seen in the vt_k_ioctl in drivers/tty/vt/vt_ioctl.c in the Linux kernel, which may cause an out of bounds read in vt as the write access to vc_mode is not protected by lock-in vt_ioctl (KDSETMDE). The highest threat from this vulnerability is to data confidentiality.(CVE-2021-3753)",
+    "cves": [
+      {
+        "id": "CVE-2021-3753",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3753",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1100": {
+    "id": "openEuler-SA-2023-1100",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1100",
+    "title": "An update for rubygem-globalid is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "URIs for your models makes it easy to pass references around.\r\n\r\nSecurity Fix(es):\r\n\r\nA ReDoS based DoS vulnerability in the GlobalID <1.0.1 which could allow an attacker supplying a carefully crafted input can cause the regular expression engine to take an unexpected amount of time. All users running an affected release should either upgrade or use one of the workarounds immediately.(CVE-2023-22799)",
+    "cves": [
+      {
+        "id": "CVE-2023-22799",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22799",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1734": {
+    "id": "openEuler-SA-2023-1734",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1734",
+    "title": "An update for cups is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "CUPS is the standards-based, open source printing system developed by Apple Inc. for UNIX®-like operating systems. CUPS uses the Internet Printing Protocol (IPP) to support printing to local and network printers..\r\n\r\nSecurity Fix(es):\r\n\r\nDue to failure in validating the length provided by an attacker-crafted PPD PostScript document, CUPS and libppd are susceptible to a heap-based buffer overflow and possibly code execution. This issue has been fixed in CUPS version 2.4.7, released in September of 2023.\n(CVE-2023-4504)",
+    "cves": [
+      {
+        "id": "CVE-2023-4504",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4504",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1481": {
+    "id": "openEuler-SA-2021-1481",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1481",
+    "title": "An update for log4j is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Log4j is a tool to help the programmer output log statements to a variety of output targets.\r\n\r\nSecurity Fix(es):\r\n\r\nApache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.(CVE-2021-44832)",
+    "cves": [
+      {
+        "id": "CVE-2021-44832",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1833": {
+    "id": "openEuler-SA-2023-1833",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1833",
+    "title": "An update for open-vm-tools is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The  project is an open source implementation of VMware Tools. It is a suite of open source virtualization utilities and drivers to improve the functionality, user experience and administration of VMware virtual machines. This package contains only the core user-space programs and libraries of .\r\n\r\nSecurity Fix(es):\r\n\r\nVMware Tools contains a SAML token signature bypass vulnerability. A malicious actor that has been granted  Guest Operation Privileges https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html  in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged  Guest Alias https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html .(CVE-2023-34058)\r\n\r\nopen-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. A malicious actor with non-root privileges may be able to hijack the \n/dev/uinput file descriptor allowing them to simulate user inputs.(CVE-2023-34059)",
+    "cves": [
+      {
+        "id": "CVE-2023-34059",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34059",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1644": {
+    "id": "openEuler-SA-2022-1644",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1644",
+    "title": "An update for rubygem-nokogiri is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Nokogiri parses and searches XML/HTML very quickly, and also has correctly implemented CSS3 selector support as well as XPath support. Nokogiri also features an Hpricot compatibility layer to help ease the change to using correct CSS and XPath.\n\r\nSecurity Fix(es):\r\n\r\nNokogiri is an open source XML and HTML library for Ruby. Nokogiri less than v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri >= 1.13.4. There are no known workarounds for this issue.(CVE-2022-24836)",
+    "cves": [
+      {
+        "id": "CVE-2022-24836",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24836",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1365": {
+    "id": "openEuler-SA-2023-1365",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1365",
+    "title": "An update for cpp-httplib is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "A C++11 single-file header-only cross platform HTTP/HTTPS library. It's extremely easy to setup. Just include httplib.h file in your code\r\n\r\nSecurity Fix(es):\r\n\r\nVersions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF Injection when untrusted user input is used to set the content-type header in the HTTP .Patch, .Post, .Put and .Delete requests. This can lead to logical errors and other misbehaviors.\r\n\r\n**Note:** This issue is present due to an incomplete fix for [CVE-2020-11709](https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-2366507).(CVE-2023-26130)",
+    "cves": [
+      {
+        "id": "CVE-2023-26130",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26130",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1403": {
+    "id": "openEuler-SA-2023-1403",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1403",
+    "title": "An update for tang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "This package is a server for binding data to network presence. First, the client gets a list of the Tang server's advertised asymmetric keys. This can happen online by a simple HTTP GET. Alternatively, since the keys are asymmetric, the public key list can be distributed out of band. Second, the client uses one of these public keys to generate a unique, cryptographically strong encryption key. The data is then encrypted using this key. Once the data is encrypted, the key is discarded. Some small metadata is produced as part of this operation which the client should store in a convenient location. This process of encrypting data is the provisioning step. Third, when the client is ready to access its data, it simply loads the metadata produced in the provisioning step and performs an HTTP POST in order to recover the encryption key. This process is the recovery step.\n\nSecurity Fix(es):\n\nA race condition exists in the Tang server functionality for key generation and key rotation. This flaw results in a small time window where Tang private keys become readable by other processes on the same host.(CVE-2023-1672)",
+    "cves": [
+      {
+        "id": "CVE-2023-1672",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1672",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1416": {
+    "id": "openEuler-SA-2021-1416",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1416",
+    "title": "An update for springframework is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "The spring is based on code pubilshed in Expert One-on-One J2EE Design and Dvelopment by Rod Johnson (Wrox, 2002).it is a layered Java/J2ee application framework.\r\n\r\nSecurity Fix(es):\r\n\r\nBoth Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.(CVE-2016-5007)",
+    "cves": [
+      {
+        "id": "CVE-2016-5007",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5007",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1786": {
+    "id": "openEuler-SA-2022-1786",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1786",
+    "title": "An update for openjdk-1.8.0 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment 8.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 7u321, 8u311; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21349)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2022-21540)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).(CVE-2022-21541)\r\n\r\nThe Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.(CVE-2022-34169)",
+    "cves": [
+      {
+        "id": "CVE-2022-34169",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34169",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1211": {
+    "id": "openEuler-SA-2024-1211",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1211",
+    "title": "An update for firefox is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Mozilla Firefox is a standalone web browser, designed for standards compliance and performance.  Its functionality can be enhanced via a plethora of extensions.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability found in nss. By this security vulnerability, nss client auth crash without a user certificate in the database and this can lead us to a segmentation fault or crash.(CVE-2022-3479)",
+    "cves": [
+      {
+        "id": "CVE-2022-3479",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3479",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1771": {
+    "id": "openEuler-SA-2024-1771",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1771",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "The Go Programming Language.\r\n\r\nSecurity Fix(es):\r\n\r\nThe archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.(CVE-2024-24789)",
+    "cves": [
+      {
+        "id": "CVE-2024-24789",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24789",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1950": {
+    "id": "openEuler-SA-2022-1950",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1950",
+    "title": "An update for ansible is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "\\\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument \"password\" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.(CVE-2020-1739)\r\n\r\nA flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes \"ansible-vault edit\", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.(CVE-2020-1740)\r\n\r\nA flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.(CVE-2020-1735)\r\n\r\nA flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.(CVE-2020-10684)\r\n\r\nA flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the remote host. Ansible Engine 2.7.15, 2.8.7, and 2.9.2 as well as previous versions are affected.(CVE-2019-14904)\r\n\r\nA flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive anywhere in the file system, using a path traversal. This issue is fixed in 2.10.(CVE-2020-1737)\r\n\r\nA flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected.(CVE-2021-20191)\r\n\r\nA flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file. This flaw affects Ansible Engine versions before 2.9.6.(CVE-2020-10729)\r\n\r\nA security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl from the command line, not using an environment variable or an input configuration file. This will disclose passwords and tokens from process list and no_log directive from debug module would not have any effect making these secrets being disclosed on stdout and log files.(CVE-2020-1753)",
+    "cves": [
+      {
+        "id": "CVE-2020-1753",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1753",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1723": {
+    "id": "openEuler-SA-2024-1723",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1723",
+    "title": "An update for libndp is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3 and openEuler-24.03-LTS",
+    "severity": "High",
+    "description": "This package contains a library which provides a wrapper for IPv6 Neighbor Discovery Protocol. It also provides a tool named ndptool for sending and receiving NDP messages.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in libndp. This flaw allows a local malicious user to cause a buffer overflow in NetworkManager, triggered by sending a malformed IPv6 router advertisement packet. This issue occurred as libndp was not correctly validating the route length information.(CVE-2024-5564)",
+    "cves": [
+      {
+        "id": "CVE-2024-5564",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5564",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1790": {
+    "id": "openEuler-SA-2024-1790",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1790",
+    "title": "An update for glib2 is now available for openEuler-24.03-LTS",
+    "severity": "Low",
+    "description": "GLib is a bundle of three (formerly five) low-level system libraries written in C and developed mainly by GNOME. GLib's code was separated from GTK, so it can be used by software other than GNOME and has been developed in parallel ever since.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.(CVE-2024-34397)",
+    "cves": [
+      {
+        "id": "CVE-2024-34397",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34397",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1250": {
+    "id": "openEuler-SA-2023-1250",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1250",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Linux kernel in linux/net/netfilter/nf_tables_api.c of the netfilter subsystem. This flaw allows a local user to cause an out-of-bounds write issue.(CVE-2022-1015)\r\n\r\nAn out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).(CVE-2022-36280)\r\n\r\nWhen SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure.(CVE-2022-27672)\r\n\r\nAn issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8. nVMX on x86_64 lacks consistency checks for CR0 and CR4.(CVE-2023-30456)\r\n\r\nA use-after-free flaw was found in btsdio_remove in drivers\\bluetooth\\btsdio.c in the Linux Kernel. In this flaw, a call to btsdio_remove with an unfinished job, may cause a race problem leading to a UAF on hdev devices.(CVE-2023-1989)\r\n\r\nA use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root.\nWe recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28.\r\n\r\n(CVE-2023-1829)",
+    "cves": [
+      {
+        "id": "CVE-2023-1829",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1829",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1214": {
+    "id": "openEuler-SA-2023-1214",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1214",
+    "title": "An update for zstd is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Zstd is a fast lossless compression algorithm. It's backed by a very fast entropy stage,provided by Huff0 and FSE library. It's a real-time compression scenario for zlib levels and has a better compression ratio.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.(CVE-2022-4899)",
+    "cves": [
+      {
+        "id": "CVE-2022-4899",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4899",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1077": {
+    "id": "openEuler-SA-2021-1077",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1077",
+    "title": "An update for xmlbeans is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "XMLBeans is a tool that allows you to access the full power of XML in a Java friendly way. It is an XML-Java binding tool. The idea is that you can take advantage the richness and features of XML and XML Schema and have these features mapped as naturally as possible to the equivalent Java language and typing constructs. XMLBeans uses XML Schema to compile Java interfaces and classes that you can then use to access and modify XML instance data. Using XMLBeans is similar to using any other Java interface/class, you will see things like getFoo or setFoo just as you would expect when working with Java. While a major use of XMLBeans is to access your XML instance data with strongly typed Java classes there are also API's that allow you access to the full XML infoset (XMLBeans keeps full XML Infoset fidelity) as well as to allow you to reflect into the XML schema itself through an XML Schema Object model.\r\n\r\nSecurity Fix(es):\r\n\r\nThe XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.(CVE-2021-23926)",
+    "cves": [
+      {
+        "id": "CVE-2021-23926",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23926",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1174": {
+    "id": "openEuler-SA-2024-1174",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1174",
+    "title": "An update for freeglut is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Freeglut is a free-software/open-source alternative to the OpenGL Utility Toolkit (GLUT) library. GLUT was originally written to support the sample programs in the second edition OpenGL 'RedBook'. Since then, GLUT has been used in a wide variety of practical applications because it is simple, widely available and highly portable.\r\n\r\nSecurity Fix(es):\r\n\r\nfreeglut 3.4.0 was discovered to contain a memory leak via the menuEntry variable in the glutAddSubMenu function.(CVE-2024-24258)\r\n\r\nfreeglut through 3.4.0 was discovered to contain a memory leak via the menuEntry variable in the glutAddMenuEntry function.(CVE-2024-24259)",
+    "cves": [
+      {
+        "id": "CVE-2024-24259",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24259",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1660": {
+    "id": "openEuler-SA-2024-1660",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1660",
+    "title": "An update for cockpit is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Cockpit makes GNU/Linux discoverable. See Linux server in a web browser and perform system tasks with a mouse. It’s easy to start containers, administer storage, configure networks, and inspect logs with this package.\r\n\r\nSecurity Fix(es):\r\n\r\nAn SSRF issue was discovered in cockpit-project.org Cockpit 234. NOTE: this is unrelated to the Agentejo Cockpit product. NOTE: the vendor states \"I don't think [it] is a big real-life issue.(CVE-2020-35850)",
+    "cves": [
+      {
+        "id": "CVE-2020-35850",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35850",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1472": {
+    "id": "openEuler-SA-2021-1472",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1472",
+    "title": "An update for netty is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. %package    help Summary:          Documents for  Buildarch:        noarch Requires:         man info Provides:         -javadoc = - Obsoletes:        -javadoc < - %description help Man pages and other related documents for .\r\n\r\nSecurity Fix(es):\r\n\r\nNetty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.7.1.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to \"sanitize\" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.7.1.Final to receive a patch.(CVE-2021-43797)",
+    "cves": [
+      {
+        "id": "CVE-2021-43797",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43797",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1229": {
+    "id": "openEuler-SA-2021-1229",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1229",
+    "title": "An update for mojarra is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "JvaServer(TM) Faces technology simplifies building user interfaces for JavaServer applications. Developers of various skill levels can quickly build web applications by: assembling reusable UI components in a page; connecting these components to an application data source; and wiring client-generated events to server-side event handlers.\n\nSecurity Fix(es):\n\nDirectory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or con parameter.(CVE-2020-6950)",
+    "cves": [
+      {
+        "id": "CVE-2020-6950",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6950",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1985": {
+    "id": "openEuler-SA-2022-1985",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1985",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() in the Linux kernel’s filesystem sub-component. This flaw allows a local attacker with a user privilege to cause a denial of service.(CVE-2022-1184)\n\nAn issue was discovered in the Linux kernel before 5.19. In pxa3xx_gcu_write in drivers/video/fbdev/pxa3xx-gcu.c, the count parameter has a type conflict of size_t versus int, causing an integer overflow and bypassing the size check. After that, because it is used as the third argument to copy_from_user(), a heap overflow may occur.(CVE-2022-39842)\n\nA race condition flaw was found in the Linux kernel sound subsystem due to improper locking. It could lead to a NULL pointer dereference while handling the SNDCTL_DSP_SYNC ioctl. A privileged local user (root or member of the audio group) could use this flaw to crash the system, resulting in a denial of service condition(CVE-2022-3303)\n\nAn issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured.(CVE-2022-2663)",
+    "cves": [
+      {
+        "id": "CVE-2022-2663",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2663",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1165": {
+    "id": "openEuler-SA-2021-1165",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1165",
+    "title": "An update for squid is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Squid is a high-performance proxy caching server. It handles all requests in a single, non-blocking, I/O-driven process and keeps meta data and implements negative caching of failed requests.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Squid through 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by the security controls. This occurs for certain uri_whitespace configuration settings.(CVE-2020-25097)",
+    "cves": [
+      {
+        "id": "CVE-2020-25097",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25097",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1019": {
+    "id": "openEuler-SA-2023-1019",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1019",
+    "title": "An update for samba is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nWindows Kerberos RC4-HMAC Elevation of Privilege Vulnerability.(CVE-2022-37966)",
+    "cves": [
+      {
+        "id": "CVE-2022-37966",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37966",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1407": {
+    "id": "openEuler-SA-2023-1407",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1407",
+    "title": "An update for ImageMagick is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\n\nSecurity Fix(es):\n\nA heap-based buffer overflow issue was discovered in ImageMagick's ReadTIM2ImageData() function in coders/tim2.c. A local attacker could trick the user in opening specially crafted file, triggering an out-of-bounds read error, allowing an application to crash, resulting in a denial of service.(CVE-2023-34474)\n\nA heap use after free issue was discovered in ImageMagick's ReplaceXmpValue() function in MagickCore/profile.c. An attacker could trick user to open a specially crafted file to convert, triggering an heap-use-after-free write error, allowing an application to crash, resulting in a denial of service.(CVE-2023-34475)",
+    "cves": [
+      {
+        "id": "CVE-2023-34475",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34475",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1447": {
+    "id": "openEuler-SA-2024-1447",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1447",
+    "title": "An update for LibRaw is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "LibRaw is a library for reading RAW files from digital photo cameras (CRW/CR2, NEF, RAF, etc, virtually all RAW formats are supported).It pays special attention to correct retrieval of data required for subsequent RAW conversion.The library is intended for embedding in RAW converters, data analyzers, and other programs using RAW files as the initial data.\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Overflow vulnerability in LibRaw linux/unix v0.20.0 allows attacker to escalate privileges via the LibRaw_buffer_datastream::gets(char*, int) in /src/libraw/src/libraw_datastream.cpp.(CVE-2021-32142)",
+    "cves": [
+      {
+        "id": "CVE-2021-32142",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32142",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1784": {
+    "id": "openEuler-SA-2024-1784",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1784",
+    "title": "An update for openssh is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. \\ It encrypts all traffic to eliminate eavesdropping, connection hijacking, and \\ other attacks. In addition, OpenSSH provides a large suite of secure tunneling \\ capabilities, several authentication methods, and sophisticated configuration options.\r\n\r\nSecurity Fix(es):\r\n\r\nA signal handler race condition was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog().(CVE-2024-6387)",
+    "cves": [
+      {
+        "id": "CVE-2024-6387",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6387",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1823": {
+    "id": "openEuler-SA-2023-1823",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1823",
+    "title": "An update for skopeo is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "A command line utility that performs various operations on container images and image repositories\r\n\r\nSecurity Fix(es):\r\n\r\nHTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.(CVE-2023-24534)",
+    "cves": [
+      {
+        "id": "CVE-2023-24534",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24534",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1476": {
+    "id": "openEuler-SA-2023-1476",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1476",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the QEMU Guest Agent service for Windows. A local unprivileged user may be able to manipulate the QEMU Guest Agent's Windows installer via repair custom actions to elevate their privileges on the system.(CVE-2023-0664)\r\n\r\nA flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. The 9pfs server did not prohibit opening special files on the host side, potentially allowing a malicious client to escape from the exported 9p tree by creating and opening a device file in the shared folder.(CVE-2023-2861)",
+    "cves": [
+      {
+        "id": "CVE-2023-2861",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2861",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1678": {
+    "id": "openEuler-SA-2024-1678",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1678",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: dwc3: ep0: fix NULL pointer exception\r\n\r\nThere is no validation of the index from dwc3_wIndex_to_dep() and we might\nbe referring a non-existing ep and trigger a NULL pointer exception. In\ncertain configurations we might use fewer eps and the index might wrongly\nindicate a larger ep index than existing.\r\n\r\nBy adding this validation from the patch we can actually report a wrong\nindex back to the caller.\r\n\r\nIn our usecase we are using a composite device on an older kernel, but\nupstream might use this fix also. Unfortunately, I cannot describe the\nhardware for others to reproduce the issue as it is a proprietary\nimplementation.\r\n\r\n[   82.958261] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a4\n[   82.966891] Mem abort info:\n[   82.969663]   ESR = 0x96000006\n[   82.972703]   Exception class = DABT (current EL), IL = 32 bits\n[   82.978603]   SET = 0, FnV = 0\n[   82.981642]   EA = 0, S1PTW = 0\n[   82.984765] Data abort info:\n[   82.987631]   ISV = 0, ISS = 0x00000006\n[   82.991449]   CM = 0, WnR = 0\n[   82.994409] user pgtable: 4k pages, 39-bit VAs, pgdp = 00000000c6210ccc\n[   83.000999] [00000000000000a4] pgd=0000000053aa5003, pud=0000000053aa5003, pmd=0000000000000000\n[   83.009685] Internal error: Oops: 96000006 [#1] PREEMPT SMP\n[   83.026433] Process irq/62-dwc3 (pid: 303, stack limit = 0x000000003985154c)\n[   83.033470] CPU: 0 PID: 303 Comm: irq/62-dwc3 Not tainted 4.19.124 #1\n[   83.044836] pstate: 60000085 (nZCv daIf -PAN -UAO)\n[   83.049628] pc : dwc3_ep0_handle_feature+0x414/0x43c\n[   83.054558] lr : dwc3_ep0_interrupt+0x3b4/0xc94\r\n\r\n...\r\n\r\n[   83.141788] Call trace:\n[   83.144227]  dwc3_ep0_handle_feature+0x414/0x43c\n[   83.148823]  dwc3_ep0_interrupt+0x3b4/0xc94\n[   83.181546] ---[ end trace aac6b5267d84c32f ]---(CVE-2021-47269)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nisdn: mISDN: netjet: Fix crash in nj_probe:\r\n\r\n'nj_setup' in netjet.c might fail with -EIO and in this case\n'card->irq' is initialized and is bigger than zero. A subsequent call to\n'nj_release' will free the irq that has not been requested.\r\n\r\nFix this bug by deleting the previous assignment to 'card->irq' and just\nkeep the assignment before 'request_irq'.\r\n\r\nThe KASAN's log reveals it:\r\n\r\n[    3.354615 ] WARNING: CPU: 0 PID: 1 at kernel/irq/manage.c:1826\nfree_irq+0x100/0x480\n[    3.355112 ] Modules linked in:\n[    3.355310 ] CPU: 0 PID: 1 Comm: swapper/0 Not tainted\n5.13.0-rc1-00144-g25a1298726e #13\n[    3.355816 ] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\nrel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\n[    3.356552 ] RIP: 0010:free_irq+0x100/0x480\n[    3.356820 ] Code: 6e 08 74 6f 4d 89 f4 e8 5e ac 09 00 4d 8b 74 24 18\n4d 85 f6 75 e3 e8 4f ac 09 00 8b 75 c8 48 c7 c7 78 c1 2e 85 e8 e0 cf f5\nff <0f> 0b 48 8b 75 c0 4c 89 ff e8 72 33 0b 03 48 8b 43 40 4c 8b a0 80\n[    3.358012 ] RSP: 0000:ffffc90000017b48 EFLAGS: 00010082\n[    3.358357 ] RAX: 0000000000000000 RBX: ffff888104dc8000 RCX:\n0000000000000000\n[    3.358814 ] RDX: ffff8881003c8000 RSI: ffffffff8124a9e6 RDI:\n00000000ffffffff\n[    3.359272 ] RBP: ffffc90000017b88 R08: 0000000000000000 R09:\n0000000000000000\n[    3.359732 ] R10: ffffc900000179f0 R11: 0000000000001d04 R12:\n0000000000000000\n[    3.360195 ] R13: ffff888107dc6000 R14: ffff888107dc6928 R15:\nffff888104dc80a8\n[    3.360652 ] FS:  0000000000000000(0000) GS:ffff88817bc00000(0000)\nknlGS:0000000000000000\n[    3.361170 ] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    3.361538 ] CR2: 0000000000000000 CR3: 000000000582e000 CR4:\n00000000000006f0\n[    3.362003 ] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[    3.362175 ] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[    3.362175 ] Call Trace:\n[    3.362175 ]  nj_release+0x51/0x1e0\n[    3.362175 ]  nj_probe+0x450/0x950\n[    3.362175 ]  ? pci_device_remove+0x110/0x110\n[    3.362175 ]  local_pci_probe+0x45/0xa0\n[    3.362175 ]  pci_device_probe+0x12b/0x1d0\n[    3.362175 ]  really_probe+0x2a9/0x610\n[    3.362175 ]  driver_probe_device+0x90/0x1d0\n[    3.362175 ]  ? mutex_lock_nested+0x1b/0x20\n[    3.362175 ]  device_driver_attach+0x68/0x70\n[    3.362175 ]  __driver_attach+0x124/0x1b0\n[    3.362175 ]  ? device_driver_attach+0x70/0x70\n[    3.362175 ]  bus_for_each_dev+0xbb/0x110\n[    3.362175 ]  ? rdinit_setup+0x45/0x45\n[    3.362175 ]  driver_attach+0x27/0x30\n[    3.362175 ]  bus_add_driver+0x1eb/0x2a0\n[    3.362175 ]  driver_register+0xa9/0x180\n[    3.362175 ]  __pci_register_driver+0x82/0x90\n[    3.362175 ]  ? w6692_init+0x38/0x38\n[    3.362175 ]  nj_init+0x36/0x38\n[    3.362175 ]  do_one_initcall+0x7f/0x3d0\n[    3.362175 ]  ? rdinit_setup+0x45/0x45\n[    3.362175 ]  ? rcu_read_lock_sched_held+0x4f/0x80\n[    3.362175 ]  kernel_init_freeable+0x2aa/0x301\n[    3.362175 ]  ? rest_init+0x2c0/0x2c0\n[    3.362175 ]  kernel_init+0x18/0x190\n[    3.362175 ]  ? rest_init+0x2c0/0x2c0\n[    3.362175 ]  ? rest_init+0x2c0/0x2c0\n[    3.362175 ]  ret_from_fork+0x1f/0x30\n[    3.362175 ] Kernel panic - not syncing: panic_on_warn set ...\n[    3.362175 ] CPU: 0 PID: 1 Comm: swapper/0 Not tainted\n5.13.0-rc1-00144-g25a1298726e #13\n[    3.362175 ] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\nrel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\n[    3.362175 ] Call Trace:\n[    3.362175 ]  dump_stack+0xba/0xf5\n[    3.362175 ]  ? free_irq+0x100/0x480\n[    3.362175 ]  panic+0x15a/0x3f2\n[    3.362175 ]  ? __warn+0xf2/0x150\n[    3.362175 ]  ? free_irq+0x100/0x480\n[    3.362175 ]  __warn+0x108/0x150\n[    3.362175 ]  ? free_irq+0x100/0x480\n[    3.362175 ]  report_bug+0x119/0x1c0\n[    3.362175 ]  handle_bug+0x3b/0x80\n[    3.362175 ]  exc_invalid_op+0x18/0x70\n[    3.362175 ]  asm_exc_invalid_op+0x12/0x20\n[    3.362175 ] RIP: 0010:free_irq+0x100\n---truncated---(CVE-2021-47284)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: fix to avoid racing on fsync_entry_slab by multi filesystem instances\r\n\r\nAs syzbot reported, there is an use-after-free issue during f2fs recovery:\r\n\r\nUse-after-free write at 0xffff88823bc16040 (in kfence-#10):\n kmem_cache_destroy+0x1f/0x120 mm/slab_common.c:486\n f2fs_recover_fsync_data+0x75b0/0x8380 fs/f2fs/recovery.c:869\n f2fs_fill_super+0x9393/0xa420 fs/f2fs/super.c:3945\n mount_bdev+0x26c/0x3a0 fs/super.c:1367\n legacy_get_tree+0xea/0x180 fs/fs_context.c:592\n vfs_get_tree+0x86/0x270 fs/super.c:1497\n do_new_mount fs/namespace.c:2905 [inline]\n path_mount+0x196f/0x2be0 fs/namespace.c:3235\n do_mount fs/namespace.c:3248 [inline]\n __do_sys_mount fs/namespace.c:3456 [inline]\n __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3433\n do_syscall_64+0x3f/0xb0 arch/x86/entry/common.c:47\n entry_SYSCALL_64_after_hwframe+0x44/0xae\r\n\r\nThe root cause is multi f2fs filesystem instances can race on accessing\nglobal fsync_entry_slab pointer, result in use-after-free issue of slab\ncache, fixes to init/destroy this slab cache only once during module\ninit/destroy procedure to avoid this issue.(CVE-2021-47335)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs\r\n\r\nFan speed minimum can be enforced from sysfs. For example, setting\ncurrent fan speed to 20 is used to enforce fan speed to be at 100%\nspeed, 19 - to be not below 90% speed, etcetera. This feature provides\nability to limit fan speed according to some system wise\nconsiderations, like absence of some replaceable units or high system\nambient temperature.\r\n\r\nRequest for changing fan minimum speed is configuration request and can\nbe set only through 'sysfs' write procedure. In this situation value of\nargument 'state' is above nominal fan speed maximum.\r\n\r\nReturn non-zero code in this case to avoid\nthermal_cooling_device_stats_update() call, because in this case\nstatistics update violates thermal statistics table range.\nThe issues is observed in case kernel is configured with option\nCONFIG_THERMAL_STATISTICS.\r\n\r\nHere is the trace from KASAN:\n[  159.506659] BUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x7d/0xb0\n[  159.516016] Read of size 4 at addr ffff888116163840 by task hw-management.s/7444\n[  159.545625] Call Trace:\n[  159.548366]  dump_stack+0x92/0xc1\n[  159.552084]  ? thermal_cooling_device_stats_update+0x7d/0xb0\n[  159.635869]  thermal_zone_device_update+0x345/0x780\n[  159.688711]  thermal_zone_device_set_mode+0x7d/0xc0\n[  159.694174]  mlxsw_thermal_modules_init+0x48f/0x590 [mlxsw_core]\n[  159.700972]  ? mlxsw_thermal_set_cur_state+0x5a0/0x5a0 [mlxsw_core]\n[  159.731827]  mlxsw_thermal_init+0x763/0x880 [mlxsw_core]\n[  160.070233] RIP: 0033:0x7fd995909970\n[  160.074239] Code: 73 01 c3 48 8b 0d 28 d5 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 99 2d 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ..\n[  160.095242] RSP: 002b:00007fff54f5d938 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[  160.103722] RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 00007fd995909970\n[  160.111710] RDX: 0000000000000013 RSI: 0000000001906008 RDI: 0000000000000001\n[  160.119699] RBP: 0000000001906008 R08: 00007fd995bc9760 R09: 00007fd996210700\n[  160.127687] R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000013\n[  160.135673] R13: 0000000000000001 R14: 00007fd995bc8600 R15: 0000000000000013\n[  160.143671]\n[  160.145338] Allocated by task 2924:\n[  160.149242]  kasan_save_stack+0x19/0x40\n[  160.153541]  __kasan_kmalloc+0x7f/0xa0\n[  160.157743]  __kmalloc+0x1a2/0x2b0\n[  160.161552]  thermal_cooling_device_setup_sysfs+0xf9/0x1a0\n[  160.167687]  __thermal_cooling_device_register+0x1b5/0x500\n[  160.173833]  devm_thermal_of_cooling_device_register+0x60/0xa0\n[  160.180356]  mlxreg_fan_probe+0x474/0x5e0 [mlxreg_fan]\n[  160.248140]\n[  160.249807] The buggy address belongs to the object at ffff888116163400\n[  160.249807]  which belongs to the cache kmalloc-1k of size 1024\n[  160.263814] The buggy address is located 64 bytes to the right of\n[  160.263814]  1024-byte region [ffff888116163400, ffff888116163800)\n[  160.277536] The buggy address belongs to the page:\n[  160.282898] page:0000000012275840 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888116167000 pfn:0x116160\n[  160.294872] head:0000000012275840 order:3 compound_mapcount:0 compound_pincount:0\n[  160.303251] flags: 0x200000000010200(slab|head|node=0|zone=2)\n[  160.309694] raw: 0200000000010200 ffffea00046f7208 ffffea0004928208 ffff88810004dbc0\n[  160.318367] raw: ffff888116167000 00000000000a0006 00000001ffffffff 0000000000000000\n[  160.327033] page dumped because: kasan: bad access detected\n[  160.333270]\n[  160.334937] Memory state around the buggy address:\n[  160.356469] >ffff888116163800: fc ..(CVE-2021-47393)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nptp: Fix possible memory leak in ptp_clock_register()\r\n\r\nI got memory leak as follows when doing fault injection test:\r\n\r\nunreferenced object 0xffff88800906c618 (size 8):\n  comm \"i2c-idt82p33931\", pid 4421, jiffies 4294948083 (age 13.188s)\n  hex dump (first 8 bytes):\n    70 74 70 30 00 00 00 00                          ptp0....\n  backtrace:\n    [<00000000312ed458>] __kmalloc_track_caller+0x19f/0x3a0\n    [<0000000079f6e2ff>] kvasprintf+0xb5/0x150\n    [<0000000026aae54f>] kvasprintf_const+0x60/0x190\n    [<00000000f323a5f7>] kobject_set_name_vargs+0x56/0x150\n    [<000000004e35abdd>] dev_set_name+0xc0/0x100\n    [<00000000f20cfe25>] ptp_clock_register+0x9f4/0xd30 [ptp]\n    [<000000008bb9f0de>] idt82p33_probe.cold+0x8b6/0x1561 [ptp_idt82p33]\r\n\r\nWhen posix_clock_register() returns an error, the name allocated\nin dev_set_name() will be leaked, the put_device() should be used\nto give up the device reference, then the name will be freed in\nkobject_cleanup() and other memory will be freed in ptp_clock_release().(CVE-2021-47455)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: qla2xxx: Fix a memory leak in an error path of qla2x00_process_els()\r\n\r\nCommit 8c0eb596baa5 (\"[SCSI] qla2xxx: Fix a memory leak in an error path of\nqla2x00_process_els()\"), intended to change:\r\n\r\n        bsg_job->request->msgcode == FC_BSG_HST_ELS_NOLOGIN\r\n\r\n\n        bsg_job->request->msgcode != FC_BSG_RPT_ELS\r\n\r\nbut changed it to:\r\n\r\n        bsg_job->request->msgcode == FC_BSG_RPT_ELS\r\n\r\ninstead.\r\n\r\nChange the == to a != to avoid leaking the fcport structure or freeing\nunallocated memory.(CVE-2021-47473)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnvmem: Fix shift-out-of-bound (UBSAN) with byte size cells\r\n\r\nIf a cell has 'nbits' equal to a multiple of BITS_PER_BYTE the logic\r\n\r\n *p &= GENMASK((cell->nbits%BITS_PER_BYTE) - 1, 0);\r\n\r\nwill become undefined behavior because nbits modulo BITS_PER_BYTE is 0, and we\nsubtract one from that making a large number that is then shifted more than the\nnumber of bits that fit into an unsigned long.\r\n\r\nUBSAN reports this problem:\r\n\r\n UBSAN: shift-out-of-bounds in drivers/nvmem/core.c:1386:8\n shift exponent 64 is too large for 64-bit type 'unsigned long'\n CPU: 6 PID: 7 Comm: kworker/u16:0 Not tainted 5.15.0-rc3+ #9\n Hardware name: Google Lazor (rev3+) with KB Backlight (DT)\n Workqueue: events_unbound deferred_probe_work_func\n Call trace:\n  dump_backtrace+0x0/0x170\n  show_stack+0x24/0x30\n  dump_stack_lvl+0x64/0x7c\n  dump_stack+0x18/0x38\n  ubsan_epilogue+0x10/0x54\n  __ubsan_handle_shift_out_of_bounds+0x180/0x194\n  __nvmem_cell_read+0x1ec/0x21c\n  nvmem_cell_read+0x58/0x94\n  nvmem_cell_read_variable_common+0x4c/0xb0\n  nvmem_cell_read_variable_le_u32+0x40/0x100\n  a6xx_gpu_init+0x170/0x2f4\n  adreno_bind+0x174/0x284\n  component_bind_all+0xf0/0x264\n  msm_drm_bind+0x1d8/0x7a0\n  try_to_bring_up_master+0x164/0x1ac\n  __component_add+0xbc/0x13c\n  component_add+0x20/0x2c\n  dp_display_probe+0x340/0x384\n  platform_probe+0xc0/0x100\n  really_probe+0x110/0x304\n  __driver_probe_device+0xb8/0x120\n  driver_probe_device+0x4c/0xfc\n  __device_attach_driver+0xb0/0x128\n  bus_for_each_drv+0x90/0xdc\n  __device_attach+0xc8/0x174\n  device_initial_probe+0x20/0x2c\n  bus_probe_device+0x40/0xa4\n  deferred_probe_work_func+0x7c/0xb8\n  process_one_work+0x128/0x21c\n  process_scheduled_works+0x40/0x54\n  worker_thread+0x1ec/0x2a8\n  kthread+0x138/0x158\n  ret_from_fork+0x10/0x20\r\n\r\nFix it by making sure there are any bits to mask out.(CVE-2021-47497)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: mpt3sas: Fix use-after-free warning\r\n\r\nFix the following use-after-free warning which is observed during\ncontroller reset:\r\n\r\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 23 PID: 5399 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0xf0(CVE-2022-48695)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnvmet: fix a use-after-free\r\n\r\nFix the following use-after-free complaint triggered by blktests nvme/004:\r\n\r\nBUG: KASAN: user-memory-access in blk_mq_complete_request_remote+0xac/0x350\nRead of size 4 at addr 0000607bd1835943 by task kworker/13:1/460\nWorkqueue: nvmet-wq nvme_loop_execute_work [nvme_loop]\nCall Trace:\n show_stack+0x52/0x58\n dump_stack_lvl+0x49/0x5e\n print_report.cold+0x36/0x1e2\n kasan_report+0xb9/0xf0\n __asan_load4+0x6b/0x80\n blk_mq_complete_request_remote+0xac/0x350\n nvme_loop_queue_response+0x1df/0x275 [nvme_loop]\n __nvmet_req_complete+0x132/0x4f0 [nvmet]\n nvmet_req_complete+0x15/0x40 [nvmet]\n nvmet_execute_io_connect+0x18a/0x1f0 [nvmet]\n nvme_loop_execute_work+0x20/0x30 [nvme_loop]\n process_one_work+0x56e/0xa70\n worker_thread+0x2d1/0x640\n kthread+0x183/0x1c0\n ret_from_fork+0x1f/0x30(CVE-2022-48697)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc()\r\n\r\nThe voice allocator sometimes begins allocating from near the end of the\narray and then wraps around, however snd_emu10k1_pcm_channel_alloc()\naccesses the newly allocated voices as if it never wrapped around.\r\n\r\nThis results in out of bounds access if the first voice has a high enough\nindex so that first_voice + requested_voice_count > NUM_G (64).\nThe more voices are requested, the more likely it is for this to occur.\r\n\r\nThis was initially discovered using PipeWire, however it can be reproduced\nby calling aplay multiple times with 16 channels:\naplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero\r\n\r\nUBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40\nindex 65 is out of range for type 'snd_emu10k1_voice [64]'\nCPU: 1 PID: 31977 Comm: aplay Tainted: G        W IOE      6.0.0-rc2-emu10k1+ #7\nHardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002    07/22/2010\nCall Trace:\n<TASK>\ndump_stack_lvl+0x49/0x63\ndump_stack+0x10/0x16\nubsan_epilogue+0x9/0x3f\n__ubsan_handle_out_of_bounds.cold+0x44/0x49\nsnd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1]\nsnd_pcm_hw_params+0x29f/0x600 [snd_pcm]\nsnd_pcm_common_ioctl+0x188/0x1410 [snd_pcm]\n? exit_to_user_mode_prepare+0x35/0x170\n? do_syscall_64+0x69/0x90\n? syscall_exit_to_user_mode+0x26/0x50\n? do_syscall_64+0x69/0x90\n? exit_to_user_mode_prepare+0x35/0x170\nsnd_pcm_ioctl+0x27/0x40 [snd_pcm]\n__x64_sys_ioctl+0x95/0xd0\ndo_syscall_64+0x5c/0x90\n? do_syscall_64+0x69/0x90\n? do_syscall_64+0x69/0x90\nentry_SYSCALL_64_after_hwframe+0x63/0xcd(CVE-2022-48702)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/radeon: add a force flush to delay work when radeon\r\n\r\nAlthough radeon card fence and wait for gpu to finish processing current batch rings,\nthere is still a corner case that radeon lockup work queue may not be fully flushed,\nand meanwhile the radeon_suspend_kms() function has called pci_set_power_state() to\nput device in D3hot state.\nPer PCI spec rev 4.0 on 5.3.1.4.1 D3hot State.\n> Configuration and Message requests are the only TLPs accepted by a Function in\n> the D3hot state. All other received Requests must be handled as Unsupported Requests,\n> and all received Completions may optionally be handled as Unexpected Completions.\nThis issue will happen in following logs:\nUnable to handle kernel paging request at virtual address 00008800e0008010\nCPU 0 kworker/0:3(131): Oops 0\npc = [<ffffffff811bea5c>]  ra = [<ffffffff81240844>]  ps = 0000 Tainted: G        W\npc is at si_gpu_check_soft_reset+0x3c/0x240\nra is at si_dma_is_lockup+0x34/0xd0\nv0 = 0000000000000000  t0 = fff08800e0008010  t1 = 0000000000010000\nt2 = 0000000000008010  t3 = fff00007e3c00000  t4 = fff00007e3c00258\nt5 = 000000000000ffff  t6 = 0000000000000001  t7 = fff00007ef078000\ns0 = fff00007e3c016e8  s1 = fff00007e3c00000  s2 = fff00007e3c00018\ns3 = fff00007e3c00000  s4 = fff00007fff59d80  s5 = 0000000000000000\ns6 = fff00007ef07bd98\na0 = fff00007e3c00000  a1 = fff00007e3c016e8  a2 = 0000000000000008\na3 = 0000000000000001  a4 = 8f5c28f5c28f5c29  a5 = ffffffff810f4338\nt8 = 0000000000000275  t9 = ffffffff809b66f8  t10 = ff6769c5d964b800\nt11= 000000000000b886  pv = ffffffff811bea20  at = 0000000000000000\ngp = ffffffff81d89690  sp = 00000000aa814126\nDisabling lock debugging due to kernel taint\nTrace:\n[<ffffffff81240844>] si_dma_is_lockup+0x34/0xd0\n[<ffffffff81119610>] radeon_fence_check_lockup+0xd0/0x290\n[<ffffffff80977010>] process_one_work+0x280/0x550\n[<ffffffff80977350>] worker_thread+0x70/0x7c0\n[<ffffffff80977410>] worker_thread+0x130/0x7c0\n[<ffffffff80982040>] kthread+0x200/0x210\n[<ffffffff809772e0>] worker_thread+0x0/0x7c0\n[<ffffffff80981f8c>] kthread+0x14c/0x210\n[<ffffffff80911658>] ret_from_kernel_thread+0x18/0x20\n[<ffffffff80981e40>] kthread+0x0/0x210\n Code: ad3e0008  43f0074a  ad7e0018  ad9e0020  8c3001e8  40230101\n <88210000> 4821ed21\nSo force lockup work queue flush to fix this problem.(CVE-2022-48704)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/radeon: fix a possible null pointer dereference\r\n\r\nIn radeon_fp_native_mode(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.\r\n\r\nThe failure status of drm_cvt_mode() on the other path is checked too.(CVE-2022-48710)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/tegra: dsi: Add missing check for of_find_device_by_node\r\n\r\nAdd check for the return value of of_find_device_by_node() and return\nthe error if it fails in order to avoid NULL pointer dereference.(CVE-2023-52650)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nNTB: fix possible name leak in ntb_register_device()\r\n\r\nIf device_register() fails in ntb_register_device(), the device name\nallocated by dev_set_name() should be freed. As per the comment in\ndevice_register(), callers should use put_device() to give up the\nreference in the error path. So fix this by calling put_device() in the\nerror path so that the name can be freed in kobject_cleanup().\r\n\r\nAs a result of this, put_device() in the error path of\nntb_register_device() is removed and the actual error is returned.\r\n\r\n[mani: reworded commit message](CVE-2023-52652)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nSUNRPC: fix a memleak in gss_import_v2_context\r\n\r\nThe ctx->mech_used.data allocated by kmemdup is not freed in neither\ngss_import_v2_context nor it only caller gss_krb5_import_sec_context,\nwhich frees ctx on error.\r\n\r\nThus, this patch reform the last call of gss_import_v2_context to the\ngss_krb5_import_ctx_v2, preventing the memleak while keepping the return\nformation.(CVE-2023-52653)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nio_uring: drop any code related to SCM_RIGHTS\r\n\r\nThis is dead code after we dropped support for passing io_uring fds\nover SCM_RIGHTS, get rid of it.(CVE-2023-52656)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nACPI: LPIT: Avoid u32 multiplication overflow\r\n\r\nIn lpit_update_residency() there is a possibility of overflow\nin multiplication, if tsc_khz is large enough (> UINT_MAX/1000).\r\n\r\nChange multiplication to mul_u32_u32().\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2023-52683)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npstore: ram_core: fix possible overflow in persistent_ram_init_ecc()\r\n\r\nIn persistent_ram_init_ecc(), on 64-bit arches DIV_ROUND_UP() will return\n64-bit value since persistent_ram_zone::buffer_size has type size_t which\nis derived from the 64-bit *unsigned long*, while the ecc_blocks variable\nthis value gets assigned to has (always 32-bit) *int* type.  Even if that\nvalue fits into *int* type, an overflow is still possible when calculating\nthe size_t typed ecc_total variable further below since there's no cast to\nany 64-bit type before multiplication.  Declaring the ecc_blocks variable\nas *size_t* should fix this mess...\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with the SVACE static\nanalysis tool.(CVE-2023-52685)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/pm: fix a double-free in si_dpm_init\r\n\r\nWhen the allocation of\nadev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries fails,\namdgpu_free_extended_power_table is called to free some fields of adev.\nHowever, when the control flow returns to si_dpm_sw_init, it goes to\nlabel dpm_failed and calls si_dpm_fini, which calls\namdgpu_free_extended_power_table again and free those fields again. Thus\na double-free is triggered.(CVE-2023-52691)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncalipso: fix memory leak in netlbl_calipso_add_pass()\r\n\r\nIf IPv6 support is disabled at boot (ipv6.disable=1),\nthe calipso_init() -> netlbl_calipso_ops_register() function isn't called,\nand the netlbl_calipso_ops_get() function always returns NULL.\nIn this case, the netlbl_calipso_add_pass() function allocates memory\nfor the doi_def variable but doesn't free it with the calipso_doi_free().\r\n\r\nBUG: memory leak\nunreferenced object 0xffff888011d68180 (size 64):\n  comm \"syz-executor.1\", pid 10746, jiffies 4295410986 (age 17.928s)\n  hex dump (first 32 bytes):\n    00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<...>] kmalloc include/linux/slab.h:552 [inline]\n    [<...>] netlbl_calipso_add_pass net/netlabel/netlabel_calipso.c:76 [inline]\n    [<...>] netlbl_calipso_add+0x22e/0x4f0 net/netlabel/netlabel_calipso.c:111\n    [<...>] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739\n    [<...>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n    [<...>] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800\n    [<...>] netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2515\n    [<...>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:811\n    [<...>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n    [<...>] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1339\n    [<...>] netlink_sendmsg+0x90a/0xdf0 net/netlink/af_netlink.c:1934\n    [<...>] sock_sendmsg_nosec net/socket.c:651 [inline]\n    [<...>] sock_sendmsg+0x157/0x190 net/socket.c:671\n    [<...>] ____sys_sendmsg+0x712/0x870 net/socket.c:2342\n    [<...>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2396\n    [<...>] __sys_sendmsg+0xea/0x1b0 net/socket.c:2429\n    [<...>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46\n    [<...>] entry_SYSCALL_64_after_hwframe+0x61/0xc6\r\n\r\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller\r\n\r\n[PM: merged via the LSM tree at Jakub Kicinski request](CVE-2023-52698)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL\r\n\r\nIn certain types of chips, such as VEGA20, reading the amdgpu_regs_smc file could result in an abnormal null pointer access when the smc_rreg pointer is NULL. Below are the steps to reproduce this issue and the corresponding exception log:\r\n\r\n1. Navigate to the directory: /sys/kernel/debug/dri/0\n2. Execute command: cat amdgpu_regs_smc\n3. Exception Log::\n[4005007.702554] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[4005007.702562] #PF: supervisor instruction fetch in kernel mode\n[4005007.702567] #PF: error_code(0x0010) - not-present page\n[4005007.702570] PGD 0 P4D 0\n[4005007.702576] Oops: 0010 [#1] SMP NOPTI\n[4005007.702581] CPU: 4 PID: 62563 Comm: cat Tainted: G           OE     5.15.0-43-generic #46-Ubunt       u\n[4005007.702590] RIP: 0010:0x0\n[4005007.702598] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.\n[4005007.702600] RSP: 0018:ffffa82b46d27da0 EFLAGS: 00010206\n[4005007.702605] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffa82b46d27e68\n[4005007.702609] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9940656e0000\n[4005007.702612] RBP: ffffa82b46d27dd8 R08: 0000000000000000 R09: ffff994060c07980\n[4005007.702615] R10: 0000000000020000 R11: 0000000000000000 R12: 00007f5e06753000\n[4005007.702618] R13: ffff9940656e0000 R14: ffffa82b46d27e68 R15: 00007f5e06753000\n[4005007.702622] FS:  00007f5e0755b740(0000) GS:ffff99479d300000(0000) knlGS:0000000000000000\n[4005007.702626] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[4005007.702629] CR2: ffffffffffffffd6 CR3: 00000003253fc000 CR4: 00000000003506e0\n[4005007.702633] Call Trace:\n[4005007.702636]  <TASK>\n[4005007.702640]  amdgpu_debugfs_regs_smc_read+0xb0/0x120 [amdgpu]\n[4005007.703002]  full_proxy_read+0x5c/0x80\n[4005007.703011]  vfs_read+0x9f/0x1a0\n[4005007.703019]  ksys_read+0x67/0xe0\n[4005007.703023]  __x64_sys_read+0x19/0x20\n[4005007.703028]  do_syscall_64+0x5c/0xc0\n[4005007.703034]  ? do_user_addr_fault+0x1e3/0x670\n[4005007.703040]  ? exit_to_user_mode_prepare+0x37/0xb0\n[4005007.703047]  ? irqentry_exit_to_user_mode+0x9/0x20\n[4005007.703052]  ? irqentry_exit+0x19/0x30\n[4005007.703057]  ? exc_page_fault+0x89/0x160\n[4005007.703062]  ? asm_exc_page_fault+0x8/0x30\n[4005007.703068]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[4005007.703075] RIP: 0033:0x7f5e07672992\n[4005007.703079] Code: c0 e9 b2 fe ff ff 50 48 8d 3d fa b2 0c 00 e8 c5 1d 02 00 0f 1f 44 00 00 f3 0f        1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 e       c 28 48 89 54 24\n[4005007.703083] RSP: 002b:00007ffe03097898 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[4005007.703088] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5e07672992\n[4005007.703091] RDX: 0000000000020000 RSI: 00007f5e06753000 RDI: 0000000000000003\n[4005007.703094] RBP: 00007f5e06753000 R08: 00007f5e06752010 R09: 00007f5e06752010\n[4005007.703096] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000022000\n[4005007.703099] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000\n[4005007.703105]  </TASK>\n[4005007.703107] Modules linked in: nf_tables libcrc32c nfnetlink algif_hash af_alg binfmt_misc nls_       iso8859_1 ipmi_ssif ast intel_rapl_msr intel_rapl_common drm_vram_helper drm_ttm_helper amd64_edac t       tm edac_mce_amd kvm_amd ccp mac_hid k10temp kvm acpi_ipmi ipmi_si rapl sch_fq_codel ipmi_devintf ipm       i_msghandler msr parport_pc ppdev lp parport mtd pstore_blk efi_pstore ramoops pstore_zone reed_solo       mon ip_tables x_tables autofs4 ib_uverbs ib_core amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) iommu_v       2 amd_sched(OE) amdkcl(OE) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec rc_core        drm igb ahci xhci_pci libahci i2c_piix4 i2c_algo_bit xhci_pci_renesas dca\n[4005007.703184] CR2: 0000000000000000\n[4005007.703188] ---[ en\n---truncated---(CVE-2023-52817)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd: Fix UBSAN array-index-out-of-bounds for SMU7\r\n\r\nFor pptable structs that use flexible array sizes, use flexible arrays.(CVE-2023-52818)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nperf/core: Bail out early if the request AUX area is out of bound\r\n\r\nWhen perf-record with a large AUX area, e.g 4GB, it fails with:\r\n\r\n    #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1\n    failed to mmap with 12 (Cannot allocate memory)\r\n\r\nand it reveals a WARNING with __alloc_pages():\r\n\r\n\t------------[ cut here ]------------\n\tWARNING: CPU: 44 PID: 17573 at mm/page_alloc.c:5568 __alloc_pages+0x1ec/0x248\n\tCall trace:\n\t __alloc_pages+0x1ec/0x248\n\t __kmalloc_large_node+0xc0/0x1f8\n\t __kmalloc_node+0x134/0x1e8\n\t rb_alloc_aux+0xe0/0x298\n\t perf_mmap+0x440/0x660\n\t mmap_region+0x308/0x8a8\n\t do_mmap+0x3c0/0x528\n\t vm_mmap_pgoff+0xf4/0x1b8\n\t ksys_mmap_pgoff+0x18c/0x218\n\t __arm64_sys_mmap+0x38/0x58\n\t invoke_syscall+0x50/0x128\n\t el0_svc_common.constprop.0+0x58/0x188\n\t do_el0_svc+0x34/0x50\n\t el0_svc+0x34/0x108\n\t el0t_64_sync_handler+0xb8/0xc0\n\t el0t_64_sync+0x1a4/0x1a8\r\n\r\n'rb->aux_pages' allocated by kcalloc() is a pointer array which is used to\nmaintains AUX trace pages. The allocated page for this array is physically\ncontiguous (and virtually contiguous) with an order of 0..MAX_ORDER. If the\nsize of pointer array crosses the limitation set by MAX_ORDER, it reveals a\nWARNING.\r\n\r\nSo bail out early with -ENOMEM if the request AUX area is out of bound,\ne.g.:\r\n\r\n    #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1\n    failed to mmap with 12 (Cannot allocate memory)(CVE-2023-52835)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nInput: synaptics-rmi4 - fix use after free in rmi_unregister_function()\r\n\r\nThe put_device() calls rmi_release_function() which frees \"fn\" so the\ndereference on the next line \"fn->num_of_irqs\" is a use after free.\nMove the put_device() to the end to fix this.(CVE-2023-52840)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: bttv: fix use after free error due to btv->timeout timer\r\n\r\nThere may be some a race condition between timer function\nbttv_irq_timeout and bttv_remove. The timer is setup in\nprobe and there is no timer_delete operation in remove\nfunction. When it hit kfree btv, the function might still be\ninvoked, which will cause use after free bug.\r\n\r\nThis bug is found by static analysis, it may be false positive.\r\n\r\nFix it by adding del_timer_sync invoking to the remove function.\r\n\r\ncpu0                cpu1\n                  bttv_probe\n                    ->timer_setup\n                      ->bttv_set_dma\n                        ->mod_timer;\nbttv_remove\n  ->kfree(btv);\n                  ->bttv_irq_timeout\n                    ->USE btv(CVE-2023-52847)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/radeon: possible buffer overflow\r\n\r\nBuffer 'afmt_status' of size 6 could overflow, since index 'afmt_idx' is\nchecked after access.(CVE-2023-52867)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nthermal: core: prevent potential string overflow\r\n\r\nThe dev->id value comes from ida_alloc() so it's a number between zero\nand INT_MAX.  If it's too high then these sprintf()s will overflow.(CVE-2023-52868)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: prevent kernel bug at submit_bh_wbc()\r\n\r\nFix a bug where nilfs_get_block() returns a successful status when\nsearching and inserting the specified block both fail inconsistently.  If\nthis inconsistent behavior is not due to a previously fixed bug, then an\nunexpected race is occurring, so return a temporary error -EAGAIN instead.\r\n\r\nThis prevents callers such as __block_write_begin_int() from requesting a\nread into a buffer that is not mapped, which would cause the BUG_ON check\nfor the BH_Mapped flag in submit_bh_wbc() to fail.(CVE-2024-26955)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix failure to detect DAT corruption in btree and direct mappings\r\n\r\nPatch series \"nilfs2: fix kernel bug at submit_bh_wbc()\".\r\n\r\nThis resolves a kernel BUG reported by syzbot.  Since there are two\nflaws involved, I've made each one a separate patch.\r\n\r\nThe first patch alone resolves the syzbot-reported bug, but I think\nboth fixes should be sent to stable, so I've tagged them as such.\r\n\r\n\nThis patch (of 2):\r\n\r\nSyzbot has reported a kernel bug in submit_bh_wbc() when writing file data\nto a nilfs2 file system whose metadata is corrupted.\r\n\r\nThere are two flaws involved in this issue.\r\n\r\nThe first flaw is that when nilfs_get_block() locates a data block using\nbtree or direct mapping, if the disk address translation routine\nnilfs_dat_translate() fails with internal code -ENOENT due to DAT metadata\ncorruption, it can be passed back to nilfs_get_block().  This causes\nnilfs_get_block() to misidentify an existing block as non-existent,\ncausing both data block lookup and insertion to fail inconsistently.\r\n\r\nThe second flaw is that nilfs_get_block() returns a successful status in\nthis inconsistent state.  This causes the caller __block_write_begin_int()\nor others to request a read even though the buffer is not mapped,\nresulting in a BUG_ON check for the BH_Mapped flag in submit_bh_wbc()\nfailing.\r\n\r\nThis fixes the first issue by changing the return value to code -EINVAL\nwhen a conversion using DAT fails with code -ENOENT, avoiding the\nconflicting condition that leads to the kernel bug described above.  Here,\ncode -EINVAL indicates that metadata corruption was detected during the\nblock lookup, which will be properly handled as a file system error and\nconverted to -EIO when passing through the nilfs2 bmap layer.(CVE-2024-26956)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/zcrypt: fix reference counting on zcrypt card objects\r\n\r\nTests with hot-plugging crytpo cards on KVM guests with debug\nkernel build revealed an use after free for the load field of\nthe struct zcrypt_card. The reason was an incorrect reference\nhandling of the zcrypt card object which could lead to a free\nof the zcrypt card object while it was still in use.\r\n\r\nThis is an example of the slab message:\r\n\r\n    kernel: 0x00000000885a7512-0x00000000885a7513 @offset=1298. First byte 0x68 instead of 0x6b\n    kernel: Allocated in zcrypt_card_alloc+0x36/0x70 [zcrypt] age=18046 cpu=3 pid=43\n    kernel:  kmalloc_trace+0x3f2/0x470\n    kernel:  zcrypt_card_alloc+0x36/0x70 [zcrypt]\n    kernel:  zcrypt_cex4_card_probe+0x26/0x380 [zcrypt_cex4]\n    kernel:  ap_device_probe+0x15c/0x290\n    kernel:  really_probe+0xd2/0x468\n    kernel:  driver_probe_device+0x40/0xf0\n    kernel:  __device_attach_driver+0xc0/0x140\n    kernel:  bus_for_each_drv+0x8c/0xd0\n    kernel:  __device_attach+0x114/0x198\n    kernel:  bus_probe_device+0xb4/0xc8\n    kernel:  device_add+0x4d2/0x6e0\n    kernel:  ap_scan_adapter+0x3d0/0x7c0\n    kernel:  ap_scan_bus+0x5a/0x3b0\n    kernel:  ap_scan_bus_wq_callback+0x40/0x60\n    kernel:  process_one_work+0x26e/0x620\n    kernel:  worker_thread+0x21c/0x440\n    kernel: Freed in zcrypt_card_put+0x54/0x80 [zcrypt] age=9024 cpu=3 pid=43\n    kernel:  kfree+0x37e/0x418\n    kernel:  zcrypt_card_put+0x54/0x80 [zcrypt]\n    kernel:  ap_device_remove+0x4c/0xe0\n    kernel:  device_release_driver_internal+0x1c4/0x270\n    kernel:  bus_remove_device+0x100/0x188\n    kernel:  device_del+0x164/0x3c0\n    kernel:  device_unregister+0x30/0x90\n    kernel:  ap_scan_adapter+0xc8/0x7c0\n    kernel:  ap_scan_bus+0x5a/0x3b0\n    kernel:  ap_scan_bus_wq_callback+0x40/0x60\n    kernel:  process_one_work+0x26e/0x620\n    kernel:  worker_thread+0x21c/0x440\n    kernel:  kthread+0x150/0x168\n    kernel:  __ret_from_fork+0x3c/0x58\n    kernel:  ret_from_fork+0xa/0x30\n    kernel: Slab 0x00000372022169c0 objects=20 used=18 fp=0x00000000885a7c88 flags=0x3ffff00000000a00(workingset|slab|node=0|zone=1|lastcpupid=0x1ffff)\n    kernel: Object 0x00000000885a74b8 @offset=1208 fp=0x00000000885a7c88\n    kernel: Redzone  00000000885a74b0: bb bb bb bb bb bb bb bb                          ........\n    kernel: Object   00000000885a74b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a7508: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 68 4b 6b 6b 6b a5  kkkkkkkkkkhKkkk.\n    kernel: Redzone  00000000885a7518: bb bb bb bb bb bb bb bb                          ........\n    kernel: Padding  00000000885a756c: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a              ZZZZZZZZZZZZ\n    kernel: CPU: 0 PID: 387 Comm: systemd-udevd Not tainted 6.8.0-HF #2\n    kernel: Hardware name: IBM 3931 A01 704 (KVM/Linux)\n    kernel: Call Trace:\n    kernel:  [<00000000ca5ab5b8>] dump_stack_lvl+0x90/0x120\n    kernel:  [<00000000c99d78bc>] check_bytes_and_report+0x114/0x140\n    kernel:  [<00000000c99d53cc>] check_object+0x334/0x3f8\n    kernel:  [<00000000c99d820c>] alloc_debug_processing+0xc4/0x1f8\n    kernel:  [<00000000c99d852e>] get_partial_node.part.0+0x1ee/0x3e0\n    kernel:  [<00000000c99d94ec>] ___slab_alloc+0xaf4/0x13c8\n    kernel:  [<00000000c99d9e38>] __slab_alloc.constprop.0+0x78/0xb8\n    kernel:  [<00000000c99dc8dc>] __kmalloc+0x434/0x590\n    kernel:  [<00000000c9b4c0ce>] ext4_htree_store_dirent+0x4e/0x1c0\n    kernel:  [<00000000c9b908a2>] htree_dirblock_to_tree+0x17a/0x3f0\n    kernel: \n---truncated---(CVE-2024-26957)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfs: fix UAF in direct writes\r\n\r\nIn production we have been hitting the following warning consistently\r\n\r\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0\nWorkqueue: nfsiod nfs_direct_write_schedule_work [nfs]\nRIP: 0010:refcount_warn_saturate+0x9c/0xe0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? __warn+0x9f/0x130\n ? refcount_warn_saturate+0x9c/0xe0\n ? report_bug+0xcc/0x150\n ? handle_bug+0x3d/0x70\n ? exc_invalid_op+0x16/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? refcount_warn_saturate+0x9c/0xe0\n nfs_direct_write_schedule_work+0x237/0x250 [nfs]\n process_one_work+0x12f/0x4a0\n worker_thread+0x14e/0x3b0\n ? ZSTD_getCParams_internal+0x220/0x220\n kthread+0xdc/0x120\n ? __btf_name_valid+0xa0/0xa0\n ret_from_fork+0x1f/0x30\r\n\r\nThis is because we're completing the nfs_direct_request twice in a row.\r\n\r\nThe source of this is when we have our commit requests to submit, we\nprocess them and send them off, and then in the completion path for the\ncommit requests we have\r\n\r\nif (nfs_commit_end(cinfo.mds))\n\tnfs_direct_write_complete(dreq);\r\n\r\nHowever since we're submitting asynchronous requests we sometimes have\none that completes before we submit the next one, so we end up calling\ncomplete on the nfs_direct_request twice.\r\n\r\nThe only other place we use nfs_generic_commit_list() is in\n__nfs_commit_inode, which wraps this call in a\r\n\r\nnfs_commit_begin();\nnfs_commit_end();\r\n\r\nWhich is a common pattern for this style of completion handling, one\nthat is also repeated in the direct code with get_dreq()/put_dreq()\ncalls around where we process events as well as in the completion paths.\r\n\r\nFix this by using the same pattern for the commit requests.\r\n\r\nBefore with my 200 node rocksdb stress running this warning would pop\nevery 10ish minutes.  With my patch the stress test has been running for\nseveral hours without popping.(CVE-2024-26958)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm: swap: fix race between free_swap_and_cache() and swapoff()\r\n\r\nThere was previously a theoretical window where swapoff() could run and\nteardown a swap_info_struct while a call to free_swap_and_cache() was\nrunning in another thread.  This could cause, amongst other bad\npossibilities, swap_page_trans_huge_swapped() (called by\nfree_swap_and_cache()) to access the freed memory for swap_map.\r\n\r\nThis is a theoretical problem and I haven't been able to provoke it from a\ntest case.  But there has been agreement based on code review that this is\npossible (see link below).\r\n\r\nFix it by using get_swap_device()/put_swap_device(), which will stall\nswapoff().  There was an extra check in _swap_info_get() to confirm that\nthe swap entry was not free.  This isn't present in get_swap_device()\nbecause it doesn't make sense in general due to the race between getting\nthe reference and swapoff.  So I've added an equivalent check directly in\nfree_swap_and_cache().\r\n\r\nDetails of how to provoke one possible issue (thanks to David Hildenbrand\nfor deriving this):\r\n\r\n--8<-----\r\n\r\n__swap_entry_free() might be the last user and result in\n\"count == SWAP_HAS_CACHE\".\r\n\r\nswapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0.\r\n\r\nSo the question is: could someone reclaim the folio and turn\nsi->inuse_pages==0, before we completed swap_page_trans_huge_swapped().\r\n\r\nImagine the following: 2 MiB folio in the swapcache. Only 2 subpages are\nstill references by swap entries.\r\n\r\nProcess 1 still references subpage 0 via swap entry.\nProcess 2 still references subpage 1 via swap entry.\r\n\r\nProcess 1 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n[then, preempted in the hypervisor etc.]\r\n\r\nProcess 2 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\r\n\r\nProcess 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls\n__try_to_reclaim_swap().\r\n\r\n__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()->\nput_swap_folio()->free_swap_slot()->swapcache_free_entries()->\nswap_entry_free()->swap_range_free()->\n...\nWRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries);\r\n\r\nWhat stops swapoff to succeed after process 2 reclaimed the swap cache\nbut before process1 finished its call to swap_page_trans_huge_swapped()?\r\n\r\n--8<-----(CVE-2024-26960)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmac802154: fix llsec key resources release in mac802154_llsec_key_del\r\n\r\nmac802154_llsec_key_del() can free resources of a key directly without\nfollowing the RCU rules for waiting before the end of a grace period. This\nmay lead to use-after-free in case llsec_lookup_key() is traversing the\nlist of keys in parallel with a key deletion:\r\n\r\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0\nModules linked in:\nCPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x162/0x2a0\nCall Trace:\n <TASK>\n llsec_lookup_key.isra.0+0x890/0x9e0\n mac802154_llsec_encrypt+0x30c/0x9c0\n ieee802154_subif_start_xmit+0x24/0x1e0\n dev_hard_start_xmit+0x13e/0x690\n sch_direct_xmit+0x2ae/0xbc0\n __dev_queue_xmit+0x11dd/0x3c20\n dgram_sendmsg+0x90b/0xd60\n __sys_sendto+0x466/0x4c0\n __x64_sys_sendto+0xe0/0x1c0\n do_syscall_64+0x45/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\nAlso, ieee802154_llsec_key_entry structures are not freed by\nmac802154_llsec_key_del():\r\n\r\nunreferenced object 0xffff8880613b6980 (size 64):\n  comm \"iwpan\", pid 2176, jiffies 4294761134 (age 60.475s)\n  hex dump (first 32 bytes):\n    78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de  x.......\".......\n    00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00  ................\n  backtrace:\n    [<ffffffff81dcfa62>] __kmem_cache_alloc_node+0x1e2/0x2d0\n    [<ffffffff81c43865>] kmalloc_trace+0x25/0xc0\n    [<ffffffff88968b09>] mac802154_llsec_key_add+0xac9/0xcf0\n    [<ffffffff8896e41a>] ieee802154_add_llsec_key+0x5a/0x80\n    [<ffffffff8892adc6>] nl802154_add_llsec_key+0x426/0x5b0\n    [<ffffffff86ff293e>] genl_family_rcv_msg_doit+0x1fe/0x2f0\n    [<ffffffff86ff46d1>] genl_rcv_msg+0x531/0x7d0\n    [<ffffffff86fee7a9>] netlink_rcv_skb+0x169/0x440\n    [<ffffffff86ff1d88>] genl_rcv+0x28/0x40\n    [<ffffffff86fec15c>] netlink_unicast+0x53c/0x820\n    [<ffffffff86fecd8b>] netlink_sendmsg+0x93b/0xe60\n    [<ffffffff86b91b35>] ____sys_sendmsg+0xac5/0xca0\n    [<ffffffff86b9c3dd>] ___sys_sendmsg+0x11d/0x1c0\n    [<ffffffff86b9c65a>] __sys_sendmsg+0xfa/0x1d0\n    [<ffffffff88eadbf5>] do_syscall_64+0x45/0xf0\n    [<ffffffff890000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\nHandle the proper resource release in the RCU callback function\nmac802154_llsec_key_del_rcu().\r\n\r\nNote that if llsec_lookup_key() finds a key, it gets a refcount via\nllsec_key_get() and locally copies key id from key_entry (which is a\nlist element). So it's safe to call llsec_key_put() and free the list\nentry after the RCU grace period elapses.\r\n\r\nFound by Linux Verification Center (linuxtesting.org).(CVE-2024-26961)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: qcom: mmcc-msm8974: fix terminating of frequency table arrays\r\n\r\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\r\n\r\nOnly compile tested.(CVE-2024-26965)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: qcom: mmcc-apq8084: fix terminating of frequency table arrays\r\n\r\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\r\n\r\nOnly compile tested.(CVE-2024-26966)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: qcom: gcc-ipq8074: fix terminating of frequency table arrays\r\n\r\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\r\n\r\nOnly compile tested.(CVE-2024-26969)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: qat - resolve race condition during AER recovery\r\n\r\nDuring the PCI AER system's error recovery process, the kernel driver\nmay encounter a race condition with freeing the reset_data structure's\nmemory. If the device restart will take more than 10 seconds the function\nscheduling that restart will exit due to a timeout, and the reset_data\nstructure will be freed. However, this data structure is used for\ncompletion notification after the restart is completed, which leads\nto a UAF bug.\r\n\r\nThis results in a KFENCE bug notice.\r\n\r\n  BUG: KFENCE: use-after-free read in adf_device_reset_worker+0x38/0xa0 [intel_qat]\n  Use-after-free read at 0x00000000bc56fddf (in kfence-#142):\n  adf_device_reset_worker+0x38/0xa0 [intel_qat]\n  process_one_work+0x173/0x340\r\n\r\nTo resolve this race condition, the memory associated to the container\nof the work_struct is freed on the worker if the timeout expired,\notherwise on the function that schedules the worker.\nThe timeout detection can be done by checking if the caller is\nstill waiting for completion or not by using completion_done() function.(CVE-2024-26974)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: Always flush async #PF workqueue when vCPU is being destroyed\r\n\r\nAlways flush the per-vCPU async #PF workqueue when a vCPU is clearing its\ncompletion queue, e.g. when a VM and all its vCPUs is being destroyed.\nKVM must ensure that none of its workqueue callbacks is running when the\nlast reference to the KVM _module_ is put.  Gifting a reference to the\nassociated VM prevents the workqueue callback from dereferencing freed\nvCPU/VM memory, but does not prevent the KVM module from being unloaded\nbefore the callback completes.\r\n\r\nDrop the misguided VM refcount gifting, as calling kvm_put_kvm() from\nasync_pf_execute() if kvm_put_kvm() flushes the async #PF workqueue will\nresult in deadlock.  async_pf_execute() can't return until kvm_put_kvm()\nfinishes, and kvm_put_kvm() can't return until async_pf_execute() finishes:\r\n\r\n WARNING: CPU: 8 PID: 251 at virt/kvm/kvm_main.c:1435 kvm_put_kvm+0x2d/0x320 [kvm]\n Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel kvm irqbypass\n CPU: 8 PID: 251 Comm: kworker/8:1 Tainted: G        W          6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n Workqueue: events async_pf_execute [kvm]\n RIP: 0010:kvm_put_kvm+0x2d/0x320 [kvm]\n Call Trace:\n  <TASK>\n  async_pf_execute+0x198/0x260 [kvm]\n  process_one_work+0x145/0x2d0\n  worker_thread+0x27e/0x3a0\n  kthread+0xba/0xe0\n  ret_from_fork+0x2d/0x50\n  ret_from_fork_asm+0x11/0x20\n  </TASK>\n ---[ end trace 0000000000000000 ]---\n INFO: task kworker/8:1:251 blocked for more than 120 seconds.\n       Tainted: G        W          6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/8:1     state:D stack:0     pid:251   ppid:2      flags:0x00004000\n Workqueue: events async_pf_execute [kvm]\n Call Trace:\n  <TASK>\n  __schedule+0x33f/0xa40\n  schedule+0x53/0xc0\n  schedule_timeout+0x12a/0x140\n  __wait_for_common+0x8d/0x1d0\n  __flush_work.isra.0+0x19f/0x2c0\n  kvm_clear_async_pf_completion_queue+0x129/0x190 [kvm]\n  kvm_arch_destroy_vm+0x78/0x1b0 [kvm]\n  kvm_put_kvm+0x1c1/0x320 [kvm]\n  async_pf_execute+0x198/0x260 [kvm]\n  process_one_work+0x145/0x2d0\n  worker_thread+0x27e/0x3a0\n  kthread+0xba/0xe0\n  ret_from_fork+0x2d/0x50\n  ret_from_fork_asm+0x11/0x20\n  </TASK>\r\n\r\nIf kvm_clear_async_pf_completion_queue() actually flushes the workqueue,\nthen there's no need to gift async_pf_execute() a reference because all\ninvocations of async_pf_execute() will be forced to complete before the\nvCPU and its VM are destroyed/freed.  And that in turn fixes the module\nunloading bug as __fput() won't do module_put() on the last vCPU reference\nuntil the vCPU has been freed, e.g. if closing the vCPU file also puts the\nlast reference to the KVM module.\r\n\r\nNote that kvm_check_async_pf_completion() may also take the work item off\nthe completion queue and so also needs to flush the work queue, as the\nwork will not be seen by kvm_clear_async_pf_completion_queue().  Waiting\non the workqueue could theoretically delay a vCPU due to waiting for the\nwork to complete, but that's a very, very small chance, and likely a very\nsmall delay.  kvm_arch_async_page_present_queued() unconditionally makes a\nnew request, i.e. will effectively delay entering the guest, so the\nremaining work is really just:\r\n\r\n        trace_kvm_async_pf_completed(addr, cr2_or_gpa);\r\n\r\n        __kvm_vcpu_wake_up(vcpu);\r\n\r\n        mmput(mm);\r\n\r\nand mmput() can't drop the last reference to the page tables if the vCPU is\nstill alive, i.e. the vCPU won't get stuck tearing down page tables.\r\n\r\nAdd a helper to do the flushing, specifically to deal with \"wakeup all\"\nwork items, as they aren't actually work items, i.e. are never placed in a\nworkqueue.  Trying to flush a bogus workqueue entry rightly makes\n__flush_work() complain (kudos to whoever added that sanity check).\r\n\r\nNote, commit 5f6de5cbebee (\"KVM: Prevent module exit until al\n---truncated---(CVE-2024-26976)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix OOB in nilfs_set_de_type\r\n\r\nThe size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is\ndefined as \"S_IFMT >> S_SHIFT\", but the nilfs_set_de_type() function,\nwhich uses this array, specifies the index to read from the array in the\nsame way as \"(mode & S_IFMT) >> S_SHIFT\".\r\n\r\nstatic void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode\n *inode)\n{\n\tumode_t mode = inode->i_mode;\r\n\r\n\tde->file_type = nilfs_type_by_mode[(mode & S_IFMT)>>S_SHIFT]; // oob\n}\r\n\r\nHowever, when the index is determined this way, an out-of-bounds (OOB)\nerror occurs by referring to an index that is 1 larger than the array size\nwhen the condition \"mode & S_IFMT == S_IFMT\" is satisfied.  Therefore, a\npatch to resize the nilfs_type_by_mode array should be applied to prevent\nOOB errors.(CVE-2024-26981)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nSquashfs: check the inode number is not the invalid value of zero\r\n\r\nSyskiller has produced an out of bounds access in fill_meta_index().\r\n\r\nThat out of bounds access is ultimately caused because the inode\nhas an inode number with the invalid value of zero, which was not checked.\r\n\r\nThe reason this causes the out of bounds access is due to following\nsequence of events:\r\n\r\n1. Fill_meta_index() is called to allocate (via empty_meta_index())\n   and fill a metadata index.  It however suffers a data read error\n   and aborts, invalidating the newly returned empty metadata index.\n   It does this by setting the inode number of the index to zero,\n   which means unused (zero is not a valid inode number).\r\n\r\n2. When fill_meta_index() is subsequently called again on another\n   read operation, locate_meta_index() returns the previous index\n   because it matches the inode number of 0.  Because this index\n   has been returned it is expected to have been filled, and because\n   it hasn't been, an out of bounds access is performed.\r\n\r\nThis patch adds a sanity check which checks that the inode number\nis not zero when the inode is created and returns -EINVAL if it is.\r\n\r\n[phillip@squashfs.org.uk: whitespace fix]\n  Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk(CVE-2024-26982)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs: sysfs: Fix reference leak in sysfs_break_active_protection()\r\n\r\nThe sysfs_break_active_protection() routine has an obvious reference\nleak in its error path.  If the call to kernfs_find_and_get() fails then\nkn will be NULL, so the companion sysfs_unbreak_active_protection()\nroutine won't get called (and would only cause an access violation by\ntrying to dereference kn->parent if it was called).  As a result, the\nreference to kobj acquired at the start of the function will never be\nreleased.\r\n\r\nFix the leak by adding an explicit kobject_put() call when kn is NULL.(CVE-2024-26993)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nspeakup: Avoid crash on very long word\r\n\r\nIn case a console is set up really large and contains a really long word\n(> 256 characters), we have to stop before the length of the word buffer.(CVE-2024-26994)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error\r\n\r\nWhen ncm function is working and then stop usb0 interface for link down,\neth_stop() is called. At this piont, accidentally if usb transport error\nshould happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.\r\n\r\nAfter that, ncm_disable() is called to disable for ncm unbind\nbut gether_disconnect() is never called since 'in_ep' is not enabled.\r\n\r\nAs the result, ncm object is released in ncm unbind\nbut 'dev->port_usb' associated to 'ncm->port' is not NULL.\r\n\r\nAnd when ncm bind again to recover netdev, ncm object is reallocated\nbut usb0 interface is already associated to previous released ncm object.\r\n\r\nTherefore, once usb0 interface is up and eth_start_xmit() is called,\nreleased ncm object is dereferrenced and it might cause use-after-free memory.\r\n\r\n[function unlink via configfs]\n  usb0: eth_stop dev->port_usb=ffffff9b179c3200\n  --> error happens in usb_ep_enable().\n  NCM: ncm_disable: ncm=ffffff9b179c3200\n  --> no gether_disconnect() since ncm->port.in_ep->enabled is false.\n  NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200\n  NCM: ncm_free: ncm free ncm=ffffff9b179c3200   <-- released ncm\r\n\r\n[function link via configfs]\n  NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000\n  NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000\n  NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0\n  usb0: eth_open dev->port_usb=ffffff9b179c3200  <-- previous released ncm\n  usb0: eth_start dev->port_usb=ffffff9b179c3200 <--\n  eth_start_xmit()\n  --> dev->wrap()\n  Unable to handle kernel paging request at virtual address dead00000000014f\r\n\r\nThis patch addresses the issue by checking if 'ncm->netdev' is not NULL at\nncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'.\nIt's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect\nrather than check 'ncm->port.in_ep->enabled' since it might not be enabled\nbut the gether connection might be established.(CVE-2024-26996)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nserial/pmac_zilog: Remove flawed mitigation for rx irq flood\r\n\r\nThe mitigation was intended to stop the irq completely. That may be\nbetter than a hard lock-up but it turns out that you get a crash anyway\nif you're using pmac_zilog as a serial console:\r\n\r\nttyPZ0: pmz: rx irq flood !\nBUG: spinlock recursion on CPU#0, swapper/0\r\n\r\nThat's because the pr_err() call in pmz_receive_chars() results in\npmz_console_write() attempting to lock a spinlock already locked in\npmz_interrupt(). With CONFIG_DEBUG_SPINLOCK=y, this produces a fatal\nBUG splat. The spinlock in question is the one in struct uart_port.\r\n\r\nEven when it's not fatal, the serial port rx function ceases to work.\nAlso, the iteration limit doesn't play nicely with QEMU, as can be\nseen in the bug report linked below.\r\n\r\nA web search for other reports of the error message \"pmz: rx irq flood\"\ndidn't produce anything. So I don't think this code is needed any more.\nRemove it.(CVE-2024-26999)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nserial: mxs-auart: add spinlock around changing cts state\r\n\r\nThe uart_handle_cts_change() function in serial_core expects the caller\nto hold uport->lock. For example, I have seen the below kernel splat,\nwhen the Bluetooth driver is loaded on an i.MX28 board.\r\n\r\n    [   85.119255] ------------[ cut here ]------------\n    [   85.124413] WARNING: CPU: 0 PID: 27 at /drivers/tty/serial/serial_core.c:3453 uart_handle_cts_change+0xb4/0xec\n    [   85.134694] Modules linked in: hci_uart bluetooth ecdh_generic ecc wlcore_sdio configfs\n    [   85.143314] CPU: 0 PID: 27 Comm: kworker/u3:0 Not tainted 6.6.3-00021-gd62a2f068f92 #1\n    [   85.151396] Hardware name: Freescale MXS (Device Tree)\n    [   85.156679] Workqueue: hci0 hci_power_on [bluetooth]\n    (...)\n    [   85.191765]  uart_handle_cts_change from mxs_auart_irq_handle+0x380/0x3f4\n    [   85.198787]  mxs_auart_irq_handle from __handle_irq_event_percpu+0x88/0x210\n    (...)(CVE-2024-27000)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncomedi: vmk80xx: fix incomplete endpoint checking\r\n\r\nWhile vmk80xx does have endpoint checking implemented, some things\ncan fall through the cracks. Depending on the hardware model,\nURBs can have either bulk or interrupt type, and current version\nof vmk80xx_find_usb_endpoints() function does not take that fully\ninto account. While this warning does not seem to be too harmful,\nat the very least it will crash systems with 'panic_on_warn' set on\nthem.\r\n\r\nFix the issue found by Syzkaller [1] by somewhat simplifying the\nendpoint checking process with usb_find_common_endpoints() and\nensuring that only expected endpoint types are present.\r\n\r\nThis patch has not been tested on real hardware.\r\n\r\n[1] Syzkaller report:\nusb 1-1: BOGUS urb xfer, pipe 1 != type 3\nWARNING: CPU: 0 PID: 781 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503\n...\nCall Trace:\n <TASK>\n usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59\n vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [inline]\n vmk80xx_auto_attach+0xa1c/0x1a40 drivers/comedi/drivers/vmk80xx.c:818\n comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067\n usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399\n...\r\n\r\nSimilar issue also found by Syzkaller:(CVE-2024-27001)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm: nv04: Fix out of bounds access\r\n\r\nWhen Output Resource (dcb->or) value is assigned in\nfabricate_dcb_output(), there may be out of bounds access to\ndac_users array in case dcb->or is zero because ffs(dcb->or) is\nused as index there.\nThe 'or' argument of fabricate_dcb_output() must be interpreted as a\nnumber of bit to set, not value.\r\n\r\nUtilize macros from 'enum nouveau_or' in calls instead of hardcoding.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-27008)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: Fix mirred deadlock on device recursion\r\n\r\nWhen the mirred action is used on a classful egress qdisc and a packet is\nmirrored or redirected to self we hit a qdisc lock deadlock.\nSee trace below.\r\n\r\n[..... other info removed for brevity....]\n[   82.890906]\n[   82.890906] ============================================\n[   82.890906] WARNING: possible recursive locking detected\n[   82.890906] 6.8.0-05205-g77fadd89fe2d-dirty #213 Tainted: G        W\n[   82.890906] --------------------------------------------\n[   82.890906] ping/418 is trying to acquire lock:\n[   82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:\n__dev_queue_xmit+0x1778/0x3550\n[   82.890906]\n[   82.890906] but task is already holding lock:\n[   82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:\n__dev_queue_xmit+0x1778/0x3550\n[   82.890906]\n[   82.890906] other info that might help us debug this:\n[   82.890906]  Possible unsafe locking scenario:\n[   82.890906]\n[   82.890906]        CPU0\n[   82.890906]        ----\n[   82.890906]   lock(&sch->q.lock);\n[   82.890906]   lock(&sch->q.lock);\n[   82.890906]\n[   82.890906]  *** DEADLOCK ***\n[   82.890906]\n[..... other info removed for brevity....]\r\n\r\nExample setup (eth0->eth0) to recreate\ntc qdisc add dev eth0 root handle 1: htb default 30\ntc filter add dev eth0 handle 1: protocol ip prio 2 matchall \\\n     action mirred egress redirect dev eth0\r\n\r\nAnother example(eth0->eth1->eth0) to recreate\ntc qdisc add dev eth0 root handle 1: htb default 30\ntc filter add dev eth0 handle 1: protocol ip prio 2 matchall \\\n     action mirred egress redirect dev eth1\r\n\r\ntc qdisc add dev eth1 root handle 1: htb default 30\ntc filter add dev eth1 handle 1: protocol ip prio 2 matchall \\\n     action mirred egress redirect dev eth0\r\n\r\nWe fix this by adding an owner field (CPU id) to struct Qdisc set after\nroot qdisc is entered. When the softirq enters it a second time, if the\nqdisc owner is the same CPU, the packet is dropped to break the loop.(CVE-2024-27010)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: fix memleak in map from abort path\r\n\r\nThe delete set command does not rely on the transaction object for\nelement removal, therefore, a combination of delete element + delete set\nfrom the abort path could result in restoring twice the refcount of the\nmapping.\r\n\r\nCheck for inactive element in the next generation for the delete element\ncommand in the abort path, skip restoring state if next generation bit\nhas been already cleared. This is similar to the activate logic using\nthe set walk iterator.\r\n\r\n[ 6170.286929] ------------[ cut here ]------------\n[ 6170.286939] WARNING: CPU: 6 PID: 790302 at net/netfilter/nf_tables_api.c:2086 nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.287071] Modules linked in: [...]\n[ 6170.287633] CPU: 6 PID: 790302 Comm: kworker/6:2 Not tainted 6.9.0-rc3+ #365\n[ 6170.287768] RIP: 0010:nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.287886] Code: df 48 8d 7d 58 e8 69 2e 3b df 48 8b 7d 58 e8 80 1b 37 df 48 8d 7d 68 e8 57 2e 3b df 48 8b 7d 68 e8 6e 1b 37 df 48 89 ef eb c4 <0f> 0b 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 0f\n[ 6170.287895] RSP: 0018:ffff888134b8fd08 EFLAGS: 00010202\n[ 6170.287904] RAX: 0000000000000001 RBX: ffff888125bffb28 RCX: dffffc0000000000\n[ 6170.287912] RDX: 0000000000000003 RSI: ffffffffa20298ab RDI: ffff88811ebe4750\n[ 6170.287919] RBP: ffff88811ebe4700 R08: ffff88838e812650 R09: fffffbfff0623a55\n[ 6170.287926] R10: ffffffff8311d2af R11: 0000000000000001 R12: ffff888125bffb10\n[ 6170.287933] R13: ffff888125bffb10 R14: dead000000000122 R15: dead000000000100\n[ 6170.287940] FS:  0000000000000000(0000) GS:ffff888390b00000(0000) knlGS:0000000000000000\n[ 6170.287948] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 6170.287955] CR2: 00007fd31fc00710 CR3: 0000000133f60004 CR4: 00000000001706f0\n[ 6170.287962] Call Trace:\n[ 6170.287967]  <TASK>\n[ 6170.287973]  ? __warn+0x9f/0x1a0\n[ 6170.287986]  ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288092]  ? report_bug+0x1b1/0x1e0\n[ 6170.287986]  ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288092]  ? report_bug+0x1b1/0x1e0\n[ 6170.288104]  ? handle_bug+0x3c/0x70\n[ 6170.288112]  ? exc_invalid_op+0x17/0x40\n[ 6170.288120]  ? asm_exc_invalid_op+0x1a/0x20\n[ 6170.288132]  ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]\n[ 6170.288243]  ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288366]  ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]\n[ 6170.288483]  nf_tables_trans_destroy_work+0x588/0x590 [nf_tables](CVE-2024-27011)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/rds: fix WARNING in rds_conn_connect_if_down\r\n\r\nIf connection isn't established yet, get_mr() will fail, trigger connection after\nget_mr().(CVE-2024-27024)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nspi: spi-mt65xx: Fix NULL pointer access in interrupt handler\r\n\r\nThe TX buffer in spi_transfer can be a NULL pointer, so the interrupt\nhandler may end up writing to the invalid memory and cause crashes.\r\n\r\nAdd a check to trans->tx_buf before using it.(CVE-2024-27028)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: zynq: Prevent null pointer dereference caused by kmalloc failure\r\n\r\nThe kmalloc() in zynq_clk_setup() will return null if the\nphysical memory has run out. As a result, if we use snprintf()\nto write data to the null address, the null pointer dereference\nbug will happen.\r\n\r\nThis patch uses a stack variable to replace the kmalloc().(CVE-2024-27037)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfp: flower: handle acti_netdevs allocation failure\r\n\r\nThe kmalloc_array() in nfp_fl_lag_do_work() will return null, if\nthe physical memory has run out. As a result, if we dereference\nthe acti_netdevs, the null pointer dereference bugs will happen.\r\n\r\nThis patch adds a check to judge whether allocation failure occurs.\nIf it happens, the delayed work will be rescheduled and try again.(CVE-2024-27046)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value\r\n\r\ncpufreq_cpu_get may return NULL. To avoid NULL-dereference check it\nand return 0 in case of error.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-27051)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/dasd: fix double module refcount decrement\r\n\r\nOnce the discipline is associated with the device, deleting the device\ntakes care of decrementing the module's refcount.  Doing it manually on\nthis error path causes refcount to artificially decrease on each error\nwhile it should just stay the same.(CVE-2024-27054)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nUSB: usb-storage: Prevent divide-by-0 error in isd200_ata_command\r\n\r\nThe isd200 sub-driver in usb-storage uses the HEADS and SECTORS values\nin the ATA ID information to calculate cylinder and head values when\ncreating a CDB for READ or WRITE commands.  The calculation involves\ndivision and modulus operations, which will cause a crash if either of\nthese values is 0.  While this never happens with a genuine device, it\ncould happen with a flawed or subversive emulation, as reported by the\nsyzbot fuzzer.\r\n\r\nProtect against this possibility by refusing to bind to the device if\neither the ATA_ID_HEADS or ATA_ID_SECTORS value in the device's ID\ninformation is 0.  This requires isd200_Initialization() to return a\nnegative error code when initialization fails; currently it always\nreturns 0 (even when there is an error).(CVE-2024-27059)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnouveau: lock the client object tree.\r\n\r\nIt appears the client object tree has no locking unless I've missed\nsomething else. Fix races around adding/removing client objects,\nmostly vram bar mappings.\r\n\r\n 4562.099306] general protection fault, probably for non-canonical address 0x6677ed422bceb80c: 0000 [#1] PREEMPT SMP PTI\n[ 4562.099314] CPU: 2 PID: 23171 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27\n[ 4562.099324] Hardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021\n[ 4562.099330] RIP: 0010:nvkm_object_search+0x1d/0x70 [nouveau]\n[ 4562.099503] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 48 89 f8 48 85 f6 74 39 48 8b 87 a0 00 00 00 48 85 c0 74 12 <48> 8b 48 f8 48 39 ce 73 15 48 8b 40 10 48 85 c0 75 ee 48 c7 c0 fe\n[ 4562.099506] RSP: 0000:ffffa94cc420bbf8 EFLAGS: 00010206\n[ 4562.099512] RAX: 6677ed422bceb814 RBX: ffff98108791f400 RCX: ffff9810f26b8f58\n[ 4562.099517] RDX: 0000000000000000 RSI: ffff9810f26b9158 RDI: ffff98108791f400\n[ 4562.099519] RBP: ffff9810f26b9158 R08: 0000000000000000 R09: 0000000000000000\n[ 4562.099521] R10: ffffa94cc420bc48 R11: 0000000000000001 R12: ffff9810f02a7cc0\n[ 4562.099526] R13: 0000000000000000 R14: 00000000000000ff R15: 0000000000000007\n[ 4562.099528] FS:  00007f629c5017c0(0000) GS:ffff98142c700000(0000) knlGS:0000000000000000\n[ 4562.099534] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 4562.099536] CR2: 00007f629a882000 CR3: 000000017019e004 CR4: 00000000003706f0\n[ 4562.099541] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 4562.099542] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 4562.099544] Call Trace:\n[ 4562.099555]  <TASK>\n[ 4562.099573]  ? die_addr+0x36/0x90\n[ 4562.099583]  ? exc_general_protection+0x246/0x4a0\n[ 4562.099593]  ? asm_exc_general_protection+0x26/0x30\n[ 4562.099600]  ? nvkm_object_search+0x1d/0x70 [nouveau]\n[ 4562.099730]  nvkm_ioctl+0xa1/0x250 [nouveau]\n[ 4562.099861]  nvif_object_map_handle+0xc8/0x180 [nouveau]\n[ 4562.099986]  nouveau_ttm_io_mem_reserve+0x122/0x270 [nouveau]\n[ 4562.100156]  ? dma_resv_test_signaled+0x26/0xb0\n[ 4562.100163]  ttm_bo_vm_fault_reserved+0x97/0x3c0 [ttm]\n[ 4562.100182]  ? __mutex_unlock_slowpath+0x2a/0x270\n[ 4562.100189]  nouveau_ttm_fault+0x69/0xb0 [nouveau]\n[ 4562.100356]  __do_fault+0x32/0x150\n[ 4562.100362]  do_fault+0x7c/0x560\n[ 4562.100369]  __handle_mm_fault+0x800/0xc10\n[ 4562.100382]  handle_mm_fault+0x17c/0x3e0\n[ 4562.100388]  do_user_addr_fault+0x208/0x860\n[ 4562.100395]  exc_page_fault+0x7f/0x200\n[ 4562.100402]  asm_exc_page_fault+0x26/0x30\n[ 4562.100412] RIP: 0033:0x9b9870\n[ 4562.100419] Code: 85 a8 f7 ff ff 8b 8d 80 f7 ff ff 89 08 e9 18 f2 ff ff 0f 1f 84 00 00 00 00 00 44 89 32 e9 90 fa ff ff 0f 1f 84 00 00 00 00 00 <44> 89 32 e9 f8 f1 ff ff 0f 1f 84 00 00 00 00 00 66 44 89 32 e9 e7\n[ 4562.100422] RSP: 002b:00007fff9ba2dc70 EFLAGS: 00010246\n[ 4562.100426] RAX: 0000000000000004 RBX: 000000000dd65e10 RCX: 000000fff0000000\n[ 4562.100428] RDX: 00007f629a882000 RSI: 00007f629a882000 RDI: 0000000000000066\n[ 4562.100432] RBP: 00007fff9ba2e570 R08: 0000000000000000 R09: 0000000123ddf000\n[ 4562.100434] R10: 0000000000000001 R11: 0000000000000246 R12: 000000007fffffff\n[ 4562.100436] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[ 4562.100446]  </TASK>\n[ 4562.100448] Modules linked in: nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink cmac bnep sunrpc iwlmvm intel_rapl_msr intel_rapl_common snd_sof_pci_intel_cnl x86_pkg_temp_thermal intel_powerclamp snd_sof_intel_hda_common mac80211 coretemp snd_soc_acpi_intel_match kvm_intel snd_soc_acpi snd_soc_hdac_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof_intel_hda_mlink \n---truncated---(CVE-2024-27062)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: usbtv: Remove useless locks in usbtv_video_free()\r\n\r\nRemove locks calls in usbtv_video_free() because\nare useless and may led to a deadlock as reported here:\nhttps://syzkaller.appspot.com/x/bisect.txt?x=166dc872180000\nAlso remove usbtv_stop() call since it will be called when\nunregistering the device.\r\n\r\nBefore 'c838530d230b' this issue would only be noticed if you\ndisconnect while streaming and now it is noticeable even when\ndisconnecting while not streaming.\r\n\r\n\n[hverkuil: fix minor spelling mistake in log message](CVE-2024-27072)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: ttpci: fix two memleaks in budget_av_attach\r\n\r\nWhen saa7146_register_device and saa7146_vv_init fails, budget_av_attach\nshould free the resources it allocates, like the error-handling of\nttpci_budget_init does. Besides, there are two fixme comment refers to\nsuch deallocations.(CVE-2024-27073)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: dvb-frontends: avoid stack overflow warnings with clang\r\n\r\nA previous patch worked around a KASAN issue in stv0367, now a similar\nproblem showed up with clang:\r\n\r\ndrivers/media/dvb-frontends/stv0367.c:1222:12: error: stack frame size (3624) exceeds limit (2048) in 'stv0367ter_set_frontend' [-Werror,-Wframe-larger-than]\n 1214 | static int stv0367ter_set_frontend(struct dvb_frontend *fe)\r\n\r\nRework the stv0367_writereg() function to be simpler and mark both\nregister access functions as noinline_for_stack so the temporary\ni2c_msg structures do not get duplicated on the stack when KASAN_STACK\nis enabled.(CVE-2024-27075)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: v4l2-mem2mem: fix a memleak in v4l2_m2m_register_entity\r\n\r\nThe entity->name (i.e. name) is allocated in v4l2_m2m_register_entity\nbut isn't freed in its following error-handling paths. This patch\nadds such deallocation to prevent memleak of entity->name.(CVE-2024-27077)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: v4l2-tpg: fix some memleaks in tpg_alloc\r\n\r\nIn tpg_alloc, resources should be deallocated in each and every\nerror-handling paths, since they are allocated in for statements.\nOtherwise there would be memleaks because tpg_free is called only when\ntpg_alloc return 0.(CVE-2024-27078)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nSUNRPC: fix some memleaks in gssx_dec_option_array\r\n\r\nThe creds and oa->data need to be freed in the error-handling paths after\ntheir allocation. So this patch add these deallocations in the\ncorresponding paths.(CVE-2024-27388)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nft_flow_offload: reset dst in route object after setting up flow\r\n\r\ndst is transferred to the flow object, route object does not own it\nanymore.  Reset dst in route object, otherwise if flow_offload_add()\nfails, error path releases dst twice, leading to a refcount underflow.(CVE-2024-27403)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetrom: Fix data-races around sysctl_net_busy_read\r\n\r\nWe need to protect the reader reading the sysctl value because the\nvalue can be changed concurrently.(CVE-2024-27419)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2024-27426)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2024-27427)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2024-27428)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndm snapshot: fix lockup in dm_exception_table_exit\r\n\r\nThere was reported lockup when we exit a snapshot with many exceptions.\nFix this by adding \"cond_resched\" to the loop that frees the exceptions.(CVE-2024-35805)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsoc: fsl: qbman: Always disable interrupts when taking cgr_lock\r\n\r\nsmp_call_function_single disables IRQs when executing the callback. To\nprevent deadlocks, we must disable IRQs when taking cgr_lock elsewhere.\nThis is already done by qman_update_cgr and qman_delete_cgr; fix the\nother lockers.(CVE-2024-35806)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion\r\n\r\nThe first kiocb_set_cancel_fn() argument may point at a struct kiocb\nthat is not embedded inside struct aio_kiocb. With the current code,\ndepending on the compiler, the req->ki_ctx read happens either before\nthe IOCB_AIO_RW test or after that test. Move the req->ki_ctx read such\nthat it is guaranteed that the IOCB_AIO_RW test happens first.(CVE-2024-35815)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5e: fix a double-free in arfs_create_groups\r\n\r\nWhen `in` allocated by kvzalloc fails, arfs_create_groups will free\nft->g and return an error. However, arfs_create_table, the only caller of\narfs_create_groups, will hold this error and call to\nmlx5e_destroy_flow_table, in which the ft->g will be freed again.(CVE-2024-35835)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: fix information leak in btrfs_ioctl_logical_to_ino()\r\n\r\nSyzbot reported the following information leak for in\nbtrfs_ioctl_logical_to_ino():\r\n\r\n  BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n  BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n   instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n   _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n   copy_to_user include/linux/uaccess.h:191 [inline]\n   btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499\n   btrfs_ioctl+0x714/0x1260\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:904 [inline]\n   __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n   __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n   x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\n  Uninit was created at:\n   __kmalloc_large_node+0x231/0x370 mm/slub.c:3921\n   __do_kmalloc_node mm/slub.c:3954 [inline]\n   __kmalloc_node+0xb07/0x1060 mm/slub.c:3973\n   kmalloc_node include/linux/slab.h:648 [inline]\n   kvmalloc_node+0xc0/0x2d0 mm/util.c:634\n   kvmalloc include/linux/slab.h:766 [inline]\n   init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779\n   btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480\n   btrfs_ioctl+0x714/0x1260\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:904 [inline]\n   __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n   __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n   x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\n  Bytes 40-65535 of 65536 are uninitialized\n  Memory access of size 65536 starts at ffff888045a40000\r\n\r\nThis happens, because we're copying a 'struct btrfs_data_container' back\nto user-space. This btrfs_data_container is allocated in\n'init_data_container()' via kvmalloc(), which does not zero-fill the\nmemory.\r\n\r\nFix this by using kvzalloc() which zeroes out the memory on allocation.(CVE-2024-35849)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: Fix infinite recursion in fib6_dump_done().\r\n\r\nsyzkaller reported infinite recursive calls of fib6_dump_done() during\nnetlink socket destruction.  [1]\r\n\r\nFrom the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then\nthe response was generated.  The following recvmmsg() resumed the dump\nfor IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due\nto the fault injection.  [0]\r\n\r\n  12:01:34 executing program 3:\n  r0 = socket$nl_route(0x10, 0x3, 0x0)\n  sendmsg$nl_route(r0, ... snip ...)\n  recvmmsg(r0, ... snip ...) (fail_nth: 8)\r\n\r\nHere, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call\nof inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3].  syzkaller stopped\nreceiving the response halfway through, and finally netlink_sock_destruct()\ncalled nlk_sk(sk)->cb.done().\r\n\r\nfib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it\nis still not NULL.  fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by\nnlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling\nitself recursively and hitting the stack guard page.\r\n\r\nTo avoid the issue, let's set the destructor after kzalloc().\r\n\r\n[0]:\nFAULT_INJECTION: forcing a failure.\nname failslab, interval 1, probability 0, space 0, times 0\nCPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl (lib/dump_stack.c:117)\n should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)\n should_failslab (mm/slub.c:3733)\n kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992)\n inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662)\n rtnl_dump_all (net/core/rtnetlink.c:4029)\n netlink_dump (net/netlink/af_netlink.c:2269)\n netlink_recvmsg (net/netlink/af_netlink.c:1988)\n ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801)\n ___sys_recvmsg (net/socket.c:2846)\n do_recvmmsg (net/socket.c:2943)\n __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034)\r\n\r\n[1]:\nBUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb)\nstack guard page: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: events netlink_sock_destruct_work\nRIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570)\nCode: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff\nRSP: 0018:ffffc9000d980000 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3\nRDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358\nRBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000\nR13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68\nFS:  0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n <#DF>\n </#DF>\n <TASK>\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n ...\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n netlink_sock_destruct (net/netlink/af_netlink.c:401)\n __sk_destruct (net/core/sock.c:2177 (discriminator 2))\n sk_destruct (net/core/sock.c:2224)\n __sk_free (net/core/sock.c:2235)\n sk_free (net/core/sock.c:2246)\n process_one_work (kernel/workqueue.c:3259)\n worker_thread (kernel/workqueue.c:3329 kernel/workqueue.\n---truncated---(CVE-2024-35886)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()\r\n\r\nnft_unregister_flowtable_type() within nf_flow_inet_module_exit() can\nconcurrent with __nft_flowtable_type_get() within nf_tables_newflowtable().\nAnd thhere is not any protection when iterate over nf_tables_flowtables\nlist in __nft_flowtable_type_get(). Therefore, there is pertential\ndata-race of nf_tables_flowtables list entry.\r\n\r\nUse list_for_each_entry_rcu() to iterate over nf_tables_flowtables list\nin __nft_flowtable_type_get(), and use rcu_read_lock() in the caller\nnft_flowtable_type_get() to protect the entire type query process.(CVE-2024-35898)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfbmon: prevent division by zero in fb_videomode_from_videomode()\r\n\r\nThe expression htotal * vtotal can have a zero value on\noverflow. It is necessary to prevent division by zero like in\nfb_var_to_videomode().\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with Svace.(CVE-2024-35922)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()\r\n\r\nThe call to lpfc_sli4_resume_rpi() in lpfc_rcv_padisc() may return an\nunsuccessful status.  In such cases, the elsiocb is not issued, the\ncompletion is not called, and thus the elsiocb resource is leaked.\r\n\r\nCheck return value after calling lpfc_sli4_resume_rpi() and conditionally\nrelease the elsiocb resource.(CVE-2024-35930)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()\r\n\r\nThe unhandled case in btrfs_relocate_sys_chunks() loop is a corruption,\nas it could be caused only by two impossible conditions:\r\n\r\n- at first the search key is set up to look for a chunk tree item, with\n  offset -1, this is an inexact search and the key->offset will contain\n  the correct offset upon a successful search, a valid chunk tree item\n  cannot have an offset -1\r\n\r\n- after first successful search, the found_key corresponds to a chunk\n  item, the offset is decremented by 1 before the next loop, it's\n  impossible to find a chunk item there due to alignment and size\n  constraints(CVE-2024-35936)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/client: Fully protect modes[] with dev->mode_config.mutex\r\n\r\nThe modes[] array contains pointers to modes on the connectors'\nmode lists, which are protected by dev->mode_config.mutex.\nThus we need to extend modes[] the same protection or by the\ntime we use it the elements may already be pointing to\nfreed/reused memory.(CVE-2024-35950)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nxsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING\r\n\r\nsyzbot reported an illegal copy in xsk_setsockopt() [1]\r\n\r\nMake sure to validate setsockopt() @optlen parameter.\r\n\r\n[1]\r\n\r\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\nRead of size 4 at addr ffff888028c6cde3 by task syz-executor.0/7549\r\n\r\nCPU: 0 PID: 7549 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:488\n  kasan_report+0x143/0x180 mm/kasan/report.c:601\n  copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n  copy_from_sockptr include/linux/sockptr.h:55 [inline]\n  xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\n  do_sock_setsockopt+0x3af/0x720 net/socket.c:2311\n  __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n  __do_sys_setsockopt net/socket.c:2343 [inline]\n  __se_sys_setsockopt net/socket.c:2340 [inline]\n  __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\nRIP: 0033:0x7fb40587de69\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fb40665a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 00007fb4059abf80 RCX: 00007fb40587de69\nRDX: 0000000000000005 RSI: 000000000000011b RDI: 0000000000000006\nRBP: 00007fb4058ca47a R08: 0000000000000002 R09: 0000000000000000\nR10: 0000000020001980 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007fb4059abf80 R15: 00007fff57ee4d08\n </TASK>\r\n\r\nAllocated by task 7549:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\n  __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\n  kasan_kmalloc include/linux/kasan.h:211 [inline]\n  __do_kmalloc_node mm/slub.c:3966 [inline]\n  __kmalloc+0x233/0x4a0 mm/slub.c:3979\n  kmalloc include/linux/slab.h:632 [inline]\n  __cgroup_bpf_run_filter_setsockopt+0xd2f/0x1040 kernel/bpf/cgroup.c:1869\n  do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\n  __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n  __do_sys_setsockopt net/socket.c:2343 [inline]\n  __se_sys_setsockopt net/socket.c:2340 [inline]\n  __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nThe buggy address belongs to the object at ffff888028c6cde0\n which belongs to the cache kmalloc-8 of size 8\nThe buggy address is located 1 bytes to the right of\n allocated 2-byte region [ffff888028c6cde0, ffff888028c6cde2)\r\n\r\nThe buggy address belongs to the physical page:\npage:ffffea0000a31b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888028c6c9c0 pfn:0x28c6c\nanon flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)\npage_type: 0xffffffff()\nraw: 00fff00000000800 ffff888014c41280 0000000000000000 dead000000000001\nraw: ffff888028c6c9c0 0000000080800057 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as allocated\npage last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 6648, tgid 6644 (syz-executor.0), ts 133906047828, free_ts 133859922223\n  set_page_owner include/linux/page_owner.h:31 [inline]\n  post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533\n  prep_new_page mm/page_alloc.c:\n---truncated---(CVE-2024-35976)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nHID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up\r\n\r\nThe flag I2C_HID_READ_PENDING is used to serialize I2C operations.\nHowever, this is not necessary, because I2C core already has its own\nlocking for that.\r\n\r\nMore importantly, this flag can cause a lock-up: if the flag is set in\ni2c_hid_xfer() and an interrupt happens, the interrupt handler\n(i2c_hid_irq) will check this flag and return immediately without doing\nanything, then the interrupt handler will be invoked again in an\ninfinite loop.\r\n\r\nSince interrupt handler is an RT task, it takes over the CPU and the\nflag-clearing task never gets scheduled, thus we have a lock-up.\r\n\r\nDelete this unnecessary flag.(CVE-2024-35997)",
+    "cves": [
+      {
+        "id": "CVE-2023-52868",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52868",
+        "severity": "Low"
+      },
+      {
+        "id": "CVE-2024-26960",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26960",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2024-35997",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35997",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1024": {
+    "id": "openEuler-SA-2024-1024",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1024",
+    "title": "An update for metadata-extractor2 is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Metadata Extractor is a straightforward Java library for reading metadata from image files.\r\n\r\nSecurity Fix(es):\r\n\r\nmetadata-extractor up to 2.16.0 can throw various uncaught exceptions while parsing a specially crafted JPEG file, which could result in an application crash. This could be used to mount a denial of service attack against services that use metadata-extractor library.(CVE-2022-24613)\r\n\r\nWhen reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library.(CVE-2022-24614)",
+    "cves": [
+      {
+        "id": "CVE-2022-24614",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24614",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1099": {
+    "id": "openEuler-SA-2024-1099",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1099",
+    "title": "An update for openjdk-11 is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2024-20918)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2024-20926)\r\n\r\nDifficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).(CVE-2024-20945)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2024-20952)",
+    "cves": [
+      {
+        "id": "CVE-2024-20952",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20952",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1873": {
+    "id": "openEuler-SA-2023-1873",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1873",
+    "title": "An update for optipng is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "OptiPNG is a PNG optimizer that recompresses image files to a smaller size, without losing any information. This program also converts external formats (BMP, GIF, PNM and TIFF) to optimized PNG, and performs PNG integrity checks and corrections.\r\n\r\nSecurity Fix(es):\r\n\r\nOptiPNG v0.7.7 was discovered to contain a global buffer overflow via the 'buffer' variable at gifread.c.(CVE-2023-43907)",
+    "cves": [
+      {
+        "id": "CVE-2023-43907",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43907",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1242": {
+    "id": "openEuler-SA-2023-1242",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1242",
+    "title": "An update for lua is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Lua is a powerful, efficient, lightweight, embeddable scripting language. It supports procedural programming, object-oriented programming, functional programming, data-driven programming, and data description.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read.(CVE-2021-45985)",
+    "cves": [
+      {
+        "id": "CVE-2021-45985",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45985",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2111": {
+    "id": "openEuler-SA-2022-2111",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2111",
+    "title": "An update for varnish is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "This is Varnish Cache, a web application accelerator also known as a caching HTTP reverse proxy. You install it in front of any server that speaks HTTP and configure it to cache the contents. Varnish Cache is really, really fast. It typically speeds up delivery with a factor of 300 - 1000x, depending on your architecture.\r\n\r\nSecurity Fix(es):\r\n\r\nAn HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.(CVE-2022-45060)",
+    "cves": [
+      {
+        "id": "CVE-2022-45060",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45060",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1357": {
+    "id": "openEuler-SA-2024-1357",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1357",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: x86/mmu: Don't advance iterator after restart due to yielding\r\n\r\nAfter dropping mmu_lock in the TDP MMU, restart the iterator during\ntdp_iter_next() and do not advance the iterator.  Advancing the iterator\nresults in skipping the top-level SPTE and all its children, which is\nfatal if any of the skipped SPTEs were not visited before yielding.\r\n\r\nWhen zapping all SPTEs, i.e. when min_level == root_level, restarting the\niter and then invoking tdp_iter_next() is always fatal if the current gfn\nhas as a valid SPTE, as advancing the iterator results in try_step_side()\nskipping the current gfn, which wasn't visited before yielding.\r\n\r\nSprinkle WARNs on iter->yielded being true in various helpers that are\noften used in conjunction with yielding, and tag the helper with\n__must_check to reduce the probabily of improper usage.\r\n\r\nFailing to zap a top-level SPTE manifests in one of two ways.  If a valid\nSPTE is skipped by both kvm_tdp_mmu_zap_all() and kvm_tdp_mmu_put_root(),\nthe shadow page will be leaked and KVM will WARN accordingly.\r\n\r\n  WARNING: CPU: 1 PID: 3509 at arch/x86/kvm/mmu/tdp_mmu.c:46 [kvm]\n  RIP: 0010:kvm_mmu_uninit_tdp_mmu+0x3e/0x50 [kvm]\n  Call Trace:\n   <TASK>\n   kvm_arch_destroy_vm+0x130/0x1b0 [kvm]\n   kvm_destroy_vm+0x162/0x2a0 [kvm]\n   kvm_vcpu_release+0x34/0x60 [kvm]\n   __fput+0x82/0x240\n   task_work_run+0x5c/0x90\n   do_exit+0x364/0xa10\n   ? futex_unqueue+0x38/0x60\n   do_group_exit+0x33/0xa0\n   get_signal+0x155/0x850\n   arch_do_signal_or_restart+0xed/0x750\n   exit_to_user_mode_prepare+0xc5/0x120\n   syscall_exit_to_user_mode+0x1d/0x40\n   do_syscall_64+0x48/0xc0\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\r\n\r\nIf kvm_tdp_mmu_zap_all() skips a gfn/SPTE but that SPTE is then zapped by\nkvm_tdp_mmu_put_root(), KVM triggers a use-after-free in the form of\nmarking a struct page as dirty/accessed after it has been put back on the\nfree list.  This directly triggers a WARN due to encountering a page with\npage_count() == 0, but it can also lead to data corruption and additional\nerrors in the kernel.\r\n\r\n  WARNING: CPU: 7 PID: 1995658 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:171\n  RIP: 0010:kvm_is_zone_device_pfn.part.0+0x9e/0xd0 [kvm]\n  Call Trace:\n   <TASK>\n   kvm_set_pfn_dirty+0x120/0x1d0 [kvm]\n   __handle_changed_spte+0x92e/0xca0 [kvm]\n   __handle_changed_spte+0x63c/0xca0 [kvm]\n   __handle_changed_spte+0x63c/0xca0 [kvm]\n   __handle_changed_spte+0x63c/0xca0 [kvm]\n   zap_gfn_range+0x549/0x620 [kvm]\n   kvm_tdp_mmu_put_root+0x1b6/0x270 [kvm]\n   mmu_free_root_page+0x219/0x2c0 [kvm]\n   kvm_mmu_free_roots+0x1b4/0x4e0 [kvm]\n   kvm_mmu_unload+0x1c/0xa0 [kvm]\n   kvm_arch_destroy_vm+0x1f2/0x5c0 [kvm]\n   kvm_put_kvm+0x3b1/0x8b0 [kvm]\n   kvm_vcpu_release+0x4e/0x70 [kvm]\n   __fput+0x1f7/0x8c0\n   task_work_run+0xf8/0x1a0\n   do_exit+0x97b/0x2230\n   do_group_exit+0xda/0x2a0\n   get_signal+0x3be/0x1e50\n   arch_do_signal_or_restart+0x244/0x17f0\n   exit_to_user_mode_prepare+0xcb/0x120\n   syscall_exit_to_user_mode+0x1d/0x40\n   do_syscall_64+0x4d/0x90\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\r\n\r\nNote, the underlying bug existed even before commit 1af4a96025b3 (\"KVM:\nx86/mmu: Yield in TDU MMU iter even if no SPTES changed\") moved calls to\ntdp_mmu_iter_cond_resched() to the beginning of loops, as KVM could still\nincorrectly advance past a top-level entry when yielding on a lower-level\nentry.  But with respect to leaking shadow pages, the bug was introduced\nby yielding before processing the current gfn.\r\n\r\nAlternatively, tdp_mmu_iter_cond_resched() could simply fall through, or\ncallers could jump to their \"retry\" label.  The downside of that approach\nis that tdp_mmu_iter_cond_resched() _must_ be called before anything else\nin the loop, and there's no easy way to enfornce that requirement.\r\n\r\nIdeally, KVM would handling the cond_resched() fully within the iterator\nmacro (the code is actually quite clean) and avoid this entire class of\nbugs, but that is extremely difficult do wh\n---truncated---(CVE-2021-47094)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn()\r\n\r\nSili Luo reported a race in nfc_llcp_sock_get(), leading to UAF.\r\n\r\nGetting a reference on the socket found in a lookup while\nholding a lock should happen before releasing the lock.\r\n\r\nnfc_llcp_sock_get_sn() has a similar problem.\r\n\r\nFinally nfc_llcp_recv_snl() needs to make sure the socket\nfound by nfc_llcp_sock_from_sn() does not disappear.(CVE-2023-52502)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix array-index-out-of-bounds in diNewExt\r\n\r\n[Syz report]\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_imap.c:2360:2\nindex -878706688 is out of range for type 'struct iagctl[128]'\nCPU: 1 PID: 5065 Comm: syz-executor282 Not tainted 6.7.0-rc4-syzkaller-00009-gbee0e7762ad2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348\n diNewExt+0x3cf3/0x4000 fs/jfs/jfs_imap.c:2360\n diAllocExt fs/jfs/jfs_imap.c:1949 [inline]\n diAllocAG+0xbe8/0x1e50 fs/jfs/jfs_imap.c:1666\n diAlloc+0x1d3/0x1760 fs/jfs/jfs_imap.c:1587\n ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56\n jfs_mkdir+0x1c5/0xb90 fs/jfs/namei.c:225\n vfs_mkdir+0x2f1/0x4b0 fs/namei.c:4106\n do_mkdirat+0x264/0x3a0 fs/namei.c:4129\n __do_sys_mkdir fs/namei.c:4149 [inline]\n __se_sys_mkdir fs/namei.c:4147 [inline]\n __x64_sys_mkdir+0x6e/0x80 fs/namei.c:4147\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x45/0x110 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7fcb7e6a0b57\nCode: ff ff 77 07 31 c0 c3 0f 1f 40 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffd83023038 EFLAGS: 00000286 ORIG_RAX: 0000000000000053\nRAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007fcb7e6a0b57\nRDX: 00000000000a1020 RSI: 00000000000001ff RDI: 0000000020000140\nRBP: 0000000020000140 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000286 R12: 00007ffd830230d0\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\r\n\r\n[Analysis]\nWhen the agstart is too large, it can cause agno overflow.\r\n\r\n[Fix]\nAfter obtaining agno, if the value is invalid, exit the subsequent process.\r\n\r\n\nModified the test from agno > MAXAG to agno >= MAXAG based on linux-next\nreport by kernel test robot (Dan Carpenter).(CVE-2023-52599)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix uaf in jfs_evict_inode\r\n\r\nWhen the execution of diMount(ipimap) fails, the object ipimap that has been\nreleased may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs\nwhen rcu_core() calls jfs_free_node().\r\n\r\nTherefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as\nipimap.(CVE-2023-52600)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix array-index-out-of-bounds in dbAdjTree\r\n\r\nCurrently there is a bound check missing in the dbAdjTree while\naccessing the dmt_stree. To add the required check added the bool is_ctl\nwhich is required to determine the size as suggest in the following\ncommit.\nhttps://lore.kernel.org/linux-kernel-mentees/f9475918-2186-49b8-b801-6f0f9e75f4fa@oracle.com/(CVE-2023-52601)\r\n\r\nInteger Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.(CVE-2024-23307)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntomoyo: fix UAF write bug in tomoyo_write_control()\r\n\r\nSince tomoyo_write_control() updates head->write_buf when write()\nof long lines is requested, we need to fetch head->write_buf after\nhead->io_sem is held.  Otherwise, concurrent write() requests can\ncause use-after-free-write and double-free problems.(CVE-2024-26622)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nllc: call sock_orphan() at release time\r\n\r\nsyzbot reported an interesting trace [1] caused by a stale sk->sk_wq\npointer in a closed llc socket.\r\n\r\nIn commit ff7b11aa481f (\"net: socket: set sock->sk to NULL after\ncalling proto_ops::release()\") Eric Biggers hinted that some protocols\nare missing a sock_orphan(), we need to perform a full audit.\r\n\r\nIn net-next, I plan to clear sock->sk from sock_orphan() and\namend Eric patch to add a warning.\r\n\r\n[1]\n BUG: KASAN: slab-use-after-free in list_empty include/linux/list.h:373 [inline]\n BUG: KASAN: slab-use-after-free in waitqueue_active include/linux/wait.h:127 [inline]\n BUG: KASAN: slab-use-after-free in sock_def_write_space_wfree net/core/sock.c:3384 [inline]\n BUG: KASAN: slab-use-after-free in sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468\nRead of size 8 at addr ffff88802f4fc880 by task ksoftirqd/1/27\r\n\r\nCPU: 1 PID: 27 Comm: ksoftirqd/1 Not tainted 6.8.0-rc1-syzkaller-00049-g6098d87eaf31 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0xc4/0x620 mm/kasan/report.c:488\n  kasan_report+0xda/0x110 mm/kasan/report.c:601\n  list_empty include/linux/list.h:373 [inline]\n  waitqueue_active include/linux/wait.h:127 [inline]\n  sock_def_write_space_wfree net/core/sock.c:3384 [inline]\n  sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468\n  skb_release_head_state+0xa3/0x2b0 net/core/skbuff.c:1080\n  skb_release_all net/core/skbuff.c:1092 [inline]\n  napi_consume_skb+0x119/0x2b0 net/core/skbuff.c:1404\n  e1000_unmap_and_free_tx_resource+0x144/0x200 drivers/net/ethernet/intel/e1000/e1000_main.c:1970\n  e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3860 [inline]\n  e1000_clean+0x4a1/0x26e0 drivers/net/ethernet/intel/e1000/e1000_main.c:3801\n  __napi_poll.constprop.0+0xb4/0x540 net/core/dev.c:6576\n  napi_poll net/core/dev.c:6645 [inline]\n  net_rx_action+0x956/0xe90 net/core/dev.c:6778\n  __do_softirq+0x21a/0x8de kernel/softirq.c:553\n  run_ksoftirqd kernel/softirq.c:921 [inline]\n  run_ksoftirqd+0x31/0x60 kernel/softirq.c:913\n  smpboot_thread_fn+0x660/0xa10 kernel/smpboot.c:164\n  kthread+0x2c6/0x3a0 kernel/kthread.c:388\n  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n  ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242\n </TASK>\r\n\r\nAllocated by task 5167:\n  kasan_save_stack+0x33/0x50 mm/kasan/common.c:47\n  kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n  unpoison_slab_object mm/kasan/common.c:314 [inline]\n  __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:340\n  kasan_slab_alloc include/linux/kasan.h:201 [inline]\n  slab_post_alloc_hook mm/slub.c:3813 [inline]\n  slab_alloc_node mm/slub.c:3860 [inline]\n  kmem_cache_alloc_lru+0x142/0x6f0 mm/slub.c:3879\n  alloc_inode_sb include/linux/fs.h:3019 [inline]\n  sock_alloc_inode+0x25/0x1c0 net/socket.c:308\n  alloc_inode+0x5d/0x220 fs/inode.c:260\n  new_inode_pseudo+0x16/0x80 fs/inode.c:1005\n  sock_alloc+0x40/0x270 net/socket.c:634\n  __sock_create+0xbc/0x800 net/socket.c:1535\n  sock_create net/socket.c:1622 [inline]\n  __sys_socket_create net/socket.c:1659 [inline]\n  __sys_socket+0x14c/0x260 net/socket.c:1706\n  __do_sys_socket net/socket.c:1720 [inline]\n  __se_sys_socket net/socket.c:1718 [inline]\n  __x64_sys_socket+0x72/0xb0 net/socket.c:1718\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nFreed by task 0:\n  kasan_save_stack+0x33/0x50 mm/kasan/common.c:47\n  kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n  kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640\n  poison_slab_object mm/kasan/common.c:241 [inline]\n  __kasan_slab_free+0x121/0x1b0 mm/kasan/common.c:257\n  kasan_slab_free include/linux/kasan.h:184 [inline]\n  slab_free_hook mm/slub.c:2121 [inlin\n---truncated---(CVE-2024-26625)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: core: Move scsi_host_busy() out of host lock for waking up EH handler\r\n\r\nInside scsi_eh_wakeup(), scsi_host_busy() is called & checked with host\nlock every time for deciding if error handler kthread needs to be waken up.\r\n\r\nThis can be too heavy in case of recovery, such as:\r\n\r\n - N hardware queues\r\n\r\n - queue depth is M for each hardware queue\r\n\r\n - each scsi_host_busy() iterates over (N * M) tag/requests\r\n\r\nIf recovery is triggered in case that all requests are in-flight, each\nscsi_eh_wakeup() is strictly serialized, when scsi_eh_wakeup() is called\nfor the last in-flight request, scsi_host_busy() has been run for (N * M -\n1) times, and request has been iterated for (N*M - 1) * (N * M) times.\r\n\r\nIf both N and M are big enough, hard lockup can be triggered on acquiring\nhost lock, and it is observed on mpi3mr(128 hw queues, queue depth 8169).\r\n\r\nFix the issue by calling scsi_host_busy() outside the host lock. We don't\nneed the host lock for getting busy count because host the lock never\ncovers that.\r\n\r\n[mkp: Drop unnecessary 'busy' variables pointed out by Bart](CVE-2024-26627)",
+    "cves": [
+      {
+        "id": "CVE-2024-26627",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26627",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1089": {
+    "id": "openEuler-SA-2023-1089",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1089",
+    "title": "An update for tar is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "GNU Tar provides the ability to create tar archives, as well as various other kinds of manipulation. For example, you can use Tar on previously created archives to extract files, to store additional files, or to update or list files which were already stored.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.(CVE-2022-48303)",
+    "cves": [
+      {
+        "id": "CVE-2022-48303",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48303",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1947": {
+    "id": "openEuler-SA-2023-1947",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1947",
+    "title": "An update for squid is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Squid is a high-performance proxy caching server. It handles all requests in a single, non-blocking, I/O-driven process and keeps meta data and implements negative caching of failed requests.\r\n\r\nSecurity Fix(es):\r\n\r\nSquid is a caching proxy for the Web. Due to an Uncontrolled Recursion bug in versions 2.6 through 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5, Squid may be vulnerable to a Denial of Service attack against HTTP Request parsing. This problem allows a remote client to perform Denial of Service attack by sending a large X-Forwarded-For header when the follow_x_forwarded_for feature is configured. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives.(CVE-2023-50269)",
+    "cves": [
+      {
+        "id": "CVE-2023-50269",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50269",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1032": {
+    "id": "openEuler-SA-2023-1032",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1032",
+    "title": "An update for jetty is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Jetty is a 100% Java HTTP Server and Servlet Container. This means that you do not need to configure and run a separate web server (like Apache) in order to use Java, servlets and JSPs to generate dynamic content. Jetty is a fully featured web server for static and dynamic content. Unlike separate server/container solutions, this means that your web server and web application run in the same process, without interconnection overheads and complications. Furthermore, as a pure java component, Jetty can be simply included in your application for demonstration, distribution or deployment.Jetty is available on all Java supported platforms.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests.(CVE-2022-2048)\r\n\r\nIn Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.(CVE-2022-2047)",
+    "cves": [
+      {
+        "id": "CVE-2022-2047",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2047",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1299": {
+    "id": "openEuler-SA-2021-1299",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1299",
+    "title": "An update for tomcat is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.(CVE-2021-30640)",
+    "cves": [
+      {
+        "id": "CVE-2021-30640",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30640",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1919": {
+    "id": "openEuler-SA-2022-1919",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1919",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX\nsystems.\r\n\r\nSecurity Fix(es):\r\n\r\nUse After Free in GitHub repository vim/vim prior to 9.0.0389.(CVE-2022-3134)",
+    "cves": [
+      {
+        "id": "CVE-2022-3134",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3134",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1383": {
+    "id": "openEuler-SA-2024-1383",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1383",
+    "title": "An update for util-linux is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Low",
+    "description": "The util-linux package contains a random collection of files that implements some low-level basic linux utilities.\r\n\r\nSecurity Fix(es):\r\n\r\nwall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.(CVE-2024-28085)",
+    "cves": [
+      {
+        "id": "CVE-2024-28085",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28085",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1594": {
+    "id": "openEuler-SA-2024-1594",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1594",
+    "title": "An update for glibc is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt,  login, exit and more.\r\n\r\nSecurity Fix(es):\r\n\r\nnscd: Stack-based buffer overflow in netgroup cache\r\n\r\nIf the Name Service Cache Daemon's (nscd) fixed size cache is exhausted\nby client requests then a subsequent client request for netgroup data\nmay result in a stack-based buffer overflow.  This flaw was introduced\nin glibc 2.15 when the cache was added to nscd.\r\n\r\nThis vulnerability is only present in the nscd binary.\n(CVE-2024-33599)\r\n\r\nnscd: Null pointer crashes after notfound response\r\n\r\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference.  This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\r\n\r\nThis vulnerability is only present in the nscd binary.\r\n\r\n(CVE-2024-33600)\r\n\r\nnscd: netgroup cache may terminate daemon on memory allocation failure\r\n\r\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients.  The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\r\n\r\nThis vulnerability is only present in the nscd binary.\r\n\r\n(CVE-2024-33601)\r\n\r\nnscd: netgroup cache assumes NSS callback uses in-buffer strings\r\n\r\nThe Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory\nwhen the NSS callback does not store all strings in the provided buffer.\nThe flaw was introduced in glibc 2.15 when the cache was added to nscd.\r\n\r\nThis vulnerability is only present in the nscd binary.\r\n\r\n(CVE-2024-33602)",
+    "cves": [
+      {
+        "id": "CVE-2024-33602",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33602",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1135": {
+    "id": "openEuler-SA-2021-1135",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1135",
+    "title": "An update for hibernate is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Hibernate is a powerful, high-performance, feature-rich and very popular ORM solution for Java. Hibernate facilitates development of persistent objects based on the common Java object model to mirror the underlying database structure. This approach progresses the business performance to some extent, advances development efficiency exceedingly and obtains preferable economical efficiency and practicability.  Provides: hibernate-core = 5.0.10-6.oe1 Provides: hibernate-c3p0 = 5.0.10-6.oe1 Provides: hibernate-ehcache = 5.0.10-6.oe1 Provides: hibernate-entitymanager = 5.0.10-6.oe1 Provides: hibernate-envers = 5.0.10-6.oe1 Provides: hibernate-hikaricp = 5.0.10-6.oe1 Provides: hibernate-infinispan = 5.0.10-6.oe1 Provides: hibernate-java8 = 5.0.10-6.oe1 Provides: hibernate-osgi = 5.0.10-6.oe1 Provides: hibernate-parent = 5.0.10-6.oe1 Provides: hibernate-proxool = 5.0.10-6.oe1 Provides: hibernate-spatial = 5.0.10-6.oe1 Provides: hibernate-testing = 5.0.10-6.oe1 Provides: hibernate-javadoc = 5.0.10-6.oe1  Obsoletes: hibernate-core < 5.0.10-6.oe1 Obsoletes: hibernate-c3p0 < 5.0.10-6.oe1 Obsoletes: hibernate-ehcache < 5.0.10-6.oe1 Obsoletes: hibernate-entitymanager < 5.0.10-6.oe1 Obsoletes: hibernate-envers < 5.0.10-6.oe1 Obsoletes: hibernate-hikaricp < 5.0.10-6.oe1 Obsoletes: hibernate-infinispan < 5.0.10-6.oe1 Obsoletes: hibernate-java8 < 5.0.10-6.oe1 Obsoletes: hibernate-osgi < 5.0.10-6.oe1 Obsoletes: hibernate-parent < 5.0.10-6.oe1 Obsoletes: hibernate-proxool < 5.0.10-6.oe1 Obsoletes: hibernate-spatial < 5.0.10-6.oe1 Obsoletes: hibernate-testing < 5.0.10-6.oe1 Obsoletes: hibernate-javadoc < 5.0.10-6.oe1\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.(CVE-2019-14900)",
+    "cves": [
+      {
+        "id": "CVE-2019-14900",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14900",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1738": {
+    "id": "openEuler-SA-2024-1738",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1738",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nafs: Fix corruption in reads at fpos 2G-4G from an OpenAFS server\r\n\r\nAFS-3 has two data fetch RPC variants, FS.FetchData and FS.FetchData64, and\nLinux's afs client switches between them when talking to a non-YFS server\nif the read size, the file position or the sum of the two have the upper 32\nbits set of the 64-bit value.\r\n\r\nThis is a problem, however, since the file position and length fields of\nFS.FetchData are *signed* 32-bit values.\r\n\r\nFix this by capturing the capability bits obtained from the fileserver when\nit's sent an FS.GetCapabilities RPC, rather than just discarding them, and\nthen picking out the VICED_CAPABILITY_64BITFILES flag.  This can then be\nused to decide whether to use FS.FetchData or FS.FetchData64 - and also\nFS.StoreData or FS.StoreData64 - rather than using upper_32_bits() to\nswitch on the parameter values.\r\n\r\nThis capabilities flag could also be used to limit the maximum size of the\nfile, but all servers must be checked for that.\r\n\r\nNote that the issue does not exist with FS.StoreData - that uses *unsigned*\n32-bit values.  It's also not a problem with Auristor servers as its\nYFS.FetchData64 op uses unsigned 64-bit values.\r\n\r\nThis can be tested by cloning a git repo through an OpenAFS client to an\nOpenAFS server and then doing \"git status\" on it from a Linux afs\nclient[1].  Provided the clone has a pack file that's in the 2G-4G range,\nthe git status will show errors like:\r\n\r\n\terror: packfile .git/objects/pack/pack-5e813c51d12b6847bbc0fcd97c2bca66da50079c.pack does not match index\n\terror: packfile .git/objects/pack/pack-5e813c51d12b6847bbc0fcd97c2bca66da50079c.pack does not match index\r\n\r\nThis can be observed in the server's FileLog with something like the\nfollowing appearing:\r\n\r\nSun Aug 29 19:31:39 2021 SRXAFS_FetchData, Fid = 2303380852.491776.3263114, Host 192.168.11.201:7001, Id 1001\nSun Aug 29 19:31:39 2021 CheckRights: len=0, for host=192.168.11.201:7001\nSun Aug 29 19:31:39 2021 FetchData_RXStyle: Pos 18446744071815340032, Len 3154\nSun Aug 29 19:31:39 2021 FetchData_RXStyle: file size 2400758866\n...\nSun Aug 29 19:31:40 2021 SRXAFS_FetchData returns 5\r\n\r\nNote the file position of 18446744071815340032.  This is the requested file\nposition sign-extended.(CVE-2021-47366)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/smc: Fix possible access to freed memory in link clear\r\n\r\nAfter modifying the QP to the Error state, all RX WR would be completed\nwith WC in IB_WC_WR_FLUSH_ERR status. Current implementation does not\nwait for it is done, but destroy the QP and free the link group directly.\nSo there is a risk that accessing the freed memory in tasklet context.\r\n\r\nHere is a crash example:\r\n\r\n BUG: unable to handle page fault for address: ffffffff8f220860\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD f7300e067 P4D f7300e067 PUD f7300f063 PMD 8c4e45063 PTE 800ffff08c9df060\n Oops: 0002 [#1] SMP PTI\n CPU: 1 PID: 0 Comm: swapper/1 Kdump: loaded Tainted: G S         OE     5.10.0-0607+ #23\n Hardware name: Inspur NF5280M4/YZMB-00689-101, BIOS 4.1.20 07/09/2018\n RIP: 0010:native_queued_spin_lock_slowpath+0x176/0x1b0\n Code: f3 90 48 8b 32 48 85 f6 74 f6 eb d5 c1 ee 12 83 e0 03 83 ee 01 48 c1 e0 05 48 63 f6 48 05 00 c8 02 00 48 03 04 f5 00 09 98 8e <48> 89 10 8b 42 08 85 c0 75 09 f3 90 8b 42 08 85 c0 74 f7 48 8b 32\n RSP: 0018:ffffb3b6c001ebd8 EFLAGS: 00010086\n RAX: ffffffff8f220860 RBX: 0000000000000246 RCX: 0000000000080000\n RDX: ffff91db1f86c800 RSI: 000000000000173c RDI: ffff91db62bace00\n RBP: ffff91db62bacc00 R08: 0000000000000000 R09: c00000010000028b\n R10: 0000000000055198 R11: ffffb3b6c001ea58 R12: ffff91db80e05010\n R13: 000000000000000a R14: 0000000000000006 R15: 0000000000000040\n FS:  0000000000000000(0000) GS:ffff91db1f840000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffffffff8f220860 CR3: 00000001f9580004 CR4: 00000000003706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  <IRQ>\n  _raw_spin_lock_irqsave+0x30/0x40\n  mlx5_ib_poll_cq+0x4c/0xc50 [mlx5_ib]\n  smc_wr_rx_tasklet_fn+0x56/0xa0 [smc]\n  tasklet_action_common.isra.21+0x66/0x100\n  __do_softirq+0xd5/0x29c\n  asm_call_irq_on_stack+0x12/0x20\n  </IRQ>\n  do_softirq_own_stack+0x37/0x40\n  irq_exit_rcu+0x9d/0xa0\n  sysvec_call_function_single+0x34/0x80\n  asm_sysvec_call_function_single+0x12/0x20(CVE-2022-48673)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/srp: Set scmnd->result only when scmnd is not NULL\r\n\r\nThis change fixes the following kernel NULL pointer dereference\nwhich is reproduced by blktests srp/007 occasionally.\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000170\nPGD 0 P4D 0\nOops: 0002 [#1] PREEMPT SMP NOPTI\nCPU: 0 PID: 9 Comm: kworker/0:1H Kdump: loaded Not tainted 6.0.0-rc1+ #37\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-29-g6a62e0cb0dfe-prebuilt.qemu.org 04/01/2014\nWorkqueue:  0x0 (kblockd)\nRIP: 0010:srp_recv_done+0x176/0x500 [ib_srp]\nCode: 00 4d 85 ff 0f 84 52 02 00 00 48 c7 82 80 02 00 00 00 00 00 00 4c 89 df 4c 89 14 24 e8 53 d3 4a f6 4c 8b 14 24 41 0f b6 42 13 <41> 89 87 70 01 00 00 41 0f b6 52 12 f6 c2 02 74 44 41 8b 42 1c b9\nRSP: 0018:ffffaef7c0003e28 EFLAGS: 00000282\nRAX: 0000000000000000 RBX: ffff9bc9486dea60 RCX: 0000000000000000\nRDX: 0000000000000102 RSI: ffffffffb76bbd0e RDI: 00000000ffffffff\nRBP: ffff9bc980099a00 R08: 0000000000000001 R09: 0000000000000001\nR10: ffff9bca53ef0000 R11: ffff9bc980099a10 R12: ffff9bc956e14000\nR13: ffff9bc9836b9cb0 R14: ffff9bc9557b4480 R15: 0000000000000000\nFS:  0000000000000000(0000) GS:ffff9bc97ec00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000170 CR3: 0000000007e04000 CR4: 00000000000006f0\nCall Trace:\n <IRQ>\n __ib_process_cq+0xb7/0x280 [ib_core]\n ib_poll_handler+0x2b/0x130 [ib_core]\n irq_poll_softirq+0x93/0x150\n __do_softirq+0xee/0x4b8\n irq_exit_rcu+0xf7/0x130\n sysvec_apic_timer_interrupt+0x8e/0xc0\n </IRQ>(CVE-2022-48692)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nrpmsg: virtio: Free driver_override when rpmsg_remove()\r\n\r\nFree driver_override when rpmsg_remove(), otherwise\nthe following memory leak will occur:\r\n\r\nunreferenced object 0xffff0000d55d7080 (size 128):\n  comm \"kworker/u8:2\", pid 56, jiffies 4294893188 (age 214.272s)\n  hex dump (first 32 bytes):\n    72 70 6d 73 67 5f 6e 73 00 00 00 00 00 00 00 00  rpmsg_ns........\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<000000009c94c9c1>] __kmem_cache_alloc_node+0x1f8/0x320\n    [<000000002300d89b>] __kmalloc_node_track_caller+0x44/0x70\n    [<00000000228a60c3>] kstrndup+0x4c/0x90\n    [<0000000077158695>] driver_set_override+0xd0/0x164\n    [<000000003e9c4ea5>] rpmsg_register_device_override+0x98/0x170\n    [<000000001c0c89a8>] rpmsg_ns_register_device+0x24/0x30\n    [<000000008bbf8fa2>] rpmsg_probe+0x2e0/0x3ec\n    [<00000000e65a68df>] virtio_dev_probe+0x1c0/0x280\n    [<00000000443331cc>] really_probe+0xbc/0x2dc\n    [<00000000391064b1>] __driver_probe_device+0x78/0xe0\n    [<00000000a41c9a5b>] driver_probe_device+0xd8/0x160\n    [<000000009c3bd5df>] __device_attach_driver+0xb8/0x140\n    [<0000000043cd7614>] bus_for_each_drv+0x7c/0xd4\n    [<000000003b929a36>] __device_attach+0x9c/0x19c\n    [<00000000a94e0ba8>] device_initial_probe+0x14/0x20\n    [<000000003c999637>] bus_probe_device+0xa0/0xac(CVE-2023-52670)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: avoid format-overflow warning\r\n\r\nWith gcc and W=1 option, there's a warning like this:\r\n\r\nfs/f2fs/compress.c: In function ‘f2fs_init_page_array_cache’:\nfs/f2fs/compress.c:1984:47: error: ‘%u’ directive writing between\n1 and 7 bytes into a region of size between 5 and 8\n[-Werror=format-overflow=]\n 1984 |  sprintf(slab_name, \"f2fs_page_array_entry-%u:%u\", MAJOR(dev),\n\t\tMINOR(dev));\n      |                                               ^~\r\n\r\nString \"f2fs_page_array_entry-%u:%u\" can up to 35. The first \"%u\" can up\nto 4 and the second \"%u\" can up to 7, so total size is \"24 + 4 + 7 = 35\".\nslab_name's size should be 35 rather than 32.(CVE-2023-52748)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni2c: core: Run atomic i2c xfer when !preemptible\r\n\r\nSince bae1d3a05a8b, i2c transfers are non-atomic if preemption is\ndisabled. However, non-atomic i2c transfers require preemption (e.g. in\nwait_for_completion() while waiting for the DMA).\r\n\r\npanic() calls preempt_disable_notrace() before calling\nemergency_restart(). Therefore, if an i2c device is used for the\nrestart, the xfer should be atomic. This avoids warnings like:\r\n\r\n[   12.667612] WARNING: CPU: 1 PID: 1 at kernel/rcu/tree_plugin.h:318 rcu_note_context_switch+0x33c/0x6b0\n[   12.676926] Voluntary context switch within RCU read-side critical section!\n...\n[   12.742376]  schedule_timeout from wait_for_completion_timeout+0x90/0x114\n[   12.749179]  wait_for_completion_timeout from tegra_i2c_wait_completion+0x40/0x70\n...\n[   12.994527]  atomic_notifier_call_chain from machine_restart+0x34/0x58\n[   13.001050]  machine_restart from panic+0x2a8/0x32c\r\n\r\nUse !preemptible() instead, which is basically the same check as\npre-v5.2.(CVE-2023-52791)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/panel: fix a possible null pointer dereference\r\n\r\nIn versatile_panel_get_modes(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.(CVE-2023-52821)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: vidtv: mux: Add check and kfree for kstrdup\r\n\r\nAdd check for the return value of kstrdup() and return the error\nif it fails in order to avoid NULL pointer dereference.\nMoreover, use kfree() in the later error handling in order to avoid\nmemory leak.(CVE-2023-52841)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: mediatek: clk-mt6779: Add check for mtk_alloc_clk_data\r\n\r\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.(CVE-2023-52873)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change\r\n\r\nWhile PLL CPUX clock rate change when CPU is running from it works in\nvast majority of cases, now and then it causes instability. This leads\nto system crashes and other undefined behaviour. After a lot of testing\n(30+ hours) while also doing a lot of frequency switches, we can't\nobserve any instability issues anymore when doing reparenting to stable\nclock like 24 MHz oscillator.(CVE-2023-52882)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nft_set_pipapo: do not free live element\r\n\r\nPablo reports a crash with large batches of elements with a\nback-to-back add/remove pattern.  Quoting Pablo:\r\n\r\n  add_elem(\"00000000\") timeout 100 ms\n  ...\n  add_elem(\"0000000X\") timeout 100 ms\n  del_elem(\"0000000X\") <---------------- delete one that was just added\n  ...\n  add_elem(\"00005000\") timeout 100 ms\r\n\r\n  1) nft_pipapo_remove() removes element 0000000X\n  Then, KASAN shows a splat.\r\n\r\nLooking at the remove function there is a chance that we will drop a\nrule that maps to a non-deactivated element.\r\n\r\nRemoval happens in two steps, first we do a lookup for key k and return the\nto-be-removed element and mark it as inactive in the next generation.\nThen, in a second step, the element gets removed from the set/map.\r\n\r\nThe _remove function does not work correctly if we have more than one\nelement that share the same key.\r\n\r\nThis can happen if we insert an element into a set when the set already\nholds an element with same key, but the element mapping to the existing\nkey has timed out or is not active in the next generation.\r\n\r\nIn such case its possible that removal will unmap the wrong element.\nIf this happens, we will leak the non-deactivated element, it becomes\nunreachable.\r\n\r\nThe element that got deactivated (and will be freed later) will\nremain reachable in the set data structure, this can result in\na crash when such an element is retrieved during lookup (stale\npointer).\r\n\r\nAdd a check that the fully matching key does in fact map to the element\nthat we have marked as inactive in the deactivation step.\nIf not, we need to continue searching.\r\n\r\nAdd a bug/warn trap at the end of the function as well, the remove\nfunction must not ever be called with an invisible/unreachable/non-existent\nelement.\r\n\r\nv2: avoid uneeded temporary variable (Stefano)(CVE-2024-26924)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: core: Fix unremoved procfs host directory regression\r\n\r\nCommit fc663711b944 (\"scsi: core: Remove the /proc/scsi/${proc_name}\ndirectory earlier\") fixed a bug related to modules loading/unloading, by\nadding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led\nto a potential duplicate call to the hostdir_rm() routine, since it's also\ncalled from scsi_host_dev_release(). That triggered a regression report,\nwhich was then fixed by commit be03df3d4bfe (\"scsi: core: Fix a procfs host\ndirectory removal regression\"). The fix just dropped the hostdir_rm() call\nfrom dev_release().\r\n\r\nBut it happens that this proc directory is created on scsi_host_alloc(),\nand that function \"pairs\" with scsi_host_dev_release(), while\nscsi_remove_host() pairs with scsi_add_host(). In other words, it seems the\nreason for removing the proc directory on dev_release() was meant to cover\ncases in which a SCSI host structure was allocated, but the call to\nscsi_add_host() didn't happen. And that pattern happens to exist in some\nerror paths, for example.\r\n\r\nSyzkaller causes that by using USB raw gadget device, error'ing on\nusb-storage driver, at usb_stor_probe2(). By checking that path, we can see\nthat the BadDevice label leads to a scsi_host_put() after a SCSI host\nallocation, but there's no call to scsi_add_host() in such path. That leads\nto messages like this in dmesg (and a leak of the SCSI host proc\nstructure):\r\n\r\nusb-storage 4-1:87.51: USB Mass Storage device detected\nproc_dir_entry 'scsi/usb-storage' already registered\nWARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376\r\n\r\nThe proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(),\nbut guard that with the state check for SHOST_CREATED; there is even a\ncomment in scsi_host_dev_release() detailing that: such conditional is\nmeant for cases where the SCSI host was allocated but there was no calls to\n{add,remove}_host(), like the usb-storage case.\r\n\r\nThis is what we propose here and with that, the error path of usb-storage\ndoes not trigger the warning anymore.(CVE-2024-26935)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: validate request buffer size in smb2_allocate_rsp_buf()\r\n\r\nThe response buffer should be allocated in smb2_allocate_rsp_buf\nbefore validating request. But the fields in payload as well as smb2 header\nis used in smb2_allocate_rsp_buf(). This patch add simple buffer size\nvalidation to avoid potencial out-of-bounds in request buffer.(CVE-2024-26936)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses\r\n\r\nSince commit a4d5613c4dc6 (\"arm: extend pfn_valid to take into account\nfreed memory map alignment\") changes the semantics of pfn_valid() to check\npresence of the memory map for a PFN. A valid page for an address which\nis reserved but not mapped by the kernel[1], the system crashed during\nsome uio test with the following memory layout:\r\n\r\n node   0: [mem 0x00000000c0a00000-0x00000000cc8fffff]\n node   0: [mem 0x00000000d0000000-0x00000000da1fffff]\n the uio layout is：0xc0900000, 0x100000\r\n\r\nthe crash backtrace like:\r\n\r\n  Unable to handle kernel paging request at virtual address bff00000\n  [...]\n  CPU: 1 PID: 465 Comm: startapp.bin Tainted: G           O      5.10.0 #1\n  Hardware name: Generic DT based system\n  PC is at b15_flush_kern_dcache_area+0x24/0x3c\n  LR is at __sync_icache_dcache+0x6c/0x98\n  [...]\n   (b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98)\n   (__sync_icache_dcache) from (set_pte_at+0x28/0x54)\n   (set_pte_at) from (remap_pfn_range+0x1a0/0x274)\n   (remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio])\n   (uio_mmap [uio]) from (__mmap_region+0x264/0x5f4)\n   (__mmap_region) from (__do_mmap_mm+0x3ec/0x440)\n   (__do_mmap_mm) from (do_mmap+0x50/0x58)\n   (do_mmap) from (vm_mmap_pgoff+0xfc/0x188)\n   (vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4)\n   (ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c)\n  Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e)\n  ---[ end trace 09cf0734c3805d52 ]---\n  Kernel panic - not syncing: Fatal exception\r\n\r\nSo check if PG_reserved was set to solve this issue.\r\n\r\n[1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/(CVE-2024-26947)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()\r\n\r\nIf ->NameOffset of smb2_create_req is smaller than Buffer offset of\nsmb2_create_req, slab-out-of-bounds read can happen from smb2_open.\nThis patch set the minimum value of the name offset to the buffer offset\nto validate name length of smb2_create_req().(CVE-2024-26954)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm: swap: fix race between free_swap_and_cache() and swapoff()\r\n\r\nThere was previously a theoretical window where swapoff() could run and\nteardown a swap_info_struct while a call to free_swap_and_cache() was\nrunning in another thread.  This could cause, amongst other bad\npossibilities, swap_page_trans_huge_swapped() (called by\nfree_swap_and_cache()) to access the freed memory for swap_map.\r\n\r\nThis is a theoretical problem and I haven't been able to provoke it from a\ntest case.  But there has been agreement based on code review that this is\npossible (see link below).\r\n\r\nFix it by using get_swap_device()/put_swap_device(), which will stall\nswapoff().  There was an extra check in _swap_info_get() to confirm that\nthe swap entry was not free.  This isn't present in get_swap_device()\nbecause it doesn't make sense in general due to the race between getting\nthe reference and swapoff.  So I've added an equivalent check directly in\nfree_swap_and_cache().\r\n\r\nDetails of how to provoke one possible issue (thanks to David Hildenbrand\nfor deriving this):\r\n\r\n--8<-----\r\n\r\n__swap_entry_free() might be the last user and result in\n\"count == SWAP_HAS_CACHE\".\r\n\r\nswapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0.\r\n\r\nSo the question is: could someone reclaim the folio and turn\nsi->inuse_pages==0, before we completed swap_page_trans_huge_swapped().\r\n\r\nImagine the following: 2 MiB folio in the swapcache. Only 2 subpages are\nstill references by swap entries.\r\n\r\nProcess 1 still references subpage 0 via swap entry.\nProcess 2 still references subpage 1 via swap entry.\r\n\r\nProcess 1 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n[then, preempted in the hypervisor etc.]\r\n\r\nProcess 2 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\r\n\r\nProcess 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls\n__try_to_reclaim_swap().\r\n\r\n__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()->\nput_swap_folio()->free_swap_slot()->swapcache_free_entries()->\nswap_entry_free()->swap_range_free()->\n...\nWRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries);\r\n\r\nWhat stops swapoff to succeed after process 2 reclaimed the swap cache\nbut before process1 finished its call to swap_page_trans_huge_swapped()?\r\n\r\n--8<-----(CVE-2024-26960)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5e: Prevent deadlock while disabling aRFS\r\n\r\nWhen disabling aRFS under the `priv->state_lock`, any scheduled\naRFS works are canceled using the `cancel_work_sync` function,\nwhich waits for the work to end if it has already started.\nHowever, while waiting for the work handler, the handler will\ntry to acquire the `state_lock` which is already acquired.\r\n\r\nThe worker acquires the lock to delete the rules if the state\nis down, which is not the worker's responsibility since\ndisabling aRFS deletes the rules.\r\n\r\nAdd an aRFS state variable, which indicates whether the aRFS is\nenabled and prevent adding rules when the aRFS is disabled.\r\n\r\nKernel log:\r\n\r\n======================================================\nWARNING: possible circular locking dependency detected\n6.7.0-rc4_net_next_mlx5_5483eb2 #1 Tainted: G          I\n------------------------------------------------------\nethtool/386089 is trying to acquire lock:\nffff88810f21ce68 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}, at: __flush_work+0x74/0x4e0\r\n\r\nbut task is already holding lock:\nffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\r\n\r\nwhich lock already depends on the new lock.\r\n\r\nthe existing dependency chain (in reverse order) is:\r\n\r\n-> #1 (&priv->state_lock){+.+.}-{3:3}:\n       __mutex_lock+0x80/0xc90\n       arfs_handle_work+0x4b/0x3b0 [mlx5_core]\n       process_one_work+0x1dc/0x4a0\n       worker_thread+0x1bf/0x3c0\n       kthread+0xd7/0x100\n       ret_from_fork+0x2d/0x50\n       ret_from_fork_asm+0x11/0x20\r\n\r\n-> #0 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}:\n       __lock_acquire+0x17b4/0x2c80\n       lock_acquire+0xd0/0x2b0\n       __flush_work+0x7a/0x4e0\n       __cancel_work_timer+0x131/0x1c0\n       arfs_del_rules+0x143/0x1e0 [mlx5_core]\n       mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n       mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\n       ethnl_set_channels+0x28f/0x3b0\n       ethnl_default_set_doit+0xec/0x240\n       genl_family_rcv_msg_doit+0xd0/0x120\n       genl_rcv_msg+0x188/0x2c0\n       netlink_rcv_skb+0x54/0x100\n       genl_rcv+0x24/0x40\n       netlink_unicast+0x1a1/0x270\n       netlink_sendmsg+0x214/0x460\n       __sock_sendmsg+0x38/0x60\n       __sys_sendto+0x113/0x170\n       __x64_sys_sendto+0x20/0x30\n       do_syscall_64+0x40/0xe0\n       entry_SYSCALL_64_after_hwframe+0x46/0x4e\r\n\r\nother info that might help us debug this:\r\n\r\n Possible unsafe locking scenario:\r\n\r\n       CPU0                    CPU1\n       ----                    ----\n  lock(&priv->state_lock);\n                               lock((work_completion)(&rule->arfs_work));\n                               lock(&priv->state_lock);\n  lock((work_completion)(&rule->arfs_work));\r\n\r\n *** DEADLOCK ***\r\n\r\n3 locks held by ethtool/386089:\n #0: ffffffff82ea7210 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40\n #1: ffffffff82e94c88 (rtnl_mutex){+.+.}-{3:3}, at: ethnl_default_set_doit+0xd3/0x240\n #2: ffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\r\n\r\nstack backtrace:\nCPU: 15 PID: 386089 Comm: ethtool Tainted: G          I        6.7.0-rc4_net_next_mlx5_5483eb2 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x60/0xa0\n check_noncircular+0x144/0x160\n __lock_acquire+0x17b4/0x2c80\n lock_acquire+0xd0/0x2b0\n ? __flush_work+0x74/0x4e0\n ? save_trace+0x3e/0x360\n ? __flush_work+0x74/0x4e0\n __flush_work+0x7a/0x4e0\n ? __flush_work+0x74/0x4e0\n ? __lock_acquire+0xa78/0x2c80\n ? lock_acquire+0xd0/0x2b0\n ? mark_held_locks+0x49/0x70\n __cancel_work_timer+0x131/0x1c0\n ? mark_held_locks+0x49/0x70\n arfs_del_rules+0x143/0x1e0 [mlx5_core]\n mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\n ethnl_set_channels+0x28f/0x3b0\n ethnl_default_set_doit+0xec/0x240\n genl_family_rcv_msg_doit+0xd0/0x120\n genl_rcv_msg+0x188/0x2c0\n ? ethn\n---truncated---(CVE-2024-27014)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nft_set_pipapo: walk over current view on netlink dump\r\n\r\nThe generation mask can be updated while netlink dump is in progress.\nThe pipapo set backend walk iterator cannot rely on it to infer what\nview of the datastructure is to be used. Add notation to specify if user\nwants to read/update the set.\r\n\r\nBased on patch from Florian Westphal.(CVE-2024-27017)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()\r\n\r\nnft_unregister_obj() can concurrent with __nft_obj_type_get(),\nand there is not any protection when iterate over nf_tables_objects\nlist in __nft_obj_type_get(). Therefore, there is potential data-race\nof nf_tables_objects list entry.\r\n\r\nUse list_for_each_entry_rcu() to iterate over nf_tables_objects\nlist in __nft_obj_type_get(), and use rcu_read_lock() in the caller\nnft_obj_type_get() to protect the entire type query process.(CVE-2024-27019)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Fix potential NULL pointer dereferences in 'dcn10_set_output_transfer_func()'\r\n\r\nThe 'stream' pointer is used in dcn10_set_output_transfer_func() before\nthe check if 'stream' is NULL.\r\n\r\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn10/dcn10_hwseq.c:1892 dcn10_set_output_transfer_func() warn: variable dereferenced before check 'stream' (see line 1875)(CVE-2024-27044)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: ll_temac: platform_get_resource replaced by wrong function\r\n\r\nThe function platform_get_resource was replaced with\ndevm_platform_ioremap_resource_byname and is called using 0 as name.\r\n\r\nThis eventually ends up in platform_get_resource_byname in the call\nstack, where it causes a null pointer in strcmp.\r\n\r\n\tif (type == resource_type(r) && !strcmp(r->name, name))\r\n\r\nIt should have been replaced with devm_platform_ioremap_resource.(CVE-2024-35796)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsoc: fsl: qbman: Use raw spinlock for cgr_lock\r\n\r\nsmp_call_function always runs its callback in hard IRQ context, even on\nPREEMPT_RT, where spinlocks can sleep. So we need to use a raw spinlock\nfor cgr_lock to ensure we aren't waiting on a sleeping task.\r\n\r\nAlthough this bug has existed for a while, it was not apparent until\ncommit ef2a8d5478b9 (\"net: dpaa: Adjust queue depth on rate change\")\nwhich invokes smp_call_function_single via qman_update_cgr_safe every\ntime a link goes up or down.(CVE-2024-35819)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nubifs: Set page uptodate in the correct place\r\n\r\nPage cache reads are lockless, so setting the freshly allocated page\nuptodate before we've overwritten it with the data it's supposed to have\nin it will allow a simultaneous reader to see old data.  Move the call\nto SetPageUptodate into ubifs_write_end(), which is after we copied the\nnew data into the page.(CVE-2024-35821)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer()\r\n\r\nIn the for statement of lbs_allocate_cmd_buffer(), if the allocation of\ncmdarray[i].cmdbuf fails, both cmdarray and cmdarray[i].cmdbuf needs to\nbe freed. Otherwise, there will be memleaks in lbs_allocate_cmd_buffer().(CVE-2024-35828)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsmb: client: fix UAF in smb2_reconnect_server()\r\n\r\nThe UAF bug is due to smb2_reconnect_server() accessing a session that\nis already being teared down by another thread that is executing\n__cifs_put_smb_ses().  This can happen when (a) the client has\nconnection to the server but no session or (b) another thread ends up\nsetting @ses->ses_status again to something different than\nSES_EXITING.\r\n\r\nTo fix this, we need to make sure to unconditionally set\n@ses->ses_status to SES_EXITING and prevent any other threads from\nsetting a new status while we're still tearing it down.\r\n\r\nThe following can be reproduced by adding some delay to right after\nthe ipc is freed in __cifs_put_smb_ses() - which will give\nsmb2_reconnect_server() worker a chance to run and then accessing\n@ses->ipc:\r\n\r\nkinit ...\nmount.cifs //srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10\n[disconnect srv]\nls /mnt/1 &>/dev/null\nsleep 30\nkdestroy\n[reconnect srv]\nsleep 10\numount /mnt/1\n...\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\nCIFS: VFS: \\\\srv Send error in SessSetup = -126\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\nCIFS: VFS: \\\\srv Send error in SessSetup = -126\ngeneral protection fault, probably for non-canonical address\n0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39\n04/01/2014\nWorkqueue: cifsiod smb2_reconnect_server [cifs]\nRIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0\nCode: 4f 08 48 85 d2 74 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad\nde 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 <48> 8b 01 48 39 f8 75\n7b 48 8b 72 08 48 39 c6 0f 85 88 00 00 00 b8\nRSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83\nRAX: dead000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b\nRDX: 6b6b6b6b6b6b6b6b RSI: ffffffffc02f6878 RDI: ffff88810da53800\nRBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000001 R12: ffff88810c064000\nR13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000\nFS: 0000000000000000(0000) GS:ffff888157c00000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? die_addr+0x36/0x90\n ? exc_general_protection+0x1c1/0x3f0\n ? asm_exc_general_protection+0x26/0x30\n ? __list_del_entry_valid_or_report+0x33/0xf0\n __cifs_put_smb_ses+0x1ae/0x500 [cifs]\n smb2_reconnect_server+0x4ed/0x710 [cifs]\n process_one_work+0x205/0x6b0\n worker_thread+0x191/0x360\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe2/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>(CVE-2024-35870)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nax25: fix use-after-free bugs caused by ax25_ds_del_timer\r\n\r\nWhen the ax25 device is detaching, the ax25_dev_device_down()\ncalls ax25_ds_del_timer() to cleanup the slave_timer. When\nthe timer handler is running, the ax25_ds_del_timer() that\ncalls del_timer() in it will return directly. As a result,\nthe use-after-free bugs could happen, one of the scenarios\nis shown below:\r\n\r\n      (Thread 1)          |      (Thread 2)\n                          | ax25_ds_timeout()\nax25_dev_device_down()    |\n  ax25_ds_del_timer()     |\n    del_timer()           |\n  ax25_dev_put() //FREE   |\n                          |  ax25_dev-> //USE\r\n\r\nIn order to mitigate bugs, when the device is detaching, use\ntimer_shutdown_sync() to stop the timer.(CVE-2024-35887)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: properly terminate timers for kernel sockets\r\n\r\nWe had various syzbot reports about tcp timers firing after\nthe corresponding netns has been dismantled.\r\n\r\nFortunately Josef Bacik could trigger the issue more often,\nand could test a patch I wrote two years ago.\r\n\r\nWhen TCP sockets are closed, we call inet_csk_clear_xmit_timers()\nto 'stop' the timers.\r\n\r\ninet_csk_clear_xmit_timers() can be called from any context,\nincluding when socket lock is held.\nThis is the reason it uses sk_stop_timer(), aka del_timer().\nThis means that ongoing timers might finish much later.\r\n\r\nFor user sockets, this is fine because each running timer\nholds a reference on the socket, and the user socket holds\na reference on the netns.\r\n\r\nFor kernel sockets, we risk that the netns is freed before\ntimer can complete, because kernel sockets do not hold\nreference on the netns.\r\n\r\nThis patch adds inet_csk_clear_xmit_timers_sync() function\nthat using sk_stop_timer_sync() to make sure all timers\nare terminated before the kernel socket is released.\nModules using kernel sockets close them in their netns exit()\nhandler.\r\n\r\nAlso add sock_not_owned_by_me() helper to get LOCKDEP\nsupport : inet_csk_clear_xmit_timers_sync() must not be called\nwhile socket lock is held.\r\n\r\nIt is very possible we can revert in the future commit\n3a58f13a881e (\"net: rds: acquire refcount on TCP sockets\")\nwhich attempted to solve the issue in rds only.\n(net/smc/af_smc.c and net/mptcp/subflow.c have similar code)\r\n\r\nWe probably can remove the check_net() tests from\ntcp_out_of_resources() and __tcp_close() in the future.(CVE-2024-35910)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet\r\n\r\nsyzbot reported the following uninit-value access issue [1][2]:\r\n\r\nnci_rx_work() parses and processes received packet. When the payload\nlength is zero, each message type handler reads uninitialized payload\nand KMSAN detects this issue. The receipt of a packet with a zero-size\npayload is considered unexpected, and therefore, such packets should be\nsilently discarded.\r\n\r\nThis patch resolved this issue by checking payload size before calling\neach message type handler codes.(CVE-2024-35915)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/vc4: don't check if plane->state->fb == state->fb\r\n\r\nCurrently, when using non-blocking commits, we can see the following\nkernel warning:\r\n\r\n[  110.908514] ------------[ cut here ]------------\n[  110.908529] refcount_t: underflow; use-after-free.\n[  110.908620] WARNING: CPU: 0 PID: 1866 at lib/refcount.c:87 refcount_dec_not_one+0xb8/0xc0\n[  110.908664] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device cmac algif_hash aes_arm64 aes_generic algif_skcipher af_alg bnep hid_logitech_hidpp vc4 brcmfmac hci_uart btbcm brcmutil bluetooth snd_soc_hdmi_codec cfg80211 cec drm_display_helper drm_dma_helper drm_kms_helper snd_soc_core snd_compress snd_pcm_dmaengine fb_sys_fops sysimgblt syscopyarea sysfillrect raspberrypi_hwmon ecdh_generic ecc rfkill libaes i2c_bcm2835 binfmt_misc joydev snd_bcm2835(C) bcm2835_codec(C) bcm2835_isp(C) v4l2_mem2mem videobuf2_dma_contig snd_pcm bcm2835_v4l2(C) raspberrypi_gpiomem bcm2835_mmal_vchiq(C) videobuf2_v4l2 snd_timer videobuf2_vmalloc videobuf2_memops videobuf2_common snd videodev vc_sm_cma(C) mc hid_logitech_dj uio_pdrv_genirq uio i2c_dev drm fuse dm_mod drm_panel_orientation_quirks backlight ip_tables x_tables ipv6\n[  110.909086] CPU: 0 PID: 1866 Comm: kodi.bin Tainted: G         C         6.1.66-v8+ #32\n[  110.909104] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)\n[  110.909114] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  110.909132] pc : refcount_dec_not_one+0xb8/0xc0\n[  110.909152] lr : refcount_dec_not_one+0xb4/0xc0\n[  110.909170] sp : ffffffc00913b9c0\n[  110.909177] x29: ffffffc00913b9c0 x28: 000000556969bbb0 x27: 000000556990df60\n[  110.909205] x26: 0000000000000002 x25: 0000000000000004 x24: ffffff8004448480\n[  110.909230] x23: ffffff800570b500 x22: ffffff802e03a7bc x21: ffffffecfca68c78\n[  110.909257] x20: ffffff8002b42000 x19: ffffff802e03a600 x18: 0000000000000000\n[  110.909283] x17: 0000000000000011 x16: ffffffffffffffff x15: 0000000000000004\n[  110.909308] x14: 0000000000000fff x13: ffffffed577e47e0 x12: 0000000000000003\n[  110.909333] x11: 0000000000000000 x10: 0000000000000027 x9 : c912d0d083728c00\n[  110.909359] x8 : c912d0d083728c00 x7 : 65646e75203a745f x6 : 746e756f63666572\n[  110.909384] x5 : ffffffed579f62ee x4 : ffffffed579eb01e x3 : 0000000000000000\n[  110.909409] x2 : 0000000000000000 x1 : ffffffc00913b750 x0 : 0000000000000001\n[  110.909434] Call trace:\n[  110.909441]  refcount_dec_not_one+0xb8/0xc0\n[  110.909461]  vc4_bo_dec_usecnt+0x4c/0x1b0 [vc4]\n[  110.909903]  vc4_cleanup_fb+0x44/0x50 [vc4]\n[  110.910315]  drm_atomic_helper_cleanup_planes+0x88/0xa4 [drm_kms_helper]\n[  110.910669]  vc4_atomic_commit_tail+0x390/0x9dc [vc4]\n[  110.911079]  commit_tail+0xb0/0x164 [drm_kms_helper]\n[  110.911397]  drm_atomic_helper_commit+0x1d0/0x1f0 [drm_kms_helper]\n[  110.911716]  drm_atomic_commit+0xb0/0xdc [drm]\n[  110.912569]  drm_mode_atomic_ioctl+0x348/0x4b8 [drm]\n[  110.913330]  drm_ioctl_kernel+0xec/0x15c [drm]\n[  110.914091]  drm_ioctl+0x24c/0x3b0 [drm]\n[  110.914850]  __arm64_sys_ioctl+0x9c/0xd4\n[  110.914873]  invoke_syscall+0x4c/0x114\n[  110.914897]  el0_svc_common+0xd0/0x118\n[  110.914917]  do_el0_svc+0x38/0xd0\n[  110.914936]  el0_svc+0x30/0x8c\n[  110.914958]  el0t_64_sync_handler+0x84/0xf0\n[  110.914979]  el0t_64_sync+0x18c/0x190\n[  110.914996] ---[ end trace 0000000000000000 ]---\r\n\r\nThis happens because, although `prepare_fb` and `cleanup_fb` are\nperfectly balanced, we cannot guarantee consistency in the check\nplane->state->fb == state->fb. This means that sometimes we can increase\nthe refcount in `prepare_fb` and don't decrease it in `cleanup_fb`. The\nopposite can also be true.\r\n\r\nIn fact, the struct drm_plane .state shouldn't be accessed directly\nbut instead, the `drm_atomic_get_new_plane_state()` helper function should\nbe used. So, we could stick to this check, but using\n`drm_atomic_get_new_plane_state()`. But actually, this check is not re\n---truncated---(CVE-2024-35932)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: send: handle path ref underflow in header iterate_inode_ref()\r\n\r\nChange BUG_ON to proper error handling if building the path buffer\nfails. The pointers are not printed so we don't accidentally leak kernel\naddresses.(CVE-2024-35935)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: cfg80211: check A-MSDU format more carefully\r\n\r\nIf it looks like there's another subframe in the A-MSDU\nbut the header isn't fully there, we can end up reading\ndata out of bounds, only to discard later. Make this a\nbit more careful and check if the subframe header can\neven be present.(CVE-2024-35937)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr()\r\n\r\nSubject: [PATCH] drm/panfrost: Fix the error path in\n panfrost_mmu_map_fault_addr()\r\n\r\nIf some the pages or sgt allocation failed, we shouldn't release the\npages ref we got earlier, otherwise we will end up with unbalanced\nget/put_pages() calls. We should instead leave everything in place\nand let the BO release function deal with extra cleanup when the object\nis destroyed, or let the fault handler try again next time it's called.(CVE-2024-35951)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: L2CAP: Fix not validating setsockopt user input\r\n\r\nCheck user input length before copying data.(CVE-2024-35965)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: RFCOMM: Fix not validating setsockopt user input\r\n\r\nsyzbot reported rfcomm_sock_setsockopt_old() is copying data without\nchecking user input length.\r\n\r\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset\ninclude/linux/sockptr.h:49 [inline]\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr\ninclude/linux/sockptr.h:55 [inline]\nBUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old\nnet/bluetooth/rfcomm/sock.c:632 [inline]\nBUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70\nnet/bluetooth/rfcomm/sock.c:673\nRead of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064(CVE-2024-35966)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntty: n_gsm: fix possible out-of-bounds in gsm0_receive()\r\n\r\nAssuming the following:\n- side A configures the n_gsm in basic option mode\n- side B sends the header of a basic option mode frame with data length 1\n- side A switches to advanced option mode\n- side B sends 2 data bytes which exceeds gsm->len\n  Reason: gsm->len is not used in advanced option mode.\n- side A switches to basic option mode\n- side B keeps sending until gsm0_receive() writes past gsm->buf\n  Reason: Neither gsm->state nor gsm->len have been reset after\n  reconfiguration.\r\n\r\nFix this by changing gsm->count to gsm->len comparison from equal to less\nthan. Also add upper limit checks against the constant MAX_MRU in\ngsm0_receive() and gsm1_receive() to harden against memory corruption of\ngsm->len and gsm->mru.\r\n\r\nAll other checks remain as we still need to limit the data according to the\nuser configuration and actual payload size.(CVE-2024-36016)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets\r\n\r\nTCP_SYN_RECV state is really special, it is only used by\ncross-syn connections, mostly used by fuzzers.\r\n\r\nIn the following crash [1], syzbot managed to trigger a divide\nby zero in tcp_rcv_space_adjust()\r\n\r\nA socket makes the following state transitions,\nwithout ever calling tcp_init_transfer(),\nmeaning tcp_init_buffer_space() is also not called.\r\n\r\n         TCP_CLOSE\nconnect()\n         TCP_SYN_SENT\n         TCP_SYN_RECV\nshutdown() -> tcp_shutdown(sk, SEND_SHUTDOWN)\n         TCP_FIN_WAIT1\r\n\r\nTo fix this issue, change tcp_shutdown() to not\nperform a TCP_SYN_RECV -> TCP_FIN_WAIT1 transition,\nwhich makes no sense anyway.\r\n\r\nWhen tcp_rcv_state_process() later changes socket state\nfrom TCP_SYN_RECV to TCP_ESTABLISH, then look at\nsk->sk_shutdown to finally enter TCP_FIN_WAIT1 state,\nand send a FIN packet from a sane socket state.\r\n\r\nThis means tcp_send_fin() can now be called from BH\ncontext, and must use GFP_ATOMIC allocations.\r\n\r\n[1]\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767\nCode: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 <48> f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48\nRSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246\nRAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7\nR10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30\nR13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da\nFS:  00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0\nCall Trace:\n <TASK>\n  tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513\n  tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578\n  inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680\n  sock_recvmsg_nosec net/socket.c:1046 [inline]\n  sock_recvmsg+0x109/0x280 net/socket.c:1068\n  ____sys_recvmsg+0x1db/0x470 net/socket.c:2803\n  ___sys_recvmsg net/socket.c:2845 [inline]\n  do_recvmmsg+0x474/0xae0 net/socket.c:2939\n  __sys_recvmmsg net/socket.c:3018 [inline]\n  __do_sys_recvmmsg net/socket.c:3041 [inline]\n  __se_sys_recvmmsg net/socket.c:3034 [inline]\n  __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7faeb6363db9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9\nRDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005\nRBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c\nR10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001(CVE-2024-36905)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblk-iocost: avoid out of bounds shift\r\n\r\nUBSAN catches undefined behavior in blk-iocost, where sometimes\niocg->delay is shifted right by a number that is too large,\nresulting in undefined behavior on some architectures.\r\n\r\n[  186.556576] ------------[ cut here ]------------\nUBSAN: shift-out-of-bounds in block/blk-iocost.c:1366:23\nshift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long')\nCPU: 16 PID: 0 Comm: swapper/16 Tainted: G S          E    N 6.9.0-0_fbk700_debug_rc2_kbuilder_0_gc85af715cac0 #1\nHardware name: Quanta Twin Lakes MP/Twin Lakes Passive MP, BIOS F09_3A23 12/08/2020\nCall Trace:\n <IRQ>\n dump_stack_lvl+0x8f/0xe0\n __ubsan_handle_shift_out_of_bounds+0x22c/0x280\n iocg_kick_delay+0x30b/0x310\n ioc_timer_fn+0x2fb/0x1f80\n __run_timer_base+0x1b6/0x250\n...\r\n\r\nAvoid that undefined behavior by simply taking the\n\"delay = 0\" branch if the shift is too large.\r\n\r\nI am not sure what the symptoms of an undefined value\ndelay will be, but I suspect it could be more than a\nlittle annoying to debug.(CVE-2024-36916)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload\r\n\r\nThe session resources are used by FW and driver when session is offloaded,\nonce session is uploaded these resources are not used. The lock is not\nrequired as these fields won't be used any longer. The offload and upload\ncalls are sequential, hence lock is not required.\r\n\r\nThis will suppress following BUG_ON():\r\n\r\n[  449.843143] ------------[ cut here ]------------\n[  449.848302] kernel BUG at mm/vmalloc.c:2727!\n[  449.853072] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n[  449.858712] CPU: 5 PID: 1996 Comm: kworker/u24:2 Not tainted 5.14.0-118.el9.x86_64 #1\nRebooting.\n[  449.867454] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.3.4 11/08/2016\n[  449.876966] Workqueue: fc_rport_eq fc_rport_work [libfc]\n[  449.882910] RIP: 0010:vunmap+0x2e/0x30\n[  449.887098] Code: 00 65 8b 05 14 a2 f0 4a a9 00 ff ff 00 75 1b 55 48 89 fd e8 34 36 79 00 48 85 ed 74 0b 48 89 ef 31 f6 5d e9 14 fc ff ff 5d c3 <0f> 0b 0f 1f 44 00 00 41 57 41 56 49 89 ce 41 55 49 89 fd 41 54 41\n[  449.908054] RSP: 0018:ffffb83d878b3d68 EFLAGS: 00010206\n[  449.913887] RAX: 0000000080000201 RBX: ffff8f4355133550 RCX: 000000000d400005\n[  449.921843] RDX: 0000000000000001 RSI: 0000000000001000 RDI: ffffb83da53f5000\n[  449.929808] RBP: ffff8f4ac6675800 R08: ffffb83d878b3d30 R09: 00000000000efbdf\n[  449.937774] R10: 0000000000000003 R11: ffff8f434573e000 R12: 0000000000001000\n[  449.945736] R13: 0000000000001000 R14: ffffb83da53f5000 R15: ffff8f43d4ea3ae0\n[  449.953701] FS:  0000000000000000(0000) GS:ffff8f529fc80000(0000) knlGS:0000000000000000\n[  449.962732] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  449.969138] CR2: 00007f8cf993e150 CR3: 0000000efbe10003 CR4: 00000000003706e0\n[  449.977102] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  449.985065] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  449.993028] Call Trace:\n[  449.995756]  __iommu_dma_free+0x96/0x100\n[  450.000139]  bnx2fc_free_session_resc+0x67/0x240 [bnx2fc]\n[  450.006171]  bnx2fc_upload_session+0xce/0x100 [bnx2fc]\n[  450.011910]  bnx2fc_rport_event_handler+0x9f/0x240 [bnx2fc]\n[  450.018136]  fc_rport_work+0x103/0x5b0 [libfc]\n[  450.023103]  process_one_work+0x1e8/0x3c0\n[  450.027581]  worker_thread+0x50/0x3b0\n[  450.031669]  ? rescuer_thread+0x370/0x370\n[  450.036143]  kthread+0x149/0x170\n[  450.039744]  ? set_kthread_struct+0x40/0x40\n[  450.044411]  ret_from_fork+0x22/0x30\n[  450.048404] Modules linked in: vfat msdos fat xfs nfs_layout_nfsv41_files rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver dm_service_time qedf qed crc8 bnx2fc libfcoe libfc scsi_transport_fc intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp dcdbas rapl intel_cstate intel_uncore mei_me pcspkr mei ipmi_ssif lpc_ich ipmi_si fuse zram ext4 mbcache jbd2 loop nfsv3 nfs_acl nfs lockd grace fscache netfs irdma ice sd_mod t10_pi sg ib_uverbs ib_core 8021q garp mrp stp llc mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi fb_sys_fops cec crct10dif_pclmul ahci crc32_pclmul bnx2x drm ghash_clmulni_intel libahci rfkill i40e libata megaraid_sas mdio wmi sunrpc lrw dm_crypt dm_round_robin dm_multipath dm_snapshot dm_bufio dm_mirror dm_region_hash dm_log dm_zero dm_mod linear raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid6_pq libcrc32c crc32c_intel raid1 raid0 iscsi_ibft squashfs be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls\n[  450.048497]  libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi edd ipmi_devintf ipmi_msghandler\n[  450.159753] ---[ end trace 712de2c57c64abc8 ]---(CVE-2024-36919)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: lpfc: Move NPIV's transport unregistration to after resource clean up\r\n\r\nThere are cases after NPIV deletion where the fabric switch still believes\nthe NPIV is logged into the fabric.  This occurs when a vport is\nunregistered before the Remove All DA_ID CT and LOGO ELS are sent to the\nfabric.\r\n\r\nCurrently fc_remove_host(), which calls dev_loss_tmo for all D_IDs including\nthe fabric D_ID, removes the last ndlp reference and frees the ndlp rport\nobject.  This sometimes causes the race condition where the final DA_ID and\nLOGO are skipped from being sent to the fabric switch.\r\n\r\nFix by moving the fc_remove_host() and scsi_remove_host() calls after DA_ID\nand LOGO are sent.(CVE-2024-36952)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/vmwgfx: Fix invalid reads in fence signaled events\r\n\r\nCorrectly set the length of the drm_event to the size of the structure\nthat's actually used.\r\n\r\nThe length of the drm_event was set to the parent structure instead of\nto the drm_vmw_event_fence which is supposed to be read. drm_read\nuses the length parameter to copy the event to the user space thus\nresuling in oob reads.(CVE-2024-36960)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init()\r\n\r\nl2cap_le_flowctl_init() can cause both div-by-zero and an integer\noverflow since hdev->le_mtu may not fall in the valid range.\r\n\r\nMove MTU from hci_dev to hci_conn to validate MTU and stop the connection\nprocess earlier if MTU is invalid.\nAlso, add a missing validation in read_buffer_size() and make it return\nan error value if the validation fails.\nNow hci_conn_add() returns ERR_PTR() as it can fail due to the both a\nkzalloc failure and invalid MTU value.\r\n\r\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 0 PID: 67 Comm: kworker/u5:0 Tainted: G        W          6.9.0-rc5+ #20\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: hci0 hci_rx_work\nRIP: 0010:l2cap_le_flowctl_init+0x19e/0x3f0 net/bluetooth/l2cap_core.c:547\nCode: e8 17 17 0c 00 66 41 89 9f 84 00 00 00 bf 01 00 00 00 41 b8 02 00 00 00 4c\n89 fe 4c 89 e2 89 d9 e8 27 17 0c 00 44 89 f0 31 d2 <66> f7 f3 89 c3 ff c3 4d 8d\nb7 88 00 00 00 4c 89 f0 48 c1 e8 03 42\nRSP: 0018:ffff88810bc0f858 EFLAGS: 00010246\nRAX: 00000000000002a0 RBX: 0000000000000000 RCX: dffffc0000000000\nRDX: 0000000000000000 RSI: ffff88810bc0f7c0 RDI: ffffc90002dcb66f\nRBP: ffff88810bc0f880 R08: aa69db2dda70ff01 R09: 0000ffaaaaaaaaaa\nR10: 0084000000ffaaaa R11: 0000000000000000 R12: ffff88810d65a084\nR13: dffffc0000000000 R14: 00000000000002a0 R15: ffff88810d65a000\nFS:  0000000000000000(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000100 CR3: 0000000103268003 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n l2cap_le_connect_req net/bluetooth/l2cap_core.c:4902 [inline]\n l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:5420 [inline]\n l2cap_le_sig_channel net/bluetooth/l2cap_core.c:5486 [inline]\n l2cap_recv_frame+0xe59d/0x11710 net/bluetooth/l2cap_core.c:6809\n l2cap_recv_acldata+0x544/0x10a0 net/bluetooth/l2cap_core.c:7506\n hci_acldata_packet net/bluetooth/hci_core.c:3939 [inline]\n hci_rx_work+0x5e5/0xb20 net/bluetooth/hci_core.c:4176\n process_one_work kernel/workqueue.c:3254 [inline]\n process_scheduled_works+0x90f/0x1530 kernel/workqueue.c:3335\n worker_thread+0x926/0xe70 kernel/workqueue.c:3416\n kthread+0x2e3/0x380 kernel/kthread.c:388\n ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n </TASK>\nModules linked in:\n---[ end trace 0000000000000000 ]---(CVE-2024-36968)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: fix __dst_negative_advice() race\r\n\r\n__dst_negative_advice() does not enforce proper RCU rules when\nsk->dst_cache must be cleared, leading to possible UAF.\r\n\r\nRCU rules are that we must first clear sk->sk_dst_cache,\nthen call dst_release(old_dst).\r\n\r\nNote that sk_dst_reset(sk) is implementing this protocol correctly,\nwhile __dst_negative_advice() uses the wrong order.\r\n\r\nGiven that ip6_negative_advice() has special logic\nagainst RTF_CACHE, this means each of the three ->negative_advice()\nexisting methods must perform the sk_dst_reset() themselves.\r\n\r\nNote the check against NULL dst is centralized in\n__dst_negative_advice(), there is no need to duplicate\nit in various callbacks.\r\n\r\nMany thanks to Clement Lecigne for tracking this issue.\r\n\r\nThis old bug became visible after the blamed commit, using UDP sockets.(CVE-2024-36971)",
+    "cves": [
+      {
+        "id": "CVE-2024-26960",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26960",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2024-36971",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36971",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1063": {
+    "id": "openEuler-SA-2024-1063",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1063",
+    "title": "An update for sqlite is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "SQLite is a C-language library that implements a small, fast, self-contained, high-reliability, full-featured, SQL database engine. SQLite is the most used database engine in the world. SQLite is built into all mobile phones and most computers and comes bundled inside countless other applications that people use every day.It also include lemon and sqlite3_analyzer and tcl tools.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999.(CVE-2023-7104)",
+    "cves": [
+      {
+        "id": "CVE-2023-7104",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7104",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1189": {
+    "id": "openEuler-SA-2024-1189",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1189",
+    "title": "An update for varnish is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "This is Varnish Cache, a web application accelerator also known as a caching HTTP reverse proxy. You install it in front of any server that speaks HTTP and configure it to cache the contents. Varnish Cache is really, really fast. It typically speeds up delivery with a factor of 300 - 1000x, depending on your architecture.\r\n\r\nSecurity Fix(es):\r\n\r\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.(CVE-2023-44487)",
+    "cves": [
+      {
+        "id": "CVE-2023-44487",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1731": {
+    "id": "openEuler-SA-2023-1731",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1731",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn array indexing vulnerability was found in the netfilter subsystem of the Linux kernel. A missing macro could lead to a miscalculation of the `h->nets` array offset, providing attackers with the primitive to arbitrarily increment/decrement a memory buffer out-of-bound. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.(CVE-2023-42753)",
+    "cves": [
+      {
+        "id": "CVE-2023-42753",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42753",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1475": {
+    "id": "openEuler-SA-2021-1475",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1475",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the memory pages. A local user could use this flaw to get unauthorized access to some data.(CVE-2021-4002)\r\n\r\nIn unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-196926917References: Upstream kernel(CVE-2021-0920)\r\n\r\nA vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the LInux kernel that allows local users to create files for the XFS file-system with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group and is writable by a user who is not a member of this group. This can lead to excessive permissions granted in case when they should not. This vulnerability is similar to the previous CVE-2018-13405 and adds the missed fix for the XFS.(CVE-2021-4037)\r\n\r\nA race condition accessing file object in the Linux kernel OverlayFS subsystem was found in the way users do rename in specific way with OverlayFS. A local user could use this flaw to crash the system.(CVE-2021-20321)\r\n\r\nIn __configfs_open_file of file.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-174049066References: Upstream kernel(CVE-2021-39656)\r\n\r\nIn gadget_dev_desc_UDC_show of configfs.c, there is a possible disclosure of kernel heap memory due to a race condition. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-160822094References: Upstream kernel(CVE-2021-39648)\r\n\r\nThe issue reported to the Linux security team allowed one to read and/or write up to 65kB of kernel memory past buffer boundaries by exploiting lack of limiting of the usb control transfer request wLength in certain gadget functions.(CVE-2021-39685)\r\n\r\npep_sock_accept in net/phonet/pep.c in the Linux kernel through 5.15.8 has a refcount leak.(CVE-2021-45095)\r\n\r\nA vulnerability was found in btrfs_alloc_tree_b in fs/btrfs/extent-tree.c in the Linux kernel due to an improper lock operation in btrfs. In this flaw, a user with a local privilege may cause a denial of service (DOS) due to a deadlock problem.(CVE-2021-4149)\n\nIn the Linux kernel through 5.8.7, local attackers able to inject conntrack netlink configuration could overflow a local buffer, causing crashes or triggering use of incorrect protocol numbers in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c, aka CID-1cc5ef91d2ff.(CVE-2020-25211)",
+    "cves": [
+      {
+        "id": "CVE-2020-25211",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25211",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1726": {
+    "id": "openEuler-SA-2022-1726",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1726",
+    "title": "An update for docker is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Docker is an open source project to build, ship and run any application as a lightweight container.\r\n\r\nSecurity Fix(es):\r\n\r\nMoby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting.(CVE-2022-24769)",
+    "cves": [
+      {
+        "id": "CVE-2022-24769",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24769",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1762": {
+    "id": "openEuler-SA-2022-1762",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1762",
+    "title": "An update for gdk-pixbuf2 is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "gdk is written in C but has been designed from the ground up to support a wide range of languages. It provide a complete set of widgets,and suitable for projects ranging from small one-off tools to complete application suites.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in gdk-pixbuf in versions before 2.42.0. An integer wraparound leading to an out of bounds write can occur when a crafted GIF image is loaded. An attacker may cause applications to crash or could potentially execute code on the victim system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2021-20240)\r\n\r\nGNOME gdk-pixbuf (aka GdkPixbuf) before 2.42.2 allows a denial of service (infinite loop) in lzw.c in the function write_indexes. if c->self_code equals 10, self->code_table[10].extends will assign the value 11 to c. The next execution in the loop will assign self->code_table[11].extends to c, which will give the value of 10. This will make the loop run infinitely. This bug can, for example, be triggered by calling this function with a GIF image with LZW compression that is crafted in a special way.(CVE-2020-29385)",
+    "cves": [
+      {
+        "id": "CVE-2020-29385",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29385",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1917": {
+    "id": "openEuler-SA-2023-1917",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1917",
+    "title": "An update for varnish is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "This is Varnish Cache, a web application accelerator also known as a caching HTTP reverse proxy. You install it in front of any server that speaks HTTP and configure it to cache the contents. Varnish Cache is really, really fast. It typically speeds up delivery with a factor of 300 - 1000x, depending on your architecture.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend.(CVE-2022-45059)",
+    "cves": [
+      {
+        "id": "CVE-2022-45059",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45059",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1533": {
+    "id": "openEuler-SA-2022-1533",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1533",
+    "title": "An update for cfitsio is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Library for manipulating FITS data files.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the ffghtb function in NASA CFITSIO 3.42, specially crafted images parsed via the library can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can deliver an FIT image to trigger this vulnerability and potentially gain code execution.(CVE-2018-3849)\r\n\r\nIn the ffghbn function in NASA CFITSIO 3.42, specially crafted images parsed via the library can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can deliver an FIT image to trigger this vulnerability and potentially gain code execution.(CVE-2018-3848)",
+    "cves": [
+      {
+        "id": "CVE-2018-3848",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3848",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1139": {
+    "id": "openEuler-SA-2024-1139",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1139",
+    "title": "An update for containerd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "containerd is an industry-standard container runtime with an emphasis on simplicity, robustness and portability.  It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervision, low-level storage and network attachments, etc.\r\n\r\nSecurity Fix(es):\r\n\r\nA maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.(CVE-2022-41723)",
+    "cves": [
+      {
+        "id": "CVE-2022-41723",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1434": {
+    "id": "openEuler-SA-2021-1434",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1434",
+    "title": "An update for gfbgraph is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "GLib/GObject wrapper for the Facebook Graph API.\r\n\r\nSecurity Fix(es):\r\n\r\nIn GNOME libgfbgraph through 0.2.4, gfbgraph-photo.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.(CVE-2021-39358)",
+    "cves": [
+      {
+        "id": "CVE-2021-39358",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39358",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1353": {
+    "id": "openEuler-SA-2021-1353",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1353",
+    "title": "An update for gd is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The gd graphics library allows your code to quickly draw images complete with lines, arcs, text, multiple colors, cut and paste from other images, and flood fills, and to write out the result as a PNG or JPEG file. The most common applications of GD involve website development, although it can be used with any standalone application!\r\n\r\nSecurity Fix(es):\r\n\r\nThe GD Graphics Library (aka LibGD) through 2.3.2 has an out-of-bounds read because of the lack of certain gdGetBuf and gdPutBuf return value checks.(CVE-2021-40812)",
+    "cves": [
+      {
+        "id": "CVE-2021-40812",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40812",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1812": {
+    "id": "openEuler-SA-2022-1812",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1812",
+    "title": "An update for gdm is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The GNOME Display Manager is a system service that is responsible for providing graphical log-ins and managing local and remote displays, and if the session doesn't provide a display server, GDM will start the display server. It also provides initiate functionality for user-switching, so multiple users can be logged in at the same time.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in GDM in versions prior to 3.38.2.1. A race condition in the handling of session shutdown makes it possible to bypass the lock screen for a user that has autologin enabled, accessing their session without authentication. This is similar to CVE-2017-12164, but requires more difficult conditions to exploit.(CVE-2020-27837)",
+    "cves": [
+      {
+        "id": "CVE-2020-27837",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27837",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1341": {
+    "id": "openEuler-SA-2023-1341",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1341",
+    "title": "An update for python-requests is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Requests is an HTTP library, written in Python, as an alternative to Python's builtin urllib2 which requires work (even method overrides) to perform basic tasks. Features of Requests:  - GET, HEAD, POST, PUT, DELETE Requests:    + HTTP Header Request Attachment. + Data/Params Request Attachment. + Multipart File Uploads. + CookieJar Support. + Redirection History. + Redirection Recursion Urllib Fix. + Automatic Decompression of GZipped Content. + Unicode URL Support.- Authentication: + URL + HTTP Auth Registry.\r\n\r\nSecurity Fix(es):\r\n\r\nRequests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.\r\n\r\n(CVE-2023-32681)",
+    "cves": [
+      {
+        "id": "CVE-2023-32681",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32681",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1766": {
+    "id": "openEuler-SA-2023-1766",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1766",
+    "title": "An update for opensc is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "OpenSC provides a set of libraries and utilities to work with smart cards. Its main focus is on cards that support cryptographic operations, and facilitate their use in security applications such as authentication, mail encryption and digital signatures. OpenSC implements the standard APIs to smart cards, e.g. PKCS#11 API, Windows’ Smart Card Minidriver and macOS Tokend.\r\n\r\nSecurity Fix(es):\r\n\r\nVUL-0: CVE-2023-40660: opensc: PIN bypass when card tracks its own login state(CVE-2023-40660)",
+    "cves": [
+      {
+        "id": "CVE-2023-40660",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40660",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1988": {
+    "id": "openEuler-SA-2022-1988",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1988",
+    "title": "An update for edk2 is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nInsufficient input validation in MdeModulePkg in EDKII may allow an unauthenticated user to potentially enable escalation of privilege, denial of service and/or information disclosure via physical access.(CVE-2019-11098)",
+    "cves": [
+      {
+        "id": "CVE-2019-11098",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11098",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1866": {
+    "id": "openEuler-SA-2023-1866",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1866",
+    "title": "An update for stb is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Single-file public domain libraries for C/C++.\r\n\r\nSecurity Fix(es):\r\n\r\nstb_image is a single file MIT licensed library for processing images. A crafted image file may trigger out of bounds memcpy read in `stbi__gif_load_next`. This happens because two_back points to a memory address lower than the start of the buffer out. This issue may be used to leak internal memory allocation information.(CVE-2023-45661)\r\n\r\nstb_image is a single file MIT licensed library for processing images. A crafted image file can trigger `stbi__load_gif_main_outofmem` attempt to double-free the out variable. This happens in `stbi__load_gif_main` because when the `layers * stride` value is zero the behavior is implementation defined, but common that realloc frees the old memory and returns null pointer. Since it attempts to double-free the memory a few lines below the first “free”, the issue can be potentially exploited only in a multi-threaded environment. In the worst case this may lead to code execution.(CVE-2023-45664)",
+    "cves": [
+      {
+        "id": "CVE-2023-45664",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45664",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1627": {
+    "id": "openEuler-SA-2023-1627",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1627",
+    "title": "An update for rubygem-railties is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Low",
+    "description": "Rails internals: application bootup, plugins, generators, and rake tasks. Railties is responsible to glue all frameworks together. Overall, it: * handles all the bootstrapping process for a Rails application; * manages rails command line interface; * provides Rails generators core;\r\n\r\nSecurity Fix(es):\r\n\r\n(CVE-2023-38037)",
+    "cves": [
+      {
+        "id": "CVE-2023-38037",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38037",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1201": {
+    "id": "openEuler-SA-2024-1201",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1201",
+    "title": "An update for rust is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Rust is a systems programming language focused on three goals:safety, speed,and concurrency.It maintains these goals without having a garbage collector, making it a useful language for a number of use cases other languages are not good at: embedding in other languages, programs with specific space and time requirements,and writing low-level code, like device drivers and operating systems. It improves on current languages targeting this space by having a number of compile-time safety checks that produce no runtime overhead,while eliminating all data races.\r\n\r\nSecurity Fix(es):\r\n\r\nlibgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2.(CVE-2024-24577)",
+    "cves": [
+      {
+        "id": "CVE-2024-24577",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24577",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1952": {
+    "id": "openEuler-SA-2023-1952",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1952",
+    "title": "An update for nodejs-tough-cookie is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Critical",
+    "description": ".\r\n\r\nSecurity Fix(es):\r\n\r\nVersions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.(CVE-2023-26136)",
+    "cves": [
+      {
+        "id": "CVE-2023-26136",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1639": {
+    "id": "openEuler-SA-2022-1639",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1639",
+    "title": "An update for OpenEXR is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light and Magic for use in computer imaging applications.\r\n\r\nSecurity Fix(es):\nOpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called from IlmThread_3_1::NullThreadPoolProvider::addTask and IlmThread_3_1::ThreadPool::addGlobalTask). NOTE: db217f2 may be inapplicable.(CVE-2021-45942)",
+    "cves": [
+      {
+        "id": "CVE-2021-45942",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45942",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1776": {
+    "id": "openEuler-SA-2024-1776",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1776",
+    "title": "An update for rubygem-actionview is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Simple, battle-tested conventions and helpers for building web pages.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Rails. rails-ujs may allow an attacker to perform Cross-Site Scripting (XSS), which could lead to stolen information, phishing attacks, and other types of attacks.(CVE-2023-23913)",
+    "cves": [
+      {
+        "id": "CVE-2023-23913",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23913",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1741": {
+    "id": "openEuler-SA-2022-1741",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1741",
+    "title": "An update for swtpm is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "TPM emulator built on libtpms providing TPM functionality for QEMU VMs\r\n\r\nSecurity Fix(es):\r\n\r\n** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2020-28407)",
+    "cves": [
+      {
+        "id": "CVE-2020-28407",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28407",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1905": {
+    "id": "openEuler-SA-2022-1905",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1905",
+    "title": "An update for samba is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Samba, GnuTLS gnutls_rnd() can fail and give predictable random values.(CVE-2022-1615)",
+    "cves": [
+      {
+        "id": "CVE-2022-1615",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1615",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1243": {
+    "id": "openEuler-SA-2024-1243",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1243",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: prevent mss overflow in skb_segment()\r\n\r\nOnce again syzbot is able to crash the kernel in skb_segment() [1]\r\n\r\nGSO_BY_FRAGS is a forbidden value, but unfortunately the following\ncomputation in skb_segment() can reach it quite easily :\r\n\r\n\tmss = mss * partial_segs;\r\n\r\n65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to\na bad final result.\r\n\r\nMake sure to limit segmentation so that the new mss value is smaller\nthan GSO_BY_FRAGS.\r\n\r\n[1]\r\n\r\ngeneral protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]\nCPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3cbdd0 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff\nR10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0\nR13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046\nFS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\nudp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109\nipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120\nskb_mac_gso_segment+0x290/0x610 net/core/gso.c:53\n__skb_gso_segment+0x339/0x710 net/core/gso.c:124\nskb_gso_segment include/net/gso.h:83 [inline]\nvalidate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626\n__dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\npacket_xmit+0x257/0x380 net/packet/af_packet.c:276\npacket_snd net/packet/af_packet.c:3087 [inline]\npacket_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0xd5/0x180 net/socket.c:745\n__sys_sendto+0x255/0x340 net/socket.c:2190\n__do_sys_sendto net/socket.c:2202 [inline]\n__se_sys_sendto net/socket.c:2198 [inline]\n__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7f8692032aa9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9\nRDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003\nRBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480\nR13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003\n</TASK>\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R0\n---truncated---(CVE-2023-52435)\r\n\r\nA race condition was found in the Linux kernel's sound/hda  device driver in snd_hdac_regmap_sync() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\r\n\r\n(CVE-2024-23196)",
+    "cves": [
+      {
+        "id": "CVE-2024-23196",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23196",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1101": {
+    "id": "openEuler-SA-2024-1101",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1101",
+    "title": "An update for apache-sshd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Apache SSHD is a 100% pure java library to support the SSH protocols on both the client and server side.\r\n\r\nSecurity Fix(es):\r\n\r\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795)",
+    "cves": [
+      {
+        "id": "CVE-2023-48795",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48795",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1262": {
+    "id": "openEuler-SA-2024-1262",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1262",
+    "title": "An update for stb is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "Single-file public domain libraries for C/C++.\r\n\r\nSecurity Fix(es):\r\n\r\nstb_image is a single file MIT licensed library for processing images.  It may look like `stbi__load_gif_main` doesn’t give guarantees about the content of output value `*delays` upon failure. Although it sets `*delays` to zero at the beginning, it doesn’t do it in case the image is not recognized as GIF and a call to `stbi__load_gif_main_outofmem` only frees possibly allocated memory in `*delays` without resetting it to zero. Thus it would be fair to say the caller of `stbi__load_gif_main` is responsible to free the allocated memory in `*delays` only if `stbi__load_gif_main` returns a non null value. However at the same time the function may return null value, but fail to free the memory in `*delays` if internally `stbi__convert_format` is called and fails. Thus the issue may lead to a memory leak if the caller chooses to free `delays` only when `stbi__load_gif_main` didn’t fail or to a double-free if the `delays` is always freed(CVE-2023-45666)\r\n\r\nstb_image is a single file MIT licensed library for processing images.\r\n\r\nIf `stbi__load_gif_main` in `stbi_load_gif_from_memory` fails it returns a null pointer and may keep the `z` variable uninitialized. In case the caller also sets the flip vertically flag, it continues and calls `stbi__vertical_flip_slices` with the null pointer result value and the uninitialized `z` value. This may result in a program crash.(CVE-2023-45667)",
+    "cves": [
+      {
+        "id": "CVE-2023-45667",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45667",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1338": {
+    "id": "openEuler-SA-2023-1338",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1338",
+    "title": "An update for cpio is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Low",
+    "description": "GNU cpio copies files into or out of a cpio or tar archive. The archive can be another file on the disk, a magnetic tape, or a pipe.\r\n\r\nSecurity Fix(es):\r\n\r\ncpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive.(CVE-2015-1197)",
+    "cves": [
+      {
+        "id": "CVE-2015-1197",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1197",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2030": {
+    "id": "openEuler-SA-2022-2030",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2030",
+    "title": "An update for libtasn1 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Libtasn1 is the ASN.1 library used by GnuTLS, p11-kit and some other packages.The goal of this implementation is to be highly portable, and only require an ANSI C99 platform.This library provides Abstract Syntax Notation One (ASN.1,as specified by the X.680 ITU-T recommendation) parsing and structures management,and Distinguished Encoding Rules (DER, as per X.690) encoding and decoding functions.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.(CVE-2021-46848)",
+    "cves": [
+      {
+        "id": "CVE-2021-46848",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46848",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1169": {
+    "id": "openEuler-SA-2024-1169",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1169",
+    "title": "An update for nodejs is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Node.js is an open-source, cross-platform, JavaScript runtime environment, it executes JavaScript code outside of a browser.\r\n\r\nSecurity Fix(es):\r\n\r\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.(CVE-2023-44487)",
+    "cves": [
+      {
+        "id": "CVE-2023-44487",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1782": {
+    "id": "openEuler-SA-2022-1782",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1782",
+    "title": "An update for jackson-databind is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "The general-purpose data-binding functionality and tree-model for Jackson Data Processor. It builds on core streaming parser/generator package, and uses Jackson Annotations for configuration.\r\n\r\nSecurity Fix(es):\r\n\r\nA Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.(CVE-2019-17531)",
+    "cves": [
+      {
+        "id": "CVE-2019-17531",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17531",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1636": {
+    "id": "openEuler-SA-2024-1636",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1636",
+    "title": "An update for mysql is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The MySQL(TM) software delivers a very fast, multi-threaded, multi-user, and robust SQL (Structured Query Language) database server. MySQL Server is intended for mission-critical, heavy-load production systems as well as for embedding into mass-deployed software. MySQL is a trademark of Oracle and/or its affiliates\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21087)",
+    "cves": [
+      {
+        "id": "CVE-2024-21087",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21087",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1715": {
+    "id": "openEuler-SA-2024-1715",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1715",
+    "title": "An update for libarchive is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3 and openEuler-24.03-LTS",
+    "severity": "High",
+    "description": "is an open-source BSD-licensed C programming library that  provides streaming access to a variety of different archive formats, including tar, cpio, pax, zip, and ISO9660 images. The distribution  also includes bsdtar and bsdcpio, full-featured implementations of  tar and cpio that use .\r\n\r\nSecurity Fix(es):\r\n\r\nWindows Libarchive Remote Code Execution Vulnerability(CVE-2024-20696)",
+    "cves": [
+      {
+        "id": "CVE-2024-20696",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20696",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1933": {
+    "id": "openEuler-SA-2023-1933",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1933",
+    "title": "An update for fish is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "fish is a fully-equipped command line shell (like bash or zsh) that is smart and user-friendly. fish supports powerful features like syntax highlighting, autosuggestions, and tab completions that just work, with nothing to learn or configure.\r\n\r\nSecurity Fix(es):\r\n\r\nfish is a smart and user-friendly command line shell for macOS, Linux, and the rest of the family. fish shell uses certain Unicode non-characters internally for marking wildcards and expansions. It will incorrectly allow these markers to be read on command substitution output, rather than transforming them into a safe internal representation. While this may cause unexpected behavior with direct input (for example, echo \\UFDD2HOME has the same output as echo $HOME), this may become a minor security problem if the output is being fed from an external program into a command substitution where this output may not be expected. This design flaw was introduced in very early versions of fish, predating the version control system, and is thought to be present in every version of fish released in the last 15 years or more, although with different characters. Code execution does not appear to be possible, but denial of service (through large brace expansion) or information disclosure (such as variable expansion) is potentially possible under certain circumstances. fish shell 3.6.2 has been released to correct this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-49284)",
+    "cves": [
+      {
+        "id": "CVE-2023-49284",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49284",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1518": {
+    "id": "openEuler-SA-2022-1518",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1518",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Go Programming Language.\r\n\r\nSecurity Fix(es):\r\n\r\nIn archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (Falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196.(CVE-2021-39293)",
+    "cves": [
+      {
+        "id": "CVE-2021-39293",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39293",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1512": {
+    "id": "openEuler-SA-2024-1512",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1512",
+    "title": "An update for mod_security is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "This software is also called Modsec,it is an open-source web application firewall. It is designed for Apache HTTP Server.ModSecurity is commonly deployed to provide protections against generic classed of vulnerabilities.The install of this package is easy and you can read the README.TXT for more information.\r\n\r\nSecurity Fix(es):\r\n\r\nIn ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase.(CVE-2022-48279)",
+    "cves": [
+      {
+        "id": "CVE-2022-48279",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48279",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1174": {
+    "id": "openEuler-SA-2021-1174",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1174",
+    "title": "An update for nodejs-underscore is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Underscore.js is a utility-belt library for JavaScript that provides support for the usual functional suspects (each, map, reduce, filter...) without extending any core JavaScript objects.\r\n\r\nSecurity Fix(es):\r\n\r\nThe package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.(CVE-2021-23358)",
+    "cves": [
+      {
+        "id": "CVE-2021-23358",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23358",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1345": {
+    "id": "openEuler-SA-2021-1345",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1345",
+    "title": "An update for git is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency.\n\nGit is easy to learn and has a tiny footprint with lightning fast performance. It outclasses SCM tools like Subversion, CVS, Perforce, and ClearCase with features like cheap local branching, convenient staging areas, and multiple workflows.\r\n\r\nSecurity Fix(es):\r\n\r\ngit_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring.(CVE-2021-40330)",
+    "cves": [
+      {
+        "id": "CVE-2021-40330",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40330",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1058": {
+    "id": "openEuler-SA-2023-1058",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1058",
+    "title": "An update for tomcat is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project\r\n\r\nSecurity Fix(es):\r\n\r\nIf Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.(CVE-2022-42252)",
+    "cves": [
+      {
+        "id": "CVE-2022-42252",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42252",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1644": {
+    "id": "openEuler-SA-2024-1644",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1644",
+    "title": "An update for skopeo is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "A command line utility that performs various operations on container images and image repositories\r\n\r\nSecurity Fix(es):\r\n\r\nPackage jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.\n(CVE-2024-28180)",
+    "cves": [
+      {
+        "id": "CVE-2024-28180",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28180",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1400": {
+    "id": "openEuler-SA-2024-1400",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1400",
+    "title": "An update for nodejs-qs is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "This is a query string parser for node and the browser supporting nesting, as it was removed from 0.3.x, so this library provides the previous and commonly desired behavior (and twice as fast). Used by express, connect and others.\r\n\r\nSecurity Fix(es):\r\n\r\nqs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).(CVE-2022-24999)",
+    "cves": [
+      {
+        "id": "CVE-2022-24999",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1832": {
+    "id": "openEuler-SA-2023-1832",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1832",
+    "title": "An update for open-vm-tools is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The  project is an open source implementation of VMware Tools. It is a suite of open source virtualization utilities and drivers to improve the functionality, user experience and administration of VMware virtual machines. This package contains only the core user-space programs and libraries of .\r\n\r\nSecurity Fix(es):\r\n\r\nVMware Tools contains a SAML token signature bypass vulnerability. A malicious actor that has been granted  Guest Operation Privileges https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html  in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged  Guest Alias https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html .(CVE-2023-34058)\r\n\r\nopen-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. A malicious actor with non-root privileges may be able to hijack the \n/dev/uinput file descriptor allowing them to simulate user inputs.(CVE-2023-34059)",
+    "cves": [
+      {
+        "id": "CVE-2023-34059",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34059",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1206": {
+    "id": "openEuler-SA-2023-1206",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1206",
+    "title": "An update for glib2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "GLib is a bundle of three (formerly five) low-level system libraries written in C and developed mainly by GNOME. GLib's code was separated from GTK, so it can be used by software other than GNOME and has been developed in parallel ever since.\r\n\r\nSecurity Fix(es):\r\n\r\n\nglib: DoS caused by malicious serialised variant(CVE-2023-25180)\r\n\r\n\nglib: DoS caused by handling a malicious text-form variant(CVE-2023-24593)",
+    "cves": [
+      {
+        "id": "CVE-2023-24593",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24593",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1774": {
+    "id": "openEuler-SA-2022-1774",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1774",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nThere are use-after-free vulnerabilities caused by timer handler in net/rose/rose_timer.c of linux that allow attackers to crash linux kernel without any privileges.(CVE-2022-2318)\r\n\r\nAn issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.(CVE-2022-34918)\r\n\r\nArm guests can cause Dom0 DoS via PV devices When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings. Updating of that rbtree is not always done completely with the related lock held, resulting in a small race window, which can be used by unprivileged guests via PV devices to cause inconsistencies of the rbtree. These inconsistencies can lead to Denial of Service (DoS) of dom0, e.g. by causing crashes or the inability to perform further mappings of other guests' memory pages.(CVE-2022-33744)\r\n\r\nLinux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).(CVE-2022-26365)\r\n\r\nLinux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).(CVE-2022-33740)\r\n\r\nLinux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).(CVE-2022-33741)\r\n\r\nLinux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).(CVE-2022-33742)\r\n\r\nnetwork backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed.(CVE-2022-33743)\n\nWhen setting font with malicous data by ioctl cmd PIO_FONT,kernel will write memory out of bounds.(CVE-2021-33656)",
+    "cves": [
+      {
+        "id": "CVE-2021-33656",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33656",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1190": {
+    "id": "openEuler-SA-2021-1190",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1190",
+    "title": "An update for python-jinja2 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Jinja2 is one of the most used template engines for Python. It is inspired by Django's templating system but extends it with an expressive language that gives template authors a more powerful set of tools. On top of that it adds sandboxed execution and optional automatic escaping for applications where security is important.\r\n\r\nSecurity Fix(es):\r\n\r\nThis affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.(CVE-2020-28493)",
+    "cves": [
+      {
+        "id": "CVE-2020-28493",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28493",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1447": {
+    "id": "openEuler-SA-2021-1447",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1447",
+    "title": "An update for busybox is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. It provides a fairly complete environment for any small or embedded system.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free in Busybox s awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function.(CVE-2021-42386)\r\n\r\nA NULL pointer dereference in Busybox s hush applet leads to denial of service when processing a crafted shell command, due to missing validation after a x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input.(CVE-2021-42376)",
+    "cves": [
+      {
+        "id": "CVE-2021-42376",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42376",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1672": {
+    "id": "openEuler-SA-2023-1672",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1672",
+    "title": "An update for firefox is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.\r\n\r\nSecurity Fix(es):\r\n\r\nSide-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to leak cross-origin data via a crafted HTML page.(CVE-2020-16012)\r\n\r\n(CVE-2020-26951)\r\n\r\n(CVE-2020-26953)\r\n\r\n(CVE-2020-26956)\r\n\r\n(CVE-2020-26958)\r\n\r\n(CVE-2020-26959)\r\n\r\n(CVE-2020-26960)\r\n\r\n(CVE-2020-26961)\r\n\r\n(CVE-2020-26965)",
+    "cves": [
+      {
+        "id": "CVE-2020-26965",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26965",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1534": {
+    "id": "openEuler-SA-2022-1534",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1534",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free vulnerability was found in rtsx_usb_ms_drv_remove in drivers/memstick/host/rtsx_usb_ms.c in memstick in the Linux kernel. In this flaw, a local attacker with a user privilege may impact system Confidentiality. This flaw affects kernel versions prior to 5.14 rc1.(CVE-2022-0487)\r\n\r\nA random memory access flaw was found in the Linux kernel’s GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allows a local user to crash the system or escalate their privileges on the system.(CVE-2022-0330)",
+    "cves": [
+      {
+        "id": "CVE-2022-0330",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0330",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1876": {
+    "id": "openEuler-SA-2022-1876",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1876",
+    "title": "An update for sqlite is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "SQLite is a C-language library that implements a small, fast, self-contained,high-reliability, full-featured, SQL database engine. SQLite is the most used database engine in the world. SQLite is built into all mobile phones and most computers and comes bundled inside countless other applications that people use every day.It also include lemon and sqlite3_analyzer and tcl tools.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was found in fts5UnicodeTokenize() in ext/fts5/fts5_tokenize.c in Sqlite. A unicode61 tokenizer configured to treat unicode \"control-characters\" (class Cc), was treating embedded nul characters as tokens. The issue was fixed in sqlite-3.34.0 and later.(CVE-2021-20223)",
+    "cves": [
+      {
+        "id": "CVE-2021-20223",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20223",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1926": {
+    "id": "openEuler-SA-2022-1926",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1926",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap-based buffer overflow was found in the Linux kernel s LightNVM subsystem. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. This vulnerability allows a local attacker to escalate privileges and execute arbitrary code in the context of the kernel. The attacker must first obtain the ability to execute high-privileged code on the target system to exploit this vulnerability.(CVE-2022-2991)\n\nA vulnerability was found in the Linux kernel, where accessing a deallocated instance in printer_ioctl() printer_ioctl() tries to access of a printer_dev instance. However, use-after-free arises because it had been freed by gprinter_free().(CVE-2020-27784)\n\nAn issue was discovered the x86 KVM subsystem in the Linux kernel before 5.18.17. Unprivileged guest users can compromise the guest kernel because TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED situations.(CVE-2022-39189)\n\nFound Linux Kernel flaw in the i740 driver. The Userspace program could pass any values to the driver through ioctl() interface. The driver doesn t check the value of pixclock , so it may cause a divide by zero error.(CVE-2022-3061)\n\nAn issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured.(CVE-2022-2663)\n\nAn issue was discovered in the Linux kernel before 5.19. In pxa3xx_gcu_write in drivers/video/fbdev/pxa3xx-gcu.c, the count parameter has a type conflict of size_t versus int, causing an integer overflow and bypassing the size check. After that, because it is used as the third argument to copy_from_user(), a heap overflow may occur.(CVE-2022-39842)\n\nAn issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs.(CVE-2022-39188)",
+    "cves": [
+      {
+        "id": "CVE-2022-39188",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39188",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1626": {
+    "id": "openEuler-SA-2024-1626",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1626",
+    "title": "An update for kubernetes is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Low",
+    "description": "Container cluster management.\r\n\r\nSecurity Fix(es):\r\n\r\nA security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.\r\n\r\n(CVE-2024-3177)",
+    "cves": [
+      {
+        "id": "CVE-2024-3177",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3177",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1362": {
+    "id": "openEuler-SA-2023-1362",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1362",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel before 6.2. The ntfs3 subsystem does not properly check for correctness during disk reads, leading to an out-of-bounds read in ntfs_set_ea in fs/ntfs3/xattr.c.(CVE-2022-48502)",
+    "cves": [
+      {
+        "id": "CVE-2022-48502",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48502",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1109": {
+    "id": "openEuler-SA-2021-1109",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1109",
+    "title": "An update for gnutls is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, and other required structures. The project strives to provide a secure communications back-end, simple to use and integrated with the rest of the base Linux libraries. A back-end designed to work and be secure out of the box, keeping the complexity of TLS and PKI out of application code.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.(CVE-2021-20231)\r\n\r\nA flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.(CVE-2021-20232)",
+    "cves": [
+      {
+        "id": "CVE-2021-20232",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20232",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1615": {
+    "id": "openEuler-SA-2024-1615",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1615",
+    "title": "An update for fdupes is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "FDUPES is a program for identifying duplicate files residing within specified directories.\r\n\r\nSecurity Fix(es):\r\n\r\nIn deletefiles in FDUPES before 2.2.0, a TOCTOU race condition allows arbitrary file deletion via a symlink.(CVE-2022-48682)",
+    "cves": [
+      {
+        "id": "CVE-2022-48682",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48682",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1929": {
+    "id": "openEuler-SA-2022-1929",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1929",
+    "title": "An update for grafana is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nGrafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot \"public_mode\" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot \"public_mode\" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.(CVE-2021-39226)\r\n\r\nGrafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files with the extension .md to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Users should upgrade to patched versions 8.3.2 or 7.5.12. For users who cannot upgrade, running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to also be able to handle url encoded paths. Alternatively, for fully lowercase or fully uppercase .md files, users can block /api/plugins/.*/markdown/.* without losing any functionality beyond inlined plugin help text.(CVE-2021-43813)",
+    "cves": [
+      {
+        "id": "CVE-2021-43813",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43813",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1572": {
+    "id": "openEuler-SA-2022-1572",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1572",
+    "title": "An update for polkit is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "polkit is a toolkit for defining and handling authorizations. It is used for allowing unprivileged processes to speak to privileged processes.\r\n\r\nSecurity Fix(es):\r\n\r\nThere is a flaw in polkit which can allow an unprivileged user to cause polkit to crash, due to process file descriptor exhaustion. The highest threat from this vulnerability is to availability. NOTE: Polkit process outage duration is tied to the failing process being reaped and a new one being spawned(CVE-2021-4115)",
+    "cves": [
+      {
+        "id": "CVE-2021-4115",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4115",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1681": {
+    "id": "openEuler-SA-2024-1681",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1681",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: handle the case of pci_channel_io_frozen only in amdgpu_pci_resume\r\n\r\nIn current code, when a PCI error state pci_channel_io_normal is detectd,\nit will report PCI_ERS_RESULT_CAN_RECOVER status to PCI driver, and PCI\ndriver will continue the execution of PCI resume callback report_resume by\npci_walk_bridge, and the callback will go into amdgpu_pci_resume\nfinally, where write lock is releasd unconditionally without acquiring\nsuch lock first. In this case, a deadlock will happen when other threads\nstart to acquire the read lock.\r\n\r\nTo fix this, add a member in amdgpu_device strucutre to cache\npci_channel_state, and only continue the execution in amdgpu_pci_resume\nwhen it's pci_channel_io_frozen.(CVE-2021-47421)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nptp: Fix possible memory leak in ptp_clock_register()\r\n\r\nI got memory leak as follows when doing fault injection test:\r\n\r\nunreferenced object 0xffff88800906c618 (size 8):\n  comm \"i2c-idt82p33931\", pid 4421, jiffies 4294948083 (age 13.188s)\n  hex dump (first 8 bytes):\n    70 74 70 30 00 00 00 00                          ptp0....\n  backtrace:\n    [<00000000312ed458>] __kmalloc_track_caller+0x19f/0x3a0\n    [<0000000079f6e2ff>] kvasprintf+0xb5/0x150\n    [<0000000026aae54f>] kvasprintf_const+0x60/0x190\n    [<00000000f323a5f7>] kobject_set_name_vargs+0x56/0x150\n    [<000000004e35abdd>] dev_set_name+0xc0/0x100\n    [<00000000f20cfe25>] ptp_clock_register+0x9f4/0xd30 [ptp]\n    [<000000008bb9f0de>] idt82p33_probe.cold+0x8b6/0x1561 [ptp_idt82p33]\r\n\r\nWhen posix_clock_register() returns an error, the name allocated\nin dev_set_name() will be leaked, the put_device() should be used\nto give up the device reference, then the name will be freed in\nkobject_cleanup() and other memory will be freed in ptp_clock_release().(CVE-2021-47455)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npinctrl: single: fix potential NULL dereference\r\n\r\nAdded checking of pointer \"function\" in pcs_set_mux().\npinmux_generic_get_function() can return NULL and the pointer\n\"function\" was dereferenced without checking against NULL.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2022-48708)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/tegra: dsi: Add missing check for of_find_device_by_node\r\n\r\nAdd check for the return value of of_find_device_by_node() and return\nthe error if it fails in order to avoid NULL pointer dereference.(CVE-2023-52650)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nio_uring: drop any code related to SCM_RIGHTS\r\n\r\nThis is dead code after we dropped support for passing io_uring fds\nover SCM_RIGHTS, get rid of it.(CVE-2023-52656)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: atlantic: eliminate double free in error handling logic\r\n\r\nDriver has a logic leak in ring data allocation/free,\nwhere aq_ring_free could be called multiple times on same ring,\nif system is under stress and got memory allocation error.\r\n\r\nRing pointer was used as an indicator of failure, but this is\nnot correct since only ring data is allocated/deallocated.\nRing itself is an array member.\r\n\r\nChanging ring allocation functions to return error code directly.\nThis simplifies error handling and eliminates aq_ring_free\non higher layer.(CVE-2023-52664)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nACPI: LPIT: Avoid u32 multiplication overflow\r\n\r\nIn lpit_update_residency() there is a possibility of overflow\nin multiplication, if tsc_khz is large enough (> UINT_MAX/1000).\r\n\r\nChange multiplication to mul_u32_u32().\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2023-52683)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncalipso: fix memory leak in netlbl_calipso_add_pass()\r\n\r\nIf IPv6 support is disabled at boot (ipv6.disable=1),\nthe calipso_init() -> netlbl_calipso_ops_register() function isn't called,\nand the netlbl_calipso_ops_get() function always returns NULL.\nIn this case, the netlbl_calipso_add_pass() function allocates memory\nfor the doi_def variable but doesn't free it with the calipso_doi_free().\r\n\r\nBUG: memory leak\nunreferenced object 0xffff888011d68180 (size 64):\n  comm \"syz-executor.1\", pid 10746, jiffies 4295410986 (age 17.928s)\n  hex dump (first 32 bytes):\n    00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<...>] kmalloc include/linux/slab.h:552 [inline]\n    [<...>] netlbl_calipso_add_pass net/netlabel/netlabel_calipso.c:76 [inline]\n    [<...>] netlbl_calipso_add+0x22e/0x4f0 net/netlabel/netlabel_calipso.c:111\n    [<...>] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739\n    [<...>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n    [<...>] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800\n    [<...>] netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2515\n    [<...>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:811\n    [<...>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n    [<...>] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1339\n    [<...>] netlink_sendmsg+0x90a/0xdf0 net/netlink/af_netlink.c:1934\n    [<...>] sock_sendmsg_nosec net/socket.c:651 [inline]\n    [<...>] sock_sendmsg+0x157/0x190 net/socket.c:671\n    [<...>] ____sys_sendmsg+0x712/0x870 net/socket.c:2342\n    [<...>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2396\n    [<...>] __sys_sendmsg+0xea/0x1b0 net/socket.c:2429\n    [<...>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46\n    [<...>] entry_SYSCALL_64_after_hwframe+0x61/0xc6\r\n\r\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller\r\n\r\n[PM: merged via the LSM tree at Jakub Kicinski request](CVE-2023-52698)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/jfs: Add validity check for db_maxag and db_agpref\r\n\r\nBoth db_maxag and db_agpref are used as the index of the\ndb_agfree array, but there is currently no validity check for\ndb_maxag and db_agpref, which can lead to errors.\r\n\r\nThe following is related bug reported by Syzbot:\r\n\r\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:639:20\nindex 7936 is out of range for type 'atomic_t[128]'\r\n\r\nAdd checking that the values of db_maxag and db_agpref are valid\nindexes for the db_agfree array.(CVE-2023-52804)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: pcrypt - Fix hungtask for PADATA_RESET\r\n\r\nWe found a hungtask bug in test_aead_vec_cfg as follows:\r\n\r\nINFO: task cryptomgr_test:391009 blocked for more than 120 seconds.\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\nCall trace:\n __switch_to+0x98/0xe0\n __schedule+0x6c4/0xf40\n schedule+0xd8/0x1b4\n schedule_timeout+0x474/0x560\n wait_for_common+0x368/0x4e0\n wait_for_completion+0x20/0x30\n wait_for_completion+0x20/0x30\n test_aead_vec_cfg+0xab4/0xd50\n test_aead+0x144/0x1f0\n alg_test_aead+0xd8/0x1e0\n alg_test+0x634/0x890\n cryptomgr_test+0x40/0x70\n kthread+0x1e0/0x220\n ret_from_fork+0x10/0x18\n Kernel panic - not syncing: hung_task: blocked tasks\r\n\r\nFor padata_do_parallel, when the return err is 0 or -EBUSY, it will call\nwait_for_completion(&wait->completion) in test_aead_vec_cfg. In normal\ncase, aead_request_complete() will be called in pcrypt_aead_serial and the\nreturn err is 0 for padata_do_parallel. But, when pinst->flags is\nPADATA_RESET, the return err is -EBUSY for padata_do_parallel, and it\nwon't call aead_request_complete(). Therefore, test_aead_vec_cfg will\nhung at wait_for_completion(&wait->completion), which will cause\nhungtask.\r\n\r\nThe problem comes as following:\n(padata_do_parallel)                 |\n    rcu_read_lock_bh();              |\n    err = -EINVAL;                   |   (padata_replace)\n                                     |     pinst->flags |= PADATA_RESET;\n    err = -EBUSY                     |\n    if (pinst->flags & PADATA_RESET) |\n        rcu_read_unlock_bh()         |\n        return err\r\n\r\nIn order to resolve the problem, we replace the return err -EBUSY with\n-EAGAIN, which means parallel_data is changing, and the caller should call\nit again.\r\n\r\nv3:\nremove retry and just change the return err.\nv2:\nintroduce padata_try_do_parallel() in pcrypt_aead_encrypt and\npcrypt_aead_decrypt to solve the hungtask.(CVE-2023-52813)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL\r\n\r\nIn certain types of chips, such as VEGA20, reading the amdgpu_regs_smc file could result in an abnormal null pointer access when the smc_rreg pointer is NULL. Below are the steps to reproduce this issue and the corresponding exception log:\r\n\r\n1. Navigate to the directory: /sys/kernel/debug/dri/0\n2. Execute command: cat amdgpu_regs_smc\n3. Exception Log::\n[4005007.702554] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[4005007.702562] #PF: supervisor instruction fetch in kernel mode\n[4005007.702567] #PF: error_code(0x0010) - not-present page\n[4005007.702570] PGD 0 P4D 0\n[4005007.702576] Oops: 0010 [#1] SMP NOPTI\n[4005007.702581] CPU: 4 PID: 62563 Comm: cat Tainted: G           OE     5.15.0-43-generic #46-Ubunt       u\n[4005007.702590] RIP: 0010:0x0\n[4005007.702598] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.\n[4005007.702600] RSP: 0018:ffffa82b46d27da0 EFLAGS: 00010206\n[4005007.702605] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffa82b46d27e68\n[4005007.702609] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9940656e0000\n[4005007.702612] RBP: ffffa82b46d27dd8 R08: 0000000000000000 R09: ffff994060c07980\n[4005007.702615] R10: 0000000000020000 R11: 0000000000000000 R12: 00007f5e06753000\n[4005007.702618] R13: ffff9940656e0000 R14: ffffa82b46d27e68 R15: 00007f5e06753000\n[4005007.702622] FS:  00007f5e0755b740(0000) GS:ffff99479d300000(0000) knlGS:0000000000000000\n[4005007.702626] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[4005007.702629] CR2: ffffffffffffffd6 CR3: 00000003253fc000 CR4: 00000000003506e0\n[4005007.702633] Call Trace:\n[4005007.702636]  <TASK>\n[4005007.702640]  amdgpu_debugfs_regs_smc_read+0xb0/0x120 [amdgpu]\n[4005007.703002]  full_proxy_read+0x5c/0x80\n[4005007.703011]  vfs_read+0x9f/0x1a0\n[4005007.703019]  ksys_read+0x67/0xe0\n[4005007.703023]  __x64_sys_read+0x19/0x20\n[4005007.703028]  do_syscall_64+0x5c/0xc0\n[4005007.703034]  ? do_user_addr_fault+0x1e3/0x670\n[4005007.703040]  ? exit_to_user_mode_prepare+0x37/0xb0\n[4005007.703047]  ? irqentry_exit_to_user_mode+0x9/0x20\n[4005007.703052]  ? irqentry_exit+0x19/0x30\n[4005007.703057]  ? exc_page_fault+0x89/0x160\n[4005007.703062]  ? asm_exc_page_fault+0x8/0x30\n[4005007.703068]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[4005007.703075] RIP: 0033:0x7f5e07672992\n[4005007.703079] Code: c0 e9 b2 fe ff ff 50 48 8d 3d fa b2 0c 00 e8 c5 1d 02 00 0f 1f 44 00 00 f3 0f        1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 e       c 28 48 89 54 24\n[4005007.703083] RSP: 002b:00007ffe03097898 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[4005007.703088] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5e07672992\n[4005007.703091] RDX: 0000000000020000 RSI: 00007f5e06753000 RDI: 0000000000000003\n[4005007.703094] RBP: 00007f5e06753000 R08: 00007f5e06752010 R09: 00007f5e06752010\n[4005007.703096] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000022000\n[4005007.703099] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000\n[4005007.703105]  </TASK>\n[4005007.703107] Modules linked in: nf_tables libcrc32c nfnetlink algif_hash af_alg binfmt_misc nls_       iso8859_1 ipmi_ssif ast intel_rapl_msr intel_rapl_common drm_vram_helper drm_ttm_helper amd64_edac t       tm edac_mce_amd kvm_amd ccp mac_hid k10temp kvm acpi_ipmi ipmi_si rapl sch_fq_codel ipmi_devintf ipm       i_msghandler msr parport_pc ppdev lp parport mtd pstore_blk efi_pstore ramoops pstore_zone reed_solo       mon ip_tables x_tables autofs4 ib_uverbs ib_core amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) iommu_v       2 amd_sched(OE) amdkcl(OE) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec rc_core        drm igb ahci xhci_pci libahci i2c_piix4 i2c_algo_bit xhci_pci_renesas dca\n[4005007.703184] CR2: 0000000000000000\n[4005007.703188] ---[ en\n---truncated---(CVE-2023-52817)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nperf/core: Bail out early if the request AUX area is out of bound\r\n\r\nWhen perf-record with a large AUX area, e.g 4GB, it fails with:\r\n\r\n    #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1\n    failed to mmap with 12 (Cannot allocate memory)\r\n\r\nand it reveals a WARNING with __alloc_pages():\r\n\r\n\t------------[ cut here ]------------\n\tWARNING: CPU: 44 PID: 17573 at mm/page_alloc.c:5568 __alloc_pages+0x1ec/0x248\n\tCall trace:\n\t __alloc_pages+0x1ec/0x248\n\t __kmalloc_large_node+0xc0/0x1f8\n\t __kmalloc_node+0x134/0x1e8\n\t rb_alloc_aux+0xe0/0x298\n\t perf_mmap+0x440/0x660\n\t mmap_region+0x308/0x8a8\n\t do_mmap+0x3c0/0x528\n\t vm_mmap_pgoff+0xf4/0x1b8\n\t ksys_mmap_pgoff+0x18c/0x218\n\t __arm64_sys_mmap+0x38/0x58\n\t invoke_syscall+0x50/0x128\n\t el0_svc_common.constprop.0+0x58/0x188\n\t do_el0_svc+0x34/0x50\n\t el0_svc+0x34/0x108\n\t el0t_64_sync_handler+0xb8/0xc0\n\t el0t_64_sync+0x1a4/0x1a8\r\n\r\n'rb->aux_pages' allocated by kcalloc() is a pointer array which is used to\nmaintains AUX trace pages. The allocated page for this array is physically\ncontiguous (and virtually contiguous) with an order of 0..MAX_ORDER. If the\nsize of pointer array crosses the limitation set by MAX_ORDER, it reveals a\nWARNING.\r\n\r\nSo bail out early with -ENOMEM if the request AUX area is out of bound,\ne.g.:\r\n\r\n    #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1\n    failed to mmap with 12 (Cannot allocate memory)(CVE-2023-52835)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnbd: fix uaf in nbd_open\r\n\r\nCommit 4af5f2e03013 (\"nbd: use blk_mq_alloc_disk and\nblk_cleanup_disk\") cleans up disk by blk_cleanup_disk() and it won't set\ndisk->private_data as NULL as before. UAF may be triggered in nbd_open()\nif someone tries to open nbd device right after nbd_put() since nbd has\nbeen free in nbd_dev_remove().\r\n\r\nFix this by implementing ->free_disk and free private data in it.(CVE-2023-52837)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: vidtv: psi: Add check for kstrdup\r\n\r\nAdd check for the return value of kstrdup() and return the error\nif it fails in order to avoid NULL pointer dereference.(CVE-2023-52844)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrivers/perf: hisi: use cpuhp_state_remove_instance_nocalls() for hisi_hns3_pmu uninit process\r\n\r\nWhen tearing down a 'hisi_hns3' PMU, we mistakenly run the CPU hotplug\ncallbacks after the device has been unregistered, leading to fireworks\nwhen we try to execute empty function callbacks within the driver:\r\n\r\n  | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n  | CPU: 0 PID: 15 Comm: cpuhp/0 Tainted: G        W  O      5.12.0-rc4+ #1\n  | Hardware name:  , BIOS KpxxxFPGA 1P B600 V143 04/22/2021\n  | pstate: 80400009 (Nzcv daif +PAN -UAO -TCO BTYPE=--)\n  | pc : perf_pmu_migrate_context+0x98/0x38c\n  | lr : perf_pmu_migrate_context+0x94/0x38c\n  |\n  | Call trace:\n  |  perf_pmu_migrate_context+0x98/0x38c\n  |  hisi_hns3_pmu_offline_cpu+0x104/0x12c [hisi_hns3_pmu]\r\n\r\nUse cpuhp_state_remove_instance_nocalls() instead of\ncpuhp_state_remove_instance() so that the notifiers don't execute after\nthe PMU device has been unregistered.\r\n\r\n[will: Rewrote commit message](CVE-2023-52860)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/radeon: possible buffer overflow\r\n\r\nBuffer 'afmt_status' of size 6 could overflow, since index 'afmt_idx' is\nchecked after access.(CVE-2023-52867)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntracing: Have trace_event_file have ref counters\r\n\r\nThe following can crash the kernel:\r\n\r\n # cd /sys/kernel/tracing\n # echo 'p:sched schedule' > kprobe_events\n # exec 5>>events/kprobes/sched/enable\n # > kprobe_events\n # exec 5>&-\r\n\r\nThe above commands:\r\n\r\n 1. Change directory to the tracefs directory\n 2. Create a kprobe event (doesn't matter what one)\n 3. Open bash file descriptor 5 on the enable file of the kprobe event\n 4. Delete the kprobe event (removes the files too)\n 5. Close the bash file descriptor 5\r\n\r\nThe above causes a crash!\r\n\r\n BUG: kernel NULL pointer dereference, address: 0000000000000028\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n RIP: 0010:tracing_release_file_tr+0xc/0x50\r\n\r\nWhat happens here is that the kprobe event creates a trace_event_file\n\"file\" descriptor that represents the file in tracefs to the event. It\nmaintains state of the event (is it enabled for the given instance?).\nOpening the \"enable\" file gets a reference to the event \"file\" descriptor\nvia the open file descriptor. When the kprobe event is deleted, the file is\nalso deleted from the tracefs system which also frees the event \"file\"\ndescriptor.\r\n\r\nBut as the tracefs file is still opened by user space, it will not be\ntotally removed until the final dput() is called on it. But this is not\ntrue with the event \"file\" descriptor that is already freed. If the user\ndoes a write to or simply closes the file descriptor it will reference the\nevent \"file\" descriptor that was just freed, causing a use-after-free bug.\r\n\r\nTo solve this, add a ref count to the event \"file\" descriptor as well as a\nnew flag called \"FREED\". The \"file\" will not be freed until the last\nreference is released. But the FREE flag will be set when the event is\nremoved to prevent any more modifications to that event from happening,\neven if there's still a reference to the event \"file\" descriptor.(CVE-2023-52879)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmmc: mmci: stm32: fix DMA API overlapping mappings warning\r\n\r\nTurning on CONFIG_DMA_API_DEBUG_SG results in the following warning:\r\n\r\nDMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST,\noverlapping mappings aren't supported\nWARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568\nadd_dma_entry+0x234/0x2f4\nModules linked in:\nCPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1\nHardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT)\nWorkqueue: events_freezable mmc_rescan\nCall trace:\nadd_dma_entry+0x234/0x2f4\ndebug_dma_map_sg+0x198/0x350\n__dma_map_sg_attrs+0xa0/0x110\ndma_map_sg_attrs+0x10/0x2c\nsdmmc_idma_prep_data+0x80/0xc0\nmmci_prep_data+0x38/0x84\nmmci_start_data+0x108/0x2dc\nmmci_request+0xe4/0x190\n__mmc_start_request+0x68/0x140\nmmc_start_request+0x94/0xc0\nmmc_wait_for_req+0x70/0x100\nmmc_send_tuning+0x108/0x1ac\nsdmmc_execute_tuning+0x14c/0x210\nmmc_execute_tuning+0x48/0xec\nmmc_sd_init_uhs_card.part.0+0x208/0x464\nmmc_sd_init_card+0x318/0x89c\nmmc_attach_sd+0xe4/0x180\nmmc_rescan+0x244/0x320\r\n\r\nDMA API debug brings to light leaking dma-mappings as dma_map_sg and\ndma_unmap_sg are not correctly balanced.\r\n\r\nIf an error occurs in mmci_cmd_irq function, only mmci_dma_error\nfunction is called and as this API is not managed on stm32 variant,\ndma_unmap_sg is never called in this error path.(CVE-2024-26787)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: Avoid potential use-after-free in hci_error_reset\r\n\r\nWhile handling the HCI_EV_HARDWARE_ERROR event, if the underlying\nBT controller is not responding, the GPIO reset mechanism would\nfree the hci_dev and lead to a use-after-free in hci_error_reset.\r\n\r\nHere's the call trace observed on a ChromeOS device with Intel AX201:\n   queue_work_on+0x3e/0x6c\n   __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth <HASH:3b4a6>]\n   ? init_wait_entry+0x31/0x31\n   __hci_cmd_sync+0x16/0x20 [bluetooth <HASH:3b4a 6>]\n   hci_error_reset+0x4f/0xa4 [bluetooth <HASH:3b4a 6>]\n   process_one_work+0x1d8/0x33f\n   worker_thread+0x21b/0x373\n   kthread+0x13a/0x152\n   ? pr_cont_work+0x54/0x54\n   ? kthread_blkcg+0x31/0x31\n    ret_from_fork+0x1f/0x30\r\n\r\nThis patch holds the reference count on the hci_dev while processing\na HCI_EV_HARDWARE_ERROR event to avoid potential crash.(CVE-2024-26801)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/fsl-mc: Block calling interrupt handler without trigger\r\n\r\nThe eventfd_ctx trigger pointer of the vfio_fsl_mc_irq object is\ninitially NULL and may become NULL if the user sets the trigger\neventfd to -1.  The interrupt handler itself is guaranteed that\ntrigger is always valid between request_irq() and free_irq(), but\nthe loopback testing mechanisms to invoke the handler function\nneed to test the trigger.  The triggering and setting ioctl paths\nboth make use of igate and are therefore mutually exclusive.\r\n\r\nThe vfio-fsl-mc driver does not make use of irqfds, nor does it\nsupport any sort of masking operations, therefore unlike vfio-pci\nand vfio-platform, the flow can remain essentially unchanged.(CVE-2024-26814)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: hns3: fix kernel crash when 1588 is received on HIP08 devices\r\n\r\nThe HIP08 devices does not register the ptp devices, so the\nhdev->ptp is NULL, but the hardware can receive 1588 messages,\nand set the HNS3_RXD_TS_VLD_B bit, so, if match this case, the\naccess of hdev->ptp->flags will cause a kernel crash:\r\n\r\n[ 5888.946472] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018\n[ 5888.946475] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018\n...\n[ 5889.266118] pc : hclge_ptp_get_rx_hwts+0x40/0x170 [hclge]\n[ 5889.272612] lr : hclge_ptp_get_rx_hwts+0x34/0x170 [hclge]\n[ 5889.279101] sp : ffff800012c3bc50\n[ 5889.283516] x29: ffff800012c3bc50 x28: ffff2040002be040\n[ 5889.289927] x27: ffff800009116484 x26: 0000000080007500\n[ 5889.296333] x25: 0000000000000000 x24: ffff204001c6f000\n[ 5889.302738] x23: ffff204144f53c00 x22: 0000000000000000\n[ 5889.309134] x21: 0000000000000000 x20: ffff204004220080\n[ 5889.315520] x19: ffff204144f53c00 x18: 0000000000000000\n[ 5889.321897] x17: 0000000000000000 x16: 0000000000000000\n[ 5889.328263] x15: 0000004000140ec8 x14: 0000000000000000\n[ 5889.334617] x13: 0000000000000000 x12: 00000000010011df\n[ 5889.340965] x11: bbfeff4d22000000 x10: 0000000000000000\n[ 5889.347303] x9 : ffff800009402124 x8 : 0200f78811dfbb4d\n[ 5889.353637] x7 : 2200000000191b01 x6 : ffff208002a7d480\n[ 5889.359959] x5 : 0000000000000000 x4 : 0000000000000000\n[ 5889.366271] x3 : 0000000000000000 x2 : 0000000000000000\n[ 5889.372567] x1 : 0000000000000000 x0 : ffff20400095c080\n[ 5889.378857] Call trace:\n[ 5889.382285] hclge_ptp_get_rx_hwts+0x40/0x170 [hclge]\n[ 5889.388304] hns3_handle_bdinfo+0x324/0x410 [hns3]\n[ 5889.394055] hns3_handle_rx_bd+0x60/0x150 [hns3]\n[ 5889.399624] hns3_clean_rx_ring+0x84/0x170 [hns3]\n[ 5889.405270] hns3_nic_common_poll+0xa8/0x220 [hns3]\n[ 5889.411084] napi_poll+0xcc/0x264\n[ 5889.415329] net_rx_action+0xd4/0x21c\n[ 5889.419911] __do_softirq+0x130/0x358\n[ 5889.424484] irq_exit+0x134/0x154\n[ 5889.428700] __handle_domain_irq+0x88/0xf0\n[ 5889.433684] gic_handle_irq+0x78/0x2c0\n[ 5889.438319] el1_irq+0xb8/0x140\n[ 5889.442354] arch_cpu_idle+0x18/0x40\n[ 5889.446816] default_idle_call+0x5c/0x1c0\n[ 5889.451714] cpuidle_idle_call+0x174/0x1b0\n[ 5889.456692] do_idle+0xc8/0x160\n[ 5889.460717] cpu_startup_entry+0x30/0xfc\n[ 5889.465523] secondary_start_kernel+0x158/0x1ec\n[ 5889.470936] Code: 97ffab78 f9411c14 91408294 f9457284 (f9400c80)\n[ 5889.477950] SMP: stopping secondary CPUs\n[ 5890.514626] SMP: failed to stop secondary CPUs 0-69,71-95\n[ 5890.522951] Starting crashdump kernel...(CVE-2024-26881)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\naf_unix: Fix garbage collector racing against connect()\r\n\r\nGarbage collector does not take into account the risk of embryo getting\nenqueued during the garbage collection. If such embryo has a peer that\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\ndifferent set of children. Leading to an incorrectly elevated inflight\ncount, and then a dangling pointer within the gc_inflight_list.\r\n\r\nsockets are AF_UNIX/SOCK_STREAM\nS is an unconnected socket\nL is a listening in-flight socket bound to addr, not in fdtable\nV's fd will be passed via sendmsg(), gets inflight count bumped\r\n\r\nconnect(S, addr)\tsendmsg(S, [V]); close(V)\t__unix_gc()\n----------------\t-------------------------\t-----------\r\n\r\nNS = unix_create1()\nskb1 = sock_wmalloc(NS)\nL = unix_find_other(addr)\nunix_state_lock(L)\nunix_peer(S) = NS\n\t\t\t// V count=1 inflight=0\r\n\r\n \t\t\tNS = unix_peer(S)\n \t\t\tskb2 = sock_alloc()\n\t\t\tskb_queue_tail(NS, skb2[V])\r\n\r\n\t\t\t// V became in-flight\n\t\t\t// V count=2 inflight=1\r\n\r\n\t\t\tclose(V)\r\n\r\n\t\t\t// V count=1 inflight=1\n\t\t\t// GC candidate condition met\r\n\r\n\t\t\t\t\t\tfor u in gc_inflight_list:\n\t\t\t\t\t\t  if (total_refs == inflight_refs)\n\t\t\t\t\t\t    add u to gc_candidates\r\n\r\n\t\t\t\t\t\t// gc_candidates={L, V}\r\n\r\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  scan_children(u, dec_inflight)\r\n\r\n\t\t\t\t\t\t// embryo (skb1) was not\n\t\t\t\t\t\t// reachable from L yet, so V's\n\t\t\t\t\t\t// inflight remains unchanged\n__skb_queue_tail(L, skb1)\nunix_state_unlock(L)\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  if (u.inflight)\n\t\t\t\t\t\t    scan_children(u, inc_inflight_move_tail)\r\n\r\n\t\t\t\t\t\t// V count=1 inflight=2 (!)\r\n\r\nIf there is a GC-candidate listening socket, lock/unlock its state. This\nmakes GC wait until the end of any ongoing connect() to that socket. After\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\nthis point, unix_inflight() can not happen because unix_gc_lock is already\ntaken. Inflight graph remains unaffected.(CVE-2024-26923)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwireguard: netlink: access device through ctx instead of peer\r\n\r\nThe previous commit fixed a bug that led to a NULL peer->device being\ndereferenced. It's actually easier and faster performance-wise to\ninstead get the device from ctx->wg. This semantically makes more sense\ntoo, since ctx->wg->peer_allowedips.seq is compared with\nctx->allowedips_seq, basing them both in ctx. This also acts as a\ndefence in depth provision against freed peers.(CVE-2024-26950)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfs: fix UAF in direct writes\r\n\r\nIn production we have been hitting the following warning consistently\r\n\r\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0\nWorkqueue: nfsiod nfs_direct_write_schedule_work [nfs]\nRIP: 0010:refcount_warn_saturate+0x9c/0xe0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? __warn+0x9f/0x130\n ? refcount_warn_saturate+0x9c/0xe0\n ? report_bug+0xcc/0x150\n ? handle_bug+0x3d/0x70\n ? exc_invalid_op+0x16/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? refcount_warn_saturate+0x9c/0xe0\n nfs_direct_write_schedule_work+0x237/0x250 [nfs]\n process_one_work+0x12f/0x4a0\n worker_thread+0x14e/0x3b0\n ? ZSTD_getCParams_internal+0x220/0x220\n kthread+0xdc/0x120\n ? __btf_name_valid+0xa0/0xa0\n ret_from_fork+0x1f/0x30\r\n\r\nThis is because we're completing the nfs_direct_request twice in a row.\r\n\r\nThe source of this is when we have our commit requests to submit, we\nprocess them and send them off, and then in the completion path for the\ncommit requests we have\r\n\r\nif (nfs_commit_end(cinfo.mds))\n\tnfs_direct_write_complete(dreq);\r\n\r\nHowever since we're submitting asynchronous requests we sometimes have\none that completes before we submit the next one, so we end up calling\ncomplete on the nfs_direct_request twice.\r\n\r\nThe only other place we use nfs_generic_commit_list() is in\n__nfs_commit_inode, which wraps this call in a\r\n\r\nnfs_commit_begin();\nnfs_commit_end();\r\n\r\nWhich is a common pattern for this style of completion handling, one\nthat is also repeated in the direct code with get_dreq()/put_dreq()\ncalls around where we process events as well as in the completion paths.\r\n\r\nFix this by using the same pattern for the commit requests.\r\n\r\nBefore with my 200 node rocksdb stress running this warning would pop\nevery 10ish minutes.  With my patch the stress test has been running for\nseveral hours without popping.(CVE-2024-26958)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmac802154: fix llsec key resources release in mac802154_llsec_key_del\r\n\r\nmac802154_llsec_key_del() can free resources of a key directly without\nfollowing the RCU rules for waiting before the end of a grace period. This\nmay lead to use-after-free in case llsec_lookup_key() is traversing the\nlist of keys in parallel with a key deletion:\r\n\r\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0\nModules linked in:\nCPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x162/0x2a0\nCall Trace:\n <TASK>\n llsec_lookup_key.isra.0+0x890/0x9e0\n mac802154_llsec_encrypt+0x30c/0x9c0\n ieee802154_subif_start_xmit+0x24/0x1e0\n dev_hard_start_xmit+0x13e/0x690\n sch_direct_xmit+0x2ae/0xbc0\n __dev_queue_xmit+0x11dd/0x3c20\n dgram_sendmsg+0x90b/0xd60\n __sys_sendto+0x466/0x4c0\n __x64_sys_sendto+0xe0/0x1c0\n do_syscall_64+0x45/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\nAlso, ieee802154_llsec_key_entry structures are not freed by\nmac802154_llsec_key_del():\r\n\r\nunreferenced object 0xffff8880613b6980 (size 64):\n  comm \"iwpan\", pid 2176, jiffies 4294761134 (age 60.475s)\n  hex dump (first 32 bytes):\n    78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de  x.......\".......\n    00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00  ................\n  backtrace:\n    [<ffffffff81dcfa62>] __kmem_cache_alloc_node+0x1e2/0x2d0\n    [<ffffffff81c43865>] kmalloc_trace+0x25/0xc0\n    [<ffffffff88968b09>] mac802154_llsec_key_add+0xac9/0xcf0\n    [<ffffffff8896e41a>] ieee802154_add_llsec_key+0x5a/0x80\n    [<ffffffff8892adc6>] nl802154_add_llsec_key+0x426/0x5b0\n    [<ffffffff86ff293e>] genl_family_rcv_msg_doit+0x1fe/0x2f0\n    [<ffffffff86ff46d1>] genl_rcv_msg+0x531/0x7d0\n    [<ffffffff86fee7a9>] netlink_rcv_skb+0x169/0x440\n    [<ffffffff86ff1d88>] genl_rcv+0x28/0x40\n    [<ffffffff86fec15c>] netlink_unicast+0x53c/0x820\n    [<ffffffff86fecd8b>] netlink_sendmsg+0x93b/0xe60\n    [<ffffffff86b91b35>] ____sys_sendmsg+0xac5/0xca0\n    [<ffffffff86b9c3dd>] ___sys_sendmsg+0x11d/0x1c0\n    [<ffffffff86b9c65a>] __sys_sendmsg+0xfa/0x1d0\n    [<ffffffff88eadbf5>] do_syscall_64+0x45/0xf0\n    [<ffffffff890000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\nHandle the proper resource release in the RCU callback function\nmac802154_llsec_key_del_rcu().\r\n\r\nNote that if llsec_lookup_key() finds a key, it gets a refcount via\nllsec_key_get() and locally copies key id from key_entry (which is a\nlist element). So it's safe to call llsec_key_put() and free the list\nentry after the RCU grace period elapses.\r\n\r\nFound by Linux Verification Center (linuxtesting.org).(CVE-2024-26961)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: qcom: mmcc-msm8974: fix terminating of frequency table arrays\r\n\r\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\r\n\r\nOnly compile tested.(CVE-2024-26965)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: Always flush async #PF workqueue when vCPU is being destroyed\r\n\r\nAlways flush the per-vCPU async #PF workqueue when a vCPU is clearing its\ncompletion queue, e.g. when a VM and all its vCPUs is being destroyed.\nKVM must ensure that none of its workqueue callbacks is running when the\nlast reference to the KVM _module_ is put.  Gifting a reference to the\nassociated VM prevents the workqueue callback from dereferencing freed\nvCPU/VM memory, but does not prevent the KVM module from being unloaded\nbefore the callback completes.\r\n\r\nDrop the misguided VM refcount gifting, as calling kvm_put_kvm() from\nasync_pf_execute() if kvm_put_kvm() flushes the async #PF workqueue will\nresult in deadlock.  async_pf_execute() can't return until kvm_put_kvm()\nfinishes, and kvm_put_kvm() can't return until async_pf_execute() finishes:\r\n\r\n WARNING: CPU: 8 PID: 251 at virt/kvm/kvm_main.c:1435 kvm_put_kvm+0x2d/0x320 [kvm]\n Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel kvm irqbypass\n CPU: 8 PID: 251 Comm: kworker/8:1 Tainted: G        W          6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n Workqueue: events async_pf_execute [kvm]\n RIP: 0010:kvm_put_kvm+0x2d/0x320 [kvm]\n Call Trace:\n  <TASK>\n  async_pf_execute+0x198/0x260 [kvm]\n  process_one_work+0x145/0x2d0\n  worker_thread+0x27e/0x3a0\n  kthread+0xba/0xe0\n  ret_from_fork+0x2d/0x50\n  ret_from_fork_asm+0x11/0x20\n  </TASK>\n ---[ end trace 0000000000000000 ]---\n INFO: task kworker/8:1:251 blocked for more than 120 seconds.\n       Tainted: G        W          6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/8:1     state:D stack:0     pid:251   ppid:2      flags:0x00004000\n Workqueue: events async_pf_execute [kvm]\n Call Trace:\n  <TASK>\n  __schedule+0x33f/0xa40\n  schedule+0x53/0xc0\n  schedule_timeout+0x12a/0x140\n  __wait_for_common+0x8d/0x1d0\n  __flush_work.isra.0+0x19f/0x2c0\n  kvm_clear_async_pf_completion_queue+0x129/0x190 [kvm]\n  kvm_arch_destroy_vm+0x78/0x1b0 [kvm]\n  kvm_put_kvm+0x1c1/0x320 [kvm]\n  async_pf_execute+0x198/0x260 [kvm]\n  process_one_work+0x145/0x2d0\n  worker_thread+0x27e/0x3a0\n  kthread+0xba/0xe0\n  ret_from_fork+0x2d/0x50\n  ret_from_fork_asm+0x11/0x20\n  </TASK>\r\n\r\nIf kvm_clear_async_pf_completion_queue() actually flushes the workqueue,\nthen there's no need to gift async_pf_execute() a reference because all\ninvocations of async_pf_execute() will be forced to complete before the\nvCPU and its VM are destroyed/freed.  And that in turn fixes the module\nunloading bug as __fput() won't do module_put() on the last vCPU reference\nuntil the vCPU has been freed, e.g. if closing the vCPU file also puts the\nlast reference to the KVM module.\r\n\r\nNote that kvm_check_async_pf_completion() may also take the work item off\nthe completion queue and so also needs to flush the work queue, as the\nwork will not be seen by kvm_clear_async_pf_completion_queue().  Waiting\non the workqueue could theoretically delay a vCPU due to waiting for the\nwork to complete, but that's a very, very small chance, and likely a very\nsmall delay.  kvm_arch_async_page_present_queued() unconditionally makes a\nnew request, i.e. will effectively delay entering the guest, so the\nremaining work is really just:\r\n\r\n        trace_kvm_async_pf_completed(addr, cr2_or_gpa);\r\n\r\n        __kvm_vcpu_wake_up(vcpu);\r\n\r\n        mmput(mm);\r\n\r\nand mmput() can't drop the last reference to the page tables if the vCPU is\nstill alive, i.e. the vCPU won't get stuck tearing down page tables.\r\n\r\nAdd a helper to do the flushing, specifically to deal with \"wakeup all\"\nwork items, as they aren't actually work items, i.e. are never placed in a\nworkqueue.  Trying to flush a bogus workqueue entry rightly makes\n__flush_work() complain (kudos to whoever added that sanity check).\r\n\r\nNote, commit 5f6de5cbebee (\"KVM: Prevent module exit until al\n---truncated---(CVE-2024-26976)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nSquashfs: check the inode number is not the invalid value of zero\r\n\r\nSyskiller has produced an out of bounds access in fill_meta_index().\r\n\r\nThat out of bounds access is ultimately caused because the inode\nhas an inode number with the invalid value of zero, which was not checked.\r\n\r\nThe reason this causes the out of bounds access is due to following\nsequence of events:\r\n\r\n1. Fill_meta_index() is called to allocate (via empty_meta_index())\n   and fill a metadata index.  It however suffers a data read error\n   and aborts, invalidating the newly returned empty metadata index.\n   It does this by setting the inode number of the index to zero,\n   which means unused (zero is not a valid inode number).\r\n\r\n2. When fill_meta_index() is subsequently called again on another\n   read operation, locate_meta_index() returns the previous index\n   because it matches the inode number of 0.  Because this index\n   has been returned it is expected to have been filled, and because\n   it hasn't been, an out of bounds access is performed.\r\n\r\nThis patch adds a sanity check which checks that the inode number\nis not zero when the inode is created and returns -EINVAL if it is.\r\n\r\n[phillip@squashfs.org.uk: whitespace fix]\n  Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk(CVE-2024-26982)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs: sysfs: Fix reference leak in sysfs_break_active_protection()\r\n\r\nThe sysfs_break_active_protection() routine has an obvious reference\nleak in its error path.  If the call to kernfs_find_and_get() fails then\nkn will be NULL, so the companion sysfs_unbreak_active_protection()\nroutine won't get called (and would only cause an access violation by\ntrying to dereference kn->parent if it was called).  As a result, the\nreference to kobj acquired at the start of the function will never be\nreleased.\r\n\r\nFix the leak by adding an explicit kobject_put() call when kn is NULL.(CVE-2024-26993)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nserial: mxs-auart: add spinlock around changing cts state\r\n\r\nThe uart_handle_cts_change() function in serial_core expects the caller\nto hold uport->lock. For example, I have seen the below kernel splat,\nwhen the Bluetooth driver is loaded on an i.MX28 board.\r\n\r\n    [   85.119255] ------------[ cut here ]------------\n    [   85.124413] WARNING: CPU: 0 PID: 27 at /drivers/tty/serial/serial_core.c:3453 uart_handle_cts_change+0xb4/0xec\n    [   85.134694] Modules linked in: hci_uart bluetooth ecdh_generic ecc wlcore_sdio configfs\n    [   85.143314] CPU: 0 PID: 27 Comm: kworker/u3:0 Not tainted 6.6.3-00021-gd62a2f068f92 #1\n    [   85.151396] Hardware name: Freescale MXS (Device Tree)\n    [   85.156679] Workqueue: hci0 hci_power_on [bluetooth]\n    (...)\n    [   85.191765]  uart_handle_cts_change from mxs_auart_irq_handle+0x380/0x3f4\n    [   85.198787]  mxs_auart_irq_handle from __handle_irq_event_percpu+0x88/0x210\n    (...)(CVE-2024-27000)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm: nv04: Fix out of bounds access\r\n\r\nWhen Output Resource (dcb->or) value is assigned in\nfabricate_dcb_output(), there may be out of bounds access to\ndac_users array in case dcb->or is zero because ffs(dcb->or) is\nused as index there.\nThe 'or' argument of fabricate_dcb_output() must be interpreted as a\nnumber of bit to set, not value.\r\n\r\nUtilize macros from 'enum nouveau_or' in calls instead of hardcoding.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-27008)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Fix a potential buffer overflow in 'dp_dsc_clock_en_read()'\r\n\r\nTell snprintf() to store at most 10 bytes in the output buffer\ninstead of 30.\r\n\r\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_debugfs.c:1508 dp_dsc_clock_en_read() error: snprintf() is printing too much 30 vs 10(CVE-2024-27045)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nUSB: usb-storage: Prevent divide-by-0 error in isd200_ata_command\r\n\r\nThe isd200 sub-driver in usb-storage uses the HEADS and SECTORS values\nin the ATA ID information to calculate cylinder and head values when\ncreating a CDB for READ or WRITE commands.  The calculation involves\ndivision and modulus operations, which will cause a crash if either of\nthese values is 0.  While this never happens with a genuine device, it\ncould happen with a flawed or subversive emulation, as reported by the\nsyzbot fuzzer.\r\n\r\nProtect against this possibility by refusing to bind to the device if\neither the ATA_ID_HEADS or ATA_ID_SECTORS value in the device's ID\ninformation is 0.  This requires isd200_Initialization() to return a\nnegative error code when initialization fails; currently it always\nreturns 0 (even when there is an error).(CVE-2024-27059)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: ttpci: fix two memleaks in budget_av_attach\r\n\r\nWhen saa7146_register_device and saa7146_vv_init fails, budget_av_attach\nshould free the resources it allocates, like the error-handling of\nttpci_budget_init does. Besides, there are two fixme comment refers to\nsuch deallocations.(CVE-2024-27073)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: dvb-frontends: avoid stack overflow warnings with clang\r\n\r\nA previous patch worked around a KASAN issue in stv0367, now a similar\nproblem showed up with clang:\r\n\r\ndrivers/media/dvb-frontends/stv0367.c:1222:12: error: stack frame size (3624) exceeds limit (2048) in 'stv0367ter_set_frontend' [-Werror,-Wframe-larger-than]\n 1214 | static int stv0367ter_set_frontend(struct dvb_frontend *fe)\r\n\r\nRework the stv0367_writereg() function to be simpler and mark both\nregister access functions as noinline_for_stack so the temporary\ni2c_msg structures do not get duplicated on the stack when KASAN_STACK\nis enabled.(CVE-2024-27075)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npstore: inode: Only d_invalidate() is needed\r\n\r\nUnloading a modular pstore backend with records in pstorefs would\ntrigger the dput() double-drop warning:\r\n\r\n  WARNING: CPU: 0 PID: 2569 at fs/dcache.c:762 dput.part.0+0x3f3/0x410\r\n\r\nUsing the combo of d_drop()/dput() (as mentioned in\nDocumentation/filesystems/vfs.rst) isn't the right approach here, and\nleads to the reference counting problem seen above. Use d_invalidate()\nand update the code to not bother checking for error codes that can\nnever happen.\r\n\r\n---(CVE-2024-27389)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/ntfs3: Fixed overflow check in mi_enum_attr()(CVE-2024-27407)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetrom: Fix data-races around sysctl_net_busy_read\r\n\r\nWe need to protect the reader reading the sysctl value because the\nvalue can be changed concurrently.(CVE-2024-27419)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2024-27426)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2024-27427)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()\r\n\r\nDo the cache flush of converted pages in svm_register_enc_region() before\ndropping kvm->lock to fix use-after-free issues where region and/or its\narray of pages could be freed by a different task, e.g. if userspace has\n__unregister_enc_region_locked() already queued up for the region.\r\n\r\nNote, the \"obvious\" alternative of using local variables doesn't fully\nresolve the bug, as region->pages is also dynamically allocated.  I.e. the\nregion structure itself would be fine, but region->pages could be freed.\r\n\r\nFlushing multiple pages under kvm->lock is unfortunate, but the entire\nflow is a rare slow path, and the manual flush is only needed on CPUs that\nlack coherency for encrypted memory.(CVE-2024-35791)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\nx86/fpu: Keep xfd_state in sync with MSR_IA32_XFD\nCommit 672365477ae8 (\"x86/fpu: Update XFD state where required\") and\ncommit 8bf26758ca96 (\"x86/fpu: Add XFD state to fpstate\") introduced a\nper CPU variable xfd_state to keep the MSR_IA32_XFD value cached, in\norder to avoid unnecessary writes to the MSR.\nOn CPU hotplug MSR_IA32_XFD is reset to the init_fpstate.xfd, which\nwipes out any stale state. But the per CPU cached xfd value is not\nreset, which brings them out of sync.\nAs a consequence a subsequent xfd_update_state() might fail to update\nthe MSR which in turn can result in XRSTOR raising a #NM in kernel\nspace, which crashes the kernel.\nTo fix this, introduce xfd_set_state() to write xfd_state together\nwith MSR_IA32_XFD, and use it in all places that set MSR_IA32_XFD.(CVE-2024-35801)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndm snapshot: fix lockup in dm_exception_table_exit\r\n\r\nThere was reported lockup when we exit a snapshot with many exceptions.\nFix this by adding \"cond_resched\" to the loop that frees the exceptions.(CVE-2024-35805)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsoc: fsl: qbman: Always disable interrupts when taking cgr_lock\r\n\r\nsmp_call_function_single disables IRQs when executing the callback. To\nprevent deadlocks, we must disable IRQs when taking cgr_lock elsewhere.\nThis is already done by qman_update_cgr and qman_delete_cgr; fix the\nother lockers.(CVE-2024-35806)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nLoongArch: Define the __io_aw() hook as mmiowb()\r\n\r\nCommit fb24ea52f78e0d595852e (\"drivers: Remove explicit invocations of\nmmiowb()\") remove all mmiowb() in drivers, but it says:\r\n\r\n\"NOTE: mmiowb() has only ever guaranteed ordering in conjunction with\nspin_unlock(). However, pairing each mmiowb() removal in this patch with\nthe corresponding call to spin_unlock() is not at all trivial, so there\nis a small chance that this change may regress any drivers incorrectly\nrelying on mmiowb() to order MMIO writes between CPUs using lock-free\nsynchronisation.\"\r\n\r\nThe mmio in radeon_ring_commit() is protected by a mutex rather than a\nspinlock, but in the mutex fastpath it behaves similar to spinlock. We\ncan add mmiowb() calls in the radeon driver but the maintainer says he\ndoesn't like such a workaround, and radeon is not the only example of\nmutex protected mmio.\r\n\r\nSo we should extend the mmiowb tracking system from spinlock to mutex,\nand maybe other locking primitives. This is not easy and error prone, so\nwe solve it in the architectural code, by simply defining the __io_aw()\nhook as mmiowb(). And we no longer need to override queued_spin_unlock()\nso use the generic definition.\r\n\r\nWithout this, we get such an error when run 'glxgears' on weak ordering\narchitectures such as LoongArch:\r\n\r\nradeon 0000:04:00.0: ring 0 stalled for more than 10324msec\nradeon 0000:04:00.0: ring 3 stalled for more than 10240msec\nradeon 0000:04:00.0: GPU lockup (current fence id 0x000000000001f412 last fence id 0x000000000001f414 on ring 3)\nradeon 0000:04:00.0: GPU lockup (current fence id 0x000000000000f940 last fence id 0x000000000000f941 on ring 0)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)(CVE-2024-35818)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5e: fix a double-free in arfs_create_groups\r\n\r\nWhen `in` allocated by kvzalloc fails, arfs_create_groups will free\nft->g and return an error. However, arfs_create_table, the only caller of\narfs_create_groups, will hold this error and call to\nmlx5e_destroy_flow_table, in which the ft->g will be freed again.(CVE-2024-35835)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: compress: fix reserve_cblocks counting error when out of space\r\n\r\nWhen a file only needs one direct_node, performing the following\noperations will cause the file to be unrepairable:\r\n\r\nunisoc # ./f2fs_io compress test.apk\nunisoc #df -h | grep dm-48\n/dev/block/dm-48 112G 112G 1.2M 100% /data\r\n\r\nunisoc # ./f2fs_io release_cblocks test.apk\n924\nunisoc # df -h | grep dm-48\n/dev/block/dm-48 112G 112G 4.8M 100% /data\r\n\r\nunisoc # dd if=/dev/random of=file4 bs=1M count=3\n3145728 bytes (3.0 M) copied, 0.025 s, 120 M/s\nunisoc # df -h | grep dm-48\n/dev/block/dm-48 112G 112G 1.8M 100% /data\r\n\r\nunisoc # ./f2fs_io reserve_cblocks test.apk\nF2FS_IOC_RESERVE_COMPRESS_BLOCKS failed: No space left on device\r\n\r\nadb reboot\nunisoc # df -h  | grep dm-48\n/dev/block/dm-48             112G 112G   11M 100% /data\nunisoc # ./f2fs_io reserve_cblocks test.apk\n0\r\n\r\nThis is because the file has only one direct_node. After returning\nto -ENOSPC, reserved_blocks += ret will not be executed. As a result,\nthe reserved_blocks at this time is still 0, which is not the real\nnumber of reserved blocks. Therefore, fsck cannot be set to repair\nthe file.\r\n\r\nAfter this patch, the fsck flag will be set to fix this problem.\r\n\r\nunisoc # df -h | grep dm-48\n/dev/block/dm-48             112G 112G  1.8M 100% /data\nunisoc # ./f2fs_io reserve_cblocks test.apk\nF2FS_IOC_RESERVE_COMPRESS_BLOCKS failed: No space left on device\r\n\r\nadb reboot then fsck will be executed\nunisoc # df -h  | grep dm-48\n/dev/block/dm-48             112G 112G   11M 100% /data\nunisoc # ./f2fs_io reserve_cblocks test.apk\n924(CVE-2024-35844)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()\r\n\r\nnft_unregister_flowtable_type() within nf_flow_inet_module_exit() can\nconcurrent with __nft_flowtable_type_get() within nf_tables_newflowtable().\nAnd thhere is not any protection when iterate over nf_tables_flowtables\nlist in __nft_flowtable_type_get(). Therefore, there is pertential\ndata-race of nf_tables_flowtables list entry.\r\n\r\nUse list_for_each_entry_rcu() to iterate over nf_tables_flowtables list\nin __nft_flowtable_type_get(), and use rcu_read_lock() in the caller\nnft_flowtable_type_get() to protect the entire type query process.(CVE-2024-35898)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfbmon: prevent division by zero in fb_videomode_from_videomode()\r\n\r\nThe expression htotal * vtotal can have a zero value on\noverflow. It is necessary to prevent division by zero like in\nfb_var_to_videomode().\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with Svace.(CVE-2024-35922)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()\r\n\r\nThe call to lpfc_sli4_resume_rpi() in lpfc_rcv_padisc() may return an\nunsuccessful status.  In such cases, the elsiocb is not issued, the\ncompletion is not called, and thus the elsiocb resource is leaked.\r\n\r\nCheck return value after calling lpfc_sli4_resume_rpi() and conditionally\nrelease the elsiocb resource.(CVE-2024-35930)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()\r\n\r\nThe unhandled case in btrfs_relocate_sys_chunks() loop is a corruption,\nas it could be caused only by two impossible conditions:\r\n\r\n- at first the search key is set up to look for a chunk tree item, with\n  offset -1, this is an inexact search and the key->offset will contain\n  the correct offset upon a successful search, a valid chunk tree item\n  cannot have an offset -1\r\n\r\n- after first successful search, the found_key corresponds to a chunk\n  item, the offset is decremented by 1 before the next loop, it's\n  impossible to find a chunk item there due to alignment and size\n  constraints(CVE-2024-35936)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npstore/zone: Add a null pointer check to the psz_kmsg_read\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.(CVE-2024-35940)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nxsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING\r\n\r\nsyzbot reported an illegal copy in xsk_setsockopt() [1]\r\n\r\nMake sure to validate setsockopt() @optlen parameter.\r\n\r\n[1]\r\n\r\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\nRead of size 4 at addr ffff888028c6cde3 by task syz-executor.0/7549\r\n\r\nCPU: 0 PID: 7549 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:488\n  kasan_report+0x143/0x180 mm/kasan/report.c:601\n  copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n  copy_from_sockptr include/linux/sockptr.h:55 [inline]\n  xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\n  do_sock_setsockopt+0x3af/0x720 net/socket.c:2311\n  __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n  __do_sys_setsockopt net/socket.c:2343 [inline]\n  __se_sys_setsockopt net/socket.c:2340 [inline]\n  __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\nRIP: 0033:0x7fb40587de69\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fb40665a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 00007fb4059abf80 RCX: 00007fb40587de69\nRDX: 0000000000000005 RSI: 000000000000011b RDI: 0000000000000006\nRBP: 00007fb4058ca47a R08: 0000000000000002 R09: 0000000000000000\nR10: 0000000020001980 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007fb4059abf80 R15: 00007fff57ee4d08\n </TASK>\r\n\r\nAllocated by task 7549:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\n  __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\n  kasan_kmalloc include/linux/kasan.h:211 [inline]\n  __do_kmalloc_node mm/slub.c:3966 [inline]\n  __kmalloc+0x233/0x4a0 mm/slub.c:3979\n  kmalloc include/linux/slab.h:632 [inline]\n  __cgroup_bpf_run_filter_setsockopt+0xd2f/0x1040 kernel/bpf/cgroup.c:1869\n  do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\n  __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n  __do_sys_setsockopt net/socket.c:2343 [inline]\n  __se_sys_setsockopt net/socket.c:2340 [inline]\n  __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nThe buggy address belongs to the object at ffff888028c6cde0\n which belongs to the cache kmalloc-8 of size 8\nThe buggy address is located 1 bytes to the right of\n allocated 2-byte region [ffff888028c6cde0, ffff888028c6cde2)\r\n\r\nThe buggy address belongs to the physical page:\npage:ffffea0000a31b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888028c6c9c0 pfn:0x28c6c\nanon flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)\npage_type: 0xffffffff()\nraw: 00fff00000000800 ffff888014c41280 0000000000000000 dead000000000001\nraw: ffff888028c6c9c0 0000000080800057 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as allocated\npage last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 6648, tgid 6644 (syz-executor.0), ts 133906047828, free_ts 133859922223\n  set_page_owner include/linux/page_owner.h:31 [inline]\n  post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533\n  prep_new_page mm/page_alloc.c:\n---truncated---(CVE-2024-35976)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nHID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up\r\n\r\nThe flag I2C_HID_READ_PENDING is used to serialize I2C operations.\nHowever, this is not necessary, because I2C core already has its own\nlocking for that.\r\n\r\nMore importantly, this flag can cause a lock-up: if the flag is set in\ni2c_hid_xfer() and an interrupt happens, the interrupt handler\n(i2c_hid_irq) will check this flag and return immediately without doing\nanything, then the interrupt handler will be invoked again in an\ninfinite loop.\r\n\r\nSince interrupt handler is an RT task, it takes over the CPU and the\nflag-clearing task never gets scheduled, thus we have a lock-up.\r\n\r\nDelete this unnecessary flag.(CVE-2024-35997)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmlxsw: spectrum_acl_tcam: Fix incorrect list API usage\r\n\r\nBoth the function that migrates all the chunks within a region and the\nfunction that migrates all the entries within a chunk call\nlist_first_entry() on the respective lists without checking that the\nlists are not empty. This is incorrect usage of the API, which leads to\nthe following warning [1].\r\n\r\nFix by returning if the lists are empty as there is nothing to migrate\nin this case.\r\n\r\n[1]\nWARNING: CPU: 0 PID: 6437 at drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c:1266 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0>\nModules linked in:\nCPU: 0 PID: 6437 Comm: kworker/0:37 Not tainted 6.9.0-rc3-custom-00883-g94a65f079ef6 #39\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0x2c0\n[...]\nCall Trace:\n <TASK>\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x4a0\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n </TASK>(CVE-2024-36006)",
+    "cves": [
+      {
+        "id": "CVE-2024-35801",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35801",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2024-36006",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36006",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1482": {
+    "id": "openEuler-SA-2022-1482",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1482",
+    "title": "An update for python-lxml is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "XML processing library combining libxml2/libxslt with the ElementTree API.\r\n\r\nSecurity Fix(es):\r\n\r\nlxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.(CVE-2021-43818)",
+    "cves": [
+      {
+        "id": "CVE-2021-43818",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43818",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1414": {
+    "id": "openEuler-SA-2024-1414",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1414",
+    "title": "An update for libxml2 is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "This library allows to manipulate XML files. It includes support to read, modify and write XML and HTML files. There is DTDs support this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified. The output can be a simple SAX stream or and in-memory DOM like representations. In this case one can use the built-in XPath and XPointer implementation to select sub nodes or ranges. A flexible Input/Output mechanism is available, with existing HTTP and FTP modules and combined to an URI library.\r\n\r\nSecurity Fix(es):\r\n\r\nNULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.(CVE-2022-2309)",
+    "cves": [
+      {
+        "id": "CVE-2022-2309",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2309",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1811": {
+    "id": "openEuler-SA-2024-1811",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1811",
+    "title": "An update for rust is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Rust is a systems programming language focused on three goals:safety, speed,and concurrency.It maintains these goals without having a garbage collector, making it a useful language for a number of use cases other languages are not good at: embedding in other languages, programs with specific space and time requirements,and writing low-level code, like device drivers and operating systems. It improves on current languages targeting this space by having a number of compile-time safety checks that produce no runtime overhead,while eliminating all data races.\r\n\r\nSecurity Fix(es):\r\n\r\nCargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes \"ok\" to the .cargo-ok file at the root of the extracted source code once it extracted all the files. It was discovered that Cargo allowed packages to contain a .cargo-ok symbolic link, which Cargo would extract. Then, when Cargo attempted to write \"ok\" into .cargo-ok, it would actually replace the first two bytes of the file the symlink pointed to with ok. This would allow an attacker to corrupt one file on the machine using Cargo to extract the package. Note that by design Cargo allows code execution at build time, due to build scripts and procedural macros. The vulnerabilities in this advisory allow performing a subset of the possible damage in a harder to track down way. Your dependencies must still be trusted if you want to be protected from attacks, as it's possible to perform the same attacks with build scripts and procedural macros. The vulnerability is present in all versions of Cargo. Rust 1.64, to be released on September 22nd, will include a fix for it. Since the vulnerability is just a more limited way to accomplish what a malicious build scripts or procedural macros can do, we decided not to publish Rust point releases backporting the security fix. Patch files are available for Rust 1.63.0 are available in the wg-security-response repository for people building their own toolchain.\nMitigations We recommend users of alternate registries to exercise care in which package they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities. crates.io implemented server-side checks to reject these kinds of packages years ago, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to exercise care in choosing their dependencies though, as remote code execution is allowed by design there as well.(CVE-2022-36113)\r\n\r\nCargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size (also known as a \"zip bomb\"), exhausting the disk space on the machine using Cargo to download the package. Note that by design Cargo allows code execution at build time, due to build scripts and procedural macros. The vulnerabilities in this advisory allow performing a subset of the possible damage in a harder to track down way. Your dependencies must still be trusted if you want to be protected from attacks, as it's possible to perform the same attacks with build scripts and procedural macros. The vulnerability is present in all versions of Cargo. Rust 1.64, to be released on September 22nd, will include a fix for it. Since the vulnerability is just a more limited way to accomplish what a malicious build scripts or procedural macros can do, we decided not to publish Rust point releases backporting the security fix. Patch files are available for Rust 1.63.0 are available in the wg-security-response repository for people building their own toolchain. We recommend users of alternate registries to excercise care in which package they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities. crates.io implemented server-side checks to reject these kinds of packages years ago, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to excercise care in choosing their dependencies though, as the same concerns about build scripts and procedural macros apply here.(CVE-2022-36114)",
+    "cves": [
+      {
+        "id": "CVE-2022-36114",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36114",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1446": {
+    "id": "openEuler-SA-2024-1446",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1446",
+    "title": "An update for LibRaw is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "LibRaw is a library for reading RAW files from digital photo cameras (CRW/CR2, NEF, RAF, etc, virtually all RAW formats are supported).It pays special attention to correct retrieval of data required for subsequent RAW conversion.The library is intended for embedding in RAW converters, data analyzers, and other programs using RAW files as the initial data.\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Overflow vulnerability in LibRaw linux/unix v0.20.0 allows attacker to escalate privileges via the LibRaw_buffer_datastream::gets(char*, int) in /src/libraw/src/libraw_datastream.cpp.(CVE-2021-32142)",
+    "cves": [
+      {
+        "id": "CVE-2021-32142",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32142",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1595": {
+    "id": "openEuler-SA-2023-1595",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1595",
+    "title": "An update for binutils is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The GNU Binutils are a collection of binary tools. The main ones are: ld - the GNU linker. as - the GNU assembler. addr2line - Converts addresses into filenames and line numbers. ar - A utility for creating, modifying and extracting from archives. c++filt - Filter to demangle encoded C++ symbols. dlltool - Creates files for building and using DLLs. gold - A new, faster, ELF only linker, still in beta test. gprof - Displays profiling information. nlmconv - Converts object code into an NLM. nm - Lists symbols from object files. objcopy - Copies and translates object files. objdump - Displays information from object files. ranlib - Generates an index to the contents of an archive. readelf - Displays information from any ELF format object file. size - Lists the section sizes of an object or archive file. strings - Lists printable strings from files. trip - Discards symbols. windmc - A Windows compatible message compiler. windres - A compiler for Windows resource files.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.(CVE-2022-48064)",
+    "cves": [
+      {
+        "id": "CVE-2022-48064",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48064",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1877": {
+    "id": "openEuler-SA-2022-1877",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1877",
+    "title": "An update for sqlite is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "SQLite is a C-language library that implements a small, fast, self-contained,high-reliability, full-featured, SQL database engine. SQLite is the most used database engine in the world. SQLite is built into all mobile phones and most computers and comes bundled inside countless other applications that people use every day.It also include lemon and sqlite3_analyzer and tcl tools.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was found in fts5UnicodeTokenize() in ext/fts5/fts5_tokenize.c in Sqlite. A unicode61 tokenizer configured to treat unicode \"control-characters\" (class Cc), was treating embedded nul characters as tokens. The issue was fixed in sqlite-3.34.0 and later.(CVE-2021-20223)",
+    "cves": [
+      {
+        "id": "CVE-2021-20223",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20223",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1865": {
+    "id": "openEuler-SA-2022-1865",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1865",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Over-read in GitHub repository vim/vim prior to 9.0.0218.(CVE-2022-2845)",
+    "cves": [
+      {
+        "id": "CVE-2022-2845",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2845",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1750": {
+    "id": "openEuler-SA-2024-1750",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1750",
+    "title": "An update for python-lxml is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "The lxml XML toolkit is a Pythonic binding for the C libraries libxml2 and libxslt. \\ It is unique in that it combines the speed and XML feature completeness of these libraries with \\ the simplicity of a native Python API, mostly compatible but superior to the well-known ElementTree API. \\ The latest release works with all CPython versions from 2.7 to 3.7.\r\n\r\nSecurity Fix(es):\r\n\r\nAn XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of lxml before v4.9.1 allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted XML input.(CVE-2024-37388)",
+    "cves": [
+      {
+        "id": "CVE-2024-37388",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37388",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1111": {
+    "id": "openEuler-SA-2024-1111",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1111",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel before 6.5.9, there is a NULL pointer dereference in send_acknowledge in net/nfc/nci/spi.c.(CVE-2023-46343)\r\n\r\nIn the Linux kernel before 6.4.12, amdgpu_cs_wait_all_fences in drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c has a fence use-after-free.(CVE-2023-51042)\r\n\r\nAn issue was discovered in ksmbd in the Linux kernel before 6.6.10. smb2_get_data_area_len in fs/smb/server/smb2misc.c can cause an smb_strndup_from_utf16 out-of-bounds access because the relationship between Name data and CreateContexts data is mishandled.(CVE-2024-22705)",
+    "cves": [
+      {
+        "id": "CVE-2024-22705",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22705",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1357": {
+    "id": "openEuler-SA-2023-1357",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1357",
+    "title": "An update for c-ares is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "\n\nSecurity Fix(es):\n\nc-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular \"0::00:00:00/2\" was found to cause an issue.  C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.\n(CVE-2023-31130)\n\nc-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.(CVE-2023-31147)",
+    "cves": [
+      {
+        "id": "CVE-2023-31147",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31147",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1317": {
+    "id": "openEuler-SA-2024-1317",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1317",
+    "title": "An update for edk2 is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications.\r\n\r\nSecurity Fix(es):\r\n\r\n\nEDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability.\r\n\r\n(CVE-2022-36764)\r\n\r\n EDK2's Network Package is susceptible to a buffer overflow vulnerability via a long server ID option in DHCPv6 client. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Confidentiality, Integrity and/or Availability.\r\n\r\n(CVE-2023-45230)\r\n\r\n EDK2's Network Package is susceptible to an infinite loop vulnerability when parsing unknown options in the Destination Options header of IPv6. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Availability.\r\n\r\n(CVE-2023-45232)\r\n\r\n EDK2's Network Package is susceptible to an infinite lop vulnerability when parsing a PadN option in the Destination Options header of IPv6. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Availability.\r\n\r\n(CVE-2023-45233)\r\n\r\n EDK2's Network Package is susceptible to a buffer overflow vulnerability when\r\n\r\n\r\n\r\n\r\n\r\nhandling Server ID option \r\n\r\n\r\n\r\n from a DHCPv6 proxy Advertise message. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Confidentiality, Integrity and/or Availability.\r\n\r\n(CVE-2023-45235)",
+    "cves": [
+      {
+        "id": "CVE-2023-45235",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45235",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1625": {
+    "id": "openEuler-SA-2023-1625",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1625",
+    "title": "An update for libtommath is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "LibTomMath is a free open source portable number theoretic multiple-precision integer library written entirely in C.  The library is designed to provide a simple to work with API that provides fairly efficient routines that build out of the box without configuration.\r\n\r\nSecurity Fix(es):\r\n\r\nInteger Overflow vulnerability in mp_grow in libtom libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to execute arbitrary code and cause a denial of service (DoS).(CVE-2023-36328)",
+    "cves": [
+      {
+        "id": "CVE-2023-36328",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36328",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1982": {
+    "id": "openEuler-SA-2023-1982",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1982",
+    "title": "An update for rubygem-puma is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Low",
+    "description": "A simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications.\r\n\r\nSecurity Fix(es):\r\n\r\nPuma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This vulnerability was patched in Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server with `puma`.(CVE-2021-41136)",
+    "cves": [
+      {
+        "id": "CVE-2021-41136",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41136",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1156": {
+    "id": "openEuler-SA-2021-1156",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1156",
+    "title": "An update for libdb is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Low",
+    "description": "Oracle Berkeley DB provides the best open source embeddable databases allowing developers the choice of SQL, Key/Value, XML/XQuery or Java  Object storage for their data model. At its core is a fast, scalable,  transactional database engine with proven reliability and availability.  Berkeley DB comes three versions: Berkeley DB, Berkeley DB Java  Edition, and Berkeley DB XML.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Data Store component of Oracle Berkeley DB. Supported versions that are affected are Prior to 6.138, prior to 6.2.38 and prior to 18.1.32. Easily exploitable vulnerability allows low privileged attacker having Local Logon privilege with logon to the infrastructure where Data Store executes to compromise Data Store. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Data Store. CVSS 3.0 Base Score 3.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L).(CVE-2019-2708)",
+    "cves": [
+      {
+        "id": "CVE-2019-2708",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-2708",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1319": {
+    "id": "openEuler-SA-2021-1319",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1319",
+    "title": "An update for systemd is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "systemd is a system and service manager that runs as PID 1 and starts the rest of the system. \r\n\r\nSecurity Fix(es):\r\n\r\nAn exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.(CVE-2020-13529)",
+    "cves": [
+      {
+        "id": "CVE-2020-13529",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13529",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2106": {
+    "id": "openEuler-SA-2022-2106",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2106",
+    "title": "An update for protobuf is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Protocol Buffers (a.k.a., protobuf) are Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data. You can find protobuf's documentation on the Google Developers site.\r\n\r\nSecurity Fix(es):\r\n\r\nNullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.(CVE-2021-22570)",
+    "cves": [
+      {
+        "id": "CVE-2021-22570",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22570",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1086": {
+    "id": "openEuler-SA-2021-1086",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1086",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are proxied via an attacker-selected backstore.(CVE-2020-28374)\r\n\r\nAn issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are processing watch events using a single thread. If the events are received faster than the thread is able to handle, they will get queued. As the queue is unbounded, a guest may be able to trigger an OOM in the backend. All systems with a FreeBSD, Linux, or NetBSD (any version) dom0 are vulnerable.(CVE-2020-29568)\r\n\r\nIn the nl80211_policy policy of nl80211.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not required for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-119770583(CVE-2020-27068)\r\n\r\nA flaw was found in the Linux kernels implementation of MIDI, where an attacker with a local account and the permissions to issue an ioctl commands to midi devices, could trigger a use-after-free. A write to this specific memory while freed and before use could cause the flow of execution to change and possibly allow for memory corruption or privilege escalation.(CVE-2020-27786)\r\n\r\nAn issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free during fault handling, allowing local users to execute code in the kernel, aka CID-34b1a1ce1458.(CVE-2021-3347)\r\n\r\nnbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after-free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup, aka CID-b98e762e3d71.(CVE-2021-3348)\n\nIn binder_release_work of binder.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.(CVE-2020-0423)\n\nmwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.(CVE-2020-36158)\n\nInsufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.(CVE-2020-8694)\n\nIBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors could allow a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances. (CVE-2020-4788)\n\nAn issue was discovered in the Linux kernel through 5.2.13. nbd_genl_status in drivers/block/nbd.c does not check the nla_nest_start_noflag return value.(CVE-2019-16089)\n\nIn various methods of hid-multitouch.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.(CVE-2020-0465)\n\nIn do_epoll_ctl and ep_loop_check_proc of eventpoll.c, there is a possible use after free due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.(CVE-2020-0466)\n\nA flaw was found in the Linux kernel futex implementation. This flaw allows a local attacker to corrupt system memory or escalate their privileges when creating a futex on a filesystem that is about to be unmounted. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-14381)\n\nThe Linux kernel 4.9.x before 4.9.233, 4.14.x before 4.14.194, and 4.19.x before 4.19.140 has a use-after-free because skcd->no_refcnt was not considered during a backport of a CVE-2020-14356 patch. This is related to the cgroups feature.(CVE-2020-25220)\n\nIn kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.(CVE-2020-0431)\n\nIn cdev_get of char_dev.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.(CVE-2020-0305)\n\nIn audit_free_lsm_field of auditfilter.c, there is a possible bad kfree due to a logic error in audit_data_to_entry. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.(CVE-2020-0444)\n\nIn tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required. User interaction is not required for exploitation.(CVE-2021-0342)\n\nA flaw was found in the Linux kernel's implementation of string matching within a packet. A privileged user (with root or CAP_NET_ADMIN) when inserting iptables rules could insert a rule which can panic the system.(CVE-2021-20177)\n\nfs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS. NOTE: some parties argue that such a subdirectory export is not intended to prevent this attack; see also the exports(5) no_subtree_check default behavior.(CVE-2021-3178)",
+    "cves": [
+      {
+        "id": "CVE-2021-3178",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3178",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1389": {
+    "id": "openEuler-SA-2021-1389",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1389",
+    "title": "An update for php is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server.\r\n\r\nSecurity Fix(es):\r\n\r\nIn PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filter_var() function with FILTER_VALIDATE_URL parameter, an URL with invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially leading to other security implications - like contacting a wrong server or making a wrong access decision.(CVE-2021-21705)\r\n\r\nIn PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, such as getAttribute(), execute(), fetch() and others by returning invalid response data that is not parsed correctly by the driver. This can result in crashes, denial of service or potentially memory corruption.(CVE-2021-21704)",
+    "cves": [
+      {
+        "id": "CVE-2021-21704",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21704",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1523": {
+    "id": "openEuler-SA-2024-1523",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1523",
+    "title": "An update for atril is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Mate-document-viewer is simple document viewer. It can display and print Portable Document Format (PDF), PostScript (PS), Encapsulated PostScript (EPS), DVI, DJVU, epub and XPS files. When supported by the document format, mate-document-viewer allows searching for text, copying text to the clipboard, hypertext navigation, table-of-contents bookmarks and editing of forms.\r\n\r\nSecurity Fix(es):\r\n\r\nAtril is a simple multi-page document viewer. Atril is vulnerable to a critical Command Injection Vulnerability. This vulnerability gives the attacker immediate access to the target system when the target user opens a crafted document or clicks on a crafted link/URL using a maliciously crafted CBT document which is a TAR archive. A patch is available at commit ce41df6.\n(CVE-2023-51698)",
+    "cves": [
+      {
+        "id": "CVE-2023-51698",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51698",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1319": {
+    "id": "openEuler-SA-2023-1319",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1319",
+    "title": "An update for wireshark is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Wireshark allows you to examine protocol data stored in files or as it is captured from wired or wireless (WiFi or Bluetooth) networks, USB devices,and many other sources.  It supports dozens of protocol capture file formats and understands more than a thousand protocols.It has many powerful features including a rich display filter language and the ability to reassemble multiple protocol packets in order to, for example, view a complete TCP stream, save the contents of a file which was transferred over HTTP or CIFS, or play back an RTP audio stream.\r\n\r\nSecurity Fix(es):\r\n\r\nVMS TCPIPtrace file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file(CVE-2023-2856)",
+    "cves": [
+      {
+        "id": "CVE-2023-2856",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2856",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1204": {
+    "id": "openEuler-SA-2024-1204",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1204",
+    "title": "An update for rust is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Rust is a systems programming language focused on three goals:safety, speed,and concurrency.It maintains these goals without having a garbage collector, making it a useful language for a number of use cases other languages are not good at: embedding in other languages, programs with specific space and time requirements,and writing low-level code, like device drivers and operating systems. It improves on current languages targeting this space by having a number of compile-time safety checks that produce no runtime overhead,while eliminating all data races.\r\n\r\nSecurity Fix(es):\r\n\r\nlibgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2.(CVE-2024-24577)",
+    "cves": [
+      {
+        "id": "CVE-2024-24577",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24577",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1326": {
+    "id": "openEuler-SA-2023-1326",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1326",
+    "title": "An update for hdf5 is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "HDF5 is a data model, library, and file format for storing and managing data. It supports an unlimited variety of datatypes, and is designed for flexible and efficient I/O and for high volume and complex data. HDF5 is portable and is extensible, allowing applications to evolve in their use of HDF5. The HDF5 Technology suite includes tools and applications for managing, manipulating, viewing, and analyzing data in the HDF5 format.\r\n\r\nSecurity Fix(es):\r\n\r\nA buffer overflow in H5O__layout_encode in H5Olayout.c in the HDF HDF5 through 1.10.4 library allows attackers to cause a denial of service via a crafted HDF5 file. This issue was triggered while repacking an HDF5 file, aka \"Invalid write of size 2.\"(CVE-2019-8396)\r\n\r\nAn issue was discovered in the HDF HDF5 1.8.20 library. There is an out of bounds read in the function H5F__accum_read in H5Faccum.c.(CVE-2018-13867)\r\n\r\nAn issue was discovered in the HDF HDF5 1.8.20 library. There is a heap-based buffer over-read in the function H5O_layout_decode in H5Olayout.c, related to HDmemcpy.(CVE-2018-14033)\r\n\r\nAn issue was discovered in the HDF HDF5 1.8.20 library. There is a heap-based buffer over-read in the function H5O_sdspace_decode in H5Osdspace.c.(CVE-2018-14460)\r\n\r\nAn issue was discovered in HDF5 through 1.12.0. A heap-based buffer over-read exists in the function H5O__layout_decode() located in H5Olayout.c. It allows an attacker to cause Denial of Service.(CVE-2020-10811)\r\n\r\nBuffer Overflow vulnerability in HDFGroup hdf5-h5dump 1.12.0 through 1.13.0 allows attackers to cause a denial of service via h5tools_str_sprint in /hdf5/tools/lib/h5tools_str.c.(CVE-2021-37501)",
+    "cves": [
+      {
+        "id": "CVE-2021-37501",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37501",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1073": {
+    "id": "openEuler-SA-2023-1073",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1073",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\natm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results).(CVE-2023-23455)\r\n\r\ncbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results).(CVE-2023-23454)\n\nA NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash.(CVE-2023-0394)",
+    "cves": [
+      {
+        "id": "CVE-2023-0394",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0394",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1715": {
+    "id": "openEuler-SA-2022-1715",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1715",
+    "title": "An update for ceph is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Ceph is a massively scalable, open-source, distributed storage system that runs on commodity hardware and delivers object, block and file system storage.\r\n\r\nSecurity Fix(es):\r\n\r\nAn authentication flaw was found in ceph in versions before 14.2.20. When the monitor handles CEPHX_GET_AUTH_SESSION_KEY requests, it doesn't sanitize other_keys, allowing key reuse. An attacker who can request a global_id can exploit the ability of any user to request a global_id previously associated with another user, as ceph does not force the reuse of old keys to generate new ones. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2021-20288)",
+    "cves": [
+      {
+        "id": "CVE-2021-20288",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20288",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1875": {
+    "id": "openEuler-SA-2024-1875",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1875",
+    "title": "An update for ffmpeg is now available for openEuler-22.03-LTS-SP4",
+    "severity": "High",
+    "description": "FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash.\r\n\r\nSecurity Fix(es):\r\n\r\nAn integer overflow vulnerability was found in FFmpeg versions before 4.4.2 and before 5.0.1 in g729_parse() in llibavcodec/g729_parser.c when processing a specially crafted file.(CVE-2022-1475)\r\n\r\nlibavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and other products, leaves stale hwaccel state in worker threads, which allows attackers to trigger a use-after-free and execute arbitrary code in some circumstances (e.g., hardware re-initialization upon a mid-video SPS change when Direct3D11 is used).(CVE-2022-48434)\r\n\r\nFFmpeg 7.0 is vulnerable to Buffer Overflow. There is a negative-size-param bug at libavcodec/mpegvideo_enc.c:1216:21 in load_input_picture in FFmpeg7.0(CVE-2024-32230)",
+    "cves": [
+      {
+        "id": "CVE-2024-32230",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32230",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1182": {
+    "id": "openEuler-SA-2023-1182",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1182",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw found in the Linux Kernel. The missing check causes a type confusion when issuing a list_entry()\non an empty report_list. The problem is caused by the assumption that the device must have valid report_list. While this will be true for all normal HID devices, a suitably malicious device can violate the assumption.\r\n\r\nReferences:\nhttps://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=b12fece4c64857e5fab4290bf01b2e0317a88456\nhttps://www.openwall.com/lists/oss-security/2023/01/17/3(CVE-2023-1073)\r\n\r\nIn nf_tables_updtable, if nf_tables_table_enable returns an error, nft_trans_destroy is called to free the transaction object. nft_trans_destroy() calls list_del(), but the transaction was never placed on a list -- the list head is all zeroes, this results in a NULL pointer dereference.(CVE-2023-1095)",
+    "cves": [
+      {
+        "id": "CVE-2023-1095",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1095",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1812": {
+    "id": "openEuler-SA-2024-1812",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1812",
+    "title": "An update for rust is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "Rust is a systems programming language focused on three goals:safety, speed,and concurrency.It maintains these goals without having a garbage collector, making it a useful language for a number of use cases other languages are not good at: embedding in other languages, programs with specific space and time requirements,and writing low-level code, like device drivers and operating systems. It improves on current languages targeting this space by having a number of compile-time safety checks that produce no runtime overhead,while eliminating all data races.\r\n\r\nSecurity Fix(es):\r\n\r\nCargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes \"ok\" to the .cargo-ok file at the root of the extracted source code once it extracted all the files. It was discovered that Cargo allowed packages to contain a .cargo-ok symbolic link, which Cargo would extract. Then, when Cargo attempted to write \"ok\" into .cargo-ok, it would actually replace the first two bytes of the file the symlink pointed to with ok. This would allow an attacker to corrupt one file on the machine using Cargo to extract the package. Note that by design Cargo allows code execution at build time, due to build scripts and procedural macros. The vulnerabilities in this advisory allow performing a subset of the possible damage in a harder to track down way. Your dependencies must still be trusted if you want to be protected from attacks, as it's possible to perform the same attacks with build scripts and procedural macros. The vulnerability is present in all versions of Cargo. Rust 1.64, to be released on September 22nd, will include a fix for it. Since the vulnerability is just a more limited way to accomplish what a malicious build scripts or procedural macros can do, we decided not to publish Rust point releases backporting the security fix. Patch files are available for Rust 1.63.0 are available in the wg-security-response repository for people building their own toolchain.\nMitigations We recommend users of alternate registries to exercise care in which package they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities. crates.io implemented server-side checks to reject these kinds of packages years ago, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to exercise care in choosing their dependencies though, as remote code execution is allowed by design there as well.(CVE-2022-36113)\r\n\r\nCargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size (also known as a \"zip bomb\"), exhausting the disk space on the machine using Cargo to download the package. Note that by design Cargo allows code execution at build time, due to build scripts and procedural macros. The vulnerabilities in this advisory allow performing a subset of the possible damage in a harder to track down way. Your dependencies must still be trusted if you want to be protected from attacks, as it's possible to perform the same attacks with build scripts and procedural macros. The vulnerability is present in all versions of Cargo. Rust 1.64, to be released on September 22nd, will include a fix for it. Since the vulnerability is just a more limited way to accomplish what a malicious build scripts or procedural macros can do, we decided not to publish Rust point releases backporting the security fix. Patch files are available for Rust 1.63.0 are available in the wg-security-response repository for people building their own toolchain. We recommend users of alternate registries to excercise care in which package they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities. crates.io implemented server-side checks to reject these kinds of packages years ago, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to excercise care in choosing their dependencies though, as the same concerns about build scripts and procedural macros apply here.(CVE-2022-36114)",
+    "cves": [
+      {
+        "id": "CVE-2022-36114",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36114",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1640": {
+    "id": "openEuler-SA-2022-1640",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1640",
+    "title": "An update for opensc is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "OpenSC provides a set of libraries and utilities to work with smart cards.Its main focus is on cards that support cryptographic operations, and facilitate their use in security applications such as authentication, mail encryption and digital signatures. OpenSC implements the standard APIs to smart cards, e.g. PKCS#11 API, Windows’ Smart Card Minidriver and macOS Tokend.\r\n\nSecurity Fix(es):\nHeap buffer overflow issues were found in Opensc before version 0.22.0 in pkcs15-oberthur.c that could potentially crash programs using the library.(CVE-2021-42781)",
+    "cves": [
+      {
+        "id": "CVE-2021-42781",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42781",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1900": {
+    "id": "openEuler-SA-2022-1900",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1900",
+    "title": "An update for pacemaker is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Pacemaker is an advanced, scalable High-Availability cluster resource manager.\r\n\r\nSecurity Fix(es):\r\n\r\nAn ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration.(CVE-2020-25654)",
+    "cves": [
+      {
+        "id": "CVE-2020-25654",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25654",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2126": {
+    "id": "openEuler-SA-2022-2126",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2126",
+    "title": "An update for libarchive is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "is an open-source BSD-licensed C programming library that  provides streaming access to a variety of different archive formats, including tar, cpio, pax, zip, and ISO9660 images. The distribution  also includes bsdtar and bsdcpio, full-featured implementations of  tar and cpio that use .\r\n\r\nSecurity Fix(es):\r\n\r\nIn libarchive 3.6.1, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: \"In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution.\"(CVE-2022-36227)",
+    "cves": [
+      {
+        "id": "CVE-2022-36227",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36227",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1740": {
+    "id": "openEuler-SA-2024-1740",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1740",
+    "title": "An update for busybox is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. It provides a fairly complete environment for any small or embedded system.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.(CVE-2023-42363)\r\n\r\nA use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.(CVE-2023-42364)\r\n\r\nA use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.(CVE-2023-42365)\r\n\r\nA heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.(CVE-2023-42366)",
+    "cves": [
+      {
+        "id": "CVE-2023-42366",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42366",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1168": {
+    "id": "openEuler-SA-2023-1168",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1168",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nHeap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1376.(CVE-2023-1170)\r\n\r\nIncorrect Calculation of Buffer Size in GitHub repository vim/vim prior to 9.0.1378.(CVE-2023-1175)",
+    "cves": [
+      {
+        "id": "CVE-2023-1175",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1175",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1482": {
+    "id": "openEuler-SA-2023-1482",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1482",
+    "title": "An update for pcre2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "PCRE2 is a re-working of the original PCRE1 library to provide an entirely new API.\r\n\r\nSecurity Fix(es):\r\n\r\nInteger overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input.(CVE-2022-41409)",
+    "cves": [
+      {
+        "id": "CVE-2022-41409",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41409",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2120": {
+    "id": "openEuler-SA-2022-2120",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2120",
+    "title": "An update for freerdp is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "FreeRDP is a client implementation of the Remote Desktop Protocol (RDP) that follows Microsoft's open specifications. This package provides the client applications xfreerdp and wlfreerdp.\r\n\r\nSecurity Fix(es):\r\n\r\nFreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing a range check for input offset index in ZGFX decoder. A malicious server can trick a FreeRDP based client to read out of bound data and try to decode it. This issue has been addressed in version 2.9.0. There are no known workarounds for this issue.(CVE-2022-39317)\r\n\r\nFreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP may attempt integer addition on too narrow types leads to allocation of a buffer too small holding the data written. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the `/usb` redirection switch.(CVE-2022-39320)",
+    "cves": [
+      {
+        "id": "CVE-2022-39320",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39320",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2031": {
+    "id": "openEuler-SA-2022-2031",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2031",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function inet6_stream_ops/inet6_dgram_ops of the component IPv6 Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. VDB-211090 is the identifier assigned to this vulnerability.(CVE-2022-3567)\r\n\r\nA vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_new_inode of the file fs/nilfs2/inode.c of the component BPF. The manipulation leads to use after free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211992.(CVE-2022-3649)\n\nA flaw was found in the Linux kernel’s networking code. A use-after-free was found in the way the sch_sfb enqueue function used the socket buffer (SKB) cb field after the same SKB had been enqueued (and freed) into a child qdisc. This flaw allows a local, unprivileged user to crash the system, causing a denial of service.(CVE-2022-3586)",
+    "cves": [
+      {
+        "id": "CVE-2022-3586",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3586",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1077": {
+    "id": "openEuler-SA-2023-1077",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1077",
+    "title": "An update for lxc is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Low",
+    "description": "Containers are insulated areas inside a system, which have their own namespace for filesystem, network, PID, IPC, CPU and memory allocation and which can be created using the Control Group and Namespace features included in the Linux kernel.\r\n\r\nSecurity Fix(es):\r\n\r\nlxc-user-nic in lxc through 5.0.1 is installed setuid root, and may allow local users to infer whether any file exists, even within a protected directory tree, because \"Failed to open\" often indicates that a file does not exist, whereas \"does not refer to a network namespace path\" often indicates that a file exists. NOTE: this is different from CVE-2018-6556 because the CVE-2018-6556 fix design was based on the premise that \"we will report back to the user that the open() failed but the user has no way of knowing why it failed\"; however, in many realistic cases, there are no plausible reasons for failing except that the file does not exist.(CVE-2022-47952)",
+    "cves": [
+      {
+        "id": "CVE-2022-47952",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47952",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1767": {
+    "id": "openEuler-SA-2023-1767",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1767",
+    "title": "An update for opensc is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "OpenSC provides a set of libraries and utilities to work with smart cards. Its main focus is on cards that support cryptographic operations, and facilitate their use in security applications such as authentication, mail encryption and digital signatures. OpenSC implements the standard APIs to smart cards, e.g. PKCS#11 API, Windows’ Smart Card Minidriver and macOS Tokend.\r\n\r\nSecurity Fix(es):\r\n\r\nVUL-0: CVE-2023-40660: opensc: PIN bypass when card tracks its own login state(CVE-2023-40660)",
+    "cves": [
+      {
+        "id": "CVE-2023-40660",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40660",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2133": {
+    "id": "openEuler-SA-2022-2133",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2133",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel through 6.0.10. l2cap_config_req in net/bluetooth/l2cap_core.c has an integer wraparound via L2CAP_CONF_REQ packets.(CVE-2022-45934)\n\nThere are null-ptr-deref vulnerabilities in drivers/net/slip of linux that allow attacker tocrash linux kernel by simulating slip network card from user-space of linux.[Root cause]When a slip driver is detaching, the slip_close() will act tocleanup necessary resources and sl->tty is set to NULL inslip_close(). Meanwhile, the packet we transmit is blocked,sl_tx_timeout() will be called. Although slip_close() andsl_tx_timeout() use sl->lock to synchronize, we don`t judgewhether sl-> tty equals to NULL in sl_tx_timeout() and thenull pointer dereference bug will happen.(Thread 1) | (Thread 2)| slip_close()| spin_lock_bh(& sl-> lock) sl-> tty = NULL //(1)sl_tx_timeout() | spin_unlock_bh(& sl->lock)spin_lock(& sl-> lock);tty_chars_in_buffer(sl-> tty)|if (tty-> ops-> ..) //(2)synchronize_rcu()We set NULL to sl-> tty in position (1) and dereference sl-> ttyin position (2).(CVE-2022-41858)\n\nA use-after-free flaw was found in Linux kernel before 5.19.2. This issue occurs in cmd_hdl_filter in drivers/staging/rtl8712/rtl8712_cmd.c, allowing an attacker to launch a local denial of service attack and gain escalation of privileges.(CVE-2022-4095)",
+    "cves": [
+      {
+        "id": "CVE-2022-4095",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4095",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1473": {
+    "id": "openEuler-SA-2023-1473",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1473",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the QEMU Guest Agent service for Windows. A local unprivileged user may be able to manipulate the QEMU Guest Agent's Windows installer via repair custom actions to elevate their privileges on the system.(CVE-2023-0664)\r\n\r\nA flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. The 9pfs server did not prohibit opening special files on the host side, potentially allowing a malicious client to escape from the exported 9p tree by creating and opening a device file in the shared folder.(CVE-2023-2861)",
+    "cves": [
+      {
+        "id": "CVE-2023-2861",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2861",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1201": {
+    "id": "openEuler-SA-2021-1201",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1201",
+    "title": "An update for hadoop is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Apache Hadoop is a framework that allows for the distributed processing of large data sets across clusters of computers using simple programming models. It is designed to scale up from single servers to thousands of machines, each offering local computation and storage.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.(CVE-2020-9492)",
+    "cves": [
+      {
+        "id": "CVE-2020-9492",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9492",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1524": {
+    "id": "openEuler-SA-2024-1524",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1524",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\ncreate_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.(CVE-2024-25739)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/bridge: sii902x: Fix probing race issue\r\n\r\nA null pointer dereference crash has been observed rarely on TI\nplatforms using sii9022 bridge:\r\n\r\n[   53.271356]  sii902x_get_edid+0x34/0x70 [sii902x]\n[   53.276066]  sii902x_bridge_get_edid+0x14/0x20 [sii902x]\n[   53.281381]  drm_bridge_get_edid+0x20/0x34 [drm]\n[   53.286305]  drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper]\n[   53.292955]  drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper]\n[   53.300510]  drm_client_modeset_probe+0x1f0/0xbd4 [drm]\n[   53.305958]  __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper]\n[   53.313611]  drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper]\n[   53.320039]  drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper]\n[   53.326401]  drm_client_register+0x5c/0xa0 [drm]\n[   53.331216]  drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper]\n[   53.336881]  tidss_probe+0x128/0x264 [tidss]\n[   53.341174]  platform_probe+0x68/0xc4\n[   53.344841]  really_probe+0x188/0x3c4\n[   53.348501]  __driver_probe_device+0x7c/0x16c\n[   53.352854]  driver_probe_device+0x3c/0x10c\n[   53.357033]  __device_attach_driver+0xbc/0x158\n[   53.361472]  bus_for_each_drv+0x88/0xe8\n[   53.365303]  __device_attach+0xa0/0x1b4\n[   53.369135]  device_initial_probe+0x14/0x20\n[   53.373314]  bus_probe_device+0xb0/0xb4\n[   53.377145]  deferred_probe_work_func+0xcc/0x124\n[   53.381757]  process_one_work+0x1f0/0x518\n[   53.385770]  worker_thread+0x1e8/0x3dc\n[   53.389519]  kthread+0x11c/0x120\n[   53.392750]  ret_from_fork+0x10/0x20\r\n\r\nThe issue here is as follows:\r\n\r\n- tidss probes, but is deferred as sii902x is still missing.\n- sii902x starts probing and enters sii902x_init().\n- sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from\n  DRM's perspective.\n- sii902x calls sii902x_audio_codec_init() and\n  platform_device_register_data()\n- The registration of the audio platform device causes probing of the\n  deferred devices.\n- tidss probes, which eventually causes sii902x_bridge_get_edid() to be\n  called.\n- sii902x_bridge_get_edid() tries to use the i2c to read the edid.\n  However, the sii902x driver has not set up the i2c part yet, leading\n  to the crash.\r\n\r\nFix this by moving the drm_bridge_add() to the end of the\nsii902x_init(), which is also at the very end of sii902x_probe().(CVE-2024-26607)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: make sure init the accept_queue's spinlocks once\r\n\r\nWhen I run syz's reproduction C program locally, it causes the following\nissue:\npvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0!\nWARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508)\nHardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\nRIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508)\nCode: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7\n30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90\nRSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908\nRDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900\nRBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff\nR10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000\nR13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000\nFS:  00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0\nCall Trace:\n<IRQ>\n  _raw_spin_unlock (kernel/locking/spinlock.c:186)\n  inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321)\n  inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358)\n  tcp_check_req (net/ipv4/tcp_minisocks.c:868)\n  tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260)\n  ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205)\n  ip_local_deliver_finish (net/ipv4/ip_input.c:234)\n  __netif_receive_skb_one_core (net/core/dev.c:5529)\n  process_backlog (./include/linux/rcupdate.h:779)\n  __napi_poll (net/core/dev.c:6533)\n  net_rx_action (net/core/dev.c:6604)\n  __do_softirq (./arch/x86/include/asm/jump_label.h:27)\n  do_softirq (kernel/softirq.c:454 kernel/softirq.c:441)\n</IRQ>\n<TASK>\n  __local_bh_enable_ip (kernel/softirq.c:381)\n  __dev_queue_xmit (net/core/dev.c:4374)\n  ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235)\n  __ip_queue_xmit (net/ipv4/ip_output.c:535)\n  __tcp_transmit_skb (net/ipv4/tcp_output.c:1462)\n  tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469)\n  tcp_rcv_state_process (net/ipv4/tcp_input.c:6657)\n  tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929)\n  __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968)\n  release_sock (net/core/sock.c:3536)\n  inet_wait_for_connect (net/ipv4/af_inet.c:609)\n  __inet_stream_connect (net/ipv4/af_inet.c:702)\n  inet_stream_connect (net/ipv4/af_inet.c:748)\n  __sys_connect (./include/linux/file.h:45 net/socket.c:2064)\n  __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070)\n  do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82)\n  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)\n  RIP: 0033:0x7fa10ff05a3d\n  Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89\n  c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48\n  RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a\n  RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d\n  RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003\n  RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640\n  R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20\n</TASK>\r\n\r\nThe issue triggering process is analyzed as follows:\nThread A                                       Thread B\ntcp_v4_rcv\t//receive ack TCP packet       inet_shutdown\n  tcp_check_req                                  tcp_disconnect //disconnect sock\n  ...                                              tcp_set_state(sk, TCP_CLOSE)\n    inet_csk_complete_hashdance                ...\n      inet_csk_reqsk_queue_add         \n---truncated---(CVE-2024-26614)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: don't abort filesystem when attempting to snapshot deleted subvolume\r\n\r\nIf the source file descriptor to the snapshot ioctl refers to a deleted\nsubvolume, we get the following abort:\r\n\r\n  BTRFS: Transaction aborted (error -2)\n  WARNING: CPU: 0 PID: 833 at fs/btrfs/transaction.c:1875 create_pending_snapshot+0x1040/0x1190 [btrfs]\n  Modules linked in: pata_acpi btrfs ata_piix libata scsi_mod virtio_net blake2b_generic xor net_failover virtio_rng failover scsi_common rng_core raid6_pq libcrc32c\n  CPU: 0 PID: 833 Comm: t_snapshot_dele Not tainted 6.7.0-rc6 #2\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014\n  RIP: 0010:create_pending_snapshot+0x1040/0x1190 [btrfs]\n  RSP: 0018:ffffa09c01337af8 EFLAGS: 00010282\n  RAX: 0000000000000000 RBX: ffff9982053e7c78 RCX: 0000000000000027\n  RDX: ffff99827dc20848 RSI: 0000000000000001 RDI: ffff99827dc20840\n  RBP: ffffa09c01337c00 R08: 0000000000000000 R09: ffffa09c01337998\n  R10: 0000000000000003 R11: ffffffffb96da248 R12: fffffffffffffffe\n  R13: ffff99820535bb28 R14: ffff99820b7bd000 R15: ffff99820381ea80\n  FS:  00007fe20aadabc0(0000) GS:ffff99827dc00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000559a120b502f CR3: 00000000055b6000 CR4: 00000000000006f0\n  Call Trace:\n   <TASK>\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   ? __warn+0x81/0x130\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   ? report_bug+0x171/0x1a0\n   ? handle_bug+0x3a/0x70\n   ? exc_invalid_op+0x17/0x70\n   ? asm_exc_invalid_op+0x1a/0x20\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   create_pending_snapshots+0x92/0xc0 [btrfs]\n   btrfs_commit_transaction+0x66b/0xf40 [btrfs]\n   btrfs_mksubvol+0x301/0x4d0 [btrfs]\n   btrfs_mksnapshot+0x80/0xb0 [btrfs]\n   __btrfs_ioctl_snap_create+0x1c2/0x1d0 [btrfs]\n   btrfs_ioctl_snap_create_v2+0xc4/0x150 [btrfs]\n   btrfs_ioctl+0x8a6/0x2650 [btrfs]\n   ? kmem_cache_free+0x22/0x340\n   ? do_sys_openat2+0x97/0xe0\n   __x64_sys_ioctl+0x97/0xd0\n   do_syscall_64+0x46/0xf0\n   entry_SYSCALL_64_after_hwframe+0x6e/0x76\n  RIP: 0033:0x7fe20abe83af\n  RSP: 002b:00007ffe6eff1360 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe20abe83af\n  RDX: 00007ffe6eff23c0 RSI: 0000000050009417 RDI: 0000000000000003\n  RBP: 0000000000000003 R08: 0000000000000000 R09: 00007fe20ad16cd0\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 00007ffe6eff13c0 R14: 00007fe20ad45000 R15: 0000559a120b6d58\n   </TASK>\n  ---[ end trace 0000000000000000 ]---\n  BTRFS: error (device vdc: state A) in create_pending_snapshot:1875: errno=-2 No such entry\n  BTRFS info (device vdc: state EA): forced readonly\n  BTRFS warning (device vdc: state EA): Skipping commit of aborted transaction.\n  BTRFS: error (device vdc: state EA) in cleanup_transaction:2055: errno=-2 No such entry\r\n\r\nThis happens because create_pending_snapshot() initializes the new root\nitem as a copy of the source root item. This includes the refs field,\nwhich is 0 for a deleted subvolume. The call to btrfs_insert_root()\ntherefore inserts a root with refs == 0. btrfs_get_new_fs_root() then\nfinds the root and returns -ENOENT if refs == 0, which causes\ncreate_pending_snapshot() to abort.\r\n\r\nFix it by checking the source root's refs before attempting the\nsnapshot, but after locking subvol_sem to avoid racing with deletion.(CVE-2024-26644)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhv_netvsc: Fix race condition between netvsc_probe and netvsc_remove\r\n\r\nIn commit ac5047671758 (\"hv_netvsc: Disable NAPI before closing the\nVMBus channel\"), napi_disable was getting called for all channels,\nincluding all subchannels without confirming if they are enabled or not.\r\n\r\nThis caused hv_netvsc getting hung at napi_disable, when netvsc_probe()\nhas finished running but nvdev->subchan_work has not started yet.\nnetvsc_subchan_work() -> rndis_set_subchannel() has not created the\nsub-channels and because of that netvsc_sc_open() is not running.\nnetvsc_remove() calls cancel_work_sync(&nvdev->subchan_work), for which\nnetvsc_subchan_work did not run.\r\n\r\nnetif_napi_add() sets the bit NAPI_STATE_SCHED because it ensures NAPI\ncannot be scheduled. Then netvsc_sc_open() -> napi_enable will clear the\nNAPIF_STATE_SCHED bit, so it can be scheduled. napi_disable() does the\nopposite.\r\n\r\nNow during netvsc_device_remove(), when napi_disable is called for those\nsubchannels, napi_disable gets stuck on infinite msleep.\r\n\r\nThis fix addresses this problem by ensuring that napi_disable() is not\ngetting called for non-enabled NAPI struct.\nBut netif_napi_del() is still necessary for these non-enabled NAPI struct\nfor cleanup purpose.\r\n\r\nCall trace:\n[  654.559417] task:modprobe        state:D stack:    0 pid: 2321 ppid:  1091 flags:0x00004002\n[  654.568030] Call Trace:\n[  654.571221]  <TASK>\n[  654.573790]  __schedule+0x2d6/0x960\n[  654.577733]  schedule+0x69/0xf0\n[  654.581214]  schedule_timeout+0x87/0x140\n[  654.585463]  ? __bpf_trace_tick_stop+0x20/0x20\n[  654.590291]  msleep+0x2d/0x40\n[  654.593625]  napi_disable+0x2b/0x80\n[  654.597437]  netvsc_device_remove+0x8a/0x1f0 [hv_netvsc]\n[  654.603935]  rndis_filter_device_remove+0x194/0x1c0 [hv_netvsc]\n[  654.611101]  ? do_wait_intr+0xb0/0xb0\n[  654.615753]  netvsc_remove+0x7c/0x120 [hv_netvsc]\n[  654.621675]  vmbus_remove+0x27/0x40 [hv_vmbus](CVE-2024-26698)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nafs: Increase buffer size in afs_update_volume_status()\r\n\r\nThe max length of volume->vid value is 20 characters.\nSo increase idbuf[] size up to 24 to avoid overflow.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\r\n\r\n[DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()](CVE-2024-26736)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nARM: ep93xx: Add terminator to gpiod_lookup_table\r\n\r\nWithout the terminator, if a con_id is passed to gpio_find() that\ndoes not exist in the lookup table the function will not stop looping\ncorrectly, and eventually cause an oops.(CVE-2024-26751)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio\r\n\r\nIf kiocb_set_cancel_fn() is called for I/O submitted via io_uring, the\nfollowing kernel warning appears:\r\n\r\nWARNING: CPU: 3 PID: 368 at fs/aio.c:598 kiocb_set_cancel_fn+0x9c/0xa8\nCall trace:\n kiocb_set_cancel_fn+0x9c/0xa8\n ffs_epfile_read_iter+0x144/0x1d0\n io_read+0x19c/0x498\n io_issue_sqe+0x118/0x27c\n io_submit_sqes+0x25c/0x5fc\n __arm64_sys_io_uring_enter+0x104/0xab0\n invoke_syscall+0x58/0x11c\n el0_svc_common+0xb4/0xf4\n do_el0_svc+0x2c/0xb0\n el0_svc+0x2c/0xa4\n el0t_64_sync_handler+0x68/0xb4\n el0t_64_sync+0x1a4/0x1a8\r\n\r\nFix this by setting the IOCB_AIO_RW flag for read and write I/O that is\nsubmitted by libaio.(CVE-2024-26764)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\next4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()\r\n\r\nPlaces the logic for checking if the group's block bitmap is corrupt under\nthe protection of the group lock to avoid allocating blocks from the group\nwith a corrupted block bitmap.(CVE-2024-26772)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\next4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()\r\n\r\nDetermine if the group block bitmap is corrupted before using ac_b_ex in\next4_mb_try_best_found() to avoid allocating blocks from a group with a\ncorrupted block bitmap in the following concurrency and making the\nsituation worse.\r\n\r\next4_mb_regular_allocator\n  ext4_lock_group(sb, group)\n  ext4_mb_good_group\n   // check if the group bbitmap is corrupted\n  ext4_mb_complex_scan_group\n   // Scan group gets ac_b_ex but doesn't use it\n  ext4_unlock_group(sb, group)\n                           ext4_mark_group_bitmap_corrupted(group)\n                           // The block bitmap was corrupted during\n                           // the group unlock gap.\n  ext4_mb_try_best_found\n    ext4_lock_group(ac->ac_sb, group)\n    ext4_mb_use_best_found\n      mb_mark_used\n      // Allocating blocks in block bitmap corrupted group(CVE-2024-26773)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfbdev: sis: Error out if pixclock equals zero\r\n\r\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn't check the value of pixclock,\nit may cause divide-by-zero error.\r\n\r\nIn sisfb_check_var(), var->pixclock is used as a divisor to caculate\ndrate before it is checked against zero. Fix this by checking it\nat the beginning.\r\n\r\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8.(CVE-2024-26777)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfbdev: savage: Error out if pixclock equals zero\r\n\r\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn't check the value of pixclock,\nit may cause divide-by-zero error.\r\n\r\nAlthough pixclock is checked in savagefb_decode_var(), but it is not\nchecked properly in savagefb_probe(). Fix this by checking whether\npixclock is zero in the function savagefb_check_var() before\ninfo->var.pixclock is used as the divisor.\r\n\r\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8.(CVE-2024-26778)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: fsl-qdma: init irq after reg initialization\r\n\r\nInitialize the qDMA irqs after the registers are configured so that\ninterrupts that may have been pending from a primary kernel don't get\nprocessed by the irq handler before it is ready to and cause panic with\nthe following trace:\r\n\r\n  Call trace:\n   fsl_qdma_queue_handler+0xf8/0x3e8\n   __handle_irq_event_percpu+0x78/0x2b0\n   handle_irq_event_percpu+0x1c/0x68\n   handle_irq_event+0x44/0x78\n   handle_fasteoi_irq+0xc8/0x178\n   generic_handle_irq+0x24/0x38\n   __handle_domain_irq+0x90/0x100\n   gic_handle_irq+0x5c/0xb8\n   el1_irq+0xb8/0x180\n   _raw_spin_unlock_irqrestore+0x14/0x40\n   __setup_irq+0x4bc/0x798\n   request_threaded_irq+0xd8/0x190\n   devm_request_threaded_irq+0x74/0xe8\n   fsl_qdma_probe+0x4d4/0xca8\n   platform_drv_probe+0x50/0xa0\n   really_probe+0xe0/0x3f8\n   driver_probe_device+0x64/0x130\n   device_driver_attach+0x6c/0x78\n   __driver_attach+0xbc/0x158\n   bus_for_each_dev+0x5c/0x98\n   driver_attach+0x20/0x28\n   bus_add_driver+0x158/0x220\n   driver_register+0x60/0x110\n   __platform_driver_register+0x44/0x50\n   fsl_qdma_driver_init+0x18/0x20\n   do_one_initcall+0x48/0x258\n   kernel_init_freeable+0x1a4/0x23c\n   kernel_init+0x10/0xf8\n   ret_from_fork+0x10/0x18(CVE-2024-26788)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/pci: Lock external INTx masking ops\r\n\r\nMask operations through config space changes to DisINTx may race INTx\nconfiguration changes via ioctl.  Create wrappers that add locking for\npaths outside of the core interrupt code.\r\n\r\nIn particular, irq_type is updated holding igate, therefore testing\nis_intx() requires holding igate.  For example clearing DisINTx from\nconfig space can otherwise race changes of the interrupt configuration.\r\n\r\nThis aligns interfaces which may trigger the INTx eventfd into two\ncamps, one side serialized by igate and the other only enabled while\nINTx is configured.  A subsequent patch introduces synchronization for\nthe latter flows.(CVE-2024-26810)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Fix stackmap overflow check on 32-bit arches\r\n\r\nThe stackmap code relies on roundup_pow_of_two() to compute the number\nof hash buckets, and contains an overflow check by checking if the\nresulting value is 0. However, on 32-bit arches, the roundup code itself\ncan overflow by doing a 32-bit left-shift of an unsigned long value,\nwhich is undefined behaviour, so it is not guaranteed to truncate\nneatly. This was triggered by syzbot on the DEVMAP_HASH type, which\ncontains the same check, copied from the hashtab code.\r\n\r\nThe commit in the fixes tag actually attempted to fix this, but the fix\ndid not account for the UB, so the fix only works on CPUs where an\noverflow does result in a neat truncation to zero, which is not\nguaranteed. Checking the value before rounding does not have this\nproblem.(CVE-2024-26883)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Fix hashtab overflow check on 32-bit arches\r\n\r\nThe hashtab code relies on roundup_pow_of_two() to compute the number of\nhash buckets, and contains an overflow check by checking if the\nresulting value is 0. However, on 32-bit arches, the roundup code itself\ncan overflow by doing a 32-bit left-shift of an unsigned long value,\nwhich is undefined behaviour, so it is not guaranteed to truncate\nneatly. This was triggered by syzbot on the DEVMAP_HASH type, which\ncontains the same check, copied from the hashtab code. So apply the same\nfix to hashtab, by moving the overflow check to before the roundup.(CVE-2024-26884)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Fix DEVMAP_HASH overflow check on 32-bit arches\r\n\r\nThe devmap code allocates a number hash buckets equal to the next power\nof two of the max_entries value provided when creating the map. When\nrounding up to the next power of two, the 32-bit variable storing the\nnumber of buckets can overflow, and the code checks for overflow by\nchecking if the truncated 32-bit value is equal to 0. However, on 32-bit\narches the rounding up itself can overflow mid-way through, because it\nends up doing a left-shift of 32 bits on an unsigned long value. If the\nsize of an unsigned long is four bytes, this is undefined behaviour, so\nthere is no guarantee that we'll end up with a nice and tidy 0-value at\nthe end.\r\n\r\nSyzbot managed to turn this into a crash on arm32 by creating a\nDEVMAP_HASH with max_entries > 0x80000000 and then trying to update it.\nFix this by moving the overflow check to before the rounding up\noperation.(CVE-2024-26885)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/pci: Disable auto-enable of exclusive INTx IRQ\r\n\r\nCurrently for devices requiring masking at the irqchip for INTx, ie.\ndevices without DisINTx support, the IRQ is enabled in request_irq()\nand subsequently disabled as necessary to align with the masked status\nflag.  This presents a window where the interrupt could fire between\nthese events, resulting in the IRQ incrementing the disable depth twice.\nThis would be unrecoverable for a user since the masked flag prevents\nnested enables through vfio.\r\n\r\nInstead, invert the logic using IRQF_NO_AUTOEN such that exclusive INTx\nis never auto-enabled, then unmask as required.(CVE-2024-27437)",
+    "cves": [
+      {
+        "id": "CVE-2024-27437",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27437",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1117": {
+    "id": "openEuler-SA-2021-1117",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1117",
+    "title": "An update for tomcat is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project\r\n\r\nSecurity Fix(es):\r\n\r\nThe fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.(CVE-2021-25329)\r\n\r\nWhen responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.(CVE-2021-25122)",
+    "cves": [
+      {
+        "id": "CVE-2021-25122",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25122",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1599": {
+    "id": "openEuler-SA-2022-1599",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1599",
+    "title": "An update for grafana is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB and OpenTSDB.\n\nSecurity Fix(es):\n\nGrafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting (XSS) attack. The attacker could either compromise an existing datasource for a specific Grafana instance or either set up its own public service and instruct anyone to set it up in their Grafana instance. To be impacted, all of the following must be applicable. For the data source proxy: A Grafana HTTP-based datasource configured with Server as Access Mode and a URL set, the attacker has to be in control of the HTTP server serving the URL of above datasource, and a specially crafted link pointing at the attacker controlled data source must be clicked on by an authenticated user. For the plugin proxy: A Grafana HTTP-based app plugin configured and enabled with a URL set, the attacker has to be in control of the HTTP server serving the URL of above app, and a specially crafted link pointing at the attacker controlled plugin must be clocked on by an authenticated user. For the backend plugin resource: An attacker must be able to navigate an authenticated user to a compromised plugin through a crafted link. Users are advised to update to a patched version. There are no known workarounds for this vulnerability.(CVE-2022-21702)",
+    "cves": [
+      {
+        "id": "CVE-2022-21702",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21702",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1049": {
+    "id": "openEuler-SA-2024-1049",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1049",
+    "title": "An update for libsass is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Libsass is a Sass CSS precompiler which is ported for C/C++. This version is more efficient and portable than the original Ruby version. Keeping light and sample is its degisn philosophy which makes it more easier to be built and integrated with a immense amount of platforms and languages. Installation of saccs is needed if you want to run is directly as libsass is just a library.\r\n\r\nSecurity Fix(es):\r\n\r\nStack Overflow vulnerability in libsass 3.6.5 via the CompoundSelector::has_real_parent_ref function.(CVE-2022-26592)\r\n\r\nStack overflow vulnerability in ast_selectors.cpp in function Sass::CompoundSelector::has_real_parent_ref in libsass:3.6.5-8-g210218, which can be exploited by attackers to causea denial of service (DoS). Also affects the command line driver for libsass, sassc 3.6.2.(CVE-2022-43357)\r\n\r\nStack overflow vulnerability in ast_selectors.cpp: in function Sass::ComplexSelector::has_placeholder in libsass:3.6.5-8-g210218, which can be exploited by attackers to cause a denial of service (DoS).(CVE-2022-43358)",
+    "cves": [
+      {
+        "id": "CVE-2022-43358",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43358",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1113": {
+    "id": "openEuler-SA-2021-1113",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1113",
+    "title": "An update for mysql is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld) and many different client programs and libraries. The base package contains the standard MySQL client programs and generic MySQL files.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2024)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2036)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.22 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2056)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2021)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.8 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H).(CVE-2021-2046)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services). Supported versions that are affected are 8.0.22 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2038)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.22 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2061)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2070)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2002)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2081)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2072)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2031)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2122)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.22 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2021-2048)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2088)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Locking). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2058)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2076)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2065)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2087)\r\n\r\nVulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.50 and prior, 5.7.32 and prior and 8.0.22 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Client accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Client. CVSS 3.1 Base Score 4.2 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L).(CVE-2021-2010)\r\n\r\nVulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.7.32 and prior and 8.0.22 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2011)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.50 and prior, 5.7.32 and prior and 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2060)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.6.50 and prior, 5.7.32 and prior and 8.0.22 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2022)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Information Schema). Supported versions that are affected are 5.7.32 and prior and 8.0.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).(CVE-2021-2032)",
+    "cves": [
+      {
+        "id": "CVE-2021-2032",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-2032",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1330": {
+    "id": "openEuler-SA-2023-1330",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1330",
+    "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap-based buffer overflow vulnerability was found in the ImageMagick package that can lead to the application crashing.(CVE-2023-2157)",
+    "cves": [
+      {
+        "id": "CVE-2023-2157",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2157",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1862": {
+    "id": "openEuler-SA-2022-1862",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1862",
+    "title": "An update for tcpdump is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Tcpdump is a command-line tool for monitoring network traffic. Tcpdump can capture and display the packet headers on a particular network interface or on all interfaces.  Tcpdump can display all of the packet headers, or just the ones that match particular criteria.\r\n\r\nSecurity Fix(es):\r\n\r\nThe command-line argument parser in tcpdump before 4.99.0 has a buffer overflow in tcpdump.c:read_infile(). To trigger this vulnerability the attacker needs to create a 4GB file on the local filesystem and to specify the file name as the value of the -F command-line argument of tcpdump.(CVE-2018-16301)",
+    "cves": [
+      {
+        "id": "CVE-2018-16301",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16301",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1880": {
+    "id": "openEuler-SA-2024-1880",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1880",
+    "title": "An update for mongo-c-driver is now available for openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "mongo-c-driver is a project that includes two libraries: libmongoc, a client library written in C for MongoDB. libbson, a library providing useful routines related to building, parsing, and iterating BSON documents.\r\n\r\nSecurity Fix(es):\r\n\r\nThe bson_string_append function in MongoDB C Driver may be vulnerable to a buffer overflow where the function might attempt to allocate too small of buffer and may lead to memory corruption of neighbouring heap memory. This issue affects libbson versions prior to 1.27.1(CVE-2024-6383)",
+    "cves": [
+      {
+        "id": "CVE-2024-6383",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6383",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1191": {
+    "id": "openEuler-SA-2024-1191",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1191",
+    "title": "An update for mod_auth_openidc is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party(RP) to an OpenID Connect Provider(OP).\r\n\r\nSecurity Fix(es):\r\n\r\nmod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In affected versions missing input validation on mod_auth_openidc_session_chunks cookie value makes the server vulnerable to a denial of service (DoS) attack. An internal security audit has been conducted and the reviewers found that if they manipulated the value of the mod_auth_openidc_session_chunks cookie to a very large integer, like 99999999, the server struggles with the request for a long time and finally gets back with a 500 error. Making a few requests of this kind caused our server to become unresponsive. Attackers can craft requests that would make the server work very hard (and possibly become unresponsive) and/or crash with minimal effort. This issue has been addressed in version 2.4.15.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2024-24814)",
+    "cves": [
+      {
+        "id": "CVE-2024-24814",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24814",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1662": {
+    "id": "openEuler-SA-2022-1662",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1662",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\n\nSecurity Fix(es):\n\nA flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc() function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.(CVE-2021-4206)\n\nA flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values cursor->header.width and cursor->header.height can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.(CVE-2021-4207)\n\nA NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2021-20196)\n\nA flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and other unexpected results. Affected QEMU version: 6.2.0.(CVE-2022-26353)\n\nA flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0.(CVE-2022-26354)",
+    "cves": [
+      {
+        "id": "CVE-2022-26354",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26354",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1356": {
+    "id": "openEuler-SA-2024-1356",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1356",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: x86/mmu: Don't advance iterator after restart due to yielding\r\n\r\nAfter dropping mmu_lock in the TDP MMU, restart the iterator during\ntdp_iter_next() and do not advance the iterator.  Advancing the iterator\nresults in skipping the top-level SPTE and all its children, which is\nfatal if any of the skipped SPTEs were not visited before yielding.\r\n\r\nWhen zapping all SPTEs, i.e. when min_level == root_level, restarting the\niter and then invoking tdp_iter_next() is always fatal if the current gfn\nhas as a valid SPTE, as advancing the iterator results in try_step_side()\nskipping the current gfn, which wasn't visited before yielding.\r\n\r\nSprinkle WARNs on iter->yielded being true in various helpers that are\noften used in conjunction with yielding, and tag the helper with\n__must_check to reduce the probabily of improper usage.\r\n\r\nFailing to zap a top-level SPTE manifests in one of two ways.  If a valid\nSPTE is skipped by both kvm_tdp_mmu_zap_all() and kvm_tdp_mmu_put_root(),\nthe shadow page will be leaked and KVM will WARN accordingly.\r\n\r\n  WARNING: CPU: 1 PID: 3509 at arch/x86/kvm/mmu/tdp_mmu.c:46 [kvm]\n  RIP: 0010:kvm_mmu_uninit_tdp_mmu+0x3e/0x50 [kvm]\n  Call Trace:\n   <TASK>\n   kvm_arch_destroy_vm+0x130/0x1b0 [kvm]\n   kvm_destroy_vm+0x162/0x2a0 [kvm]\n   kvm_vcpu_release+0x34/0x60 [kvm]\n   __fput+0x82/0x240\n   task_work_run+0x5c/0x90\n   do_exit+0x364/0xa10\n   ? futex_unqueue+0x38/0x60\n   do_group_exit+0x33/0xa0\n   get_signal+0x155/0x850\n   arch_do_signal_or_restart+0xed/0x750\n   exit_to_user_mode_prepare+0xc5/0x120\n   syscall_exit_to_user_mode+0x1d/0x40\n   do_syscall_64+0x48/0xc0\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\r\n\r\nIf kvm_tdp_mmu_zap_all() skips a gfn/SPTE but that SPTE is then zapped by\nkvm_tdp_mmu_put_root(), KVM triggers a use-after-free in the form of\nmarking a struct page as dirty/accessed after it has been put back on the\nfree list.  This directly triggers a WARN due to encountering a page with\npage_count() == 0, but it can also lead to data corruption and additional\nerrors in the kernel.\r\n\r\n  WARNING: CPU: 7 PID: 1995658 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:171\n  RIP: 0010:kvm_is_zone_device_pfn.part.0+0x9e/0xd0 [kvm]\n  Call Trace:\n   <TASK>\n   kvm_set_pfn_dirty+0x120/0x1d0 [kvm]\n   __handle_changed_spte+0x92e/0xca0 [kvm]\n   __handle_changed_spte+0x63c/0xca0 [kvm]\n   __handle_changed_spte+0x63c/0xca0 [kvm]\n   __handle_changed_spte+0x63c/0xca0 [kvm]\n   zap_gfn_range+0x549/0x620 [kvm]\n   kvm_tdp_mmu_put_root+0x1b6/0x270 [kvm]\n   mmu_free_root_page+0x219/0x2c0 [kvm]\n   kvm_mmu_free_roots+0x1b4/0x4e0 [kvm]\n   kvm_mmu_unload+0x1c/0xa0 [kvm]\n   kvm_arch_destroy_vm+0x1f2/0x5c0 [kvm]\n   kvm_put_kvm+0x3b1/0x8b0 [kvm]\n   kvm_vcpu_release+0x4e/0x70 [kvm]\n   __fput+0x1f7/0x8c0\n   task_work_run+0xf8/0x1a0\n   do_exit+0x97b/0x2230\n   do_group_exit+0xda/0x2a0\n   get_signal+0x3be/0x1e50\n   arch_do_signal_or_restart+0x244/0x17f0\n   exit_to_user_mode_prepare+0xcb/0x120\n   syscall_exit_to_user_mode+0x1d/0x40\n   do_syscall_64+0x4d/0x90\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\r\n\r\nNote, the underlying bug existed even before commit 1af4a96025b3 (\"KVM:\nx86/mmu: Yield in TDU MMU iter even if no SPTES changed\") moved calls to\ntdp_mmu_iter_cond_resched() to the beginning of loops, as KVM could still\nincorrectly advance past a top-level entry when yielding on a lower-level\nentry.  But with respect to leaking shadow pages, the bug was introduced\nby yielding before processing the current gfn.\r\n\r\nAlternatively, tdp_mmu_iter_cond_resched() could simply fall through, or\ncallers could jump to their \"retry\" label.  The downside of that approach\nis that tdp_mmu_iter_cond_resched() _must_ be called before anything else\nin the loop, and there's no easy way to enfornce that requirement.\r\n\r\nIdeally, KVM would handling the cond_resched() fully within the iterator\nmacro (the code is actually quite clean) and avoid this entire class of\nbugs, but that is extremely difficult do wh\n---truncated---(CVE-2021-47094)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn()\r\n\r\nSili Luo reported a race in nfc_llcp_sock_get(), leading to UAF.\r\n\r\nGetting a reference on the socket found in a lookup while\nholding a lock should happen before releasing the lock.\r\n\r\nnfc_llcp_sock_get_sn() has a similar problem.\r\n\r\nFinally nfc_llcp_recv_snl() needs to make sure the socket\nfound by nfc_llcp_sock_from_sn() does not disappear.(CVE-2023-52502)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix array-index-out-of-bounds in diNewExt\r\n\r\n[Syz report]\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_imap.c:2360:2\nindex -878706688 is out of range for type 'struct iagctl[128]'\nCPU: 1 PID: 5065 Comm: syz-executor282 Not tainted 6.7.0-rc4-syzkaller-00009-gbee0e7762ad2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348\n diNewExt+0x3cf3/0x4000 fs/jfs/jfs_imap.c:2360\n diAllocExt fs/jfs/jfs_imap.c:1949 [inline]\n diAllocAG+0xbe8/0x1e50 fs/jfs/jfs_imap.c:1666\n diAlloc+0x1d3/0x1760 fs/jfs/jfs_imap.c:1587\n ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56\n jfs_mkdir+0x1c5/0xb90 fs/jfs/namei.c:225\n vfs_mkdir+0x2f1/0x4b0 fs/namei.c:4106\n do_mkdirat+0x264/0x3a0 fs/namei.c:4129\n __do_sys_mkdir fs/namei.c:4149 [inline]\n __se_sys_mkdir fs/namei.c:4147 [inline]\n __x64_sys_mkdir+0x6e/0x80 fs/namei.c:4147\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x45/0x110 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7fcb7e6a0b57\nCode: ff ff 77 07 31 c0 c3 0f 1f 40 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffd83023038 EFLAGS: 00000286 ORIG_RAX: 0000000000000053\nRAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007fcb7e6a0b57\nRDX: 00000000000a1020 RSI: 00000000000001ff RDI: 0000000020000140\nRBP: 0000000020000140 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000286 R12: 00007ffd830230d0\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\r\n\r\n[Analysis]\nWhen the agstart is too large, it can cause agno overflow.\r\n\r\n[Fix]\nAfter obtaining agno, if the value is invalid, exit the subsequent process.\r\n\r\n\nModified the test from agno > MAXAG to agno >= MAXAG based on linux-next\nreport by kernel test robot (Dan Carpenter).(CVE-2023-52599)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix uaf in jfs_evict_inode\r\n\r\nWhen the execution of diMount(ipimap) fails, the object ipimap that has been\nreleased may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs\nwhen rcu_core() calls jfs_free_node().\r\n\r\nTherefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as\nipimap.(CVE-2023-52600)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix array-index-out-of-bounds in dbAdjTree\r\n\r\nCurrently there is a bound check missing in the dbAdjTree while\naccessing the dmt_stree. To add the required check added the bool is_ctl\nwhich is required to determine the size as suggest in the following\ncommit.\nhttps://lore.kernel.org/linux-kernel-mentees/f9475918-2186-49b8-b801-6f0f9e75f4fa@oracle.com/(CVE-2023-52601)\r\n\r\nInteger Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.(CVE-2024-23307)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntomoyo: fix UAF write bug in tomoyo_write_control()\r\n\r\nSince tomoyo_write_control() updates head->write_buf when write()\nof long lines is requested, we need to fetch head->write_buf after\nhead->io_sem is held.  Otherwise, concurrent write() requests can\ncause use-after-free-write and double-free problems.(CVE-2024-26622)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nllc: call sock_orphan() at release time\r\n\r\nsyzbot reported an interesting trace [1] caused by a stale sk->sk_wq\npointer in a closed llc socket.\r\n\r\nIn commit ff7b11aa481f (\"net: socket: set sock->sk to NULL after\ncalling proto_ops::release()\") Eric Biggers hinted that some protocols\nare missing a sock_orphan(), we need to perform a full audit.\r\n\r\nIn net-next, I plan to clear sock->sk from sock_orphan() and\namend Eric patch to add a warning.\r\n\r\n[1]\n BUG: KASAN: slab-use-after-free in list_empty include/linux/list.h:373 [inline]\n BUG: KASAN: slab-use-after-free in waitqueue_active include/linux/wait.h:127 [inline]\n BUG: KASAN: slab-use-after-free in sock_def_write_space_wfree net/core/sock.c:3384 [inline]\n BUG: KASAN: slab-use-after-free in sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468\nRead of size 8 at addr ffff88802f4fc880 by task ksoftirqd/1/27\r\n\r\nCPU: 1 PID: 27 Comm: ksoftirqd/1 Not tainted 6.8.0-rc1-syzkaller-00049-g6098d87eaf31 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0xc4/0x620 mm/kasan/report.c:488\n  kasan_report+0xda/0x110 mm/kasan/report.c:601\n  list_empty include/linux/list.h:373 [inline]\n  waitqueue_active include/linux/wait.h:127 [inline]\n  sock_def_write_space_wfree net/core/sock.c:3384 [inline]\n  sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468\n  skb_release_head_state+0xa3/0x2b0 net/core/skbuff.c:1080\n  skb_release_all net/core/skbuff.c:1092 [inline]\n  napi_consume_skb+0x119/0x2b0 net/core/skbuff.c:1404\n  e1000_unmap_and_free_tx_resource+0x144/0x200 drivers/net/ethernet/intel/e1000/e1000_main.c:1970\n  e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3860 [inline]\n  e1000_clean+0x4a1/0x26e0 drivers/net/ethernet/intel/e1000/e1000_main.c:3801\n  __napi_poll.constprop.0+0xb4/0x540 net/core/dev.c:6576\n  napi_poll net/core/dev.c:6645 [inline]\n  net_rx_action+0x956/0xe90 net/core/dev.c:6778\n  __do_softirq+0x21a/0x8de kernel/softirq.c:553\n  run_ksoftirqd kernel/softirq.c:921 [inline]\n  run_ksoftirqd+0x31/0x60 kernel/softirq.c:913\n  smpboot_thread_fn+0x660/0xa10 kernel/smpboot.c:164\n  kthread+0x2c6/0x3a0 kernel/kthread.c:388\n  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n  ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242\n </TASK>\r\n\r\nAllocated by task 5167:\n  kasan_save_stack+0x33/0x50 mm/kasan/common.c:47\n  kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n  unpoison_slab_object mm/kasan/common.c:314 [inline]\n  __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:340\n  kasan_slab_alloc include/linux/kasan.h:201 [inline]\n  slab_post_alloc_hook mm/slub.c:3813 [inline]\n  slab_alloc_node mm/slub.c:3860 [inline]\n  kmem_cache_alloc_lru+0x142/0x6f0 mm/slub.c:3879\n  alloc_inode_sb include/linux/fs.h:3019 [inline]\n  sock_alloc_inode+0x25/0x1c0 net/socket.c:308\n  alloc_inode+0x5d/0x220 fs/inode.c:260\n  new_inode_pseudo+0x16/0x80 fs/inode.c:1005\n  sock_alloc+0x40/0x270 net/socket.c:634\n  __sock_create+0xbc/0x800 net/socket.c:1535\n  sock_create net/socket.c:1622 [inline]\n  __sys_socket_create net/socket.c:1659 [inline]\n  __sys_socket+0x14c/0x260 net/socket.c:1706\n  __do_sys_socket net/socket.c:1720 [inline]\n  __se_sys_socket net/socket.c:1718 [inline]\n  __x64_sys_socket+0x72/0xb0 net/socket.c:1718\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nFreed by task 0:\n  kasan_save_stack+0x33/0x50 mm/kasan/common.c:47\n  kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n  kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640\n  poison_slab_object mm/kasan/common.c:241 [inline]\n  __kasan_slab_free+0x121/0x1b0 mm/kasan/common.c:257\n  kasan_slab_free include/linux/kasan.h:184 [inline]\n  slab_free_hook mm/slub.c:2121 [inlin\n---truncated---(CVE-2024-26625)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: core: Move scsi_host_busy() out of host lock for waking up EH handler\r\n\r\nInside scsi_eh_wakeup(), scsi_host_busy() is called & checked with host\nlock every time for deciding if error handler kthread needs to be waken up.\r\n\r\nThis can be too heavy in case of recovery, such as:\r\n\r\n - N hardware queues\r\n\r\n - queue depth is M for each hardware queue\r\n\r\n - each scsi_host_busy() iterates over (N * M) tag/requests\r\n\r\nIf recovery is triggered in case that all requests are in-flight, each\nscsi_eh_wakeup() is strictly serialized, when scsi_eh_wakeup() is called\nfor the last in-flight request, scsi_host_busy() has been run for (N * M -\n1) times, and request has been iterated for (N*M - 1) * (N * M) times.\r\n\r\nIf both N and M are big enough, hard lockup can be triggered on acquiring\nhost lock, and it is observed on mpi3mr(128 hw queues, queue depth 8169).\r\n\r\nFix the issue by calling scsi_host_busy() outside the host lock. We don't\nneed the host lock for getting busy count because host the lock never\ncovers that.\r\n\r\n[mkp: Drop unnecessary 'busy' variables pointed out by Bart](CVE-2024-26627)",
+    "cves": [
+      {
+        "id": "CVE-2024-26627",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26627",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1767": {
+    "id": "openEuler-SA-2024-1767",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1767",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncan: mcba_usb: fix memory leak in mcba_usb\r\n\r\nSyzbot reported memory leak in SocketCAN driver for Microchip CAN BUS\nAnalyzer Tool. The problem was in unfreed usb_coherent.\r\n\r\nIn mcba_usb_start() 20 coherent buffers are allocated and there is\nnothing, that frees them:\r\n\r\n1) In callback function the urb is resubmitted and that's all\n2) In disconnect function urbs are simply killed, but URB_FREE_BUFFER\n   is not set (see mcba_usb_start) and this flag cannot be used with\n   coherent buffers.\r\n\r\nFail log:\n| [ 1354.053291][ T8413] mcba_usb 1-1:0.0 can0: device disconnected\n| [ 1367.059384][ T8420] kmemleak: 20 new suspected memory leaks (see /sys/kernel/debug/kmem)\r\n\r\nSo, all allocated buffers should be freed with usb_free_coherent()\nexplicitly\r\n\r\nNOTE:\nThe same pattern for allocating and freeing coherent buffers\nis used in drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c(CVE-2021-47231)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncan: j1939: fix Use-after-Free, hold skb ref while in use\r\n\r\nThis patch fixes a Use-after-Free found by the syzbot.\r\n\r\nThe problem is that a skb is taken from the per-session skb queue,\nwithout incrementing the ref count. This leads to a Use-after-Free if\nthe skb is taken concurrently from the session queue due to a CTS.(CVE-2021-47232)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbatman-adv: Avoid WARN_ON timing related checks\r\n\r\nThe soft/batadv interface for a queued OGM can be changed during the time\nthe OGM was queued for transmission and when the OGM is actually\ntransmitted by the worker.\r\n\r\nBut WARN_ON must be used to denote kernel bugs and not to print simple\nwarnings. A warning can simply be printed using pr_warn.(CVE-2021-47252)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf()\r\n\r\nFix an 11-year old bug in ngene_command_config_free_buf() while\naddressing the following warnings caught with -Warray-bounds:\r\n\r\narch/alpha/include/asm/string.h:22:16: warning: '__builtin_memcpy' offset [12, 16] from the object at 'com' is out of the bounds of referenced subobject 'config' with type 'unsigned char' at offset 10 [-Warray-bounds]\narch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [12, 16] from the object at 'com' is out of the bounds of referenced subobject 'config' with type 'unsigned char' at offset 10 [-Warray-bounds]\r\n\r\nThe problem is that the original code is trying to copy 6 bytes of\ndata into a one-byte size member _config_ of the wrong structue\nFW_CONFIGURE_BUFFERS, in a single call to memcpy(). This causes a\nlegitimate compiler warning because memcpy() overruns the length\nof &com.cmd.ConfigureBuffers.config. It seems that the right\nstructure is FW_CONFIGURE_FREE_BUFFERS, instead, because it contains\n6 more members apart from the header _hdr_. Also, the name of\nthe function ngene_command_config_free_buf() suggests that the actual\nintention is to ConfigureFreeBuffers, instead of ConfigureBuffers\n(which takes place in the function ngene_command_config_buf(), above).\r\n\r\nFix this by enclosing those 6 members of struct FW_CONFIGURE_FREE_BUFFERS\ninto new struct config, and use &com.cmd.ConfigureFreeBuffers.config as\nthe destination address, instead of &com.cmd.ConfigureBuffers.config,\nwhen calling memcpy().\r\n\r\nThis also helps with the ongoing efforts to globally enable\n-Warray-bounds and get us closer to being able to tighten the\nFORTIFY_SOURCE routines on memcpy().(CVE-2021-47288)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncoresight: tmc-etf: Fix global-out-of-bounds in tmc_update_etf_buffer()\r\n\r\ncommit 6f755e85c332 (\"coresight: Add helper for inserting synchronization\npackets\") removed trailing '\\0' from barrier_pkt array and updated the\ncall sites like etb_update_buffer() to have proper checks for barrier_pkt\nsize before read but missed updating tmc_update_etf_buffer() which still\nreads barrier_pkt past the array size resulting in KASAN out-of-bounds\nbug. Fix this by adding a check for barrier_pkt size before accessing\nlike it is done in etb_update_buffer().\r\n\r\n BUG: KASAN: global-out-of-bounds in tmc_update_etf_buffer+0x4b8/0x698\n Read of size 4 at addr ffffffd05b7d1030 by task perf/2629\r\n\r\n Call trace:\n  dump_backtrace+0x0/0x27c\n  show_stack+0x20/0x2c\n  dump_stack+0x11c/0x188\n  print_address_description+0x3c/0x4a4\n  __kasan_report+0x140/0x164\n  kasan_report+0x10/0x18\n  __asan_report_load4_noabort+0x1c/0x24\n  tmc_update_etf_buffer+0x4b8/0x698\n  etm_event_stop+0x248/0x2d8\n  etm_event_del+0x20/0x2c\n  event_sched_out+0x214/0x6f0\n  group_sched_out+0xd0/0x270\n  ctx_sched_out+0x2ec/0x518\n  __perf_event_task_sched_out+0x4fc/0xe6c\n  __schedule+0x1094/0x16a0\n  preempt_schedule_irq+0x88/0x170\n  arm64_preempt_schedule_irq+0xf0/0x18c\n  el1_irq+0xe8/0x180\n  perf_event_exec+0x4d8/0x56c\n  setup_new_exec+0x204/0x400\n  load_elf_binary+0x72c/0x18c0\n  search_binary_handler+0x13c/0x420\n  load_script+0x500/0x6c4\n  search_binary_handler+0x13c/0x420\n  exec_binprm+0x118/0x654\n  __do_execve_file+0x77c/0xba4\n  __arm64_compat_sys_execve+0x98/0xac\n  el0_svc_common+0x1f8/0x5e0\n  el0_svc_compat_handler+0x84/0xb0\n  el0_svc_compat+0x10/0x50\r\n\r\n The buggy address belongs to the variable:\n  barrier_pkt+0x10/0x40\r\n\r\n Memory state around the buggy address:\n  ffffffd05b7d0f00: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00\n  ffffffd05b7d0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n >ffffffd05b7d1000: 00 00 00 00 00 00 fa fa fa fa fa fa 00 00 00 03\n                                      ^\n  ffffffd05b7d1080: fa fa fa fa 00 02 fa fa fa fa fa fa 03 fa fa fa\n  ffffffd05b7d1100: fa fa fa fa 00 00 00 00 05 fa fa fa fa fa fa fa\n ==================================================================(CVE-2021-47346)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwl1251: Fix possible buffer overflow in wl1251_cmd_scan\r\n\r\nFunction wl1251_cmd_scan calls memcpy without checking the length.\nHarden by checking the length is within the maximum allowed size.(CVE-2021-47347)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nxhci: Fix command ring pointer corruption while aborting a command\r\n\r\nThe command ring pointer is located at [6:63] bits of the command\nring control register (CRCR). All the control bits like command stop,\nabort are located at [0:3] bits. While aborting a command, we read the\nCRCR and set the abort bit and write to the CRCR. The read will always\ngive command ring pointer as all zeros. So we essentially write only\nthe control bits. Since we split the 64 bit write into two 32 bit writes,\nthere is a possibility of xHC command ring stopped before the upper\ndword (all zeros) is written. If that happens, xHC updates the upper\ndword of its internal command ring pointer with all zeros. Next time,\nwhen the command ring is restarted, we see xHC memory access failures.\nFix this issue by only writing to the lower dword of CRCR where all\ncontrol bits are located.(CVE-2021-47434)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm, slub: fix potential memoryleak in kmem_cache_open()\r\n\r\nIn error path, the random_seq of slub cache might be leaked.  Fix this\nby using __kmem_cache_release() to release all the relevant resources.(CVE-2021-47466)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nspi: Fix deadlock when adding SPI controllers on SPI buses\r\n\r\nCurrently we have a global spi_add_lock which we take when adding new\ndevices so that we can check that we're not trying to reuse a chip\nselect that's already controlled.  This means that if the SPI device is\nitself a SPI controller and triggers the instantiation of further SPI\ndevices we trigger a deadlock as we try to register and instantiate\nthose devices while in the process of doing so for the parent controller\nand hence already holding the global spi_add_lock.  Since we only care\nabout concurrency within a single SPI bus move the lock to be per\ncontroller, avoiding the deadlock.\r\n\r\nThis can be easily triggered in the case of spi-mux.(CVE-2021-47469)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nocfs2: fix race between searching chunks and release journal_head from buffer_head\r\n\r\nEncountered a race between ocfs2_test_bg_bit_allocatable() and\njbd2_journal_put_journal_head() resulting in the below vmcore.\r\n\r\n  PID: 106879  TASK: ffff880244ba9c00  CPU: 2   COMMAND: \"loop3\"\n  Call trace:\n    panic\n    oops_end\n    no_context\n    __bad_area_nosemaphore\n    bad_area_nosemaphore\n    __do_page_fault\n    do_page_fault\n    page_fault\n      [exception RIP: ocfs2_block_group_find_clear_bits+316]\n    ocfs2_block_group_find_clear_bits [ocfs2]\n    ocfs2_cluster_group_search [ocfs2]\n    ocfs2_search_chain [ocfs2]\n    ocfs2_claim_suballoc_bits [ocfs2]\n    __ocfs2_claim_clusters [ocfs2]\n    ocfs2_claim_clusters [ocfs2]\n    ocfs2_local_alloc_slide_window [ocfs2]\n    ocfs2_reserve_local_alloc_bits [ocfs2]\n    ocfs2_reserve_clusters_with_limit [ocfs2]\n    ocfs2_reserve_clusters [ocfs2]\n    ocfs2_lock_refcount_allocators [ocfs2]\n    ocfs2_make_clusters_writable [ocfs2]\n    ocfs2_replace_cow [ocfs2]\n    ocfs2_refcount_cow [ocfs2]\n    ocfs2_file_write_iter [ocfs2]\n    lo_rw_aio\n    loop_queue_work\n    kthread_worker_fn\n    kthread\n    ret_from_fork\r\n\r\nWhen ocfs2_test_bg_bit_allocatable() called bh2jh(bg_bh), the\nbg_bh->b_private NULL as jbd2_journal_put_journal_head() raced and\nreleased the jounal head from the buffer head.  Needed to take bit lock\nfor the bit 'BH_JournalHead' to fix this race.(CVE-2021-47493)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\niio: mma8452: Fix trigger reference couting\r\n\r\nThe mma8452 driver directly assigns a trigger to the struct iio_dev. The\nIIO core when done using this trigger will call `iio_trigger_put()` to drop\nthe reference count by 1.\r\n\r\nWithout the matching `iio_trigger_get()` in the driver the reference count\ncan reach 0 too early, the trigger gets freed while still in use and a\nuse-after-free occurs.\r\n\r\nFix this by getting a reference to the trigger before assigning it to the\nIIO device.(CVE-2021-47500)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncan: sja1000: fix use after free in ems_pcmcia_add_card()\r\n\r\nIf the last channel is not available then \"dev\" is freed.  Fortunately,\nwe can just use \"pdev->irq\" instead.\r\n\r\nAlso we should check if at least one channel was set up.(CVE-2021-47521)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: mpt3sas: Fix kernel panic during drive powercycle test\r\n\r\nWhile looping over shost's sdev list it is possible that one\nof the drives is getting removed and its sas_target object is\nfreed but its sdev object remains intact.\r\n\r\nConsequently, a kernel panic can occur while the driver is trying to access\nthe sas_address field of sas_target object without also checking the\nsas_target object for NULL.(CVE-2021-47565)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ninet_diag: fix kernel-infoleak for UDP sockets\r\n\r\nKMSAN reported a kernel-infoleak [1], that can exploited\nby unpriv users.\r\n\r\nAfter analysis it turned out UDP was not initializing\nr->idiag_expires. Other users of inet_sk_diag_fill()\nmight make the same mistake in the future, so fix this\nin inet_sk_diag_fill().\r\n\r\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]\nBUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:156 [inline]\nBUG: KMSAN: kernel-infoleak in _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670\n instrument_copy_to_user include/linux/instrumented.h:121 [inline]\n copyout lib/iov_iter.c:156 [inline]\n _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670\n copy_to_iter include/linux/uio.h:155 [inline]\n simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519\n __skb_datagram_iter+0x2cb/0x1280 net/core/datagram.c:425\n skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533\n skb_copy_datagram_msg include/linux/skbuff.h:3657 [inline]\n netlink_recvmsg+0x660/0x1c60 net/netlink/af_netlink.c:1974\n sock_recvmsg_nosec net/socket.c:944 [inline]\n sock_recvmsg net/socket.c:962 [inline]\n sock_read_iter+0x5a9/0x630 net/socket.c:1035\n call_read_iter include/linux/fs.h:2156 [inline]\n new_sync_read fs/read_write.c:400 [inline]\n vfs_read+0x1631/0x1980 fs/read_write.c:481\n ksys_read+0x28c/0x520 fs/read_write.c:619\n __do_sys_read fs/read_write.c:629 [inline]\n __se_sys_read fs/read_write.c:627 [inline]\n __x64_sys_read+0xdb/0x120 fs/read_write.c:627\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x44/0xae\r\n\r\nUninit was created at:\n slab_post_alloc_hook mm/slab.h:524 [inline]\n slab_alloc_node mm/slub.c:3251 [inline]\n __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974\n kmalloc_reserve net/core/skbuff.c:354 [inline]\n __alloc_skb+0x545/0xf90 net/core/skbuff.c:426\n alloc_skb include/linux/skbuff.h:1126 [inline]\n netlink_dump+0x3d5/0x16a0 net/netlink/af_netlink.c:2245\n __netlink_dump_start+0xd1c/0xee0 net/netlink/af_netlink.c:2370\n netlink_dump_start include/linux/netlink.h:254 [inline]\n inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1343\n sock_diag_rcv_msg+0x24a/0x620\n netlink_rcv_skb+0x447/0x800 net/netlink/af_netlink.c:2491\n sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:276\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x1095/0x1360 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x16f3/0x1870 net/netlink/af_netlink.c:1916\n sock_sendmsg_nosec net/socket.c:704 [inline]\n sock_sendmsg net/socket.c:724 [inline]\n sock_write_iter+0x594/0x690 net/socket.c:1057\n do_iter_readv_writev+0xa7f/0xc70\n do_iter_write+0x52c/0x1500 fs/read_write.c:851\n vfs_writev fs/read_write.c:924 [inline]\n do_writev+0x63f/0xe30 fs/read_write.c:967\n __do_sys_writev fs/read_write.c:1040 [inline]\n __se_sys_writev fs/read_write.c:1037 [inline]\n __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x44/0xae\r\n\r\nBytes 68-71 of 312 are uninitialized\nMemory access of size 312 starts at ffff88812ab54000\nData copied to user address 0000000020001440\r\n\r\nCPU: 1 PID: 6365 Comm: syz-executor801 Not tainted 5.16.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011(CVE-2021-47597)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfirmware: arm_scpi: Fix string overflow in SCPI genpd driver\r\n\r\nWithout the bound checks for scpi_pd->name, it could result in the buffer\noverflow when copying the SCPI device name from the corresponding device\ntree node as the name string is set at maximum size of 30.\r\n\r\nLet us fix it by using devm_kasprintf so that the string buffer is\nallocated dynamically.(CVE-2021-47609)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nASoC: ops: Reject out of bounds values in snd_soc_put_volsw_sx()\r\n\r\nWe don't currently validate that the values being set are within the range\nwe advertised to userspace as being valid, do so and reject any values\nthat are out of range.(CVE-2022-48737)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc64/bpf: Limit 'ldbrx' to processors compliant with ISA v2.06\r\n\r\nJohan reported the below crash with test_bpf on ppc64 e5500:\r\n\r\n  test_bpf: #296 ALU_END_FROM_LE 64: 0x0123456789abcdef -> 0x67452301 jited:1\n  Oops: Exception in kernel mode, sig: 4 [#1]\n  BE PAGE_SIZE=4K SMP NR_CPUS=24 QEMU e500\n  Modules linked in: test_bpf(+)\n  CPU: 0 PID: 76 Comm: insmod Not tainted 5.14.0-03771-g98c2059e008a-dirty #1\n  NIP:  8000000000061c3c LR: 80000000006dea64 CTR: 8000000000061c18\n  REGS: c0000000032d3420 TRAP: 0700   Not tainted (5.14.0-03771-g98c2059e008a-dirty)\n  MSR:  0000000080089000 <EE,ME>  CR: 88002822  XER: 20000000 IRQMASK: 0\n  <...>\n  NIP [8000000000061c3c] 0x8000000000061c3c\n  LR [80000000006dea64] .__run_one+0x104/0x17c [test_bpf]\n  Call Trace:\n   .__run_one+0x60/0x17c [test_bpf] (unreliable)\n   .test_bpf_init+0x6a8/0xdc8 [test_bpf]\n   .do_one_initcall+0x6c/0x28c\n   .do_init_module+0x68/0x28c\n   .load_module+0x2460/0x2abc\n   .__do_sys_init_module+0x120/0x18c\n   .system_call_exception+0x110/0x1b8\n   system_call_common+0xf0/0x210\n  --- interrupt: c00 at 0x101d0acc\n  <...>\n  ---[ end trace 47b2bf19090bb3d0 ]---\r\n\r\n  Illegal instruction\r\n\r\nThe illegal instruction turned out to be 'ldbrx' emitted for\nBPF_FROM_[L|B]E, which was only introduced in ISA v2.06. Guard use of\nthe same and implement an alternative approach for older processors.(CVE-2022-48755)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/msm/dsi: invalid parameter check in msm_dsi_phy_enable\r\n\r\nThe function performs a check on the \"phy\" input parameter, however, it\nis used before the check.\r\n\r\nInitialize the \"dev\" variable after the sanity check to avoid a possible\nNULL pointer dereference.\r\n\r\nAddresses-Coverity-ID: 1493860 (\"Null pointer dereference\")(CVE-2022-48756)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nrpmsg: virtio: Free driver_override when rpmsg_remove()\r\n\r\nFree driver_override when rpmsg_remove(), otherwise\nthe following memory leak will occur:\r\n\r\nunreferenced object 0xffff0000d55d7080 (size 128):\n  comm \"kworker/u8:2\", pid 56, jiffies 4294893188 (age 214.272s)\n  hex dump (first 32 bytes):\n    72 70 6d 73 67 5f 6e 73 00 00 00 00 00 00 00 00  rpmsg_ns........\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<000000009c94c9c1>] __kmem_cache_alloc_node+0x1f8/0x320\n    [<000000002300d89b>] __kmalloc_node_track_caller+0x44/0x70\n    [<00000000228a60c3>] kstrndup+0x4c/0x90\n    [<0000000077158695>] driver_set_override+0xd0/0x164\n    [<000000003e9c4ea5>] rpmsg_register_device_override+0x98/0x170\n    [<000000001c0c89a8>] rpmsg_ns_register_device+0x24/0x30\n    [<000000008bbf8fa2>] rpmsg_probe+0x2e0/0x3ec\n    [<00000000e65a68df>] virtio_dev_probe+0x1c0/0x280\n    [<00000000443331cc>] really_probe+0xbc/0x2dc\n    [<00000000391064b1>] __driver_probe_device+0x78/0xe0\n    [<00000000a41c9a5b>] driver_probe_device+0xd8/0x160\n    [<000000009c3bd5df>] __device_attach_driver+0xb8/0x140\n    [<0000000043cd7614>] bus_for_each_drv+0x7c/0xd4\n    [<000000003b929a36>] __device_attach+0x9c/0x19c\n    [<00000000a94e0ba8>] device_initial_probe+0x14/0x20\n    [<000000003c999637>] bus_probe_device+0xa0/0xac(CVE-2023-52670)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nFix page corruption caused by racy check in __free_pages\r\n\r\nWhen we upgraded our kernel, we started seeing some page corruption like\nthe following consistently:\r\n\r\n  BUG: Bad page state in process ganesha.nfsd  pfn:1304ca\n  page:0000000022261c55 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x1304ca\n  flags: 0x17ffffc0000000()\n  raw: 0017ffffc0000000 ffff8a513ffd4c98 ffffeee24b35ec08 0000000000000000\n  raw: 0000000000000000 0000000000000001 00000000ffffff7f 0000000000000000\n  page dumped because: nonzero mapcount\n  CPU: 0 PID: 15567 Comm: ganesha.nfsd Kdump: loaded Tainted: P    B      O      5.10.158-1.nutanix.20221209.el7.x86_64 #1\n  Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016\n  Call Trace:\n   dump_stack+0x74/0x96\n   bad_page.cold+0x63/0x94\n   check_new_page_bad+0x6d/0x80\n   rmqueue+0x46e/0x970\n   get_page_from_freelist+0xcb/0x3f0\n   ? _cond_resched+0x19/0x40\n   __alloc_pages_nodemask+0x164/0x300\n   alloc_pages_current+0x87/0xf0\n   skb_page_frag_refill+0x84/0x110\n   ...\r\n\r\nSometimes, it would also show up as corruption in the free list pointer\nand cause crashes.\r\n\r\nAfter bisecting the issue, we found the issue started from commit\ne320d3012d25 (\"mm/page_alloc.c: fix freeing non-compound pages\"):\r\n\r\n\tif (put_page_testzero(page))\n\t\tfree_the_page(page, order);\n\telse if (!PageHead(page))\n\t\twhile (order-- > 0)\n\t\t\tfree_the_page(page + (1 << order), order);\r\n\r\nSo the problem is the check PageHead is racy because at this point we\nalready dropped our reference to the page.  So even if we came in with\ncompound page, the page can already be freed and PageHead can return\nfalse and we will end up freeing all the tail pages causing double free.(CVE-2023-52739)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\natl1c: Work around the DMA RX overflow issue\r\n\r\nThis is based on alx driver commit 881d0327db37 (\"net: alx: Work around\nthe DMA RX overflow issue\").\r\n\r\nThe alx and atl1c drivers had RX overflow error which was why a custom\nallocator was created to avoid certain addresses. The simpler workaround\nthen created for alx driver, but not for atl1c due to lack of tester.\r\n\r\nInstead of using a custom allocator, check the allocated skb address and\nuse skb_reserve() to move away from problematic 0x...fc0 address.\r\n\r\nTested on AR8131 on Acer 4540.(CVE-2023-52834)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhid: cp2112: Fix duplicate workqueue initialization\r\n\r\nPreviously the cp2112 driver called INIT_DELAYED_WORK within\ncp2112_gpio_irq_startup, resulting in duplicate initilizations of the\nworkqueue on subsequent IRQ startups following an initial request. This\nresulted in a warning in set_work_data in workqueue.c, as well as a rare\nNULL dereference within process_one_work in workqueue.c.\r\n\r\nInitialize the workqueue within _probe instead.(CVE-2023-52853)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: usb-audio: Stop parsing channels bits when all channels are found.\r\n\r\nIf a usb audio device sets more bits than the amount of channels\nit could write outside of the map array.(CVE-2024-27436)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: tc358743: register v4l2 async device only after successful setup\r\n\r\nEnsure the device has been setup correctly before registering the v4l2\nasync device, thus allowing userspace to access.(CVE-2024-35830)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete\r\n\r\nFFS based applications can utilize the aio_cancel() callback to dequeue\npending USB requests submitted to the UDC.  There is a scenario where the\nFFS application issues an AIO cancel call, while the UDC is handling a\nsoft disconnect.  For a DWC3 based implementation, the callstack looks\nlike the following:\r\n\r\n    DWC3 Gadget                               FFS Application\ndwc3_gadget_soft_disconnect()              ...\n  --> dwc3_stop_active_transfers()\n    --> dwc3_gadget_giveback(-ESHUTDOWN)\n      --> ffs_epfile_async_io_complete()   ffs_aio_cancel()\n        --> usb_ep_free_request()            --> usb_ep_dequeue()\r\n\r\nThere is currently no locking implemented between the AIO completion\nhandler and AIO cancel, so the issue occurs if the completion routine is\nrunning in parallel to an AIO cancel call coming from the FFS application.\nAs the completion call frees the USB request (io_data->req) the FFS\napplication is also referencing it for the usb_ep_dequeue() call.  This can\nlead to accessing a stale/hanging pointer.\r\n\r\ncommit b566d38857fc (\"usb: gadget: f_fs: use io_data->status consistently\")\nrelocated the usb_ep_free_request() into ffs_epfile_async_io_complete().\nHowever, in order to properly implement locking to mitigate this issue, the\nspinlock can't be added to ffs_epfile_async_io_complete(), as\nusb_ep_dequeue() (if successfully dequeuing a USB request) will call the\nfunction driver's completion handler in the same context.  Hence, leading\ninto a deadlock.\r\n\r\nFix this issue by moving the usb_ep_free_request() back to\nffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req\nto NULL after freeing it within the ffs->eps_lock.  This resolves the race\ncondition above, as the ffs_aio_cancel() routine will not continue\nattempting to dequeue a request that has already been freed, or the\nffs_user_copy_work() not freeing the USB request until the AIO cancel is\ndone referencing it.\r\n\r\nThis fix depends on\n  commit b566d38857fc (\"usb: gadget: f_fs: use io_data->status\n  consistently\")(CVE-2024-36894)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: nl80211: don't free NULL coalescing rule\r\n\r\nIf the parsing fails, we can dereference a NULL pointer here.(CVE-2024-36941)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfirewire: ohci: mask bus reset interrupts between ISR and bottom half\r\n\r\nIn the FireWire OHCI interrupt handler, if a bus reset interrupt has\noccurred, mask bus reset interrupts until bus_reset_work has serviced and\ncleared the interrupt.\r\n\r\nNormally, we always leave bus reset interrupts masked. We infer the bus\nreset from the self-ID interrupt that happens shortly thereafter. A\nscenario where we unmask bus reset interrupts was introduced in 2008 in\na007bb857e0b26f5d8b73c2ff90782d9c0972620: If\nOHCI_PARAM_DEBUG_BUSRESETS (8) is set in the debug parameter bitmask, we\nwill unmask bus reset interrupts so we can log them.\r\n\r\nirq_handler logs the bus reset interrupt. However, we can't clear the bus\nreset event flag in irq_handler, because we won't service the event until\nlater. irq_handler exits with the event flag still set. If the\ncorresponding interrupt is still unmasked, the first bus reset will\nusually freeze the system due to irq_handler being called again each\ntime it exits. This freeze can be reproduced by loading firewire_ohci\nwith \"modprobe firewire_ohci debug=-1\" (to enable all debugging output).\nApparently there are also some cases where bus_reset_work will get called\nsoon enough to clear the event, and operation will continue normally.\r\n\r\nThis freeze was first reported a few months after a007bb85 was committed,\nbut until now it was never fixed. The debug level could safely be set\nto -1 through sysfs after the module was loaded, but this would be\nineffectual in logging bus reset interrupts since they were only\nunmasked during initialization.\r\n\r\nirq_handler will now leave the event flag set but mask bus reset\ninterrupts, so irq_handler won't be called again and there will be no\nfreeze. If OHCI_PARAM_DEBUG_BUSRESETS is enabled, bus_reset_work will\nunmask the interrupt after servicing the event, so future interrupts\nwill be caught as desired.\r\n\r\nAs a side effect to this change, OHCI_PARAM_DEBUG_BUSRESETS can now be\nenabled through sysfs in addition to during initial module loading.\nHowever, when enabled through sysfs, logging of bus reset interrupts will\nbe effective only starting with the second bus reset, after\nbus_reset_work has executed.(CVE-2024-36950)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: fix __dst_negative_advice() race\r\n\r\n__dst_negative_advice() does not enforce proper RCU rules when\nsk->dst_cache must be cleared, leading to possible UAF.\r\n\r\nRCU rules are that we must first clear sk->sk_dst_cache,\nthen call dst_release(old_dst).\r\n\r\nNote that sk_dst_reset(sk) is implementing this protocol correctly,\nwhile __dst_negative_advice() uses the wrong order.\r\n\r\nGiven that ip6_negative_advice() has special logic\nagainst RTF_CACHE, this means each of the three ->negative_advice()\nexisting methods must perform the sk_dst_reset() themselves.\r\n\r\nNote the check against NULL dst is centralized in\n__dst_negative_advice(), there is no need to duplicate\nit in various callbacks.\r\n\r\nMany thanks to Clement Lecigne for tracking this issue.\r\n\r\nThis old bug became visible after the blamed commit, using UDP sockets.(CVE-2024-36971)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: bridge: xmit: make sure we have at least eth header len bytes\r\n\r\nsyzbot triggered an uninit value[1] error in bridge device's xmit path\nby sending a short (less than ETH_HLEN bytes) skb. To fix it check if\nwe can actually pull that amount instead of assuming.\r\n\r\nTested with dropwatch:\n drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3)\n origin: software\n timestamp: Mon May 13 11:31:53 2024 778214037 nsec\n protocol: 0x88a8\n length: 2\n original length: 2\n drop reason: PKT_TOO_SMALL\r\n\r\n[1]\nBUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65\n br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65\n __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n xmit_one net/core/dev.c:3531 [inline]\n dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\n __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n __bpf_tx_skb net/core/filter.c:2136 [inline]\n __bpf_redirect_common net/core/filter.c:2180 [inline]\n __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187\n ____bpf_clone_redirect net/core/filter.c:2460 [inline]\n bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432\n ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997\n __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238\n bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]\n __bpf_prog_run include/linux/filter.h:657 [inline]\n bpf_prog_run include/linux/filter.h:664 [inline]\n bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425\n bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058\n bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269\n __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678\n __do_sys_bpf kernel/bpf/syscall.c:5767 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5765 [inline]\n __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765\n x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f(CVE-2024-38538)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nof: module: add buffer overflow check in of_modalias()\r\n\r\nIn of_modalias(), if the buffer happens to be too small even for the 1st\nsnprintf() call, the len parameter will become negative and str parameter\n(if not NULL initially) will point beyond the buffer's end. Add the buffer\noverflow check after the 1st snprintf() call and fix such check after the\nstrlen() call (accounting for the terminating NUL char).(CVE-2024-38541)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Fix potential index out of bounds in color transformation function\r\n\r\nFixes index out of bounds issue in the color transformation function.\nThe issue could occur when the index 'i' exceeds the number of transfer\nfunction points (TRANSFER_FUNC_POINTS).\r\n\r\nThe fix adds a check to ensure 'i' is within bounds before accessing the\ntransfer function points. If 'i' is out of bounds, an error message is\nlogged and the function returns false to indicate an error.\r\n\r\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:405 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:406 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:407 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max(CVE-2024-38552)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nftrace: Fix possible use-after-free issue in ftrace_location()\r\n\r\nKASAN reports a bug:\r\n\r\n  BUG: KASAN: use-after-free in ftrace_location+0x90/0x120\n  Read of size 8 at addr ffff888141d40010 by task insmod/424\n  CPU: 8 PID: 424 Comm: insmod Tainted: G        W          6.9.0-rc2+\n  [...]\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x68/0xa0\n   print_report+0xcf/0x610\n   kasan_report+0xb5/0xe0\n   ftrace_location+0x90/0x120\n   register_kprobe+0x14b/0xa40\n   kprobe_init+0x2d/0xff0 [kprobe_example]\n   do_one_initcall+0x8f/0x2d0\n   do_init_module+0x13a/0x3c0\n   load_module+0x3082/0x33d0\n   init_module_from_file+0xd2/0x130\n   __x64_sys_finit_module+0x306/0x440\n   do_syscall_64+0x68/0x140\n   entry_SYSCALL_64_after_hwframe+0x71/0x79\r\n\r\nThe root cause is that, in lookup_rec(), ftrace record of some address\nis being searched in ftrace pages of some module, but those ftrace pages\nat the same time is being freed in ftrace_release_mod() as the\ncorresponding module is being deleted:\r\n\r\n           CPU1                       |      CPU2\n  register_kprobes() {                | delete_module() {\n    check_kprobe_address_safe() {     |\n      arch_check_ftrace_location() {  |\n        ftrace_location() {           |\n          lookup_rec() // USE!        |   ftrace_release_mod() // Free!\r\n\r\nTo fix this issue:\n  1. Hold rcu lock as accessing ftrace pages in ftrace_location_range();\n  2. Use ftrace_location_range() instead of lookup_rec() in\n     ftrace_location();\n  3. Call synchronize_rcu() before freeing any ftrace pages both in\n     ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem().(CVE-2024-38588)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\naf_unix: Fix data races in unix_release_sock/unix_stream_sendmsg\r\n\r\nA data-race condition has been identified in af_unix. In one data path,\nthe write function unix_release_sock() atomically writes to\nsk->sk_shutdown using WRITE_ONCE. However, on the reader side,\nunix_stream_sendmsg() does not read it atomically. Consequently, this\nissue is causing the following KCSAN splat to occur:\r\n\r\n\tBUG: KCSAN: data-race in unix_release_sock / unix_stream_sendmsg\r\n\r\n\twrite (marked) to 0xffff88867256ddbb of 1 bytes by task 7270 on cpu 28:\n\tunix_release_sock (net/unix/af_unix.c:640)\n\tunix_release (net/unix/af_unix.c:1050)\n\tsock_close (net/socket.c:659 net/socket.c:1421)\n\t__fput (fs/file_table.c:422)\n\t__fput_sync (fs/file_table.c:508)\n\t__se_sys_close (fs/open.c:1559 fs/open.c:1541)\n\t__x64_sys_close (fs/open.c:1541)\n\tx64_sys_call (arch/x86/entry/syscall_64.c:33)\n\tdo_syscall_64 (arch/x86/entry/common.c:?)\n\tentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\r\n\r\n\tread to 0xffff88867256ddbb of 1 bytes by task 989 on cpu 14:\n\tunix_stream_sendmsg (net/unix/af_unix.c:2273)\n\t__sock_sendmsg (net/socket.c:730 net/socket.c:745)\n\t____sys_sendmsg (net/socket.c:2584)\n\t__sys_sendmmsg (net/socket.c:2638 net/socket.c:2724)\n\t__x64_sys_sendmmsg (net/socket.c:2753 net/socket.c:2750 net/socket.c:2750)\n\tx64_sys_call (arch/x86/entry/syscall_64.c:33)\n\tdo_syscall_64 (arch/x86/entry/common.c:?)\n\tentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\r\n\r\n\tvalue changed: 0x01 -> 0x03\r\n\r\nThe line numbers are related to commit dd5a440a31fa (\"Linux 6.9-rc7\").\r\n\r\nCommit e1d09c2c2f57 (\"af_unix: Fix data races around sk->sk_shutdown.\")\naddressed a comparable issue in the past regarding sk->sk_shutdown.\nHowever, it overlooked resolving this particular data path.\nThis patch only offending unix_stream_sendmsg() function, since the\nother reads seem to be protected by unix_state_lock() as discussed in(CVE-2024-38596)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmacintosh/via-macii: Fix \"BUG: sleeping function called from invalid context\"\r\n\r\nThe via-macii ADB driver calls request_irq() after disabling hard\ninterrupts. But disabling interrupts isn't necessary here because the\nVIA shift register interrupt was masked during VIA1 initialization.(CVE-2024-38607)",
+    "cves": [
+      {
+        "id": "CVE-2024-38607",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38607",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1411": {
+    "id": "openEuler-SA-2021-1411",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1411",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Low",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nAn invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp6_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality.(CVE-2021-3593)\r\n\r\nAn invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the bootp_input() function and could occur while processing a udp packet that is smaller than the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 bytes of uninitialized heap memory from the host. The highest threat from this vulnerability is to data confidentiality.(CVE-2021-3592)\r\n\r\nAn invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the tftp_input() function and could occur while processing a udp packet that is smaller than the size of the 'tftp_t' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality.(CVE-2021-3595)",
+    "cves": [
+      {
+        "id": "CVE-2021-3595",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3595",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1594": {
+    "id": "openEuler-SA-2023-1594",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1594",
+    "title": "An update for binutils is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The GNU Binutils are a collection of binary tools. The main ones are: ld - the GNU linker. as - the GNU assembler. addr2line - Converts addresses into filenames and line numbers. ar - A utility for creating, modifying and extracting from archives. c++filt - Filter to demangle encoded C++ symbols. dlltool - Creates files for building and using DLLs. gold - A new, faster, ELF only linker, still in beta test. gprof - Displays profiling information. nlmconv - Converts object code into an NLM. nm - Lists symbols from object files. objcopy - Copies and translates object files. objdump - Displays information from object files. ranlib - Generates an index to the contents of an archive. readelf - Displays information from any ELF format object file. size - Lists the section sizes of an object or archive file. strings - Lists printable strings from files. trip - Discards symbols. windmc - A Windows compatible message compiler. windres - A compiler for Windows resource files.\r\n\r\nSecurity Fix(es):\r\n\r\nAn illegal memory access flaw was found in the binutils package. Parsing an ELF file containing corrupt symbol version information may result in a denial of service. This issue is the result of an incomplete fix for CVE-2020-16599.(CVE-2022-4285)\r\n\r\nGNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.(CVE-2022-48064)\r\n\r\nA potential heap based buffer overflow was found in _bfd_elf_slurp_version_tables() in bfd/elf.c. This may lead to loss of availability.(CVE-2023-1972)",
+    "cves": [
+      {
+        "id": "CVE-2023-1972",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1972",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1837": {
+    "id": "openEuler-SA-2024-1837",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1837",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP4",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nARM: 9170/1: fix panic when kasan and kprobe are enabled\r\n\r\narm32 uses software to simulate the instruction replaced\nby kprobe. some instructions may be simulated by constructing\nassembly functions. therefore, before executing instruction\nsimulation, it is necessary to construct assembly function\nexecution environment in C language through binding registers.\nafter kasan is enabled, the register binding relationship will\nbe destroyed, resulting in instruction simulation errors and\ncausing kernel panic.\r\n\r\nthe kprobe emulate instruction function is distributed in three\nfiles: actions-common.c actions-arm.c actions-thumb.c, so disable\nKASAN when compiling these files.\r\n\r\nfor example, use kprobe insert on cap_capable+20 after kasan\nenabled, the cap_capable assembly code is as follows:\n<cap_capable>:\ne92d47f0\tpush\t{r4, r5, r6, r7, r8, r9, sl, lr}\ne1a05000\tmov\tr5, r0\ne280006c\tadd\tr0, r0, #108    ; 0x6c\ne1a04001\tmov\tr4, r1\ne1a06002\tmov\tr6, r2\ne59fa090\tldr\tsl, [pc, #144]  ;\nebfc7bf8\tbl\tc03aa4b4 <__asan_load4>\ne595706c\tldr\tr7, [r5, #108]  ; 0x6c\ne2859014\tadd\tr9, r5, #20\n......\nThe emulate_ldr assembly code after enabling kasan is as follows:\nc06f1384 <emulate_ldr>:\ne92d47f0\tpush\t{r4, r5, r6, r7, r8, r9, sl, lr}\ne282803c\tadd\tr8, r2, #60     ; 0x3c\ne1a05000\tmov\tr5, r0\ne7e37855\tubfx\tr7, r5, #16, #4\ne1a00008\tmov\tr0, r8\ne1a09001\tmov\tr9, r1\ne1a04002\tmov\tr4, r2\nebf35462\tbl\tc03c6530 <__asan_load4>\ne357000f\tcmp\tr7, #15\ne7e36655\tubfx\tr6, r5, #12, #4\ne205a00f\tand\tsl, r5, #15\n0a000001\tbeq\tc06f13bc <emulate_ldr+0x38>\ne0840107\tadd\tr0, r4, r7, lsl #2\nebf3545c\tbl\tc03c6530 <__asan_load4>\ne084010a\tadd\tr0, r4, sl, lsl #2\nebf3545a\tbl\tc03c6530 <__asan_load4>\ne2890010\tadd\tr0, r9, #16\nebf35458\tbl\tc03c6530 <__asan_load4>\ne5990010\tldr\tr0, [r9, #16]\ne12fff30\tblx\tr0\ne356000f\tcm\tr6, #15\n1a000014\tbne\tc06f1430 <emulate_ldr+0xac>\ne1a06000\tmov\tr6, r0\ne2840040\tadd\tr0, r4, #64     ; 0x40\n......\r\n\r\nwhen running in emulate_ldr to simulate the ldr instruction, panic\noccurred, and the log is as follows:\nUnable to handle kernel NULL pointer dereference at virtual address\n00000090\npgd = ecb46400\n[00000090] *pgd=2e0fa003, *pmd=00000000\nInternal error: Oops: 206 [#1] SMP ARM\nPC is at cap_capable+0x14/0xb0\nLR is at emulate_ldr+0x50/0xc0\npsr: 600d0293 sp : ecd63af8  ip : 00000004  fp : c0a7c30c\nr10: 00000000  r9 : c30897f4  r8 : ecd63cd4\nr7 : 0000000f  r6 : 0000000a  r5 : e59fa090  r4 : ecd63c98\nr3 : c06ae294  r2 : 00000000  r1 : b7611300  r0 : bf4ec008\nFlags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user\nControl: 32c5387d  Table: 2d546400  DAC: 55555555\nProcess bash (pid: 1643, stack limit = 0xecd60190)\n(cap_capable) from (kprobe_handler+0x218/0x340)\n(kprobe_handler) from (kprobe_trap_handler+0x24/0x48)\n(kprobe_trap_handler) from (do_undefinstr+0x13c/0x364)\n(do_undefinstr) from (__und_svc_finish+0x0/0x30)\n(__und_svc_finish) from (cap_capable+0x18/0xb0)\n(cap_capable) from (cap_vm_enough_memory+0x38/0x48)\n(cap_vm_enough_memory) from\n(security_vm_enough_memory_mm+0x48/0x6c)\n(security_vm_enough_memory_mm) from\n(copy_process.constprop.5+0x16b4/0x25c8)\n(copy_process.constprop.5) from (_do_fork+0xe8/0x55c)\n(_do_fork) from (SyS_clone+0x1c/0x24)\n(SyS_clone) from (__sys_trace_return+0x0/0x10)\nCode: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 (f801f0e7)(CVE-2021-47618)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nax25: Fix reference count leak issue of net_device\r\n\r\nThere is a reference count leak issue of the object \"net_device\" in\nax25_dev_device_down(). When the ax25 device is shutting down, the\nax25_dev_device_down() drops the reference count of net_device one\nor zero times depending on if we goto unlock_put or not, which will\ncause memory leak.\r\n\r\nIn order to solve the above issue, decrease the reference count of\nnet_device after dev->ax25_ptr is set to null.(CVE-2024-38554)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix potential hang in nilfs_detach_log_writer()\r\n\r\nSyzbot has reported a potential hang in nilfs_detach_log_writer() called\nduring nilfs2 unmount.\r\n\r\nAnalysis revealed that this is because nilfs_segctor_sync(), which\nsynchronizes with the log writer thread, can be called after\nnilfs_segctor_destroy() terminates that thread, as shown in the call trace\nbelow:\r\n\r\nnilfs_detach_log_writer\n  nilfs_segctor_destroy\n    nilfs_segctor_kill_thread  --> Shut down log writer thread\n    flush_work\n      nilfs_iput_work_func\n        nilfs_dispose_list\n          iput\n            nilfs_evict_inode\n              nilfs_transaction_commit\n                nilfs_construct_segment (if inode needs sync)\n                  nilfs_segctor_sync  --> Attempt to synchronize with\n                                          log writer thread\n                           *** DEADLOCK ***\r\n\r\nFix this issue by changing nilfs_segctor_sync() so that the log writer\nthread returns normally without synchronizing after it terminates, and by\nforcing tasks that are already waiting to complete once after the thread\nterminates.\r\n\r\nThe skipped inode metadata flushout will then be processed together in the\nsubsequent cleanup work in nilfs_segctor_destroy().(CVE-2024-38582)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix use-after-free of timer for log writer thread\r\n\r\nPatch series \"nilfs2: fix log writer related issues\".\r\n\r\nThis bug fix series covers three nilfs2 log writer-related issues,\nincluding a timer use-after-free issue and potential deadlock issue on\nunmount, and a potential freeze issue in event synchronization found\nduring their analysis.  Details are described in each commit log.\r\n\r\n\nThis patch (of 3):\r\n\r\nA use-after-free issue has been reported regarding the timer sc_timer on\nthe nilfs_sc_info structure.\r\n\r\nThe problem is that even though it is used to wake up a sleeping log\nwriter thread, sc_timer is not shut down until the nilfs_sc_info structure\nis about to be freed, and is used regardless of the thread's lifetime.\r\n\r\nFix this issue by limiting the use of sc_timer only while the log writer\nthread is alive.(CVE-2024-38583)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/ntfs3: Check 'folio' pointer for NULL\r\n\r\nIt can be NULL if bmap is called.(CVE-2024-38625)",
+    "cves": [
+      {
+        "id": "CVE-2024-38625",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38625",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1118": {
+    "id": "openEuler-SA-2024-1118",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1118",
+    "title": "An update for shim is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Initial UEFI bootloader that handles chaining to a trusted full \\ bootloader under secure boot environments.\r\n\r\nSecurity Fix(es):\r\n\r\nA remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise.(CVE-2023-40547)\r\n\r\nA buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed from the PE binary being used by Shim. This value is further used for memory allocation operations, leading to a heap-based buffer overflow. This flaw causes memory corruption and can lead to a crash or data integrity issues during the boot phase.(CVE-2023-40548)\r\n\r\nAn out-of-bounds read flaw was found in Shim due to the lack of proper boundary verification during the load of a PE binary. This flaw allows an attacker to load a crafted PE binary, triggering the issue and crashing Shim, resulting in a denial of service.(CVE-2023-40549)\r\n\r\nAn out-of-bounds read flaw was found in Shim when it tried to validate the SBAT information. This issue may expose sensitive data during the system's boot phase.(CVE-2023-40550)\r\n\r\nA flaw was found in the MZ binary format in Shim. An out-of-bounds read may occur, leading to a crash or possible exposure of sensitive data during the system's boot phase.(CVE-2023-40551)",
+    "cves": [
+      {
+        "id": "CVE-2023-40551",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40551",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1736": {
+    "id": "openEuler-SA-2022-1736",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1736",
+    "title": "An update for gstreamer1-plugins-good is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "GStreamer is a streaming media framework, based on graphs of filters which operate on media data. Applications using this library can do anything from real-time sound processing to playing videos, and just about anything else media-related.  Its plugin-based architecture means that new data types or processing capabilities can be added simply by installing new plugins.\r\n\r\nSecurity Fix(es):\r\n\r\nPotential heap overwrite in the mkv demuxer when handling certain Matroska files in GStreamer versions before 1.20.3.(CVE-2022-1920)\r\n\r\nPotential heap overwrite in the qt demuxer when handling certain QuickTime/MP4 files in GStreamer versions before 1.20.3.(CVE-2022-2122)\r\n\r\nHeap-based buffer overflow in the avi demuxer when handling certain AVI files in GStreamer versions before 1.20.3.(CVE-2022-1921)\r\n\r\nPotential heap overwrite in the mkv demuxer when handling certain Matroska/WebM files in GStreamer versions before 1.20.3.(CVE-2022-1922)\r\n\r\nPotential heap overwrite in the mkv demuxer when handling certain Matroska/WebM files in GStreamer versions before 1.20.3.(CVE-2022-1923)\r\n\r\nPotential heap overwrite in the mkv demuxer when handling certain Matroska/WebM files in GStreamer versions before 1.20.3.(CVE-2022-1924)\r\n\r\nPotential heap overwrite in the mkv demuxer when handling certain Matroska/WebM files in GStreamer versions before 1.20.3.(CVE-2022-1925)",
+    "cves": [
+      {
+        "id": "CVE-2022-1925",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1925",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1427": {
+    "id": "openEuler-SA-2024-1427",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1427",
+    "title": "An update for wireshark is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "Wireshark is an open source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer.\r\n\r\nSecurity Fix(es):\r\n\r\nDue to failure in validating the length provided by an attacker-crafted RTPS packet, Wireshark version 4.0.5 and prior, by default, is susceptible to a heap-based buffer overflow, and possibly code execution in the context of the process running Wireshark.(CVE-2023-0666)",
+    "cves": [
+      {
+        "id": "CVE-2023-0666",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0666",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1909": {
+    "id": "openEuler-SA-2023-1909",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1909",
+    "title": "An update for python-twisted is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Twisted is an event-based framework for internet applications, supporting Python 2.7 and Python 3.5+. It includes modules for many different purposes, including the following:\r\n\r\nSecurity Fix(es):\r\n\r\ntwisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the `twited.web.RedirectAgent` and `twisted.web. BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There are no known workarounds.(CVE-2022-21712)\r\n\r\nTwisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0, Twisted SSH client and server implement is able to accept an infinite amount of data for the peer's SSH version identifier. This ends up with a buffer using all the available memory. The attach is a simple as `nc -rv localhost 22 < /dev/zero`. A patch is available in version 22.2.0. There are currently no known workarounds.(CVE-2022-21716)\r\n\r\nTwisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.(CVE-2022-24801)\r\n\r\nTwisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.(CVE-2022-39348)",
+    "cves": [
+      {
+        "id": "CVE-2022-39348",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39348",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1281": {
+    "id": "openEuler-SA-2021-1281",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1281",
+    "title": "An update for python-reportlab is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "The ReportLab Toolkit. An Open Source Python library for generating PDFs and graphics.\r\n\r\nSecurity Fix(es):\r\n\r\nReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color=\"' followed by arbitrary Python code.(CVE-2019-17626)",
+    "cves": [
+      {
+        "id": "CVE-2019-17626",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17626",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1330": {
+    "id": "openEuler-SA-2021-1330",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1330",
+    "title": "An update for OpenSSL is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nIn order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).(CVE-2021-3711)\r\n\r\nASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).(CVE-2021-3712)",
+    "cves": [
+      {
+        "id": "CVE-2021-3712",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3712",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1577": {
+    "id": "openEuler-SA-2023-1577",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1577",
+    "title": "An update for postgresql is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "PostgreSQL is an advanced Object-Relational database management system (DBMS) that supports almost all SQL constructs (including transactions, subselects and user-defined types and functions). The postgresql package includes the client programs and libraries that you'll need to access a PostgreSQL DBMS server.\r\n\r\nSecurity Fix(es):\r\n\r\nIN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or \"\"). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.(CVE-2023-39417)",
+    "cves": [
+      {
+        "id": "CVE-2023-39417",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39417",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1296": {
+    "id": "openEuler-SA-2024-1296",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1296",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: pvrusb2: fix use after free on context disconnection\r\n\r\nUpon module load, a kthread is created targeting the\npvr2_context_thread_func function, which may call pvr2_context_destroy\nand thus call kfree() on the context object. However, that might happen\nbefore the usb hub_event handler is able to notify the driver. This\npatch adds a sanity check before the invalid read reported by syzbot,\nwithin the context disconnection call stack.(CVE-2023-52445)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmtd: Fix gluebi NULL pointer dereference caused by ftl notifier\r\n\r\nIf both ftl.ko and gluebi.ko are loaded, the notifier of ftl\ntriggers NULL pointer dereference when trying to access\n‘gluebi->desc’ in gluebi_read().\r\n\r\nubi_gluebi_init\n  ubi_register_volume_notifier\n    ubi_enumerate_volumes\n      ubi_notify_all\n        gluebi_notify    nb->notifier_call()\n          gluebi_create\n            mtd_device_register\n              mtd_device_parse_register\n                add_mtd_device\n                  blktrans_notify_add   not->add()\n                    ftl_add_mtd         tr->add_mtd()\n                      scan_header\n                        mtd_read\n                          mtd_read_oob\n                            mtd_read_oob_std\n                              gluebi_read   mtd->read()\n                                gluebi->desc - NULL\r\n\r\nDetailed reproduction information available at the Link [1],\r\n\r\nIn the normal case, obtain gluebi->desc in the gluebi_get_device(),\nand access gluebi->desc in the gluebi_read(). However,\ngluebi_get_device() is not executed in advance in the\nftl_add_mtd() process, which leads to NULL pointer dereference.\r\n\r\nThe solution for the gluebi module is to run jffs2 on the UBI\nvolume without considering working with ftl or mtdblock [2].\nTherefore, this problem can be avoided by preventing gluebi from\ncreating the mtdblock device after creating mtd partition of the\ntype MTD_UBIVOLUME.(CVE-2023-52449)",
+    "cves": [
+      {
+        "id": "CVE-2023-52449",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52449",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1332": {
+    "id": "openEuler-SA-2024-1332",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1332",
+    "title": "An update for python-yaql is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "YAQL (Yet Another Query Language) is an embeddable and extensible query language, that allows performing complex queries against arbitrary objects. It has a vast and comprehensive standard library of frequently used querying functions and can be extend even further with user-specified functions. YAQL is written in python and is distributed via PyPI.\r\n\r\nSecurity Fix(es):\r\n\r\nIn OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information.(CVE-2024-29156)",
+    "cves": [
+      {
+        "id": "CVE-2024-29156",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29156",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1819": {
+    "id": "openEuler-SA-2022-1819",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1819",
+    "title": "An update for libdwarf is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Libdwarf is a library of functions to provide read/write DWARF debugging records.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in libdwarf. A possible memory leak allows an attacker to input a specially crafted file, leading to a crash. The highest threat from this vulnerability is to system availability.(CVE-2020-27545)\r\n\r\nA flaw was found in libdwarf. A possible null pointer dereference vulnerability allows an attacker to input a specially crafted file, leading to a crash. The highest threat from this vulnerability is to system availability.(CVE-2020-28163)",
+    "cves": [
+      {
+        "id": "CVE-2020-28163",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28163",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1403": {
+    "id": "openEuler-SA-2024-1403",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1403",
+    "title": "An update for nodejs-qs is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "This is a query string parser for node and the browser supporting nesting, as it was removed from 0.3.x, so this library provides the previous and commonly desired behavior (and twice as fast). Used by express, connect and others.\r\n\r\nSecurity Fix(es):\r\n\r\nqs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).(CVE-2022-24999)",
+    "cves": [
+      {
+        "id": "CVE-2022-24999",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1889": {
+    "id": "openEuler-SA-2023-1889",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1889",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free flaw was found in setup_async_work in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. This issue could allow an attacker to crash the system by accessing freed work.(CVE-2023-1193)",
+    "cves": [
+      {
+        "id": "CVE-2023-1193",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1193",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1553": {
+    "id": "openEuler-SA-2024-1553",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1553",
+    "title": "An update for httpd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\r\n\r\nSecurity Fix(es):\r\n\r\nFaulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses.\r\n\r\nThis issue affects Apache HTTP Server: through 2.4.58.\n(CVE-2023-38709)\r\n\r\nHTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack.\r\n\r\nUsers are recommended to upgrade to version 2.4.59, which fixes this issue.(CVE-2024-24795)\r\n\r\nHTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.(CVE-2024-27316)",
+    "cves": [
+      {
+        "id": "CVE-2024-27316",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27316",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1577": {
+    "id": "openEuler-SA-2024-1577",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1577",
+    "title": "An update for kubernetes is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Low",
+    "description": "Container cluster management.\r\n\r\nSecurity Fix(es):\r\n\r\nA security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.\r\n\r\n(CVE-2024-3177)",
+    "cves": [
+      {
+        "id": "CVE-2024-3177",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3177",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1854": {
+    "id": "openEuler-SA-2024-1854",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1854",
+    "title": "An update for httpd is now available for openEuler-24.03-LTS",
+    "severity": "High",
+    "description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\r\n\r\nSecurity Fix(es):\r\n\r\nServing WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.(CVE-2024-36387)\r\n\r\nSubstitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in\ndirectories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI.\r\n\r\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue.\r\n\r\nSome RewriteRules that capture and substitute unsafely will now fail unless rewrite flag \"UnsafeAllow3F\" is specified.(CVE-2024-38474)\r\n\r\nnull pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request.\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue.(CVE-2024-38477)",
+    "cves": [
+      {
+        "id": "CVE-2024-36387",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36387",
+        "severity": "None"
+      },
+      {
+        "id": "CVE-2024-38477",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38477",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1684": {
+    "id": "openEuler-SA-2023-1684",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1684",
+    "title": "An update for firefox is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Mozilla Firefox is a standalone web browser, designed for standards compliance and performance.  Its functionality can be enhanced via a plethora of extensions.\r\n\r\nSecurity Fix(es):\r\n\r\nThere exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free. \n(CVE-2023-1999)",
+    "cves": [
+      {
+        "id": "CVE-2023-1999",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1999",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1448": {
+    "id": "openEuler-SA-2023-1448",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1448",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nAn issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_net.c has a .disconnect versus dvb_device_open race condition that leads to a use-after-free.(CVE-2022-45886)\n\nA use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c.\n\nMishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue.\n\nWe recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97.(CVE-2023-3390)\n\nLinux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace(CVE-2023-35001)",
+    "cves": [
+      {
+        "id": "CVE-2023-35001",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35001",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1598": {
+    "id": "openEuler-SA-2024-1598",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1598",
+    "title": "An update for xorg-x11-server-xwayland is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Xwayland is an X server for running X clients under Wayland.   %package devel Summary: Development package Requires: pkgconfig   %description devel The development package provides the developmental files which are necessary for developing Wayland compositors using Xwayland.   %prep %autosetup -n xwayland-   %build %meson \\         -Dxwayland_eglstream=true \\         -Ddefault_font_path=\"catalogue:/etc/X11/fontpath.d,built-ins\" \\         -Dbuilder_string=\"Build ID:  -\" \\         -Dxkb_output_dir=/lib/xkb \\         -Dxcsecurity=true \\         -Dglamor=true \\         -Ddri3=true   %meson_build\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds memory access flaw was found in the X.Org server. This issue can be triggered when a device frozen by a sync grab is reattached to a different master device. This issue may lead to an application crash, local privilege escalation (if the server runs with extended privileges), or remote code execution in SSH X11 forwarding environments.(CVE-2024-0229)\r\n\r\nA flaw was found in the X.Org server. The cursor code in both Xephyr and Xwayland uses the wrong type of private at creation. It uses the cursor bits type with the cursor as private, and when initiating the cursor, that overwrites the XSELINUX context.(CVE-2024-0409)",
+    "cves": [
+      {
+        "id": "CVE-2024-0409",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0409",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1497": {
+    "id": "openEuler-SA-2024-1497",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1497",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvt: fix memory overlapping when deleting chars in the buffer\r\n\r\nA memory overlapping copy occurs when deleting a long line. This memory\noverlapping copy can cause data corruption when scr_memcpyw is optimized\nto memcpy because memcpy does not ensure its behavior if the destination\nbuffer overlaps with the source buffer. The line buffer is not always\nbroken, because the memcpy utilizes the hardware acceleration, whose\nresult is not deterministic.\r\n\r\nFix this problem by using replacing the scr_memcpyw with scr_memmovew.(CVE-2022-48627)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: qcom-rng - ensure buffer for generate is completely filled\r\n\r\nThe generate function in struct rng_alg expects that the destination\nbuffer is completely filled if the function returns 0. qcom_rng_read()\ncan run into a situation where the buffer is partially filled with\nrandomness and the remaining part of the buffer is zeroed since\nqcom_rng_generate() doesn't check the return value. This issue can\nbe reproduced by running the following from libkcapi:\r\n\r\n    kcapi-rng -b 9000000 > OUTFILE\r\n\r\nThe generated OUTFILE will have three huge sections that contain all\nzeros, and this is caused by the code where the test\n'val & PRNG_STATUS_DATA_AVAIL' fails.\r\n\r\nLet's fix this issue by ensuring that qcom_rng_read() always returns\nwith a full buffer if the function returns success. Let's also have\nqcom_rng_generate() return the correct value.\r\n\r\nHere's some statistics from the ent project\n(https://www.fourmilab.ch/random/) that shows information about the\nquality of the generated numbers:\r\n\r\n    $ ent -c qcom-random-before\n    Value Char Occurrences Fraction\n      0           606748   0.067416\n      1            33104   0.003678\n      2            33001   0.003667\n    ...\n    253   �        32883   0.003654\n    254   �        33035   0.003671\n    255   �        33239   0.003693\r\n\r\n    Total:       9000000   1.000000\r\n\r\n    Entropy = 7.811590 bits per byte.\r\n\r\n    Optimum compression would reduce the size\n    of this 9000000 byte file by 2 percent.\r\n\r\n    Chi square distribution for 9000000 samples is 9329962.81, and\n    randomly would exceed this value less than 0.01 percent of the\n    times.\r\n\r\n    Arithmetic mean value of data bytes is 119.3731 (127.5 = random).\n    Monte Carlo value for Pi is 3.197293333 (error 1.77 percent).\n    Serial correlation coefficient is 0.159130 (totally uncorrelated =\n    0.0).\r\n\r\nWithout this patch, the results of the chi-square test is 0.01%, and\nthe numbers are certainly not random according to ent's project page.\nThe results improve with this patch:\r\n\r\n    $ ent -c qcom-random-after\n    Value Char Occurrences Fraction\n      0            35432   0.003937\n      1            35127   0.003903\n      2            35424   0.003936\n    ...\n    253   �        35201   0.003911\n    254   �        34835   0.003871\n    255   �        35368   0.003930\r\n\r\n    Total:       9000000   1.000000\r\n\r\n    Entropy = 7.999979 bits per byte.\r\n\r\n    Optimum compression would reduce the size\n    of this 9000000 byte file by 0 percent.\r\n\r\n    Chi square distribution for 9000000 samples is 258.77, and randomly\n    would exceed this value 42.24 percent of the times.\r\n\r\n    Arithmetic mean value of data bytes is 127.5006 (127.5 = random).\n    Monte Carlo value for Pi is 3.141277333 (error 0.01 percent).\n    Serial correlation coefficient is 0.000468 (totally uncorrelated =\n    0.0).\r\n\r\nThis change was tested on a Nexus 5 phone (msm8974 SoC).(CVE-2022-48629)\r\n\r\nThe brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.(CVE-2023-47233)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm: Don't unref the same fb many times by mistake due to deadlock handling\r\n\r\nIf we get a deadlock after the fb lookup in drm_mode_page_flip_ioctl()\nwe proceed to unref the fb and then retry the whole thing from the top.\nBut we forget to reset the fb pointer back to NULL, and so if we then\nget another error during the retry, before the fb lookup, we proceed\nthe unref the same fb again without having gotten another reference.\nThe end result is that the fb will (eventually) end up being freed\nwhile it's still in use.\r\n\r\nReset fb to NULL once we've unreffed it to avoid doing it again\nuntil we've done another fb lookup.\r\n\r\nThis turned out to be pretty easy to hit on a DG2 when doing async\nflips (and CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y). The first symptom I\nsaw that drm_closefb() simply got stuck in a busy loop while walking\nthe framebuffer list. Fortunately I was able to convince it to oops\ninstead, and from there it was easier to track down the culprit.(CVE-2023-52486)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nx86/alternatives: Disable KASAN in apply_alternatives()\r\n\r\nFei has reported that KASAN triggers during apply_alternatives() on\na 5-level paging machine:\r\n\r\n\tBUG: KASAN: out-of-bounds in rcu_is_watching()\n\tRead of size 4 at addr ff110003ee6419a0 by task swapper/0/0\n\t...\n\t__asan_load4()\n\trcu_is_watching()\n\ttrace_hardirqs_on()\n\ttext_poke_early()\n\tapply_alternatives()\n\t...\r\n\r\nOn machines with 5-level paging, cpu_feature_enabled(X86_FEATURE_LA57)\ngets patched. It includes KASAN code, where KASAN_SHADOW_START depends on\n__VIRTUAL_MASK_SHIFT, which is defined with cpu_feature_enabled().\r\n\r\nKASAN gets confused when apply_alternatives() patches the\nKASAN_SHADOW_START users. A test patch that makes KASAN_SHADOW_START\nstatic, by replacing __VIRTUAL_MASK_SHIFT with 56, works around the issue.\r\n\r\nFix it for real by disabling KASAN while the kernel is patching alternatives.\r\n\r\n[ mingo: updated the changelog ](CVE-2023-52504)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: nfc: llcp: Add lock when modifying device list\r\n\r\nThe device list needs its associated lock held when modifying it, or the\nlist could become corrupted, as syzbot discovered.(CVE-2023-52524)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/mm: Fix null-pointer dereference in pgtable_cache_add\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.(CVE-2023-52607)\r\n\r\nA null pointer dereference vulnerability was found in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() in drivers/net/wireless/ath/ath10k/wmi-tlv.c in the Linux kernel. This issue could be exploited to trigger a denial of service.(CVE-2023-7042)\r\n\r\nA race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.\r\n\r\n\r\n\r\n\n(CVE-2024-24861)\r\n\r\ncreate_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.(CVE-2024-25739)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/smc: fix illegal rmb_desc access in SMC-D connection dump\r\n\r\nA crash was found when dumping SMC-D connections. It can be reproduced\nby following steps:\r\n\r\n- run nginx/wrk test:\n  smc_run nginx\n  smc_run wrk -t 16 -c 1000 -d <duration> -H 'Connection: Close' <URL>\r\n\r\n- continuously dump SMC-D connections in parallel:\n  watch -n 1 'smcss -D'\r\n\r\n BUG: kernel NULL pointer dereference, address: 0000000000000030\n CPU: 2 PID: 7204 Comm: smcss Kdump: loaded Tainted: G\tE      6.7.0+ #55\n RIP: 0010:__smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]\n Call Trace:\n  <TASK>\n  ? __die+0x24/0x70\n  ? page_fault_oops+0x66/0x150\n  ? exc_page_fault+0x69/0x140\n  ? asm_exc_page_fault+0x26/0x30\n  ? __smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]\n  ? __kmalloc_node_track_caller+0x35d/0x430\n  ? __alloc_skb+0x77/0x170\n  smc_diag_dump_proto+0xd0/0xf0 [smc_diag]\n  smc_diag_dump+0x26/0x60 [smc_diag]\n  netlink_dump+0x19f/0x320\n  __netlink_dump_start+0x1dc/0x300\n  smc_diag_handler_dump+0x6a/0x80 [smc_diag]\n  ? __pfx_smc_diag_dump+0x10/0x10 [smc_diag]\n  sock_diag_rcv_msg+0x121/0x140\n  ? __pfx_sock_diag_rcv_msg+0x10/0x10\n  netlink_rcv_skb+0x5a/0x110\n  sock_diag_rcv+0x28/0x40\n  netlink_unicast+0x22a/0x330\n  netlink_sendmsg+0x1f8/0x420\n  __sock_sendmsg+0xb0/0xc0\n  ____sys_sendmsg+0x24e/0x300\n  ? copy_msghdr_from_user+0x62/0x80\n  ___sys_sendmsg+0x7c/0xd0\n  ? __do_fault+0x34/0x160\n  ? do_read_fault+0x5f/0x100\n  ? do_fault+0xb0/0x110\n  ? __handle_mm_fault+0x2b0/0x6c0\n  __sys_sendmsg+0x4d/0x80\n  do_syscall_64+0x69/0x180\n  entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\nIt is possible that the connection is in process of being established\nwhen we dump it. Assumed that the connection has been registered in a\nlink group by smc_conn_create() but the rmb_desc has not yet been\ninitialized by smc_buf_create(), thus causing the illegal access to\nconn->rmb_desc. So fix it by checking before dump.(CVE-2024-26615)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: sh: aica: reorder cleanup operations to avoid UAF bugs\r\n\r\nThe dreamcastcard->timer could schedule the spu_dma_work and the\nspu_dma_work could also arm the dreamcastcard->timer.\r\n\r\nWhen the snd_pcm_substream is closing, the aica_channel will be\ndeallocated. But it could still be dereferenced in the worker\nthread. The reason is that del_timer() will return directly\nregardless of whether the timer handler is running or not and\nthe worker could be rescheduled in the timer handler. As a result,\nthe UAF bug will happen. The racy situation is shown below:\r\n\r\n      (Thread 1)                 |      (Thread 2)\nsnd_aicapcm_pcm_close()          |\n ...                             |  run_spu_dma() //worker\n                                 |    mod_timer()\n  flush_work()                   |\n  del_timer()                    |  aica_period_elapsed() //timer\n  kfree(dreamcastcard->channel)  |    schedule_work()\n                                 |  run_spu_dma() //worker\n  ...                            |    dreamcastcard->channel-> //USE\r\n\r\nIn order to mitigate this bug and other possible corner cases,\ncall mod_timer() conditionally in run_spu_dma(), then implement\nPCM sync_stop op to cancel both the timer and worker. The sync_stop\nop will be called from PCM core appropriately when needed.(CVE-2024-26654)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntipc: Check the bearer type before calling tipc_udp_nl_bearer_add()\r\n\r\nsyzbot reported the following general protection fault [1]:\r\n\r\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000080-0x0000000000000087]\n...\nRIP: 0010:tipc_udp_is_known_peer+0x9c/0x250 net/tipc/udp_media.c:291\n...\nCall Trace:\n <TASK>\n tipc_udp_nl_bearer_add+0x212/0x2f0 net/tipc/udp_media.c:646\n tipc_nl_bearer_add+0x21e/0x360 net/tipc/bearer.c:1089\n genl_family_rcv_msg_doit+0x1fc/0x2e0 net/netlink/genetlink.c:972\n genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline]\n genl_rcv_msg+0x561/0x800 net/netlink/genetlink.c:1067\n netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2544\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1367\n netlink_sendmsg+0x8b7/0xd70 net/netlink/af_netlink.c:1909\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0xd5/0x180 net/socket.c:745\n ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584\n ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638\n __sys_sendmsg+0x117/0x1e0 net/socket.c:2667\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nThe cause of this issue is that when tipc_nl_bearer_add() is called with\nthe TIPC_NLA_BEARER_UDP_OPTS attribute, tipc_udp_nl_bearer_add() is called\neven if the bearer is not UDP.\r\n\r\ntipc_udp_is_known_peer() called by tipc_udp_nl_bearer_add() assumes that\nthe media_ptr field of the tipc_bearer has an udp_bearer type object, so\nthe function goes crazy for non-UDP bearers.\r\n\r\nThis patch fixes the issue by checking the bearer type before calling\ntipc_udp_nl_bearer_add() in tipc_nl_bearer_add().(CVE-2024-26663)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix hang in nilfs_lookup_dirty_data_buffers()\r\n\r\nSyzbot reported a hang issue in migrate_pages_batch() called by mbind()\nand nilfs_lookup_dirty_data_buffers() called in the log writer of nilfs2.\r\n\r\nWhile migrate_pages_batch() locks a folio and waits for the writeback to\ncomplete, the log writer thread that should bring the writeback to\ncompletion picks up the folio being written back in\nnilfs_lookup_dirty_data_buffers() that it calls for subsequent log\ncreation and was trying to lock the folio.  Thus causing a deadlock.\r\n\r\nIn the first place, it is unexpected that folios/pages in the middle of\nwriteback will be updated and become dirty.  Nilfs2 adds a checksum to\nverify the validity of the log being written and uses it for recovery at\nmount, so data changes during writeback are suppressed.  Since this is\nbroken, an unclean shutdown could potentially cause recovery to fail.\r\n\r\nInvestigation revealed that the root cause is that the wait for writeback\ncompletion in nilfs_page_mkwrite() is conditional, and if the backing\ndevice does not require stable writes, data may be modified without\nwaiting.\r\n\r\nFix these issues by making nilfs_page_mkwrite() wait for writeback to\nfinish regardless of the stable write requirement of the backing device.(CVE-2024-26696)",
+    "cves": [
+      {
+        "id": "CVE-2024-26696",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26696",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1528": {
+    "id": "openEuler-SA-2023-1528",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1528",
+    "title": "An update for krb5 is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.\r\n\r\nSecurity Fix(es):\r\n\r\nlib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.(CVE-2023-36054)",
+    "cves": [
+      {
+        "id": "CVE-2023-36054",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36054",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1514": {
+    "id": "openEuler-SA-2023-1514",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1514",
+    "title": "An update for procps-ng is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The procps package contains a set of system utilities that provide system information. Procps includes ps, free, skill, pkill, pgrep, snice, tload, top, uptime, vmstat, pidof, pmap, slabtop, w, watch and pwdx.\r\n\r\nSecurity Fix(es):\r\n\r\nUnder some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.(CVE-2023-4016)",
+    "cves": [
+      {
+        "id": "CVE-2023-4016",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4016",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1244": {
+    "id": "openEuler-SA-2021-1244",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1244",
+    "title": "An update for openldap is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. LDAP is a set of protocols for accessing directory services (usually phone book style information, but other information is possible) over the Internet, similar to the way DNS (Domain Name System) information is propagated over the Internet. The openldap package contains configuration files, libraries, and documentation for OpenLDAP.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in OpenLDAP in versions before 2.4.56. This flaw allows an attacker who sends a malicious packet processed by OpenLDAP to force a failed assertion in csnNormalize23(). The highest threat from this vulnerability is to system availability.(CVE-2020-25710)",
+    "cves": [
+      {
+        "id": "CVE-2020-25710",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25710",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1253": {
+    "id": "openEuler-SA-2023-1253",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1253",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Linux kernel in linux/net/netfilter/nf_tables_api.c of the netfilter subsystem. This flaw allows a local user to cause an out-of-bounds write issue.(CVE-2022-1015)\r\n\r\nAn out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).(CVE-2022-36280)\r\n\r\nAn issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8. nVMX on x86_64 lacks consistency checks for CR0 and CR4.(CVE-2023-30456)\r\n\r\nA use-after-free flaw was found in btsdio_remove in drivers\\bluetooth\\btsdio.c in the Linux Kernel. In this flaw, a call to btsdio_remove with an unfinished job, may cause a race problem leading to a UAF on hdev devices.(CVE-2023-1989)\r\n\r\nA use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root.\nWe recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28.\r\n\r\n(CVE-2023-1829)",
+    "cves": [
+      {
+        "id": "CVE-2023-1829",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1829",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1150": {
+    "id": "openEuler-SA-2024-1150",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1150",
+    "title": "An update for openjdk-11 is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2024-20918)\r\n\r\nDifficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.(CVE-2024-20919)\r\n\r\nDifficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.(CVE-2024-20921)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2024-20926)\r\n\r\nDifficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).(CVE-2024-20945)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2024-20952)",
+    "cves": [
+      {
+        "id": "CVE-2024-20952",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20952",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1618": {
+    "id": "openEuler-SA-2024-1618",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1618",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntun: avoid double free in tun_free_netdev\r\n\r\nAvoid double free in tun_free_netdev() by moving the\ndev->tstats and tun->security allocs to a new ndo_init routine\n(tun_net_init()) that will be called by register_netdevice().\nndo_init is paired with the desctructor (tun_free_netdev()),\nso if there's an error in register_netdevice() the destructor\nwill handle the frees.\r\n\r\nBUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605\r\n\r\nCPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1\nHardware name: Red Hat KVM, BIOS\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106\nprint_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247\nkasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372\n____kasan_slab_free mm/kasan/common.c:346 [inline]\n__kasan_slab_free+0x107/0x120 mm/kasan/common.c:374\nkasan_slab_free include/linux/kasan.h:235 [inline]\nslab_free_hook mm/slub.c:1723 [inline]\nslab_free_freelist_hook mm/slub.c:1749 [inline]\nslab_free mm/slub.c:3513 [inline]\nkfree+0xac/0x2d0 mm/slub.c:4561\nselinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605\nsecurity_tun_dev_free_security+0x4f/0x90 security/security.c:2342\ntun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215\nnetdev_run_todo+0x4df/0x840 net/core/dev.c:10627\nrtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112\n__tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302\ntun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311\nvfs_ioctl fs/ioctl.c:51 [inline]\n__do_sys_ioctl fs/ioctl.c:874 [inline]\n__se_sys_ioctl fs/ioctl.c:860 [inline]\n__x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x44/0xae(CVE-2021-47082)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nx86/kvm: Disable kvmclock on all CPUs on shutdown\r\n\r\nCurrenly, we disable kvmclock from machine_shutdown() hook and this\nonly happens for boot CPU. We need to disable it for all CPUs to\nguard against memory corruption e.g. on restore from hibernate.\r\n\r\nNote, writing '0' to kvmclock MSR doesn't clear memory location, it\njust prevents hypervisor from updating the location so for the short\nwhile after write and while CPU is still alive, the clock remains usable\nand correct so we don't need to switch to some other clocksource.(CVE-2021-47110)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni40e: Fix NULL ptr dereference on VSI filter sync\r\n\r\nRemove the reason of null pointer dereference in sync VSI filters.\nAdded new I40E_VSI_RELEASING flag to signalize deleting and releasing\nof VSI resources to sync this thread with sync filters subtask.\nWithout this patch it is possible to start update the VSI filter list\nafter VSI is removed, that's causing a kernel oops.(CVE-2021-47184)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nerofs: fix pcluster use-after-free on UP platforms\r\n\r\nDuring stress testing with CONFIG_SMP disabled, KASAN reports as below:\r\n\r\n==================================================================\nBUG: KASAN: use-after-free in __mutex_lock+0xe5/0xc30\nRead of size 8 at addr ffff8881094223f8 by task stress/7789\r\n\r\nCPU: 0 PID: 7789 Comm: stress Not tainted 6.0.0-rc1-00002-g0d53d2e882f9 #3\nHardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\nCall Trace:\n <TASK>\n..\n __mutex_lock+0xe5/0xc30\n..\n z_erofs_do_read_page+0x8ce/0x1560\n..\n z_erofs_readahead+0x31c/0x580\n..\nFreed by task 7787\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x20/0x30\n kasan_set_free_info+0x20/0x40\n __kasan_slab_free+0x10c/0x190\n kmem_cache_free+0xed/0x380\n rcu_core+0x3d5/0xc90\n __do_softirq+0x12d/0x389\r\n\r\nLast potentially related work creation:\n kasan_save_stack+0x1e/0x40\n __kasan_record_aux_stack+0x97/0xb0\n call_rcu+0x3d/0x3f0\n erofs_shrink_workstation+0x11f/0x210\n erofs_shrink_scan+0xdc/0x170\n shrink_slab.constprop.0+0x296/0x530\n drop_slab+0x1c/0x70\n drop_caches_sysctl_handler+0x70/0x80\n proc_sys_call_handler+0x20a/0x2f0\n vfs_write+0x555/0x6c0\n ksys_write+0xbe/0x160\n do_syscall_64+0x3b/0x90\r\n\r\nThe root cause is that erofs_workgroup_unfreeze() doesn't reset to\norig_val thus it causes a race that the pcluster reuses unexpectedly\nbefore freeing.\r\n\r\nSince UP platforms are quite rare now, such path becomes unnecessary.\nLet's drop such specific-designed path directly instead.(CVE-2022-48674)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhwrng: core - Fix page fault dead lock on mmap-ed hwrng\r\n\r\nThere is a dead-lock in the hwrng device read path.  This triggers\nwhen the user reads from /dev/hwrng into memory also mmap-ed from\n/dev/hwrng.  The resulting page fault triggers a recursive read\nwhich then dead-locks.\r\n\r\nFix this by using a stack buffer when calling copy_to_user.(CVE-2023-52615)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: disallow timeout for anonymous sets\r\n\r\nNever used from userspace, disallow these parameters.(CVE-2023-52620)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nSUNRPC: Fix a suspicious RCU usage warning\r\n\r\nI received the following warning while running cthon against an ontap\nserver running pNFS:\r\n\r\n[   57.202521] =============================\n[   57.202522] WARNING: suspicious RCU usage\n[   57.202523] 6.7.0-rc3-g2cc14f52aeb7 #41492 Not tainted\n[   57.202525] -----------------------------\n[   57.202525] net/sunrpc/xprtmultipath.c:349 RCU-list traversed in non-reader section!!\n[   57.202527]\n               other info that might help us debug this:\r\n\r\n[   57.202528]\n               rcu_scheduler_active = 2, debug_locks = 1\n[   57.202529] no locks held by test5/3567.\n[   57.202530]\n               stack backtrace:\n[   57.202532] CPU: 0 PID: 3567 Comm: test5 Not tainted 6.7.0-rc3-g2cc14f52aeb7 #41492 5b09971b4965c0aceba19f3eea324a4a806e227e\n[   57.202534] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 2/2/2022\n[   57.202536] Call Trace:\n[   57.202537]  <TASK>\n[   57.202540]  dump_stack_lvl+0x77/0xb0\n[   57.202551]  lockdep_rcu_suspicious+0x154/0x1a0\n[   57.202556]  rpc_xprt_switch_has_addr+0x17c/0x190 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202596]  rpc_clnt_setup_test_and_add_xprt+0x50/0x180 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202621]  ? rpc_clnt_add_xprt+0x254/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202646]  rpc_clnt_add_xprt+0x27a/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202671]  ? __pfx_rpc_clnt_setup_test_and_add_xprt+0x10/0x10 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202696]  nfs4_pnfs_ds_connect+0x345/0x760 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202728]  ? __pfx_nfs4_test_session_trunk+0x10/0x10 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202754]  nfs4_fl_prepare_ds+0x75/0xc0 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]\n[   57.202760]  filelayout_write_pagelist+0x4a/0x200 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]\n[   57.202765]  pnfs_generic_pg_writepages+0xbe/0x230 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202788]  __nfs_pageio_add_request+0x3fd/0x520 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202813]  nfs_pageio_add_request+0x18b/0x390 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202831]  nfs_do_writepage+0x116/0x1e0 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202849]  nfs_writepages_callback+0x13/0x30 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202866]  write_cache_pages+0x265/0x450\n[   57.202870]  ? __pfx_nfs_writepages_callback+0x10/0x10 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202891]  nfs_writepages+0x141/0x230 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202913]  do_writepages+0xd2/0x230\n[   57.202917]  ? filemap_fdatawrite_wbc+0x5c/0x80\n[   57.202921]  filemap_fdatawrite_wbc+0x67/0x80\n[   57.202924]  filemap_write_and_wait_range+0xd9/0x170\n[   57.202930]  nfs_wb_all+0x49/0x180 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202947]  nfs4_file_flush+0x72/0xb0 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202969]  __se_sys_close+0x46/0xd0\n[   57.202972]  do_syscall_64+0x68/0x100\n[   57.202975]  ? do_syscall_64+0x77/0x100\n[   57.202976]  ? do_syscall_64+0x77/0x100\n[   57.202979]  entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[   57.202982] RIP: 0033:0x7fe2b12e4a94\n[   57.202985] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d d5 18 0e 00 00 74 13 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 44 c3 0f 1f 00 48 83 ec 18 89 7c 24 0c e8 c3\n[   57.202987] RSP: 002b:00007ffe857ddb38 EFLAGS: 00000202 ORIG_RAX: 0000000000000003\n[   57.202989] RAX: ffffffffffffffda RBX: 00007ffe857dfd68 RCX: 00007fe2b12e4a94\n[   57.202991] RDX: 0000000000002000 RSI: 00007ffe857ddc40 RDI: 0000000000000003\n[   57.202992] RBP: 00007ffe857dfc50 R08: 7fffffffffffffff R09: 0000000065650f49\n[   57.202993] R10: 00007f\n---truncated---(CVE-2023-52623)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsh: push-switch: Reorder cleanup operations to avoid use-after-free bug\r\n\r\nThe original code puts flush_work() before timer_shutdown_sync()\nin switch_drv_remove(). Although we use flush_work() to stop\nthe worker, it could be rescheduled in switch_timer(). As a result,\na use-after-free bug can occur. The details are shown below:\r\n\r\n      (cpu 0)                    |      (cpu 1)\nswitch_drv_remove()              |\n flush_work()                    |\n  ...                            |  switch_timer // timer\n                                 |   schedule_work(&psw->work)\n timer_shutdown_sync()           |\n ...                             |  switch_work_handler // worker\n kfree(psw) // free              |\n                                 |   psw->state = 0 // use\r\n\r\nThis patch puts timer_shutdown_sync() before flush_work() to\nmitigate the bugs. As a result, the worker and timer will be\nstopped safely before the deallocate operations.(CVE-2023-52629)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nPM / devfreq: Synchronize devfreq_monitor_[start/stop]\r\n\r\nThere is a chance if a frequent switch of the governor\ndone in a loop result in timer list corruption where\ntimer cancel being done from two place one from\ncancel_delayed_work_sync() and followed by expire_timers()\ncan be seen from the traces[1].\r\n\r\nwhile true\ndo\n        echo \"simple_ondemand\" > /sys/class/devfreq/1d84000.ufshc/governor\n        echo \"performance\" > /sys/class/devfreq/1d84000.ufshc/governor\ndone\r\n\r\nIt looks to be issue with devfreq driver where\ndevice_monitor_[start/stop] need to synchronized so that\ndelayed work should get corrupted while it is either\nbeing queued or running or being cancelled.\r\n\r\nLet's use polling flag and devfreq lock to synchronize the\nqueueing the timer instance twice and work data being\ncorrupted.\r\n\r\n[1]\n...\n..\n<idle>-0    [003]   9436.209662:  timer_cancel   timer=0xffffff80444f0428\n<idle>-0    [003]   9436.209664:  timer_expire_entry   timer=0xffffff80444f0428  now=0x10022da1c  function=__typeid__ZTSFvP10timer_listE_global_addr  baseclk=0x10022da1c\n<idle>-0    [003]   9436.209718:  timer_expire_exit   timer=0xffffff80444f0428\nkworker/u16:6-14217    [003]   9436.209863:  timer_start   timer=0xffffff80444f0428  function=__typeid__ZTSFvP10timer_listE_global_addr  expires=0x10022da2b  now=0x10022da1c  flags=182452227\nvendor.xxxyyy.ha-1593    [004]   9436.209888:  timer_cancel   timer=0xffffff80444f0428\nvendor.xxxyyy.ha-1593    [004]   9436.216390:  timer_init   timer=0xffffff80444f0428\nvendor.xxxyyy.ha-1593    [004]   9436.216392:  timer_start   timer=0xffffff80444f0428  function=__typeid__ZTSFvP10timer_listE_global_addr  expires=0x10022da2c  now=0x10022da1d  flags=186646532\nvendor.xxxyyy.ha-1593    [005]   9436.220992:  timer_cancel   timer=0xffffff80444f0428\nxxxyyyTraceManag-7795    [004]   9436.261641:  timer_cancel   timer=0xffffff80444f0428\r\n\r\n[2]\r\n\r\n 9436.261653][    C4] Unable to handle kernel paging request at virtual address dead00000000012a\n[ 9436.261664][    C4] Mem abort info:\n[ 9436.261666][    C4]   ESR = 0x96000044\n[ 9436.261669][    C4]   EC = 0x25: DABT (current EL), IL = 32 bits\n[ 9436.261671][    C4]   SET = 0, FnV = 0\n[ 9436.261673][    C4]   EA = 0, S1PTW = 0\n[ 9436.261675][    C4] Data abort info:\n[ 9436.261677][    C4]   ISV = 0, ISS = 0x00000044\n[ 9436.261680][    C4]   CM = 0, WnR = 1\n[ 9436.261682][    C4] [dead00000000012a] address between user and kernel address ranges\n[ 9436.261685][    C4] Internal error: Oops: 96000044 [#1] PREEMPT SMP\n[ 9436.261701][    C4] Skip md ftrace buffer dump for: 0x3a982d0\n...\r\n\r\n[ 9436.262138][    C4] CPU: 4 PID: 7795 Comm: TraceManag Tainted: G S      W  O      5.10.149-android12-9-o-g17f915d29d0c #1\n[ 9436.262141][    C4] Hardware name: Qualcomm Technologies, Inc.  (DT)\n[ 9436.262144][    C4] pstate: 22400085 (nzCv daIf +PAN -UAO +TCO BTYPE=--)\n[ 9436.262161][    C4] pc : expire_timers+0x9c/0x438\n[ 9436.262164][    C4] lr : expire_timers+0x2a4/0x438\n[ 9436.262168][    C4] sp : ffffffc010023dd0\n[ 9436.262171][    C4] x29: ffffffc010023df0 x28: ffffffd0636fdc18\n[ 9436.262178][    C4] x27: ffffffd063569dd0 x26: ffffffd063536008\n[ 9436.262182][    C4] x25: 0000000000000001 x24: ffffff88f7c69280\n[ 9436.262185][    C4] x23: 00000000000000e0 x22: dead000000000122\n[ 9436.262188][    C4] x21: 000000010022da29 x20: ffffff8af72b4e80\n[ 9436.262191][    C4] x19: ffffffc010023e50 x18: ffffffc010025038\n[ 9436.262195][    C4] x17: 0000000000000240 x16: 0000000000000201\n[ 9436.262199][    C4] x15: ffffffffffffffff x14: ffffff889f3c3100\n[ 9436.262203][    C4] x13: ffffff889f3c3100 x12: 00000000049f56b8\n[ 9436.262207][    C4] x11: 00000000049f56b8 x10: 00000000ffffffff\n[ 9436.262212][    C4] x9 : ffffffc010023e50 x8 : dead000000000122\n[ 9436.262216][    C4] x7 : ffffffffffffffff x6 : ffffffc0100239d8\n[ 9436.262220][    C4] x5 : 0000000000000000 x4 : 0000000000000101\n[ 9436.262223][    C4] x3 : 0000000000000080 x2 : ffffff8\n---truncated---(CVE-2023-52635)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncan: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)\r\n\r\nLock jsk->sk to prevent UAF when setsockopt(..., SO_J1939_FILTER, ...)\nmodifies jsk->filters while receiving packets.\r\n\r\nFollowing trace was seen on affected system:\n ==================================================================\n BUG: KASAN: slab-use-after-free in j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n Read of size 4 at addr ffff888012144014 by task j1939/350\r\n\r\n CPU: 0 PID: 350 Comm: j1939 Tainted: G        W  OE      6.5.0-rc5 #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n Call Trace:\n  print_report+0xd3/0x620\n  ? kasan_complete_mode_report_info+0x7d/0x200\n  ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n  kasan_report+0xc2/0x100\n  ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n  __asan_load4+0x84/0xb0\n  j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n  j1939_sk_recv+0x20b/0x320 [can_j1939]\n  ? __kasan_check_write+0x18/0x20\n  ? __pfx_j1939_sk_recv+0x10/0x10 [can_j1939]\n  ? j1939_simple_recv+0x69/0x280 [can_j1939]\n  ? j1939_ac_recv+0x5e/0x310 [can_j1939]\n  j1939_can_recv+0x43f/0x580 [can_j1939]\n  ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]\n  ? raw_rcv+0x42/0x3c0 [can_raw]\n  ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]\n  can_rcv_filter+0x11f/0x350 [can]\n  can_receive+0x12f/0x190 [can]\n  ? __pfx_can_rcv+0x10/0x10 [can]\n  can_rcv+0xdd/0x130 [can]\n  ? __pfx_can_rcv+0x10/0x10 [can]\n  __netif_receive_skb_one_core+0x13d/0x150\n  ? __pfx___netif_receive_skb_one_core+0x10/0x10\n  ? __kasan_check_write+0x18/0x20\n  ? _raw_spin_lock_irq+0x8c/0xe0\n  __netif_receive_skb+0x23/0xb0\n  process_backlog+0x107/0x260\n  __napi_poll+0x69/0x310\n  net_rx_action+0x2a1/0x580\n  ? __pfx_net_rx_action+0x10/0x10\n  ? __pfx__raw_spin_lock+0x10/0x10\n  ? handle_irq_event+0x7d/0xa0\n  __do_softirq+0xf3/0x3f8\n  do_softirq+0x53/0x80\n  </IRQ>\n  <TASK>\n  __local_bh_enable_ip+0x6e/0x70\n  netif_rx+0x16b/0x180\n  can_send+0x32b/0x520 [can]\n  ? __pfx_can_send+0x10/0x10 [can]\n  ? __check_object_size+0x299/0x410\n  raw_sendmsg+0x572/0x6d0 [can_raw]\n  ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]\n  ? apparmor_socket_sendmsg+0x2f/0x40\n  ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]\n  sock_sendmsg+0xef/0x100\n  sock_write_iter+0x162/0x220\n  ? __pfx_sock_write_iter+0x10/0x10\n  ? __rtnl_unlock+0x47/0x80\n  ? security_file_permission+0x54/0x320\n  vfs_write+0x6ba/0x750\n  ? __pfx_vfs_write+0x10/0x10\n  ? __fget_light+0x1ca/0x1f0\n  ? __rcu_read_unlock+0x5b/0x280\n  ksys_write+0x143/0x170\n  ? __pfx_ksys_write+0x10/0x10\n  ? __kasan_check_read+0x15/0x20\n  ? fpregs_assert_state_consistent+0x62/0x70\n  __x64_sys_write+0x47/0x60\n  do_syscall_64+0x60/0x90\n  ? do_syscall_64+0x6d/0x90\n  ? irqentry_exit+0x3f/0x50\n  ? exc_page_fault+0x79/0xf0\n  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\r\n\r\n Allocated by task 348:\n  kasan_save_stack+0x2a/0x50\n  kasan_set_track+0x29/0x40\n  kasan_save_alloc_info+0x1f/0x30\n  __kasan_kmalloc+0xb5/0xc0\n  __kmalloc_node_track_caller+0x67/0x160\n  j1939_sk_setsockopt+0x284/0x450 [can_j1939]\n  __sys_setsockopt+0x15c/0x2f0\n  __x64_sys_setsockopt+0x6b/0x80\n  do_syscall_64+0x60/0x90\n  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\r\n\r\n Freed by task 349:\n  kasan_save_stack+0x2a/0x50\n  kasan_set_track+0x29/0x40\n  kasan_save_free_info+0x2f/0x50\n  __kasan_slab_free+0x12e/0x1c0\n  __kmem_cache_free+0x1b9/0x380\n  kfree+0x7a/0x120\n  j1939_sk_setsockopt+0x3b2/0x450 [can_j1939]\n  __sys_setsockopt+0x15c/0x2f0\n  __x64_sys_setsockopt+0x6b/0x80\n  do_syscall_64+0x60/0x90\n  entry_SYSCALL_64_after_hwframe+0x6e/0xd8(CVE-2023-52637)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncan: j1939: prevent deadlock by changing j1939_socks_lock to rwlock\r\n\r\nThe following 3 locks would race against each other, causing the\ndeadlock situation in the Syzbot bug report:\r\n\r\n- j1939_socks_lock\n- active_session_list_lock\n- sk_session_queue_lock\r\n\r\nA reasonable fix is to change j1939_socks_lock to an rwlock, since in\nthe rare situations where a write lock is required for the linked list\nthat j1939_socks_lock is protecting, the code does not attempt to\nacquire any more locks. This would break the circular lock dependency,\nwhere, for example, the current thread already locks j1939_socks_lock\nand attempts to acquire sk_session_queue_lock, and at the same time,\nanother thread attempts to acquire j1939_socks_lock while holding\nsk_session_queue_lock.\r\n\r\nNOTE: This patch along does not fix the unregister_netdevice bug\nreported by Syzbot; instead, it solves a deadlock situation to prepare\nfor one or more further patches to actually fix the Syzbot bug, which\nappears to be a reference counting problem within the j1939 codebase.\r\n\r\n[mkl: remove unrelated newline change](CVE-2023-52638)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: s390: vsie: fix race during shadow creation\r\n\r\nRight now it is possible to see gmap->private being zero in\nkvm_s390_vsie_gmap_notifier resulting in a crash.  This is due to the\nfact that we add gmap->private == kvm after creation:\r\n\r\nstatic int acquire_gmap_shadow(struct kvm_vcpu *vcpu,\n                               struct vsie_page *vsie_page)\n{\n[...]\n        gmap = gmap_shadow(vcpu->arch.gmap, asce, edat);\n        if (IS_ERR(gmap))\n                return PTR_ERR(gmap);\n        gmap->private = vcpu->kvm;\r\n\r\nLet children inherit the private field of the parent.(CVE-2023-52639)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: rc: bpf attach/detach requires write permission\r\n\r\nNote that bpf attach/detach also requires CAP_NET_ADMIN.(CVE-2023-52642)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled\r\n\r\nWhen QoS is disabled, the queue priority value will not map to the correct\nieee80211 queue since there is only one queue. Stop/wake queue 0 when QoS\nis disabled to prevent trying to stop/wake a non-existent queue and failing\nto stop/wake the actual queue instantiated.\r\n\r\nLog of issue before change (with kernel parameter qos=0):\n    [  +5.112651] ------------[ cut here ]------------\n    [  +0.000005] WARNING: CPU: 7 PID: 25513 at net/mac80211/util.c:449 __ieee80211_wake_queue+0xd5/0x180 [mac80211]\n    [  +0.000067] Modules linked in: b43(O) snd_seq_dummy snd_hrtimer snd_seq snd_seq_device nft_chain_nat xt_MASQUERADE nf_nat xfrm_user xfrm_algo xt_addrtype overlay ccm af_packet amdgpu snd_hda_codec_cirrus snd_hda_codec_generic ledtrig_audio drm_exec amdxcp gpu_sched xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_rpfilter ipt_rpfilter xt_pkttype xt_LOG nf_log_syslog xt_tcpudp nft_compat nf_tables nfnetlink sch_fq_codel btusb uinput iTCO_wdt ctr btrtl intel_pmc_bxt i915 intel_rapl_msr mei_hdcp mei_pxp joydev at24 watchdog btintel atkbd libps2 serio radeon btbcm vivaldi_fmap btmtk intel_rapl_common snd_hda_codec_hdmi bluetooth uvcvideo nls_iso8859_1 applesmc nls_cp437 x86_pkg_temp_thermal snd_hda_intel intel_powerclamp vfat videobuf2_vmalloc coretemp fat snd_intel_dspcfg crc32_pclmul uvc polyval_clmulni snd_intel_sdw_acpi loop videobuf2_memops snd_hda_codec tun drm_suballoc_helper polyval_generic drm_ttm_helper drm_buddy tap ecdh_generic videobuf2_v4l2 gf128mul macvlan ttm ghash_clmulni_intel ecc tg3\n    [  +0.000044]  videodev bridge snd_hda_core rapl crc16 drm_display_helper cec mousedev snd_hwdep evdev intel_cstate bcm5974 hid_appleir videobuf2_common stp mac_hid libphy snd_pcm drm_kms_helper acpi_als mei_me intel_uncore llc mc snd_timer intel_gtt industrialio_triggered_buffer apple_mfi_fastcharge i2c_i801 mei snd lpc_ich agpgart ptp i2c_smbus thunderbolt apple_gmux i2c_algo_bit kfifo_buf video industrialio soundcore pps_core wmi tiny_power_button sbs sbshc button ac cordic bcma mac80211 cfg80211 ssb rfkill libarc4 kvm_intel kvm drm irqbypass fuse backlight firmware_class efi_pstore configfs efivarfs dmi_sysfs ip_tables x_tables autofs4 dm_crypt cbc encrypted_keys trusted asn1_encoder tee tpm rng_core input_leds hid_apple led_class hid_generic usbhid hid sd_mod t10_pi crc64_rocksoft crc64 crc_t10dif crct10dif_generic ahci libahci libata uhci_hcd ehci_pci ehci_hcd crct10dif_pclmul crct10dif_common sha512_ssse3 sha512_generic sha256_ssse3 sha1_ssse3 aesni_intel usbcore scsi_mod libaes crypto_simd cryptd scsi_common\n    [  +0.000055]  usb_common rtc_cmos btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq dm_snapshot dm_bufio dm_mod dax [last unloaded: b43(O)]\n    [  +0.000009] CPU: 7 PID: 25513 Comm: irq/17-b43 Tainted: G        W  O       6.6.7 #1-NixOS\n    [  +0.000003] Hardware name: Apple Inc. MacBookPro8,3/Mac-942459F5819B171B, BIOS 87.0.0.0.0 06/13/2019\n    [  +0.000001] RIP: 0010:__ieee80211_wake_queue+0xd5/0x180 [mac80211]\n    [  +0.000046] Code: 00 45 85 e4 0f 85 9b 00 00 00 48 8d bd 40 09 00 00 f0 48 0f ba ad 48 09 00 00 00 72 0f 5b 5d 41 5c 41 5d 41 5e e9 cb 6d 3c d0 <0f> 0b 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc 48 8d b4 16 94 00 00\n    [  +0.000002] RSP: 0018:ffffc90003c77d60 EFLAGS: 00010097\n    [  +0.000001] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 0000000000000000\n    [  +0.000001] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff88820b924900\n    [  +0.000002] RBP: ffff88820b924900 R08: ffffc90003c77d90 R09: 000000000003bfd0\n    [  +0.000001] R10: ffff88820b924900 R11: ffffc90003c77c68 R12: 0000000000000000\n    [  +0.000001] R13: 0000000000000000 R14: ffffc90003c77d90 R15: ffffffffc0fa6f40\n    [  +0.000001] FS:  0000000000000000(0000) GS:ffff88846fb80000(0000) knlGS:0000000000000000\n    [  +0.000001] CS:  0010 DS: 0\n---truncated---(CVE-2023-52644)\r\n\r\nA flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.(CVE-2023-6270)\r\n\r\nA race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. This can result in I2cap connection or broadcast abnormality issue, possibly leading to denial of service.\r\n\r\n\r\n\r\n\n(CVE-2024-24858)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: make sure init the accept_queue's spinlocks once\r\n\r\nWhen I run syz's reproduction C program locally, it causes the following\nissue:\npvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0!\nWARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508)\nHardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\nRIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508)\nCode: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7\n30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90\nRSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908\nRDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900\nRBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff\nR10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000\nR13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000\nFS:  00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0\nCall Trace:\n<IRQ>\n  _raw_spin_unlock (kernel/locking/spinlock.c:186)\n  inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321)\n  inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358)\n  tcp_check_req (net/ipv4/tcp_minisocks.c:868)\n  tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260)\n  ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205)\n  ip_local_deliver_finish (net/ipv4/ip_input.c:234)\n  __netif_receive_skb_one_core (net/core/dev.c:5529)\n  process_backlog (./include/linux/rcupdate.h:779)\n  __napi_poll (net/core/dev.c:6533)\n  net_rx_action (net/core/dev.c:6604)\n  __do_softirq (./arch/x86/include/asm/jump_label.h:27)\n  do_softirq (kernel/softirq.c:454 kernel/softirq.c:441)\n</IRQ>\n<TASK>\n  __local_bh_enable_ip (kernel/softirq.c:381)\n  __dev_queue_xmit (net/core/dev.c:4374)\n  ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235)\n  __ip_queue_xmit (net/ipv4/ip_output.c:535)\n  __tcp_transmit_skb (net/ipv4/tcp_output.c:1462)\n  tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469)\n  tcp_rcv_state_process (net/ipv4/tcp_input.c:6657)\n  tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929)\n  __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968)\n  release_sock (net/core/sock.c:3536)\n  inet_wait_for_connect (net/ipv4/af_inet.c:609)\n  __inet_stream_connect (net/ipv4/af_inet.c:702)\n  inet_stream_connect (net/ipv4/af_inet.c:748)\n  __sys_connect (./include/linux/file.h:45 net/socket.c:2064)\n  __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070)\n  do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82)\n  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)\n  RIP: 0033:0x7fa10ff05a3d\n  Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89\n  c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48\n  RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a\n  RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d\n  RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003\n  RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640\n  R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20\n</TASK>\r\n\r\nThe issue triggering process is analyzed as follows:\nThread A                                       Thread B\ntcp_v4_rcv\t//receive ack TCP packet       inet_shutdown\n  tcp_check_req                                  tcp_disconnect //disconnect sock\n  ...                                              tcp_set_state(sk, TCP_CLOSE)\n    inet_csk_complete_hashdance                ...\n      inet_csk_reqsk_queue_add         \n---truncated---(CVE-2024-26614)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: disallow anonymous set with timeout flag\r\n\r\nAnonymous sets are never used with timeout from userspace, reject this.\nException to this rule is NFT_SET_EVAL to ensure legacy meters still work.(CVE-2024-26642)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntracing: Ensure visibility when inserting an element into tracing_map\r\n\r\nRunning the following two commands in parallel on a multi-processor\nAArch64 machine can sporadically produce an unexpected warning about\nduplicate histogram entries:\r\n\r\n $ while true; do\n     echo hist:key=id.syscall:val=hitcount > \\\n       /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/trigger\n     cat /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/hist\n     sleep 0.001\n   done\n $ stress-ng --sysbadaddr $(nproc)\r\n\r\nThe warning looks as follows:\r\n\r\n[ 2911.172474] ------------[ cut here ]------------\n[ 2911.173111] Duplicates detected: 1\n[ 2911.173574] WARNING: CPU: 2 PID: 12247 at kernel/trace/tracing_map.c:983 tracing_map_sort_entries+0x3e0/0x408\n[ 2911.174702] Modules linked in: iscsi_ibft(E) iscsi_boot_sysfs(E) rfkill(E) af_packet(E) nls_iso8859_1(E) nls_cp437(E) vfat(E) fat(E) ena(E) tiny_power_button(E) qemu_fw_cfg(E) button(E) fuse(E) efi_pstore(E) ip_tables(E) x_tables(E) xfs(E) libcrc32c(E) aes_ce_blk(E) aes_ce_cipher(E) crct10dif_ce(E) polyval_ce(E) polyval_generic(E) ghash_ce(E) gf128mul(E) sm4_ce_gcm(E) sm4_ce_ccm(E) sm4_ce(E) sm4_ce_cipher(E) sm4(E) sm3_ce(E) sm3(E) sha3_ce(E) sha512_ce(E) sha512_arm64(E) sha2_ce(E) sha256_arm64(E) nvme(E) sha1_ce(E) nvme_core(E) nvme_auth(E) t10_pi(E) sg(E) scsi_mod(E) scsi_common(E) efivarfs(E)\n[ 2911.174738] Unloaded tainted modules: cppc_cpufreq(E):1\n[ 2911.180985] CPU: 2 PID: 12247 Comm: cat Kdump: loaded Tainted: G            E      6.7.0-default #2 1b58bbb22c97e4399dc09f92d309344f69c44a01\n[ 2911.182398] Hardware name: Amazon EC2 c7g.8xlarge/, BIOS 1.0 11/1/2018\n[ 2911.183208] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 2911.184038] pc : tracing_map_sort_entries+0x3e0/0x408\n[ 2911.184667] lr : tracing_map_sort_entries+0x3e0/0x408\n[ 2911.185310] sp : ffff8000a1513900\n[ 2911.185750] x29: ffff8000a1513900 x28: ffff0003f272fe80 x27: 0000000000000001\n[ 2911.186600] x26: ffff0003f272fe80 x25: 0000000000000030 x24: 0000000000000008\n[ 2911.187458] x23: ffff0003c5788000 x22: ffff0003c16710c8 x21: ffff80008017f180\n[ 2911.188310] x20: ffff80008017f000 x19: ffff80008017f180 x18: ffffffffffffffff\n[ 2911.189160] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000a15134b8\n[ 2911.190015] x14: 0000000000000000 x13: 205d373432323154 x12: 5b5d313131333731\n[ 2911.190844] x11: 00000000fffeffff x10: 00000000fffeffff x9 : ffffd1b78274a13c\n[ 2911.191716] x8 : 000000000017ffe8 x7 : c0000000fffeffff x6 : 000000000057ffa8\n[ 2911.192554] x5 : ffff0012f6c24ec0 x4 : 0000000000000000 x3 : ffff2e5b72b5d000\n[ 2911.193404] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0003ff254480\n[ 2911.194259] Call trace:\n[ 2911.194626]  tracing_map_sort_entries+0x3e0/0x408\n[ 2911.195220]  hist_show+0x124/0x800\n[ 2911.195692]  seq_read_iter+0x1d4/0x4e8\n[ 2911.196193]  seq_read+0xe8/0x138\n[ 2911.196638]  vfs_read+0xc8/0x300\n[ 2911.197078]  ksys_read+0x70/0x108\n[ 2911.197534]  __arm64_sys_read+0x24/0x38\n[ 2911.198046]  invoke_syscall+0x78/0x108\n[ 2911.198553]  el0_svc_common.constprop.0+0xd0/0xf8\n[ 2911.199157]  do_el0_svc+0x28/0x40\n[ 2911.199613]  el0_svc+0x40/0x178\n[ 2911.200048]  el0t_64_sync_handler+0x13c/0x158\n[ 2911.200621]  el0t_64_sync+0x1a8/0x1b0\n[ 2911.201115] ---[ end trace 0000000000000000 ]---\r\n\r\nThe problem appears to be caused by CPU reordering of writes issued from\n__tracing_map_insert().\r\n\r\nThe check for the presence of an element with a given key in this\nfunction is:\r\n\r\n val = READ_ONCE(entry->val);\n if (val && keys_match(key, val->key, map->key_size)) ...\r\n\r\nThe write of a new entry is:\r\n\r\n elt = get_free_elt(map);\n memcpy(elt->key, key, map->key_size);\n entry->val = elt;\r\n\r\nThe \"memcpy(elt->key, key, map->key_size);\" and \"entry->val = elt;\"\nstores may become visible in the reversed order on another CPU. This\nsecond CPU might then incorrectly determine that a new key doesn't match\nan already present val->key and subse\n---truncated---(CVE-2024-26645)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nft_limit: reject configurations that cause integer overflow\r\n\r\nReject bogus configs where internal token counter wraps around.\nThis only occurs with very very large requests, such as 17gbyte/s.\r\n\r\nIts better to reject this rather than having incorrect ratelimit.(CVE-2024-26668)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblk-mq: fix IO hang from sbitmap wakeup race\r\n\r\nIn blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered\nwith the following blk_mq_get_driver_tag() in case of getting driver\ntag failure.\r\n\r\nThen in __sbitmap_queue_wake_up(), waitqueue_active() may not observe\nthe added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime\nblk_mq_mark_tag_wait() can't get driver tag successfully.\r\n\r\nThis issue can be reproduced by running the following test in loop, and\nfio hang can be observed in < 30min when running it on my test VM\nin laptop.\r\n\r\n\tmodprobe -r scsi_debug\n\tmodprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4\n\tdev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename`\n\tfio --filename=/dev/\"$dev\" --direct=1 --rw=randrw --bs=4k --iodepth=1 \\\n       \t\t--runtime=100 --numjobs=40 --time_based --name=test \\\n        \t--ioengine=libaio\r\n\r\nFix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which\nis just fine in case of running out of tag.(CVE-2024-26671)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nppp_async: limit MRU to 64K\r\n\r\nsyzbot triggered a warning [1] in __alloc_pages():\r\n\r\nWARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)\r\n\r\nWillem fixed a similar issue in commit c0a2a1b0d631 (\"ppp: limit MRU to 64K\")\r\n\r\nAdopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU)\r\n\r\n[1]:\r\n\r\n WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\nModules linked in:\nCPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\nWorkqueue: events_unbound flush_to_ldisc\npstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\n lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537\nsp : ffff800093967580\nx29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000\nx26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0\nx23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8\nx20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120\nx17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005\nx14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000\nx11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001\nx8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f\nx5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020\nx2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0\nCall trace:\n  __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\n  __alloc_pages_node include/linux/gfp.h:238 [inline]\n  alloc_pages_node include/linux/gfp.h:261 [inline]\n  __kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926\n  __do_kmalloc_node mm/slub.c:3969 [inline]\n  __kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001\n  kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590\n  __alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651\n  __netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715\n  netdev_alloc_skb include/linux/skbuff.h:3235 [inline]\n  dev_alloc_skb include/linux/skbuff.h:3248 [inline]\n  ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline]\n  ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341\n  tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390\n  tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37\n  receive_buf drivers/tty/tty_buffer.c:444 [inline]\n  flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494\n  process_one_work+0x694/0x1204 kernel/workqueue.c:2633\n  process_scheduled_works kernel/workqueue.c:2706 [inline]\n  worker_thread+0x938/0xef4 kernel/workqueue.c:2787\n  kthread+0x288/0x310 kernel/kthread.c:388\n  ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860(CVE-2024-26675)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ninet: read sk->sk_family once in inet_recv_error()\r\n\r\ninet_recv_error() is called without holding the socket lock.\r\n\r\nIPv6 socket could mutate to IPv4 with IPV6_ADDRFORM\nsocket option and trigger a KCSAN warning.(CVE-2024-26679)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix potential bug in end_buffer_async_write\r\n\r\nAccording to a syzbot report, end_buffer_async_write(), which handles the\ncompletion of block device writes, may detect abnormal condition of the\nbuffer async_write flag and cause a BUG_ON failure when using nilfs2.\r\n\r\nNilfs2 itself does not use end_buffer_async_write().  But, the async_write\nflag is now used as a marker by commit 7f42ec394156 (\"nilfs2: fix issue\nwith race condition of competition between segments for dirty blocks\") as\na means of resolving double list insertion of dirty blocks in\nnilfs_lookup_dirty_data_buffers() and nilfs_lookup_node_buffers() and the\nresulting crash.\r\n\r\nThis modification is safe as long as it is used for file data and b-tree\nnode blocks where the page caches are independent.  However, it was\nirrelevant and redundant to also introduce async_write for segment summary\nand super root blocks that share buffers with the backing device.  This\nled to the possibility that the BUG_ON check in end_buffer_async_write\nwould fail as described above, if independent writebacks of the backing\ndevice occurred in parallel.\r\n\r\nThe use of async_write for segment summary buffers has already been\nremoved in a previous change.\r\n\r\nFix this issue by removing the manipulation of the async_write flag for\nthe remaining super root block buffer.(CVE-2024-26685)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats\r\n\r\nlock_task_sighand() can trigger a hard lockup.  If NR_CPUS threads call\ndo_task_stat() at the same time and the process has NR_THREADS, it will\nspin with irqs disabled O(NR_CPUS * NR_THREADS) time.\r\n\r\nChange do_task_stat() to use sig->stats_lock to gather the statistics\noutside of ->siglock protected section, in the likely case this code will\nrun lockless.(CVE-2024-26686)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix data corruption in dsync block recovery for small block sizes\r\n\r\nThe helper function nilfs_recovery_copy_block() of\nnilfs_recovery_dsync_blocks(), which recovers data from logs created by\ndata sync writes during a mount after an unclean shutdown, incorrectly\ncalculates the on-page offset when copying repair data to the file's page\ncache.  In environments where the block size is smaller than the page\nsize, this flaw can cause data corruption and leak uninitialized memory\nbytes during the recovery process.\r\n\r\nFix these issues by correcting this byte offset calculation on the page.(CVE-2024-26697)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again\r\n\r\n(struct dirty_throttle_control *)->thresh is an unsigned long, but is\npassed as the u32 divisor argument to div_u64().  On architectures where\nunsigned long is 64 bytes, the argument will be implicitly truncated.\r\n\r\nUse div64_u64() instead of div_u64() so that the value used in the \"is\nthis a safe division\" check is the same as the divisor.\r\n\r\nAlso, remove redundant cast of the numerator to u64, as that should happen\nimplicitly.\r\n\r\nThis would be difficult to exploit in memcg domain, given the ratio-based\narithmetic domain_drity_limits() uses, but is much easier in global\nwriteback domain with a BDI_CAP_STRICTLIMIT-backing device, using e.g. \nvm.dirty_bytes=(1<<32)*PAGE_SIZE so that dtc->thresh == (1<<32)(CVE-2024-26720)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: don't drop extent_map for free space inode on write error\r\n\r\nWhile running the CI for an unrelated change I hit the following panic\nwith generic/648 on btrfs_holes_spacecache.\r\n\r\nassertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385\n------------[ cut here ]------------\nkernel BUG at fs/btrfs/extent_io.c:1385!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G        W          6.8.0-rc2+ #1\nRIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0\nCall Trace:\n <TASK>\n extent_write_cache_pages+0x2ac/0x8f0\n extent_writepages+0x87/0x110\n do_writepages+0xd5/0x1f0\n filemap_fdatawrite_wbc+0x63/0x90\n __filemap_fdatawrite_range+0x5c/0x80\n btrfs_fdatawrite_range+0x1f/0x50\n btrfs_write_out_cache+0x507/0x560\n btrfs_write_dirty_block_groups+0x32a/0x420\n commit_cowonly_roots+0x21b/0x290\n btrfs_commit_transaction+0x813/0x1360\n btrfs_sync_file+0x51a/0x640\n __x64_sys_fdatasync+0x52/0x90\n do_syscall_64+0x9c/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\nThis happens because we fail to write out the free space cache in one\ninstance, come back around and attempt to write it again.  However on\nthe second pass through we go to call btrfs_get_extent() on the inode to\nget the extent mapping.  Because this is a new block group, and with the\nfree space inode we always search the commit root to avoid deadlocking\nwith the tree, we find nothing and return a EXTENT_MAP_HOLE for the\nrequested range.\r\n\r\nThis happens because the first time we try to write the space cache out\nwe hit an error, and on an error we drop the extent mapping.  This is\nnormal for normal files, but the free space cache inode is special.  We\nalways expect the extent map to be correct.  Thus the second time\nthrough we end up with a bogus extent map.\r\n\r\nSince we're deprecating this feature, the most straightforward way to\nfix this is to simply skip dropping the extent map range for this failed\nrange.\r\n\r\nI shortened the test by using error injection to stress the area to make\nit easier to reproduce.  With this patch in place we no longer panic\nwith my error injection test.(CVE-2024-26726)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\narp: Prevent overflow in arp_req_get().\r\n\r\nsyzkaller reported an overflown write in arp_req_get(). [0]\r\n\r\nWhen ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour\nentry and copies neigh->ha to struct arpreq.arp_ha.sa_data.\r\n\r\nThe arp_ha here is struct sockaddr, not struct sockaddr_storage, so\nthe sa_data buffer is just 14 bytes.\r\n\r\nIn the splat below, 2 bytes are overflown to the next int field,\narp_flags.  We initialise the field just after the memcpy(), so it's\nnot a problem.\r\n\r\nHowever, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN),\narp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL)\nin arp_ioctl() before calling arp_req_get().\r\n\r\nTo avoid the overflow, let's limit the max length of memcpy().\r\n\r\nNote that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible\narray in struct sockaddr\") just silenced syzkaller.\r\n\r\n[0]:\nmemcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14)\nWARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128\nModules linked in:\nCPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014\nRIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128\nCode: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6\nRSP: 0018:ffffc900050b7998 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001\nRBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000\nR13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010\nFS:  00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <TASK>\n arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261\n inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981\n sock_do_ioctl+0xdf/0x260 net/socket.c:1204\n sock_ioctl+0x3ef/0x650 net/socket.c:1321\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x64/0xce\nRIP: 0033:0x7f172b262b8d\nCode: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d\nRDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003\nRBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000\n </TASK>(CVE-2024-26733)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: sr: fix possible use-after-free and null-ptr-deref\r\n\r\nThe pernet operations structure for the subsystem must be registered\nbefore registering the generic netlink family.(CVE-2024-26735)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: act_mirred: don't override retval if we already lost the skb\r\n\r\nIf we're redirecting the skb, and haven't called tcf_mirred_forward(),\nyet, we need to tell the core to drop the skb by setting the retcode\nto SHOT. If we have called tcf_mirred_forward(), however, the skb\nis out of our hands and returning SHOT will lead to UaF.\r\n\r\nMove the retval override to the error path which actually need it.(CVE-2024-26739)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: act_mirred: use the backlog for mirred ingress\r\n\r\nThe test Davide added in commit ca22da2fbd69 (\"act_mirred: use the backlog\nfor nested calls to mirred ingress\") hangs our testing VMs every 10 or so\nruns, with the familiar tcp_v4_rcv -> tcp_v4_rcv deadlock reported by\nlockdep.\r\n\r\nThe problem as previously described by Davide (see Link) is that\nif we reverse flow of traffic with the redirect (egress -> ingress)\nwe may reach the same socket which generated the packet. And we may\nstill be holding its socket lock. The common solution to such deadlocks\nis to put the packet in the Rx backlog, rather than run the Rx path\ninline. Do that for all egress -> ingress reversals, not just once\nwe started to nest mirred calls.\r\n\r\nIn the past there was a concern that the backlog indirection will\nlead to loss of error reporting / less accurate stats. But the current\nworkaround does not seem to address the issue.(CVE-2024-26740)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/qedr: Fix qedr_create_user_qp error flow\r\n\r\nAvoid the following warning by making sure to free the allocated\nresources in case that qedr_init_user_queue() fail.\r\n\r\n-----------[ cut here ]-----------\nWARNING: CPU: 0 PID: 143192 at drivers/infiniband/core/rdma_core.c:874 uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nModules linked in: tls target_core_user uio target_core_pscsi target_core_file target_core_iblock ib_srpt ib_srp scsi_transport_srp nfsd nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs 8021q garp mrp stp llc ext4 mbcache jbd2 opa_vnic ib_umad ib_ipoib sunrpc rdma_ucm ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm hfi1 intel_rapl_msr intel_rapl_common mgag200 qedr sb_edac drm_shmem_helper rdmavt x86_pkg_temp_thermal drm_kms_helper intel_powerclamp ib_uverbs coretemp i2c_algo_bit kvm_intel dell_wmi_descriptor ipmi_ssif sparse_keymap kvm ib_core rfkill syscopyarea sysfillrect video sysimgblt irqbypass ipmi_si ipmi_devintf fb_sys_fops rapl iTCO_wdt mxm_wmi iTCO_vendor_support intel_cstate pcspkr dcdbas intel_uncore ipmi_msghandler lpc_ich acpi_power_meter mei_me mei fuse drm xfs libcrc32c qede sd_mod ahci libahci t10_pi sg crct10dif_pclmul crc32_pclmul crc32c_intel qed libata tg3\nghash_clmulni_intel megaraid_sas crc8 wmi [last unloaded: ib_srpt]\nCPU: 0 PID: 143192 Comm: fi_rdm_tagged_p Kdump: loaded Not tainted 5.14.0-408.el9.x86_64 #1\nHardware name: Dell Inc. PowerEdge R430/03XKDV, BIOS 2.14.0 01/25/2022\nRIP: 0010:uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nCode: 5d 41 5c 41 5d 41 5e e9 0f 26 1b dd 48 89 df e8 67 6a ff ff 49 8b 86 10 01 00 00 48 85 c0 74 9c 4c 89 e7 e8 83 c0 cb dd eb 92 <0f> 0b eb be 0f 0b be 04 00 00 00 48 89 df e8 8e f5 ff ff e9 6d ff\nRSP: 0018:ffffb7c6cadfbc60 EFLAGS: 00010286\nRAX: ffff8f0889ee3f60 RBX: ffff8f088c1a5200 RCX: 00000000802a0016\nRDX: 00000000802a0017 RSI: 0000000000000001 RDI: ffff8f0880042600\nRBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000\nR10: ffff8f11fffd5000 R11: 0000000000039000 R12: ffff8f0d5b36cd80\nR13: ffff8f088c1a5250 R14: ffff8f1206d91000 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff8f11d7c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000147069200e20 CR3: 00000001c7210002 CR4: 00000000001706f0\nCall Trace:\n<TASK>\n? show_trace_log_lvl+0x1c4/0x2df\n? show_trace_log_lvl+0x1c4/0x2df\n? ib_uverbs_close+0x1f/0xb0 [ib_uverbs]\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\n? __warn+0x81/0x110\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\n? report_bug+0x10a/0x140\n? handle_bug+0x3c/0x70\n? exc_invalid_op+0x14/0x70\n? asm_exc_invalid_op+0x16/0x20\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nib_uverbs_close+0x1f/0xb0 [ib_uverbs]\n__fput+0x94/0x250\ntask_work_run+0x5c/0x90\ndo_exit+0x270/0x4a0\ndo_group_exit+0x2d/0x90\nget_signal+0x87c/0x8c0\narch_do_signal_or_restart+0x25/0x100\n? ib_uverbs_ioctl+0xc2/0x110 [ib_uverbs]\nexit_to_user_mode_loop+0x9c/0x130\nexit_to_user_mode_prepare+0xb6/0x100\nsyscall_exit_to_user_mode+0x12/0x40\ndo_syscall_64+0x69/0x90\n? syscall_exit_work+0x103/0x130\n? syscall_exit_to_user_mode+0x22/0x40\n? do_syscall_64+0x69/0x90\n? syscall_exit_work+0x103/0x130\n? syscall_exit_to_user_mode+0x22/0x40\n? do_syscall_64+0x69/0x90\n? do_syscall_64+0x69/0x90\n? common_interrupt+0x43/0xa0\nentry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x1470abe3ec6b\nCode: Unable to access opcode bytes at RIP 0x1470abe3ec41.\nRSP: 002b:00007fff13ce9108 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: fffffffffffffffc RBX: 00007fff13ce9218 RCX: 00001470abe3ec6b\nRDX: 00007fff13ce9200 RSI: 00000000c0181b01 RDI: 0000000000000004\nRBP: 00007fff13ce91e0 R08: 0000558d9655da10 R09: 0000558d9655dd00\nR10: 00007fff13ce95c0 R11: 0000000000000246 R12: 00007fff13ce9358\nR13: 0000000000000013 R14: 0000558d9655db50 R15: 00007fff13ce9470\n</TASK>\n--[ end trace 888a9b92e04c5c97 ]--(CVE-2024-26743)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/srpt: Support specifying the srpt_service_guid parameter\r\n\r\nMake loading ib_srpt with this parameter set work. The current behavior is\nthat setting that parameter while loading the ib_srpt kernel module\ntriggers the following kernel crash:\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nCall Trace:\n <TASK>\n parse_one+0x18c/0x1d0\n parse_args+0xe1/0x230\n load_module+0x8de/0xa60\n init_module_from_file+0x8b/0xd0\n idempotent_init_module+0x181/0x240\n __x64_sys_finit_module+0x5a/0xb0\n do_syscall_64+0x5f/0xe0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76(CVE-2024-26744)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nl2tp: pass correct message length to ip6_append_data\r\n\r\nl2tp_ip6_sendmsg needs to avoid accounting for the transport header\ntwice when splicing more data into an already partially-occupied skbuff.\r\n\r\nTo manage this, we check whether the skbuff contains data using\nskb_queue_empty when deciding how much data to append using\nip6_append_data.\r\n\r\nHowever, the code which performed the calculation was incorrect:\r\n\r\n     ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;\r\n\r\n...due to C operator precedence, this ends up setting ulen to\ntranshdrlen for messages with a non-zero length, which results in\ncorrupted packets on the wire.\r\n\r\nAdd parentheses to correct the calculation in line with the original\nintent.(CVE-2024-26752)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()\r\n\r\nThe gtp_net_ops pernet operations structure for the subsystem must be\nregistered before registering the generic netlink family.\r\n\r\nSyzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:\r\n\r\ngeneral protection fault, probably for non-canonical address\n0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\nCPU: 1 PID: 5826 Comm: gtp Not tainted 6.8.0-rc3-std-def-alt1 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014\nRIP: 0010:gtp_genl_dump_pdp+0x1be/0x800 [gtp]\nCode: c6 89 c6 e8 64 e9 86 df 58 45 85 f6 0f 85 4e 04 00 00 e8 c5 ee 86\n      df 48 8b 54 24 18 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80>\n      3c 02 00 0f 85 de 05 00 00 48 8b 44 24 18 4c 8b 30 4c 39 f0 74\nRSP: 0018:ffff888014107220 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: ffff88800fcda588 R14: 0000000000000001 R15: 0000000000000000\nFS:  00007f1be4eb05c0(0000) GS:ffff88806ce80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1be4e766cf CR3: 000000000c33e000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? show_regs+0x90/0xa0\n ? die_addr+0x50/0xd0\n ? exc_general_protection+0x148/0x220\n ? asm_exc_general_protection+0x22/0x30\n ? gtp_genl_dump_pdp+0x1be/0x800 [gtp]\n ? __alloc_skb+0x1dd/0x350\n ? __pfx___alloc_skb+0x10/0x10\n genl_dumpit+0x11d/0x230\n netlink_dump+0x5b9/0xce0\n ? lockdep_hardirqs_on_prepare+0x253/0x430\n ? __pfx_netlink_dump+0x10/0x10\n ? kasan_save_track+0x10/0x40\n ? __kasan_kmalloc+0x9b/0xa0\n ? genl_start+0x675/0x970\n __netlink_dump_start+0x6fc/0x9f0\n genl_family_rcv_msg_dumpit+0x1bb/0x2d0\n ? __pfx_genl_family_rcv_msg_dumpit+0x10/0x10\n ? genl_op_from_small+0x2a/0x440\n ? cap_capable+0x1d0/0x240\n ? __pfx_genl_start+0x10/0x10\n ? __pfx_genl_dumpit+0x10/0x10\n ? __pfx_genl_done+0x10/0x10\n ? security_capable+0x9d/0xe0(CVE-2024-26754)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndm-crypt: don't modify the data when using authenticated encryption\r\n\r\nIt was said that authenticated encryption could produce invalid tag when\nthe data that is being encrypted is modified [1]. So, fix this problem by\ncopying the data into the clone bio first and then encrypt them inside the\nclone bio.\r\n\r\nThis may reduce performance, but it is needed to prevent the user from\ncorrupting the device by writing data with O_DIRECT and modifying them at\nthe same time.\r\n\r\n[1] https://lore.kernel.org/all/20240207004723.GA35324@sol.localdomain/T/(CVE-2024-26763)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: dev-replace: properly validate device names\r\n\r\nThere's a syzbot report that device name buffers passed to device\nreplace are not properly checked for string termination which could lead\nto a read out of bounds in getname_kernel().\r\n\r\nAdd a helper that validates both source and target device name buffers.\nFor devid as the source initialize the buffer to empty string in case\nsomething tries to read it later.\r\n\r\nThis was originally analyzed and fixed in a different way by Edward Adam\nDavis (see links).(CVE-2024-26791)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngtp: fix use-after-free and null-ptr-deref in gtp_newlink()\r\n\r\nThe gtp_link_ops operations structure for the subsystem must be\nregistered after registering the gtp_net_ops pernet operations structure.\r\n\r\nSyzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:\r\n\r\n[ 1010.702740] gtp: GTP module unloaded\n[ 1010.715877] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI\n[ 1010.715888] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\n[ 1010.715895] CPU: 1 PID: 128616 Comm: a.out Not tainted 6.8.0-rc6-std-def-alt1 #1\n[ 1010.715899] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014\n[ 1010.715908] RIP: 0010:gtp_newlink+0x4d7/0x9c0 [gtp]\n[ 1010.715915] Code: 80 3c 02 00 0f 85 41 04 00 00 48 8b bb d8 05 00 00 e8 ed f6 ff ff 48 89 c2 48 89 c5 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 4f 04 00 00 4c 89 e2 4c 8b 6d 00 48 b8 00 00 00\n[ 1010.715920] RSP: 0018:ffff888020fbf180 EFLAGS: 00010203\n[ 1010.715929] RAX: dffffc0000000000 RBX: ffff88800399c000 RCX: 0000000000000000\n[ 1010.715933] RDX: 0000000000000001 RSI: ffffffff84805280 RDI: 0000000000000282\n[ 1010.715938] RBP: 000000000000000d R08: 0000000000000001 R09: 0000000000000000\n[ 1010.715942] R10: 0000000000000001 R11: 0000000000000001 R12: ffff88800399cc80\n[ 1010.715947] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000400\n[ 1010.715953] FS:  00007fd1509ab5c0(0000) GS:ffff88805b300000(0000) knlGS:0000000000000000\n[ 1010.715958] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1010.715962] CR2: 0000000000000000 CR3: 000000001c07a000 CR4: 0000000000750ee0\n[ 1010.715968] PKRU: 55555554\n[ 1010.715972] Call Trace:\n[ 1010.715985]  ? __die_body.cold+0x1a/0x1f\n[ 1010.715995]  ? die_addr+0x43/0x70\n[ 1010.716002]  ? exc_general_protection+0x199/0x2f0\n[ 1010.716016]  ? asm_exc_general_protection+0x1e/0x30\n[ 1010.716026]  ? gtp_newlink+0x4d7/0x9c0 [gtp]\n[ 1010.716034]  ? gtp_net_exit+0x150/0x150 [gtp]\n[ 1010.716042]  __rtnl_newlink+0x1063/0x1700\n[ 1010.716051]  ? rtnl_setlink+0x3c0/0x3c0\n[ 1010.716063]  ? is_bpf_text_address+0xc0/0x1f0\n[ 1010.716070]  ? kernel_text_address.part.0+0xbb/0xd0\n[ 1010.716076]  ? __kernel_text_address+0x56/0xa0\n[ 1010.716084]  ? unwind_get_return_address+0x5a/0xa0\n[ 1010.716091]  ? create_prof_cpu_mask+0x30/0x30\n[ 1010.716098]  ? arch_stack_walk+0x9e/0xf0\n[ 1010.716106]  ? stack_trace_save+0x91/0xd0\n[ 1010.716113]  ? stack_trace_consume_entry+0x170/0x170\n[ 1010.716121]  ? __lock_acquire+0x15c5/0x5380\n[ 1010.716139]  ? mark_held_locks+0x9e/0xe0\n[ 1010.716148]  ? kmem_cache_alloc_trace+0x35f/0x3c0\n[ 1010.716155]  ? __rtnl_newlink+0x1700/0x1700\n[ 1010.716160]  rtnl_newlink+0x69/0xa0\n[ 1010.716166]  rtnetlink_rcv_msg+0x43b/0xc50\n[ 1010.716172]  ? rtnl_fdb_dump+0x9f0/0x9f0\n[ 1010.716179]  ? lock_acquire+0x1fe/0x560\n[ 1010.716188]  ? netlink_deliver_tap+0x12f/0xd50\n[ 1010.716196]  netlink_rcv_skb+0x14d/0x440\n[ 1010.716202]  ? rtnl_fdb_dump+0x9f0/0x9f0\n[ 1010.716208]  ? netlink_ack+0xab0/0xab0\n[ 1010.716213]  ? netlink_deliver_tap+0x202/0xd50\n[ 1010.716220]  ? netlink_deliver_tap+0x218/0xd50\n[ 1010.716226]  ? __virt_addr_valid+0x30b/0x590\n[ 1010.716233]  netlink_unicast+0x54b/0x800\n[ 1010.716240]  ? netlink_attachskb+0x870/0x870\n[ 1010.716248]  ? __check_object_size+0x2de/0x3b0\n[ 1010.716254]  netlink_sendmsg+0x938/0xe40\n[ 1010.716261]  ? netlink_unicast+0x800/0x800\n[ 1010.716269]  ? __import_iovec+0x292/0x510\n[ 1010.716276]  ? netlink_unicast+0x800/0x800\n[ 1010.716284]  __sock_sendmsg+0x159/0x190\n[ 1010.716290]  ____sys_sendmsg+0x712/0x880\n[ 1010.716297]  ? sock_write_iter+0x3d0/0x3d0\n[ 1010.716304]  ? __ia32_sys_recvmmsg+0x270/0x270\n[ 1010.716309]  ? lock_acquire+0x1fe/0x560\n[ 1010.716315]  ? drain_array_locked+0x90/0x90\n[ 1010.716324]  ___sys_sendmsg+0xf8/0x170\n[ 1010.716331]  ? sendmsg_copy_msghdr+0x170/0x170\n[ 1010.716337]  ? lockdep_init_map\n---truncated---(CVE-2024-26793)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: Avoid potential use-after-free in hci_error_reset\r\n\r\nWhile handling the HCI_EV_HARDWARE_ERROR event, if the underlying\nBT controller is not responding, the GPIO reset mechanism would\nfree the hci_dev and lead to a use-after-free in hci_error_reset.\r\n\r\nHere's the call trace observed on a ChromeOS device with Intel AX201:\n   queue_work_on+0x3e/0x6c\n   __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth <HASH:3b4a6>]\n   ? init_wait_entry+0x31/0x31\n   __hci_cmd_sync+0x16/0x20 [bluetooth <HASH:3b4a 6>]\n   hci_error_reset+0x4f/0xa4 [bluetooth <HASH:3b4a 6>]\n   process_one_work+0x1d8/0x33f\n   worker_thread+0x21b/0x373\n   kthread+0x13a/0x152\n   ? pr_cont_work+0x54/0x54\n   ? kthread_blkcg+0x31/0x31\n    ret_from_fork+0x1f/0x30\r\n\r\nThis patch holds the reference count on the hci_dev while processing\na HCI_EV_HARDWARE_ERROR event to avoid potential crash.(CVE-2024-26801)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: ip_tunnel: prevent perpetual headroom growth\r\n\r\nsyzkaller triggered following kasan splat:\nBUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170\nRead of size 1 at addr ffff88812fb4000e by task syz-executor183/5191\n[..]\n kasan_report+0xda/0x110 mm/kasan/report.c:588\n __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170\n skb_flow_dissect_flow_keys include/linux/skbuff.h:1514 [inline]\n ___skb_get_hash net/core/flow_dissector.c:1791 [inline]\n __skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856\n skb_get_hash include/linux/skbuff.h:1556 [inline]\n ip_tunnel_xmit+0x1855/0x33c0 net/ipv4/ip_tunnel.c:748\n ipip_tunnel_xmit+0x3cc/0x4e0 net/ipv4/ipip.c:308\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564\n __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4349\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\n neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1592\n ...\n ip_finish_output2+0x833/0x2550 net/ipv4/ip_output.c:235\n ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323\n ..\n iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82\n ip_tunnel_xmit+0x1dbc/0x33c0 net/ipv4/ip_tunnel.c:831\n ipgre_xmit+0x4a1/0x980 net/ipv4/ip_gre.c:665\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564\n ...\r\n\r\nThe splat occurs because skb->data points past skb->head allocated area.\nThis is because neigh layer does:\n  __skb_pull(skb, skb_network_offset(skb));\r\n\r\n... but skb_network_offset() returns a negative offset and __skb_pull()\narg is unsigned.  IOW, we skb->data gets \"adjusted\" by a huge value.\r\n\r\nThe negative value is returned because skb->head and skb->data distance is\nmore than 64k and skb->network_header (u16) has wrapped around.\r\n\r\nThe bug is in the ip_tunnel infrastructure, which can cause\ndev->needed_headroom to increment ad infinitum.\r\n\r\nThe syzkaller reproducer consists of packets getting routed via a gre\ntunnel, and route of gre encapsulated packets pointing at another (ipip)\ntunnel.  The ipip encapsulation finds gre0 as next output device.\r\n\r\nThis results in the following pattern:\r\n\r\n1). First packet is to be sent out via gre0.\nRoute lookup found an output device, ipip0.\r\n\r\n2).\nip_tunnel_xmit for gre0 bumps gre0->needed_headroom based on the future\noutput device, rt.dev->needed_headroom (ipip0).\r\n\r\n3).\nip output / start_xmit moves skb on to ipip0. which runs the same\ncode path again (xmit recursion).\r\n\r\n4).\nRouting step for the post-gre0-encap packet finds gre0 as output device\nto use for ipip0 encapsulated packet.\r\n\r\ntunl0->needed_headroom is then incremented based on the (already bumped)\ngre0 device headroom.\r\n\r\nThis repeats for every future packet:\r\n\r\ngre0->needed_headroom gets inflated because previous packets' ipip0 step\nincremented rt->dev (gre0) headroom, and ipip0 incremented because gre0\nneeded_headroom was increased.\r\n\r\nFor each subsequent packet, gre/ipip0->needed_headroom grows until\npost-expand-head reallocations result in a skb->head/data distance of\nmore than 64k.\r\n\r\nOnce that happens, skb->network_header (u16) wraps around when\npskb_expand_head tries to make sure that skb_network_offset() is unchanged\nafter the headroom expansion/reallocation.\r\n\r\nAfter this skb_network_offset(skb) returns a different (and negative)\nresult post headroom expansion.\r\n\r\nThe next trip to neigh layer (or anything else that would __skb_pull the\nnetwork header) makes skb->data point to a memory location outside\nskb->head area.\r\n\r\nv2: Cap the needed_headroom update to an arbitarily chosen upperlimit to\nprevent perpetual increase instead of dropping the headroom increment\ncompletely.(CVE-2024-26804)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetlink: Fix kernel-infoleak-after-free in __skb_datagram_iter\r\n\r\nsyzbot reported the following uninit-value access issue [1]:\r\n\r\nnetlink_to_full_skb() creates a new `skb` and puts the `skb->data`\npassed as a 1st arg of netlink_to_full_skb() onto new `skb`. The data\nsize is specified as `len` and passed to skb_put_data(). This `len`\nis based on `skb->end` that is not data offset but buffer offset. The\n`skb->end` contains data and tailroom. Since the tailroom is not\ninitialized when the new `skb` created, KMSAN detects uninitialized\nmemory area when copying the data.\r\n\r\nThis patch resolved this issue by correct the len from `skb->end` to\n`skb->len`, which is the actual data offset.\r\n\r\nBUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in copy_to_user_iter lib/iov_iter.c:24 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_ubuf include/linux/iov_iter.h:29 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance include/linux/iov_iter.h:271 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186\n copy_to_iter include/linux/uio.h:197 [inline]\n simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:532\n __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:420\n skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]\n packet_recvmsg+0xd9c/0x2000 net/packet/af_packet.c:3482\n sock_recvmsg_nosec net/socket.c:1044 [inline]\n sock_recvmsg net/socket.c:1066 [inline]\n sock_read_iter+0x467/0x580 net/socket.c:1136\n call_read_iter include/linux/fs.h:2014 [inline]\n new_sync_read fs/read_write.c:389 [inline]\n vfs_read+0x8f6/0xe00 fs/read_write.c:470\n ksys_read+0x20f/0x4c0 fs/read_write.c:613\n __do_sys_read fs/read_write.c:623 [inline]\n __se_sys_read fs/read_write.c:621 [inline]\n __x64_sys_read+0x93/0xd0 fs/read_write.c:621\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was stored to memory at:\n skb_put_data include/linux/skbuff.h:2622 [inline]\n netlink_to_full_skb net/netlink/af_netlink.c:181 [inline]\n __netlink_deliver_tap_skb net/netlink/af_netlink.c:298 [inline]\n __netlink_deliver_tap+0x5be/0xc90 net/netlink/af_netlink.c:325\n netlink_deliver_tap net/netlink/af_netlink.c:338 [inline]\n netlink_deliver_tap_kernel net/netlink/af_netlink.c:347 [inline]\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x10f1/0x1250 net/netlink/af_netlink.c:1368\n netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was created at:\n free_pages_prepare mm/page_alloc.c:1087 [inline]\n free_unref_page_prepare+0xb0/0xa40 mm/page_alloc.c:2347\n free_unref_page_list+0xeb/0x1100 mm/page_alloc.c:2533\n release_pages+0x23d3/0x2410 mm/swap.c:1042\n free_pages_and_swap_cache+0xd9/0xf0 mm/swap_state.c:316\n tlb_batch_pages\n---truncated---(CVE-2024-26805)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/pci: Create persistent INTx handler\r\n\r\nA vulnerability exists where the eventfd for INTx signaling can be\ndeconfigured, which unregisters the IRQ handler but still allows\neventfds to be signaled with a NULL context through the SET_IRQS ioctl\nor through unmask irqfd if the device interrupt is pending.\r\n\r\nIdeally this could be solved with some additional locking; the igate\nmutex serializes the ioctl and config space accesses, and the interrupt\nhandler is unregistered relative to the trigger, but the irqfd path\nruns asynchronous to those.  The igate mutex cannot be acquired from the\natomic context of the eventfd wake function.  Disabling the irqfd\nrelative to the eventfd registration is potentially incompatible with\nexisting userspace.\r\n\r\nAs a result, the solution implemented here moves configuration of the\nINTx interrupt handler to track the lifetime of the INTx context object\nand irq_type configuration, rather than registration of a particular\ntrigger eventfd.  Synchronization is added between the ioctl path and\neventfd_signal() wrapper such that the eventfd trigger can be\ndynamically updated relative to in-flight interrupts or irqfd callbacks.(CVE-2024-26812)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/platform: Create persistent IRQ handlers\r\n\r\nThe vfio-platform SET_IRQS ioctl currently allows loopback triggering of\nan interrupt before a signaling eventfd has been configured by the user,\nwhich thereby allows a NULL pointer dereference.\r\n\r\nRather than register the IRQ relative to a valid trigger, register all\nIRQs in a disabled state in the device open path.  This allows mask\noperations on the IRQ to nest within the overall enable state governed\nby a valid eventfd signal.  This decouples @masked, protected by the\n@locked spinlock from @trigger, protected via the @igate mutex.\r\n\r\nIn doing so, it's guaranteed that changes to @trigger cannot race the\nIRQ handlers because the IRQ handler is synchronously disabled before\nmodifying the trigger, and loopback triggering of the IRQ via ioctl is\nsafe due to serialization with trigger changes via igate.\r\n\r\nFor compatibility, request_irq() failures are maintained to be local to\nthe SET_IRQS ioctl rather than a fatal error in the open device path.\nThis allows, for example, a userspace driver with polling mode support\nto continue to work regardless of moving the request_irq() call site.\nThis necessarily blocks all SET_IRQS access to the failed index.(CVE-2024-26813)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\namdkfd: use calloc instead of kzalloc to avoid integer overflow\r\n\r\nThis uses calloc instead of doing the multiplication which might\noverflow.(CVE-2024-26817)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncifs: fix underflow in parse_server_interfaces()\r\n\r\nIn this loop, we step through the buffer and after each item we check\nif the size_left is greater than the minimum size we need.  However,\nthe problem is that \"bytes_left\" is type ssize_t while sizeof() is type\nsize_t.  That means that because of type promotion, the comparison is\ndone as an unsigned and if we have negative bytes left the loop\ncontinues instead of ending.(CVE-2024-26828)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nIB/hfi1: Fix a memleak in init_credit_return\r\n\r\nWhen dma_alloc_coherent fails to allocate dd->cr_base[i].va,\ninit_credit_return should deallocate dd->cr_base and\ndd->cr_base[i] that allocated before. Or those resources\nwould be never freed and a memleak is triggered.(CVE-2024-26839)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncachefiles: fix memory leak in cachefiles_add_cache()\r\n\r\nThe following memory leak was reported after unbinding /dev/cachefiles:\r\n\r\n==================================================================\nunreferenced object 0xffff9b674176e3c0 (size 192):\n  comm \"cachefilesd2\", pid 680, jiffies 4294881224\n  hex dump (first 32 bytes):\n    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc ea38a44b):\n    [<ffffffff8eb8a1a5>] kmem_cache_alloc+0x2d5/0x370\n    [<ffffffff8e917f86>] prepare_creds+0x26/0x2e0\n    [<ffffffffc002eeef>] cachefiles_determine_cache_security+0x1f/0x120\n    [<ffffffffc00243ec>] cachefiles_add_cache+0x13c/0x3a0\n    [<ffffffffc0025216>] cachefiles_daemon_write+0x146/0x1c0\n    [<ffffffff8ebc4a3b>] vfs_write+0xcb/0x520\n    [<ffffffff8ebc5069>] ksys_write+0x69/0xf0\n    [<ffffffff8f6d4662>] do_syscall_64+0x72/0x140\n    [<ffffffff8f8000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n==================================================================\r\n\r\nPut the reference count of cache_cred in cachefiles_daemon_unbind() to\nfix the problem. And also put cache_cred in cachefiles_add_cache() error\nbranch to avoid memory leaks.(CVE-2024-26840)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnvme-fc: do not wait in vain when unloading module\r\n\r\nThe module exit path has race between deleting all controllers and\nfreeing 'left over IDs'. To prevent double free a synchronization\nbetween nvme_delete_ctrl and ida_destroy has been added by the initial\ncommit.\r\n\r\nThere is some logic around trying to prevent from hanging forever in\nwait_for_completion, though it does not handling all cases. E.g.\nblktests is able to reproduce the situation where the module unload\nhangs forever.\r\n\r\nIf we completely rely on the cleanup code executed from the\nnvme_delete_ctrl path, all IDs will be freed eventually. This makes\ncalling ida_destroy unnecessary. We only have to ensure that all\nnvme_delete_ctrl code has been executed before we leave\nnvme_fc_exit_module. This is done by flushing the nvme_delete_wq\nworkqueue.\r\n\r\nWhile at it, remove the unused nvme_fc_wq workqueue too.(CVE-2024-26846)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/ipv6: avoid possible UAF in ip6_route_mpath_notify()\r\n\r\nsyzbot found another use-after-free in ip6_route_mpath_notify() [1]\r\n\r\nCommit f7225172f25a (\"net/ipv6: prevent use after free in\nip6_route_mpath_notify\") was not able to fix the root cause.\r\n\r\nWe need to defer the fib6_info_release() calls after\nip6_route_mpath_notify(), in the cleanup phase.\r\n\r\n[1]\nBUG: KASAN: slab-use-after-free in rt6_fill_node+0x1460/0x1ac0\nRead of size 4 at addr ffff88809a07fc64 by task syz-executor.2/23037\r\n\r\nCPU: 0 PID: 23037 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-01035-gea7f3cfaa588 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x167/0x540 mm/kasan/report.c:488\n  kasan_report+0x142/0x180 mm/kasan/report.c:601\n rt6_fill_node+0x1460/0x1ac0\n  inet6_rt_notify+0x13b/0x290 net/ipv6/route.c:6184\n  ip6_route_mpath_notify net/ipv6/route.c:5198 [inline]\n  ip6_route_multipath_add net/ipv6/route.c:5404 [inline]\n  inet6_rtm_newroute+0x1d0f/0x2300 net/ipv6/route.c:5517\n  rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597\n  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n  netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n  netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n  netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x221/0x270 net/socket.c:745\n  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n  ___sys_sendmsg net/socket.c:2638 [inline]\n  __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\nRIP: 0033:0x7f73dd87dda9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f73de6550c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f73dd9ac050 RCX: 00007f73dd87dda9\nRDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005\nRBP: 00007f73dd8ca47a R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000006e R14: 00007f73dd9ac050 R15: 00007ffdbdeb7858\n </TASK>\r\n\r\nAllocated by task 23037:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  poison_kmalloc_redzone mm/kasan/common.c:372 [inline]\n  __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:389\n  kasan_kmalloc include/linux/kasan.h:211 [inline]\n  __do_kmalloc_node mm/slub.c:3981 [inline]\n  __kmalloc+0x22e/0x490 mm/slub.c:3994\n  kmalloc include/linux/slab.h:594 [inline]\n  kzalloc include/linux/slab.h:711 [inline]\n  fib6_info_alloc+0x2e/0xf0 net/ipv6/ip6_fib.c:155\n  ip6_route_info_create+0x445/0x12b0 net/ipv6/route.c:3758\n  ip6_route_multipath_add net/ipv6/route.c:5298 [inline]\n  inet6_rtm_newroute+0x744/0x2300 net/ipv6/route.c:5517\n  rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597\n  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n  netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n  netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n  netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x221/0x270 net/socket.c:745\n  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n  ___sys_sendmsg net/socket.c:2638 [inline]\n  __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\r\n\r\nFreed by task 16:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  kasan_save_free_info+0x4e/0x60 mm/kasan/generic.c:640\n  poison_slab_object+0xa6/0xe0 m\n---truncated---(CVE-2024-26852)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngeneve: make sure to pull inner header in geneve_rx()\r\n\r\nsyzbot triggered a bug in geneve_rx() [1]\r\n\r\nIssue is similar to the one I fixed in commit 8d975c15c0cd\n(\"ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()\")\r\n\r\nWe have to save skb->network_header in a temporary variable\nin order to be able to recompute the network_header pointer\nafter a pskb_inet_may_pull() call.\r\n\r\npskb_inet_may_pull() makes sure the needed headers are in skb->head.\r\n\r\n[1]\nBUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]\n BUG: KMSAN: uninit-value in geneve_rx drivers/net/geneve.c:279 [inline]\n BUG: KMSAN: uninit-value in geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391\n  IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]\n  geneve_rx drivers/net/geneve.c:279 [inline]\n  geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391\n  udp_queue_rcv_one_skb+0x1d39/0x1f20 net/ipv4/udp.c:2108\n  udp_queue_rcv_skb+0x6ae/0x6e0 net/ipv4/udp.c:2186\n  udp_unicast_rcv_skb+0x184/0x4b0 net/ipv4/udp.c:2346\n  __udp4_lib_rcv+0x1c6b/0x3010 net/ipv4/udp.c:2422\n  udp_rcv+0x7d/0xa0 net/ipv4/udp.c:2604\n  ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205\n  ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254\n  dst_input include/net/dst.h:461 [inline]\n  ip_rcv_finish net/ipv4/ip_input.c:449 [inline]\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569\n  __netif_receive_skb_one_core net/core/dev.c:5534 [inline]\n  __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648\n  process_backlog+0x480/0x8b0 net/core/dev.c:5976\n  __napi_poll+0xe3/0x980 net/core/dev.c:6576\n  napi_poll net/core/dev.c:6645 [inline]\n  net_rx_action+0x8b8/0x1870 net/core/dev.c:6778\n  __do_softirq+0x1b7/0x7c5 kernel/softirq.c:553\n  do_softirq+0x9a/0xf0 kernel/softirq.c:454\n  __local_bh_enable_ip+0x9b/0xa0 kernel/softirq.c:381\n  local_bh_enable include/linux/bottom_half.h:33 [inline]\n  rcu_read_unlock_bh include/linux/rcupdate.h:820 [inline]\n  __dev_queue_xmit+0x2768/0x51c0 net/core/dev.c:4378\n  dev_queue_xmit include/linux/netdevice.h:3171 [inline]\n  packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276\n  packet_snd net/packet/af_packet.c:3081 [inline]\n  packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg net/socket.c:745 [inline]\n  __sys_sendto+0x735/0xa10 net/socket.c:2191\n  __do_sys_sendto net/socket.c:2203 [inline]\n  __se_sys_sendto net/socket.c:2199 [inline]\n  __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was created at:\n  slab_post_alloc_hook mm/slub.c:3819 [inline]\n  slab_alloc_node mm/slub.c:3860 [inline]\n  kmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n  __alloc_skb+0x352/0x790 net/core/skbuff.c:651\n  alloc_skb include/linux/skbuff.h:1296 [inline]\n  alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6394\n  sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2783\n  packet_alloc_skb net/packet/af_packet.c:2930 [inline]\n  packet_snd net/packet/af_packet.c:3024 [inline]\n  packet_sendmsg+0x70c2/0x9f10 net/packet/af_packet.c:3113\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg net/socket.c:745 [inline]\n  __sys_sendto+0x735/0xa10 net/socket.c:2191\n  __do_sys_sendto net/socket.c:2203 [inline]\n  __se_sys_sendto net/socket.c:2199 [inline]\n  __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b(CVE-2024-26857)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/bnx2x: Prevent access to a freed page in page_pool\r\n\r\nFix race condition leading to system crash during EEH error handling\r\n\r\nDuring EEH error recovery, the bnx2x driver's transmit timeout logic\ncould cause a race condition when handling reset tasks. The\nbnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(),\nwhich ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload()\nSGEs are freed using bnx2x_free_rx_sge_range(). However, this could\noverlap with the EEH driver's attempt to reset the device using\nbnx2x_io_slot_reset(), which also tries to free SGEs. This race\ncondition can result in system crashes due to accessing freed memory\nlocations in bnx2x_free_rx_sge()\r\n\r\n799  static inline void bnx2x_free_rx_sge(struct bnx2x *bp,\n800\t\t\t\tstruct bnx2x_fastpath *fp, u16 index)\n801  {\n802\tstruct sw_rx_page *sw_buf = &fp->rx_page_ring[index];\n803     struct page *page = sw_buf->page;\n....\nwhere sw_buf was set to NULL after the call to dma_unmap_page()\nby the preceding thread.\r\n\r\n    EEH: Beginning: 'slot_reset'\n    PCI 0011:01:00.0#10000: EEH: Invoking bnx2x->slot_reset()\n    bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing...\n    bnx2x 0011:01:00.0: enabling device (0140 -> 0142)\n    bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --> driver unload\n    Kernel attempted to read user page (0) - exploit attempt? (uid: 0)\n    BUG: Kernel NULL pointer dereference on read at 0x00000000\n    Faulting instruction address: 0xc0080000025065fc\n    Oops: Kernel access of bad area, sig: 11 [#1]\n    .....\n    Call Trace:\n    [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable)\n    [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0\n    [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550\n    [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60\n    [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170\n    [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0\n    [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64\r\n\r\nTo solve this issue, we need to verify page pool allocations before\nfreeing.(CVE-2024-26859)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhsr: Fix uninit-value access in hsr_get_node()\r\n\r\nKMSAN reported the following uninit-value access issue [1]:\r\n\r\n=====================================================\nBUG: KMSAN: uninit-value in hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246\n hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246\n fill_frame_info net/hsr/hsr_forward.c:577 [inline]\n hsr_forward_skb+0xe12/0x30e0 net/hsr/hsr_forward.c:615\n hsr_dev_xmit+0x1a1/0x270 net/hsr/hsr_device.c:223\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\n packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3087 [inline]\n packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n __sys_sendto+0x735/0xa10 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was created at:\n slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n slab_alloc_node mm/slub.c:3478 [inline]\n kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n __alloc_skb+0x318/0x740 net/core/skbuff.c:651\n alloc_skb include/linux/skbuff.h:1286 [inline]\n alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334\n sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787\n packet_alloc_skb net/packet/af_packet.c:2936 [inline]\n packet_snd net/packet/af_packet.c:3030 [inline]\n packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n __sys_sendto+0x735/0xa10 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nCPU: 1 PID: 5033 Comm: syz-executor334 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\n=====================================================\r\n\r\nIf the packet type ID field in the Ethernet header is either ETH_P_PRP or\nETH_P_HSR, but it is not followed by an HSR tag, hsr_get_skb_sequence_nr()\nreads an invalid value as a sequence number. This causes the above issue.\r\n\r\nThis patch fixes the issue by returning NULL if the Ethernet header is not\nfollowed by an HSR tag.(CVE-2024-26863)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/srpt: Do not register event handler until srpt device is fully setup\r\n\r\nUpon rare occasions, KASAN reports a use-after-free Write\nin srpt_refresh_port().\r\n\r\nThis seems to be because an event handler is registered before the\nsrpt device is fully setup and a race condition upon error may leave a\npartially setup event handler in place.\r\n\r\nInstead, only register the event handler after srpt device initialization\nis complete.(CVE-2024-26872)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: pvrusb2: fix uaf in pvr2_context_set_notify\r\n\r\n[Syzbot reported]\nBUG: KASAN: slab-use-after-free in pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35\nRead of size 4 at addr ffff888113aeb0d8 by task kworker/1:1/26\r\n\r\nCPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.8.0-rc1-syzkaller-00046-gf1a27f081c1f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0xc4/0x620 mm/kasan/report.c:488\n kasan_report+0xda/0x110 mm/kasan/report.c:601\n pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35\n pvr2_context_notify drivers/media/usb/pvrusb2/pvrusb2-context.c:95 [inline]\n pvr2_context_disconnect+0x94/0xb0 drivers/media/usb/pvrusb2/pvrusb2-context.c:272\r\n\r\nFreed by task 906:\nkasan_save_stack+0x33/0x50 mm/kasan/common.c:47\nkasan_save_track+0x14/0x30 mm/kasan/common.c:68\nkasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640\npoison_slab_object mm/kasan/common.c:241 [inline]\n__kasan_slab_free+0x106/0x1b0 mm/kasan/common.c:257\nkasan_slab_free include/linux/kasan.h:184 [inline]\nslab_free_hook mm/slub.c:2121 [inline]\nslab_free mm/slub.c:4299 [inline]\nkfree+0x105/0x340 mm/slub.c:4409\npvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:137 [inline]\npvr2_context_thread_func+0x69d/0x960 drivers/media/usb/pvrusb2/pvrusb2-context.c:158\r\n\r\n[Analyze]\nTask A set disconnect_flag = !0, which resulted in Task B's condition being met\nand releasing mp, leading to this issue.\r\n\r\n[Fix]\nPlace the disconnect_flag assignment operation after all code in pvr2_context_disconnect()\nto avoid this issue.(CVE-2024-26875)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/bridge: adv7511: fix crash on irq during probe\r\n\r\nMoved IRQ registration down to end of adv7511_probe().\r\n\r\nIf an IRQ already is pending during adv7511_probe\n(before adv7511_cec_init) then cec_received_msg_ts\ncould crash using uninitialized data:\r\n\r\n    Unable to handle kernel read from unreadable memory at virtual address 00000000000003d5\n    Internal error: Oops: 96000004 [#1] PREEMPT_RT SMP\n    Call trace:\n     cec_received_msg_ts+0x48/0x990 [cec]\n     adv7511_cec_irq_process+0x1cc/0x308 [adv7511]\n     adv7511_irq_process+0xd8/0x120 [adv7511]\n     adv7511_irq_handler+0x1c/0x30 [adv7511]\n     irq_thread_fn+0x30/0xa0\n     irq_thread+0x14c/0x238\n     kthread+0x190/0x1a8(CVE-2024-26876)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nquota: Fix potential NULL pointer dereference\r\n\r\nBelow race may cause NULL pointer dereference\r\n\r\nP1\t\t\t\t\tP2\ndquot_free_inode\t\t\tquota_off\n\t\t\t\t\t  drop_dquot_ref\n\t\t\t\t\t   remove_dquot_ref\n\t\t\t\t\t   dquots = i_dquot(inode)\n  dquots = i_dquot(inode)\n  srcu_read_lock\n  dquots[cnt]) != NULL (1)\n\t\t\t\t\t     dquots[type] = NULL (2)\n  spin_lock(&dquots[cnt]->dq_dqb_lock) (3)\n   ....\r\n\r\nIf dquot_free_inode(or other routines) checks inode's quota pointers (1)\nbefore quota_off sets it to NULL(2) and use it (3) after that, NULL pointer\ndereference will be triggered.\r\n\r\nSo let's fix it by using a temporary pointer to avoid this issue.(CVE-2024-26878)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndm: call the resume method on internal suspend\r\n\r\nThere is this reported crash when experimenting with the lvm2 testsuite.\nThe list corruption is caused by the fact that the postsuspend and resume\nmethods were not paired correctly; there were two consecutive calls to the\norigin_postsuspend function. The second call attempts to remove the\n\"hash_list\" entry from a list, while it was already removed by the first\ncall.\r\n\r\nFix __dm_internal_resume so that it calls the preresume and resume\nmethods of the table's targets.\r\n\r\nIf a preresume method of some target fails, we are in a tricky situation.\nWe can't return an error because dm_internal_resume isn't supposed to\nreturn errors. We can't return success, because then the \"resume\" and\n\"postsuspend\" methods would not be paired correctly. So, we set the\nDMF_SUSPENDED flag and we fake normal suspend - it may confuse userspace\ntools, but it won't cause a kernel crash.\r\n\r\n------------[ cut here ]------------\nkernel BUG at lib/list_debug.c:56!\ninvalid opcode: 0000 [#1] PREEMPT SMP\nCPU: 1 PID: 8343 Comm: dmsetup Not tainted 6.8.0-rc6 #4\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\nRIP: 0010:__list_del_entry_valid_or_report+0x77/0xc0\n<snip>\nRSP: 0018:ffff8881b831bcc0 EFLAGS: 00010282\nRAX: 000000000000004e RBX: ffff888143b6eb80 RCX: 0000000000000000\nRDX: 0000000000000001 RSI: ffffffff819053d0 RDI: 00000000ffffffff\nRBP: ffff8881b83a3400 R08: 00000000fffeffff R09: 0000000000000058\nR10: 0000000000000000 R11: ffffffff81a24080 R12: 0000000000000001\nR13: ffff88814538e000 R14: ffff888143bc6dc0 R15: ffffffffa02e4bb0\nFS:  00000000f7c0f780(0000) GS:ffff8893f0a40000(0000) knlGS:0000000000000000\nCS:  0010 DS: 002b ES: 002b CR0: 0000000080050033\nCR2: 0000000057fb5000 CR3: 0000000143474000 CR4: 00000000000006b0\nCall Trace:\n <TASK>\n ? die+0x2d/0x80\n ? do_trap+0xeb/0xf0\n ? __list_del_entry_valid_or_report+0x77/0xc0\n ? do_error_trap+0x60/0x80\n ? __list_del_entry_valid_or_report+0x77/0xc0\n ? exc_invalid_op+0x49/0x60\n ? __list_del_entry_valid_or_report+0x77/0xc0\n ? asm_exc_invalid_op+0x16/0x20\n ? table_deps+0x1b0/0x1b0 [dm_mod]\n ? __list_del_entry_valid_or_report+0x77/0xc0\n origin_postsuspend+0x1a/0x50 [dm_snapshot]\n dm_table_postsuspend_targets+0x34/0x50 [dm_mod]\n dm_suspend+0xd8/0xf0 [dm_mod]\n dev_suspend+0x1f2/0x2f0 [dm_mod]\n ? table_deps+0x1b0/0x1b0 [dm_mod]\n ctl_ioctl+0x300/0x5f0 [dm_mod]\n dm_compat_ctl_ioctl+0x7/0x10 [dm_mod]\n __x64_compat_sys_ioctl+0x104/0x170\n do_syscall_64+0x184/0x1b0\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\nRIP: 0033:0xf7e6aead\n<snip>\n---[ end trace 0000000000000000 ]---(CVE-2024-26880)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete\r\n\r\nThe ath9k_wmi_event_tasklet() used in ath9k_htc assumes that all the data\nstructures have been fully initialised by the time it runs. However, because of\nthe order in which things are initialised, this is not guaranteed to be the\ncase, because the device is exposed to the USB subsystem before the ath9k driver\ninitialisation is completed.\r\n\r\nWe already committed a partial fix for this in commit:\n8b3046abc99e (\"ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()\")\r\n\r\nHowever, that commit only aborted the WMI_TXSTATUS_EVENTID command in the event\ntasklet, pairing it with an \"initialisation complete\" bit in the TX struct. It\nseems syzbot managed to trigger the race for one of the other commands as well,\nso let's just move the existing synchronisation bit to cover the whole\ntasklet (setting it at the end of ath9k_htc_probe_device() instead of inside\nath9k_tx_init()).(CVE-2024-26897)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\naoe: fix the potential use-after-free problem in aoecmd_cfg_pkts\r\n\r\nThis patch is against CVE-2023-6270. The description of cve is:\r\n\r\n  A flaw was found in the ATA over Ethernet (AoE) driver in the Linux\n  kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on\n  `struct net_device`, and a use-after-free can be triggered by racing\n  between the free on the struct and the access through the `skbtxq`\n  global queue. This could lead to a denial of service condition or\n  potential code execution.\r\n\r\nIn aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial\ncode is finished. But the net_device ifp will still be used in\nlater tx()->dev_queue_xmit() in kthread. Which means that the\ndev_put(ifp) should NOT be called in the success path of skb\ninitial code in aoecmd_cfg_pkts(). Otherwise tx() may run into\nuse-after-free because the net_device is freed.\r\n\r\nThis patch removed the dev_put(ifp) in the success path in\naoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().(CVE-2024-26898)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: Reset IH OVERFLOW_CLEAR bit\r\n\r\nAllows us to detect subsequent IH ring buffer overflows as well.(CVE-2024-26915)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: validate the parameters of bo mapping operations more clearly\r\n\r\nVerify the parameters of\namdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.(CVE-2024-26922)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: go7007: fix a memleak in go7007_load_encoder\r\n\r\nIn go7007_load_encoder, bounce(i.e. go->boot_fw), is allocated without\na deallocation thereafter. After the following call chain:\r\n\r\nsaa7134_go7007_init\n  |-> go7007_boot_encoder\n        |-> go7007_load_encoder\n  |-> kfree(go)\r\n\r\ngo is freed and thus bounce is leaked.(CVE-2024-27074)",
+    "cves": [
+      {
+        "id": "CVE-2024-27074",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27074",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1042": {
+    "id": "openEuler-SA-2021-1042",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1042",
+    "title": "An update for dovecot is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nDovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten thousand MIME parts.(CVE-2020-25275)\r\n\r\nAn issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure).(CVE-2020-24386)",
+    "cves": [
+      {
+        "id": "CVE-2020-24386",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24386",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1324": {
+    "id": "openEuler-SA-2024-1324",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1324",
+    "title": "An update for bind is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols and provides an openly redistributable reference implementation of the major components of the Domain Name System. This package includes the components to operate a DNS server.\r\n\r\nSecurity Fix(es):\r\n\r\nThe DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers.\nThis issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.(CVE-2023-4408)\r\n\r\nCertain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.(CVE-2023-50387)\r\n\r\nA flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when:\r\n\r\n  - `nxdomain-redirect <domain>;` is configured, and\n  - the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response.\nThis issue affects BIND 9 versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.(CVE-2023-5517)\r\n\r\nA bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these features are enabled.\nThis issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.(CVE-2023-5679)\r\n\r\nTo keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to clean up the database. It uses several methods, including some that are asynchronous: a small chunk of memory pointing to the cache element that can be cleaned up is first allocated and then queued for later processing. It was discovered that if the resolver is continuously processing query patterns triggering this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely manner. This in turn enables the list of queued cleanup events to grow infinitely large over time, allowing the configured `max-cache-size` limit to be significantly exceeded.\nThis issue affects BIND 9 versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1.(CVE-2023-6516)",
+    "cves": [
+      {
+        "id": "CVE-2023-6516",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6516",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1533": {
+    "id": "openEuler-SA-2023-1533",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1533",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Go Programming Language.\n\nSecurity Fix(es):\n\nExtremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.(CVE-2023-29409)",
+    "cves": [
+      {
+        "id": "CVE-2023-29409",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29409",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1718": {
+    "id": "openEuler-SA-2023-1718",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1718",
+    "title": "An update for mosquitto is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Mosquitto is an open source message broker that implements the MQ Telemetry Transport protocol version 3.1 and 3.1.1 MQTT provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for \"machine to machine\" messaging such as with low power sensors or mobile devices such as phones, embedded computers or micro-controllers like the Arduino.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.(CVE-2023-0809)",
+    "cves": [
+      {
+        "id": "CVE-2023-0809",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0809",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1514": {
+    "id": "openEuler-SA-2022-1514",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1514",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nHeap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.(CVE-2022-0261)\r\n\r\nHeap-based Buffer Overflow in vim/vim prior to 8.2.(CVE-2022-0318)\r\n\r\nAccess of Memory Location Before Start of Buffer in GitHub repository vim/vim prior to 8.2.(CVE-2022-0351)\r\n\r\nHeap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.(CVE-2022-0359)\r\n\r\nHeap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.(CVE-2022-0361)\r\n\r\nOut-of-bounds Read in GitHub repository vim/vim prior to 8.2.(CVE-2022-0368)\r\n\r\nHeap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.(CVE-2022-0392)\r\n\r\nUse After Free in GitHub repository vim/vim prior to 8.2.(CVE-2022-0413)\r\n\r\nStack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.(CVE-2022-0408)\r\n\r\nUse After Free in Conda vim prior to 8.2.(CVE-2022-0443)\r\n\r\nHeap-based Buffer Overflow in Conda vim prior to 8.2.(CVE-2022-0417)\n\nvim is vulnerable to Heap-based Buffer Overflow(CVE-2022-0213)",
+    "cves": [
+      {
+        "id": "CVE-2022-0213",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0213",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1924": {
+    "id": "openEuler-SA-2023-1924",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1924",
+    "title": "An update for hsqldb is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "HSQLdb is a relational database engine written in JavaTM , with a JDBC driver, supporting a subset of ANSI-92 SQL. It offers a small (about 100k), fast database engine which offers both in memory and disk based tables. Embedded and server modes are available. Additionally, it includes tools such as a minimal web server, in-memory query and management tools (can be run as applets or servlets, too) and a number of demonstration examples. Downloaded code should be regarded as being of production quality. The product is currently being used as a database and persistence engine in many Open Source Software projects and even in commercial projects and products! In it's current version it is extremely stable and reliable. It is best known for its small size, ability to execute completely in memory and its speed. Yet it is a completely functional relational database management system that is completely free under the Modified BSD License. Yes, that's right, completely free of cost or restrictions!\r\n\r\nSecurity Fix(es):\r\n\r\nThose using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property \"hsqldb.method_class_names\" to classes which are allowed to be called. For example, System.setProperty(\"hsqldb.method_class_names\", \"abc\") or Java argument -Dhsqldb.method_class_names=\"abc\" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.(CVE-2022-41853)",
+    "cves": [
+      {
+        "id": "CVE-2022-41853",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41853",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1240": {
+    "id": "openEuler-SA-2023-1240",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1240",
+    "title": "An update for avahi is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. This enables you to plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to or find files being shared.\r\n\r\nSecurity Fix(es):\r\n\r\nIt was discovered that the avahi deamon can be locally crashed by a dbus call made by an unprivileged user, causing a denial of service.\r\n\r\nReferences:\r\n\r\nhttps://github.com/lathiat/avahi/issues/375(CVE-2023-1981)",
+    "cves": [
+      {
+        "id": "CVE-2023-1981",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1981",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2029": {
+    "id": "openEuler-SA-2022-2029",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2029",
+    "title": "An update for git is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency.Git is easy to learn and has a tiny footprint with lightning fast performance. It outclasses SCM tools like Subversion, CVS, Perforce,and ClearCase with features like cheap local branching, convenient staging areas, and multiple workflows.\r\n\r\nSecurity Fix(es):\r\n\r\nGit is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`.(CVE-2022-39253)\r\n\r\nGit is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround.(CVE-2022-39260)",
+    "cves": [
+      {
+        "id": "CVE-2022-39260",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39260",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1012": {
+    "id": "openEuler-SA-2024-1012",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1012",
+    "title": "An update for python-twisted is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "Twisted is an event-based framework for internet applications, supporting Python 2.7 and Python 3.5+. It includes modules for many different purposes, including the following:\r\n\r\nSecurity Fix(es):\r\n\r\nTwisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline. Version 23.10.0rc1 contains a patch for this issue.(CVE-2023-46137)",
+    "cves": [
+      {
+        "id": "CVE-2023-46137",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46137",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1405": {
+    "id": "openEuler-SA-2021-1405",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1405",
+    "title": "An update for mailman is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Mailman is free software for managing electronic mail discussion and e-newsletter lists. Mailman is integrated with the web, making it easy for users to manage their accounts and for list owners to administer their lists. Mailman supports built-in archiving, automatic bounce processing, content filtering, digest delivery, spam filters, and more.\r\n\r\nSecurity Fix(es):\r\n\r\n/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection.(CVE-2020-12108)\r\n\r\nGNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed application/octet-stream MIME parts. This behavior may contribute to XSS attacks against list-archive visitors, because an HTTP reply from an archive web server may lack a MIME type, and a web browser may perform MIME sniffing, conclude that the MIME type should have been text/html, and execute JavaScript code.(CVE-2020-12137)\r\n\r\nGNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login page.(CVE-2020-15011)\n\nGNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password.(CVE-2021-42096)\n\nGNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover).(CVE-2021-42097)",
+    "cves": [
+      {
+        "id": "CVE-2021-42097",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42097",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1422": {
+    "id": "openEuler-SA-2023-1422",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1422",
+    "title": "An update for syslinux is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "The Syslinux Project covers lightweight bootloaders for MS-DOS FAT filesystems (SYSLINUX), network booting (PXELINUX), bootable \"El Torito\" CD-ROMs (ISOLINUX), and Linux ext2/ext3/ext4 or btrfs filesystems (EXTLINUX). The project also includes MEMDISK, a tool to boot legacy operating systems (such as DOS) from nontraditional media; it is usually used in conjunction with PXELINUX and ISOLINUX.\n\nSecurity Fix(es):\n\ninffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.(CVE-2016-9841)",
+    "cves": [
+      {
+        "id": "CVE-2016-9841",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9841",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1309": {
+    "id": "openEuler-SA-2023-1309",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1309",
+    "title": "An update for webkit2gtk3 is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "WebKitGTK is a full-featured port of the WebKit rendering engine,suitable for projects requiring any kind of web integration, from hybrid HTML/CSS applications to full-fledged web browsers. This package contains WebKit2 based WebKitGTK+ for GTK+ 3.\r\n\r\nSecurity Fix(es):\r\n\r\nA use after free vulnerability was found in the webkitgtk package. Processing maliciously crafted web content may lead to arbitrary code execution.(CVE-2023-32373)\r\n\r\nA flaw was found in the webkitgtk package. An out of bounds read may be possible when processing malicious web content, which can lead to information disclosure.(CVE-2023-28204)\r\n\r\nA flaw was found in the WebGPU, part of the Webkit project. This flaw allows a remote attacker to break out of the Web Content sandbox.(CVE-2023-32409)",
+    "cves": [
+      {
+        "id": "CVE-2023-32409",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32409",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1047": {
+    "id": "openEuler-SA-2021-1047",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1047",
+    "title": "An update for gstreamer1-plugins-bad-free is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "GStreamer is a pipeline-based multi media framework that links together a wide variety of media processing systems to complete complex workflows, based on graphs of filters which operate on media data. This package contains plug-ins that are not tested well enough yet, or the code is not of good enough quality.\n\r\nSecurity Fix(es):\n\r\nA flaw was found in the gstreamer h264 component of gst-plugins-bad before v1.18.1 where when parsing a h264 header, an attacker could cause the stack to be smashed, memory corruption and possibly code execution.(CVE-2021-3185)",
+    "cves": [
+      {
+        "id": "CVE-2021-3185",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3185",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1733": {
+    "id": "openEuler-SA-2022-1733",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1733",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host.(CVE-2021-3929)",
+    "cves": [
+      {
+        "id": "CVE-2021-3929",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3929",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1815": {
+    "id": "openEuler-SA-2024-1815",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1815",
+    "title": "An update for mozjs78 is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Critical",
+    "description": "Security Fix(es):\r\n\r\nIn Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).(CVE-2021-45960)\r\n\r\nxmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.(CVE-2022-25235)",
+    "cves": [
+      {
+        "id": "CVE-2022-25235",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25235",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1238": {
+    "id": "openEuler-SA-2023-1238",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1238",
+    "title": "An update for docker is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Docker is an open source project to build, ship and run any application as a lightweight container.\r\n\r\nSecurity Fix(es):\r\n\r\nMoby) is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby is commonly referred to as *Docker*. Swarm Mode, which is compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code. The `overlay` network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with the VXLAN metadata, including a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes. Encrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption. When setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the `u32` iptables extension provided by the `xt_u32` kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN. The `overlay` driver dynamically and lazily defines the kernel configuration for the VXLAN network on each node as containers are attached and detached. Routes and encryption parameters are only defined for destination nodes that participate in the network. The iptables rules that prevent encrypted overlay networks from accepting unencrypted packets are not created until a peer is available with which to communicate. Encrypted overlay networks silently accept cleartext VXLAN datagrams that are tagged with the VNI of an encrypted overlay network. As a result, it is possible to inject arbitrary Ethernet frames into the encrypted overlay network by encapsulating them in VXLAN datagrams. The implications of this can be quite dire, and GHSA-vwm3-crmr-xfxw should be referenced for a deeper exploration. Patches are available in Moby releases 23.0.3, and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16. Some workarounds are available. In multi-node clusters, deploy a global ‘pause’ container for each encrypted overlay network, on every node. For a single-node cluster, do not use overlay networks of any sort. Bridge networks provide the same connectivity on a single node and have no multi-node features. The Swarm ingress feature is implemented using an overlay network, but can be disabled by publishing ports in `host` mode instead of `ingress` mode (allowing the use of an external load balancer), and removing the `ingress` network. If encrypted overlay networks are in exclusive use, block UDP port 4789 from traffic that has not been validated by IPSec.(CVE-2023-28842)\r\n\r\nMoby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby is commonly referred to as *Docker*. Swarm Mode, which is compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code. The `overlay` network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with the VXLAN metadata, including a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes. Encrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption. When setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the `u32` iptables extension provided by the `xt_u32` kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN. An iptables rule designates outgoing VXLAN datagrams with a VNI that corresponds to an encrypted overlay network for IPsec encapsulation. Encrypted overlay networks on affected platforms silently transmit unencrypted data. As a result, `overlay` networks may appear to be functional, passing traffic as expected, but without any of the expected confidentiality or data integrity guarantees. It is possible for an attacker sitting in a trusted position on the network to read all of the application traffic that is moving across the overlay network, resulting in unexpected secrets or user data disclosure. Thus, because many database protocols, internal APIs, etc. are not protected by a second layer of encryption, a user may use Swarm encrypted overlay networks to provide confidentiality, which due to this vulnerability this is no longer guaranteed. Patches are available in Moby releases 23.0.3, and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16. Some workarounds are available. Close the VXLAN port (by default, UDP port 4789) to outgoing traffic at the Internet boundary in order to prevent unintentionally leaking unencrypted traffic over the Internet, and/or ensure that the `xt_u32` kernel module is available on all nodes of the Swarm cluster.(CVE-2023-28841)\r\n\r\nMoby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby, is commonly referred to as *Docker*. Swarm Mode, which is compiled in and delivered by default in dockerd and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code. The overlay network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes. Encrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption. When setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the u32 iptables extension provided by the xt_u32 kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN. Two iptables rules serve to filter incoming VXLAN datagrams with a VNI that corresponds to an encrypted network and discards unencrypted datagrams. The rules are appended to the end of the INPUT filter chain, following any rules that have been previously set by the system administrator. Administrator-set rules take precedence over the rules Moby sets to discard unencrypted VXLAN datagrams, which can potentially admit unencrypted datagrams that should have been discarded. The injection of arbitrary Ethernet frames can enable a Denial of Service attack. A sophisticated attacker may be able to establish a UDP or TCP connection by way of the container’s outbound gateway that would otherwise be blocked by a stateful firewall, or carry out other escalations beyond simple injection by smuggling packets into the overlay network. Patches are available in Moby releases 23.0.3 and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16. Some workarounds are available. Close the VXLAN port (by default, UDP port 4789) to incoming traffic at the Internet boundary to prevent all VXLAN packet injection, and/or ensure that the `xt_u32` kernel module is available on all nodes of the Swarm cluster.(CVE-2023-28840)",
+    "cves": [
+      {
+        "id": "CVE-2023-28840",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28840",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1283": {
+    "id": "openEuler-SA-2023-1283",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1283",
+    "title": "An update for openjdk-11 is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2023-21930)",
+    "cves": [
+      {
+        "id": "CVE-2023-21930",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21930",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1536": {
+    "id": "openEuler-SA-2023-1536",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1536",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nA use-after-free flaw was found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel. This flaw allows a local attacker to perform a local privilege escalation due to incorrect handling of the existing filter, leading to a kernel information leak issue.(CVE-2023-4128)\n\nA use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in VMware's vmxnet3 ethernet NIC driver in the Linux Kernel. This issue could allow a local attacker to crash the system due to a double-free while cleaning up vmxnet3_rq_cleanup_all, which could also lead to a kernel information leak problem.(CVE-2023-4387)",
+    "cves": [
+      {
+        "id": "CVE-2023-4387",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4387",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1398": {
+    "id": "openEuler-SA-2023-1398",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1398",
+    "title": "An update for snappy-java is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "A Java port of the snappy, a fast compresser/decompresser written in C++.\n\nSecurity Fix(es):\n\nsnappy-java is a fast compressor/decompressor for Java. Due to unchecked multiplications, an integer overflow may occur in versions prior to 1.1.10.1, causing an unrecoverable fatal error.\n\nThe function `compress(char[] input)` in the file `Snappy.java` receives an array of characters and compresses it. It does so by multiplying the length by 2 and passing it to the rawCompress` function.\n\nSince the length is not tested, the multiplication by two can cause an integer overflow and become negative. The rawCompress function then uses the received length and passes it to the natively compiled maxCompressedLength function, using the returned value to allocate a byte array.\n\nSince the maxCompressedLength function treats the length as an unsigned integer, it doesn’t care that it is negative, and it returns a valid value, which is casted to a signed integer by the Java engine. If the result is negative, a `java.lang.NegativeArraySizeException` exception will be raised while trying to allocate the array `buf`. On the other side, if the result is positive, the `buf` array will successfully be allocated, but its size might be too small to use for the compression, causing a fatal Access Violation error.\n\nThe same issue exists also when using the `compress` functions that receive double, float, int, long and short, each using a different multiplier that may cause the same issue. The issue most likely won’t occur when using a byte array, since creating a byte array of size 0x80000000 (or any other negative value) is impossible in the first place.\n\nVersion 1.1.10.1 contains a patch for this issue.(CVE-2023-34454)\n\nsnappy-java is a fast compressor/decompressor for Java. Due to use of an unchecked chunk length, an unrecoverable fatal error can occur in versions prior to 1.1.10.1.\n\nThe code in the function hasNextChunk in the fileSnappyInputStream.java checks if a given stream has more chunks to read. It does that by attempting to read 4 bytes. If it wasn’t possible to read the 4 bytes, the function returns false. Otherwise, if 4 bytes were available, the code treats them as the length of the next chunk.\n\nIn the case that the `compressed` variable is null, a byte array is allocated with the size given by the input data. Since the code doesn’t test the legality of the `chunkSize` variable, it is possible to pass a negative number (such as 0xFFFFFFFF which is -1), which will cause the code to raise a `java.lang.NegativeArraySizeException` exception. A worse case would happen when passing a huge positive value (such as 0x7FFFFFFF), which would raise the fatal `java.lang.OutOfMemoryError` error.\n\nVersion 1.1.10.1 contains a patch for this issue.(CVE-2023-34455)",
+    "cves": [
+      {
+        "id": "CVE-2023-34455",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34455",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1082": {
+    "id": "openEuler-SA-2021-1082",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1082",
+    "title": "An update for spice is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The SPICE package provides the SPICE server library and client. These components are used to provide access to a remote machine's display and devices.\r\n\r\nSecurity Fix(es):\r\n\r\nMultiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system, before spice-0.14.2-1. Both the SPICE client (spice-gtk) and server are affected by these flaws. These flaws allow a malicious client or server to send specially crafted messages that, when processed by the QUIC image compression algorithm, result in a process crash or potential code execution.(CVE-2020-14355)",
+    "cves": [
+      {
+        "id": "CVE-2020-14355",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14355",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1083": {
+    "id": "openEuler-SA-2021-1083",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1083",
+    "title": "An update for unbound is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards. To help increase online privacy, Unbound supports DNS-over-TLS which allows clients to encrypt their communication. Unbound is available for most platforms such as FreeBSD, OpenBSD, NetBSD, MacOS, Linux and Microsoft Windows. Unbound is a totally free, open source software under the BSD license. It doesn't make custom builds or provide specific features to paying customers only.\r\n\r\nSecurity Fix(es):\r\n\r\nNLnet Labs Unbound, up to and including version 1.12.0, and NLnet Labs NSD, up to and including version 4.3.3, contain a local vulnerability that would allow for a local symlink attack. When writing the PID file, Unbound and NSD create the file if it is not there, or open an existing file for writing. In case the file was already present, they would follow symlinks if the file happened to be a symlink instead of a regular file. An additional chown of the file would then take place after it was written, making the user Unbound/NSD is supposed to run as the new owner of the file. If an attacker has local access to the user Unbound/NSD runs as, she could create a symlink in place of the PID file pointing to a file that she would like to erase. If then Unbound/NSD is killed and the PID file is not cleared, upon restarting with root privileges, Unbound/NSD will rewrite any file pointed at by the symlink. This is a local vulnerability that could create a Denial of Service of the system Unbound/NSD is running on. It requires an attacker having access to the limited permission user Unbound/NSD runs as and point through the symlink to a critical file on the system.(CVE-2020-28935)",
+    "cves": [
+      {
+        "id": "CVE-2020-28935",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28935",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1981": {
+    "id": "openEuler-SA-2022-1981",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1981",
+    "title": "An update for bind is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nBy spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.(CVE-2022-38177)\r\n\r\nBy spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.(CVE-2022-38178)\r\n\r\nBy flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service.(CVE-2022-2795)\r\n\r\nThe underlying bug might cause read past end of the buffer and either read memory it should not read, or crash the process.(CVE-2022-2881)\r\n\r\nAn attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.(CVE-2022-2906)",
+    "cves": [
+      {
+        "id": "CVE-2022-2906",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2906",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1421": {
+    "id": "openEuler-SA-2023-1421",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1421",
+    "title": "An update for texlive-base is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The TeX Live software distribution offers a complete TeX system for a variety of Unix, Macintosh, Windows and other platforms. It encompasses programs for editing, typesetting, previewing and printing of TeX documents in many different languages, and a large collection of TeX macros and font libraries.\n\nSecurity Fix(es):\n\nLuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.(CVE-2023-32700)",
+    "cves": [
+      {
+        "id": "CVE-2023-32700",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32700",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1863": {
+    "id": "openEuler-SA-2022-1863",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1863",
+    "title": "An update for tcpdump is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Tcpdump is a command-line tool for monitoring network traffic. Tcpdump can capture and display the packet headers on a particular network interface or on all interfaces.  Tcpdump can display all of the packet headers, or just the ones that match particular criteria.\r\n\r\nSecurity Fix(es):\r\n\r\nThe command-line argument parser in tcpdump before 4.99.0 has a buffer overflow in tcpdump.c:read_infile(). To trigger this vulnerability the attacker needs to create a 4GB file on the local filesystem and to specify the file name as the value of the -F command-line argument of tcpdump.(CVE-2018-16301)",
+    "cves": [
+      {
+        "id": "CVE-2018-16301",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16301",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1917": {
+    "id": "openEuler-SA-2022-1917",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1917",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "This libtiff provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. The latest version of the TIFF specification is available on-line in several different formats.And contains command-line programs for manipulating TIFF format image files using the libtiff library.\r\n\r\nSecurity Fix(es):\r\n\r\nLibTIFF 4.4.0 has an out-of-bounds read in extractImageSection in tools/tiffcrop.c:6905, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 48d6ece8.(CVE-2022-2953)\r\n\r\nThere is a double free or corruption in rotateImage() at tiffcrop.c:8839 found in libtiff 4.4.0rc1(CVE-2022-2519)\r\n\r\nIt was found in libtiff 4.4.0rc1 that there is an invalid pointer free operation in TIFFClose() at tif_close.c:131 called by tiffcrop.c:2522 that can cause a program crash and denial of service while processing crafted input.(CVE-2022-2521)",
+    "cves": [
+      {
+        "id": "CVE-2022-2521",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2521",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1727": {
+    "id": "openEuler-SA-2022-1727",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1727",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free flaw was found in the Linux kernel’s sound subsystem in the way a user triggers concurrent calls of PCM hw_params. The hw_free ioctls or similar race condition happens inside ALSA PCM for other ioctls. This flaw allows a local user to crash or potentially escalate their privileges on the system.(CVE-2022-1048)\r\n\r\nThe SUSE Linux Enterprise 15 SP3 kernel was updated to receive various    security and bugfixes.(CVE-2022-1158)\r\n\r\nKGDB and KDB allow read and write access to kernel memory, and thus should be restricted during lockdown. An attacker with access to a serial port could trigger the debugger so it is important that the debugger respect the lockdown mode when/if it is triggered. CVSS 3.1 Base Score 6.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21499)",
+    "cves": [
+      {
+        "id": "CVE-2022-21499",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21499",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1995": {
+    "id": "openEuler-SA-2022-1995",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1995",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\n\n\t\tQEMU has two operating modes:\n\n\t\tFull system emulation. In this mode, QEMU emulates a full system (for example a PC),\n\t\tincluding one or several processors and various peripherals. It can be used to launch\n\t\tdifferent Operating Systems without rebooting the PC or to debug system code.\n\n\t\tUser mode emulation. In this mode, QEMU can launch processes compiled for one CPU on another CPU.\n\t\tIt can be used to launch the Wine Windows API emulator (https://www.winehq.org) or to ease\n\t\tcross-compilation and cross-debugging.\n\t\tYou can refer to https://www.qemu.org for more infortmation.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds memory access flaw was found in the ATI VGA device emulation of QEMU. This flaw occurs in the ati_2d_blt() routine while handling MMIO write operations when the guest provides invalid values for the destination display parameters. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.(CVE-2021-3638)",
+    "cves": [
+      {
+        "id": "CVE-2021-3638",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3638",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1994": {
+    "id": "openEuler-SA-2022-1994",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1994",
+    "title": "An update for dovecot is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Dovecot is an IMAP server for Linux/UNIX-like systemsa wrapper package that will just handle common things for all versioned dovecot packages.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation in certain configurations. The documentation does not advise against the use of passdb definitions that have the same driver and args settings. One such configuration would be where an administrator wishes to use the same PAM configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user.(CVE-2022-30550)",
+    "cves": [
+      {
+        "id": "CVE-2022-30550",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30550",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1998": {
+    "id": "openEuler-SA-2022-1998",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1998",
+    "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort,shear and transform images, adjust image colors, apply various special effects,or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap buffer overflow issue was found in ImageMagick. When an application processes a malformed TIFF file, it could lead to undefined behavior or a crash causing a denial of service.(CVE-2022-3213)",
+    "cves": [
+      {
+        "id": "CVE-2022-3213",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3213",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1631": {
+    "id": "openEuler-SA-2022-1631",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1631",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA NULL pointer dereference flaw was found in the Linux kernel’s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system(CVE-2022-1205)\n\nA flaw was found in the Linux kernel. This flaw allows an attacker to crash the Linux kernel by simulating amateur radio from the user space, resulting in a null-ptr-deref vulnerability and a use-after-free vulnerability.(CVE-2022-1199)\n\nA vulnerability was found in the pfkey_register function in net/key/af_key.c in the Linux kernel. This flaw allows a local, unprivileged user to gain access to kernel memory, leading to a system crash or a leak of internal kernel information.(CVE-2022-1353)\n\nCertain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information.(CVE-2022-23960)\n\ndrivers/infiniband/ulp/rtrs/rtrs-clt.c in the Linux kernel before 5.16.12 has a double free related to rtrs_clt_dev_release.(CVE-2022-29156)\n\nA flaw was found in unrestricted eBPF usage by the BPF_BTF_LOAD, leading to a possible out-of-bounds memory write in the Linux kernel’s BPF subsystem due to the way a user loads BTF. This flaw allows a local user to crash or escalate their privileges on the system.(CVE-2022-0500)\n\nLinux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042(CVE-2022-23036)\n\nIn several functions of binder.c, there is a possible way to represent the wrong domain to SELinux due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-200688826References: Upstream kernel(CVE-2021-39686)\n\nNon-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.(CVE-2022-0001)\n\nLinux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042(CVE-2022-23038)\n\nLinux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042(CVE-2022-23037)",
+    "cves": [
+      {
+        "id": "CVE-2022-23037",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23037",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1687": {
+    "id": "openEuler-SA-2024-1687",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1687",
+    "title": "An update for openjdk-17 is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2024-20918)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 17.0.9; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 21.3.8 and  22.3.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).(CVE-2024-20932)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and  21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2024-21012)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2 and  22; Oracle GraalVM Enterprise Edition: 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2024-21068)",
+    "cves": [
+      {
+        "id": "CVE-2024-21068",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21068",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1248": {
+    "id": "openEuler-SA-2024-1248",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1248",
+    "title": "An update for atril is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Mate-document-viewer is simple document viewer. It can display and print Portable Document Format (PDF), PostScript (PS), Encapsulated PostScript (EPS), DVI, DJVU, epub and XPS files. When supported by the document format, mate-document-viewer allows searching for text, copying text to the clipboard, hypertext navigation, table-of-contents bookmarks and editing of forms.\r\n\r\nSecurity Fix(es):\r\n\r\nAtril Document Viewer is the default document reader of the MATE desktop environment for Linux. A path traversal and arbitrary file write vulnerability exists in versions of Atril prior to 1.26.2. This vulnerability is capable of writing arbitrary files anywhere on the filesystem to which the user opening a crafted document has access. The only limitation is that this vulnerability cannot be exploited to overwrite existing files, but that doesn't stop an attacker from achieving Remote Command Execution on the target system. Version 1.26.2 of Atril contains a patch for this vulnerability.(CVE-2023-52076)",
+    "cves": [
+      {
+        "id": "CVE-2023-52076",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52076",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1633": {
+    "id": "openEuler-SA-2022-1633",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1633",
+    "title": "An update for mutt is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Mutt is a small but very powerful text-based mail client for Unix operating systems.\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Overflow in uudecoder in Mutt affecting all versions starting from 0.94.13 before 2.2.3 allows read past end of input line.(CVE-2022-1328)",
+    "cves": [
+      {
+        "id": "CVE-2022-1328",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1328",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1079": {
+    "id": "openEuler-SA-2024-1079",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1079",
+    "title": "An update for apache-sshd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Apache SSHD is a 100% pure java library to support the SSH protocols on both the client and server side.\r\n\r\nSecurity Fix(es):\r\n\r\nExposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA.\r\n\r\nIn SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged users may be able to discover \"exists/does not exist\" information about items outside the rooted tree via paths including parent navigation (\"..\") beyond the root, or involving symlinks.\r\n\r\nThis issue affects Apache MINA: from 1.0 before 2.10. Users are recommended to upgrade to 2.10\n(CVE-2023-35887)",
+    "cves": [
+      {
+        "id": "CVE-2023-35887",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35887",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1804": {
+    "id": "openEuler-SA-2022-1804",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1804",
+    "title": "An update for targetcli is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Targetcli is an administration tool for managing storage targets using the kernel LIO core target and compatible target fabric modules.\r\n\r\nSecurity Fix(es):\r\n\r\nOpen-iSCSI targetcli-fb through 2.1.52 has weak permissions for /etc/target (and for the backup directory and backup files).(CVE-2020-13867)",
+    "cves": [
+      {
+        "id": "CVE-2020-13867",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13867",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1539": {
+    "id": "openEuler-SA-2022-1539",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1539",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nIn memory management driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.(CVE-2022-0492)\r\n\r\nAn issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file descriptor.(CVE-2022-24448)\r\n\r\nA stack overflow flaw was found in the Linux kernel’s TIPC protocol functionality in the way a user sends a packet with malicious content where the number of domain member nodes is higher than the 64 allowed. This flaw allows a remote user to crash the system or possibly escalate their privileges if they have access to the TIPC network.(CVE-2022-0435)\r\n\r\nAn issue was discovered in the Linux kernel before 5.16.5. There is a memory leak in yam_siocdevprivate in drivers/net/hamradio/yam.c.(CVE-2022-24959)\r\n\r\ndrivers/usb/gadget/legacy/inode.c in the Linux kernel through 5.16.8 mishandles dev->buf release.(CVE-2022-24958)",
+    "cves": [
+      {
+        "id": "CVE-2022-24958",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24958",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1431": {
+    "id": "openEuler-SA-2024-1431",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1431",
+    "title": "An update for wireshark is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Wireshark is an open source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer.\r\n\r\nSecurity Fix(es):\r\n\r\nDue to failure in validating the length provided by an attacker-crafted RTPS packet, Wireshark version 4.0.5 and prior, by default, is susceptible to a heap-based buffer overflow, and possibly code execution in the context of the process running Wireshark.(CVE-2023-0666)",
+    "cves": [
+      {
+        "id": "CVE-2023-0666",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0666",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2094": {
+    "id": "openEuler-SA-2022-2094",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2094",
+    "title": "An update for zsh is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The zsh is a shell designed for interactive use, and it is also a powerful scripting language. Many of the useful features of bash, ksh, and tcsh were incorporated into zsh. It can match files by file extension without running an external program, share command history with any shell, and more.\r\n\r\nSecurity Fix(es):\r\n\r\nIn zsh before 5.8.1, an attacker can achieve code execution if they control a command output inside the prompt, as demonstrated by a %F argument. This occurs because of recursive PROMPT_SUBST expansion.(CVE-2021-45444)",
+    "cves": [
+      {
+        "id": "CVE-2021-45444",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45444",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1955": {
+    "id": "openEuler-SA-2022-1955",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1955",
+    "title": "An update for exiv2 is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Exiv2 is a Cross-platform C++ library and a command line utility to manage image metadata. It provides fast and easy read and write access to the Exif, IPTC and XMP metadata and the ICC Profile embedded within digital images in various formats.\r\n\r\nSecurity Fix(es):\r\n\r\nAn integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted PNG image file, because PngImage::readMetadata mishandles a zero value for iccOffset.(CVE-2019-13108)\r\n\r\nThere is an out-of-bounds read in Exiv2::MrwImage::readMetadata in mrwimage.cpp in Exiv2 through 0.27.2.(CVE-2019-13504)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A null pointer dereference was found in Exiv2 versions v0.27.4 and earlier. The null pointer dereference is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the interpreted (translated) data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p t` or `-P t`). The bug is fixed in version v0.27.5.(CVE-2021-37616)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A null pointer dereference was found in Exiv2 versions v0.27.4 and earlier. The null pointer dereference is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the interpreted (translated) data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p t` or `-P t`). The bug is fixed in version v0.27.5.(CVE-2021-37615)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The assertion failure is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when modifying the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `fi`. ### Patches The bug is fixed in version v0.27.5. ### References Regression test and bug fix: #1739 ### For more information Please see our [security policy](https://github.com/Exiv2/exiv2/security/policy) for information about Exiv2 security.(CVE-2021-32815)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was found in Exiv2 versions v0.27.4 and earlier. The infinite loop is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when deleting the IPTC data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-d I rm`). The bug is fixed in version v0.27.5.(CVE-2021-37623)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was found in Exiv2 versions v0.27.4 and earlier. The infinite loop is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when deleting the IPTC data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-d I rm`). The bug is fixed in version v0.27.5.(CVE-2021-37622)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. The bug is fixed in version v0.27.5.(CVE-2021-34334)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.4 and earlier. The out-of-bounds read is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. The bug is fixed in version v0.27.5.(CVE-2021-37620)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was found in Exiv2 versions v0.27.4 and earlier. The infinite loop is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the image ICC profile, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p C`). The bug is fixed in version v0.27.5.(CVE-2021-37621)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A floating point exception (FPE) due to an integer divide by zero was found in Exiv2 versions v0.27.4 and earlier. The FPE is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the interpreted (translated) data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p t` or `-P t`). The bug is fixed in version v0.27.5.(CVE-2021-34335)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.4 and earlier. The out-of-bounds read is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the image ICC profile, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p C`). The bug is fixed in version v0.27.5.(CVE-2021-37618)\r\n\r\nA flaw was found in exiv2. A integer wraparound in the CrwMap:encode0x1810 function leads to memcpy call with a very large size allowing an attacker, who can provide a malicious image, to crash an application which uses the exiv2 library. The highest threat from this vulnerability is to service availability.(CVE-2021-31292)",
+    "cves": [
+      {
+        "id": "CVE-2021-31292",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31292",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1850": {
+    "id": "openEuler-SA-2024-1850",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1850",
+    "title": "An update for arm-trusted-firmware is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Trusted Firmware-A is a reference implementation of secure world software for Arm A-Profile architectures (Armv8-A and Armv7-A), including an Exception Level 3 (EL3) Secure Monitor.\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. This vulnerability is associated with program files  https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i... https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.C .\r\n\r\n\r\n\r\n\nIn line 313 \"addr_loaded_cnt\" is checked not to be \"CHECK_IMAGE_AREA_CNT\" (5) or larger, this check does not halt the function. Immediately after (line 317) there will be an overflow in the buffer and the value of \"dst\" will be written to the area immediately after the buffer, which is \"addr_loaded_cnt\". This will allow an attacker to freely control the value of \"addr_loaded_cnt\" and thus control the destination of the write immediately after (line 318). The write in line 318 will then be fully controlled by said attacker, with whichever address and whichever value (\"len\") they desire.(CVE-2024-6563)\r\n\r\nBuffer overflow in \"rcar_dev_init\"  due to using due to using untrusted data (rcar_image_number) as a loop counter before verifying it against RCAR_MAX_BL3X_IMAGE. This could lead to a full bypass of secure boot.(CVE-2024-6564)",
+    "cves": [
+      {
+        "id": "CVE-2024-6564",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6564",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1482": {
+    "id": "openEuler-SA-2024-1482",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1482",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: hda: intel-sdw-acpi: harden detection of controller\r\n\r\nThe existing code currently sets a pointer to an ACPI handle before\nchecking that it's actually a SoundWire controller. This can lead to\nissues where the graph walk continues and eventually fails, but the\npointer was set already.\r\n\r\nThis patch changes the logic so that the information provided to\nthe caller is set when a controller is found.(CVE-2021-46926)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nuio_hv_generic: Fix another memory leak in error handling paths\r\n\r\nMemory allocated by 'vmbus_alloc_ring()' at the beginning of the probe\nfunction is never freed in the error handling path.\r\n\r\nAdd the missing 'vmbus_free_ring()' call.\r\n\r\nNote that it is already freed in the .remove function.(CVE-2021-47070)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nasix: fix uninit-value in asix_mdio_read()\r\n\r\nasix_read_cmd() may read less than sizeof(smsr) bytes and in this case\nsmsr will be uninitialized.\r\n\r\nFail log:\nBUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]\nBUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497\nBUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497\n asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]\n asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497\n asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497(CVE-2021-47101)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nEDAC/thunderx: Fix possible out-of-bounds string access\r\n\r\nEnabling -Wstringop-overflow globally exposes a warning for a common bug\nin the usage of strncat():\r\n\r\n  drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':\n  drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]\n   1136 |                 strncat(msg, other, OCX_MESSAGE_SIZE);\n        |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n   ...\n   1145 |                                 strncat(msg, other, OCX_MESSAGE_SIZE);\n   ...\n   1150 |                                 strncat(msg, other, OCX_MESSAGE_SIZE);\r\n\r\n   ...\r\n\r\nApparently the author of this driver expected strncat() to behave the\nway that strlcat() does, which uses the size of the destination buffer\nas its third argument rather than the length of the source buffer. The\nresult is that there is no check on the size of the allocated buffer.\r\n\r\nChange it to strlcat().\r\n\r\n  [ bp: Trim compiler output, fixup commit message. ](CVE-2023-52464)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nInput: powermate - fix use-after-free in powermate_config_complete\r\n\r\nsyzbot has found a use-after-free bug [1] in the powermate driver. This\nhappens when the device is disconnected, which leads to a memory free from\nthe powermate_device struct.  When an asynchronous control message\ncompletes after the kfree and its callback is invoked, the lock does not\nexist anymore and hence the bug.\r\n\r\nUse usb_kill_urb() on pm->config to cancel any in-progress requests upon\ndevice disconnection.\r\n\r\n[1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e(CVE-2023-52475)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command\r\n\r\nTags allocated for OPC_INB_SET_CONTROLLER_CONFIG command need to be freed\nwhen we receive the response.(CVE-2023-52500)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfc: nci: assert requested protocol is valid\r\n\r\nThe protocol is used in a bit mask to determine if the protocol is\nsupported. Assert the provided protocol is less than the maximum\ndefined so it doesn't potentially perform a shift-out-of-bounds and\nprovide a clearer error for undefined protocols vs unsupported ones.(CVE-2023-52507)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nieee802154: ca8210: Fix a potential UAF in ca8210_probe\r\n\r\nIf of_clk_add_provider() fails in ca8210_register_ext_clock(),\nit calls clk_unregister() to release priv->clk and returns an\nerror. However, the caller ca8210_probe() then calls ca8210_remove(),\nwhere priv->clk is freed again in ca8210_unregister_ext_clock(). In\nthis case, a use-after-free may happen in the second time we call\nclk_unregister().\r\n\r\nFix this by removing the first clk_unregister(). Also, priv->clk could\nbe an error code on failure of clk_register_fixed_rate(). Use\nIS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock().(CVE-2023-52510)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/srp: Do not call scsi_done() from srp_abort()\r\n\r\nAfter scmd_eh_abort_handler() has called the SCSI LLD eh_abort_handler\ncallback, it performs one of the following actions:\n* Call scsi_queue_insert().\n* Call scsi_finish_command().\n* Call scsi_eh_scmd_add().\nHence, SCSI abort handlers must not call scsi_done(). Otherwise all\nthe above actions would trigger a use-after-free. Hence remove the\nscsi_done() call from srp_abort(). Keep the srp_free_req() call\nbefore returning SUCCESS because we may not see the command again if\nSUCCESS is returned.(CVE-2023-52515)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: fix possible store tearing in neigh_periodic_work()\r\n\r\nWhile looking at a related syzbot report involving neigh_periodic_work(),\nI found that I forgot to add an annotation when deleting an\nRCU protected item from a list.\r\n\r\nReaders use rcu_deference(*np), we need to use either\nrcu_assign_pointer() or WRITE_ONCE() on writer side\nto prevent store tearing.\r\n\r\nI use rcu_assign_pointer() to have lockdep support,\nthis was the choice made in neigh_flush_dev().(CVE-2023-52522)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet\r\n\r\nOnly skip the code path trying to access the rfc1042 headers when the\nbuffer is too small, so the driver can still process packets without\nrfc1042 headers.(CVE-2023-52525)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: mac80211: fix potential key use-after-free\r\n\r\nWhen ieee80211_key_link() is called by ieee80211_gtk_rekey_add()\nbut returns 0 due to KRACK protection (identical key reinstall),\nieee80211_gtk_rekey_add() will still return a pointer into the\nkey, in a potential use-after-free. This normally doesn't happen\nsince it's only called by iwlwifi in case of WoWLAN rekey offload\nwhich has its own KRACK protection, but still better to fix, do\nthat by returning an error code and converting that to success on\nthe cfg80211 boundary only, leaving the error for bad callers of\nieee80211_gtk_rekey_add().(CVE-2023-52530)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm/damon/vaddr-test: fix memory leak in damon_do_test_apply_three_regions()\r\n\r\nWhen CONFIG_DAMON_VADDR_KUNIT_TEST=y and making CONFIG_DEBUG_KMEMLEAK=y\nand CONFIG_DEBUG_KMEMLEAK_AUTO_SCAN=y, the below memory leak is detected.\r\n\r\nSince commit 9f86d624292c (\"mm/damon/vaddr-test: remove unnecessary\nvariables\"), the damon_destroy_ctx() is removed, but still call\ndamon_new_target() and damon_new_region(), the damon_region which is\nallocated by kmem_cache_alloc() in damon_new_region() and the damon_target\nwhich is allocated by kmalloc in damon_new_target() are not freed.  And\nthe damon_region which is allocated in damon_new_region() in\ndamon_set_regions() is also not freed.\r\n\r\nSo use damon_destroy_target to free all the damon_regions and damon_target.\r\n\r\n    unreferenced object 0xffff888107c9a940 (size 64):\n      comm \"kunit_try_catch\", pid 1069, jiffies 4294670592 (age 732.761s)\n      hex dump (first 32 bytes):\n        00 00 00 00 00 00 00 00 06 00 00 00 6b 6b 6b 6b  ............kkkk\n        60 c7 9c 07 81 88 ff ff f8 cb 9c 07 81 88 ff ff  `...............\n      backtrace:\n        [<ffffffff817e0167>] kmalloc_trace+0x27/0xa0\n        [<ffffffff819c11cf>] damon_new_target+0x3f/0x1b0\n        [<ffffffff819c7d55>] damon_do_test_apply_three_regions.constprop.0+0x95/0x3e0\n        [<ffffffff819c82be>] damon_test_apply_three_regions1+0x21e/0x260\n        [<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90\n        [<ffffffff81237cf6>] kthread+0x2b6/0x380\n        [<ffffffff81097add>] ret_from_fork+0x2d/0x70\n        [<ffffffff81003791>] ret_from_fork_asm+0x11/0x20\n    unreferenced object 0xffff8881079cc740 (size 56):\n      comm \"kunit_try_catch\", pid 1069, jiffies 4294670592 (age 732.761s)\n      hex dump (first 32 bytes):\n        05 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00  ................\n        6b 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 6b 6b 6b 6b  kkkkkkkk....kkkk\n      backtrace:\n        [<ffffffff819bc492>] damon_new_region+0x22/0x1c0\n        [<ffffffff819c7d91>] damon_do_test_apply_three_regions.constprop.0+0xd1/0x3e0\n        [<ffffffff819c82be>] damon_test_apply_three_regions1+0x21e/0x260\n        [<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90\n        [<ffffffff81237cf6>] kthread+0x2b6/0x380\n        [<ffffffff81097add>] ret_from_fork+0x2d/0x70\n        [<ffffffff81003791>] ret_from_fork_asm+0x11/0x20\n    unreferenced object 0xffff888107c9ac40 (size 64):\n      comm \"kunit_try_catch\", pid 1071, jiffies 4294670595 (age 732.843s)\n      hex dump (first 32 bytes):\n        00 00 00 00 00 00 00 00 06 00 00 00 6b 6b 6b 6b  ............kkkk\n        a0 cc 9c 07 81 88 ff ff 78 a1 76 07 81 88 ff ff  ........x.v.....\n      backtrace:\n        [<ffffffff817e0167>] kmalloc_trace+0x27/0xa0\n        [<ffffffff819c11cf>] damon_new_target+0x3f/0x1b0\n        [<ffffffff819c7d55>] damon_do_test_apply_three_regions.constprop.0+0x95/0x3e0\n        [<ffffffff819c851e>] damon_test_apply_three_regions2+0x21e/0x260\n        [<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90\n        [<ffffffff81237cf6>] kthread+0x2b6/0x380\n        [<ffffffff81097add>] ret_from_fork+0x2d/0x70\n        [<ffffffff81003791>] ret_from_fork_asm+0x11/0x20\n    unreferenced object 0xffff8881079ccc80 (size 56):\n      comm \"kunit_try_catch\", pid 1071, jiffies 4294670595 (age 732.843s)\n      hex dump (first 32 bytes):\n        05 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00  ................\n        6b 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 6b 6b 6b 6b  kkkkkkkk....kkkk\n      backtrace:\n        [<ffffffff819bc492>] damon_new_region+0x22/0x1c0\n        [<ffffffff819c7d91>] damon_do_test_apply_three_regions.constprop.0+0xd1/0x3e0\n        [<ffffffff819c851e>] damon_test_apply_three_regions2+0x21e/0x260\n        [<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90\n        [<ffffffff81237cf6>] kthread+0x2b6/0x380\n        [<ffffffff81097add>] ret_from_fork+0x2d/0x70\n        [<ffff\n---truncated---(CVE-2023-52560)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\narm64: dts: qcom: sdm845-db845c: Mark cont splash memory region as reserved\r\n\r\nAdding a reserved memory region for the framebuffer memory\n(the splash memory region set up by the bootloader).\r\n\r\nIt fixes a kernel panic (arm-smmu: Unhandled context fault\nat this particular memory region) reported on DB845c running\nv5.10.y.(CVE-2023-52561)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix potential use after free in nilfs_gccache_submit_read_data()\r\n\r\nIn nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the\nreference count of bh when the call to nilfs_dat_translate() fails.  If\nthe reference count hits 0 and its owner page gets unlocked, bh may be\nfreed.  However, bh->b_page is dereferenced to put the page after that,\nwhich may result in a use-after-free bug.  This patch moves the release\noperation after unlocking and putting the page.\r\n\r\nNOTE: The function in question is only called in GC, and in combination\nwith current userland tools, address translation using DAT does not occur\nin that function, so the code path that causes this issue will not be\nexecuted.  However, it is possible to run that code path by intentionally\nmodifying the userland GC library or by calling the GC ioctl directly.\r\n\r\n[konishi.ryusuke@gmail.com: NOTE added to the commit log](CVE-2023-52566)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nx86/sgx: Resolves SECS reclaim vs. page fault for EAUG race\r\n\r\nThe SGX EPC reclaimer (ksgxd) may reclaim the SECS EPC page for an\nenclave and set secs.epc_page to NULL. The SECS page is used for EAUG\nand ELDU in the SGX page fault handler. However, the NULL check for\nsecs.epc_page is only done for ELDU, not EAUG before being used.\r\n\r\nFix this by doing the same NULL check and reloading of the SECS page as\nneeded for both EAUG and ELDU.\r\n\r\nThe SECS page holds global enclave metadata. It can only be reclaimed\nwhen there are no other enclave pages remaining. At that point,\nvirtually nothing can be done with the enclave until the SECS page is\npaged back in.\r\n\r\nAn enclave can not run nor generate page faults without a resident SECS\npage. But it is still possible for a #PF for a non-SECS page to race\nwith paging out the SECS page: when the last resident non-SECS page A\ntriggers a #PF in a non-resident page B, and then page A and the SECS\nboth are paged out before the #PF on B is handled.\r\n\r\nHitting this bug requires that race triggered with a #PF for EAUG.\nFollowing is a trace when it happens.\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nRIP: 0010:sgx_encl_eaug_page+0xc7/0x210\nCall Trace:\n ? __kmem_cache_alloc_node+0x16a/0x440\n ? xa_load+0x6e/0xa0\n sgx_vma_fault+0x119/0x230\n __do_fault+0x36/0x140\n do_fault+0x12f/0x400\n __handle_mm_fault+0x728/0x1110\n handle_mm_fault+0x105/0x310\n do_user_addr_fault+0x1ee/0x750\n ? __this_cpu_preempt_check+0x13/0x20\n exc_page_fault+0x76/0x180\n asm_exc_page_fault+0x27/0x30(CVE-2023-52568)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: rds: Fix possible NULL-pointer dereference\r\n\r\nIn rds_rdma_cm_event_handler_cmn() check, if conn pointer exists\nbefore dereferencing it as rdma_set_service_type() argument\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2023-52573)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndccp: fix dccp_v4_err()/dccp_v6_err() again\r\n\r\ndh->dccph_x is the 9th byte (offset 8) in \"struct dccp_hdr\",\nnot in the \"byte 7\" as Jann claimed.\r\n\r\nWe need to make sure the ICMP messages are big enough,\nusing more standard ways (no more assumptions).\r\n\r\nsyzbot reported:\nBUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2667 [inline]\nBUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2681 [inline]\nBUG: KMSAN: uninit-value in dccp_v6_err+0x426/0x1aa0 net/dccp/ipv6.c:94\npskb_may_pull_reason include/linux/skbuff.h:2667 [inline]\npskb_may_pull include/linux/skbuff.h:2681 [inline]\ndccp_v6_err+0x426/0x1aa0 net/dccp/ipv6.c:94\nicmpv6_notify+0x4c7/0x880 net/ipv6/icmp.c:867\nicmpv6_rcv+0x19d5/0x30d0\nip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438\nip6_input_finish net/ipv6/ip6_input.c:483 [inline]\nNF_HOOK include/linux/netfilter.h:304 [inline]\nip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\nip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\ndst_input include/net/dst.h:468 [inline]\nip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79\nNF_HOOK include/linux/netfilter.h:304 [inline]\nipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310\n__netif_receive_skb_one_core net/core/dev.c:5523 [inline]\n__netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637\nnetif_receive_skb_internal net/core/dev.c:5723 [inline]\nnetif_receive_skb+0x58/0x660 net/core/dev.c:5782\ntun_rx_batched+0x83b/0x920\ntun_get_user+0x564c/0x6940 drivers/net/tun.c:2002\ntun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\ncall_write_iter include/linux/fs.h:1985 [inline]\nnew_sync_write fs/read_write.c:491 [inline]\nvfs_write+0x8ef/0x15c0 fs/read_write.c:584\nksys_write+0x20f/0x4c0 fs/read_write.c:637\n__do_sys_write fs/read_write.c:649 [inline]\n__se_sys_write fs/read_write.c:646 [inline]\n__x64_sys_write+0x93/0xd0 fs/read_write.c:646\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\r\n\r\nUninit was created at:\nslab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767\nslab_alloc_node mm/slub.c:3478 [inline]\nkmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523\nkmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559\n__alloc_skb+0x318/0x740 net/core/skbuff.c:650\nalloc_skb include/linux/skbuff.h:1286 [inline]\nalloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6313\nsock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2795\ntun_alloc_skb drivers/net/tun.c:1531 [inline]\ntun_get_user+0x23cf/0x6940 drivers/net/tun.c:1846\ntun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\ncall_write_iter include/linux/fs.h:1985 [inline]\nnew_sync_write fs/read_write.c:491 [inline]\nvfs_write+0x8ef/0x15c0 fs/read_write.c:584\nksys_write+0x20f/0x4c0 fs/read_write.c:637\n__do_sys_write fs/read_write.c:649 [inline]\n__se_sys_write fs/read_write.c:646 [inline]\n__x64_sys_write+0x93/0xd0 fs/read_write.c:646\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\r\n\r\nCPU: 0 PID: 4995 Comm: syz-executor153 Not tainted 6.6.0-rc1-syzkaller-00014-ga747acc0b752 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023(CVE-2023-52577)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: bridge: use DEV_STATS_INC()\r\n\r\nsyzbot/KCSAN reported data-races in br_handle_frame_finish() [1]\nThis function can run from multiple cpus without mutual exclusion.\r\n\r\nAdopt SMP safe DEV_STATS_INC() to update dev->stats fields.\r\n\r\nHandles updates to dev->stats.tx_dropped while we are at it.\r\n\r\n[1]\nBUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish\r\n\r\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1:\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\nbr_nf_hook_thresh+0x1ed/0x220\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\nNF_HOOK include/linux/netfilter.h:304 [inline]\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\nnapi_poll net/core/dev.c:6594 [inline]\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\nrun_ksoftirqd+0x17/0x20 kernel/softirq.c:921\nsmpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164\nkthread+0x1d7/0x210 kernel/kthread.c:388\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\r\n\r\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0:\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\nbr_nf_hook_thresh+0x1ed/0x220\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\nNF_HOOK include/linux/netfilter.h:304 [inline]\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\nnapi_poll net/core/dev.c:6594 [inline]\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\ndo_softirq+0x5e/0x90 kernel/softirq.c:454\n__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381\n__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\n_raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210\nspin_unlock_bh include/linux/spinlock.h:396 [inline]\nbatadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356\nbatadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560\nprocess_one_work kernel/workqueue.c:2630 [inline]\nprocess_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703\nworker_thread+0x525/0x730 kernel/workqueue.c:2784\nkthread+0x1d7/0x210 kernel/kthread.c:388\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\r\n\r\nvalue changed: 0x00000000000d7190 -> 0x00000000000d7191\r\n\r\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f361b9 #0(CVE-2023-52578)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nceph: fix deadlock or deadcode of misusing dget()\r\n\r\nThe lock order is incorrect between denty and its parent, we should\nalways make sure that the parent get the lock first.\r\n\r\nBut since this deadcode is never used and the parent dir will always\nbe set from the callers, let's just remove it.(CVE-2023-52583)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nIB/ipoib: Fix mcast list locking\r\n\r\nReleasing the `priv->lock` while iterating the `priv->multicast_list` in\n`ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to\nremove the items while in the middle of iteration. If the mcast is removed\nwhile the lock was dropped, the for loop spins forever resulting in a hard\nlockup (as was reported on RHEL 4.18.0-372.75.1.el8_6 kernel):\r\n\r\n    Task A (kworker/u72:2 below)       | Task B (kworker/u72:0 below)\n    -----------------------------------+-----------------------------------\n    ipoib_mcast_join_task(work)        | ipoib_ib_dev_flush_light(work)\n      spin_lock_irq(&priv->lock)       | __ipoib_ib_dev_flush(priv, ...)\n      list_for_each_entry(mcast,       | ipoib_mcast_dev_flush(dev = priv->dev)\n          &priv->multicast_list, list) |\n        ipoib_mcast_join(dev, mcast)   |\n          spin_unlock_irq(&priv->lock) |\n                                       |   spin_lock_irqsave(&priv->lock, flags)\n                                       |   list_for_each_entry_safe(mcast, tmcast,\n                                       |                  &priv->multicast_list, list)\n                                       |     list_del(&mcast->list);\n                                       |     list_add_tail(&mcast->list, &remove_list)\n                                       |   spin_unlock_irqrestore(&priv->lock, flags)\n          spin_lock_irq(&priv->lock)   |\n                                       |   ipoib_mcast_remove_list(&remove_list)\n   (Here, `mcast` is no longer on the  |     list_for_each_entry_safe(mcast, tmcast,\n    `priv->multicast_list` and we keep |                            remove_list, list)\n    spinning on the `remove_list` of   |  >>>  wait_for_completion(&mcast->done)\n    the other thread which is blocked  |\n    and the list is still valid on     |\n    it's stack.)\r\n\r\nFix this by keeping the lock held and changing to GFP_ATOMIC to prevent\neventual sleeps.\nUnfortunately we could not reproduce the lockup and confirm this fix but\nbased on the code review I think this fix should address such lockups.\r\n\r\ncrash> bc 31\nPID: 747      TASK: ff1c6a1a007e8000  CPU: 31   COMMAND: \"kworker/u72:2\"\n--\n    [exception RIP: ipoib_mcast_join_task+0x1b1]\n    RIP: ffffffffc0944ac1  RSP: ff646f199a8c7e00  RFLAGS: 00000002\n    RAX: 0000000000000000  RBX: ff1c6a1a04dc82f8  RCX: 0000000000000000\n                                  work (&priv->mcast_task{,.work})\n    RDX: ff1c6a192d60ac68  RSI: 0000000000000286  RDI: ff1c6a1a04dc8000\n           &mcast->list\n    RBP: ff646f199a8c7e90   R8: ff1c699980019420   R9: ff1c6a1920c9a000\n    R10: ff646f199a8c7e00  R11: ff1c6a191a7d9800  R12: ff1c6a192d60ac00\n                                                         mcast\n    R13: ff1c6a1d82200000  R14: ff1c6a1a04dc8000  R15: ff1c6a1a04dc82d8\n           dev                    priv (&priv->lock)     &priv->multicast_list (aka head)\n    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n--- <NMI exception stack> ---\n #5 [ff646f199a8c7e00] ipoib_mcast_join_task+0x1b1 at ffffffffc0944ac1 [ib_ipoib]\n #6 [ff646f199a8c7e98] process_one_work+0x1a7 at ffffffff9bf10967\r\n\r\ncrash> rx ff646f199a8c7e68\nff646f199a8c7e68:  ff1c6a1a04dc82f8 <<< work = &priv->mcast_task.work\r\n\r\ncrash> list -hO ipoib_dev_priv.multicast_list ff1c6a1a04dc8000\n(empty)\r\n\r\ncrash> ipoib_dev_priv.mcast_task.work.func,mcast_mutex.owner.counter ff1c6a1a04dc8000\n  mcast_task.work.func = 0xffffffffc0944910 <ipoib_mcast_join_task>,\n  mcast_mutex.owner.counter = 0xff1c69998efec000\r\n\r\ncrash> b 8\nPID: 8        TASK: ff1c69998efec000  CPU: 33   COMMAND: \"kworker/u72:0\"\n--\n #3 [ff646f1980153d50] wait_for_completion+0x96 at ffffffff9c7d7646\n #4 [ff646f1980153d90] ipoib_mcast_remove_list+0x56 at ffffffffc0944dc6 [ib_ipoib]\n #5 [ff646f1980153de8] ipoib_mcast_dev_flush+0x1a7 at ffffffffc09455a7 [ib_ipoib]\n #6 [ff646f1980153e58] __ipoib_ib_dev_flush+0x1a4 at ffffffffc09431a4 [ib_ipoib]\n #7 [ff\n---truncated---(CVE-2023-52587)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()\r\n\r\nFix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bug\noccurs when txs->cnt, data from a URB provided by a USB device, is\nbigger than the size of the array txs->txstatus, which is\nHTC_MAX_TX_STATUS. WARN_ON() already checks it, but there is no bug\nhandling code after the check. Make the function return if that is the\ncase.\r\n\r\nFound by a modified version of syzkaller.\r\n\r\nUBSAN: array-index-out-of-bounds in htc_drv_txrx.c\nindex 13 is out of range for type '__wmi_event_txstatus [12]'\nCall Trace:\n ath9k_htc_txstatus\n ath9k_wmi_event_tasklet\n tasklet_action_common\n __do_softirq\n irq_exit_rxu\n sysvec_apic_timer_interrupt(CVE-2023-52594)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: rt2x00: restart beacon queue when hardware reset\r\n\r\nWhen a hardware reset is triggered, all registers are reset, so all\nqueues are forced to stop in hardware interface. However, mac80211\nwill not automatically stop the queue. If we don't manually stop the\nbeacon queue, the queue will be deadlocked and unable to start again.\nThis patch fixes the issue where Apple devices cannot connect to the\nAP after calling ieee80211_restart_hw().(CVE-2023-52595)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: s390: fix setting of fpc register\r\n\r\nkvm_arch_vcpu_ioctl_set_fpu() allows to set the floating point control\n(fpc) register of a guest cpu. The new value is tested for validity by\ntemporarily loading it into the fpc register.\r\n\r\nThis may lead to corruption of the fpc register of the host process:\nif an interrupt happens while the value is temporarily loaded into the fpc\nregister, and within interrupt context floating point or vector registers\nare used, the current fp/vx registers are saved with save_fpu_regs()\nassuming they belong to user space and will be loaded into fp/vx registers\nwhen returning to user space.\r\n\r\ntest_fp_ctl() restores the original user space / host process fpc register\nvalue, however it will be discarded, when returning to user space.\r\n\r\nIn result the host process will incorrectly continue to run with the value\nthat was supposed to be used for a guest cpu.\r\n\r\nFix this by simply removing the test. There is another test right before\nthe SIE context is entered which will handles invalid values.\r\n\r\nThis results in a change of behaviour: invalid values will now be accepted\ninstead of that the ioctl fails with -EINVAL. This seems to be acceptable,\ngiven that this interface is most likely not used anymore, and this is in\naddition the same behaviour implemented with the memory mapped interface\n(replace invalid values with zero) - see sync_regs() in kvm-s390.c.(CVE-2023-52597)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/ptrace: handle setting of fpc register correctly\r\n\r\nIf the content of the floating point control (fpc) register of a traced\nprocess is modified with the ptrace interface the new value is tested for\nvalidity by temporarily loading it into the fpc register.\r\n\r\nThis may lead to corruption of the fpc register of the tracing process:\nif an interrupt happens while the value is temporarily loaded into the\nfpc register, and within interrupt context floating point or vector\nregisters are used, the current fp/vx registers are saved with\nsave_fpu_regs() assuming they belong to user space and will be loaded into\nfp/vx registers when returning to user space.\r\n\r\ntest_fp_ctl() restores the original user space fpc register value, however\nit will be discarded, when returning to user space.\r\n\r\nIn result the tracer will incorrectly continue to run with the value that\nwas supposed to be used for the traced process.\r\n\r\nFix this by saving fpu register contents with save_fpu_regs() before using\ntest_fp_ctl().(CVE-2023-52598)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\next4: avoid online resizing failures due to oversized flex bg\r\n\r\nWhen we online resize an ext4 filesystem with a oversized flexbg_size,\r\n\r\n     mkfs.ext4 -F -G 67108864 $dev -b 4096 100M\n     mount $dev $dir\n     resize2fs $dev 16G\r\n\r\nthe following WARN_ON is triggered:\n==================================================================\nWARNING: CPU: 0 PID: 427 at mm/page_alloc.c:4402 __alloc_pages+0x411/0x550\nModules linked in: sg(E)\nCPU: 0 PID: 427 Comm: resize2fs Tainted: G  E  6.6.0-rc5+ #314\nRIP: 0010:__alloc_pages+0x411/0x550\nCall Trace:\n <TASK>\n __kmalloc_large_node+0xa2/0x200\n __kmalloc+0x16e/0x290\n ext4_resize_fs+0x481/0xd80\n __ext4_ioctl+0x1616/0x1d90\n ext4_ioctl+0x12/0x20\n __x64_sys_ioctl+0xf0/0x150\n do_syscall_64+0x3b/0x90\n==================================================================\r\n\r\nThis is because flexbg_size is too large and the size of the new_group_data\narray to be allocated exceeds MAX_ORDER. Currently, the minimum value of\nMAX_ORDER is 8, the minimum value of PAGE_SIZE is 4096, the corresponding\nmaximum number of groups that can be allocated is:\r\n\r\n (PAGE_SIZE << MAX_ORDER) / sizeof(struct ext4_new_group_data) ≈ 21845\r\n\r\nAnd the value that is down-aligned to the power of 2 is 16384. Therefore,\nthis value is defined as MAX_RESIZE_BG, and the number of groups added\neach time does not exceed this value during resizing, and is added multiple\ntimes to complete the online resizing. The difference is that the metadata\nin a flex_bg may be more dispersed.(CVE-2023-52622)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\next4: regenerate buddy after block freeing failed if under fc replay\r\n\r\nThis mostly reverts commit 6bd97bf273bd (\"ext4: remove redundant\nmb_regenerate_buddy()\") and reintroduces mb_regenerate_buddy(). Based on\ncode in mb_free_blocks(), fast commit replay can end up marking as free\nblocks that are already marked as such. This causes corruption of the\nbuddy bitmap so we need to regenerate it in that case.(CVE-2024-26601)",
+    "cves": [
+      {
+        "id": "CVE-2024-26601",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26601",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1721": {
+    "id": "openEuler-SA-2024-1721",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1721",
+    "title": "An update for openssl is now available for openEuler-24.03-LTS",
+    "severity": "Critical",
+    "description": "The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, fully featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL tookit and its related documentation.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free vulnerability was found in OpenSSL. Calling the OpenSSL API SSL_free_buffers function may cause memory to be accessed that was previously freed in some situations.(CVE-2024-4741)",
+    "cves": [
+      {
+        "id": "CVE-2024-4741",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4741",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1245": {
+    "id": "openEuler-SA-2024-1245",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1245",
+    "title": "An update for atril is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Mate-document-viewer is simple document viewer. It can display and print Portable Document Format (PDF), PostScript (PS), Encapsulated PostScript (EPS), DVI, DJVU, epub and XPS files. When supported by the document format, mate-document-viewer allows searching for text, copying text to the clipboard, hypertext navigation, table-of-contents bookmarks and editing of forms.\r\n\r\nSecurity Fix(es):\r\n\r\nAtril Document Viewer is the default document reader of the MATE desktop environment for Linux. A path traversal and arbitrary file write vulnerability exists in versions of Atril prior to 1.26.2. This vulnerability is capable of writing arbitrary files anywhere on the filesystem to which the user opening a crafted document has access. The only limitation is that this vulnerability cannot be exploited to overwrite existing files, but that doesn't stop an attacker from achieving Remote Command Execution on the target system. Version 1.26.2 of Atril contains a patch for this vulnerability.(CVE-2023-52076)",
+    "cves": [
+      {
+        "id": "CVE-2023-52076",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52076",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1378": {
+    "id": "openEuler-SA-2023-1378",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1378",
+    "title": "An update for libX11 is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Core X11 protocol client library.\n\nSecurity Fix(es):\n\nA vulnerability was found in libX11. The security flaw occurs because the functions in src/InitExt.c in libX11 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, using those IDs as array indexes. They trust that they were called with values provided by an Xserver adhering to the bounds specified in the X11 protocol, as all X servers provided by X.Org do. As the protocol only specifies a single byte for these values, an out-of-bounds value provided by a malicious server (or a malicious proxy-in-the-middle) can only overwrite other portions of the Display structure and not write outside the bounds of the Display structure itself, possibly causing the client to crash with this memory corruption.(CVE-2023-3138)",
+    "cves": [
+      {
+        "id": "CVE-2023-3138",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3138",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1976": {
+    "id": "openEuler-SA-2022-1976",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1976",
+    "title": "An update for mujs is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "MuJS is a lightweight Javascript interpreter designed for embedding in other software to extend them with scripting capabilities.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Artifex MuJS through 1.2.0, jsP_dumpsyntax in jsdump.c has a NULL pointer dereference, as demonstrated by mujs-pp.(CVE-2022-30975)\r\n\r\ncompile in regexp.c in Artifex MuJS through 1.2.0 results in stack consumption because of unlimited recursion, a different issue than CVE-2019-11413.(CVE-2022-30974)\r\n\r\nA use-after-free vulnerability was observed in Rp_toString function of Artifex Software, Inc. MuJS before 5c337af4b3df80cf967e4f9f6a21522de84b392a. A successful exploitation of this issue can lead to code execution or denial of service condition.(CVE-2016-7504)\r\n\r\nInteger overflow in the js_regcomp function in regexp.c in Artifex Software, Inc. MuJS before commit b6de34ac6d8bb7dd5461c57940acfbd3ee7fd93e allows attackers to cause a denial of service (application crash) via a crafted regular expression.(CVE-2016-9108)\r\n\r\nAn issue was discovered in Artifex Software, Inc. MuJS before 4006739a28367c708dea19aeb19b8a1a9326ce08. The jsR_setproperty function in jsrun.c lacks a check for a negative array length. This leads to an integer overflow in the js_pushstring function in jsrun.c when parsing a specially crafted JS file.(CVE-2017-5627)\r\n\r\nAn out-of-bounds read vulnerability was observed in Sp_replace_regexp function of Artifex Software, Inc. MuJS before 5000749f5afe3b956fc916e407309de840997f4a. A successful exploitation of this issue can lead to code execution or denial of service condition.(CVE-2016-7506)\r\n\r\nArtifex Software, Inc. MuJS before a5c747f1d40e8d6659a37a8d25f13fb5acf8e767 allows context-dependent attackers to obtain sensitive information by using the \"opname in crafted JavaScript file\" approach, related to an \"Out-of-Bounds read\" issue affecting the jsC_dumpfunction function in the jsdump.c component.(CVE-2016-9017)\r\n\r\nAn issue was discovered in Artifex Software, Inc. MuJS before 8f62ea10a0af68e56d5c00720523ebcba13c2e6a. The MakeDay function in jsdate.c does not validate the month, leading to an integer overflow when parsing a specially crafted JS file.(CVE-2017-5628)\r\n\r\nAn integer overflow vulnerability was observed in the regemit function in regexp.c in Artifex Software, Inc. MuJS before fa3d30fd18c348bb4b1f3858fb860f4fcd4b2045. The attack requires a regular expression with nested repetition. A successful exploitation of this issue can lead to code execution or a denial of service (buffer overflow) condition.(CVE-2016-10141)\r\n\r\nArtifex Software, Inc. MuJS before a0ceaf5050faf419401fe1b83acfa950ec8a8a89 allows context-dependent attackers to obtain sensitive information by using the \"crafted JavaScript\" approach, related to a \"Buffer Over-read\" issue.(CVE-2016-9136)",
+    "cves": [
+      {
+        "id": "CVE-2016-9136",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9136",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1729": {
+    "id": "openEuler-SA-2022-1729",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1729",
+    "title": "An update for rubygem-rack is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Rack provides a minimal, modular, and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers,  web frameworks, and software in between (the so-called middleware) into  a single method call.\r\n\r\nSecurity Fix(es):\r\n\r\nDenial of Service Vulnerability in Rack Multipart Parsing(CVE-2022-30122)\r\n\r\nPossible shell escape sequence injection vulnerability in Rack(CVE-2022-30123)\r\n\r\nA reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix.(CVE-2020-8184)",
+    "cves": [
+      {
+        "id": "CVE-2020-8184",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8184",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-2002": {
+    "id": "openEuler-SA-2023-2002",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-2002",
+    "title": "An update for tar is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Low",
+    "description": "GNU Tar provides the ability to create tar archives, as well as various other kinds of manipulation. For example, you can use Tar on previously created archives to extract files, to store additional files, or to update or list files which were already stored.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in tar. This issue occurs when extended attributes are processed in PAX archives, and could allow an attacker to cause an application crash, resulting in a denial of service.(CVE-2023-39804)",
+    "cves": [
+      {
+        "id": "CVE-2023-39804",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39804",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1996": {
+    "id": "openEuler-SA-2022-1996",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1996",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\n\n\t\tQEMU has two operating modes:\n\n\t\tFull system emulation. In this mode, QEMU emulates a full system (for example a PC),\n\t\tincluding one or several processors and various peripherals. It can be used to launch\n\t\tdifferent Operating Systems without rebooting the PC or to debug system code.\n\n\t\tUser mode emulation. In this mode, QEMU can launch processes compiled for one CPU on another CPU.\n\t\tIt can be used to launch the Wine Windows API emulator (https://www.winehq.org) or to ease\n\t\tcross-compilation and cross-debugging.\n\t\tYou can refer to https://www.qemu.org for more infortmation.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds memory access flaw was found in the ATI VGA device emulation of QEMU. This flaw occurs in the ati_2d_blt() routine while handling MMIO write operations when the guest provides invalid values for the destination display parameters. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.(CVE-2021-3638)",
+    "cves": [
+      {
+        "id": "CVE-2021-3638",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3638",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1782": {
+    "id": "openEuler-SA-2023-1782",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1782",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4040_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cm4040_open() and reader_detach().(CVE-2022-44033)\r\n\r\nAn issue was discovered in the Linux kernel through 6.0.10. In drivers/media/dvb-core/dvb_ca_en50221.c, a use-after-free can occur is there is a disconnect after an open, because of the lack of a wait_event.(CVE-2022-45919)\r\n\r\nVUL-0: CVE-2023-2593: kernel: Linux Kernel ksmbd Memory Exhaustion Denial-of-Service Vulnerability(CVE-2023-2593)\r\n\r\nThere is a null-pointer-dereference flaw found in f2fs_write_end_io in fs/f2fs/data.c in the Linux kernel. This flaw allows a local privileged user to cause a denial of service problem.(CVE-2023-2898)\r\n\r\nAn issue was discovered in drivers/bluetooth/hci_ldisc.c in the Linux kernel 6.2. In hci_uart_tty_ioctl, there is a race condition between HCIUARTSETPROTO and HCIUARTGETPROTO. HCI_UART_PROTO_SET is set before hu->proto is set. A NULL pointer dereference may occur.(CVE-2023-31083)\r\n\r\nAn issue was discovered in drivers/mtd/ubi/cdev.c in the Linux kernel 6.2. There is a divide-by-zero error in do_div(sz,mtd->erasesize), used indirectly by ctrl_cdev_ioctl, when mtd->erasesize is 0.(CVE-2023-31085)\r\n\r\nVUL-0: CVE-2023-32246: kernel: Linux Kernel ksmbd RCU Callback Race Condition Local Privilege Escalation Vulnerability(CVE-2023-32246)\r\n\r\nA flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.(CVE-2023-32254)\r\n\r\nClosing of an event channel in the Linux kernel can result in a deadlock. This happens when the close is being performed in parallel to an unrelated Xen console action and the handling of a Xen console interrupt in an unprivileged guest. The closing of an event channel is e.g. triggered by removal of a paravirtual device on the other side. As this action will cause console messages to be issued on the other side quite often, the chance of triggering the deadlock is not neglectable.\nA (malicious) guest administrator could cause a denial of service (DoS) in a backend domain (other than dom0) by disabling a paravirtualized device. A malicious backend could cause DoS in a guest running a Linux kernel by disabling a paravirtualized device.(CVE-2023-34324)\r\n\r\nA flaw was found in the Netfilter subsystem in the Linux kernel. The nfnl_osf_add_callback function did not validate the user mode controlled opt_num field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.(CVE-2023-39189)\r\n\r\nA flaw was found in the Netfilter subsystem in the Linux kernel. The xt_u32 module did not validate the fields in the xt_u32 structure. This flaw allows a local privileged attacker to trigger an out-of-bounds read by setting the size fields with a value beyond the array boundaries, leading to a crash or information disclosure.(CVE-2023-39192)\r\n\r\nA flaw was found in the Netfilter subsystem in the Linux kernel. The sctp_mt_check did not validate the flag_count field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.(CVE-2023-39193)\r\n\r\nA flaw was found in the XFRM subsystem in the Linux kernel. The specific flaw exists within the processing of state filters, which can result in a read past the end of an allocated buffer. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, potentially leading to an information disclosure.(CVE-2023-39194)\r\n\r\nA NULL pointer dereference flaw was found in the Linux kernel ipv4 stack. The socket buffer (skb) was assumed to be associated with a device before calling __ip_options_compile, which is not always the case if the skb is re-routed by ipvs. This issue may allow a local user with CAP_NET_ADMIN privileges to crash the system.(CVE-2023-42754)\r\n\r\nAn issue was discovered in drivers/usb/storage/ene_ub6250.c for the ENE UB6250 reader driver in the Linux kernel before 6.2.5. An object could potentially extend beyond the end of an allocation.(CVE-2023-45862)\r\n\r\nAn issue was discovered in lib/kobject.c in the Linux kernel before 6.2.3. With root access, an attacker can trigger a race condition that results in a fill_kobj_path out-of-bounds write.(CVE-2023-45863)\r\n\r\nAn issue was discovered in drivers/net/ethernet/intel/igb/igb_main.c in the IGB driver in the Linux kernel before 6.5.3. A buffer size may not be adequate for frames larger than the MTU.(CVE-2023-45871)\r\n\r\nA heap out-of-bounds write vulnerability in the Linux kernel's Linux Kernel Performance Events (perf) component can be exploited to achieve local privilege escalation.\r\n\r\nIf perf_read_group() is called while an event's sibling_list is smaller than its child's sibling_list, it can increment or write to memory locations outside of the allocated buffer.\r\n\r\nWe recommend upgrading past commit 32671e3799ca2e4590773fd0e63aaa4229e50c06.\r\n\r\n(CVE-2023-5717)",
+    "cves": [
+      {
+        "id": "CVE-2023-5717",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5717",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1699": {
+    "id": "openEuler-SA-2023-1699",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1699",
+    "title": "An update for python-gevent is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "gevent is a coroutine -based Python networking library that uses greenlet to provide a high-level synchronous API on top of the libev or libuv event loop.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue in Gevent Gevent before version 23.9.1 allows a remote attacker to escalate privileges via a crafted script to the WSGIServer component.(CVE-2023-41419)",
+    "cves": [
+      {
+        "id": "CVE-2023-41419",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41419",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1748": {
+    "id": "openEuler-SA-2023-1748",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1748",
+    "title": "An update for xerces-j2 is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2018-2799)",
+    "cves": [
+      {
+        "id": "CVE-2018-2799",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-2799",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2025": {
+    "id": "openEuler-SA-2022-2025",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2025",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\ndrivers/video/fbdev/smscufx.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a USB device while calling open(), aka a race condition between ufx_ops_open and ufx_usb_disconnect.(CVE-2022-41849)\r\n\r\nIn rndis_set_response of rndis.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege if a malicious USB device is attached with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-239842288References: Upstream kernel(CVE-2022-20423)\r\n\r\nA vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function ipv6_renew_options of the component IPv6 Handler. The manipulation leads to memory leak. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211021 was assigned to this vulnerability.(CVE-2022-3524)\r\n\r\nA vulnerability has been found in Linux Kernel and classified as critical. Affected by this vulnerability is the function area_cache_get of the file drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211045 was assigned to this vulnerability.(CVE-2022-3545)\r\n\r\nA vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function del_timer of the file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211088.(CVE-2022-3565)\r\n\r\nA vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function intr_callback of the file drivers/net/usb/r8152.c of the component BPF. The manipulation leads to logging of excessive data. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211363.(CVE-2022-3594)\n\nA vulnerability classified as critical was found in Linux Kernel. Affected by this vulnerability is the function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211087.(CVE-2022-3564)\n\nA vulnerability, which was classified as problematic, was found in Linux Kernel. This affects the function tcp_getsockopt/tcp_setsockopt of the component TCP Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. The identifier VDB-211089 was assigned to this vulnerability.(CVE-2022-3566)\n\nA vulnerability classified as problematic was found in Linux Kernel. This vulnerability affects the function bnx2x_tpa_stop of the file drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c of the component BPF. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. VDB-211042 is the identifier assigned to this vulnerability.(CVE-2022-3542)\n\nA vulnerability classified as problematic was found in Linux Kernel. Affected by this vulnerability is the function mvpp2_dbgfs_port_init of the file drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c of the component mvpp2. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The identifier VDB-211033 was assigned to this vulnerability.(CVE-2022-3535)\n\nA vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function kcm_tx_work of the file net/kcm/kcmsock.c of the component kcm. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. VDB-211018 is the identifier assigned to this vulnerability.(CVE-2022-3521)",
+    "cves": [
+      {
+        "id": "CVE-2022-3521",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3521",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1859": {
+    "id": "openEuler-SA-2022-1859",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1859",
+    "title": "An update for busybox is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. It provides a fairly complete environment for any small or embedded system.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.(CVE-2022-30065)",
+    "cves": [
+      {
+        "id": "CVE-2022-30065",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30065",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1035": {
+    "id": "openEuler-SA-2024-1035",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1035",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nopeneuler-linux-kernel-5.10.149-ext4_write_inline_data-kernel_bug-365020(CVE-2021-33631)\r\n\r\nAn issue was discovered in the Linux kernel through 6.3.8. A use-after-free was found in ravb_remove in drivers/net/ethernet/renesas/ravb_main.c.(CVE-2023-35827)\r\n\r\nA race condition was found in the GSM 0710 tty multiplexor in the Linux kernel. This issue occurs when two threads execute the GSMIOC_SETCONF ioctl on the same tty file descriptor with the gsm line discipline enabled, and can lead to a use-after-free problem on a struct gsm_dlci while restarting the gsm mux. This could allow a local unprivileged user to escalate their privileges on the system.(CVE-2023-6546)\r\n\r\nAn out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.(CVE-2023-6606)\r\n\r\nAn out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.(CVE-2023-6610)\r\n\r\nA use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\r\n\r\nThe function nft_pipapo_walk did not skip inactive elements during set walk which could lead double deactivations of PIPAPO (Pile Packet Policies) elements, leading to use-after-free.\r\n\r\nWe recommend upgrading past commit 317eb9685095678f2c9f5a8189de698c5354316a.\r\n\r\n(CVE-2023-6817)\r\n\r\nA heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be exploited to achieve local privilege escalation.\r\n\r\nA perf_event's read_size can overflow, leading to an heap out-of-bounds increment or write in perf_read_group().\r\n\r\nWe recommend upgrading past commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b.\r\n\r\n(CVE-2023-6931)",
+    "cves": [
+      {
+        "id": "CVE-2023-6931",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6931",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1668": {
+    "id": "openEuler-SA-2023-1668",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1668",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel through 6.0.9. drivers/media/usb/ttusb-dec/ttusb_dec.c has a memory leak because of the lack of a dvb_frontend_detach call.(CVE-2022-45887)\r\n\r\n\nA division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality. \r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n(CVE-2023-20588)\r\n\r\nIn multiple functions  of io_uring.c, there is a possible kernel memory corruption due to improper locking. This could lead to local escalation of privilege in the kernel with System execution privileges needed. User interaction is not needed for exploitation.\r\n\r\n(CVE-2023-21400)\r\n\r\nVUL-0: CVE-2023-32249: kernel: Linux Kernel ksmbd Multichannel Improper Authentication Session Hijack Vulnerability(CVE-2023-32249)\r\n\r\nVUL-0: CVE-2023-32251: kernel: Linux Kernel ksmbd Improper Restriction of Excessive Authentication Attempts Protection Bypass Vulnerability(CVE-2023-32251)\r\n\r\nVUL-0: CVE-2023-32253: kernel: Linux Kernel ksmbd Session Deadlock Denial-of-Service Vulnerability(CVE-2023-32253)\r\n\r\n** REJECT ** CVE-2023-4881 was wrongly assigned to a bug that was deemed to be a non-security issue by the Linux kernel security team.(CVE-2023-4881)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.\r\n\r\nWhen the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug and lack of error checking in agg_dequeue().\r\n\r\nWe recommend upgrading past commit 8fc134fee27f2263988ae38920bc03da416b03d8.\r\n\r\n(CVE-2023-4921)",
+    "cves": [
+      {
+        "id": "CVE-2023-32251",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32251",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2023-4921",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4921",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1752": {
+    "id": "openEuler-SA-2022-1752",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1752",
+    "title": "An update for rubygem-yajl-ruby is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Ruby C bindings to the excellent Yajl JSON stream-based parser library.\r\n\r\nSecurity Fix(es):\r\n\r\nyajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL.(CVE-2022-24795)",
+    "cves": [
+      {
+        "id": "CVE-2022-24795",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24795",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1867": {
+    "id": "openEuler-SA-2022-1867",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1867",
+    "title": "An update for OpenEXR is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light & Magic for use in computer imaging applications.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in OpenEXR's hufDecode functionality. This flaw allows an attacker who can pass a crafted file to be processed by OpenEXR, to trigger an undefined right shift error. The highest threat from this vulnerability is to system availability.(CVE-2021-20304)",
+    "cves": [
+      {
+        "id": "CVE-2021-20304",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20304",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1015": {
+    "id": "openEuler-SA-2021-1015",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1015",
+    "title": "An update for xstream is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design, making it suitable for large object graphs or systems with high message throughput. No information is duplicated that can be obtained via reflection. This results in XML that is easier to read for humans and more compact than native Java serialization. XStream serializes internal fields, including private and final. Supports non-public and inner classes. Classes are not required to have default constructor. Duplicate references encountered in the object-model will be maintained. Supports circular references. By implementing an interface, XStream can serialize directly to/from any tree structure (not just XML). Strategies can be registered allowing customization of how particular types are represented as XML. When an exception occurs due to malformed XML, detailed diagnostics are provided to help isolate and fix the problem.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nXStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.(CVE-2020-26258)\\r\\n\\r\\n\r\nXStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.(CVE-2020-26259)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2020-26259",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26259",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1538": {
+    "id": "openEuler-SA-2022-1538",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1538",
+    "title": "An update for systemd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "systemd is a system and service manager that runs as PID 1 and starts the rest of the system.\r\n\r\nSecurity Fix(es):\r\n\r\nsystemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user account were intended. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000082.(CVE-2020-13776)",
+    "cves": [
+      {
+        "id": "CVE-2020-13776",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13776",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1204": {
+    "id": "openEuler-SA-2021-1204",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1204",
+    "title": "An update for exiv2 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Exiv2 is a Cross-platform C++ library and a command line utility to manage image metadata. It provides fast and easy read and write access to the Exif, IPTC and XMP metadata and the ICC Profile embedded within digital images in various formats.\r\n\r\nSecurity Fix(es):\r\n\r\nExiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A read of uninitialized memory was found in Exiv2 versions v0.27.3 and earlier. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The read of uninitialized memory is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to leak a few bytes of stack memory, if they can trick the victim into running Exiv2 on a crafted image file. The bug is fixed in version v0.27.4.(CVE-2021-29623)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An inefficient algorithm (quadratic complexity) was found in Exiv2 versions v0.27.3 and earlier. The inefficient algorithm is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. The bug is fixed in version v0.27.4. Note that this bug is only triggered when _writing_ the metadata, which is a less frequently used Exiv2 operation than _reading_ the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `rm`.(CVE-2021-32617)",
+    "cves": [
+      {
+        "id": "CVE-2021-32617",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32617",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1709": {
+    "id": "openEuler-SA-2022-1709",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1709",
+    "title": "An update for libinput is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "libinput is a library to handle input devices in Wayland compositors and to provide a generic X.Org input driver.It provides device detection, device handling, input device event processing and abstraction so minimize the amount of custom input code compositors need to provide the common set of functionality that users expect.\n\r\n\r\nSecurity Fix(es):\r\n\r\nA format string vulnerability was found in libinput(CVE-2022-1215)",
+    "cves": [
+      {
+        "id": "CVE-2022-1215",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1215",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1064": {
+    "id": "openEuler-SA-2024-1064",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1064",
+    "title": "An update for yasm is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Low",
+    "description": "Yasm is a complete rewrite of the NASM assembler under the “new” BSD License.\r\n\r\nSecurity Fix(es):\r\n\r\nyasm v1.3.0 was discovered to contain a memory leak via the function yasm_intnum_copy at /libyasm/intnum.c.(CVE-2023-31975)",
+    "cves": [
+      {
+        "id": "CVE-2023-31975",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31975",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1154": {
+    "id": "openEuler-SA-2024-1154",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1154",
+    "title": "An update for openjdk-11 is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2024-20918)\r\n\r\nDifficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.(CVE-2024-20919)\r\n\r\nDifficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.(CVE-2024-20921)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2024-20926)\r\n\r\nDifficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).(CVE-2024-20945)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2024-20952)",
+    "cves": [
+      {
+        "id": "CVE-2024-20952",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20952",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1205": {
+    "id": "openEuler-SA-2021-1205",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1205",
+    "title": "An update for openldap is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. LDAP is a set of protocols for accessing directory services (usually phone book style information, but other information is possible) over the Internet, similar to the way DNS (Domain Name System) information is propagated over the Internet. The openldap package contains configuration files, libraries, and documentation for OpenLDAP.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in OpenLDAP. This flaw allows an attacker who can send a malicious packet to be processed by OpenLDAP’s slapd server, to trigger an assertion failure. The highest threat from this vulnerability is to system availability.(CVE-2020-25709)",
+    "cves": [
+      {
+        "id": "CVE-2020-25709",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25709",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1415": {
+    "id": "openEuler-SA-2021-1415",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1415",
+    "title": "An update for storm is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "Apache Storm realtime computation system\r\n\r\nSecurity Fix(es):\r\n\r\nAn Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4.(CVE-2021-40865)\nA Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.(CVE-2021-38294)",
+    "cves": [
+      {
+        "id": "CVE-2021-38294",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38294",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1864": {
+    "id": "openEuler-SA-2022-1864",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1864",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nNon-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.(CVE-2022-26373)\n\nA use-after-free flaw was found in route4_change in the net/sched/cls_route.c filter implementation in the Linux kernel. This flaw allows a local, privileged attacker to crash the system, possibly leading to a local privilege escalation issue.(CVE-2022-2588)",
+    "cves": [
+      {
+        "id": "CVE-2022-2588",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2588",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1135": {
+    "id": "openEuler-SA-2023-1135",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1135",
+    "title": "An update for edk2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications. \r\n\r\nSecurity Fix(es):\r\n\r\nThe public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7. Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream. The OpenSSL cms and smime command line applications are similarly affected.(CVE-2023-0215)\r\n\r\nThere is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.(CVE-2023-0286)\r\n\r\nA NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available the digest initialization will fail. There is a missing check for the return value from the initialization function which later leads to invalid usage of the digest API most likely leading to a crash. The unavailability of an algorithm can be caused by using FIPS enabled configuration of providers or more commonly by not loading the legacy provider. PKCS7 data is processed by the SMIME library calls and also by the time stamp (TS) library calls. The TLS implementation in OpenSSL does not call these functions however third party applications would be affected if they call these functions to verify signatures on untrusted data.(CVE-2023-0401)\r\n\r\nThe function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data. If the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.(CVE-2022-4450)",
+    "cves": [
+      {
+        "id": "CVE-2022-4450",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4450",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1359": {
+    "id": "openEuler-SA-2021-1359",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1359",
+    "title": "An update for cockpit is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Low",
+    "description": "Cockpit makes GNU/Linux discoverable. See Linux server in a web browser and perform system tasks with a mouse. It’s easy to start containers, administer storage, configure networks, and inspect logs with this package.\r\n\r\nSecurity Fix(es):\r\n\r\nCockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an HTML entry. This may be used by a malicious website in clickjacking or similar attacks.(CVE-2021-3660)",
+    "cves": [
+      {
+        "id": "CVE-2021-3660",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3660",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1670": {
+    "id": "openEuler-SA-2024-1670",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1670",
+    "title": "An update for tracker3-miners is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Tracker is an efficient search engine and for desktop, embedded and mobile.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the tracker-miners package. A weakness in the sandbox allows a maliciously-crafted file to execute code outside the sandbox if the tracker-extract process has first been compromised by a separate vulnerability.(CVE-2023-5557)",
+    "cves": [
+      {
+        "id": "CVE-2023-5557",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5557",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1178": {
+    "id": "openEuler-SA-2024-1178",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1178",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nTransmit requests in Xen's virtual network protocol can consist of\nmultiple parts.  While not really useful, except for the initial part\nany of them may be of zero length, i.e. carry no data at all.  Besides a\ncertain initial portion of the to be transferred data, these parts are\ndirectly translated into what Linux calls SKB fragments.  Such converted\nrequest parts can, when for a particular SKB they are all of length\nzero, lead to a de-reference of NULL in core networking code.\n(CVE-2023-46838)\r\n\r\nA flaw in the routing table size was found in the ICMPv6 handling of \"Packet Too Big\". The size of the routing table is regulated by periodic garbage collection. However, with \"Packet Too Big Messages\" it is possible to exceed the routing table size and garbage collector threshold. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%.(CVE-2023-52340)\r\n\r\nA use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\r\n\r\nThe nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT.\r\n\r\nWe recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.\r\n\r\n(CVE-2024-1086)",
+    "cves": [
+      {
+        "id": "CVE-2024-1086",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1086",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1200": {
+    "id": "openEuler-SA-2023-1200",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1200",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use after free vulnerability exists in the ALSA PCM package in the Linux Kernel. SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 is missing locks that can be used in a use-after-free that can result in a priviledge escalation to gain ring0 access from the system user. We recommend upgrading past commit 56b88b50565cd8b946a2d00b0c83927b7ebb055e(CVE-2023-0266)",
+    "cves": [
+      {
+        "id": "CVE-2023-0266",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0266",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1231": {
+    "id": "openEuler-SA-2024-1231",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1231",
+    "title": "An update for stb is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Single-file public domain libraries for C/C++.\r\n\r\nSecurity Fix(es):\r\n\r\nstb_image is a single file MIT licensed library for processing images. When `stbi_set_flip_vertically_on_load` is set to `TRUE` and `req_comp` is set to a number that doesn’t match the real number of components per pixel, the library attempts to flip the image vertically. A crafted image file can trigger `memcpy` out-of-bounds read because `bytes_per_pixel` used to calculate `bytes_per_row` doesn’t match the real image array dimensions.(CVE-2023-45662)\r\n\r\nstb_image is a single file MIT licensed library for processing images. The stbi__getn function reads a specified number of bytes from context (typically a file) into the specified buffer. In case the file stream points to the end, it returns zero. There are two places where its return value is not checked: In the `stbi__hdr_load` function and in the `stbi__tga_load` function. The latter of the two is likely more exploitable as an attacker may also control the size of an uninitialized buffer.(CVE-2023-45663)",
+    "cves": [
+      {
+        "id": "CVE-2023-45663",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45663",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1525": {
+    "id": "openEuler-SA-2023-1525",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1525",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed. QEMU has two operating modes: Full system emulation. In this mode, QEMU emulates a full system (for example a PC), including one or several processors and various peripherals. It can be used to launch different Operating Systems without rebooting the PC or to debug system code. User mode emulation. In this mode, QEMU can launch processes compiled for one CPU on another CPU. It can be used to launch the Wine Windows API emulator (https://www.winehq.org) or to ease cross-compilation and cross-debugging. You can refer to https://www.qemu.org for more infortmation.\n\nSecurity Fix(es):\n\nA flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in virtio_crypto_handle_sym_req. There is no check for the value of `src_len` and `dst_len` in virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow when the two values differ.(CVE-2023-3180)\n\nThe async nature of the hot-unplug enables an easy to reproduce race scenario where the net device backend is cleared before the virtio-net pci frontend has been unplugged (or the ACPI unplug has been acked by the guest?). The guest can use this time window to, at least, trigger an assertion.(CVE-2023-3301)",
+    "cves": [
+      {
+        "id": "CVE-2023-3301",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3301",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1303": {
+    "id": "openEuler-SA-2024-1303",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1303",
+    "title": "An update for perl-Net-CIDR-Lite is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Faster alternative to Net::CIDR when merging a large number of CIDR address ranges. Works for IPv4 and IPv6 addresses.\r\n\r\nSecurity Fix(es):\r\n\r\nThe Net::CIDR::Lite module before 0.22 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.(CVE-2021-47154)",
+    "cves": [
+      {
+        "id": "CVE-2021-47154",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47154",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1012": {
+    "id": "openEuler-SA-2021-1012",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1012",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.  QEMU has two operating modes:     Full system emulation. In this mode, QEMU emulates a full system (for example a PC),    including one or several processors and various peripherals. It can be used to launch    different Operating Systems without rebooting the PC or to debug system code.     User mode emulation. In this mode, QEMU can launch processes compiled for one CPU on another CPU.    It can be used to launch the Wine Windows API emulator (https://www.winehq.org) or to ease    cross-compilation and cross-debugging. You can refer to https://www.qemu.org for more infortmation.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nA flaw was found in the memory management API of QEMU during the initialization of a memory region cache. This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service. This flaw affects QEMU versions prior to 5.2.0.(CVE-2020-27821)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2020-27821",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27821",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1241": {
+    "id": "openEuler-SA-2021-1241",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1241",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-35504)\r\n\r\nA flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service.(CVE-2021-3527)\r\n\r\nAn out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.(CVE-2021-20221)\r\n\r\nA NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-35505)\r\n\r\nThe ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null.(CVE-2019-12067)",
+    "cves": [
+      {
+        "id": "CVE-2019-12067",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12067",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2060": {
+    "id": "openEuler-SA-2022-2060",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2060",
+    "title": "An update for qt5-qtbase is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Qt is a software toolkit for developing applications. This package contains base tools, like string, xml, and network handling.\r\n\r\nSecurity Fix(es):\r\n\r\nQt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).(CVE-2021-38593)",
+    "cves": [
+      {
+        "id": "CVE-2021-38593",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38593",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1201": {
+    "id": "openEuler-SA-2023-1201",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1201",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use after free vulnerability exists in the ALSA PCM package in the Linux Kernel. SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 is missing locks that can be used in a use-after-free that can result in a priviledge escalation to gain ring0 access from the system user. We recommend upgrading past commit 56b88b50565cd8b946a2d00b0c83927b7ebb055e(CVE-2023-0266)",
+    "cves": [
+      {
+        "id": "CVE-2023-0266",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0266",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1291": {
+    "id": "openEuler-SA-2021-1291",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1291",
+    "title": "An update for nodejs is now available for openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.\r\n\r\nSecurity Fix(es):\r\n\r\nNode.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().(CVE-2021-22918)",
+    "cves": [
+      {
+        "id": "CVE-2021-22918",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22918",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2154": {
+    "id": "openEuler-SA-2022-2154",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2154",
+    "title": "An update for openjdk-11 is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The OpenJDK runtime environment.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21626)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21624)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21619)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21628)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-39399)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21271)",
+    "cves": [
+      {
+        "id": "CVE-2022-21271",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21271",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1548": {
+    "id": "openEuler-SA-2023-1548",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1548",
+    "title": "An update for microcode_ctl is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "This is a tool to transform and deploy microcode update for x86 CPUs.\n\nSecurity Fix(es):\n\nIncorrect default permissions in some memory controller configurations for some Intel(R) Xeon(R) Processors when using Intel(R) Software Guard Extensions which may allow a privileged user to potentially enable escalation of privilege via local access.(CVE-2022-33196)\n\nImproper isolation of shared resources in some Intel(R) Processors when using Intel(R) Software Guard Extensions may allow a privileged user to potentially enable information disclosure via local access.(CVE-2022-38090)\n\nInformation exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.(CVE-2022-40982)",
+    "cves": [
+      {
+        "id": "CVE-2022-40982",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40982",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1149": {
+    "id": "openEuler-SA-2021-1149",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1149",
+    "title": "An update for flatpak is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "flatpak is a system for building, distributing and running sandboxed desktop applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for more information.\r\n\r\nSecurity Fix(es):\r\n\r\nFlatpak before 1.0.7, and 1.1.x and 1.2.x before 1.2.3, exposes /proc in the apply_extra script sandbox, which allows attackers to modify a host-side executable file.(CVE-2019-8308)\r\n\r\nFlatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In Flatpack since version 0.9.4 and before version 1.10.2 has a vulnerability in the \"file forwarding\" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app. This is fixed in version 1.10.2. A minimal solution is the first commit \"`Disallow @@ and @@U usage in desktop files`\". The follow-up commits \"`dir: Reserve the whole @@ prefix`\" and \"`dir: Refuse to export .desktop files with suspicious uses of @@ tokens`\" are recommended, but not strictly required. As a workaround, avoid installing Flatpak apps from untrusted sources, or check the contents of the exported `.desktop` files in `exports/share/applications/*.desktop` (typically `~/.local/share/flatpak/exports/share/applications/*.desktop` and `/var/lib/flatpak/exports/share/applications/*.desktop`) to make sure that literal filenames do not follow `@@` or `@@u`.(CVE-2021-21381)",
+    "cves": [
+      {
+        "id": "CVE-2021-21381",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21381",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1219": {
+    "id": "openEuler-SA-2021-1219",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1219",
+    "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nThere are several memory leaks in the MIFF coder in /coders/miff.c due to improper image depth values, which can be triggered by a specially crafted input file. These leaks could potentially lead to an impact to application availability or cause a denial of service. It was originally reported that the issues were in `AcquireMagickMemory()` because that is where LeakSanitizer detected the leaks, but the patch resolves issues in the MIFF coder, which incorrectly handles data being passed to `AcquireMagickMemory()`. This flaw affects ImageMagick versions prior to 7.0.9-0.(CVE-2020-27753)\r\n\r\nTIFFGetProfiles() in /coders/tiff.c calls strstr() which causes a large out-of-bounds read when it searches for `\"dc:format=\\\"image/dng\\\"` within `profile` due to improper string handling, when a crafted input file is provided to ImageMagick. The patch uses a StringInfo type instead of a raw C string to remedy this. This could cause an impact to availability of the application. This flaw affects ImageMagick versions prior to 7.0.9-0.(CVE-2020-25667)\r\n\r\nIn ParseMetaGeometry() of MagickCore/geometry.c, image height and width calculations can lead to divide-by-zero conditions which also lead to undefined behavior. This flaw can be triggered by a crafted input file processed by ImageMagick and could impact application availability. The patch uses multiplication in addition to the function `PerceptibleReciprocal()` in order to prevent such divide-by-zero conditions. This flaw affects ImageMagick versions prior to 7.0.9-0.(CVE-2020-27756)",
+    "cves": [
+      {
+        "id": "CVE-2020-27756",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27756",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1378": {
+    "id": "openEuler-SA-2021-1378",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1378",
+    "title": "An update for poppler is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Poppler is a free software utility library for rendering Portable Document Format (PDF) documents. \\ Its development is supported by freedesktop.org. It is commonly used on Linux systems,and is used by \\ the PDF viewers of the open source GNOME and KDE desktop environments.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Poppler in the way certain PDF files were converted into HTML. A remote attacker could exploit this flaw by providing a malicious PDF file that, when processed by the 'pdftohtml' program, would crash the application causing a denial of service.(CVE-2020-27778)\r\n\r\nIn Poppler through 0.76.1, there is a heap-based buffer over-read in JPXStream::init in JPEG2000Stream.cc via data with inconsistent heights or widths.(CVE-2019-12293)",
+    "cves": [
+      {
+        "id": "CVE-2019-12293",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12293",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1065": {
+    "id": "openEuler-SA-2023-1065",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1065",
+    "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR,WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort,shear and transform images, adjust image colors, apply various special effects,or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nImageMagick 7.1.0-49 is vulnerable to Denial of Service. When it parses a PNG image (e.g., for resize), the convert process could be left waiting for stdin input.(CVE-2022-44267)\r\n\r\nImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary. file (if the magick binary has permissions to read it).(CVE-2022-44268)",
+    "cves": [
+      {
+        "id": "CVE-2022-44268",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44268",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1387": {
+    "id": "openEuler-SA-2024-1387",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1387",
+    "title": "An update for ignition is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Ignition is a utility used to manipulate systems during the initramfs. This includes partitioning disks, formatting partitions, writing files (regular files, systemd units, etc.), and configuring users. On first boot, Ignition reads its configuration from a source of truth (remote URL, network metadata service, hypervisor bridge, etc.) and applies the configuration.\r\n\r\nSecurity Fix(es):\r\n\r\nA malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.(CVE-2023-39325)",
+    "cves": [
+      {
+        "id": "CVE-2023-39325",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39325",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1166": {
+    "id": "openEuler-SA-2023-1166",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1166",
+    "title": "An update for systemd is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "systemd is a system and service manager that runs as PID 1 and starts the rest of the system.\r\n\r\nSecurity Fix(es):\r\n\r\nsystemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the \"systemctl status\" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when running systemctl from Sudo, because less executes as root when the terminal size is too small to show the complete systemctl output.(CVE-2023-26604)",
+    "cves": [
+      {
+        "id": "CVE-2023-26604",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26604",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1016": {
+    "id": "openEuler-SA-2023-1016",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1016",
+    "title": "An update for samba is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nSince the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022 and per RFC8429 it is assumed that rc4-hmac is weak, Vulnerable Samba Active Directory DCs will issue rc4-hmac encrypted tickets despite the target server supporting better encryption (eg aes256-cts-hmac-sha1-96).(CVE-2022-45141)",
+    "cves": [
+      {
+        "id": "CVE-2022-45141",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45141",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1071": {
+    "id": "openEuler-SA-2024-1071",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1071",
+    "title": "An update for sudo is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Sudo is a program designed to allow a sysadmin to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow people to get their work done.\r\n\r\nSecurity Fix(es):\r\n\r\nSudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single bit.(CVE-2023-42465)",
+    "cves": [
+      {
+        "id": "CVE-2023-42465",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42465",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1358": {
+    "id": "openEuler-SA-2021-1358",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1358",
+    "title": "An update for edk2 is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in edk2. Missing checks in the IScsiHexToBin function in NetworkPkg/IScsiDxe lead to a buffer overflow allowing a remote attacker, who can inject himself in the communication between edk2 and the iSCSI target, to write arbitrary data to any address in the edk2 firmware and potentially execute code. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2021-38575)",
+    "cves": [
+      {
+        "id": "CVE-2021-38575",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38575",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1522": {
+    "id": "openEuler-SA-2022-1522",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1522",
+    "title": "An update for numpy is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "A fast multidimensional array facility for Python.\r\n\r\nSecurity Fix(es):\r\n\r\nNull Pointer Dereference vulnerability exists in numpy.sort in NumPy &lt and 1.19 in the PyArray_DescrNew function due to missing return-value validation, which allows attackers to conduct DoS attacks by repetitively creating sort arrays.(CVE-2021-41495)\r\n\r\nAn incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor states that this reported code behavior is \"completely harmless.\"(CVE-2021-34141)",
+    "cves": [
+      {
+        "id": "CVE-2021-34141",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34141",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1705": {
+    "id": "openEuler-SA-2022-1705",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1705",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nThere are use-after-free vulnerabilities in net/ax25/af_ax25.c of linux that allow attacker to crash linux kernel by simulating ax25 device from user space.(CVE-2022-1204)\r\n\r\nThe Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag.(CVE-2022-30594)",
+    "cves": [
+      {
+        "id": "CVE-2022-30594",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30594",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1560": {
+    "id": "openEuler-SA-2022-1560",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1560",
+    "title": "An update for ghostscript is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "Ghostscript is an interpreter for PostScript™ and Portable Document Format (PDF) files. Ghostscript consists of a PostScript interpreter layer, and a graphics library.\r\n\r\nSecurity Fix(es):\r\n\r\nA trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-3781)",
+    "cves": [
+      {
+        "id": "CVE-2021-3781",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3781",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1502": {
+    "id": "openEuler-SA-2022-1502",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1502",
+    "title": "An update for polkit is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Define and Handle authorizations tool.\r\n\r\nSecurity Fix(es):\r\n\r\nA local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.(CVE-2021-4034)",
+    "cves": [
+      {
+        "id": "CVE-2021-4034",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4034",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1123": {
+    "id": "openEuler-SA-2024-1123",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1123",
+    "title": "An update for libssh is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote programs. With its Secure FTP implementation, you can play with remote files easily, without third-party programs others than libcrypto (from openssl).\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in libssh. By utilizing the ProxyCommand or ProxyJump feature, users can exploit unchecked hostname syntax on the client. This issue may allow an attacker to inject malicious code into the command of the features mentioned through the hostname parameter.(CVE-2023-6004)",
+    "cves": [
+      {
+        "id": "CVE-2023-6004",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6004",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1386": {
+    "id": "openEuler-SA-2024-1386",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1386",
+    "title": "An update for ignition is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Ignition is a utility used to manipulate systems during the initramfs. This includes partitioning disks, formatting partitions, writing files (regular files, systemd units, etc.), and configuring users. On first boot, Ignition reads its configuration from a source of truth (remote URL, network metadata service, hypervisor bridge, etc.) and applies the configuration.\r\n\r\nSecurity Fix(es):\r\n\r\nA malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.(CVE-2023-39325)",
+    "cves": [
+      {
+        "id": "CVE-2023-39325",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39325",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1350": {
+    "id": "openEuler-SA-2024-1350",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1350",
+    "title": "An update for edk2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications.\r\n\r\nSecurity Fix(es):\r\n\r\n\nEDK2 is susceptible to a vulnerability in the CreateHob() function, allowing a user to trigger a integer overflow to buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability.\r\n\r\n(CVE-2022-36765)",
+    "cves": [
+      {
+        "id": "CVE-2022-36765",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36765",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1366": {
+    "id": "openEuler-SA-2021-1366",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1366",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel through 5.13.13.(CVE-2021-40490)\r\n\r\nA flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the \"int_ctl\" field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7.(CVE-2021-3653)\r\n\r\nAn issue was discovered in Linux: KVM through Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest. This allows users with the ability to start and control a VM to read/write random pages of memory and can result in local privilege escalation.(CVE-2021-22543)",
+    "cves": [
+      {
+        "id": "CVE-2021-22543",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22543",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1223": {
+    "id": "openEuler-SA-2021-1223",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1223",
+    "title": "An update for rpm is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The RPM Package Manager (RPM) is a powerful package management system capability as below\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.(CVE-2021-20266)\r\n\r\nA flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.(CVE-2021-3421)",
+    "cves": [
+      {
+        "id": "CVE-2021-3421",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3421",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1600": {
+    "id": "openEuler-SA-2023-1600",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1600",
+    "title": "An update for openjdk-latest is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.3.1; Oracle GraalVM Enterprise Edition: 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21549)\r\n\r\nAn issue was discovered in function ciMethodBlocks::make_block_at in Oracle JDK (HotSpot VM) 11, 17 and OpenJDK (HotSpot VM) 8, 11, 17, allows attackers to cause a denial of service.(CVE-2022-40433)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization).  Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf; Oracle GraalVM Enterprise Edition: 20.3.8 and  21.3.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21830)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via DTLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-21835)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Sound).  Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21843)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2023-21930)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21937)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21938)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21939)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2023-21954)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21967)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21968)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).(CVE-2023-22006)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.1 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2023-22041)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2023-22045)",
+    "cves": [
+      {
+        "id": "CVE-2023-22045",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22045",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1246": {
+    "id": "openEuler-SA-2021-1246",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1246",
+    "title": "An update for httpd is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow(CVE-2021-26691)\r\n\r\nApache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a Denial of Service(CVE-2020-13950)\r\n\r\nApache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation option might make it possible, with limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow(CVE-2020-35452)\n\nApache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with MergeSlashes OFF(CVE-2021-30641)",
+    "cves": [
+      {
+        "id": "CVE-2021-30641",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30641",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1130": {
+    "id": "openEuler-SA-2021-1130",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1130",
+    "title": "An update for uboot-tools is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "This package includes the mkimage program, which allows generation of U-Boot images in various formats, and the fw_printenv and fw_setenv programs to read and modify U-Boot's environment.\r\n\r\nSecurity Fix(es):\r\n\r\nThe boot loader in Das U-Boot before 2021.04-rc2 mishandles a modified FIT.(CVE-2021-27097)\r\n\r\nThe boot loader in Das U-Boot before 2021.04-rc2 mishandles use of unit addresses in a FIT.(CVE-2021-27138)",
+    "cves": [
+      {
+        "id": "CVE-2021-27138",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27138",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1098": {
+    "id": "openEuler-SA-2023-1098",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1098",
+    "title": "An update for python-django is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "A high-level Python Web framework that encourages rapid development and clean, pragmatic design.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.(CVE-2023-23969)",
+    "cves": [
+      {
+        "id": "CVE-2023-23969",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23969",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1473": {
+    "id": "openEuler-SA-2024-1473",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1473",
+    "title": "An update for cri-o is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Open Container Initiative-based implementation of Kubernetes Container Runtime Interface.\r\n\r\nSecurity Fix(es):\r\n\r\nPackage jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.\n(CVE-2024-28180)",
+    "cves": [
+      {
+        "id": "CVE-2024-28180",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28180",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1280": {
+    "id": "openEuler-SA-2024-1280",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1280",
+    "title": "An update for edk2 is now available for openEuler-20.03-LTS-SP1,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications.\r\n\r\nSecurity Fix(es):\r\n\r\nEDK2's Network Package is susceptible to an out-of-bounds read\n vulnerability when processing the IA_NA or IA_TA option in a DHCPv6 Advertise message. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Confidentiality.(CVE-2023-45229)\r\n\r\nEDK2's Network Package is susceptible to an out-of-bounds read\n vulnerability when processing  Neighbor Discovery Redirect message. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Confidentiality.(CVE-2023-45231)\r\n\r\n EDK2's Network Package is susceptible to a buffer overflow vulnerability when processing DNS Servers option from a DHCPv6 Advertise message. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Confidentiality, Integrity and/or Availability.\r\n\r\n(CVE-2023-45234)",
+    "cves": [
+      {
+        "id": "CVE-2023-45234",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45234",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1642": {
+    "id": "openEuler-SA-2024-1642",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1642",
+    "title": "An update for containers-common is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "This package contains common configuration files and documentation for container tools ecosystem, such as Podman, Buildah and Skopeo.\r\n\r\nSecurity Fix(es):\r\n\r\nUncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.(CVE-2022-1962)",
+    "cves": [
+      {
+        "id": "CVE-2022-1962",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1962",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2083": {
+    "id": "openEuler-SA-2022-2083",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2083",
+    "title": "An update for openssh is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.\r\n\r\nSecurity Fix(es):\r\n\r\nssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.(CVE-2021-28041)",
+    "cves": [
+      {
+        "id": "CVE-2021-28041",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28041",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1635": {
+    "id": "openEuler-SA-2023-1635",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1635",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_SESSION_SETUP commands. The issue results from the lack of control of resource consumption. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.(CVE-2023-32247)\r\n\r\nA use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\r\n\r\nWhen nf_tables_delrule() is flushing table rules, it is not checked whether the chain is bound and the chain's owner rule can also release the objects in certain circumstances.\r\n\r\nWe recommend upgrading past commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8.\r\n\r\n(CVE-2023-3777)\r\n\r\nA use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\r\n\r\nOn an error when building a nftables rule, deactivating immediate expressions in nft_immediate_deactivate() can lead unbinding the chain and objects be deactivated but later used.\r\n\r\nWe recommend upgrading past commit 0a771f7b266b02d262900c75f1e175c7fe76fec2.\r\n\r\n(CVE-2023-4015)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation.\r\n\r\nWhen route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.\r\n\r\nWe recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.\r\n\r\n(CVE-2023-4206)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.\r\n\r\nWhen fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.\r\n\r\nWe recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec.\r\n\r\n(CVE-2023-4207)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.\r\n\r\nWhen u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.\r\n\r\nWe recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.\r\n\r\n(CVE-2023-4208)\r\n\r\nA use-after-free vulnerability in the Linux kernel's af_unix component can be exploited to achieve local privilege escalation.\r\n\r\nThe unix_stream_sendpage() function tries to add data to the last skb in the peer's recv queue without locking the queue. Thus there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free.\r\n\r\nWe recommend upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.\r\n\r\n(CVE-2023-4622)",
+    "cves": [
+      {
+        "id": "CVE-2023-4622",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4622",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1380": {
+    "id": "openEuler-SA-2023-1380",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1380",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free flaw was found in r592_remove in drivers/memstick/host/r592.c in media access in the Linux Kernel. This flaw allows a local attacker to crash the system at device disconnect, possibly leading to a kernel information leak.(CVE-2023-3141)\r\n\r\nAn out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information.(CVE-2023-3268)\r\n\r\nAn issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation.(CVE-2023-35788)\r\n\r\nAn issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in drivers/media/pci/dm1105/dm1105.c.(CVE-2023-35824)",
+    "cves": [
+      {
+        "id": "CVE-2023-35824",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35824",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1904": {
+    "id": "openEuler-SA-2022-1904",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1904",
+    "title": "An update for sudo is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Sudo is a program designed to allow a sysadmin to give limited root privileges to users and log root activity.  The basic philosophy is to give as few privileges as possible but still allow people to get their work done.\r\n\r\nSecurity Fix(es):\r\n\r\nProtobuf-c v1.4.0 was discovered to contain an invalid arithmetic shift via the function parse_tag_and_wiretype in protobuf-c/protobuf-c.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors.(CVE-2022-33070)",
+    "cves": [
+      {
+        "id": "CVE-2022-33070",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33070",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1265": {
+    "id": "openEuler-SA-2023-1265",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1265",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free flaw was found in xgene_hwmon_remove in drivers/hwmon/xgene-hwmon.c in the Hardware Monitoring Linux Kernel Driver (xgene-hwmon). This flaw could allow a local attacker to crash the system due to a race problem. This vulnerability could even lead to a kernel information leak problem.(CVE-2023-1855)\r\n\r\nA use-after-free flaw was found in ndlc_remove in drivers/nfc/st-nci/ndlc.c in the Linux Kernel. This flaw could allow an attacker to crash the system due to a race problem.(CVE-2023-1990)\r\n\r\nA use-after-free vulnerability in the Linux Kernel io_uring system can be exploited to achieve local privilege escalation.\r\n\r\nThe io_file_get_fixed function lacks the presence of ctx->uring_lock which can lead to a Use-After-Free vulnerability due a race condition with fixed files getting unregistered.\r\n\r\nWe recommend upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8.\r\n\r\n(CVE-2023-1872)\r\n\r\nA race condition was found in the Linux kernel's RxRPC network protocol, within the processing of RxRPC bundles. This issue results from the lack of proper locking when performing operations on an object. This may allow an attacker to escalate privileges and execute arbitrary code in the context of the kernel.(CVE-2023-2006)\r\n\r\nThe Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/power/supply/da9150-charger.c if a physically proximate attacker unplugs a device.(CVE-2023-30772)",
+    "cves": [
+      {
+        "id": "CVE-2023-30772",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30772",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1227": {
+    "id": "openEuler-SA-2024-1227",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1227",
+    "title": "An update for shim is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Initial UEFI bootloader that handles chaining to a trusted full \\ bootloader under secure boot environments.\r\n\r\nSecurity Fix(es):\r\n\r\nApplications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\r\n\r\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\r\n\r\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0465)\r\n\r\nIssue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\r\n\r\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\r\n\r\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit.  OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\r\n\r\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime.  The time complexity is O(n^2) with 'n' being the size of the\nsub-identifiers in bytes (*).\r\n\r\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\nidentifiers in string form was introduced.  This includes using OBJECT\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\nalgorithms.\r\n\r\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\ndecrypt, or digest passed data.\r\n\r\nApplications that call OBJ_obj2txt() directly with untrusted data are\naffected, with any version of OpenSSL.  If the use is for the mere purpose\nof display, the severity is considered low.\r\n\r\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\nCMS, CMP/CRMF or TS.  It also impacts anything that processes X.509\ncertificates, including simple things like verifying its signature.\r\n\r\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\n100KiB limit on the peer's certificate chain.  Additionally, this only\nimpacts clients, or servers that have explicitly enabled client\nauthentication.\r\n\r\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\nsuch as X.509 certificates.  This is assumed to not happen in such a way\nthat it would cause a Denial of Service, so these versions are considered\nnot affected by this issue in such a way that it would be cause for concern,\nand the severity is therefore considered low.(CVE-2023-2650)\r\n\r\nIssue summary: Checking excessively long DH keys or parameters may be very slow.\r\n\r\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\r\n\r\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\r\n\r\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\r\n\r\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\r\n\r\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\r\n\r\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\r\n\r\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.(CVE-2023-3446)",
+    "cves": [
+      {
+        "id": "CVE-2023-3446",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3446",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1664": {
+    "id": "openEuler-SA-2023-1664",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1664",
+    "title": "An update for skopeo is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "A command line utility that performs various operations on container images and image repositories\r\n\r\nSecurity Fix(es):\r\n\r\nCalling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.(CVE-2023-24537)",
+    "cves": [
+      {
+        "id": "CVE-2023-24537",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24537",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1349": {
+    "id": "openEuler-SA-2023-1349",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1349",
+    "title": "An update for ImageMagick is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\n\nSecurity Fix(es):\n\nA vulnerability was found in ImageMagick. This security flaw ouccers as an undefined behaviors of casting double to size_t in svg, mvg and other coders (recurring bugs of CVE-2022-32546).(CVE-2023-34151)\n\nA vulnerability was found in ImageMagick. This security flaw causes a shell command injection vulnerability via video:vsync or video:pixel-format options in VIDEO encoding/decoding.(CVE-2023-34153)",
+    "cves": [
+      {
+        "id": "CVE-2023-34153",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34153",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1102": {
+    "id": "openEuler-SA-2021-1102",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1102",
+    "title": "An update for docker is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Docker is an open source project to build, ship and run any application as a lightweight container. Docker containers are both hardware-agnostic and platform-agnostic. This means they can run anywhere, from your laptop to the largest EC2 compute instance and everything in between - and they don't require you to use a particular language, framework or packaging system. That makes them great building blocks for deploying and scaling web apps, databases, and backend services without depending on a particular stack or provider.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using --userns-remap, if the root user in the remapped namespace has access to the host filesystem they can modify files under /var/lib/docker/<remapping> that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.(CVE-2021-21284)\r\n\r\nIn Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.(CVE-2021-21285)",
+    "cves": [
+      {
+        "id": "CVE-2021-21285",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21285",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1036": {
+    "id": "openEuler-SA-2021-1036",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1036",
+    "title": "An update for python3 is now available for openEuler-20.03-LTS",
+    "severity": "Critical",
+    "description": "Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nPython 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.(CVE-2021-3177)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2021-3177",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3177",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1289": {
+    "id": "openEuler-SA-2024-1289",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1289",
+    "title": "An update for iSulad is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "This is a umbrella project for gRPC-services based Lightweight Container Runtime Daemon, written by C.\r\n\r\nSecurity Fix(es):\r\n\r\n在isulad服务初始化阶段，会进行临时文件的正确性检查，如果检查不通过则重新创建文件，在检查与创建之间，存在一个条件竞争问题，攻击者可以通过利用该漏洞进行提权。(CVE-2021-33632)",
+    "cves": [
+      {
+        "id": "CVE-2021-33632",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33632",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1234": {
+    "id": "openEuler-SA-2024-1234",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1234",
+    "title": "An update for xerces-c is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Xerces-C is a validating XML parser written in a portable subset of C++. Xerces-C makes it easy to give your application the ability to read and write XML data. A shared library is provided for parsing, generating, manipulating, and validating XML documents. Xerces-C is faithful to the XML 1.0 recommendation and associated standards ( DOM 1.0, DOM 2.0. SAX 1.0, SAX 2.0, Namespaces).\r\n\r\nSecurity Fix(es):\r\n\r\nThe Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.(CVE-2018-1311)",
+    "cves": [
+      {
+        "id": "CVE-2018-1311",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1311",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1658": {
+    "id": "openEuler-SA-2023-1658",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1658",
+    "title": "An update for mosquitto is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Mosquitto is an open source message broker that implements the MQ Telemetry Transport protocol version 3.1 and 3.1.1 MQTT provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for \"machine to machine\" messaging such as with low power sensors or mobile devices such as phones, embedded computers or micro-controllers like the Arduino.\r\n\r\nSecurity Fix(es):\r\n\r\nThe broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.(CVE-2023-28366)",
+    "cves": [
+      {
+        "id": "CVE-2023-28366",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28366",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1560": {
+    "id": "openEuler-SA-2023-1560",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1560",
+    "title": "An update for clamav is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Clam AntiVirus (clamav) is an open source antivirus engine for detecting trojans, viruses, malware and other malicious threats. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software. he virus database is based on the virus database from OpenAntiVirus, but contains additional signatures and is KEPT UP TO DATE.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability in the filesystem image parser for Hierarchical File System Plus (HFS+) of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.\r\n\r This vulnerability is due to an incorrect check for completion when a file is decompressed, which may result in a loop condition that could cause the affected software to stop responding. An attacker could exploit this vulnerability by submitting a crafted HFS+ filesystem image to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to stop responding, resulting in a DoS condition on the affected software and consuming available system resources.\r\n\r For a description of this vulnerability, see the ClamAV blog .(CVE-2023-20197)",
+    "cves": [
+      {
+        "id": "CVE-2023-20197",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20197",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1112": {
+    "id": "openEuler-SA-2021-1112",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1112",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS",
+    "severity": "High",
+    "description": "This libtiff provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. The latest version of the TIFF specification is available on-line in several different formats.And contains command-line programs for manipulating TIFF format image files using the libtiff library.\r\n\r\nSecurity Fix(es):\n\nA flaw was found in libtiff. Due to a memory allocation failure in tif_read.c, a crafted TIFF file can lead to an abort, resulting in denial of service.(CVE-2020-35521)\n\nIn LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.(CVE-2020-35522)\r\n\r\nAn integer overflow flaw was found in libtiff that exists in the tif_getimage.c file. This flaw allows an attacker to inject and execute arbitrary code when a user opens a crafted TIFF file. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-35523)\r\n\r\nA heap-based buffer overflow flaw was found in libtiff in the handling of TIFF images in libtiff's TIFF2PDF tool. A specially crafted TIFF file can lead to arbitrary code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-35524)",
+    "cves": [
+      {
+        "id": "CVE-2020-35524",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35524",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1288": {
+    "id": "openEuler-SA-2023-1288",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1288",
+    "title": "An update for openjdk-1.8.0 is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The OpenJDK runtime environment 8.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21967)",
+    "cves": [
+      {
+        "id": "CVE-2023-21967",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21967",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1943": {
+    "id": "openEuler-SA-2023-1943",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1943",
+    "title": "An update for gstreamer1-plugins-bad-free is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "GStreamer is a pipeline-based multi media framework that links together a wide variety of media processing systems to complete complex workflows, based on graphs of filters which operate on media data. This package contains plug-ins that are not tested well enough yet, or the code is not of good enough quality.\r\n\r\nSecurity Fix(es):\r\n\r\nHeap-based buffer overflow in the PGS blu-ray subtitle decoder when handling certain files in GStreamer versions before 1.22.4 / 1.20.7. It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation.\r\n\r\nhttps://gstreamer.freedesktop.org/security/sa-2023-0003.html(CVE-2023-37329)\r\n\r\nA use-after-free flaw was found in the MXF demuxer in GStreamer when handling certain MXF video files. This issue could allow a malicious third party to trigger a crash in the application and may allow code execution.(CVE-2023-44446)",
+    "cves": [
+      {
+        "id": "CVE-2023-44446",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44446",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1682": {
+    "id": "openEuler-SA-2023-1682",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1682",
+    "title": "An update for grpc is now available for openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "gRPC is a modern open source high performance RPC framework that can run in any environment. It can efficiently connect services in and across data centers with pluggable support for load balancing, tracing, health checking and authentication. It is also applicable in last mile of distributed computing to connect devices, mobile applications and browsers to backend services.\r\n\r\nSecurity Fix(es):\r\n\r\nLack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. (CVE-2023-4785)",
+    "cves": [
+      {
+        "id": "CVE-2023-4785",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4785",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1131": {
+    "id": "openEuler-SA-2023-1131",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1131",
+    "title": "An update for glibc is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt, login, exit and more.\r\n\r\nSecurity Fix(es):\r\n\r\n** DISPUTED ** A vulnerability was found in GNU C Library 2.38. It has been declared as critical. This vulnerability affects the function __monstartup of the file gmon.c of the component Call Graph Monitor. The manipulation leads to buffer overflow. It is recommended to apply a patch to fix this issue. VDB-220246 is the identifier assigned to this vulnerability. NOTE: The real existence of this vulnerability is still doubted at the moment. The inputs that induce this vulnerability are basically addresses of the running application that is built with gmon enabled. It's basically trusted input or input that needs an actual security flaw to be compromised or controlled.(CVE-2023-0687)",
+    "cves": [
+      {
+        "id": "CVE-2023-0687",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0687",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1043": {
+    "id": "openEuler-SA-2024-1043",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1043",
+    "title": "An update for libssh is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote programs. With its Secure FTP implementation, you can play with remote files easily, without third-party programs others than libcrypto (from openssl).\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. The return values from these were not properly checked, which could cause low-memory situations failures, NULL dereferences, crashes, or usage of the uninitialized memory as an input for the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection.(CVE-2023-6918)",
+    "cves": [
+      {
+        "id": "CVE-2023-6918",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6918",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1680": {
+    "id": "openEuler-SA-2022-1680",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1680",
+    "title": "An update for libsndfile is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Libsndfile is a C library for reading and writing files containing sampled sound such as MS Windows WAV and the Apple/SGI AIFF format through one standard library interface.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds read flaw was found in libsndfile's FLAC codec functionality. An attacker who is able to submit a specially crafted file (via tricking a user to open or otherwise) to an application linked with libsndfile and using the FLAC codec, could trigger an out-of-bounds read that would most likely cause a crash but could potentially leak memory information that could be used in further exploitation of other flaws.(CVE-2021-4156)",
+    "cves": [
+      {
+        "id": "CVE-2021-4156",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4156",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1768": {
+    "id": "openEuler-SA-2022-1768",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1768",
+    "title": "An update for gupnp is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "GUPnP is an elegant, object-oriented open source framework for creating UPnP devices and control points, written in C using GObject and libsoup. The GUPnP API is intended to be easy to use, efficient and flexible. It provides the same set of features as libupnp,but shields the developer from most of UPnP's internals.\r\n\r\nSecurity Fix(es):\r\n\r\nThe Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.(CVE-2020-12695)",
+    "cves": [
+      {
+        "id": "CVE-2020-12695",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12695",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1455": {
+    "id": "openEuler-SA-2023-1455",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1455",
+    "title": "An update for firefox is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.\n\nSecurity Fix(es):\n\naddBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.(CVE-2022-22822)\n\nbuild_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.(CVE-2022-22823)\n\ndefineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.(CVE-2022-22824)",
+    "cves": [
+      {
+        "id": "CVE-2022-22824",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22824",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1650": {
+    "id": "openEuler-SA-2023-1650",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1650",
+    "title": "An update for openjdk-latest is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.3.1; Oracle GraalVM Enterprise Edition: 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21549)\r\n\r\nAn issue was discovered in function ciMethodBlocks::make_block_at in Oracle JDK (HotSpot VM) 11, 17 and OpenJDK (HotSpot VM) 8, 11, 17, allows attackers to cause a denial of service.(CVE-2022-40433)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization).  Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf; Oracle GraalVM Enterprise Edition: 20.3.8 and  21.3.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21830)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via DTLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-21835)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Sound).  Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21843)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2023-21930)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21937)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21938)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21939)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2023-21954)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21967)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21968)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).(CVE-2023-22006)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.1 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2023-22041)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2023-22045)",
+    "cves": [
+      {
+        "id": "CVE-2023-22045",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22045",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1679": {
+    "id": "openEuler-SA-2024-1679",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1679",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/tegra: dsi: Add missing check for of_find_device_by_node\r\n\r\nAdd check for the return value of of_find_device_by_node() and return\nthe error if it fails in order to avoid NULL pointer dereference.(CVE-2023-52650)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npstore: ram_core: fix possible overflow in persistent_ram_init_ecc()\r\n\r\nIn persistent_ram_init_ecc(), on 64-bit arches DIV_ROUND_UP() will return\n64-bit value since persistent_ram_zone::buffer_size has type size_t which\nis derived from the 64-bit *unsigned long*, while the ecc_blocks variable\nthis value gets assigned to has (always 32-bit) *int* type.  Even if that\nvalue fits into *int* type, an overflow is still possible when calculating\nthe size_t typed ecc_total variable further below since there's no cast to\nany 64-bit type before multiplication.  Declaring the ecc_blocks variable\nas *size_t* should fix this mess...\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with the SVACE static\nanalysis tool.(CVE-2023-52685)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/bridge: tpd12s015: Drop buggy __exit annotation for remove function\r\n\r\nWith tpd12s015_remove() marked with __exit this function is discarded\nwhen the driver is compiled as a built-in. The result is that when the\ndriver unbinds there is no cleanup done which results in resource\nleakage or worse.(CVE-2023-52694)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: pcrypt - Fix hungtask for PADATA_RESET\r\n\r\nWe found a hungtask bug in test_aead_vec_cfg as follows:\r\n\r\nINFO: task cryptomgr_test:391009 blocked for more than 120 seconds.\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\nCall trace:\n __switch_to+0x98/0xe0\n __schedule+0x6c4/0xf40\n schedule+0xd8/0x1b4\n schedule_timeout+0x474/0x560\n wait_for_common+0x368/0x4e0\n wait_for_completion+0x20/0x30\n wait_for_completion+0x20/0x30\n test_aead_vec_cfg+0xab4/0xd50\n test_aead+0x144/0x1f0\n alg_test_aead+0xd8/0x1e0\n alg_test+0x634/0x890\n cryptomgr_test+0x40/0x70\n kthread+0x1e0/0x220\n ret_from_fork+0x10/0x18\n Kernel panic - not syncing: hung_task: blocked tasks\r\n\r\nFor padata_do_parallel, when the return err is 0 or -EBUSY, it will call\nwait_for_completion(&wait->completion) in test_aead_vec_cfg. In normal\ncase, aead_request_complete() will be called in pcrypt_aead_serial and the\nreturn err is 0 for padata_do_parallel. But, when pinst->flags is\nPADATA_RESET, the return err is -EBUSY for padata_do_parallel, and it\nwon't call aead_request_complete(). Therefore, test_aead_vec_cfg will\nhung at wait_for_completion(&wait->completion), which will cause\nhungtask.\r\n\r\nThe problem comes as following:\n(padata_do_parallel)                 |\n    rcu_read_lock_bh();              |\n    err = -EINVAL;                   |   (padata_replace)\n                                     |     pinst->flags |= PADATA_RESET;\n    err = -EBUSY                     |\n    if (pinst->flags & PADATA_RESET) |\n        rcu_read_unlock_bh()         |\n        return err\r\n\r\nIn order to resolve the problem, we replace the return err -EBUSY with\n-EAGAIN, which means parallel_data is changing, and the caller should call\nit again.\r\n\r\nv3:\nremove retry and just change the return err.\nv2:\nintroduce padata_try_do_parallel() in pcrypt_aead_encrypt and\npcrypt_aead_decrypt to solve the hungtask.(CVE-2023-52813)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL\r\n\r\nIn certain types of chips, such as VEGA20, reading the amdgpu_regs_smc file could result in an abnormal null pointer access when the smc_rreg pointer is NULL. Below are the steps to reproduce this issue and the corresponding exception log:\r\n\r\n1. Navigate to the directory: /sys/kernel/debug/dri/0\n2. Execute command: cat amdgpu_regs_smc\n3. Exception Log::\n[4005007.702554] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[4005007.702562] #PF: supervisor instruction fetch in kernel mode\n[4005007.702567] #PF: error_code(0x0010) - not-present page\n[4005007.702570] PGD 0 P4D 0\n[4005007.702576] Oops: 0010 [#1] SMP NOPTI\n[4005007.702581] CPU: 4 PID: 62563 Comm: cat Tainted: G           OE     5.15.0-43-generic #46-Ubunt       u\n[4005007.702590] RIP: 0010:0x0\n[4005007.702598] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.\n[4005007.702600] RSP: 0018:ffffa82b46d27da0 EFLAGS: 00010206\n[4005007.702605] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffa82b46d27e68\n[4005007.702609] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9940656e0000\n[4005007.702612] RBP: ffffa82b46d27dd8 R08: 0000000000000000 R09: ffff994060c07980\n[4005007.702615] R10: 0000000000020000 R11: 0000000000000000 R12: 00007f5e06753000\n[4005007.702618] R13: ffff9940656e0000 R14: ffffa82b46d27e68 R15: 00007f5e06753000\n[4005007.702622] FS:  00007f5e0755b740(0000) GS:ffff99479d300000(0000) knlGS:0000000000000000\n[4005007.702626] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[4005007.702629] CR2: ffffffffffffffd6 CR3: 00000003253fc000 CR4: 00000000003506e0\n[4005007.702633] Call Trace:\n[4005007.702636]  <TASK>\n[4005007.702640]  amdgpu_debugfs_regs_smc_read+0xb0/0x120 [amdgpu]\n[4005007.703002]  full_proxy_read+0x5c/0x80\n[4005007.703011]  vfs_read+0x9f/0x1a0\n[4005007.703019]  ksys_read+0x67/0xe0\n[4005007.703023]  __x64_sys_read+0x19/0x20\n[4005007.703028]  do_syscall_64+0x5c/0xc0\n[4005007.703034]  ? do_user_addr_fault+0x1e3/0x670\n[4005007.703040]  ? exit_to_user_mode_prepare+0x37/0xb0\n[4005007.703047]  ? irqentry_exit_to_user_mode+0x9/0x20\n[4005007.703052]  ? irqentry_exit+0x19/0x30\n[4005007.703057]  ? exc_page_fault+0x89/0x160\n[4005007.703062]  ? asm_exc_page_fault+0x8/0x30\n[4005007.703068]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[4005007.703075] RIP: 0033:0x7f5e07672992\n[4005007.703079] Code: c0 e9 b2 fe ff ff 50 48 8d 3d fa b2 0c 00 e8 c5 1d 02 00 0f 1f 44 00 00 f3 0f        1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 e       c 28 48 89 54 24\n[4005007.703083] RSP: 002b:00007ffe03097898 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[4005007.703088] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5e07672992\n[4005007.703091] RDX: 0000000000020000 RSI: 00007f5e06753000 RDI: 0000000000000003\n[4005007.703094] RBP: 00007f5e06753000 R08: 00007f5e06752010 R09: 00007f5e06752010\n[4005007.703096] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000022000\n[4005007.703099] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000\n[4005007.703105]  </TASK>\n[4005007.703107] Modules linked in: nf_tables libcrc32c nfnetlink algif_hash af_alg binfmt_misc nls_       iso8859_1 ipmi_ssif ast intel_rapl_msr intel_rapl_common drm_vram_helper drm_ttm_helper amd64_edac t       tm edac_mce_amd kvm_amd ccp mac_hid k10temp kvm acpi_ipmi ipmi_si rapl sch_fq_codel ipmi_devintf ipm       i_msghandler msr parport_pc ppdev lp parport mtd pstore_blk efi_pstore ramoops pstore_zone reed_solo       mon ip_tables x_tables autofs4 ib_uverbs ib_core amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) iommu_v       2 amd_sched(OE) amdkcl(OE) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec rc_core        drm igb ahci xhci_pci libahci i2c_piix4 i2c_algo_bit xhci_pci_renesas dca\n[4005007.703184] CR2: 0000000000000000\n[4005007.703188] ---[ en\n---truncated---(CVE-2023-52817)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnbd: fix uaf in nbd_open\r\n\r\nCommit 4af5f2e03013 (\"nbd: use blk_mq_alloc_disk and\nblk_cleanup_disk\") cleans up disk by blk_cleanup_disk() and it won't set\ndisk->private_data as NULL as before. UAF may be triggered in nbd_open()\nif someone tries to open nbd device right after nbd_put() since nbd has\nbeen free in nbd_dev_remove().\r\n\r\nFix this by implementing ->free_disk and free private data in it.(CVE-2023-52837)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/radeon: possible buffer overflow\r\n\r\nBuffer 'afmt_status' of size 6 could overflow, since index 'afmt_idx' is\nchecked after access.(CVE-2023-52867)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntracing: Have trace_event_file have ref counters\r\n\r\nThe following can crash the kernel:\r\n\r\n # cd /sys/kernel/tracing\n # echo 'p:sched schedule' > kprobe_events\n # exec 5>>events/kprobes/sched/enable\n # > kprobe_events\n # exec 5>&-\r\n\r\nThe above commands:\r\n\r\n 1. Change directory to the tracefs directory\n 2. Create a kprobe event (doesn't matter what one)\n 3. Open bash file descriptor 5 on the enable file of the kprobe event\n 4. Delete the kprobe event (removes the files too)\n 5. Close the bash file descriptor 5\r\n\r\nThe above causes a crash!\r\n\r\n BUG: kernel NULL pointer dereference, address: 0000000000000028\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n RIP: 0010:tracing_release_file_tr+0xc/0x50\r\n\r\nWhat happens here is that the kprobe event creates a trace_event_file\n\"file\" descriptor that represents the file in tracefs to the event. It\nmaintains state of the event (is it enabled for the given instance?).\nOpening the \"enable\" file gets a reference to the event \"file\" descriptor\nvia the open file descriptor. When the kprobe event is deleted, the file is\nalso deleted from the tracefs system which also frees the event \"file\"\ndescriptor.\r\n\r\nBut as the tracefs file is still opened by user space, it will not be\ntotally removed until the final dput() is called on it. But this is not\ntrue with the event \"file\" descriptor that is already freed. If the user\ndoes a write to or simply closes the file descriptor it will reference the\nevent \"file\" descriptor that was just freed, causing a use-after-free bug.\r\n\r\nTo solve this, add a ref count to the event \"file\" descriptor as well as a\nnew flag called \"FREED\". The \"file\" will not be freed until the last\nreference is released. But the FREE flag will be set when the event is\nremoved to prevent any more modifications to that event from happening,\neven if there's still a reference to the event \"file\" descriptor.(CVE-2023-52879)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwireguard: netlink: access device through ctx instead of peer\r\n\r\nThe previous commit fixed a bug that led to a NULL peer->device being\ndereferenced. It's actually easier and faster performance-wise to\ninstead get the device from ctx->wg. This semantically makes more sense\ntoo, since ctx->wg->peer_allowedips.seq is compared with\nctx->allowedips_seq, basing them both in ctx. This also acts as a\ndefence in depth provision against freed peers.(CVE-2024-26950)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfs: fix UAF in direct writes\r\n\r\nIn production we have been hitting the following warning consistently\r\n\r\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0\nWorkqueue: nfsiod nfs_direct_write_schedule_work [nfs]\nRIP: 0010:refcount_warn_saturate+0x9c/0xe0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? __warn+0x9f/0x130\n ? refcount_warn_saturate+0x9c/0xe0\n ? report_bug+0xcc/0x150\n ? handle_bug+0x3d/0x70\n ? exc_invalid_op+0x16/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? refcount_warn_saturate+0x9c/0xe0\n nfs_direct_write_schedule_work+0x237/0x250 [nfs]\n process_one_work+0x12f/0x4a0\n worker_thread+0x14e/0x3b0\n ? ZSTD_getCParams_internal+0x220/0x220\n kthread+0xdc/0x120\n ? __btf_name_valid+0xa0/0xa0\n ret_from_fork+0x1f/0x30\r\n\r\nThis is because we're completing the nfs_direct_request twice in a row.\r\n\r\nThe source of this is when we have our commit requests to submit, we\nprocess them and send them off, and then in the completion path for the\ncommit requests we have\r\n\r\nif (nfs_commit_end(cinfo.mds))\n\tnfs_direct_write_complete(dreq);\r\n\r\nHowever since we're submitting asynchronous requests we sometimes have\none that completes before we submit the next one, so we end up calling\ncomplete on the nfs_direct_request twice.\r\n\r\nThe only other place we use nfs_generic_commit_list() is in\n__nfs_commit_inode, which wraps this call in a\r\n\r\nnfs_commit_begin();\nnfs_commit_end();\r\n\r\nWhich is a common pattern for this style of completion handling, one\nthat is also repeated in the direct code with get_dreq()/put_dreq()\ncalls around where we process events as well as in the completion paths.\r\n\r\nFix this by using the same pattern for the commit requests.\r\n\r\nBefore with my 200 node rocksdb stress running this warning would pop\nevery 10ish minutes.  With my patch the stress test has been running for\nseveral hours without popping.(CVE-2024-26958)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmac802154: fix llsec key resources release in mac802154_llsec_key_del\r\n\r\nmac802154_llsec_key_del() can free resources of a key directly without\nfollowing the RCU rules for waiting before the end of a grace period. This\nmay lead to use-after-free in case llsec_lookup_key() is traversing the\nlist of keys in parallel with a key deletion:\r\n\r\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0\nModules linked in:\nCPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x162/0x2a0\nCall Trace:\n <TASK>\n llsec_lookup_key.isra.0+0x890/0x9e0\n mac802154_llsec_encrypt+0x30c/0x9c0\n ieee802154_subif_start_xmit+0x24/0x1e0\n dev_hard_start_xmit+0x13e/0x690\n sch_direct_xmit+0x2ae/0xbc0\n __dev_queue_xmit+0x11dd/0x3c20\n dgram_sendmsg+0x90b/0xd60\n __sys_sendto+0x466/0x4c0\n __x64_sys_sendto+0xe0/0x1c0\n do_syscall_64+0x45/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\nAlso, ieee802154_llsec_key_entry structures are not freed by\nmac802154_llsec_key_del():\r\n\r\nunreferenced object 0xffff8880613b6980 (size 64):\n  comm \"iwpan\", pid 2176, jiffies 4294761134 (age 60.475s)\n  hex dump (first 32 bytes):\n    78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de  x.......\".......\n    00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00  ................\n  backtrace:\n    [<ffffffff81dcfa62>] __kmem_cache_alloc_node+0x1e2/0x2d0\n    [<ffffffff81c43865>] kmalloc_trace+0x25/0xc0\n    [<ffffffff88968b09>] mac802154_llsec_key_add+0xac9/0xcf0\n    [<ffffffff8896e41a>] ieee802154_add_llsec_key+0x5a/0x80\n    [<ffffffff8892adc6>] nl802154_add_llsec_key+0x426/0x5b0\n    [<ffffffff86ff293e>] genl_family_rcv_msg_doit+0x1fe/0x2f0\n    [<ffffffff86ff46d1>] genl_rcv_msg+0x531/0x7d0\n    [<ffffffff86fee7a9>] netlink_rcv_skb+0x169/0x440\n    [<ffffffff86ff1d88>] genl_rcv+0x28/0x40\n    [<ffffffff86fec15c>] netlink_unicast+0x53c/0x820\n    [<ffffffff86fecd8b>] netlink_sendmsg+0x93b/0xe60\n    [<ffffffff86b91b35>] ____sys_sendmsg+0xac5/0xca0\n    [<ffffffff86b9c3dd>] ___sys_sendmsg+0x11d/0x1c0\n    [<ffffffff86b9c65a>] __sys_sendmsg+0xfa/0x1d0\n    [<ffffffff88eadbf5>] do_syscall_64+0x45/0xf0\n    [<ffffffff890000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\nHandle the proper resource release in the RCU callback function\nmac802154_llsec_key_del_rcu().\r\n\r\nNote that if llsec_lookup_key() finds a key, it gets a refcount via\nllsec_key_get() and locally copies key id from key_entry (which is a\nlist element). So it's safe to call llsec_key_put() and free the list\nentry after the RCU grace period elapses.\r\n\r\nFound by Linux Verification Center (linuxtesting.org).(CVE-2024-26961)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: qcom: mmcc-msm8974: fix terminating of frequency table arrays\r\n\r\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\r\n\r\nOnly compile tested.(CVE-2024-26965)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nubifs: ubifs_symlink: Fix memleak of inode->i_link in error path\r\n\r\nFor error handling path in ubifs_symlink(), inode will be marked as\nbad first, then iput() is invoked. If inode->i_link is initialized by\nfscrypt_encrypt_symlink() in encryption scenario, inode->i_link won't\nbe freed by callchain ubifs_free_inode -> fscrypt_free_inode in error\nhandling path, because make_bad_inode() has changed 'inode->i_mode' as\n'S_IFREG'.\nFollowing kmemleak is easy to be reproduced by injecting error in\nubifs_jnl_update() when doing symlink in encryption scenario:\n unreferenced object 0xffff888103da3d98 (size 8):\n  comm \"ln\", pid 1692, jiffies 4294914701 (age 12.045s)\n  backtrace:\n   kmemdup+0x32/0x70\n   __fscrypt_encrypt_symlink+0xed/0x1c0\n   ubifs_symlink+0x210/0x300 [ubifs]\n   vfs_symlink+0x216/0x360\n   do_symlinkat+0x11a/0x190\n   do_syscall_64+0x3b/0xe0\nThere are two ways fixing it:\n 1. Remove make_bad_inode() in error handling path. We can do that\n    because ubifs_evict_inode() will do same processes for good\n    symlink inode and bad symlink inode, for inode->i_nlink checking\n    is before is_bad_inode().\n 2. Free inode->i_link before marking inode bad.\nMethod 2 is picked, it has less influence, personally, I think.(CVE-2024-26972)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: Always flush async #PF workqueue when vCPU is being destroyed\r\n\r\nAlways flush the per-vCPU async #PF workqueue when a vCPU is clearing its\ncompletion queue, e.g. when a VM and all its vCPUs is being destroyed.\nKVM must ensure that none of its workqueue callbacks is running when the\nlast reference to the KVM _module_ is put.  Gifting a reference to the\nassociated VM prevents the workqueue callback from dereferencing freed\nvCPU/VM memory, but does not prevent the KVM module from being unloaded\nbefore the callback completes.\r\n\r\nDrop the misguided VM refcount gifting, as calling kvm_put_kvm() from\nasync_pf_execute() if kvm_put_kvm() flushes the async #PF workqueue will\nresult in deadlock.  async_pf_execute() can't return until kvm_put_kvm()\nfinishes, and kvm_put_kvm() can't return until async_pf_execute() finishes:\r\n\r\n WARNING: CPU: 8 PID: 251 at virt/kvm/kvm_main.c:1435 kvm_put_kvm+0x2d/0x320 [kvm]\n Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel kvm irqbypass\n CPU: 8 PID: 251 Comm: kworker/8:1 Tainted: G        W          6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n Workqueue: events async_pf_execute [kvm]\n RIP: 0010:kvm_put_kvm+0x2d/0x320 [kvm]\n Call Trace:\n  <TASK>\n  async_pf_execute+0x198/0x260 [kvm]\n  process_one_work+0x145/0x2d0\n  worker_thread+0x27e/0x3a0\n  kthread+0xba/0xe0\n  ret_from_fork+0x2d/0x50\n  ret_from_fork_asm+0x11/0x20\n  </TASK>\n ---[ end trace 0000000000000000 ]---\n INFO: task kworker/8:1:251 blocked for more than 120 seconds.\n       Tainted: G        W          6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/8:1     state:D stack:0     pid:251   ppid:2      flags:0x00004000\n Workqueue: events async_pf_execute [kvm]\n Call Trace:\n  <TASK>\n  __schedule+0x33f/0xa40\n  schedule+0x53/0xc0\n  schedule_timeout+0x12a/0x140\n  __wait_for_common+0x8d/0x1d0\n  __flush_work.isra.0+0x19f/0x2c0\n  kvm_clear_async_pf_completion_queue+0x129/0x190 [kvm]\n  kvm_arch_destroy_vm+0x78/0x1b0 [kvm]\n  kvm_put_kvm+0x1c1/0x320 [kvm]\n  async_pf_execute+0x198/0x260 [kvm]\n  process_one_work+0x145/0x2d0\n  worker_thread+0x27e/0x3a0\n  kthread+0xba/0xe0\n  ret_from_fork+0x2d/0x50\n  ret_from_fork_asm+0x11/0x20\n  </TASK>\r\n\r\nIf kvm_clear_async_pf_completion_queue() actually flushes the workqueue,\nthen there's no need to gift async_pf_execute() a reference because all\ninvocations of async_pf_execute() will be forced to complete before the\nvCPU and its VM are destroyed/freed.  And that in turn fixes the module\nunloading bug as __fput() won't do module_put() on the last vCPU reference\nuntil the vCPU has been freed, e.g. if closing the vCPU file also puts the\nlast reference to the KVM module.\r\n\r\nNote that kvm_check_async_pf_completion() may also take the work item off\nthe completion queue and so also needs to flush the work queue, as the\nwork will not be seen by kvm_clear_async_pf_completion_queue().  Waiting\non the workqueue could theoretically delay a vCPU due to waiting for the\nwork to complete, but that's a very, very small chance, and likely a very\nsmall delay.  kvm_arch_async_page_present_queued() unconditionally makes a\nnew request, i.e. will effectively delay entering the guest, so the\nremaining work is really just:\r\n\r\n        trace_kvm_async_pf_completed(addr, cr2_or_gpa);\r\n\r\n        __kvm_vcpu_wake_up(vcpu);\r\n\r\n        mmput(mm);\r\n\r\nand mmput() can't drop the last reference to the page tables if the vCPU is\nstill alive, i.e. the vCPU won't get stuck tearing down page tables.\r\n\r\nAdd a helper to do the flushing, specifically to deal with \"wakeup all\"\nwork items, as they aren't actually work items, i.e. are never placed in a\nworkqueue.  Trying to flush a bogus workqueue entry rightly makes\n__flush_work() complain (kudos to whoever added that sanity check).\r\n\r\nNote, commit 5f6de5cbebee (\"KVM: Prevent module exit until al\n---truncated---(CVE-2024-26976)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs: sysfs: Fix reference leak in sysfs_break_active_protection()\r\n\r\nThe sysfs_break_active_protection() routine has an obvious reference\nleak in its error path.  If the call to kernfs_find_and_get() fails then\nkn will be NULL, so the companion sysfs_unbreak_active_protection()\nroutine won't get called (and would only cause an access violation by\ntrying to dereference kn->parent if it was called).  As a result, the\nreference to kobj acquired at the start of the function will never be\nreleased.\r\n\r\nFix the leak by adding an explicit kobject_put() call when kn is NULL.(CVE-2024-26993)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nserial: mxs-auart: add spinlock around changing cts state\r\n\r\nThe uart_handle_cts_change() function in serial_core expects the caller\nto hold uport->lock. For example, I have seen the below kernel splat,\nwhen the Bluetooth driver is loaded on an i.MX28 board.\r\n\r\n    [   85.119255] ------------[ cut here ]------------\n    [   85.124413] WARNING: CPU: 0 PID: 27 at /drivers/tty/serial/serial_core.c:3453 uart_handle_cts_change+0xb4/0xec\n    [   85.134694] Modules linked in: hci_uart bluetooth ecdh_generic ecc wlcore_sdio configfs\n    [   85.143314] CPU: 0 PID: 27 Comm: kworker/u3:0 Not tainted 6.6.3-00021-gd62a2f068f92 #1\n    [   85.151396] Hardware name: Freescale MXS (Device Tree)\n    [   85.156679] Workqueue: hci0 hci_power_on [bluetooth]\n    (...)\n    [   85.191765]  uart_handle_cts_change from mxs_auart_irq_handle+0x380/0x3f4\n    [   85.198787]  mxs_auart_irq_handle from __handle_irq_event_percpu+0x88/0x210\n    (...)(CVE-2024-27000)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm: nv04: Fix out of bounds access\r\n\r\nWhen Output Resource (dcb->or) value is assigned in\nfabricate_dcb_output(), there may be out of bounds access to\ndac_users array in case dcb->or is zero because ffs(dcb->or) is\nused as index there.\nThe 'or' argument of fabricate_dcb_output() must be interpreted as a\nnumber of bit to set, not value.\r\n\r\nUtilize macros from 'enum nouveau_or' in calls instead of hardcoding.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-27008)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Fix a potential buffer overflow in 'dp_dsc_clock_en_read()'\r\n\r\nTell snprintf() to store at most 10 bytes in the output buffer\ninstead of 30.\r\n\r\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_debugfs.c:1508 dp_dsc_clock_en_read() error: snprintf() is printing too much 30 vs 10(CVE-2024-27045)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nUSB: usb-storage: Prevent divide-by-0 error in isd200_ata_command\r\n\r\nThe isd200 sub-driver in usb-storage uses the HEADS and SECTORS values\nin the ATA ID information to calculate cylinder and head values when\ncreating a CDB for READ or WRITE commands.  The calculation involves\ndivision and modulus operations, which will cause a crash if either of\nthese values is 0.  While this never happens with a genuine device, it\ncould happen with a flawed or subversive emulation, as reported by the\nsyzbot fuzzer.\r\n\r\nProtect against this possibility by refusing to bind to the device if\neither the ATA_ID_HEADS or ATA_ID_SECTORS value in the device's ID\ninformation is 0.  This requires isd200_Initialization() to return a\nnegative error code when initialization fails; currently it always\nreturns 0 (even when there is an error).(CVE-2024-27059)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: ttpci: fix two memleaks in budget_av_attach\r\n\r\nWhen saa7146_register_device and saa7146_vv_init fails, budget_av_attach\nshould free the resources it allocates, like the error-handling of\nttpci_budget_init does. Besides, there are two fixme comment refers to\nsuch deallocations.(CVE-2024-27073)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: dvb-frontends: avoid stack overflow warnings with clang\r\n\r\nA previous patch worked around a KASAN issue in stv0367, now a similar\nproblem showed up with clang:\r\n\r\ndrivers/media/dvb-frontends/stv0367.c:1222:12: error: stack frame size (3624) exceeds limit (2048) in 'stv0367ter_set_frontend' [-Werror,-Wframe-larger-than]\n 1214 | static int stv0367ter_set_frontend(struct dvb_frontend *fe)\r\n\r\nRework the stv0367_writereg() function to be simpler and mark both\nregister access functions as noinline_for_stack so the temporary\ni2c_msg structures do not get duplicated on the stack when KASAN_STACK\nis enabled.(CVE-2024-27075)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npstore: inode: Only d_invalidate() is needed\r\n\r\nUnloading a modular pstore backend with records in pstorefs would\ntrigger the dput() double-drop warning:\r\n\r\n  WARNING: CPU: 0 PID: 2569 at fs/dcache.c:762 dput.part.0+0x3f3/0x410\r\n\r\nUsing the combo of d_drop()/dput() (as mentioned in\nDocumentation/filesystems/vfs.rst) isn't the right approach here, and\nleads to the reference counting problem seen above. Use d_invalidate()\nand update the code to not bother checking for error codes that can\nnever happen.\r\n\r\n---(CVE-2024-27389)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: iwlwifi: dbg-tlv: ensure NUL termination\r\n\r\nThe iwl_fw_ini_debug_info_tlv is used as a string, so we must\nensure the string is terminated correctly before using it.(CVE-2024-35845)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: fix information leak in btrfs_ioctl_logical_to_ino()\r\n\r\nSyzbot reported the following information leak for in\nbtrfs_ioctl_logical_to_ino():\r\n\r\n  BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n  BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n   instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n   _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n   copy_to_user include/linux/uaccess.h:191 [inline]\n   btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499\n   btrfs_ioctl+0x714/0x1260\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:904 [inline]\n   __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n   __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n   x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\n  Uninit was created at:\n   __kmalloc_large_node+0x231/0x370 mm/slub.c:3921\n   __do_kmalloc_node mm/slub.c:3954 [inline]\n   __kmalloc_node+0xb07/0x1060 mm/slub.c:3973\n   kmalloc_node include/linux/slab.h:648 [inline]\n   kvmalloc_node+0xc0/0x2d0 mm/util.c:634\n   kvmalloc include/linux/slab.h:766 [inline]\n   init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779\n   btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480\n   btrfs_ioctl+0x714/0x1260\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:904 [inline]\n   __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n   __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n   x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\n  Bytes 40-65535 of 65536 are uninitialized\n  Memory access of size 65536 starts at ffff888045a40000\r\n\r\nThis happens, because we're copying a 'struct btrfs_data_container' back\nto user-space. This btrfs_data_container is allocated in\n'init_data_container()' via kvmalloc(), which does not zero-fill the\nmemory.\r\n\r\nFix this by using kvzalloc() which zeroes out the memory on allocation.(CVE-2024-35849)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()\r\n\r\nThe call to lpfc_sli4_resume_rpi() in lpfc_rcv_padisc() may return an\nunsuccessful status.  In such cases, the elsiocb is not issued, the\ncompletion is not called, and thus the elsiocb resource is leaked.\r\n\r\nCheck return value after calling lpfc_sli4_resume_rpi() and conditionally\nrelease the elsiocb resource.(CVE-2024-35930)",
+    "cves": [
+      {
+        "id": "CVE-2024-35930",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35930",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1682": {
+    "id": "openEuler-SA-2022-1682",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1682",
+    "title": "An update for mysql5 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld) and many different client programs and libraries. The base package contains the standard MySQL client programs and generic MySQL files.\n\nSecurity Fix(es):\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.37 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21451)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.37 and prior and 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21417)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.1 Base Score 4.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).(CVE-2021-2226)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 5.7.37 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21444)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Logging). Supported versions that are affected are 5.7.37 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.1 Base Score 4.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21460)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: FTS). Supported versions that are affected are 5.7.37 and prior and 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21427)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 5.7.37 and prior and 8.0.28 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21454)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21245)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.32 and prior and 8.0.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2202)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2171)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.6.50 and prior, 5.7.32 and prior and 8.0.22 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2022)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2179)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2174)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2194)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Information Schema). Supported versions that are affected are 5.7.32 and prior and 8.0.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).(CVE-2021-2032)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.30 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2160)",
+    "cves": [
+      {
+        "id": "CVE-2021-2160",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-2160",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1930": {
+    "id": "openEuler-SA-2023-1930",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1930",
+    "title": "An update for nodejs-tough-cookie is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "RFC6265 Cookies and Cookie Jar for Node.js.\r\n\r\nSecurity Fix(es):\r\n\r\nVersions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.(CVE-2023-26136)",
+    "cves": [
+      {
+        "id": "CVE-2023-26136",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1584": {
+    "id": "openEuler-SA-2022-1584",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1584",
+    "title": "An update for nodejs-fstream is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Provides advanced file system stream objects for Node.js.  These objects are like FS streams, but with stat on them, and support directories and symbolic links, as well as normal files.  Also, you can use them to set the stats on a file, even if you don't change its contents, or to create a symlink, etc.\r\n\r\nSecurity Fix(es):\r\n\r\nfstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.(CVE-2019-13173)",
+    "cves": [
+      {
+        "id": "CVE-2019-13173",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13173",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1407": {
+    "id": "openEuler-SA-2024-1407",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1407",
+    "title": "An update for cri-o is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Open Container Initiative-based implementation of Kubernetes Container Runtime Interface.\r\n\r\nSecurity Fix(es):\r\n\r\nA maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.(CVE-2022-41723)\r\n\r\nA malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.(CVE-2023-39325)\r\n\r\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795)",
+    "cves": [
+      {
+        "id": "CVE-2023-48795",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48795",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1698": {
+    "id": "openEuler-SA-2024-1698",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1698",
+    "title": "An update for openssl is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, fully featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL tookit and its related documentation.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free vulnerability was found in OpenSSL. Calling the OpenSSL API SSL_free_buffers function may cause memory to be accessed that was previously freed in some situations.(CVE-2024-4741)",
+    "cves": [
+      {
+        "id": "CVE-2024-4741",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4741",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2021": {
+    "id": "openEuler-SA-2022-2021",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2021",
+    "title": "An update for libksba is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Libksba is a library to make the tasks of working with X.509 certificates,CMS data and related objects more easy. It provides a highlevel interface to the implemented protocols and presents the data in a consistent way.\r\n\r\nSecurity Fix(es):\r\n\r\nA bug found in libksba, the library used by GnuPG for parsing the ASN.1 structures as used by S/MIME. The bug affects all versions of Libksba before 1.6.2 and may be used for remote code execution. \r\n\r\nhttps://www.gnupg.org/blog/20221017-pepe-left-the-ksba.html\nhttps://dev.gnupg.org/T6230\nhttps://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b\nhttps://lwn.net/Articles/911467/(CVE-2022-3515)",
+    "cves": [
+      {
+        "id": "CVE-2022-3515",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3515",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1521": {
+    "id": "openEuler-SA-2023-1521",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1521",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed. QEMU has two operating modes: Full system emulation. In this mode, QEMU emulates a full system (for example a PC), including one or several processors and various peripherals. It can be used to launch different Operating Systems without rebooting the PC or to debug system code. User mode emulation. In this mode, QEMU can launch processes compiled for one CPU on another CPU. It can be used to launch the Wine Windows API emulator (https://www.winehq.org) or to ease cross-compilation and cross-debugging. You can refer to https://www.qemu.org for more infortmation.\n\nSecurity Fix(es):\n\nA flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in virtio_crypto_handle_sym_req. There is no check for the value of `src_len` and `dst_len` in virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow when the two values differ.(CVE-2023-3180)",
+    "cves": [
+      {
+        "id": "CVE-2023-3180",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3180",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1019": {
+    "id": "openEuler-SA-2021-1019",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1019",
+    "title": "An update for wpa_supplicant is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "wpa_supplicant is a WPA Supplicant for Linux, BSD, Mac OS X, and Windows with support for WPA and WPA2 (IEEE 802.11i / RSN). It is suitable for both desktop/laptop computers and embedded systems. Supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association of the wlan driver.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nThe implementations of SAE and EAP-pwd in hostapd and wpa_supplicant 2.x through 2.8 are vulnerable to side-channel attacks as a result of observable timing differences and cache access patterns when Brainpool curves are used. An attacker may be able to gain leaked information from a side-channel attack that can be used for full password recovery.(CVE-2019-13377)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2019-13377",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13377",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1164": {
+    "id": "openEuler-SA-2021-1164",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1164",
+    "title": "An update for glib2 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "GLib is a bundle of three (formerly five) low-level system libraries written in C and developed mainly by GNOME. GLib's code was separated from GTK, so it can be used by software other than GNOME and has been developed in parallel ever since.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)(CVE-2021-28153)",
+    "cves": [
+      {
+        "id": "CVE-2021-28153",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28153",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1179": {
+    "id": "openEuler-SA-2023-1179",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1179",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nNULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1392.(CVE-2023-1264)",
+    "cves": [
+      {
+        "id": "CVE-2023-1264",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1264",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1474": {
+    "id": "openEuler-SA-2021-1474",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1474",
+    "title": "An update for log4j is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "Log4j is a tool to help the programmer output log statements to a variety of output targets.\r\n\r\nSecurity Fix(es):\r\n\r\nApache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.(CVE-2021-45105)\nIt was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.(CVE-2021-45046)\nThe details of a high-risk vulnerability in Apache Log4j2 have been disclosed. Attackers can use the vulnerability to execute code remotely. Some reports carry suspected POC, Apache Log4j2 is a Java-based logging tool. This tool rewrites the Log4j framework and introduces a large number of rich features. The log framework is widely used in business system development to record log information. In most cases, developers may write error messages caused by user input into the log. The trigger condition of this vulnerability is that as long as the data input by external users will be recorded in the log, it can cause remote code execution.(CVE-2021-44228)",
+    "cves": [
+      {
+        "id": "CVE-2021-44228",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1128": {
+    "id": "openEuler-SA-2024-1128",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1128",
+    "title": "An update for python-jinja2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Jinja2 is one of the most used template engines for Python. It is inspired by Django's templating system but extends it with an expressive language that gives template authors a more powerful set of tools. On top of that it adds sandboxed execution and optional automatic escaping for applications where security is important.\r\n\r\nSecurity Fix(es):\r\n\r\nJinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.\n(CVE-2024-22195)",
+    "cves": [
+      {
+        "id": "CVE-2024-22195",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22195",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1439": {
+    "id": "openEuler-SA-2024-1439",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1439",
+    "title": "An update for gnutls is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, and other required structures. The project strives to provide a secure communications back-end, simple to use and integrated with the rest of the base Linux libraries. A back-end designed to work and be secure out of the box, keeping the complexity of TLS and PKI out of application code.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.(CVE-2024-28834)",
+    "cves": [
+      {
+        "id": "CVE-2024-28834",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28834",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2110": {
+    "id": "openEuler-SA-2022-2110",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2110",
+    "title": "An update for xorg-x11-server is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "X.Org X11 X server\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability, which was classified as problematic, was found in X.org Server. This affects an unknown part of the file hw/xquartz/X11Controller.m of the component xquartz. The manipulation leads to denial of service. It is recommended to apply a patch to fix this issue. The identifier VDB-211053 was assigned to this vulnerability.(CVE-2022-3553)\r\n\r\nA vulnerability, which was classified as problematic, has been found in X.org Server. Affected by this issue is the function ProcXkbGetKbdByName of the file xkb/xkb.c. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211052.(CVE-2022-3551)",
+    "cves": [
+      {
+        "id": "CVE-2022-3551",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3551",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1520": {
+    "id": "openEuler-SA-2022-1520",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1520",
+    "title": "An update for flatpak is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Application deployment framework for desktop apps.\r\n\r\nSecurity Fix(es):\r\n\r\nFlatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.12.3 and 1.10.6, Flatpak doesn't properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime, in the case that there's a null byte in the metadata file of an app. Therefore apps can grant themselves permissions without the consent of the user. Flatpak shows permissions to the user during install by reading them from the \"xa.metadata\" key in the commit metadata. This cannot contain a null terminator, because it is an untrusted GVariant. Flatpak compares these permissions to the *actual* metadata, from the \"metadata\" file to ensure it wasn't lied to. However, the actual metadata contents are loaded in several places where they are read as simple C-style strings. That means that, if the metadata file includes a null terminator, only the content of the file from *before* the terminator gets compared to xa.metadata. Thus, any permissions that appear in the metadata file after a null terminator are applied at runtime but not shown to the user. So maliciously crafted apps can give themselves hidden permissions. Users who have Flatpaks installed from untrusted sources are at risk in case the Flatpak has a maliciously crafted metadata file, either initially or in an update. This issue is patched in versions 1.12.3 and 1.10.6. As a workaround, users can manually check the permissions of installed apps by checking the metadata file or the xa.metadata key on the commit metadata.(CVE-2021-43860)",
+    "cves": [
+      {
+        "id": "CVE-2021-43860",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43860",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1229": {
+    "id": "openEuler-SA-2024-1229",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1229",
+    "title": "An update for python-django is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.(CVE-2024-24680)",
+    "cves": [
+      {
+        "id": "CVE-2024-24680",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24680",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1755": {
+    "id": "openEuler-SA-2023-1755",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1755",
+    "title": "An update for samba is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was discovered in Samba, where the flaw allows SMB clients to truncate files, even with read-only permissions when the Samba VFS module \"acl_xattr\" is configured with \"acl_xattr:ignore system acls = yes\". The SMB protocol allows opening files when the client requests read-only access but then implicitly truncates the opened file to 0 bytes if the client specifies a separate OVERWRITE create disposition request. The issue arises in configurations that bypass kernel file system permissions checks, relying solely on Samba's permissions.(CVE-2023-4091)\r\n\r\nA vulnerability was found in Samba's \"rpcecho\" development server, a non-Windows RPC server used to test Samba's DCE/RPC stack elements. This vulnerability stems from an RPC function that can be blocked indefinitely. The issue arises because the \"rpcecho\" service operates with only one worker in the main RPC task, allowing calls to the \"rpcecho\" server to be blocked for a specified time, causing service disruptions. This disruption is triggered by a \"sleep()\" call in the \"dcesrv_echo_TestSleep()\" function under specific conditions. Authenticated users or attackers can exploit this vulnerability to make calls to the \"rpcecho\" server, requesting it to block for a specified duration, effectively disrupting most services and leading to a complete denial of service on the AD DC. The DoS affects all other services as \"rpcecho\" runs in the main RPC task.(CVE-2023-42669)",
+    "cves": [
+      {
+        "id": "CVE-2023-42669",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42669",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1272": {
+    "id": "openEuler-SA-2023-1272",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1272",
+    "title": "An update for php is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts.The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server.\r\n\r\nSecurity Fix(es):\r\n\r\nIn PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.(CVE-2022-31629)\r\n\r\nIn PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress \"quines\" gzip files, resulting in an infinite loop.(CVE-2022-31628)",
+    "cves": [
+      {
+        "id": "CVE-2022-31628",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31628",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1608": {
+    "id": "openEuler-SA-2023-1608",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1608",
+    "title": "An update for ghostscript is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "Ghostscript is an interpreter for PostScript™ and Portable Document Format (PDF) files. Ghostscript consists of a PostScript interpreter layer, and a graphics library.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Artifex Ghostscript through 10.01.0, there is a buffer overflow leading to potential corruption of data internal to the PostScript interpreter, in base/sbcp.c. This affects BCPEncode, BCPDecode, TBCPEncode, and TBCPDecode. If the write buffer is filled to one byte less than full, and one then tries to write an escaped character, two bytes are written.(CVE-2023-28879)\r\n\r\nA buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript. This issue may allow a local attacker to cause a denial of service via outputting a crafted PDF file for a DEVN device with gs.(CVE-2023-38559)",
+    "cves": [
+      {
+        "id": "CVE-2023-38559",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38559",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1152": {
+    "id": "openEuler-SA-2023-1152",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1152",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nDue to a vulnerability in the io_uring subsystem, it is possible to leak kernel memory information to the user process. timens_install calls current_is_single_threaded to determine if the current process is single-threaded, but this call does not consider io_uring's io_worker threads, thus it is possible to insert a time namespace's vvar page to process's memory space via a page fault. When this time namespace is destroyed, the vvar page is also freed, but not removed from the process' memory, and a next page allocated by the kernel will be still available from the user-space process and can leak memory contents via this (read-only) use-after-free vulnerability. We recommend upgrading past version 5.10.161 or commit 788d0824269bef539fe31a785b1517882eafed93 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/io_uring(CVE-2023-23586)\r\n\r\nIn the Linux kernel 6.0.8, there is an out-of-bounds read in ntfs_attr_find in fs/ntfs/attrib.c.(CVE-2023-26607)",
+    "cves": [
+      {
+        "id": "CVE-2023-26607",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26607",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2138": {
+    "id": "openEuler-SA-2022-2138",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2138",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing.It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nFloating Point Comparison with Incorrect Operator in GitHub repository vim/vim prior to 9.0.0804.(CVE-2022-4293)\r\n\r\nUse After Free in GitHub repository vim/vim prior to 9.0.0882.(CVE-2022-4292)",
+    "cves": [
+      {
+        "id": "CVE-2022-4292",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4292",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1017": {
+    "id": "openEuler-SA-2024-1017",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1017",
+    "title": "An update for tidy is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "When editing HTML it's easy to make mistakes. Wouldn't it be nice if there was a simple way to fix these mistakes automatically and tidy up sloppy editing into nicely laid out markup? Well now there is! Dave Raggett's HTML TIDY is a free utility for doing just that. It also works great on the atrociously hard to read markup generated by specialized HTML editors and conversion tools, and can help you identify where you need to pay further attention on making your pages more accessible to people with disabilities.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue in HTACG HTML Tidy v5.7.28 allows attacker to execute arbitrary code via the -g option of the CleanNode() function in gdoc.c.(CVE-2021-33391)",
+    "cves": [
+      {
+        "id": "CVE-2021-33391",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33391",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1063": {
+    "id": "openEuler-SA-2023-1063",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1063",
+    "title": "An update for openssh is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. \\ It encrypts all traffic to eliminate eavesdropping, connection hijacking, and \\ other attacks. In addition, OpenSSH provides a large suite of secure tunneling \\ capabilities, several authentication methods, and sophisticated configuration options.\r\n\r\nSecurity Fix(es):\r\n\r\nOpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be triggered by an unauthenticated attacker in the default configuration. One third-party report states \"remote code execution is theoretically possible.\"(CVE-2023-25136)",
+    "cves": [
+      {
+        "id": "CVE-2023-25136",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25136",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1207": {
+    "id": "openEuler-SA-2021-1207",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1207",
+    "title": "An update for samba is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in samba. The Samba smbd file server must map Windows group identities (SIDs) into unix group ids (gids). The code that performs this had a flaw that could allow it to read data beyond the end of the array in the case where a negative cache entry had been added to the mapping cache. This could cause the calling code to return those values into the process token that stores the group membership for a user. The highest threat from this vulnerability is to data confidentiality and integrity.(CVE-2021-20254)\r\n\r\nA flaw was found in Samba's libldb. Multiple, consecutive leading spaces in an LDAP attribute can lead to an out-of-bounds memory write, leading to a crash of the LDAP server process handling the request. The highest threat from this vulnerability is to system availability.(CVE-2021-20277)\r\n\r\nA flaw was found in samba. Spaces used in a string around a domain name (DN), while supposed to be ignored, can cause invalid DN strings with spaces to instead write a zero-byte into out-of-bounds memory, resulting in a crash. The highest threat from this vulnerability is to system availability.(CVE-2020-27840)",
+    "cves": [
+      {
+        "id": "CVE-2020-27840",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27840",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1208": {
+    "id": "openEuler-SA-2021-1208",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1208",
+    "title": "An update for xstream is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design, making it suitable for large object graphs or systems with high message throughput. No information is duplicated that can be obtained via reflection. This results in XML that is easier to read for humans and more compact than native Java serialization. XStream serializes internal fields, including private and final. Supports non-public and inner classes. Classes are not required to have default constructor. Duplicate references encountered in the object-model will be maintained. Supports circular references. By implementing an interface, XStream can serialize directly to/from any tree structure (not just XML). Strategies can be registered allowing customization of how particular types are represented as XML. When an exception occurs due to malformed XML, detailed diagnostics are provided to help isolate and fix the problem.\r\n\r\nSecurity Fix(es):\r\n\r\nThe processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in execution of a local command on the server.(CVE-2021-29505)",
+    "cves": [
+      {
+        "id": "CVE-2021-29505",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29505",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1343": {
+    "id": "openEuler-SA-2024-1343",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1343",
+    "title": "An update for libdwarf is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Libdwarf is a library of functions to provide read/write DWARF debugging records.\r\n\r\nSecurity Fix(es):\r\n\r\nA double-free vulnerability was found in libdwarf. In a multiply-corrupted DWARF object, libdwarf may try to dealloc(free) an allocation twice, potentially causing unpredictable and various results.(CVE-2024-2002)",
+    "cves": [
+      {
+        "id": "CVE-2024-2002",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2002",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1624": {
+    "id": "openEuler-SA-2023-1624",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1624",
+    "title": "An update for gdb is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "GDB, the GNU Project debugger, allows you to see what is going on inside another program while it executes -- or what another program was doing at the moment it crashed.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a stack overflow via the function ada_decode at /gdb/ada-lang.c.(CVE-2023-39128)",
+    "cves": [
+      {
+        "id": "CVE-2023-39128",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39128",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1430": {
+    "id": "openEuler-SA-2023-1430",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1430",
+    "title": "An update for edk2 is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications. \n\nSecurity Fix(es):\n\nA timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.(CVE-2022-4304)",
+    "cves": [
+      {
+        "id": "CVE-2022-4304",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4304",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1563": {
+    "id": "openEuler-SA-2024-1563",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1563",
+    "title": "An update for firefox is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.\r\n\r\nSecurity Fix(es):\r\n\r\nIn certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. This vulnerability affects Firefox < 82.0.3, Firefox ESR < 78.4.1, and Thunderbird < 78.4.2.(CVE-2020-26950)",
+    "cves": [
+      {
+        "id": "CVE-2020-26950",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26950",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1833": {
+    "id": "openEuler-SA-2024-1833",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1833",
+    "title": "An update for ffmpeg is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash.\r\n\r\nSecurity Fix(es):\r\n\r\nInteger overflow vulnerability in av_timecode_make_string in libavutil/timecode.c in FFmpeg version 4.3.2, allows local attackers to cause a denial of service (DoS) via crafted .mov file.(CVE-2021-28429)",
+    "cves": [
+      {
+        "id": "CVE-2021-28429",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28429",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1126": {
+    "id": "openEuler-SA-2023-1126",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1126",
+    "title": "An update for gnutls is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, and other required structures. The project strives to provide a secure communications back-end, simple to use and integrated with the rest of the base Linux libraries. A back-end designed to work and be secure out of the box, keeping the complexity of TLS and PKI out of application code.\r\n\r\nSecurity Fix(es):\r\n\r\nA timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.(CVE-2023-0361)",
+    "cves": [
+      {
+        "id": "CVE-2023-0361",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0361",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1646": {
+    "id": "openEuler-SA-2024-1646",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1646",
+    "title": "An update for python-sqlparse is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "``sqlparse`` is a non-validating SQL parser module. It provides support for parsing, splitting and formatting SQL statements.\r\n\r\nSecurity Fix(es):\r\n\r\nPassing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.\r\n\r\n(CVE-2024-4340)",
+    "cves": [
+      {
+        "id": "CVE-2024-4340",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4340",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1210": {
+    "id": "openEuler-SA-2023-1210",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1210",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIntel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions.(CVE-2022-29901)\r\n\r\nA flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using a specific networking configuration (redirecting egress packets to ingress using TC action \"mirred\") a local unprivileged user could trigger a CPU soft lockup (ABBA deadlock) when the transport protocol in use (TCP or SCTP) does a retransmission, resulting in a denial of service condition.(CVE-2022-4269)\r\n\r\nA null pointer dereference issue was found in the unix protocol in net/unix/diag.c in Linux before 6.0. In unix_diag_get_exact, the newly allocated skb does not have sk, leading to null pointer. A local user could use this flaw to crash the system or potentially cause a denial of service.\r\n\r\nReference:\nhttps://lore.kernel.org/netdev/CAO4mrfdvyjFpokhNsiwZiP-wpdSD0AStcJwfKcKQdAALQ9_2Qw@mail.gmail.com/\nhttps://lore.kernel.org/netdev/e04315e7c90d9a75613f3993c2baf2d344eef7eb.camel@redhat.com/\nhttps://lore.kernel.org/netdev/20221127012412.37969-3-kuniyu@amazon.com/T/(CVE-2023-28327)\r\n\r\n\nKernel: A denial of service issue in  az6027 driver in\ndrivers/media/usb/dev-usb/az6027.c(CVE-2023-28328)\r\n\r\nA slab-out-of-bound read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service.(CVE-2023-1380)\r\n\r\nA flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak.(CVE-2023-1513)",
+    "cves": [
+      {
+        "id": "CVE-2023-1513",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1513",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1970": {
+    "id": "openEuler-SA-2022-1970",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1970",
+    "title": "An update for mod_security_crs is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The base rules are provided for mod_security by this package.\r\n\r\nSecurity Fix(es):\r\n\r\nThe OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be exfiltrated from the backend, despite being protected by a web application firewall that uses CRS. Short subsections of a restricted resource may bypass pattern matching techniques and allow undetected access. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively and to configure a CRS paranoia level of 3 or higher.(CVE-2022-39958)\r\n\r\nThe OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional \"charset\" parameter in order to receive the response in an encoded form. Depending on the \"charset\", this response can not be decoded by the web application firewall. A restricted resource, access to which would ordinarily be detected, may therefore bypass detection. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.(CVE-2022-39957)",
+    "cves": [
+      {
+        "id": "CVE-2022-39957",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39957",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1717": {
+    "id": "openEuler-SA-2023-1717",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1717",
+    "title": "An update for mosquitto is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Mosquitto is an open source message broker that implements the MQ Telemetry Transport protocol version 3.1 and 3.1.1 MQTT provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for \"machine to machine\" messaging such as with low power sensors or mobile devices such as phones, embedded computers or micro-controllers like the Arduino.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.(CVE-2023-0809)",
+    "cves": [
+      {
+        "id": "CVE-2023-0809",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0809",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1101": {
+    "id": "openEuler-SA-2023-1101",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1101",
+    "title": "An update for rubygem-globalid is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "URIs for your models makes it easy to pass references around.\r\n\r\nSecurity Fix(es):\r\n\r\nA ReDoS based DoS vulnerability in the GlobalID <1.0.1 which could allow an attacker supplying a carefully crafted input can cause the regular expression engine to take an unexpected amount of time. All users running an affected release should either upgrade or use one of the workarounds immediately.(CVE-2023-22799)",
+    "cves": [
+      {
+        "id": "CVE-2023-22799",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22799",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1798": {
+    "id": "openEuler-SA-2023-1798",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1798",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the USB subsystem in the Linux kernel through 6.4.2. There is an out-of-bounds and crash in read_descriptors in drivers/usb/core/sysfs.c.(CVE-2023-37453)\r\n\r\nAn issue was discovered in the Linux kernel before 6.5.9, exploitable by local users with userspace access to MMIO registers. Incorrect access checking in the #VC handler and instruction emulation of the SEV-ES emulation of MMIO accesses could lead to arbitrary write access to kernel memory (and thus privilege escalation). This depends on a race condition through which userspace can replace an instruction before the #VC handler reads it.(CVE-2023-46813)\r\n\r\nAn issue was discovered in the Linux kernel through 6.5.9. During a race with SQ thread exit, an io_uring/fdinfo.c io_uring_show_fdinfo NULL pointer dereference can occur.(CVE-2023-46862)\r\n\r\nA use-after-free vulnerability was found in drivers/nvme/target/tcp.c` in `nvmet_tcp_free_crypto` due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel. This issue may allow a malicious user to cause a use-after-free and double-free problem, which may permit remote code execution or lead to local privilege escalation in case that the attacker already has local privileges.(CVE-2023-5178)",
+    "cves": [
+      {
+        "id": "CVE-2023-5178",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5178",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1701": {
+    "id": "openEuler-SA-2022-1701",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1701",
+    "title": "An update for speex is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Speex is an Open Source/Free Software patent-free audio compression format designed for speech. The Speex Project aims to lower the barrier of entry for voice applications by providing a free alternative to expensive proprietary speech codecs. Moreover, Speex is well-adapted to Internet applications and provides useful features that are not present in most other codecs.\r\n\r\nSecurity Fix(es):\r\n\r\nA Divide by Zero vulnerability in the function static int read_samples of Speex v1.2 allows attackers to cause a denial of service (DoS) via a crafted WAV file.(CVE-2020-23903)",
+    "cves": [
+      {
+        "id": "CVE-2020-23903",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-23903",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1759": {
+    "id": "openEuler-SA-2023-1759",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1759",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Netfilter subsystem in the Linux kernel. The nfnl_osf_add_callback function did not validate the user mode controlled opt_num field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.(CVE-2023-39189)\r\n\r\nA flaw was found in the Netfilter subsystem in the Linux kernel. The sctp_mt_check did not validate the flag_count field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.(CVE-2023-39193)",
+    "cves": [
+      {
+        "id": "CVE-2023-39193",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39193",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1222": {
+    "id": "openEuler-SA-2024-1222",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1222",
+    "title": "An update for shim is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "Initial UEFI bootloader that handles chaining to a trusted full \\ bootloader under secure boot environments.\r\n\r\nSecurity Fix(es):\r\n\r\nApplications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\r\n\r\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\r\n\r\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0465)\r\n\r\nIssue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\r\n\r\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\r\n\r\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit.  OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\r\n\r\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime.  The time complexity is O(n^2) with 'n' being the size of the\nsub-identifiers in bytes (*).\r\n\r\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\nidentifiers in string form was introduced.  This includes using OBJECT\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\nalgorithms.\r\n\r\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\ndecrypt, or digest passed data.\r\n\r\nApplications that call OBJ_obj2txt() directly with untrusted data are\naffected, with any version of OpenSSL.  If the use is for the mere purpose\nof display, the severity is considered low.\r\n\r\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\nCMS, CMP/CRMF or TS.  It also impacts anything that processes X.509\ncertificates, including simple things like verifying its signature.\r\n\r\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\n100KiB limit on the peer's certificate chain.  Additionally, this only\nimpacts clients, or servers that have explicitly enabled client\nauthentication.\r\n\r\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\nsuch as X.509 certificates.  This is assumed to not happen in such a way\nthat it would cause a Denial of Service, so these versions are considered\nnot affected by this issue in such a way that it would be cause for concern,\nand the severity is therefore considered low.(CVE-2023-2650)\r\n\r\nIssue summary: Checking excessively long DH keys or parameters may be very slow.\r\n\r\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\r\n\r\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\r\n\r\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\r\n\r\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\r\n\r\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\r\n\r\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\r\n\r\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.(CVE-2023-3446)",
+    "cves": [
+      {
+        "id": "CVE-2023-3446",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3446",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1216": {
+    "id": "openEuler-SA-2021-1216",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1216",
+    "title": "An update for curl is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\ncurl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single \"static\" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.(CVE-2021-22897)\r\n\r\ncurl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.(CVE-2021-22898)",
+    "cves": [
+      {
+        "id": "CVE-2021-22898",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22898",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1806": {
+    "id": "openEuler-SA-2024-1806",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1806",
+    "title": "An update for ffmpeg is now available for openEuler-22.03-LTS-SP4",
+    "severity": "Critical",
+    "description": "FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash.\r\n\r\nSecurity Fix(es):\r\n\r\nadts_decode_extradata in libavformat/adtsenc.c in FFmpeg 4.4 does not check the init_get_bits return value, which is a necessary step because the second argument to init_get_bits can be crafted.(CVE-2021-38171)\r\n\r\nAn issue was discovered in the FFmpeg package, where vp3_decode_frame in libavcodec/vp3.c lacks check of the return value of av_malloc() and will cause a null pointer dereference, impacting availability.(CVE-2022-3109)\r\n\r\nBuffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the set_encoder_id function in /fftools/ffmpeg_enc.c component.(CVE-2023-50010)\r\n\r\nBuffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via the libavutil/imgutils.c:353:9 in image_copy_plane.(CVE-2023-51793)",
+    "cves": [
+      {
+        "id": "CVE-2023-51793",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51793",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1160": {
+    "id": "openEuler-SA-2021-1160",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1160",
+    "title": "An update for pdfbox is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Apache PDFBox is an open source Java PDF library for working with PDF documents. This project allows creation of new PDF documents, manipulation of existing documents and the ability to extract content from documents. Apache PDFBox also includes several command line utilities. Apache PDFBox is published under the Apache License v2.0.\r\n\r\nSecurity Fix(es):\r\n\r\nA carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.(CVE-2021-27807)\r\n\r\nA carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.(CVE-2021-27906)",
+    "cves": [
+      {
+        "id": "CVE-2021-27906",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27906",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1573": {
+    "id": "openEuler-SA-2024-1573",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1573",
+    "title": "An update for sssd is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "SSSD provides a set of daemons to manage access to remote directories and authentication mechanisms such as LDAP, Kerberos or FreeIPA. It provides an NSS and PAM interface toward the system and a pluggable backend system to connect to multiple different account sources.\r\n\r\nSecurity Fix(es):\r\n\r\nA race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately.(CVE-2023-3758)",
+    "cves": [
+      {
+        "id": "CVE-2023-3758",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3758",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1115": {
+    "id": "openEuler-SA-2024-1115",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1115",
+    "title": "An update for shim is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Initial UEFI bootloader that handles chaining to a trusted full \\ bootloader under secure boot environments.\r\n\r\nSecurity Fix(es):\r\n\r\nA remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise.(CVE-2023-40547)\r\n\r\nA flaw was found in the MZ binary format in Shim. An out-of-bounds read may occur, leading to a crash or possible exposure of sensitive data during the system's boot phase.(CVE-2023-40551)",
+    "cves": [
+      {
+        "id": "CVE-2023-40551",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40551",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1057": {
+    "id": "openEuler-SA-2023-1057",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1057",
+    "title": "An update for batik is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Batik is an inline templating engine for CoffeeScript, inspired by CoffeeKup,  that lets you write your template directly as a CoffeeScript function.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.(CVE-2022-41704)\r\n\r\nA vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.(CVE-2022-42890)",
+    "cves": [
+      {
+        "id": "CVE-2022-42890",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42890",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1192": {
+    "id": "openEuler-SA-2023-1192",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1192",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Go Programming Language.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nA maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.(CVE-2022-41723)\r\n\r\nLarge handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).(CVE-2022-41724)\r\n\r\nA denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing \"up to maxMemory bytes +10MB (reserved for non-file parts) in memory\". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files. With fix, ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous. In addition, ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation states, \"If stored on disk, the File's underlying concrete type will be an *os.File.\". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct. Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader.(CVE-2022-41725)",
+    "cves": [
+      {
+        "id": "CVE-2022-41725",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41725",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1568": {
+    "id": "openEuler-SA-2022-1568",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1568",
+    "title": "An update for ganglia is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Ganglia is a scalable, real-time monitoring and execution environment with all execution requests and statistics expressed in an open well-defined XML format.\r\n\r\nSecurity Fix(es):\r\n\r\nganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via the header.php ce parameter.(CVE-2019-20378)\r\n\r\nganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via the header.php cs parameter.(CVE-2019-20379)",
+    "cves": [
+      {
+        "id": "CVE-2019-20379",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20379",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1524": {
+    "id": "openEuler-SA-2022-1524",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1524",
+    "title": "An update for samba is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "A suite for Linux to interoperate with Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nThis vulnerability allows remote attackers to  execute arbitrary code as root on affected Samba  installations that use the VFS module vfs_fruit.(CVE-2021-44142)",
+    "cves": [
+      {
+        "id": "CVE-2021-44142",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44142",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1839": {
+    "id": "openEuler-SA-2024-1839",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1839",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nASoC: SOF: Fix DSP oops stack dump output contents\r\n\r\nFix @buf arg given to hex_dump_to_buffer() and stack address used\nin dump error output.(CVE-2021-47381)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nARM: 9170/1: fix panic when kasan and kprobe are enabled\r\n\r\narm32 uses software to simulate the instruction replaced\nby kprobe. some instructions may be simulated by constructing\nassembly functions. therefore, before executing instruction\nsimulation, it is necessary to construct assembly function\nexecution environment in C language through binding registers.\nafter kasan is enabled, the register binding relationship will\nbe destroyed, resulting in instruction simulation errors and\ncausing kernel panic.\r\n\r\nthe kprobe emulate instruction function is distributed in three\nfiles: actions-common.c actions-arm.c actions-thumb.c, so disable\nKASAN when compiling these files.\r\n\r\nfor example, use kprobe insert on cap_capable+20 after kasan\nenabled, the cap_capable assembly code is as follows:\n<cap_capable>:\ne92d47f0\tpush\t{r4, r5, r6, r7, r8, r9, sl, lr}\ne1a05000\tmov\tr5, r0\ne280006c\tadd\tr0, r0, #108    ; 0x6c\ne1a04001\tmov\tr4, r1\ne1a06002\tmov\tr6, r2\ne59fa090\tldr\tsl, [pc, #144]  ;\nebfc7bf8\tbl\tc03aa4b4 <__asan_load4>\ne595706c\tldr\tr7, [r5, #108]  ; 0x6c\ne2859014\tadd\tr9, r5, #20\n......\nThe emulate_ldr assembly code after enabling kasan is as follows:\nc06f1384 <emulate_ldr>:\ne92d47f0\tpush\t{r4, r5, r6, r7, r8, r9, sl, lr}\ne282803c\tadd\tr8, r2, #60     ; 0x3c\ne1a05000\tmov\tr5, r0\ne7e37855\tubfx\tr7, r5, #16, #4\ne1a00008\tmov\tr0, r8\ne1a09001\tmov\tr9, r1\ne1a04002\tmov\tr4, r2\nebf35462\tbl\tc03c6530 <__asan_load4>\ne357000f\tcmp\tr7, #15\ne7e36655\tubfx\tr6, r5, #12, #4\ne205a00f\tand\tsl, r5, #15\n0a000001\tbeq\tc06f13bc <emulate_ldr+0x38>\ne0840107\tadd\tr0, r4, r7, lsl #2\nebf3545c\tbl\tc03c6530 <__asan_load4>\ne084010a\tadd\tr0, r4, sl, lsl #2\nebf3545a\tbl\tc03c6530 <__asan_load4>\ne2890010\tadd\tr0, r9, #16\nebf35458\tbl\tc03c6530 <__asan_load4>\ne5990010\tldr\tr0, [r9, #16]\ne12fff30\tblx\tr0\ne356000f\tcm\tr6, #15\n1a000014\tbne\tc06f1430 <emulate_ldr+0xac>\ne1a06000\tmov\tr6, r0\ne2840040\tadd\tr0, r4, #64     ; 0x40\n......\r\n\r\nwhen running in emulate_ldr to simulate the ldr instruction, panic\noccurred, and the log is as follows:\nUnable to handle kernel NULL pointer dereference at virtual address\n00000090\npgd = ecb46400\n[00000090] *pgd=2e0fa003, *pmd=00000000\nInternal error: Oops: 206 [#1] SMP ARM\nPC is at cap_capable+0x14/0xb0\nLR is at emulate_ldr+0x50/0xc0\npsr: 600d0293 sp : ecd63af8  ip : 00000004  fp : c0a7c30c\nr10: 00000000  r9 : c30897f4  r8 : ecd63cd4\nr7 : 0000000f  r6 : 0000000a  r5 : e59fa090  r4 : ecd63c98\nr3 : c06ae294  r2 : 00000000  r1 : b7611300  r0 : bf4ec008\nFlags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user\nControl: 32c5387d  Table: 2d546400  DAC: 55555555\nProcess bash (pid: 1643, stack limit = 0xecd60190)\n(cap_capable) from (kprobe_handler+0x218/0x340)\n(kprobe_handler) from (kprobe_trap_handler+0x24/0x48)\n(kprobe_trap_handler) from (do_undefinstr+0x13c/0x364)\n(do_undefinstr) from (__und_svc_finish+0x0/0x30)\n(__und_svc_finish) from (cap_capable+0x18/0xb0)\n(cap_capable) from (cap_vm_enough_memory+0x38/0x48)\n(cap_vm_enough_memory) from\n(security_vm_enough_memory_mm+0x48/0x6c)\n(security_vm_enough_memory_mm) from\n(copy_process.constprop.5+0x16b4/0x25c8)\n(copy_process.constprop.5) from (_do_fork+0xe8/0x55c)\n(_do_fork) from (SyS_clone+0x1c/0x24)\n(SyS_clone) from (__sys_trace_return+0x0/0x10)\nCode: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 (f801f0e7)(CVE-2021-47618)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: fix use-after-free after failure to create a snapshot\r\n\r\nAt ioctl.c:create_snapshot(), we allocate a pending snapshot structure and\nthen attach it to the transaction's list of pending snapshots. After that\nwe call btrfs_commit_transaction(), and if that returns an error we jump\nto 'fail' label, where we kfree() the pending snapshot structure. This can\nresult in a later use-after-free of the pending snapshot:\r\n\r\n1) We allocated the pending snapshot and added it to the transaction's\n   list of pending snapshots;\r\n\r\n2) We call btrfs_commit_transaction(), and it fails either at the first\n   call to btrfs_run_delayed_refs() or btrfs_start_dirty_block_groups().\n   In both cases, we don't abort the transaction and we release our\n   transaction handle. We jump to the 'fail' label and free the pending\n   snapshot structure. We return with the pending snapshot still in the\n   transaction's list;\r\n\r\n3) Another task commits the transaction. This time there's no error at\n   all, and then during the transaction commit it accesses a pointer\n   to the pending snapshot structure that the snapshot creation task\n   has already freed, resulting in a user-after-free.\r\n\r\nThis issue could actually be detected by smatch, which produced the\nfollowing warning:\r\n\r\n  fs/btrfs/ioctl.c:843 create_snapshot() warn: '&pending_snapshot->list' not removed from list\r\n\r\nSo fix this by not having the snapshot creation ioctl directly add the\npending snapshot to the transaction's list. Instead add the pending\nsnapshot to the transaction handle, and then at btrfs_commit_transaction()\nwe add the snapshot to the list only when we can guarantee that any error\nreturned after that point will result in a transaction abort, in which\ncase the ioctl code can safely free the pending snapshot and no one can\naccess it anymore.(CVE-2022-48733)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5e: Avoid field-overflowing memcpy()\r\n\r\nIn preparation for FORTIFY_SOURCE performing compile-time and run-time\nfield bounds checking for memcpy(), memmove(), and memset(), avoid\nintentionally writing across neighboring fields.\r\n\r\nUse flexible arrays instead of zero-element arrays (which look like they\nare always overflowing) and split the cross-field memcpy() into two halves\nthat can be appropriately bounds-checked by the compiler.\r\n\r\nWe were doing:\r\n\r\n\t#define ETH_HLEN  14\n\t#define VLAN_HLEN  4\n\t...\n\t#define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN)\n\t...\n        struct mlx5e_tx_wqe      *wqe  = mlx5_wq_cyc_get_wqe(wq, pi);\n\t...\n        struct mlx5_wqe_eth_seg  *eseg = &wqe->eth;\n        struct mlx5_wqe_data_seg *dseg = wqe->data;\n\t...\n\tmemcpy(eseg->inline_hdr.start, xdptxd->data, MLX5E_XDP_MIN_INLINE);\r\n\r\ntarget is wqe->eth.inline_hdr.start (which the compiler sees as being\n2 bytes in size), but copying 18, intending to write across start\n(really vlan_tci, 2 bytes). The remaining 16 bytes get written into\nwqe->data[0], covering byte_count (4 bytes), lkey (4 bytes), and addr\n(8 bytes).\r\n\r\nstruct mlx5e_tx_wqe {\n        struct mlx5_wqe_ctrl_seg   ctrl;                 /*     0    16 */\n        struct mlx5_wqe_eth_seg    eth;                  /*    16    16 */\n        struct mlx5_wqe_data_seg   data[];               /*    32     0 */\r\n\r\n        /* size: 32, cachelines: 1, members: 3 */\n        /* last cacheline: 32 bytes */\n};\r\n\r\nstruct mlx5_wqe_eth_seg {\n        u8                         swp_outer_l4_offset;  /*     0     1 */\n        u8                         swp_outer_l3_offset;  /*     1     1 */\n        u8                         swp_inner_l4_offset;  /*     2     1 */\n        u8                         swp_inner_l3_offset;  /*     3     1 */\n        u8                         cs_flags;             /*     4     1 */\n        u8                         swp_flags;            /*     5     1 */\n        __be16                     mss;                  /*     6     2 */\n        __be32                     flow_table_metadata;  /*     8     4 */\n        union {\n                struct {\n                        __be16     sz;                   /*    12     2 */\n                        u8         start[2];             /*    14     2 */\n                } inline_hdr;                            /*    12     4 */\n                struct {\n                        __be16     type;                 /*    12     2 */\n                        __be16     vlan_tci;             /*    14     2 */\n                } insert;                                /*    12     4 */\n                __be32             trailer;              /*    12     4 */\n        };                                               /*    12     4 */\r\n\r\n        /* size: 16, cachelines: 1, members: 9 */\n        /* last cacheline: 16 bytes */\n};\r\n\r\nstruct mlx5_wqe_data_seg {\n        __be32                     byte_count;           /*     0     4 */\n        __be32                     lkey;                 /*     4     4 */\n        __be64                     addr;                 /*     8     8 */\r\n\r\n        /* size: 16, cachelines: 1, members: 3 */\n        /* last cacheline: 16 bytes */\n};\r\n\r\nSo, split the memcpy() so the compiler can reason about the buffer\nsizes.\r\n\r\n\"pahole\" shows no size nor member offset changes to struct mlx5e_tx_wqe\nnor struct mlx5e_umr_wqe. \"objdump -d\" shows no meaningful object\ncode changes (i.e. only source line number induced differences and\noptimizations).(CVE-2022-48744)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: LAPIC: Also cancel preemption timer during SET_LAPIC\r\n\r\nThe below warning is splatting during guest reboot.\r\n\r\n  ------------[ cut here ]------------\n  WARNING: CPU: 0 PID: 1931 at arch/x86/kvm/x86.c:10322 kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]\n  CPU: 0 PID: 1931 Comm: qemu-system-x86 Tainted: G          I       5.17.0-rc1+ #5\n  RIP: 0010:kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]\n  Call Trace:\n   <TASK>\n   kvm_vcpu_ioctl+0x279/0x710 [kvm]\n   __x64_sys_ioctl+0x83/0xb0\n   do_syscall_64+0x3b/0xc0\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n  RIP: 0033:0x7fd39797350b\r\n\r\nThis can be triggered by not exposing tsc-deadline mode and doing a reboot in\nthe guest. The lapic_shutdown() function which is called in sys_reboot path\nwill not disarm the flying timer, it just masks LVTT. lapic_shutdown() clears\nAPIC state w/ LVT_MASKED and timer-mode bit is 0, this can trigger timer-mode\nswitch between tsc-deadline and oneshot/periodic, which can result in preemption\ntimer be cancelled in apic_update_lvtt(). However, We can't depend on this when\nnot exposing tsc-deadline mode and oneshot/periodic modes emulated by preemption\ntimer. Qemu will synchronise states around reset, let's cancel preemption timer\nunder KVM_SET_LAPIC.(CVE-2022-48765)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: lgdt3306a: Add a check against null-pointer-def\r\n\r\nThe driver should check whether the client provides the platform_data.\r\n\r\nThe following log reveals it:\r\n\r\n[   29.610324] BUG: KASAN: null-ptr-deref in kmemdup+0x30/0x40\n[   29.610730] Read of size 40 at addr 0000000000000000 by task bash/414\n[   29.612820] Call Trace:\n[   29.613030]  <TASK>\n[   29.613201]  dump_stack_lvl+0x56/0x6f\n[   29.613496]  ? kmemdup+0x30/0x40\n[   29.613754]  print_report.cold+0x494/0x6b7\n[   29.614082]  ? kmemdup+0x30/0x40\n[   29.614340]  kasan_report+0x8a/0x190\n[   29.614628]  ? kmemdup+0x30/0x40\n[   29.614888]  kasan_check_range+0x14d/0x1d0\n[   29.615213]  memcpy+0x20/0x60\n[   29.615454]  kmemdup+0x30/0x40\n[   29.615700]  lgdt3306a_probe+0x52/0x310\n[   29.616339]  i2c_device_probe+0x951/0xa90(CVE-2022-48772)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: btusb: Add date->evt_skb is NULL check\r\n\r\nfix crash because of null pointers\r\n\r\n[ 6104.969662] BUG: kernel NULL pointer dereference, address: 00000000000000c8\n[ 6104.969667] #PF: supervisor read access in kernel mode\n[ 6104.969668] #PF: error_code(0x0000) - not-present page\n[ 6104.969670] PGD 0 P4D 0\n[ 6104.969673] Oops: 0000 [#1] SMP NOPTI\n[ 6104.969684] RIP: 0010:btusb_mtk_hci_wmt_sync+0x144/0x220 [btusb]\n[ 6104.969688] RSP: 0018:ffffb8d681533d48 EFLAGS: 00010246\n[ 6104.969689] RAX: 0000000000000000 RBX: ffff8ad560bb2000 RCX: 0000000000000006\n[ 6104.969691] RDX: 0000000000000000 RSI: ffffb8d681533d08 RDI: 0000000000000000\n[ 6104.969692] RBP: ffffb8d681533d70 R08: 0000000000000001 R09: 0000000000000001\n[ 6104.969694] R10: 0000000000000001 R11: 00000000fa83b2da R12: ffff8ad461d1d7c0\n[ 6104.969695] R13: 0000000000000000 R14: ffff8ad459618c18 R15: ffffb8d681533d90\n[ 6104.969697] FS:  00007f5a1cab9d40(0000) GS:ffff8ad578200000(0000) knlGS:00000\n[ 6104.969699] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 6104.969700] CR2: 00000000000000c8 CR3: 000000018620c001 CR4: 0000000000760ef0\n[ 6104.969701] PKRU: 55555554\n[ 6104.969702] Call Trace:\n[ 6104.969708]  btusb_mtk_shutdown+0x44/0x80 [btusb]\n[ 6104.969732]  hci_dev_do_close+0x470/0x5c0 [bluetooth]\n[ 6104.969748]  hci_rfkill_set_block+0x56/0xa0 [bluetooth]\n[ 6104.969753]  rfkill_set_block+0x92/0x160\n[ 6104.969755]  rfkill_fop_write+0x136/0x1e0\n[ 6104.969759]  __vfs_write+0x18/0x40\n[ 6104.969761]  vfs_write+0xdf/0x1c0\n[ 6104.969763]  ksys_write+0xb1/0xe0\n[ 6104.969765]  __x64_sys_write+0x1a/0x20\n[ 6104.969769]  do_syscall_64+0x51/0x180\n[ 6104.969771]  entry_SYSCALL_64_after_hwframe+0x44/0xa9\n[ 6104.969773] RIP: 0033:0x7f5a21f18fef\n[ 6104.9] RSP: 002b:00007ffeefe39010 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\n[ 6104.969780] RAX: ffffffffffffffda RBX: 000055c10a7560a0 RCX: 00007f5a21f18fef\n[ 6104.969781] RDX: 0000000000000008 RSI: 00007ffeefe39060 RDI: 0000000000000012\n[ 6104.969782] RBP: 00007ffeefe39060 R08: 0000000000000000 R09: 0000000000000017\n[ 6104.969784] R10: 00007ffeefe38d97 R11: 0000000000000293 R12: 0000000000000002\n[ 6104.969785] R13: 00007ffeefe39220 R14: 00007ffeefe391a0 R15: 000055c10a72acf0(CVE-2023-52833)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngenirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline\r\n\r\nThe absence of IRQD_MOVE_PCNTXT prevents immediate effectiveness of\ninterrupt affinity reconfiguration via procfs. Instead, the change is\ndeferred until the next instance of the interrupt being triggered on the\noriginal CPU.\r\n\r\nWhen the interrupt next triggers on the original CPU, the new affinity is\nenforced within __irq_move_irq(). A vector is allocated from the new CPU,\nbut the old vector on the original CPU remains and is not immediately\nreclaimed. Instead, apicd->move_in_progress is flagged, and the reclaiming\nprocess is delayed until the next trigger of the interrupt on the new CPU.\r\n\r\nUpon the subsequent triggering of the interrupt on the new CPU,\nirq_complete_move() adds a task to the old CPU's vector_cleanup list if it\nremains online. Subsequently, the timer on the old CPU iterates over its\nvector_cleanup list, reclaiming old vectors.\r\n\r\nHowever, a rare scenario arises if the old CPU is outgoing before the\ninterrupt triggers again on the new CPU.\r\n\r\nIn that case irq_force_complete_move() is not invoked on the outgoing CPU\nto reclaim the old apicd->prev_vector because the interrupt isn't currently\naffine to the outgoing CPU, and irq_needs_fixup() returns false. Even\nthough __vector_schedule_cleanup() is later called on the new CPU, it\ndoesn't reclaim apicd->prev_vector; instead, it simply resets both\napicd->move_in_progress and apicd->prev_vector to 0.\r\n\r\nAs a result, the vector remains unreclaimed in vector_matrix, leading to a\nCPU vector leak.\r\n\r\nTo address this issue, move the invocation of irq_force_complete_move()\nbefore the irq_needs_fixup() call to reclaim apicd->prev_vector, if the\ninterrupt is currently or used to be affine to the outgoing CPU.\r\n\r\nAdditionally, reclaim the vector in __vector_schedule_cleanup() as well,\nfollowing a warning message, although theoretically it should never see\napicd->move_in_progress with apicd->prev_cpu pointing to an offline CPU.(CVE-2024-31076)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nof: dynamic: Synchronize of_changeset_destroy() with the devlink removals\r\n\r\nIn the following sequence:\n  1) of_platform_depopulate()\n  2) of_overlay_remove()\r\n\r\nDuring the step 1, devices are destroyed and devlinks are removed.\nDuring the step 2, OF nodes are destroyed but\n__of_changeset_entry_destroy() can raise warnings related to missing\nof_node_put():\n  ERROR: memory leak, expected refcount 1 instead of 2 ...\r\n\r\nIndeed, during the devlink removals performed at step 1, the removal\nitself releasing the device (and the attached of_node) is done by a job\nqueued in a workqueue and so, it is done asynchronously with respect to\nfunction calls.\nWhen the warning is present, of_node_put() will be called but wrongly\ntoo late from the workqueue job.\r\n\r\nIn order to be sure that any ongoing devlink removals are done before\nthe of_node destruction, synchronize the of_changeset_destroy() with the\ndevlink removals.(CVE-2024-35879)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: act_skbmod: prevent kernel-infoleak\r\n\r\nsyzbot found that tcf_skbmod_dump() was copying four bytes\nfrom kernel stack to user space [1].\r\n\r\nThe issue here is that 'struct tc_skbmod' has a four bytes hole.\r\n\r\nWe need to clear the structure before filling fields.\r\n\r\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n  instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n  copy_to_user_iter lib/iov_iter.c:24 [inline]\n  iterate_ubuf include/linux/iov_iter.h:29 [inline]\n  iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n  iterate_and_advance include/linux/iov_iter.h:271 [inline]\n  _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n  copy_to_iter include/linux/uio.h:196 [inline]\n  simple_copy_to_iter net/core/datagram.c:532 [inline]\n  __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420\n  skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n  skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]\n  netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962\n  sock_recvmsg_nosec net/socket.c:1046 [inline]\n  sock_recvmsg+0x2c4/0x340 net/socket.c:1068\n  __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242\n  __do_sys_recvfrom net/socket.c:2260 [inline]\n  __se_sys_recvfrom net/socket.c:2256 [inline]\n  __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nUninit was stored to memory at:\n  pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253\n  netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317\n  netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351\n  nlmsg_unicast include/net/netlink.h:1144 [inline]\n  nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610\n  rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741\n  rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]\n  tcf_add_notify net/sched/act_api.c:2048 [inline]\n  tcf_action_add net/sched/act_api.c:2071 [inline]\n  tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119\n  rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n  netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559\n  rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613\n  netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n  netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361\n  netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:745\n  ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\n  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n  __sys_sendmsg net/socket.c:2667 [inline]\n  __do_sys_sendmsg net/socket.c:2676 [inline]\n  __se_sys_sendmsg net/socket.c:2674 [inline]\n  __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nUninit was stored to memory at:\n  __nla_put lib/nlattr.c:1041 [inline]\n  nla_put+0x1c6/0x230 lib/nlattr.c:1099\n  tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256\n  tcf_action_dump_old net/sched/act_api.c:1191 [inline]\n  tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227\n  tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251\n  tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628\n  tcf_add_notify_msg net/sched/act_api.c:2023 [inline]\n  tcf_add_notify net/sched/act_api.c:2042 [inline]\n  tcf_action_add net/sched/act_api.c:2071 [inline]\n  tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119\n  rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n  netlink_rcv_skb+0x375/0x650 net/netlink/af_netli\n---truncated---(CVE-2024-35893)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr\r\n\r\nAlthough ipv6_get_ifaddr walks inet6_addr_lst under the RCU lock, it\nstill means hlist_for_each_entry_rcu can return an item that got removed\nfrom the list. The memory itself of such item is not freed thanks to RCU\nbut nothing guarantees the actual content of the memory is sane.\r\n\r\nIn particular, the reference count can be zero. This can happen if\nipv6_del_addr is called in parallel. ipv6_del_addr removes the entry\nfrom inet6_addr_lst (hlist_del_init_rcu(&ifp->addr_lst)) and drops all\nreferences (__in6_ifa_put(ifp) + in6_ifa_put(ifp)). With bad enough\ntiming, this can happen:\r\n\r\n1. In ipv6_get_ifaddr, hlist_for_each_entry_rcu returns an entry.\r\n\r\n2. Then, the whole ipv6_del_addr is executed for the given entry. The\n   reference count drops to zero and kfree_rcu is scheduled.\r\n\r\n3. ipv6_get_ifaddr continues and tries to increments the reference count\n   (in6_ifa_hold).\r\n\r\n4. The rcu is unlocked and the entry is freed.\r\n\r\n5. The freed entry is returned.\r\n\r\nPrevent increasing of the reference count in such case. The name\nin6_ifa_hold_safe is chosen to mimic the existing fib6_info_hold_safe.\r\n\r\n[   41.506330] refcount_t: addition on 0; use-after-free.\n[   41.506760] WARNING: CPU: 0 PID: 595 at lib/refcount.c:25 refcount_warn_saturate+0xa5/0x130\n[   41.507413] Modules linked in: veth bridge stp llc\n[   41.507821] CPU: 0 PID: 595 Comm: python3 Not tainted 6.9.0-rc2.main-00208-g49563be82afa #14\n[   41.508479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n[   41.509163] RIP: 0010:refcount_warn_saturate+0xa5/0x130\n[   41.509586] Code: ad ff 90 0f 0b 90 90 c3 cc cc cc cc 80 3d c0 30 ad 01 00 75 a0 c6 05 b7 30 ad 01 01 90 48 c7 c7 38 cc 7a 8c e8 cc 18 ad ff 90 <0f> 0b 90 90 c3 cc cc cc cc 80 3d 98 30 ad 01 00 0f 85 75 ff ff ff\n[   41.510956] RSP: 0018:ffffbda3c026baf0 EFLAGS: 00010282\n[   41.511368] RAX: 0000000000000000 RBX: ffff9e9c46914800 RCX: 0000000000000000\n[   41.511910] RDX: ffff9e9c7ec29c00 RSI: ffff9e9c7ec1c900 RDI: ffff9e9c7ec1c900\n[   41.512445] RBP: ffff9e9c43660c9c R08: 0000000000009ffb R09: 00000000ffffdfff\n[   41.512998] R10: 00000000ffffdfff R11: ffffffff8ca58a40 R12: ffff9e9c4339a000\n[   41.513534] R13: 0000000000000001 R14: ffff9e9c438a0000 R15: ffffbda3c026bb48\n[   41.514086] FS:  00007fbc4cda1740(0000) GS:ffff9e9c7ec00000(0000) knlGS:0000000000000000\n[   41.514726] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   41.515176] CR2: 000056233b337d88 CR3: 000000000376e006 CR4: 0000000000370ef0\n[   41.515713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[   41.516252] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[   41.516799] Call Trace:\n[   41.517037]  <TASK>\n[   41.517249]  ? __warn+0x7b/0x120\n[   41.517535]  ? refcount_warn_saturate+0xa5/0x130\n[   41.517923]  ? report_bug+0x164/0x190\n[   41.518240]  ? handle_bug+0x3d/0x70\n[   41.518541]  ? exc_invalid_op+0x17/0x70\n[   41.520972]  ? asm_exc_invalid_op+0x1a/0x20\n[   41.521325]  ? refcount_warn_saturate+0xa5/0x130\n[   41.521708]  ipv6_get_ifaddr+0xda/0xe0\n[   41.522035]  inet6_rtm_getaddr+0x342/0x3f0\n[   41.522376]  ? __pfx_inet6_rtm_getaddr+0x10/0x10\n[   41.522758]  rtnetlink_rcv_msg+0x334/0x3d0\n[   41.523102]  ? netlink_unicast+0x30f/0x390\n[   41.523445]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10\n[   41.523832]  netlink_rcv_skb+0x53/0x100\n[   41.524157]  netlink_unicast+0x23b/0x390\n[   41.524484]  netlink_sendmsg+0x1f2/0x440\n[   41.524826]  __sys_sendto+0x1d8/0x1f0\n[   41.525145]  __x64_sys_sendto+0x1f/0x30\n[   41.525467]  do_syscall_64+0xa5/0x1b0\n[   41.525794]  entry_SYSCALL_64_after_hwframe+0x72/0x7a\n[   41.526213] RIP: 0033:0x7fbc4cfcea9a\n[   41.526528] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89\n[   41.527942] RSP: 002b:00007f\n---truncated---(CVE-2024-35969)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nriscv: Fix TASK_SIZE on 64-bit NOMMU\r\n\r\nOn NOMMU, userspace memory can come from anywhere in physical RAM. The\ncurrent definition of TASK_SIZE is wrong if any RAM exists above 4G,\ncausing spurious failures in the userspace access routines.(CVE-2024-35988)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/arm/malidp: fix a possible null pointer dereference\r\n\r\nIn malidp_mw_connector_reset, new memory is allocated with kzalloc, but\nno check is performed. In order to prevent null pointer dereferencing,\nensure that mw_state is checked before calling\n__drm_atomic_helper_connector_reset.(CVE-2024-36014)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntls: fix missing memory barrier in tls_init\r\n\r\nIn tls_init(), a write memory barrier is missing, and store-store\nreordering may cause NULL dereference in tls_{setsockopt,getsockopt}.\r\n\r\nCPU0                               CPU1\n-----                              -----\n// In tls_init()\n// In tls_ctx_create()\nctx = kzalloc()\nctx->sk_proto = READ_ONCE(sk->sk_prot) -(1)\r\n\r\n// In update_sk_prot()\nWRITE_ONCE(sk->sk_prot, tls_prots)     -(2)\r\n\r\n                                   // In sock_common_setsockopt()\n                                   READ_ONCE(sk->sk_prot)->setsockopt()\r\n\r\n                                   // In tls_{setsockopt,getsockopt}()\n                                   ctx->sk_proto->setsockopt()    -(3)\r\n\r\nIn the above scenario, when (1) and (2) are reordered, (3) can observe\nthe NULL value of ctx->sk_proto, causing NULL dereference.\r\n\r\nTo fix it, we rely on rcu_assign_pointer() which implies the release\nbarrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is\ninitialized, we can ensure that ctx->sk_proto are visible when\nchanging sk->sk_prot.(CVE-2024-36489)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvirtio: delete vq in vp_find_vqs_msix() when request_irq() fails\r\n\r\nWhen request_irq() fails, error path calls vp_del_vqs(). There, as vq is\npresent in the list, free_irq() is called for the same vector. That\ncauses following splat:\r\n\r\n[    0.414355] Trying to free already-free IRQ 27\n[    0.414403] WARNING: CPU: 1 PID: 1 at kernel/irq/manage.c:1899 free_irq+0x1a1/0x2d0\n[    0.414510] Modules linked in:\n[    0.414540] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.9.0-rc4+ #27\n[    0.414540] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014\n[    0.414540] RIP: 0010:free_irq+0x1a1/0x2d0\n[    0.414540] Code: 1e 00 48 83 c4 08 48 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 90 8b 74 24 04 48 c7 c7 98 80 6c b1 e8 00 c9 f7 ff 90 <0f> 0b 90 90 48 89 ee 4c 89 ef e8 e0 20 b8 00 49 8b 47 40 48 8b 40\n[    0.414540] RSP: 0000:ffffb71480013ae0 EFLAGS: 00010086\n[    0.414540] RAX: 0000000000000000 RBX: ffffa099c2722000 RCX: 0000000000000000\n[    0.414540] RDX: 0000000000000000 RSI: ffffb71480013998 RDI: 0000000000000001\n[    0.414540] RBP: 0000000000000246 R08: 00000000ffffdfff R09: 0000000000000001\n[    0.414540] R10: 00000000ffffdfff R11: ffffffffb18729c0 R12: ffffa099c1c91760\n[    0.414540] R13: ffffa099c1c916a4 R14: ffffa099c1d2f200 R15: ffffa099c1c91600\n[    0.414540] FS:  0000000000000000(0000) GS:ffffa099fec40000(0000) knlGS:0000000000000000\n[    0.414540] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    0.414540] CR2: 0000000000000000 CR3: 0000000008e3e001 CR4: 0000000000370ef0\n[    0.414540] Call Trace:\n[    0.414540]  <TASK>\n[    0.414540]  ? __warn+0x80/0x120\n[    0.414540]  ? free_irq+0x1a1/0x2d0\n[    0.414540]  ? report_bug+0x164/0x190\n[    0.414540]  ? handle_bug+0x3b/0x70\n[    0.414540]  ? exc_invalid_op+0x17/0x70\n[    0.414540]  ? asm_exc_invalid_op+0x1a/0x20\n[    0.414540]  ? free_irq+0x1a1/0x2d0\n[    0.414540]  vp_del_vqs+0xc1/0x220\n[    0.414540]  vp_find_vqs_msix+0x305/0x470\n[    0.414540]  vp_find_vqs+0x3e/0x1a0\n[    0.414540]  vp_modern_find_vqs+0x1b/0x70\n[    0.414540]  init_vqs+0x387/0x600\n[    0.414540]  virtnet_probe+0x50a/0xc80\n[    0.414540]  virtio_dev_probe+0x1e0/0x2b0\n[    0.414540]  really_probe+0xc0/0x2c0\n[    0.414540]  ? __pfx___driver_attach+0x10/0x10\n[    0.414540]  __driver_probe_device+0x73/0x120\n[    0.414540]  driver_probe_device+0x1f/0xe0\n[    0.414540]  __driver_attach+0x88/0x180\n[    0.414540]  bus_for_each_dev+0x85/0xd0\n[    0.414540]  bus_add_driver+0xec/0x1f0\n[    0.414540]  driver_register+0x59/0x100\n[    0.414540]  ? __pfx_virtio_net_driver_init+0x10/0x10\n[    0.414540]  virtio_net_driver_init+0x90/0xb0\n[    0.414540]  do_one_initcall+0x58/0x230\n[    0.414540]  kernel_init_freeable+0x1a3/0x2d0\n[    0.414540]  ? __pfx_kernel_init+0x10/0x10\n[    0.414540]  kernel_init+0x1a/0x1c0\n[    0.414540]  ret_from_fork+0x31/0x50\n[    0.414540]  ? __pfx_kernel_init+0x10/0x10\n[    0.414540]  ret_from_fork_asm+0x1a/0x30\n[    0.414540]  </TASK>\r\n\r\nFix this by calling deleting the current vq when request_irq() fails.(CVE-2024-37353)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: fix crash on racing fsync and size-extending write into prealloc\r\n\r\nWe have been seeing crashes on duplicate keys in\nbtrfs_set_item_key_safe():\r\n\r\n  BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192)\n  ------------[ cut here ]------------\n  kernel BUG at fs/btrfs/ctree.c:2620!\n  invalid opcode: 0000 [#1] PREEMPT SMP PTI\n  CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\n  RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs]\r\n\r\nWith the following stack trace:\r\n\r\n  #0  btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4)\n  #1  btrfs_drop_extents (fs/btrfs/file.c:411:4)\n  #2  log_one_extent (fs/btrfs/tree-log.c:4732:9)\n  #3  btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9)\n  #4  btrfs_log_inode (fs/btrfs/tree-log.c:6626:9)\n  #5  btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8)\n  #6  btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8)\n  #7  btrfs_sync_file (fs/btrfs/file.c:1933:8)\n  #8  vfs_fsync_range (fs/sync.c:188:9)\n  #9  vfs_fsync (fs/sync.c:202:9)\n  #10 do_fsync (fs/sync.c:212:9)\n  #11 __do_sys_fdatasync (fs/sync.c:225:9)\n  #12 __se_sys_fdatasync (fs/sync.c:223:1)\n  #13 __x64_sys_fdatasync (fs/sync.c:223:1)\n  #14 do_syscall_x64 (arch/x86/entry/common.c:52:14)\n  #15 do_syscall_64 (arch/x86/entry/common.c:83:7)\n  #16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121)\r\n\r\nSo we're logging a changed extent from fsync, which is splitting an\nextent in the log tree. But this split part already exists in the tree,\ntriggering the BUG().\r\n\r\nThis is the state of the log tree at the time of the crash, dumped with\ndrgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py)\nto get more details than btrfs_print_leaf() gives us:\r\n\r\n  >>> print_extent_buffer(prog.crashed_thread().stack_trace()[0][\"eb\"])\n  leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610\n  leaf 33439744 flags 0x100000000000000\n  fs uuid e5bd3946-400c-4223-8923-190ef1f18677\n  chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da\n          item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160\n                  generation 7 transid 9 size 8192 nbytes 8473563889606862198\n                  block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0\n                  sequence 204 flags 0x10(PREALLOC)\n                  atime 1716417703.220000000 (2024-05-22 15:41:43)\n                  ctime 1716417704.983333333 (2024-05-22 15:41:44)\n                  mtime 1716417704.983333333 (2024-05-22 15:41:44)\n                  otime 17592186044416.000000000 (559444-03-08 01:40:16)\n          item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13\n                  index 195 namelen 3 name: 193\n          item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37\n                  location key (0 UNKNOWN.0 0) type XATTR\n                  transid 7 data_len 1 name_len 6\n                  name: user.a\n                  data a\n          item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53\n                  generation 9 type 1 (regular)\n                  extent data disk byte 303144960 nr 12288\n                  extent data offset 0 nr 4096 ram 12288\n                  extent compression 0 (none)\n          item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53\n                  generation 9 type 2 (prealloc)\n                  prealloc data disk byte 303144960 nr 12288\n                  prealloc data offset 4096 nr 8192\n          item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53\n                  generation 9 type 2 (prealloc)\n                  prealloc data disk byte 303144960 nr 12288\n                  prealloc data offset 8192 nr 4096\n  ...\r\n\r\nSo the real problem happened earlier: notice that items 4 (4k-12k) and 5\n(8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size and\nitem 5 starts at i_size.\r\n\r\nHere is the state of \n---truncated---(CVE-2024-37354)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfc: nci: Fix uninit-value in nci_rx_work\r\n\r\nsyzbot reported the following uninit-value access issue [1]\r\n\r\nnci_rx_work() parses received packet from ndev->rx_q. It should be\nvalidated header size, payload size and total packet size before\nprocessing the packet. If an invalid packet is detected, it should be\nsilently discarded.(CVE-2024-38381)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries\r\n\r\nThe allocation failure of mycs->yuv_scaler_binary in load_video_binaries()\nis followed with a dereference of mycs->yuv_scaler_binary after the\nfollowing call chain:\r\n\r\nsh_css_pipe_load_binaries()\n  |-> load_video_binaries(mycs->yuv_scaler_binary == NULL)\n  |\n  |-> sh_css_pipe_unload_binaries()\n        |-> unload_video_binaries()\r\n\r\nIn unload_video_binaries(), it calls to ia_css_binary_unload with argument\n&pipe->pipe_settings.video.yuv_scaler_binary[i], which refers to the\nsame memory slot as mycs->yuv_scaler_binary. Thus, a null-pointer\ndereference is triggered.(CVE-2024-38547)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Fix potential index out of bounds in color transformation function\r\n\r\nFixes index out of bounds issue in the color transformation function.\nThe issue could occur when the index 'i' exceeds the number of transfer\nfunction points (TRANSFER_FUNC_POINTS).\r\n\r\nThe fix adds a check to ensure 'i' is within bounds before accessing the\ntransfer function points. If 'i' is out of bounds, an error message is\nlogged and the function returns false to indicate an error.\r\n\r\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:405 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:406 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:407 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max(CVE-2024-38552)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nax25: Fix reference count leak issue of net_device\r\n\r\nThere is a reference count leak issue of the object \"net_device\" in\nax25_dev_device_down(). When the ax25 device is shutting down, the\nax25_dev_device_down() drops the reference count of net_device one\nor zero times depending on if we goto unlock_put or not, which will\ncause memory leak.\r\n\r\nIn order to solve the above issue, decrease the reference count of\nnet_device after dev->ax25_ptr is set to null.(CVE-2024-38554)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nrcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow\r\n\r\nThere is a possibility of buffer overflow in\nshow_rcu_tasks_trace_gp_kthread() if counters, passed\nto sprintf() are huge. Counter numbers, needed for this\nare unrealistically high, but buffer overflow is still\npossible.\r\n\r\nUse snprintf() with buffer size instead of sprintf().\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-38577)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: bcm - Fix pointer arithmetic\r\n\r\nIn spu2_dump_omd() value of ptr is increased by ciph_key_len\ninstead of hash_iv_len which could lead to going beyond the\nbuffer boundaries.\nFix this bug by changing ciph_key_len to hash_iv_len.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-38579)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix potential hang in nilfs_detach_log_writer()\r\n\r\nSyzbot has reported a potential hang in nilfs_detach_log_writer() called\nduring nilfs2 unmount.\r\n\r\nAnalysis revealed that this is because nilfs_segctor_sync(), which\nsynchronizes with the log writer thread, can be called after\nnilfs_segctor_destroy() terminates that thread, as shown in the call trace\nbelow:\r\n\r\nnilfs_detach_log_writer\n  nilfs_segctor_destroy\n    nilfs_segctor_kill_thread  --> Shut down log writer thread\n    flush_work\n      nilfs_iput_work_func\n        nilfs_dispose_list\n          iput\n            nilfs_evict_inode\n              nilfs_transaction_commit\n                nilfs_construct_segment (if inode needs sync)\n                  nilfs_segctor_sync  --> Attempt to synchronize with\n                                          log writer thread\n                           *** DEADLOCK ***\r\n\r\nFix this issue by changing nilfs_segctor_sync() so that the log writer\nthread returns normally without synchronizing after it terminates, and by\nforcing tasks that are already waiting to complete once after the thread\nterminates.\r\n\r\nThe skipped inode metadata flushout will then be processed together in the\nsubsequent cleanup work in nilfs_segctor_destroy().(CVE-2024-38582)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix use-after-free of timer for log writer thread\r\n\r\nPatch series \"nilfs2: fix log writer related issues\".\r\n\r\nThis bug fix series covers three nilfs2 log writer-related issues,\nincluding a timer use-after-free issue and potential deadlock issue on\nunmount, and a potential freeze issue in event synchronization found\nduring their analysis.  Details are described in each commit log.\r\n\r\n\nThis patch (of 3):\r\n\r\nA use-after-free issue has been reported regarding the timer sc_timer on\nthe nilfs_sc_info structure.\r\n\r\nThe problem is that even though it is used to wake up a sleeping log\nwriter thread, sc_timer is not shut down until the nilfs_sc_info structure\nis about to be freed, and is used regardless of the thread's lifetime.\r\n\r\nFix this issue by limiting the use of sc_timer only while the log writer\nthread is alive.(CVE-2024-38583)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/hns: Modify the print level of CQE error\r\n\r\nToo much print may lead to a panic in kernel. Change ibdev_err() to\nibdev_err_ratelimited(), and change the printing level of cqe dump\nto debug level.(CVE-2024-38590)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmd: fix resync softlockup when bitmap size is less than array size\r\n\r\nIs is reported that for dm-raid10, lvextend + lvchange --syncaction will\ntrigger following softlockup:\r\n\r\nkernel:watchdog: BUG: soft lockup - CPU#3 stuck for 26s! [mdX_resync:6976]\nCPU: 7 PID: 3588 Comm: mdX_resync Kdump: loaded Not tainted 6.9.0-rc4-next-20240419 #1\nRIP: 0010:_raw_spin_unlock_irq+0x13/0x30\nCall Trace:\n <TASK>\n md_bitmap_start_sync+0x6b/0xf0\n raid10_sync_request+0x25c/0x1b40 [raid10]\n md_do_sync+0x64b/0x1020\n md_thread+0xa7/0x170\n kthread+0xcf/0x100\n ret_from_fork+0x30/0x50\n ret_from_fork_asm+0x1a/0x30\r\n\r\nAnd the detailed process is as follows:\r\n\r\nmd_do_sync\n j = mddev->resync_min\n while (j < max_sectors)\n  sectors = raid10_sync_request(mddev, j, &skipped)\n   if (!md_bitmap_start_sync(..., &sync_blocks))\n    // md_bitmap_start_sync set sync_blocks to 0\n    return sync_blocks + sectors_skippe;\n  // sectors = 0;\n  j += sectors;\n  // j never change\r\n\r\nRoot cause is that commit 301867b1c168 (\"md/raid10: check\nslab-out-of-bounds in md_bitmap_get_counter\") return early from\nmd_bitmap_get_counter(), without setting returned blocks.\r\n\r\nFix this problem by always set returned blocks from\nmd_bitmap_get_counter\"(), as it used to be.\r\n\r\nNoted that this patch just fix the softlockup problem in kernel, the\ncase that bitmap size doesn't match array size still need to be fixed.(CVE-2024-38598)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nax25: Fix reference count leak issues of ax25_dev\r\n\r\nThe ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference\ncount leak issue of the object \"ax25_dev\".\r\n\r\nMemory leak issue in ax25_addr_ax25dev():\r\n\r\nThe reference count of the object \"ax25_dev\" can be increased multiple\ntimes in ax25_addr_ax25dev(). This will cause a memory leak.\r\n\r\nMemory leak issues in ax25_dev_device_down():\r\n\r\nThe reference count of ax25_dev is set to 1 in ax25_dev_device_up() and\nthen increase the reference count when ax25_dev is added to ax25_dev_list.\nAs a result, the reference count of ax25_dev is 2. But when the device is\nshutting down. The ax25_dev_device_down() drops the reference count once\nor twice depending on if we goto unlock_put or not, which will cause\nmemory leak.\r\n\r\nAs for the issue of ax25_addr_ax25dev(), it is impossible for one pointer\nto be on a list twice. So add a break in ax25_addr_ax25dev(). As for the\nissue of ax25_dev_device_down(), increase the reference count of ax25_dev\nonce in ax25_dev_device_up() and decrease the reference count of ax25_dev\nafter it is removed from the ax25_dev_list.(CVE-2024-38602)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrivers/perf: hisi: hns3: Actually use devm_add_action_or_reset()\r\n\r\npci_alloc_irq_vectors() allocates an irq vector. When devm_add_action()\nfails, the irq vector is not freed, which leads to a memory leak.\r\n\r\nReplace the devm_add_action with devm_add_action_or_reset to ensure\nthe irq vector can be destroyed when it fails.(CVE-2024-38603)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncpufreq: exit() callback is optional\r\n\r\nThe exit() callback is optional and shouldn't be called without checking\na valid pointer first.\r\n\r\nAlso, we must clear freq_table pointer even if the exit() callback isn't\npresent.(CVE-2024-38615)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: stk1160: fix bounds checking in stk1160_copy_video()\r\n\r\nThe subtract in this condition is reversed.  The ->length is the length\nof the buffer.  The ->bytesused is how many bytes we have copied thus\nfar.  When the condition is reversed that means the result of the\nsubtraction is always negative but since it's unsigned then the result\nis a very high positive value.  That means the overflow check is never\ntrue.\r\n\r\nAdditionally, the ->bytesused doesn't actually work for this purpose\nbecause we're not writing to \"buf->mem + buf->bytesused\".  Instead, the\nmath to calculate the destination where we are writing is a bit\ninvolved.  You calculate the number of full lines already written,\nmultiply by two, skip a line if necessary so that we start on an odd\nnumbered line, and add the offset into the line.\r\n\r\nTo fix this buffer overflow, just take the actual destination where we\nare writing, if the offset is already out of bounds print an error and\nreturn.  Otherwise, write up to buf->length bytes.(CVE-2024-38621)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/ntfs3: Use variable length array instead of fixed size\r\n\r\nShould fix smatch warning:\n\tntfs_set_label() error: __builtin_memcpy() 'uni->name' too small (20 vs 256)(CVE-2024-38623)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/ntfs3: Check 'folio' pointer for NULL\r\n\r\nIt can be NULL if bmap is called.(CVE-2024-38625)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nserial: max3100: Update uart_driver_registered on driver removal\r\n\r\nThe removal of the last MAX3100 device triggers the removal of\nthe driver. However, code doesn't update the respective global\nvariable and after insmod — rmmod — insmod cycle the kernel\noopses:\r\n\r\n  max3100 spi-PRP0001:01: max3100_probe: adding port 0\n  BUG: kernel NULL pointer dereference, address: 0000000000000408\n  ...\n  RIP: 0010:serial_core_register_port+0xa0/0x840\n  ...\n   max3100_probe+0x1b6/0x280 [max3100]\n   spi_probe+0x8d/0xb0\r\n\r\nUpdate the actual state so next time UART driver will be registered\nagain.\r\n\r\nHugo also noticed, that the error path in the probe also affected\nby having the variable set, and not cleared. Instead of clearing it\nmove the assignment after the successfull uart_register_driver() call.(CVE-2024-38633)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nserial: max3100: Lock port->lock when calling uart_handle_cts_change()\r\n\r\nuart_handle_cts_change() has to be called with port lock taken,\nSince we run it in a separate work, the lock may not be taken at\nthe time of running. Make sure that it's taken by explicitly doing\nthat. Without it we got a splat:\r\n\r\n  WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0\n  ...\n  Workqueue: max3100-0 max3100_work [max3100]\n  RIP: 0010:uart_handle_cts_change+0xa6/0xb0\n  ...\n   max3100_handlerx+0xc5/0x110 [max3100]\n   max3100_work+0x12a/0x340 [max3100](CVE-2024-38634)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngreybus: lights: check return of get_channel_from_mode\r\n\r\nIf channel for the given node is not found we return null from\nget_channel_from_mode. Make sure we validate the return pointer\nbefore using it in two of the missing places.\r\n\r\nThis was originally reported in [0]:\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\r\n\r\n[0] https://lore.kernel.org/all/20240301190425.120605-1-m.lobanov@rosalinux.ru(CVE-2024-38637)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndma-buf/sw-sync: don't enable IRQ from sync_print_obj()\r\n\r\nSince commit a6aa8fca4d79 (\"dma-buf/sw-sync: Reduce irqsave/irqrestore from\nknown context\") by error replaced spin_unlock_irqrestore() with\nspin_unlock_irq() for both sync_debugfs_show() and sync_print_obj() despite\nsync_print_obj() is called from sync_debugfs_show(), lockdep complains\ninconsistent lock state warning.\r\n\r\nUse plain spin_{lock,unlock}() for sync_print_obj(), for\nsync_debugfs_show() is already using spin_{lock,unlock}_irq().(CVE-2024-38780)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/9p: fix uninit-value in p9_client_rpc()\r\n\r\nSyzbot with the help of KMSAN reported the following error:\r\n\r\nBUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline]\nBUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n trace_9p_client_res include/trace/events/9p.h:146 [inline]\n p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nUninit was created at:\n __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598\n __alloc_pages_node include/linux/gfp.h:238 [inline]\n alloc_pages_node include/linux/gfp.h:261 [inline]\n alloc_slab_page mm/slub.c:2175 [inline]\n allocate_slab mm/slub.c:2338 [inline]\n new_slab+0x2de/0x1400 mm/slub.c:2391\n ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525\n __slab_alloc mm/slub.c:3610 [inline]\n __slab_alloc_node mm/slub.c:3663 [inline]\n slab_alloc_node mm/slub.c:3835 [inline]\n kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852\n p9_tag_alloc net/9p/client.c:278 [inline]\n p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641\n p9_client_rpc+0x27e/0x1340 net/9p/client.c:688\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nIf p9_check_errors() fails early in p9_client_rpc(), req->rc.tag\nwill not be properly initialized. However, trace_9p_client_res()\nends up trying to print it out anyway before p9_client_rpc()\nfinishes.\r\n\r\nFix this issue by assigning default values to p9_fcall fields\nsuch as 'tag' and (just in case KMSAN unearths something new) 'id'\nduring the tag allocation stage.(CVE-2024-39301)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2024-39362)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()\r\n\r\nsyzbot reports a kernel bug as below:\r\n\r\nF2FS-fs (loop0): Mounted with checkpoint version = 48b305e4\n==================================================================\nBUG: KASAN: slab-out-of-bounds in f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\nBUG: KASAN: slab-out-of-bounds in current_nat_addr fs/f2fs/node.h:213 [inline]\nBUG: KASAN: slab-out-of-bounds in f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\nRead of size 1 at addr ffff88807a58c76c by task syz-executor280/5076\r\n\r\nCPU: 1 PID: 5076 Comm: syz-executor280 Not tainted 6.9.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\n current_nat_addr fs/f2fs/node.h:213 [inline]\n f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\n f2fs_xattr_fiemap fs/f2fs/data.c:1848 [inline]\n f2fs_fiemap+0x55d/0x1ee0 fs/f2fs/data.c:1925\n ioctl_fiemap fs/ioctl.c:220 [inline]\n do_vfs_ioctl+0x1c07/0x2e50 fs/ioctl.c:838\n __do_sys_ioctl fs/ioctl.c:902 [inline]\n __se_sys_ioctl+0x81/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\nThe root cause is we missed to do sanity check on i_xattr_nid during\nf2fs_iget(), so that in fiemap() path, current_nat_addr() will access\nnat_bitmap w/ offset from invalid i_xattr_nid, result in triggering\nkasan bug report, fix it.(CVE-2024-39467)",
+    "cves": [
+      {
+        "id": "CVE-2024-39467",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39467",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1437": {
+    "id": "openEuler-SA-2023-1437",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1437",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nA heap out-of-bounds write vulnerability in the Linux Kernel ipvlan network driver can be exploited to achieve local privilege escalation.\n\nThe out-of-bounds write is caused by missing skb->cb  initialization in the ipvlan network driver. The vulnerability is reachable if CONFIG_IPVLAN is enabled.\n\n\nWe recommend upgrading past commit 90cbed5247439a966b645b34eb0a2e037836ea8e.\n\n(CVE-2023-3090)\n\nA use-after-free flaw was found in the Netfilter subsystem of the Linux kernel when processing named and anonymous sets in batch requests, which can lead to performing arbitrary reads and writes in kernel memory. This flaw allows a local user with CAP_NET_ADMIN capability to crash or potentially escalate their privileges on the system.(CVE-2023-3117)\n\nLinux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability; `nft_chain_lookup_byid()` failed to check whether a chain was active and CAP_NET_ADMIN is in any user or network namespace(CVE-2023-31248)\n\nAn issue was discovered in the Linux kernel through 6.1-rc8. dpu_crtc_atomic_check in drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c lacks check of the return value of kzalloc() and will cause the NULL Pointer Dereference.(CVE-2023-3220)\n\nA flaw null pointer dereference in the Linux kernel DECnet networking protocol was found. A remote user could use this flaw to crash the system.(CVE-2023-3338)\n\nA null pointer dereference was found in the Linux kernel's Integrated Sensor Hub (ISH) driver. This issue could allow a local user to crash the system.(CVE-2023-3358)",
+    "cves": [
+      {
+        "id": "CVE-2023-3358",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3358",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1472": {
+    "id": "openEuler-SA-2023-1472",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1472",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the QEMU Guest Agent service for Windows. A local unprivileged user may be able to manipulate the QEMU Guest Agent's Windows installer via repair custom actions to elevate their privileges on the system.(CVE-2023-0664)\r\n\r\nA flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. The 9pfs server did not prohibit opening special files on the host side, potentially allowing a malicious client to escape from the exported 9p tree by creating and opening a device file in the shared folder.(CVE-2023-2861)",
+    "cves": [
+      {
+        "id": "CVE-2023-2861",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2861",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1010": {
+    "id": "openEuler-SA-2023-1010",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1010",
+    "title": "An update for net-snmp is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Net-SNMP is a suite of applications used to implement SNMP v1, SNMP v2c and SNMP v3 using both IPv4 and IPv6. The suite includes:\n\n\t\t- An extensible agent for responding to SNMP queries including built-in support for a wide range of MIB information modules\n\t\t- Command-line applications to retrieve and manipulate information from SNMP-capable devices\n\t\t- A daemon application for receiving SNMP notifications\n\t\t- A library for developing new SNMP applications, with C and Perl APIs\n\t\t- A graphical MIB browser.\r\n\r\nSecurity Fix(es):\r\n\r\nhandle_ipv6IpForwarding in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP 5.4.3 through 5.9.3 has a NULL Pointer Exception bug that can be used by a remote attacker to cause the instance to crash via a crafted UDP packet, resulting in Denial of Service.(CVE-2022-44793)\r\n\r\nhandle_ipDefaultTTL in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP 5.8 through 5.9.3 has a NULL Pointer Exception bug that can be used by a remote attacker (who has write access) to cause the instance to crash via a crafted UDP packet, resulting in Denial of Service.(CVE-2022-44792)",
+    "cves": [
+      {
+        "id": "CVE-2022-44792",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44792",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1671": {
+    "id": "openEuler-SA-2022-1671",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1671",
+    "title": "An update for containerd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "containerd is an industry-standard container runtime with an emphasis on simplicity, robustness and portability.  It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervision, low-level storage and network attachments, etc.\n\nSecurity Fix(es):\n\ncontainerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue.(CVE-2022-23648)",
+    "cves": [
+      {
+        "id": "CVE-2022-23648",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23648",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1914": {
+    "id": "openEuler-SA-2022-1914",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1914",
+    "title": "An update for colord is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "colord is a system service that makes it easy to manage, install and generate color profiles to accurately color manage input and output devices.\r\n\r\nSecurity Fix(es):\r\n\r\nThere are two Information Disclosure vulnerabilities in colord, and they lie in colord/src/cd-device-db.c and colord/src/cd-profile-db.c separately. They exist because the 'err_msg' of 'sqlite3_exec' is not releasing after use, while libxml2 emphasizes that the caller needs to release it.(CVE-2021-42523)",
+    "cves": [
+      {
+        "id": "CVE-2021-42523",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42523",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1596": {
+    "id": "openEuler-SA-2024-1596",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1596",
+    "title": "An update for php is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server.\r\n\r\nSecurity Fix(es):\r\n\r\nIn PHP  version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\\x00), testing a blank string as the password via password_verify() will incorrectly return true.\r\n\r\n(CVE-2024-3096)",
+    "cves": [
+      {
+        "id": "CVE-2024-3096",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3096",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1793": {
+    "id": "openEuler-SA-2024-1793",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1793",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: ethernet: fix potential use-after-free in ec_bhf_remove\r\n\r\nstatic void ec_bhf_remove(struct pci_dev *dev)\n{\n...\n\tstruct ec_bhf_priv *priv = netdev_priv(net_dev);\r\n\r\n\tunregister_netdev(net_dev);\n\tfree_netdev(net_dev);\r\n\r\n\tpci_iounmap(dev, priv->dma_io);\n\tpci_iounmap(dev, priv->io);\n...\n}\r\n\r\npriv is netdev private data, but it is used\nafter free_netdev(). It can cause use-after-free when accessing priv\npointer. So, fix it by moving free_netdev() after pci_iounmap()\ncalls.(CVE-2021-47235)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2021-47285)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmac80211: track only QoS data frames for admission control\r\n\r\nFor admission control, obviously all of that only works for\nQoS data frames, otherwise we cannot even access the QoS\nfield in the header.\r\n\r\nSyzbot reported (see below) an uninitialized value here due\nto a status of a non-QoS nullfunc packet, which isn't even\nlong enough to contain the QoS header.\r\n\r\nFix this to only do anything for QoS data packets.(CVE-2021-47602)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: bnx2fc: Make bnx2fc_recv_frame() mp safe\r\n\r\nRunning tests with a debug kernel shows that bnx2fc_recv_frame() is\nmodifying the per_cpu lport stats counters in a non-mpsafe way.  Just boot\na debug kernel and run the bnx2fc driver with the hardware enabled.\r\n\r\n[ 1391.699147] BUG: using smp_processor_id() in preemptible [00000000] code: bnx2fc_\n[ 1391.699160] caller is bnx2fc_recv_frame+0xbf9/0x1760 [bnx2fc]\n[ 1391.699174] CPU: 2 PID: 4355 Comm: bnx2fc_l2_threa Kdump: loaded Tainted: G    B\n[ 1391.699180] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013\n[ 1391.699183] Call Trace:\n[ 1391.699188]  dump_stack_lvl+0x57/0x7d\n[ 1391.699198]  check_preemption_disabled+0xc8/0xd0\n[ 1391.699205]  bnx2fc_recv_frame+0xbf9/0x1760 [bnx2fc]\n[ 1391.699215]  ? do_raw_spin_trylock+0xb5/0x180\n[ 1391.699221]  ? bnx2fc_npiv_create_vports.isra.0+0x4e0/0x4e0 [bnx2fc]\n[ 1391.699229]  ? bnx2fc_l2_rcv_thread+0xb7/0x3a0 [bnx2fc]\n[ 1391.699240]  bnx2fc_l2_rcv_thread+0x1af/0x3a0 [bnx2fc]\n[ 1391.699250]  ? bnx2fc_ulp_init+0xc0/0xc0 [bnx2fc]\n[ 1391.699258]  kthread+0x364/0x420\n[ 1391.699263]  ? _raw_spin_unlock_irq+0x24/0x50\n[ 1391.699268]  ? set_kthread_struct+0x100/0x100\n[ 1391.699273]  ret_from_fork+0x22/0x30\r\n\r\nRestore the old get_cpu/put_cpu code with some modifications to reduce the\nsize of the critical section.(CVE-2022-48715)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nrpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev\r\n\r\nstruct rpmsg_ctrldev contains a struct cdev. The current code frees\nthe rpmsg_ctrldev struct in rpmsg_ctrldev_release_device(), but the\ncdev is a managed object, therefore its release is not predictable\nand the rpmsg_ctrldev could be freed before the cdev is entirely\nreleased, as in the backtrace below.\r\n\r\n[   93.625603] ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x7c\n[   93.636115] WARNING: CPU: 0 PID: 12 at lib/debugobjects.c:488 debug_print_object+0x13c/0x1b0\n[   93.644799] Modules linked in: veth xt_cgroup xt_MASQUERADE rfcomm algif_hash algif_skcipher af_alg uinput ip6table_nat fuse uvcvideo videobuf2_vmalloc venus_enc venus_dec videobuf2_dma_contig hci_uart btandroid btqca snd_soc_rt5682_i2c bluetooth qcom_spmi_temp_alarm snd_soc_rt5682v\n[   93.715175] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G    B             5.4.163-lockdep #26\n[   93.723855] Hardware name: Google Lazor (rev3 - 8) with LTE (DT)\n[   93.730055] Workqueue: events kobject_delayed_cleanup\n[   93.735271] pstate: 60c00009 (nZCv daif +PAN +UAO)\n[   93.740216] pc : debug_print_object+0x13c/0x1b0\n[   93.744890] lr : debug_print_object+0x13c/0x1b0\n[   93.749555] sp : ffffffacf5bc7940\n[   93.752978] x29: ffffffacf5bc7940 x28: dfffffd000000000\n[   93.758448] x27: ffffffacdb11a800 x26: dfffffd000000000\n[   93.763916] x25: ffffffd0734f856c x24: dfffffd000000000\n[   93.769389] x23: 0000000000000000 x22: ffffffd0733c35b0\n[   93.774860] x21: ffffffd0751994a0 x20: ffffffd075ec27c0\n[   93.780338] x19: ffffffd075199100 x18: 00000000000276e0\n[   93.785814] x17: 0000000000000000 x16: dfffffd000000000\n[   93.791291] x15: ffffffffffffffff x14: 6e6968207473696c\n[   93.796768] x13: 0000000000000000 x12: ffffffd075e2b000\n[   93.802244] x11: 0000000000000001 x10: 0000000000000000\n[   93.807723] x9 : d13400dff1921900 x8 : d13400dff1921900\n[   93.813200] x7 : 0000000000000000 x6 : 0000000000000000\n[   93.818676] x5 : 0000000000000080 x4 : 0000000000000000\n[   93.824152] x3 : ffffffd0732a0fa4 x2 : 0000000000000001\n[   93.829628] x1 : ffffffacf5bc7580 x0 : 0000000000000061\n[   93.835104] Call trace:\n[   93.837644]  debug_print_object+0x13c/0x1b0\n[   93.841963]  __debug_check_no_obj_freed+0x25c/0x3c0\n[   93.846987]  debug_check_no_obj_freed+0x18/0x20\n[   93.851669]  slab_free_freelist_hook+0xbc/0x1e4\n[   93.856346]  kfree+0xfc/0x2f4\n[   93.859416]  rpmsg_ctrldev_release_device+0x78/0xb8\n[   93.864445]  device_release+0x84/0x168\n[   93.868310]  kobject_cleanup+0x12c/0x298\n[   93.872356]  kobject_delayed_cleanup+0x10/0x18\n[   93.876948]  process_one_work+0x578/0x92c\n[   93.881086]  worker_thread+0x804/0xcf8\n[   93.884963]  kthread+0x2a8/0x314\n[   93.888303]  ret_from_fork+0x10/0x18\r\n\r\nThe cdev_device_add/del() API was created to address this issue (see\ncommit '233ed09d7fda (\"chardev: add helper function to register char\ndevs with a struct device\")'), use it instead of cdev add/del().(CVE-2022-48759)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nphonet: fix rtm_phonet_notify() skb allocation\r\n\r\nfill_route() stores three components in the skb:\r\n\r\n- struct rtmsg\n- RTA_DST (u8)\n- RTA_OIF (u32)\r\n\r\nTherefore, rtm_phonet_notify() should use\r\n\r\nNLMSG_ALIGN(sizeof(struct rtmsg)) +\nnla_total_size(1) +\nnla_total_size(4)(CVE-2024-36946)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvirtio: delete vq in vp_find_vqs_msix() when request_irq() fails\r\n\r\nWhen request_irq() fails, error path calls vp_del_vqs(). There, as vq is\npresent in the list, free_irq() is called for the same vector. That\ncauses following splat:\r\n\r\n[    0.414355] Trying to free already-free IRQ 27\n[    0.414403] WARNING: CPU: 1 PID: 1 at kernel/irq/manage.c:1899 free_irq+0x1a1/0x2d0\n[    0.414510] Modules linked in:\n[    0.414540] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.9.0-rc4+ #27\n[    0.414540] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014\n[    0.414540] RIP: 0010:free_irq+0x1a1/0x2d0\n[    0.414540] Code: 1e 00 48 83 c4 08 48 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 90 8b 74 24 04 48 c7 c7 98 80 6c b1 e8 00 c9 f7 ff 90 <0f> 0b 90 90 48 89 ee 4c 89 ef e8 e0 20 b8 00 49 8b 47 40 48 8b 40\n[    0.414540] RSP: 0000:ffffb71480013ae0 EFLAGS: 00010086\n[    0.414540] RAX: 0000000000000000 RBX: ffffa099c2722000 RCX: 0000000000000000\n[    0.414540] RDX: 0000000000000000 RSI: ffffb71480013998 RDI: 0000000000000001\n[    0.414540] RBP: 0000000000000246 R08: 00000000ffffdfff R09: 0000000000000001\n[    0.414540] R10: 00000000ffffdfff R11: ffffffffb18729c0 R12: ffffa099c1c91760\n[    0.414540] R13: ffffa099c1c916a4 R14: ffffa099c1d2f200 R15: ffffa099c1c91600\n[    0.414540] FS:  0000000000000000(0000) GS:ffffa099fec40000(0000) knlGS:0000000000000000\n[    0.414540] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    0.414540] CR2: 0000000000000000 CR3: 0000000008e3e001 CR4: 0000000000370ef0\n[    0.414540] Call Trace:\n[    0.414540]  <TASK>\n[    0.414540]  ? __warn+0x80/0x120\n[    0.414540]  ? free_irq+0x1a1/0x2d0\n[    0.414540]  ? report_bug+0x164/0x190\n[    0.414540]  ? handle_bug+0x3b/0x70\n[    0.414540]  ? exc_invalid_op+0x17/0x70\n[    0.414540]  ? asm_exc_invalid_op+0x1a/0x20\n[    0.414540]  ? free_irq+0x1a1/0x2d0\n[    0.414540]  vp_del_vqs+0xc1/0x220\n[    0.414540]  vp_find_vqs_msix+0x305/0x470\n[    0.414540]  vp_find_vqs+0x3e/0x1a0\n[    0.414540]  vp_modern_find_vqs+0x1b/0x70\n[    0.414540]  init_vqs+0x387/0x600\n[    0.414540]  virtnet_probe+0x50a/0xc80\n[    0.414540]  virtio_dev_probe+0x1e0/0x2b0\n[    0.414540]  really_probe+0xc0/0x2c0\n[    0.414540]  ? __pfx___driver_attach+0x10/0x10\n[    0.414540]  __driver_probe_device+0x73/0x120\n[    0.414540]  driver_probe_device+0x1f/0xe0\n[    0.414540]  __driver_attach+0x88/0x180\n[    0.414540]  bus_for_each_dev+0x85/0xd0\n[    0.414540]  bus_add_driver+0xec/0x1f0\n[    0.414540]  driver_register+0x59/0x100\n[    0.414540]  ? __pfx_virtio_net_driver_init+0x10/0x10\n[    0.414540]  virtio_net_driver_init+0x90/0xb0\n[    0.414540]  do_one_initcall+0x58/0x230\n[    0.414540]  kernel_init_freeable+0x1a3/0x2d0\n[    0.414540]  ? __pfx_kernel_init+0x10/0x10\n[    0.414540]  kernel_init+0x1a/0x1c0\n[    0.414540]  ret_from_fork+0x31/0x50\n[    0.414540]  ? __pfx_kernel_init+0x10/0x10\n[    0.414540]  ret_from_fork_asm+0x1a/0x30\n[    0.414540]  </TASK>\r\n\r\nFix this by calling deleting the current vq when request_irq() fails.(CVE-2024-37353)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/mediatek: Add 0 size check to mtk_drm_gem_obj\r\n\r\nAdd a check to mtk_drm_gem_init if we attempt to allocate a GEM object\nof 0 bytes. Currently, no such check exists and the kernel will panic if\na userspace application attempts to allocate a 0x0 GBM buffer.\r\n\r\nTested by attempting to allocate a 0x0 GBM buffer on an MT8188 and\nverifying that we now return EINVAL.(CVE-2024-38549)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: bfa: Ensure the copied buf is NUL terminated\r\n\r\nCurrently, we allocate a nbytes-sized kernel buffer and copy nbytes from\nuserspace to that buffer. Later, we use sscanf on this buffer but we don't\nensure that the string is terminated inside the buffer, this can lead to\nOOB read when using sscanf. Fix this issue by using memdup_user_nul instead\nof memdup_user.(CVE-2024-38560)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nspeakup: Fix sizeof() vs ARRAY_SIZE() bug\r\n\r\nThe \"buf\" pointer is an array of u16 values.  This code should be\nusing ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512),\notherwise it can the still got out of bounds.(CVE-2024-38587)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njffs2: prevent xattr node from overflowing the eraseblock\r\n\r\nAdd a check to make sure that the requested xattr node size is no larger\nthan the eraseblock minus the cleanmarker.\r\n\r\nUnlike the usual inode nodes, the xattr nodes aren't split into parts\nand spread across multiple eraseblocks, which means that a xattr node\nmust not occupy more than one eraseblock. If the requested xattr value is\ntoo large, the xattr node can spill onto the next eraseblock, overwriting\nthe nodes and causing errors such as:\r\n\r\njffs2: argh. node added in wrong place at 0x0000b050(2)\njffs2: nextblock 0x0000a000, expected at 0000b00c\njffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050,\nread=0xfc892c93, calc=0x000000\njffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed\nat 0x01e00c. {848f,2fc4,0fef511f,59a3d171}\njffs2: Node at 0x0000000c with length 0x00001044 would run over the\nend of the erase block\njffs2: Perhaps the file system was created with the wrong erase size?\njffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found\nat 0x00000010: 0x1044 instead\r\n\r\nThis breaks the filesystem and can lead to KASAN crashes such as:\r\n\r\nBUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0\nRead of size 4 at addr ffff88802c31e914 by task repro/830\nCPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS Arch Linux 1.16.3-1-1 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0xc6/0x120\n print_report+0xc4/0x620\n ? __virt_addr_valid+0x308/0x5b0\n kasan_report+0xc1/0xf0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_flash_direct_writev+0xa8/0xd0\n jffs2_flash_writev+0x9c9/0xef0\n ? __x64_sys_setxattr+0xc4/0x160\n ? do_syscall_64+0x69/0x140\n ? entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.(CVE-2024-38599)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nring-buffer: Fix a race between readers and resize checks\r\n\r\nThe reader code in rb_get_reader_page() swaps a new reader page into the\nring buffer by doing cmpxchg on old->list.prev->next to point it to the\nnew page. Following that, if the operation is successful,\nold->list.next->prev gets updated too. This means the underlying\ndoubly-linked list is temporarily inconsistent, page->prev->next or\npage->next->prev might not be equal back to page for some page in the\nring buffer.\r\n\r\nThe resize operation in ring_buffer_resize() can be invoked in parallel.\nIt calls rb_check_pages() which can detect the described inconsistency\nand stop further tracing:\r\n\r\n[  190.271762] ------------[ cut here ]------------\n[  190.271771] WARNING: CPU: 1 PID: 6186 at kernel/trace/ring_buffer.c:1467 rb_check_pages.isra.0+0x6a/0xa0\n[  190.271789] Modules linked in: [...]\n[  190.271991] Unloaded tainted modules: intel_uncore_frequency(E):1 skx_edac(E):1\n[  190.272002] CPU: 1 PID: 6186 Comm: cmd.sh Kdump: loaded Tainted: G            E      6.9.0-rc6-default #5 158d3e1e6d0b091c34c3b96bfd99a1c58306d79f\n[  190.272011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552c-rebuilt.opensuse.org 04/01/2014\n[  190.272015] RIP: 0010:rb_check_pages.isra.0+0x6a/0xa0\n[  190.272023] Code: [...]\n[  190.272028] RSP: 0018:ffff9c37463abb70 EFLAGS: 00010206\n[  190.272034] RAX: ffff8eba04b6cb80 RBX: 0000000000000007 RCX: ffff8eba01f13d80\n[  190.272038] RDX: ffff8eba01f130c0 RSI: ffff8eba04b6cd00 RDI: ffff8eba0004c700\n[  190.272042] RBP: ffff8eba0004c700 R08: 0000000000010002 R09: 0000000000000000\n[  190.272045] R10: 00000000ffff7f52 R11: ffff8eba7f600000 R12: ffff8eba0004c720\n[  190.272049] R13: ffff8eba00223a00 R14: 0000000000000008 R15: ffff8eba067a8000\n[  190.272053] FS:  00007f1bd64752c0(0000) GS:ffff8eba7f680000(0000) knlGS:0000000000000000\n[  190.272057] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  190.272061] CR2: 00007f1bd6662590 CR3: 000000010291e001 CR4: 0000000000370ef0\n[  190.272070] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  190.272073] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  190.272077] Call Trace:\n[  190.272098]  <TASK>\n[  190.272189]  ring_buffer_resize+0x2ab/0x460\n[  190.272199]  __tracing_resize_ring_buffer.part.0+0x23/0xa0\n[  190.272206]  tracing_resize_ring_buffer+0x65/0x90\n[  190.272216]  tracing_entries_write+0x74/0xc0\n[  190.272225]  vfs_write+0xf5/0x420\n[  190.272248]  ksys_write+0x67/0xe0\n[  190.272256]  do_syscall_64+0x82/0x170\n[  190.272363]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  190.272373] RIP: 0033:0x7f1bd657d263\n[  190.272381] Code: [...]\n[  190.272385] RSP: 002b:00007ffe72b643f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[  190.272391] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1bd657d263\n[  190.272395] RDX: 0000000000000002 RSI: 0000555a6eb538e0 RDI: 0000000000000001\n[  190.272398] RBP: 0000555a6eb538e0 R08: 000000000000000a R09: 0000000000000000\n[  190.272401] R10: 0000555a6eb55190 R11: 0000000000000246 R12: 00007f1bd6662500\n[  190.272404] R13: 0000000000000002 R14: 00007f1bd6667c00 R15: 0000000000000002\n[  190.272412]  </TASK>\n[  190.272414] ---[ end trace 0000000000000000 ]---\r\n\r\nNote that ring_buffer_resize() calls rb_check_pages() only if the parent\ntrace_buffer has recording disabled. Recent commit d78ab792705c\n(\"tracing: Stop current tracer when resizing buffer\") causes that it is\nnow always the case which makes it more likely to experience this issue.\r\n\r\nThe window to hit this race is nonetheless very small. To help\nreproducing it, one can add a delay loop in rb_get_reader_page():\r\n\r\n ret = rb_head_page_replace(reader, cpu_buffer->reader_page);\n if (!ret)\n \tgoto spin;\n for (unsigned i = 0; i < 1U << 26; i++)  /* inserted delay loop */\n \t__asm__ __volatile__ (\"\" : : : \"memory\");\n rb_list_head(reader->list.next)->prev = &cpu_buffer->reader_page->list;\r\n\r\n.. \n---truncated---(CVE-2024-38601)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nm68k: Fix spinlock race in kernel thread creation\r\n\r\nContext switching does take care to retain the correct lock owner across\nthe switch from 'prev' to 'next' tasks.  This does rely on interrupts\nremaining disabled for the entire duration of the switch.\r\n\r\nThis condition is guaranteed for normal process creation and context\nswitching between already running processes, because both 'prev' and\n'next' already have interrupts disabled in their saved copies of the\nstatus register.\r\n\r\nThe situation is different for newly created kernel threads.  The status\nregister is set to PS_S in copy_thread(), which does leave the IPL at 0.\nUpon restoring the 'next' thread's status register in switch_to() aka\nresume(), interrupts then become enabled prematurely.  resume() then\nreturns via ret_from_kernel_thread() and schedule_tail() where run queue\nlock is released (see finish_task_switch() and finish_lock_switch()).\r\n\r\nA timer interrupt calling scheduler_tick() before the lock is released\nin finish_task_switch() will find the lock already taken, with the\ncurrent task as lock owner.  This causes a spinlock recursion warning as\nreported by Guenter Roeck.\r\n\r\nAs far as I can ascertain, this race has been opened in commit\n533e6903bea0 (\"m68k: split ret_from_fork(), simplify kernel_thread()\")\nbut I haven't done a detailed study of kernel history so it may well\npredate that commit.\r\n\r\nInterrupts cannot be disabled in the saved status register copy for\nkernel threads (init will complain about interrupts disabled when\nfinally starting user space).  Disable interrupts temporarily when\nswitching the tasks' register sets in resume().\r\n\r\nNote that a simple oriw 0x700,%sr after restoring sr is not enough here\n- this leaves enough of a race for the 'spinlock recursion' warning to\nstill be observed.\r\n\r\nTested on ARAnyM and qemu (Quadra 800 emulation).(CVE-2024-38613)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: stk1160: fix bounds checking in stk1160_copy_video()\r\n\r\nThe subtract in this condition is reversed.  The ->length is the length\nof the buffer.  The ->bytesused is how many bytes we have copied thus\nfar.  When the condition is reversed that means the result of the\nsubtraction is always negative but since it's unsigned then the result\nis a very high positive value.  That means the overflow check is never\ntrue.\r\n\r\nAdditionally, the ->bytesused doesn't actually work for this purpose\nbecause we're not writing to \"buf->mem + buf->bytesused\".  Instead, the\nmath to calculate the destination where we are writing is a bit\ninvolved.  You calculate the number of full lines already written,\nmultiply by two, skip a line if necessary so that we start on an odd\nnumbered line, and add the offset into the line.\r\n\r\nTo fix this buffer overflow, just take the actual destination where we\nare writing, if the offset is already out of bounds print an error and\nreturn.  Otherwise, write up to buf->length bytes.(CVE-2024-38621)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwatchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger\r\n\r\nWhen the cpu5wdt module is removing, the origin code uses del_timer() to\nde-activate the timer. If the timer handler is running, del_timer() could\nnot stop it and will return directly. If the port region is released by\nrelease_region() and then the timer handler cpu5wdt_trigger() calls outb()\nto write into the region that is released, the use-after-free bug will\nhappen.\r\n\r\nChange del_timer() to timer_shutdown_sync() in order that the timer handler\ncould be finished before the port region is released.(CVE-2024-38630)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/ap: Fix crash in AP internal function modify_bitmap()\r\n\r\nA system crash like this\r\n\r\n  Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403\n  Fault in home space mode while using kernel ASCE.\n  AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d\n  Oops: 0038 ilc:3 [#1] PREEMPT SMP\n  Modules linked in: mlx5_ib ...\n  CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8\n  Hardware name: IBM 3931 A01 704 (LPAR)\n  Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8)\n  R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\n  Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3\n  000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0\n  000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff\n  000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8\n  Krnl Code: 0000014b75e7b5fc: a7840047            brc     8,0000014b75e7b68a\n  0000014b75e7b600: 18b2                lr      %r11,%r2\n  #0000014b75e7b602: a7f4000a            brc     15,0000014b75e7b616\n  >0000014b75e7b606: eb22d00000e6        laog    %r2,%r2,0(%r13)\n  0000014b75e7b60c: a7680001            lhi     %r6,1\n  0000014b75e7b610: 187b                lr      %r7,%r11\n  0000014b75e7b612: 84960021            brxh    %r9,%r6,0000014b75e7b654\n  0000014b75e7b616: 18e9                lr      %r14,%r9\n  Call Trace:\n  [<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8\n  ([<0000014b75e7b5dc>] ap_parse_bitmap_str+0xe4/0x1f8)\n  [<0000014b75e7b758>] apmask_store+0x68/0x140\n  [<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8\n  [<0000014b75598524>] vfs_write+0x1b4/0x448\n  [<0000014b7559894c>] ksys_write+0x74/0x100\n  [<0000014b7618a440>] __do_syscall+0x268/0x328\n  [<0000014b761a3558>] system_call+0x70/0x98\n  INFO: lockdep is turned off.\n  Last Breaking-Event-Address:\n  [<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8\n  Kernel panic - not syncing: Fatal exception: panic_on_oops\r\n\r\noccured when /sys/bus/ap/a[pq]mask was updated with a relative mask value\n(like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX.\r\n\r\nThe fix is simple: use unsigned long values for the internal variables. The\ncorrect checks are already in place in the function but a simple int for\nthe internal variables was used with the possibility to overflow.(CVE-2024-38661)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\num: Add winch to winch_handlers before registering winch IRQ\r\n\r\nRegistering a winch IRQ is racy, an interrupt may occur before the winch is\nadded to the winch_handlers list.\r\n\r\nIf that happens, register_winch_irq() adds to that list a winch that is\nscheduled to be (or has already been) freed, causing a panic later in\nwinch_cleanup().\r\n\r\nAvoid the race by adding the winch to the winch_handlers list before\nregistering the IRQ, and rolling back if um_request_irq() fails.(CVE-2024-39292)",
+    "cves": [
+      {
+        "id": "CVE-2022-48759",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48759",
+        "severity": "Low"
+      },
+      {
+        "id": "CVE-2024-36946",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36946",
+        "severity": "None"
+      },
+      {
+        "id": "CVE-2024-39292",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39292",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1513": {
+    "id": "openEuler-SA-2024-1513",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1513",
+    "title": "An update for edk2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications.\r\n\r\nSecurity Fix(es):\r\n\r\nIssue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\r\n\r\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\r\n\r\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\r\n\r\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\r\n\r\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\n1.0.2 is also not affected by this issue.(CVE-2024-2511)",
+    "cves": [
+      {
+        "id": "CVE-2024-2511",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2511",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1070": {
+    "id": "openEuler-SA-2024-1070",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1070",
+    "title": "An update for wireshark is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Wireshark is an open source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer.\r\n\r\nSecurity Fix(es):\r\n\r\nGVCP dissector crash in Wireshark 4.2.0, 4.0.0 to 4.0.11, and 3.6.0 to 3.6.19 allows denial of service via packet injection or crafted capture file(CVE-2024-0208)\r\n\r\nIEEE 1609.2 dissector crash in Wireshark 4.2.0, 4.0.0 to 4.0.11, and 3.6.0 to 3.6.19 allows denial of service via packet injection or crafted capture file(CVE-2024-0209)",
+    "cves": [
+      {
+        "id": "CVE-2024-0209",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0209",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1157": {
+    "id": "openEuler-SA-2021-1157",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1157",
+    "title": "An update for velocity is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Velocity is a Java-based template engine. It permits anyone to use the simple yet powerful template language to reference objects defined in Java code.\r\n\r\nSecurity Fix(es):\r\n\r\nAn attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.(CVE-2020-13936)",
+    "cves": [
+      {
+        "id": "CVE-2020-13936",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13936",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1751": {
+    "id": "openEuler-SA-2023-1751",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1751",
+    "title": "An update for zlib is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "Zlib is a free, general-purpose, not covered by any patents, lossless data-compression library for use on virtually any computer hardware and operating system. The zlib data format is itself portable across platforms.\r\n\r\nSecurity Fix(es):\r\n\r\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.(CVE-2023-45853)",
+    "cves": [
+      {
+        "id": "CVE-2023-45853",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45853",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1714": {
+    "id": "openEuler-SA-2023-1714",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1714",
+    "title": "An update for firefox is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Mozilla Firefox is a standalone web browser, designed for standards compliance and performance.  Its functionality can be enhanced via a plethora of extensions.\r\n\r\nSecurity Fix(es):\r\n\r\nHeap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)(CVE-2023-4863)",
+    "cves": [
+      {
+        "id": "CVE-2023-4863",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4863",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2026": {
+    "id": "openEuler-SA-2022-2026",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2026",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\ndrivers/video/fbdev/smscufx.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a USB device while calling open(), aka a race condition between ufx_ops_open and ufx_usb_disconnect.(CVE-2022-41849)\r\n\r\nIn rndis_set_response of rndis.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege if a malicious USB device is attached with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-239842288References: Upstream kernel(CVE-2022-20423)\r\n\r\nA vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function ipv6_renew_options of the component IPv6 Handler. The manipulation leads to memory leak. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211021 was assigned to this vulnerability.(CVE-2022-3524)\r\n\r\nA vulnerability has been found in Linux Kernel and classified as critical. Affected by this vulnerability is the function area_cache_get of the file drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211045 was assigned to this vulnerability.(CVE-2022-3545)\r\n\r\nA vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function del_timer of the file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211088.(CVE-2022-3565)\r\n\r\nA vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function intr_callback of the file drivers/net/usb/r8152.c of the component BPF. The manipulation leads to logging of excessive data. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211363.(CVE-2022-3594)\n\nA vulnerability classified as critical was found in Linux Kernel. Affected by this vulnerability is the function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211087.(CVE-2022-3564)\n\nA vulnerability, which was classified as problematic, was found in Linux Kernel. This affects the function tcp_getsockopt/tcp_setsockopt of the component TCP Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. The identifier VDB-211089 was assigned to this vulnerability.(CVE-2022-3566)\n\nA vulnerability classified as problematic was found in Linux Kernel. This vulnerability affects the function bnx2x_tpa_stop of the file drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c of the component BPF. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. VDB-211042 is the identifier assigned to this vulnerability.(CVE-2022-3542)\n\nA vulnerability classified as problematic was found in Linux Kernel. Affected by this vulnerability is the function mvpp2_dbgfs_port_init of the file drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c of the component mvpp2. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The identifier VDB-211033 was assigned to this vulnerability.(CVE-2022-3535)\n\nA vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function kcm_tx_work of the file net/kcm/kcmsock.c of the component kcm. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. VDB-211018 is the identifier assigned to this vulnerability.(CVE-2022-3521)",
+    "cves": [
+      {
+        "id": "CVE-2022-3521",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3521",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1063": {
+    "id": "openEuler-SA-2021-1063",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1063",
+    "title": "An update for opensc is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "OpenSC provides a set of libraries and utilities to work with smart cards. Its main focus is on cards that support cryptographic operations, and facilitate their use in security applications such as authentication, mail encryption and digital signatures. OpenSC implements the standard APIs to smart cards, e.g. PKCS#11 API, Windows’ Smart Card Minidriver and macOS Tokend.\r\n\r\nSecurity Fix(es):\r\n\r\nThe gemsafe GPK smart card software driver in OpenSC before 0.21.0-rc1 has a stack-based buffer overflow in sc_pkcs15emu_gemsafeGPK_init.(CVE-2020-26571)\r\n\r\nThe TCOS smart card software driver in OpenSC before 0.21.0-rc1 has a stack-based buffer overflow in tcos_decipher.(CVE-2020-26572)",
+    "cves": [
+      {
+        "id": "CVE-2020-26572",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26572",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2062": {
+    "id": "openEuler-SA-2022-2062",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2062",
+    "title": "An update for kafka is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Apache Kafka is an open-source distributed event streaming platform used by thousands of companies for high-performance data pipelines, streaming analytics, data integration, and mission-critical applications.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nWhen Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables.(CVE-2019-12399)\r\n\r\nA security vulnerability has been identified in Apache Kafka. It affects all releases since 2.8.0. The vulnerability allows malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and causing denial of service. Example scenarios: - Kafka cluster without authentication: Any clients able to establish a network connection to a broker can trigger the issue. - Kafka cluster with SASL authentication: Any clients able to establish a network connection to a broker, without the need for valid SASL credentials, can trigger the issue. - Kafka cluster with TLS authentication: Only clients able to successfully authenticate via TLS can trigger the issue. We advise the users to upgrade the Kafka installations to one of the 3.2.3, 3.1.2, 3.0.2, 2.8.2 versions.(CVE-2022-34917)",
+    "cves": [
+      {
+        "id": "CVE-2022-34917",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34917",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1325": {
+    "id": "openEuler-SA-2021-1325",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1325",
+    "title": "An update for cpio is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "GNU cpio copies files into or out of a cpio or tar archive. The archive can be another file on the disk, a magnetic tape, or a pipe.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.(CVE-2021-38185)",
+    "cves": [
+      {
+        "id": "CVE-2021-38185",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38185",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1558": {
+    "id": "openEuler-SA-2024-1558",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1558",
+    "title": "An update for mysql is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The MySQL(TM) software delivers a very fast, multi-threaded, multi-user, and robust SQL (Structured Query Language) database server. MySQL Server is intended for mission-critical, heavy-load production systems as well as for embedding into mass-deployed software. MySQL is a trademark of Oracle and/or its affiliates\r\n\r\nSecurity Fix(es):\r\n\r\nIssue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\r\n\r\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\r\n\r\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\r\n\r\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\r\n\r\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.(CVE-2023-6129)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: RAPID).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20960)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20961)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20962)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20963)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20964)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20965)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20966)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2024-20967)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2024-20969)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20970)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20971)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20972)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20973)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20974)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20976)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20977)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20978)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20981)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20982)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server : Security : Firewall).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20984)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: UDF).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20985)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20993)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20994)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20998)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of MySQL Server accessible data as well as  unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 3.8 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).(CVE-2024-21000)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21008)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21009)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21013)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21047)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21054)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21055)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21057)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Data Dictionary).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21060)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Audit Plug-in).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21061)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21062)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21069)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Client: mysqldump).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of MySQL Server accessible data as well as  unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).(CVE-2024-21096)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21102)",
+    "cves": [
+      {
+        "id": "CVE-2024-21102",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21102",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1612": {
+    "id": "openEuler-SA-2024-1612",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1612",
+    "title": "An update for atril is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Mate-document-viewer is simple document viewer. It can display and print Portable Document Format (PDF), PostScript (PS), Encapsulated PostScript (EPS), DVI, DJVU, epub and XPS files. When supported by the document format, mate-document-viewer allows searching for text, copying text to the clipboard, hypertext navigation, table-of-contents bookmarks and editing of forms.\r\n\r\nSecurity Fix(es):\r\n\r\nAtril is a simple multi-page document viewer. Atril is vulnerable to a critical Command Injection Vulnerability. This vulnerability gives the attacker immediate access to the target system when the target user opens a crafted document or clicks on a crafted link/URL using a maliciously crafted CBT document which is a TAR archive. A patch is available at commit ce41df6.\n(CVE-2023-51698)",
+    "cves": [
+      {
+        "id": "CVE-2023-51698",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51698",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1501": {
+    "id": "openEuler-SA-2023-1501",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1501",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Go Programming Language.\r\n\r\nSecurity Fix(es):\r\n\r\nThe HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.(CVE-2023-29406)",
+    "cves": [
+      {
+        "id": "CVE-2023-29406",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29406",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1312": {
+    "id": "openEuler-SA-2023-1312",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1312",
+    "title": "An update for c-ares is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "This is c-ares, an asynchronous resolver library. It is intended for applications which need to perform DNS queries without blocking, or need to perform multiple\r\n\r\nSecurity Fix(es):\r\n\r\nc-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.(CVE-2023-32067)",
+    "cves": [
+      {
+        "id": "CVE-2023-32067",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32067",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1324": {
+    "id": "openEuler-SA-2021-1324",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1324",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects the possibility of uninitialized memory locations on the BPF stack.(CVE-2021-34556)\r\n\r\nIn the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store operation does not necessarily occur before a store operation that has an attacker-controlled value.(CVE-2021-35477)\r\n\r\nAn information disclosure vulnerability exists in the ARM SIGPAGE functionality of Linux Kernel v5.4.66 and v5.4.54. The latest version (5.11-rc4) seems to still be vulnerable. A userland application can read the contents of the sigpage, which can leak kernel memory contents. An attacker can read a process’s memory at a specific offset to trigger this vulnerability. This was fixed in kernel releases: 4.14.222 4.19.177 5.4.99 5.10.17 5.11(CVE-2021-21781)\r\n\r\nIn drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size.(CVE-2021-38160)",
+    "cves": [
+      {
+        "id": "CVE-2021-38160",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38160",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1460": {
+    "id": "openEuler-SA-2024-1460",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1460",
+    "title": "An update for libdwarf is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Libdwarf is a library of functions to provide read/write DWARF debugging records.\r\n\r\nSecurity Fix(es):\r\n\r\nA double-free vulnerability was found in libdwarf. In a multiply-corrupted DWARF object, libdwarf may try to dealloc(free) an allocation twice, potentially causing unpredictable and various results.(CVE-2024-2002)",
+    "cves": [
+      {
+        "id": "CVE-2024-2002",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2002",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1442": {
+    "id": "openEuler-SA-2023-1442",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1442",
+    "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects,or draw text, lines, polygons, ellipses and Bézier curves.\n\nSecurity Fix(es):\n\nA vulnerability was found in ImageMagick <=7.1.1, where heap-based buffer overflow was found in coders/tiff.c.\n\nReferences:\nhttps://github.com/ImageMagick/ImageMagick/commit/a531d28e31309676ce8168c3b6dbbb5374b78790(CVE-2023-3428)",
+    "cves": [
+      {
+        "id": "CVE-2023-3428",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3428",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1662": {
+    "id": "openEuler-SA-2023-1662",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1662",
+    "title": "An update for skopeo is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "A command line utility that performs various operations on container images and image repositories\r\n\r\nSecurity Fix(es):\r\n\r\nCalling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.(CVE-2023-24537)",
+    "cves": [
+      {
+        "id": "CVE-2023-24537",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24537",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2164": {
+    "id": "openEuler-SA-2022-2164",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2164",
+    "title": "An update for trafficserver is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Apache Traffic Server is an OpenSource HTTP / HTTPS / HTTP/2 / QUIC reverse,forward and transparent proxy and cache.\r\n\r\nSecurity Fix(es):\r\n\r\nImproper Check for Unusual or Exceptional Conditions vulnerability handling requests in Apache Traffic Server allows an attacker to crash the server under certain conditions. This issue affects Apache Traffic Server: from 8.0.0 through 9.1.3.(CVE-2022-32749)\r\n\r\nImproper Check for Unusual or Exceptional Conditions vulnerability in handling the requests to Apache Traffic Server. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.(CVE-2022-37392)\r\n\r\nImproper Input Validation vulnerability for the xdebug plugin in Apache Software Foundation Apache Traffic Server can lead to cross site scripting and cache poisoning attacks.This issue affects Apache Traffic Server: 9.0.0 to 9.1.3. Users should upgrade to 9.1.4 or later versions.(CVE-2022-40743)",
+    "cves": [
+      {
+        "id": "CVE-2022-40743",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40743",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1021": {
+    "id": "openEuler-SA-2024-1021",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1021",
+    "title": "An update for espeak-ng is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The eSpeak NG is a compact open source software text-to-speech synthesizer for Linux, Windows, Android and other operating systems. It supports 70 languages and accents. It is based on the eSpeak engine created by Jonathan Duddington.\r\n\r\nSecurity Fix(es):\r\n\r\nEspeak-ng 1.52-dev was discovered to contain a buffer-overflow via the function SetUpPhonemeTable at synthdata.c.(CVE-2023-49990)\r\n\r\nEspeak-ng 1.52-dev was discovered to contain a Stack Buffer Underflow via the function CountVowelPosition at synthdata.c.(CVE-2023-49991)\r\n\r\nEspeak-ng 1.52-dev was discovered to contain a Stack Buffer Overflow via the function RemoveEnding at dictionary.c.(CVE-2023-49992)\r\n\r\nEspeak-ng 1.52-dev was discovered to contain a Buffer Overflow via the function ReadClause at readclause.c.(CVE-2023-49993)\r\n\r\nEspeak-ng 1.52-dev was discovered to contain a Floating Point Exception via the function PeaksToHarmspect at wavegen.c.(CVE-2023-49994)",
+    "cves": [
+      {
+        "id": "CVE-2023-49994",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49994",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1226": {
+    "id": "openEuler-SA-2024-1226",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1226",
+    "title": "An update for shim is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Initial UEFI bootloader that handles chaining to a trusted full \\ bootloader under secure boot environments.\r\n\r\nSecurity Fix(es):\r\n\r\nApplications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\r\n\r\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\r\n\r\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0465)\r\n\r\nIssue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\r\n\r\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\r\n\r\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit.  OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\r\n\r\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime.  The time complexity is O(n^2) with 'n' being the size of the\nsub-identifiers in bytes (*).\r\n\r\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\nidentifiers in string form was introduced.  This includes using OBJECT\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\nalgorithms.\r\n\r\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\ndecrypt, or digest passed data.\r\n\r\nApplications that call OBJ_obj2txt() directly with untrusted data are\naffected, with any version of OpenSSL.  If the use is for the mere purpose\nof display, the severity is considered low.\r\n\r\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\nCMS, CMP/CRMF or TS.  It also impacts anything that processes X.509\ncertificates, including simple things like verifying its signature.\r\n\r\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\n100KiB limit on the peer's certificate chain.  Additionally, this only\nimpacts clients, or servers that have explicitly enabled client\nauthentication.\r\n\r\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\nsuch as X.509 certificates.  This is assumed to not happen in such a way\nthat it would cause a Denial of Service, so these versions are considered\nnot affected by this issue in such a way that it would be cause for concern,\nand the severity is therefore considered low.(CVE-2023-2650)\r\n\r\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\r\n\r\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\r\n\r\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\r\n\r\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\r\n\r\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\r\n\r\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.(CVE-2024-0727)",
+    "cves": [
+      {
+        "id": "CVE-2024-0727",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1414": {
+    "id": "openEuler-SA-2021-1414",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1414",
+    "title": "An update for freerdp is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "A Remote Desktop Protocol Implementation\r\n\r\nSecurity Fix(es):\r\n\r\nFreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. All FreeRDP clients prior to version 2.4.1 using gateway connections fail to validate input data. A malicious gateway might allow client memory to be written out of bounds. This issue has been resolved in version 2.4.1. If you are unable to update then use /gt:http rather than /gt:rdp connections if possible or use a direct connection without a gateway.(CVE-2021-41159)",
+    "cves": [
+      {
+        "id": "CVE-2021-41159",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41159",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1034": {
+    "id": "openEuler-SA-2024-1034",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1034",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nopeneuler-linux-kernel-5.10.149-ext4_write_inline_data-kernel_bug-365020(CVE-2021-33631)\r\n\r\nAn issue was discovered in the Linux kernel through 6.3.8. A use-after-free was found in ravb_remove in drivers/net/ethernet/renesas/ravb_main.c.(CVE-2023-35827)\r\n\r\nAn out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.(CVE-2023-6606)\r\n\r\nAn out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.(CVE-2023-6610)\r\n\r\nA use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\r\n\r\nThe function nft_pipapo_walk did not skip inactive elements during set walk which could lead double deactivations of PIPAPO (Pile Packet Policies) elements, leading to use-after-free.\r\n\r\nWe recommend upgrading past commit 317eb9685095678f2c9f5a8189de698c5354316a.\r\n\r\n(CVE-2023-6817)\r\n\r\nA heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be exploited to achieve local privilege escalation.\r\n\r\nA perf_event's read_size can overflow, leading to an heap out-of-bounds increment or write in perf_read_group().\r\n\r\nWe recommend upgrading past commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b.\r\n\r\n(CVE-2023-6931)\r\n\r\nA use-after-free vulnerability in the Linux kernel's ipv4: igmp component can be exploited to achieve local privilege escalation.\r\n\r\nA race condition can be exploited to cause a timer be mistakenly registered on a RCU read locked object which is freed by another thread.\r\n\r\nWe recommend upgrading past commit e2b706c691905fe78468c361aaabc719d0a496f1.\r\n\r\n(CVE-2023-6932)",
+    "cves": [
+      {
+        "id": "CVE-2023-6932",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6932",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1163": {
+    "id": "openEuler-SA-2021-1163",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1163",
+    "title": "An update for rpm is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The RPM Package Manager (RPM) is a powerful package management system capability as below\n-building computer software from source into easily distributable packages\n-installing, updating and uninstalling packaged software\n-querying detailed information about the packaged software, whether installed or not\n-verifying integrity of packaged software and resulting software installation\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.(CVE-2021-20271)",
+    "cves": [
+      {
+        "id": "CVE-2021-20271",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20271",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1593": {
+    "id": "openEuler-SA-2022-1593",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1593",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw use after free in the Linux kernel FUSE filesystem was found in the way user triggers write(). A local user could use this flaw to get some unauthorized access to some data from the FUSE filesystem and as result potentially privilege escalation too.(CVE-2022-1011)",
+    "cves": [
+      {
+        "id": "CVE-2022-1011",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1011",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1437": {
+    "id": "openEuler-SA-2024-1437",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1437",
+    "title": "An update for pcp is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "PCP provides a range of services that may be used to monitor and manage system performance. These services are distributed and scalable to accommodate the most complex system configurations and performance problems.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in PCP. The default pmproxy configuration exposes the Redis server backend to the local network, allowing remote command execution with the privileges of the Redis user. This issue can only be exploited when pmproxy is running. By default, pmproxy is not running and needs to be started manually. The pmproxy service is usually started from the 'Metrics settings' page of the Cockpit web interface. This flaw affects PCP versions 4.3.4 and newer.(CVE-2024-3019)",
+    "cves": [
+      {
+        "id": "CVE-2024-3019",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3019",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1435": {
+    "id": "openEuler-SA-2024-1435",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1435",
+    "title": "An update for pcp is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "PCP provides a range of services that may be used to monitor and manage system performance. These services are distributed and scalable to accommodate the most complex system configurations and performance problems.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in PCP. The default pmproxy configuration exposes the Redis server backend to the local network, allowing remote command execution with the privileges of the Redis user. This issue can only be exploited when pmproxy is running. By default, pmproxy is not running and needs to be started manually. The pmproxy service is usually started from the 'Metrics settings' page of the Cockpit web interface. This flaw affects PCP versions 4.3.4 and newer.(CVE-2024-3019)",
+    "cves": [
+      {
+        "id": "CVE-2024-3019",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3019",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1214": {
+    "id": "openEuler-SA-2024-1214",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1214",
+    "title": "An update for firefox is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Mozilla Firefox is a standalone web browser, designed for standards compliance and performance.  Its functionality can be enhanced via a plethora of extensions.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability found in nss. By this security vulnerability, nss client auth crash without a user certificate in the database and this can lead us to a segmentation fault or crash.(CVE-2022-3479)",
+    "cves": [
+      {
+        "id": "CVE-2022-3479",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3479",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1690": {
+    "id": "openEuler-SA-2024-1690",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1690",
+    "title": "An update for uriparser is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The package is a strictly RFC 3986 compliant URI parsing library written in C89(\"ANSI C\"). uriparser is cross-platform, fast, supports Unicode and is licensed under the New BSD license. There are a number of applications, libraries and hardware using uriparser, as well as bindings and 3rd-party wrappers. uriparser is packaged in major distributions.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in uriparser through 0.9.7. ComposeQueryEngine in UriQuery.c has an integer overflow via long keys or values, with a resultant buffer overflow.(CVE-2024-34402)",
+    "cves": [
+      {
+        "id": "CVE-2024-34402",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34402",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1959": {
+    "id": "openEuler-SA-2022-1959",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1959",
+    "title": "An update for libtpms is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "A library providing TPM functionality for VMs. Targeted for integration into Qemu.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in libtpms in versions before 0.8.0. The TPM 2 implementation returns 2048 bit keys with ~1984 bit strength due to a bug in the TCG specification. The bug is in the key creation algorithm in RsaAdjustPrimeCandidate(), which is called before the prime number check. The highest threat from this vulnerability is to data confidentiality.(CVE-2021-3505)",
+    "cves": [
+      {
+        "id": "CVE-2021-3505",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3505",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1725": {
+    "id": "openEuler-SA-2022-1725",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1725",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\nIn lg_probe and related functions of hid-lg.c and other USB HID files, there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure if a malicious USB HID device were plugged in, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-188677105References: Upstream kernel(CVE-2022-20132)\n\r\nIn lock_sock_nested of sock.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-174846563References: Upstream kernel(CVE-2022-20154)\n\nA use-after-free vulnerability was found in the Linux kernel s Netfilter subsystem in net/netfilter/nf_tables_api.c. This flaw allows a local attacker with user access to cause a privilege escalation issue.(CVE-2022-1966)\n\nThe Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are used.(CVE-2022-32296)\n\nAn issue was discovered in the Linux kernel through 5.18.3 on powerpc 32-bit platforms. There is a buffer overflow in ptrace PEEKUSER and POKEUSER (aka PEEKUSR and POKEUSR) when accessing floating point registers. (CVE-2022-32981)\n\nnet/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free.(CVE-2022-32250)",
+    "cves": [
+      {
+        "id": "CVE-2022-32250",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32250",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1055": {
+    "id": "openEuler-SA-2024-1055",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1055",
+    "title": "An update for ghostscript is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Ghostscript is an interpreter for PostScript™ and Portable Document Format (PDF) files. Ghostscript consists of a PostScript interpreter layer, and a graphics library.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the function gdev_prn_open_printer_seekable() in Artifex Ghostscript through 10.02.0 allows remote attackers to crash the application via a dangling pointer.(CVE-2023-46751)",
+    "cves": [
+      {
+        "id": "CVE-2023-46751",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46751",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1503": {
+    "id": "openEuler-SA-2024-1503",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1503",
+    "title": "An update for skopeo is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "A command line utility that performs various operations on container images and image repositories\r\n\r\nSecurity Fix(es):\r\n\r\nA maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.(CVE-2022-41723)",
+    "cves": [
+      {
+        "id": "CVE-2022-41723",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1742": {
+    "id": "openEuler-SA-2023-1742",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1742",
+    "title": "An update for libxml2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "This library allows to manipulate XML files. It includes support to read, modify and write XML and HTML files. There is DTDs support this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified. The output can be a simple SAX stream or and in-memory DOM like representations. In this case one can use the built-in XPath and XPointer implementation to select sub nodes or ranges. A flexible Input/Output mechanism is available, with existing HTTP and FTP modules and combined to an URI library.\r\n\r\nSecurity Fix(es):\r\n\r\n** DISPUTED ** libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is \"I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail.\"(CVE-2023-45322)",
+    "cves": [
+      {
+        "id": "CVE-2023-45322",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45322",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1764": {
+    "id": "openEuler-SA-2023-1764",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1764",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Netfilter subsystem in the Linux kernel. The xt_u32 module did not validate the fields in the xt_u32 structure. This flaw allows a local privileged attacker to trigger an out-of-bounds read by setting the size fields with a value beyond the array boundaries, leading to a crash or information disclosure.(CVE-2023-39192)\r\n\r\nA NULL pointer dereference flaw was found in the Linux kernel ipv4 stack. The socket buffer (skb) was assumed to be associated with a device before calling __ip_options_compile, which is not always the case if the skb is re-routed by ipvs. This issue may allow a local user with CAP_NET_ADMIN privileges to crash the system.(CVE-2023-42754)\r\n\r\nAn issue was discovered in drivers/net/ethernet/intel/igb/igb_main.c in the IGB driver in the Linux kernel before 6.5.3. A buffer size may not be adequate for frames larger than the MTU.(CVE-2023-45871)",
+    "cves": [
+      {
+        "id": "CVE-2023-45871",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45871",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1351": {
+    "id": "openEuler-SA-2023-1351",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1351",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Linux Kernel image for RaspberryPi.\n\nSecurity Fix(es):\n\nAn issue was discovered in the Linux kernel before 6.2.9. A use-after-free was found in bq24190_remove in drivers/power/supply/bq24190_charger.c. It could allow a local attacker to crash the system due to a race condition.(CVE-2023-33288)",
+    "cves": [
+      {
+        "id": "CVE-2023-33288",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33288",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1210": {
+    "id": "openEuler-SA-2024-1210",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1210",
+    "title": "An update for unbound is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards. To help increase online privacy, Unbound supports DNS-over-TLS which allows clients to encrypt their communication. Unbound is available for most platforms such as FreeBSD, OpenBSD, NetBSD, MacOS, Linux and Microsoft Windows. Unbound is a totally free, open source software under the BSD license. It doesn't make custom builds or provide specific features to paying customers only.\r\n\r\nSecurity Fix(es):\r\n\r\nCertain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.(CVE-2023-50387)\r\n\r\nThe Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.(CVE-2023-50868)\r\n\r\nA vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound group to modify the unbound runtime configuration. If a process can connect over localhost to port 8953, it can alter the configuration of unbound.service. This flaw allows an unprivileged attacker to manipulate a running instance, potentially altering forwarders, allowing them to track all queries forwarded by the local resolver, and, in some cases, disrupting resolving altogether.(CVE-2024-1488)",
+    "cves": [
+      {
+        "id": "CVE-2024-1488",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1488",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1283": {
+    "id": "openEuler-SA-2024-1283",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1283",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: explicitly null-terminate the xattr list\r\n\r\nWhen setting an xattr, explicitly null-terminate the xattr list.  This\neliminates the fragile assumption that the unused xattr space is always\nzeroed.(CVE-2023-52436)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbinder: fix use-after-free in shinker's callback\r\n\r\nThe mmap read lock is used during the shrinker's callback, which means\nthat using alloc->vma pointer isn't safe as it can race with munmap().\nAs of commit dd2283f2605e (\"mm: mmap: zap pages with read mmap_sem in\nmunmap\") the mmap lock is downgraded after the vma has been isolated.\r\n\r\nI was able to reproduce this issue by manually adding some delays and\ntriggering page reclaiming through the shrinker's debug sysfs. The\nfollowing KASAN report confirms the UAF:\r\n\r\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8\n  Read of size 8 at addr ffff356ed50e50f0 by task bash/478\r\n\r\n  CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70\n  Hardware name: linux,dummy-virt (DT)\n  Call trace:\n   zap_page_range_single+0x470/0x4b8\n   binder_alloc_free_page+0x608/0xadc\n   __list_lru_walk_one+0x130/0x3b0\n   list_lru_walk_node+0xc4/0x22c\n   binder_shrink_scan+0x108/0x1dc\n   shrinker_debugfs_scan_write+0x2b4/0x500\n   full_proxy_write+0xd4/0x140\n   vfs_write+0x1ac/0x758\n   ksys_write+0xf0/0x1dc\n   __arm64_sys_write+0x6c/0x9c\r\n\r\n  Allocated by task 492:\n   kmem_cache_alloc+0x130/0x368\n   vm_area_alloc+0x2c/0x190\n   mmap_region+0x258/0x18bc\n   do_mmap+0x694/0xa60\n   vm_mmap_pgoff+0x170/0x29c\n   ksys_mmap_pgoff+0x290/0x3a0\n   __arm64_sys_mmap+0xcc/0x144\r\n\r\n  Freed by task 491:\n   kmem_cache_free+0x17c/0x3c8\n   vm_area_free_rcu_cb+0x74/0x98\n   rcu_core+0xa38/0x26d4\n   rcu_core_si+0x10/0x1c\n   __do_softirq+0x2fc/0xd24\r\n\r\n  Last potentially related work creation:\n   __call_rcu_common.constprop.0+0x6c/0xba0\n   call_rcu+0x10/0x1c\n   vm_area_free+0x18/0x24\n   remove_vma+0xe4/0x118\n   do_vmi_align_munmap.isra.0+0x718/0xb5c\n   do_vmi_munmap+0xdc/0x1fc\n   __vm_munmap+0x10c/0x278\n   __arm64_sys_munmap+0x58/0x7c\r\n\r\nFix this issue by performing instead a vma_lookup() which will fail to\nfind the vma that was isolated before the mmap lock downgrade. Note that\nthis option has better performance than upgrading to a mmap write lock\nwhich would increase contention. Plus, mmap_write_trylock() has been\nrecently removed anyway.(CVE-2023-52438)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nuio: Fix use-after-free in uio_open\r\n\r\ncore-1\t\t\t\tcore-2\n-------------------------------------------------------\nuio_unregister_device\t\tuio_open\n\t\t\t\tidev = idr_find()\ndevice_unregister(&idev->dev)\nput_device(&idev->dev)\nuio_device_release\n\t\t\t\tget_device(&idev->dev)\nkfree(idev)\nuio_free_minor(minor)\n\t\t\t\tuio_release\n\t\t\t\tput_device(&idev->dev)\n\t\t\t\tkfree(idev)\n-------------------------------------------------------\r\n\r\nIn the core-1 uio_unregister_device(), the device_unregister will kfree\nidev when the idev->dev kobject ref is 1. But after core-1\ndevice_unregister, put_device and before doing kfree, the core-2 may\nget_device. Then:\n1. After core-1 kfree idev, the core-2 will do use-after-free for idev.\n2. When core-2 do uio_release and put_device, the idev will be double\n   freed.\r\n\r\nTo address this issue, we can get idev atomic & inc idev reference with\nminor_lock.(CVE-2023-52439)\r\n\r\nNULL Pointer Dereference vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (net, bluetooth modules) allows Overflow Buffers. This vulnerability is associated with program files /net/bluetooth/rfcomm/core.C.\r\n\r\nThis issue affects Linux kernel: v2.6.12-rc2.\r\n\r\n(CVE-2024-22099)\r\n\r\nIn btrfs_get_root_ref in fs/btrfs/disk-io.c in the Linux kernel through 6.7.1, there can be an assertion failure and crash because a subvolume can be read out too soon after its root item is inserted upon subvolume creation.(CVE-2024-23850)\r\n\r\ncopy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can attempt to allocate more than INT_MAX bytes, and crash, because of a missing param_kernel->data_size check. This is related to ctl_ioctl.(CVE-2024-23851)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntls: fix race between async notify and socket close\r\n\r\nThe submitting thread (one which called recvmsg/sendmsg)\nmay exit as soon as the async crypto handler calls complete()\nso any code past that point risks touching already freed data.\r\n\r\nTry to avoid the locking and extra flags altogether.\nHave the main thread hold an extra reference, this way\nwe can depend solely on the atomic ref counter for\nsynchronization.\r\n\r\nDon't futz with reiniting the completion, either, we are now\ntightly controlling when completion fires.(CVE-2024-26583)",
+    "cves": [
+      {
+        "id": "CVE-2024-26583",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26583",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1239": {
+    "id": "openEuler-SA-2024-1239",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1239",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: prevent mss overflow in skb_segment()\r\n\r\nOnce again syzbot is able to crash the kernel in skb_segment() [1]\r\n\r\nGSO_BY_FRAGS is a forbidden value, but unfortunately the following\ncomputation in skb_segment() can reach it quite easily :\r\n\r\n\tmss = mss * partial_segs;\r\n\r\n65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to\na bad final result.\r\n\r\nMake sure to limit segmentation so that the new mss value is smaller\nthan GSO_BY_FRAGS.\r\n\r\n[1]\r\n\r\ngeneral protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]\nCPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3cbdd0 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff\nR10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0\nR13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046\nFS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\nudp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109\nipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120\nskb_mac_gso_segment+0x290/0x610 net/core/gso.c:53\n__skb_gso_segment+0x339/0x710 net/core/gso.c:124\nskb_gso_segment include/net/gso.h:83 [inline]\nvalidate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626\n__dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\npacket_xmit+0x257/0x380 net/packet/af_packet.c:276\npacket_snd net/packet/af_packet.c:3087 [inline]\npacket_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0xd5/0x180 net/socket.c:745\n__sys_sendto+0x255/0x340 net/socket.c:2190\n__do_sys_sendto net/socket.c:2202 [inline]\n__se_sys_sendto net/socket.c:2198 [inline]\n__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7f8692032aa9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9\nRDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003\nRBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480\nR13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003\n</TASK>\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R0\n---truncated---(CVE-2023-52435)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: explicitly null-terminate the xattr list\r\n\r\nWhen setting an xattr, explicitly null-terminate the xattr list.  This\neliminates the fragile assumption that the unused xattr space is always\nzeroed.(CVE-2023-52436)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path\r\n\r\nWhen calling mlxsw_sp_acl_tcam_region_destroy() from an error path after\nfailing to attach the region to an ACL group, we hit a NULL pointer\ndereference upon 'region->group->tcam' [1].\r\n\r\nFix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam().\r\n\r\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nRIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0\n[...]\nCall Trace:\n mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\n mlxsw_sp_acl_rule_add+0x47/0x240\n mlxsw_sp_flower_replace+0x1a9/0x1d0\n tc_setup_cb_add+0xdc/0x1c0\n fl_hw_replace_filter+0x146/0x1f0\n fl_change+0xc17/0x1360\n tc_new_tfilter+0x472/0xb90\n rtnetlink_rcv_msg+0x313/0x3b0\n netlink_rcv_skb+0x58/0x100\n netlink_unicast+0x244/0x390\n netlink_sendmsg+0x1e4/0x440\n ____sys_sendmsg+0x164/0x260\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xc0\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b(CVE-2024-26595)",
+    "cves": [
+      {
+        "id": "CVE-2024-26595",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26595",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1390": {
+    "id": "openEuler-SA-2023-1390",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1390",
+    "title": "An update for perl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "A highly capable, feature-rich programming language.\r\n\r\nSecurity Fix(es):\r\n\r\nHTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.(CVE-2023-31486)",
+    "cves": [
+      {
+        "id": "CVE-2023-31486",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31486",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1208": {
+    "id": "openEuler-SA-2023-1208",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1208",
+    "title": "An update for hdf5 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "HDF5 is a data model, library, and file format for storing and managing data. It supports an unlimited variety of datatypes, and is designed for flexible and efficient I/O and for high volume and complex data. HDF5 is portable and is extensible, allowing applications to evolve in their use of HDF5. The HDF5 Technology suite includes tools and applications for managing, manipulating, viewing, and analyzing data in the HDF5 format.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the HDF HDF5 1.8.20 library. There is a heap-based buffer over-read in the function H5T_copy in H5T.c.(CVE-2018-14031)\r\n\r\nAn issue was discovered in the HDF HDF5 1.8.20 library. There is an out of bounds read in H5L_extern_query at H5Lexternal.c.(CVE-2018-16438)",
+    "cves": [
+      {
+        "id": "CVE-2018-16438",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16438",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1807": {
+    "id": "openEuler-SA-2024-1807",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1807",
+    "title": "An update for ffmpeg is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash.\r\n\r\nSecurity Fix(es):\r\n\r\nadts_decode_extradata in libavformat/adtsenc.c in FFmpeg 4.4 does not check the init_get_bits return value, which is a necessary step because the second argument to init_get_bits can be crafted.(CVE-2021-38171)\r\n\r\nAn issue was discovered in the FFmpeg package, where vp3_decode_frame in libavcodec/vp3.c lacks check of the return value of av_malloc() and will cause a null pointer dereference, impacting availability.(CVE-2022-3109)\r\n\r\nBuffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the set_encoder_id function in /fftools/ffmpeg_enc.c component.(CVE-2023-50010)\r\n\r\nBuffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via the libavutil/imgutils.c:353:9 in image_copy_plane.(CVE-2023-51793)",
+    "cves": [
+      {
+        "id": "CVE-2023-51793",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51793",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1700": {
+    "id": "openEuler-SA-2024-1700",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1700",
+    "title": "An update for grub2 is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "GNU GRUB is a Multiboot boot loader. It was derived from GRUB, the GRand Unified Bootloader, which was originally designed and implemented by Erich Stefan Boleyn.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.(CVE-2021-46848)",
+    "cves": [
+      {
+        "id": "CVE-2021-46848",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46848",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1978": {
+    "id": "openEuler-SA-2022-1978",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1978",
+    "title": "An update for uboot-tools is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "This package includes the mkimage program, which allows generation of U-Boot images in various formats, and the fw_printenv and fw_setenv programs to read and modify U-Boot's environment.\r\n\r\nSecurity Fix(es):\r\n\r\nnfs_lookup_reply in net/nfs.c in Das U-Boot through 2022.04 (and through 2022.07-rc2) has an unbounded memcpy with a failed length check, leading to a buffer overflow. NOTE: this issue exists because of an incorrect fix for CVE-2019-14196.(CVE-2022-30767)",
+    "cves": [
+      {
+        "id": "CVE-2022-30767",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30767",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1116": {
+    "id": "openEuler-SA-2024-1116",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1116",
+    "title": "An update for shim is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "Initial UEFI bootloader that handles chaining to a trusted full \\ bootloader under secure boot environments.\r\n\r\nSecurity Fix(es):\r\n\r\nA remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise.(CVE-2023-40547)\r\n\r\nA flaw was found in the MZ binary format in Shim. An out-of-bounds read may occur, leading to a crash or possible exposure of sensitive data during the system's boot phase.(CVE-2023-40551)",
+    "cves": [
+      {
+        "id": "CVE-2023-40551",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40551",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1859": {
+    "id": "openEuler-SA-2023-1859",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1859",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds read vulnerability was found in Netfilter Connection Tracking (conntrack) in the Linux kernel. This flaw allows a remote user to disclose sensitive information via the DCCP protocol.(CVE-2023-39197)\r\n\r\nA null pointer dereference flaw was found in the Linux kernel API for the cryptographic algorithm scatterwalk functionality. This issue occurs when a user constructs a malicious packet with specific socket configuration, which could allow a local user to crash the system or escalate their privileges on the system.(CVE-2023-6176)",
+    "cves": [
+      {
+        "id": "CVE-2023-6176",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6176",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1624": {
+    "id": "openEuler-SA-2022-1624",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1624",
+    "title": "An update for busybox is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. It provides a fairly complete environment for any small or embedded system.\r\n\r\nSecurity Fix(es):\r\n\r\nBusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record s value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal s colors.(CVE-2022-28391)",
+    "cves": [
+      {
+        "id": "CVE-2022-28391",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28391",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1611": {
+    "id": "openEuler-SA-2022-1611",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1611",
+    "title": "An update for flac is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "FLAC stands for Free Lossless Audio Codec, an audio format similar to MP3, but lossless, meaning that audio is compressed in FLAC without any loss in quality.\r\n\r\nSecurity Fix(es):\r\n\r\nIn append_to_verify_fifo_interleaved_ of stream_encoder.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-174302683(CVE-2021-0561)",
+    "cves": [
+      {
+        "id": "CVE-2021-0561",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0561",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1506": {
+    "id": "openEuler-SA-2022-1506",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1506",
+    "title": "An update for curl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Curl is used in command lines or scripts to transfer data.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.(CVE-2021-22923)\r\n\r\nWhen curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.(CVE-2021-22922)",
+    "cves": [
+      {
+        "id": "CVE-2021-22922",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22922",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1469": {
+    "id": "openEuler-SA-2023-1469",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1469",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn multiple functions of binder.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.\r\n\r\n(CVE-2023-21255)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.\r\n\r\nIf tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.\r\n\r\nWe recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.\r\n\r\n(CVE-2023-3609)\r\n\r\nAn out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.\r\n\r\nThe qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks.\r\n\r\nWe recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.\r\n\r\n(CVE-2023-3611)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.\r\n\r\nIf tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.\r\n\r\nWe recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.\r\n\r\n(CVE-2023-3776)\r\n\r\nAn out-of-bounds memory access flaw was found in the Linux kernel’s TUN/TAP device driver functionality in how a user generates a malicious (too big) networking packet when napi frags is enabled. This flaw allows a local user to crash or potentially escalate their privileges on the system.(CVE-2023-3812)",
+    "cves": [
+      {
+        "id": "CVE-2023-3812",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3812",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1413": {
+    "id": "openEuler-SA-2023-1413",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1413",
+    "title": "An update for kubernetes is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Container cluster management.\n\nSecurity Fix(es):\n\nUsers authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API group.(CVE-2022-3162)\n\nUsers may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to to the API server's private network.(CVE-2022-3294)\n\nA security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.(CVE-2023-2431)\n\nUsers may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.\n\n(CVE-2023-2727)\n\nUsers may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.\n\n(CVE-2023-2728)",
+    "cves": [
+      {
+        "id": "CVE-2023-2728",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2728",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1991": {
+    "id": "openEuler-SA-2022-1991",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1991",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() in the Linux kernel’s filesystem sub-component. This flaw allows a local attacker with a user privilege to cause a denial of service.(CVE-2022-1184)\n\nAn issue was discovered in the Linux kernel before 5.19. In pxa3xx_gcu_write in drivers/video/fbdev/pxa3xx-gcu.c, the count parameter has a type conflict of size_t versus int, causing an integer overflow and bypassing the size check. After that, because it is used as the third argument to copy_from_user(), a heap overflow may occur.(CVE-2022-39842)\n\nA race condition flaw was found in the Linux kernel sound subsystem due to improper locking. It could lead to a NULL pointer dereference while handling the SNDCTL_DSP_SYNC ioctl. A privileged local user (root or member of the audio group) could use this flaw to crash the system, resulting in a denial of service condition(CVE-2022-3303)\n\nAn issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured.(CVE-2022-2663)",
+    "cves": [
+      {
+        "id": "CVE-2022-2663",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2663",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1263": {
+    "id": "openEuler-SA-2021-1263",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1263",
+    "title": "An update for jetty is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Low",
+    "description": "Jetty is a 100% Java HTTP Server and Servlet Container. This means that you\\ do not need to configure and run a separate web server (like Apache) in order\\ to use Java, servlets and JSPs to generate dynamic content. Jetty is a fully\\ featured web server for static and dynamic content. Unlike separate\\ server/container solutions, this means that your web server and web\\ application run in the same process, without interconnection overheads\\ and complications. Furthermore, as a pure java component, Jetty can be simply\\ included in your application for demonstration, distribution or deployment.\\ Jetty is available on all Java supported platforms. \\ %global extdesc \\\\ \\ This package contains\r\n\r\nSecurity Fix(es):\r\n\r\nFor Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.(CVE-2021-34428)",
+    "cves": [
+      {
+        "id": "CVE-2021-34428",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34428",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1211": {
+    "id": "openEuler-SA-2021-1211",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1211",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Low",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nIn QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.(CVE-2020-15469)",
+    "cves": [
+      {
+        "id": "CVE-2020-15469",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15469",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1978": {
+    "id": "openEuler-SA-2023-1978",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1978",
+    "title": "An update for openssh is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. \\ It encrypts all traffic to eliminate eavesdropping, connection hijacking, and \\ other attacks. In addition, OpenSSH provides a large suite of secure tunneling \\ capabilities, several authentication methods, and sophisticated configuration options.\r\n\r\nSecurity Fix(es):\r\n\r\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795)\r\n\r\nIn ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.(CVE-2023-51385)",
+    "cves": [
+      {
+        "id": "CVE-2023-51385",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51385",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1399": {
+    "id": "openEuler-SA-2021-1399",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1399",
+    "title": "An update for mutt is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Mutt is a small but very powerful text-based mail client for Unix operating systems.\r\n\r\nSecurity Fix(es):\r\n\r\nMutt before 1.14.3 proceeds with a connection even if, in response to a GnuTLS certificate prompt, the user rejects an expired intermediate certificate.(CVE-2020-14154)",
+    "cves": [
+      {
+        "id": "CVE-2020-14154",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14154",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1422": {
+    "id": "openEuler-SA-2021-1422",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1422",
+    "title": "An update for undertow is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Java web server using non-blocking IO\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in Undertow web server before 2.0.21. An information exposure of plain text credentials through log files because Connectors.executeRootHandler:402 logs the HttpServerExchange object at ERROR level using UndertowLogger.REQUEST_LOGGER.undertowRequestFailed(t, exchange)(CVE-2019-3888)\r\n\r\nA flaw was discovered in Undertow in versions before Undertow 2.1.1.Final where certain requests to the \"Expect: 100-continue\" header may cause an out of memory error. This flaw may potentially lead to a denial of service.(CVE-2020-10705)\r\n\r\nA flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling.(CVE-2020-10719)",
+    "cves": [
+      {
+        "id": "CVE-2020-10719",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10719",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1638": {
+    "id": "openEuler-SA-2024-1638",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1638",
+    "title": "An update for tpm2-tss is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "tpm2-tss is a software stack supporting Trusted Platform Module(TPM) 2.0 system APIs which provides TPM2.0 specified APIs for applications to access TPM module through kernel TPM drivers.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the tpm2-tss package, where it was not checked to see if the magic number in the attest is equal to the TPM2_GENERATED_VALUE. This flaw allows an attacker to generate arbitrary quote data, which may not be detected by Fapi_VerifyQuote.(CVE-2024-29040)",
+    "cves": [
+      {
+        "id": "CVE-2024-29040",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29040",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1445": {
+    "id": "openEuler-SA-2021-1445",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1445",
+    "title": "An update for grafana is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.\r\n\r\nSecurity Fix(es):\r\n\r\nGrafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.(CVE-2020-24303)\r\n\r\nA signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-27846)\r\n\r\nThe snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.(CVE-2021-27358)\r\n\r\nOne of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attack against a Grafana Enterprise instance.(CVE-2021-28148)\r\n\r\nThe team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn't supposed to have.(CVE-2021-28147)\r\n\r\nGrafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot \"public_mode\" configuration setting is set to True (vs default of False), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot \"public_mode\" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.(CVE-2021-39226)",
+    "cves": [
+      {
+        "id": "CVE-2021-39226",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39226",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1858": {
+    "id": "openEuler-SA-2023-1858",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1858",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Low",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds read vulnerability was found in Netfilter Connection Tracking (conntrack) in the Linux kernel. This flaw allows a remote user to disclose sensitive information via the DCCP protocol.(CVE-2023-39197)",
+    "cves": [
+      {
+        "id": "CVE-2023-39197",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39197",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1022": {
+    "id": "openEuler-SA-2021-1022",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1022",
+    "title": "An update for nasm is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "NASM is the Netwide Assembler, a free portable assembler for the Intel 80x86 microprocessor series, using primarily the traditional Intel instruction mnemonics and syntax. It also provides tools in RDOFF binary format, includes linker, library manager, loader, and information dump.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nIn Netwide Assembler (NASM) 2.15rc0, a heap-based buffer over-read occurs (via a crafted .asm file) in set_text_free when called from expand_one_smacro in asm/preproc.c.(CVE-2019-20352)\\r\\n\\r\\n\nIn Netwide Assembler (NASM) 2.15rc10, there is heap use-after-free in saa_wbytes in nasmlib/saa.c.(CVE-2020-24241)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2020-24241",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24241",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1887": {
+    "id": "openEuler-SA-2022-1887",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1887",
+    "title": "An update for python-reportlab is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The ReportLab Toolkit. An Open Source Python library for generating PDFs and graphics.\r\n\r\nSecurity Fix(es):\r\n\r\nAll versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation) Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -> odyssey -> dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject <img src=\"http://127.0.0.1:5000\" valign=\"top\"/> 4. Create a nc listener nc -lp 5000 5. Run python3 dodyssey.py 6. You will get a hit on your nc showing we have successfully proceded to send a server side request 7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF(CVE-2020-28463)",
+    "cves": [
+      {
+        "id": "CVE-2020-28463",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28463",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1550": {
+    "id": "openEuler-SA-2022-1550",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1550",
+    "title": "An update for evince is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Evince is a document viewer for multiple document formats. The goal of evince is to replace the multiple document viewers that exist on the GNOME Desktop with a single simple application. Evince is specifically designed to support the file following formats: PDF, Postscript, djvu, tiff, dvi, XPS, SyncTex support with gedit, comics books (cbr,cbz,cb7 and cbt).\r\n\r\nSecurity Fix(es):\r\n\r\nThe tiff_document_render() and tiff_document_get_thumbnail() functions in the TIFF document backend in GNOME Evince through 3.32.0 did not handle errors from TIFFReadRGBAImageOriented(), leading to uninitialized memory use when processing certain TIFF image files.(CVE-2019-11459)",
+    "cves": [
+      {
+        "id": "CVE-2019-11459",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11459",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1391": {
+    "id": "openEuler-SA-2024-1391",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1391",
+    "title": "An update for libvirt is now available for openEuler-20.03-LTS-SP1,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Libvirt is a C toolkit to interact with the virtualization capabilities of recent versions of Linux (and other OSes). The main package includes the libvirtd server exporting the virtualization support.\r\n\r\nSecurity Fix(es):\r\n\r\nAn off-by-one error flaw was found in the udevListInterfacesByStatus() function in libvirt when the number of interfaces exceeds the size of the `names` array. This issue can be reproduced by sending specially crafted data to the libvirt daemon, allowing an unprivileged client to perform a denial of service attack by causing the libvirt daemon to crash.(CVE-2024-1441)\r\n\r\nA flaw was found in the RPC library APIs of libvirt. The RPC server deserialization code allocates memory for arrays before the non-negative length check is performed by the C API entry points. Passing a negative length to the g_new0 function results in a crash due to the negative length being treated as a huge positive number. This flaw allows a local, unprivileged user to perform a denial of service attack by causing the libvirt daemon to crash.(CVE-2024-2494)",
+    "cves": [
+      {
+        "id": "CVE-2024-2494",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2494",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1841": {
+    "id": "openEuler-SA-2023-1841",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1841",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvbdev.c has a use-after-free, related to dvb_register_device dynamically allocating fops.(CVE-2022-45884)\r\n\r\nRejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-35823. Reason: This candidate is a reservation duplicate of CVE-2023-35823. Notes: All CVE users should reference CVE-2023-35823 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.(CVE-2023-3327)\r\n\r\nA race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one holding a reference to it. This flaw allows an attacker to guess the returned handle value and trigger a use-after-free issue, potentially leading to a denial of service or privilege escalation.(CVE-2023-39198)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation.\r\n\r\nIf a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free.\r\n\r\nWe recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f.\r\n\r\n(CVE-2023-4623)",
+    "cves": [
+      {
+        "id": "CVE-2023-4623",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4623",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1016": {
+    "id": "openEuler-SA-2021-1016",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1016",
+    "title": "An update for tpm2-tss is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "tpm2-tss is a software stack supporting Trusted Platform Module(TPM) 2.0 system APIs which provides TPM2.0 specified APIs for applications to access TPM module through kernel TPM drivers.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nNo description is available for this CVE.(CVE-2020-24455)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2020-24455",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24455",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1254": {
+    "id": "openEuler-SA-2021-1254",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1254",
+    "title": "An update for bluez is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Low",
+    "description": "This package provides all utilities for use in Bluetooth applications. The BLUETOOTH trademarks are owned by Bluetooth SIG, Inc., U.S.A.\r\n\r\nSecurity Fix(es):\r\n\r\nThe cli_feat_read_cb() function in src/gatt-database.c does not perform bounds checks on the 'offset' variable before using it as an index into an array for reading.(CVE-2021-3588)",
+    "cves": [
+      {
+        "id": "CVE-2021-3588",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3588",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1363": {
+    "id": "openEuler-SA-2023-1363",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1363",
+    "title": "An update for wireshark is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nDue to failure in validating the length provided by an attacker-crafted MSMMS packet, Wireshark version 4.0.5 and prior, in an unusual configuration, is susceptible to a heap-based buffer overflow, and possibly code execution in the context of the process running Wireshark(CVE-2023-0667)",
+    "cves": [
+      {
+        "id": "CVE-2023-0667",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0667",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1626": {
+    "id": "openEuler-SA-2023-1626",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1626",
+    "title": "An update for nasm is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "NASM is the Netwide Assembler, a free portable assembler for the Intel 80x86 microprocessor series, using primarily the traditional Intel instruction mnemonics and syntax. It also provides tools in RDOFF binary format, includes linker, library manager, loader, and information dump.\r\n\r\nSecurity Fix(es):\r\n\r\nA Segmentation Fault issue discovered in in ieee_segment function in outieee.c in nasm 2.14.03 and 2.15 allows remote attackers to cause a denial of service via crafted assembly file.(CVE-2020-21528)",
+    "cves": [
+      {
+        "id": "CVE-2020-21528",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-21528",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1435": {
+    "id": "openEuler-SA-2021-1435",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1435",
+    "title": "An update for apache-mina is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Apache MINA is a network application framework which helps users develop high performance and high scalability network applications easily. It provides an abstract event-driven asynchronous API over various transports such as TCP/IP and UDP/IP via Java NIO.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely. The decoder assumed that the HTTP Header begins at the beginning of the buffer and loops if there is more data than expected. Please update MINA to 2.1.5 or greater.(CVE-2021-41973)",
+    "cves": [
+      {
+        "id": "CVE-2021-41973",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41973",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1125": {
+    "id": "openEuler-SA-2021-1125",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1125",
+    "title": "An update for python3 is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces.\r\n\r\nSecurity Fix(es):\r\n\r\nThe package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.(CVE-2021-23336)",
+    "cves": [
+      {
+        "id": "CVE-2021-23336",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23336",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1421": {
+    "id": "openEuler-SA-2021-1421",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1421",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nvim is vulnerable to Heap-based Buffer Overflow(CVE-2021-3903)",
+    "cves": [
+      {
+        "id": "CVE-2021-3903",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3903",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1960": {
+    "id": "openEuler-SA-2023-1960",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1960",
+    "title": "An update for curl is now available for openEuler-22.03-LTS",
+    "severity": "Low",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen saving HSTS data to an excessively long file name, curl could end up\nremoving all contents, making subsequent requests using that file unaware of\nthe HSTS status they should otherwise use.\n(CVE-2023-46219)",
+    "cves": [
+      {
+        "id": "CVE-2023-46219",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46219",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1138": {
+    "id": "openEuler-SA-2024-1138",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1138",
+    "title": "An update for nodejs is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Node.js is an open-source, cross-platform, JavaScript runtime environment, it executes JavaScript code outside of a browser.\r\n\r\nSecurity Fix(es):\r\n\r\nA security vulnerability has been identified in all supported versions\r\n\r\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints.  Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\r\n\r\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0464)\r\n\r\nApplications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\r\n\r\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\r\n\r\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0465)",
+    "cves": [
+      {
+        "id": "CVE-2023-0465",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0465",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1295": {
+    "id": "openEuler-SA-2024-1295",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1295",
+    "title": "An update for microcode_ctl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "This is a tool to transform and deploy microcode update for x86 CPUs.\r\n\r\nSecurity Fix(es):\r\n\r\nNon-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.(CVE-2023-38575)\r\n\r\nProtection mechanism failure of bus lock regulator for some Intel(R) Processors may allow an unauthenticated user to potentially enable denial of service via network access.(CVE-2023-39368)",
+    "cves": [
+      {
+        "id": "CVE-2023-39368",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39368",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2150": {
+    "id": "openEuler-SA-2022-2150",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2150",
+    "title": "An update for openjdk-latest is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21626)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21624)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21619)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS). Supported versions that are affected are Oracle Java SE: 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21618)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21628)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-39399)",
+    "cves": [
+      {
+        "id": "CVE-2022-39399",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39399",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1457": {
+    "id": "openEuler-SA-2024-1457",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1457",
+    "title": "An update for gstreamer1-plugins-base is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "GStreamer is a graphics library for built-in media processing components. BasePlug-ins is a the collections used to maintain the GStreamer plugin.\r\n\r\nSecurity Fix(es):\r\n\r\nHeap-based buffer overflow in the subparse subtitle parser when handling certain SRT subtitle files in GStreamer versions before 1.22.4 / 1.20.7. It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation.\r\n\r\nhttps://gstreamer.freedesktop.org/security/sa-2023-0002.html(CVE-2023-37328)",
+    "cves": [
+      {
+        "id": "CVE-2023-37328",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37328",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1537": {
+    "id": "openEuler-SA-2024-1537",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1537",
+    "title": "An update for qt5-qtbase is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Low",
+    "description": "This package provides base tools, such as string, xml, and network handling.\r\n\r\nSecurity Fix(es):\r\n\r\nQt 6 through 6.6 was discovered to contain a NULL pointer dereference via the function QXcbConnection::initializeAllAtoms(). NOTE: this is disputed because it is not expected that an X application should continue to run when there is arbitrary anomalous behavior from the X server.(CVE-2023-45935)",
+    "cves": [
+      {
+        "id": "CVE-2023-45935",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45935",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1801": {
+    "id": "openEuler-SA-2024-1801",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1801",
+    "title": "An update for python-pip is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes. %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-/bash_completion.d}) Name:           python-pip Version:        23.3.1 Release:        1 Summary:        A tool for installing and managing Python packages License:        MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD) URL:            http://www.pip-installer.org Source0:          Source1:        pip.loongarch.conf BuildArch:      noarch Patch1:         remove-existing-dist-only-if-path-conflicts. Patch6000:      dummy-certifi.patch\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the python-idna library. A malicious argument was sent to the idna.encode() function can trigger an uncontrolled resource consumption, resulting in a denial of service.(CVE-2024-3651)",
+    "cves": [
+      {
+        "id": "CVE-2024-3651",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3651",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1857": {
+    "id": "openEuler-SA-2024-1857",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1857",
+    "title": "An update for rapidjson is now available for openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "RapidJSON as a fast JSON parser which generator for c++. It`s inspired by RapidXML. It`s supports both SAX & DOM style API. It`s small but complete. It`s fast, It`s preformance can be comparabel to strlen(). It`s self-contained. It doesn`t depend on external libraries such as BOOST. It`s Unicode and memory friendly, each JSON valude occupies exactly 16/20 bytes for most 32/64-bit machines. It`s suport UTF-8 UTF-16 UTF-32 (LE & BE).\r\n\r\nSecurity Fix(es):\r\n\r\nTencent RapidJSON is vulnerable to privilege escalation due to an integer underflow in the `GenericReader::ParseNumber()` function of `include/rapidjson/reader.h` when parsing JSON text from a stream. An attacker needs to send the victim a crafted file which needs to be opened; this triggers the integer underflow vulnerability (when the file is parsed), leading to elevation of privilege.(CVE-2024-38517)",
+    "cves": [
+      {
+        "id": "CVE-2024-38517",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38517",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1582": {
+    "id": "openEuler-SA-2023-1582",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1582",
+    "title": "An update for librsvg2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "An SVG library based on cairo.\r\n\r\nSecurity Fix(es):\r\n\r\nA directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=\".?../../../../../../../../../../etc/passwd\" in an xi:include element.(CVE-2023-38633)",
+    "cves": [
+      {
+        "id": "CVE-2023-38633",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38633",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1164": {
+    "id": "openEuler-SA-2024-1164",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1164",
+    "title": "An update for python-django is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.(CVE-2024-24680)",
+    "cves": [
+      {
+        "id": "CVE-2024-24680",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24680",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1253": {
+    "id": "openEuler-SA-2024-1253",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1253",
+    "title": "An update for grub2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Low",
+    "description": "GNU GRUB is a Multiboot boot loader. It was derived from GRUB, the GRand Unified Bootloader, which was originally designed and implemented by Erich Stefan Boleyn.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the grub2-set-bootflag utility of grub2. After the fix of CVE-2019-14865, grub2-set-bootflag will create a temporary file with the new grubenv content and rename it to the original grubenv file. If the program is killed before the rename operation, the temporary file will not be removed and may fill the filesystem when invoked multiple times, resulting in a filesystem out of free inodes or blocks.(CVE-2024-1048)",
+    "cves": [
+      {
+        "id": "CVE-2024-1048",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1048",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1457": {
+    "id": "openEuler-SA-2021-1457",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1457",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Vim is a highly configurable text editor for efficiently creating and changing any kind of text.\r\n\r\nSecurity Fix(es):\r\n\r\nvim is vulnerable to Heap-based Buffer Overflow(CVE-2021-3984)",
+    "cves": [
+      {
+        "id": "CVE-2021-3984",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3984",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1554": {
+    "id": "openEuler-SA-2023-1554",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1554",
+    "title": "An update for microcode_ctl is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "This is a tool to transform and deploy microcode update for x86 CPUs.\r\n\r\nSecurity Fix(es):\r\n\r\nIncorrect default permissions in some memory controller configurations for some Intel(R) Xeon(R) Processors when using Intel(R) Software Guard Extensions which may allow a privileged user to potentially enable escalation of privilege via local access.(CVE-2022-33196)\r\n\r\nImproper isolation of shared resources in some Intel(R) Processors when using Intel(R) Software Guard Extensions may allow a privileged user to potentially enable information disclosure via local access.(CVE-2022-38090)\r\n\r\nInformation exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.(CVE-2022-40982)",
+    "cves": [
+      {
+        "id": "CVE-2022-40982",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40982",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1199": {
+    "id": "openEuler-SA-2021-1199",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1199",
+    "title": "An update for mysql is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2193)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2174)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2179)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2305)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2171)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2169)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Packaging). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N).(CVE-2021-2307)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2180)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Partition). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2201)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2196)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2170)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2194)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2172)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).(CVE-2021-2308)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2021-2304)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2300)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2230)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2298)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.23 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 1.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).(CVE-2021-2232)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.1 Base Score 4.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).(CVE-2021-2226)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2203)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2217)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Partition). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2208)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2164)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2278)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2215)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2293)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2299)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2212)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Audit Plug-in). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).(CVE-2021-2162)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Options). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2146)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2166)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).(CVE-2021-2301)",
+    "cves": [
+      {
+        "id": "CVE-2021-2301",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-2301",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1040": {
+    "id": "openEuler-SA-2021-1040",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1040",
+    "title": "An update for audiofile is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Audio File Library is a C-based library for reading and writing audio files in many common formats.  The Audio File Library provides a uniform API which abstracts away details of file formats and data formats. The same calls for opening a file, accessing and manipulating audio metadata (e.g. sample rate, sample format, textual information, MIDI parameters), and reading and writing sample data will work with any supported audio file format.\r\n\r\nSecurity Fix(es):\r\n\r\nHeap-based buffer overflow in the readValue function in FileHandle.cpp in audiofile (aka libaudiofile and Audio File Library) 0.3.6 allows remote attackers to have unspecified impact via a crafted WAV file.(CVE-2017-6828)\r\n\r\nInteger overflow in modules/MSADPCM.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file.(CVE-2017-6839)\r\n\r\nInteger overflow in sfcommands/sfconvert.c in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file.(CVE-2017-6838)\r\n\r\nHeap-based buffer overflow in the decodeBlockWAVE function in IMA.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file.(CVE-2017-6831)\r\n\r\nThe decodeSample function in IMA.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file.(CVE-2017-6829)",
+    "cves": [
+      {
+        "id": "CVE-2017-6829",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6829",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2006": {
+    "id": "openEuler-SA-2022-2006",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2006",
+    "title": "An update for libexif is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Most digital cameras produce EXIF files, which are JPEG files with extra tags that contain information about the image. The EXIF library allows you to parse an EXIF file and read the data from those tags.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nIn libexif, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege in the media content provider with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112537774(CVE-2019-9278)\r\n\r\nIn exif_data_save_data_entry of exif-data.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-148705132(CVE-2020-0093)\r\n\r\nIn exif_data_load_data_thumbnail of exif-data.c, there is a possible denial of service due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-145075076(CVE-2020-0181)\r\n\r\nIn exif_data_load_data_content of exif-data.c, there is a possible UBSAN abort due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-146428941(CVE-2020-0198)",
+    "cves": [
+      {
+        "id": "CVE-2020-0198",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0198",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1176": {
+    "id": "openEuler-SA-2023-1176",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1176",
+    "title": "An update for future is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "This package intends to provides a compatibility layer for Python between its two version release. The future and past packages are both provides for backports and forwards, in which you are able to use a single, clean codebase to run under Python3 environmets easily. With also providing futurize and pasteurize scripts, you can convert you Python code to support both version.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server.(CVE-2022-40899)",
+    "cves": [
+      {
+        "id": "CVE-2022-40899",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40899",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1466": {
+    "id": "openEuler-SA-2021-1466",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1466",
+    "title": "An update for openssh is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.\r\n\r\nSecurity Fix(es):\r\n\r\nssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.(CVE-2021-28041)",
+    "cves": [
+      {
+        "id": "CVE-2021-28041",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28041",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1493": {
+    "id": "openEuler-SA-2023-1493",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1493",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free flaw was found in r592_remove in drivers/memstick/host/r592.c in media access in the Linux Kernel. This flaw allows a local attacker to crash the system at device disconnect, possibly leading to a kernel information leak.(CVE-2023-3141)\r\n\r\nAn out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information.(CVE-2023-3268)\r\n\r\nAn issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in rkvdec_remove in drivers/staging/media/rkvdec/rkvdec.c.(CVE-2023-35829)\r\n\r\nAn issue was discovered in the Linux kernel before 6.3.8. fs/smb/server/smb2pdu.c in ksmbd has an integer underflow and out-of-bounds read in deassemble_neg_contexts.(CVE-2023-38427)\r\n\r\nAn issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/connection.c in ksmbd has an off-by-one error in memory allocation (because of ksmbd_smb2_check_message) that may lead to out-of-bounds access.(CVE-2023-38429)\r\n\r\nAn issue was discovered in the Linux kernel before 6.3.9. ksmbd does not validate the SMB request protocol ID, leading to an out-of-bounds read.(CVE-2023-38430)\r\n\r\nA use-after-free flaw was found in the Linux kernel's netfilter in the way a user triggers the nft_pipapo_remove function with the element, without a NFT_SET_EXT_KEY_END. This issue could allow a local user to crash the system or potentially escalate their privileges on the system.(CVE-2023-4004)",
+    "cves": [
+      {
+        "id": "CVE-2023-4004",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4004",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1512": {
+    "id": "openEuler-SA-2023-1512",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1512",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nA flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service.(CVE-2023-3772)\n\nA use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel. This flaw allows a local user with special privileges to impact a kernel information leak issue.(CVE-2023-3863)\n\nA use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This flaw allows a local user to crash the system, causing a denial of service condition.(CVE-2023-4133)\n\nA use-after-free flaw was found in the Linux kernel’s Netfilter functionality when adding a rule with NFTA_RULE_CHAIN_ID. This flaw allows a local user to crash or escalate their privileges on the system.(CVE-2023-4147)",
+    "cves": [
+      {
+        "id": "CVE-2023-4147",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4147",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1904": {
+    "id": "openEuler-SA-2023-1904",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1904",
+    "title": "An update for python-wheel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "A built-package format for Python. A wheel is a ZIP-format archive with a specially formatted filename and the .whl extension. It is designed to contain all the files for a PEP 376 compatible install in a way that is very close to the on-disk format.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.(CVE-2022-40898)",
+    "cves": [
+      {
+        "id": "CVE-2022-40898",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40898",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1645": {
+    "id": "openEuler-SA-2022-1645",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1645",
+    "title": "An update for SDL2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Simple DirectMedia Layer (SDL) is a cross-platform multimedia library designed to provide fast access to the graphics frame buffer and audio device.\n\r\nSecurity Fix(es):\r\n\r\nSDL (Simple DirectMedia Layer) through 2.0.12 has an Integer Overflow (and resultant SDL_memcpy heap corruption) in SDL_BlitCopy in video/SDL_blit_copy.c via a crafted .BMP file.(CVE-2020-14409)\nSDL (Simple DirectMedia Layer) through 2.0.12 has a heap-based buffer over-read in Blit_3or4_to_3or4__inversed_rgb in video/SDL_blit_N.c via a crafted .BMP file.(CVE-2020-14410)",
+    "cves": [
+      {
+        "id": "CVE-2020-14410",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14410",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1338": {
+    "id": "openEuler-SA-2021-1338",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1338",
+    "title": "An update for edk2 is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap overflow in LzmaUefiDecompressGetInfo function in EDK II.(CVE-2021-28211)",
+    "cves": [
+      {
+        "id": "CVE-2021-28211",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28211",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1222": {
+    "id": "openEuler-SA-2021-1222",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1222",
+    "title": "An update for libxml2 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "This library allows to manipulate XML files. It includes support to read, modify and write XML and HTML files. There is DTDs support this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified. The output can be a simple SAX stream or and in-memory DOM like representations. In this case one can use the built-in XPath and XPointer implementation to select sub nodes or ranges. A flexible Input/Output mechanism is available, with existing HTTP and FTP modules and combined to an URI library.\r\n\r\nSecurity Fix(es):\r\n\r\nThis library allows to manipulate XML files. It includes supportto read, modify and write XML and HTML files. There is DTDs supportthis includes parsing and validation even with complex DtDs, eitherat parse time or later once the document has been modified. The outputcan be a simple SAX stream or an(CVE-2021-3541)",
+    "cves": [
+      {
+        "id": "CVE-2021-3541",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3541",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1865": {
+    "id": "openEuler-SA-2024-1865",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1865",
+    "title": "An update for python-pip is now available for openEuler-24.03-LTS",
+    "severity": "Medium",
+    "description": "pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes. %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-/bash_completion.d}) Name:           python-pip Version:        20.2.2 Release:        4 Summary:        A tool for installing and managing Python packages License:        MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD) URL:            http://www.pip-installer.org Source0:        https://files.pythonhosted.org/packages/source/p/pip/pip-.tar.gz BuildArch:      noarch Patch1:         allow-stripping-given-prefix-from-wheel-RECORD-files. Patch2:         emit-a-warning-when-running-with-root-privileges.patch Patch3:         remove-existing-dist-only-if-path-conflicts.patch Patch6000:      dummy-certifi.patch Patch6001:      backport-CVE-2021-3572.patch\r\n\r\nSecurity Fix(es):\r\n\r\nurllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.\n(CVE-2023-45803)\r\n\r\n urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations.(CVE-2024-37891)",
+    "cves": [
+      {
+        "id": "CVE-2024-37891",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1450": {
+    "id": "openEuler-SA-2021-1450",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1450",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Vim is a highly configurable text editor for efficiently creating and changing any kind of text.\r\n\r\nSecurity Fix(es):\r\n\r\nvim is vulnerable to Use After Free.(CVE-2021-3974)\r\n\r\nvim is vulnerable to Heap-based Buffer Overflow.(CVE-2021-3973)",
+    "cves": [
+      {
+        "id": "CVE-2021-3973",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3973",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1112": {
+    "id": "openEuler-SA-2024-1112",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1112",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel before 6.5.9, there is a NULL pointer dereference in send_acknowledge in net/nfc/nci/spi.c.(CVE-2023-46343)\r\n\r\nIn the Linux kernel before 6.4.12, amdgpu_cs_wait_all_fences in drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c has a fence use-after-free.(CVE-2023-51042)\r\n\r\nAn issue was discovered in ksmbd in the Linux kernel before 6.6.10. smb2_get_data_area_len in fs/smb/server/smb2misc.c can cause an smb_strndup_from_utf16 out-of-bounds access because the relationship between Name data and CreateContexts data is mishandled.(CVE-2024-22705)",
+    "cves": [
+      {
+        "id": "CVE-2024-22705",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22705",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1806": {
+    "id": "openEuler-SA-2022-1806",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1806",
+    "title": "An update for libldb is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "An extensible library that implements an LDAP like API to access remote LDAP servers, or use local tdb databases.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Samba AD LDAP server. The AD DC database audit logging module can access LDAP message values freed by a preceding database module, resulting in a use-after-free issue. This issue is only possible when modifying certain privileged attributes, such as userAccountControl.(CVE-2022-32746)",
+    "cves": [
+      {
+        "id": "CVE-2022-32746",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32746",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1105": {
+    "id": "openEuler-SA-2024-1105",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1105",
+    "title": "An update for grafana is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.\r\n\r\nSecurity Fix(es):\r\n\r\nImproper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.(CVE-2022-32148)\r\n\r\nA malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.(CVE-2023-39325)",
+    "cves": [
+      {
+        "id": "CVE-2023-39325",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39325",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1909": {
+    "id": "openEuler-SA-2022-1909",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1909",
+    "title": "An update for sqlite is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "SQLite is a C-language library that implements a small, fast, self-contained,high-reliability, full-featured, SQL database engine. SQLite is the most used database engine in the world. SQLite is built into all mobile phones and most computers and comes bundled inside countless other applications that people use every day.It also include lemon and sqlite3_analyzer and tcl tools.\r\n\r\nSecurity Fix(es):\r\n\r\nSQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.(CVE-2022-35737)",
+    "cves": [
+      {
+        "id": "CVE-2022-35737",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35737",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1521": {
+    "id": "openEuler-SA-2024-1521",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1521",
+    "title": "An update for atril is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Mate-document-viewer is simple document viewer. It can display and print Portable Document Format (PDF), PostScript (PS), Encapsulated PostScript (EPS), DVI, DJVU, epub and XPS files. When supported by the document format, mate-document-viewer allows searching for text, copying text to the clipboard, hypertext navigation, table-of-contents bookmarks and editing of forms.\r\n\r\nSecurity Fix(es):\r\n\r\nAtril is a simple multi-page document viewer. Atril is vulnerable to a critical Command Injection Vulnerability. This vulnerability gives the attacker immediate access to the target system when the target user opens a crafted document or clicks on a crafted link/URL using a maliciously crafted CBT document which is a TAR archive. A patch is available at commit ce41df6.\n(CVE-2023-51698)",
+    "cves": [
+      {
+        "id": "CVE-2023-51698",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51698",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1543": {
+    "id": "openEuler-SA-2023-1543",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1543",
+    "title": "An update for yasm is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Low",
+    "description": "Yasm is a complete rewrite of the NASM assembler under the “new” BSD License.\n\nSecurity Fix(es):\n\nyasm v1.3.0 was discovered to contain a memory leak via the function yasm_intnum_copy at /libyasm/intnum.c.(CVE-2023-31975)",
+    "cves": [
+      {
+        "id": "CVE-2023-31975",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31975",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1586": {
+    "id": "openEuler-SA-2023-1586",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1586",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nA hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel’s IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%.(CVE-2023-1206)\r\n\r\nA buffer overrun vulnerability was found in the netback driver in Xen due to an unusual split packet. This flaw allows an unprivileged guest to cause a denial of service (DoS) of the host by sending network packets to the backend, causing the backend to crash.(CVE-2023-34319)\r\n\r\nAn issue was discovered in the Linux kernel before 6.3.10. fs/smb/server/smb2misc.c in ksmbd does not validate the relationship between the command payload size and the RFC1002 length specification, leading to an out-of-bounds read.(CVE-2023-38432)\r\n\r\n(CVE-2023-3867)\r\n\r\nAn issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10. There is a use-after-free because the children of an sk are mishandled.(CVE-2023-40283)\r\n\r\nA flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to bypass network filters and gain unauthorized access to some resources. The original patches fixing CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits - a096ccca6e50 (\"tun: tun_chr_open(): correctly initialize socket uid\"), - 66b2c338adce (\"tap: tap_open(): correctly initialize socket uid\"), pass \"inode->i_uid\" to sock_init_data_uid() as the last parameter and that turns out to not be accurate.(CVE-2023-4194)",
+    "cves": [
+      {
+        "id": "CVE-2023-4194",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4194",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1114": {
+    "id": "openEuler-SA-2021-1114",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1114",
+    "title": "An update for nodejs is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.\r\n\r\nSecurity Fix(es):\r\n\r\nNode.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.(CVE-2021-22883)\r\n\r\nNode.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.(CVE-2021-22884)",
+    "cves": [
+      {
+        "id": "CVE-2021-22884",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22884",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1672": {
+    "id": "openEuler-SA-2022-1672",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1672",
+    "title": "An update for rsyslog is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "RSYSLOG is the rocket-fast system for log processing.It offers high-performance, great security features and a modular design. While it started as a regular syslogd, rsyslog has evolved into a kind of swiss army knife of logging, being able to accept inputs from a wide variety of sources, transform them, and output to the results to diverse destinations.\r\n\r\nSecurity Fix(es):\r\n\r\nRsyslog is a rocket-fast system for log processing. Modules for TCP syslog reception have a potential heap buffer overflow when octet-counted framing is used. This can result in a segfault or some other malfunction. As of our understanding, this vulnerability can not be used for remote code execution. But there may still be a slight chance for experts to do that. The bug occurs when the octet count is read. While there is a check for the maximum number of octets, digits are written to a heap buffer even when the octet count is over the maximum, This can be used to overrun the memory buffer. However, once the sequence of digits stop, no additional characters can be added to the buffer. In our opinion, this makes remote exploits impossible or at least highly complex. Octet-counted framing is one of two potential framing modes. It is relatively uncommon, but enabled by default on receivers. Modules imtcp, imptcp, imgssapi, and imhttp are used for regular syslog message reception. It is best practice not to directly expose them to the public. When this practice is followed, the risk is considerably lower. Module imdiag is a diagnostics module primarily intended for testbench runs. We do not expect it to be present on any production installation. Octet-counted framing is not very common. Usually, it needs to be specifically enabled at senders. If users do not need it, they can turn it off for the most important modules. This will mitigate the vulnerability.(CVE-2022-24903)",
+    "cves": [
+      {
+        "id": "CVE-2022-24903",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24903",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1507": {
+    "id": "openEuler-SA-2024-1507",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1507",
+    "title": "An update for gnutls is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, and other required structures. The project strives to provide a secure communications back-end, simple to use and integrated with the rest of the base Linux libraries. A back-end designed to work and be secure out of the box, keeping the complexity of TLS and PKI out of application code.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the \"certtool --verify-chain\" command.(CVE-2024-28835)",
+    "cves": [
+      {
+        "id": "CVE-2024-28835",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28835",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1396": {
+    "id": "openEuler-SA-2024-1396",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1396",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: hda: intel-sdw-acpi: harden detection of controller\r\n\r\nThe existing code currently sets a pointer to an ACPI handle before\nchecking that it's actually a SoundWire controller. This can lead to\nissues where the graph walk continues and eventually fails, but the\npointer was set already.\r\n\r\nThis patch changes the logic so that the information provided to\nthe caller is set when a controller is found.(CVE-2021-46926)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nASoC: q6afe-clocks: fix reprobing of the driver\r\n\r\nQ6afe-clocks driver can get reprobed. For example if the APR services\nare restarted after the firmware crash. However currently Q6afe-clocks\ndriver will oops because hw.init will get cleared during first _probe\ncall. Rewrite the driver to fill the clock data at runtime rather than\nusing big static array of clocks.(CVE-2021-47037)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\napparmor: avoid crash when parsed profile name is empty\r\n\r\nWhen processing a packed profile in unpack_profile() described like\r\n\r\n \"profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}\"\r\n\r\na string \":samba-dcerpcd\" is unpacked as a fully-qualified name and then\npassed to aa_splitn_fqname().\r\n\r\naa_splitn_fqname() treats \":samba-dcerpcd\" as only containing a namespace.\nThus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later\naa_alloc_profile() crashes as the new profile name is NULL now.\r\n\r\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\nRIP: 0010:strlen+0x1e/0xa0\nCall Trace:\n <TASK>\n ? strlen+0x1e/0xa0\n aa_policy_init+0x1bb/0x230\n aa_alloc_profile+0xb1/0x480\n unpack_profile+0x3bc/0x4960\n aa_unpack+0x309/0x15e0\n aa_replace_profiles+0x213/0x33c0\n policy_update+0x261/0x370\n profile_replace+0x20e/0x2a0\n vfs_write+0x2af/0xe00\n ksys_write+0x126/0x250\n do_syscall_64+0x46/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n </TASK>\n---[ end trace 0000000000000000 ]---\nRIP: 0010:strlen+0x1e/0xa0\r\n\r\nIt seems such behaviour of aa_splitn_fqname() is expected and checked in\nother places where it is called (e.g. aa_remove_profiles). Well, there\nis an explicit comment \"a ns name without a following profile is allowed\"\ninside.\r\n\r\nAFAICS, nothing can prevent unpacked \"name\" to be in form like\n\":samba-dcerpcd\" - it is passed from userspace.\r\n\r\nDeny the whole profile set replacement in such case and inform user with\nEPROTO and an explaining message.\r\n\r\nFound by Linux Verification Center (linuxtesting.org).(CVE-2023-52443)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length\r\n\r\nIf the host sends an H2CData command with an invalid DATAL,\nthe kernel may crash in nvmet_tcp_build_pdu_iovec().\r\n\r\nUnable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000000\nlr : nvmet_tcp_io_work+0x6ac/0x718 [nvmet_tcp]\nCall trace:\n  process_one_work+0x174/0x3c8\n  worker_thread+0x2d0/0x3e8\n  kthread+0x104/0x110\r\n\r\nFix the bug by raising a fatal error if DATAL isn't coherent\nwith the packet size.\nAlso, the PDU length should never exceed the MAXH2CDATA parameter which\nhas been communicated to the host in nvmet_tcp_handle_icreq().(CVE-2023-52454)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nserial: imx: fix tx statemachine deadlock\r\n\r\nWhen using the serial port as RS485 port, the tx statemachine is used to\ncontrol the RTS pin to drive the RS485 transceiver TX_EN pin. When the\nTTY port is closed in the middle of a transmission (for instance during\nuserland application crash), imx_uart_shutdown disables the interface\nand disables the Transmission Complete interrupt. afer that,\nimx_uart_stop_tx bails on an incomplete transmission, to be retriggered\nby the TC interrupt. This interrupt is disabled and therefore the tx\nstatemachine never transitions out of SEND. The statemachine is in\ndeadlock now, and the TX_EN remains low, making the interface useless.\r\n\r\nimx_uart_stop_tx now checks for incomplete transmission AND whether TC\ninterrupts are enabled before bailing to be retriggered. This makes sure\nthe state machine handling is reached, and is properly set to\nWAIT_AFTER_SEND.(CVE-2023-52456)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nserial: 8250: omap: Don't skip resource freeing if pm_runtime_resume_and_get() failed\r\n\r\nReturning an error code from .remove() makes the driver core emit the\nlittle helpful error message:\r\n\r\n\tremove callback returned a non-zero value. This will be ignored.\r\n\r\nand then remove the device anyhow. So all resources that were not freed\nare leaked in this case. Skipping serial8250_unregister_port() has the\npotential to keep enough of the UART around to trigger a use-after-free.\r\n\r\nSo replace the error return (and with it the little helpful error\nmessage) by a more useful error message and continue to cleanup.(CVE-2023-52457)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: fix check for attempt to corrupt spilled pointer\r\n\r\nWhen register is spilled onto a stack as a 1/2/4-byte register, we set\nslot_type[BPF_REG_SIZE - 1] (plus potentially few more below it,\ndepending on actual spill size). So to check if some stack slot has\nspilled register we need to consult slot_type[7], not slot_type[0].\r\n\r\nTo avoid the need to remember and double-check this in the future, just\nuse is_spilled_reg() helper.(CVE-2023-52462)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmfd: syscon: Fix null pointer dereference in of_syscon_register()\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.(CVE-2023-52467)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrivers/amd/pm: fix a use-after-free in kv_parse_power_table\r\n\r\nWhen ps allocated by kzalloc equals to NULL, kv_parse_power_table\nfrees adev->pm.dpm.ps that allocated before. However, after the control\nflow goes through the following call chains:\r\n\r\nkv_parse_power_table\n  |-> kv_dpm_init\n        |-> kv_dpm_sw_init\n\t      |-> kv_dpm_fini\r\n\r\nThe adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its\nfirst free in kv_parse_power_table and causes a use-after-free bug.(CVE-2023-52469)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nperf/x86/lbr: Filter vsyscall addresses\r\n\r\nWe found that a panic can occur when a vsyscall is made while LBR sampling\nis active. If the vsyscall is interrupted (NMI) for perf sampling, this\ncall sequence can occur (most recent at top):\r\n\r\n    __insn_get_emulate_prefix()\n    insn_get_emulate_prefix()\n    insn_get_prefixes()\n    insn_get_opcode()\n    decode_branch_type()\n    get_branch_type()\n    intel_pmu_lbr_filter()\n    intel_pmu_handle_irq()\n    perf_event_nmi_handler()\r\n\r\nWithin __insn_get_emulate_prefix() at frame 0, a macro is called:\r\n\r\n    peek_nbyte_next(insn_byte_t, insn, i)\r\n\r\nWithin this macro, this dereference occurs:\r\n\r\n    (insn)->next_byte\r\n\r\nInspecting registers at this point, the value of the next_byte field is the\naddress of the vsyscall made, for example the location of the vsyscall\nversion of gettimeofday() at 0xffffffffff600000. The access to an address\nin the vsyscall region will trigger an oops due to an unhandled page fault.\r\n\r\nTo fix the bug, filtering for vsyscalls can be done when\ndetermining the branch type. This patch will return\na \"none\" branch if a kernel address if found to lie in the\nvsyscall region.(CVE-2023-52476)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: fix uaf in smb20_oplock_break_ack\r\n\r\ndrop reference after use opinfo.(CVE-2023-52479)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\niommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range\r\n\r\nWhen running an SVA case, the following soft lockup is triggered:\n--------------------------------------------------------------------\nwatchdog: BUG: soft lockup - CPU#244 stuck for 26s!\npstate: 83400009 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\npc : arm_smmu_cmdq_issue_cmdlist+0x178/0xa50\nlr : arm_smmu_cmdq_issue_cmdlist+0x150/0xa50\nsp : ffff8000d83ef290\nx29: ffff8000d83ef290 x28: 000000003b9aca00 x27: 0000000000000000\nx26: ffff8000d83ef3c0 x25: da86c0812194a0e8 x24: 0000000000000000\nx23: 0000000000000040 x22: ffff8000d83ef340 x21: ffff0000c63980c0\nx20: 0000000000000001 x19: ffff0000c6398080 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: ffff3000b4a3bbb0\nx14: ffff3000b4a30888 x13: ffff3000b4a3cf60 x12: 0000000000000000\nx11: 0000000000000000 x10: 0000000000000000 x9 : ffffc08120e4d6bc\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000048cfa\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : 000000000000000a\nx2 : 0000000080000000 x1 : 0000000000000000 x0 : 0000000000000001\nCall trace:\n arm_smmu_cmdq_issue_cmdlist+0x178/0xa50\n __arm_smmu_tlb_inv_range+0x118/0x254\n arm_smmu_tlb_inv_range_asid+0x6c/0x130\n arm_smmu_mm_invalidate_range+0xa0/0xa4\n __mmu_notifier_invalidate_range_end+0x88/0x120\n unmap_vmas+0x194/0x1e0\n unmap_region+0xb4/0x144\n do_mas_align_munmap+0x290/0x490\n do_mas_munmap+0xbc/0x124\n __vm_munmap+0xa8/0x19c\n __arm64_sys_munmap+0x28/0x50\n invoke_syscall+0x78/0x11c\n el0_svc_common.constprop.0+0x58/0x1c0\n do_el0_svc+0x34/0x60\n el0_svc+0x2c/0xd4\n el0t_64_sync_handler+0x114/0x140\n el0t_64_sync+0x1a4/0x1a8\n--------------------------------------------------------------------\r\n\r\nNote that since 6.6-rc1 the arm_smmu_mm_invalidate_range above is renamed\nto \"arm_smmu_mm_arch_invalidate_secondary_tlbs\", yet the problem remains.\r\n\r\nThe commit 06ff87bae8d3 (\"arm64: mm: remove unused functions and variable\nprotoypes\") fixed a similar lockup on the CPU MMU side. Yet, it can occur\nto SMMU too, since arm_smmu_mm_arch_invalidate_secondary_tlbs() is called\ntypically next to MMU tlb flush function, e.g.\n\ttlb_flush_mmu_tlbonly {\n\t\ttlb_flush {\n\t\t\t__flush_tlb_range {\n\t\t\t\t// check MAX_TLBI_OPS\n\t\t\t}\n\t\t}\n\t\tmmu_notifier_arch_invalidate_secondary_tlbs {\n\t\t\tarm_smmu_mm_arch_invalidate_secondary_tlbs {\n\t\t\t\t// does not check MAX_TLBI_OPS\n\t\t\t}\n\t\t}\n\t}\r\n\r\nClone a CMDQ_MAX_TLBI_OPS from the MAX_TLBI_OPS in tlbflush.h, since in an\nSVA case SMMU uses the CPU page table, so it makes sense to align with the\ntlbflush code. Then, replace per-page TLBI commands with a single per-asid\nTLBI command, if the request size hits this threshold.(CVE-2023-52484)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntls: fix race between tx work scheduling and socket close\r\n\r\nSimilarly to previous commit, the submitting thread (recvmsg/sendmsg)\nmay exit as soon as the async crypto handler calls complete().\nReorder scheduling the work before calling complete().\nThis seems more logical in the first place, as it's\nthe inverse order of what the submitting thread will do.(CVE-2024-26585)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Reject variable offset alu on PTR_TO_FLOW_KEYS\r\n\r\nFor PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off\nfor validation. However, variable offset ptr alu is not prohibited\nfor this ptr kind. So the variable offset is not checked.\r\n\r\nThe following prog is accepted:\r\n\r\n  func#0 @0\n  0: R1=ctx() R10=fp0\n  0: (bf) r6 = r1                       ; R1=ctx() R6_w=ctx()\n  1: (79) r7 = *(u64 *)(r6 +144)        ; R6_w=ctx() R7_w=flow_keys()\n  2: (b7) r8 = 1024                     ; R8_w=1024\n  3: (37) r8 /= 1                       ; R8_w=scalar()\n  4: (57) r8 &= 1024                    ; R8_w=scalar(smin=smin32=0,\n  smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400))\n  5: (0f) r7 += r8\n  mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1\n  mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024\n  mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1\n  mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024\n  6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off\n  =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024,\n  var_off=(0x0; 0x400))\n  6: (79) r0 = *(u64 *)(r7 +0)          ; R0_w=scalar()\n  7: (95) exit\r\n\r\nThis prog loads flow_keys to r7, and adds the variable offset r8\nto r7, and finally causes out-of-bounds access:\r\n\r\n  BUG: unable to handle page fault for address: ffffc90014c80038\n  [...]\n  Call Trace:\n   <TASK>\n   bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]\n   __bpf_prog_run include/linux/filter.h:651 [inline]\n   bpf_prog_run include/linux/filter.h:658 [inline]\n   bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline]\n   bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991\n   bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359\n   bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]\n   __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475\n   __do_sys_bpf kernel/bpf/syscall.c:5561 [inline]\n   __se_sys_bpf kernel/bpf/syscall.c:5559 [inline]\n   __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nFix this by rejecting ptr alu with variable offset on flow_keys.\nApplying the patch rejects the program with \"R7 pointer arithmetic\non flow_keys prohibited\".(CVE-2024-26589)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni2c: i801: Fix block process call transactions\r\n\r\nAccording to the Intel datasheets, software must reset the block\nbuffer index twice for block process call transactions: once before\nwriting the outgoing data to the buffer, and once again before\nreading the incoming data from the buffer.\r\n\r\nThe driver is currently missing the second reset, causing the wrong\nportion of the block buffer to be read.(CVE-2024-26593)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: qualcomm: rmnet: fix global oob in rmnet_policy\r\n\r\nThe variable rmnet_link_ops assign a *bigger* maxtype which leads to a\nglobal out-of-bounds read when parsing the netlink attributes. See bug\ntrace below:\r\n\r\n==================================================================\nBUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline]\nBUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\nRead of size 1 at addr ffffffff92c438d0 by task syz-executor.6/84207\r\n\r\nCPU: 0 PID: 84207 Comm: syz-executor.6 Tainted: G                 N 6.1.0 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x172/0x475 mm/kasan/report.c:395\n kasan_report+0xbb/0x1c0 mm/kasan/report.c:495\n validate_nla lib/nlattr.c:386 [inline]\n __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\n __nla_parse+0x3e/0x50 lib/nlattr.c:697\n nla_parse_nested_deprecated include/net/netlink.h:1248 [inline]\n __rtnl_newlink+0x50a/0x1880 net/core/rtnetlink.c:3485\n rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3594\n rtnetlink_rcv_msg+0x43c/0xd70 net/core/rtnetlink.c:6091\n netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg+0x154/0x190 net/socket.c:734\n ____sys_sendmsg+0x6df/0x840 net/socket.c:2482\n ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536\n __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fdcf2072359\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fdcf13e3168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007fdcf219ff80 RCX: 00007fdcf2072359\nRDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003\nRBP: 00007fdcf20bd493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fffbb8d7bdf R14: 00007fdcf13e3300 R15: 0000000000022000\n </TASK>\r\n\r\nThe buggy address belongs to the variable:\n rmnet_policy+0x30/0xe0\r\n\r\nThe buggy address belongs to the physical page:\npage:0000000065bdeb3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x155243\nflags: 0x200000000001000(reserved|node=0|zone=2)\nraw: 0200000000001000 ffffea00055490c8 ffffea00055490c8 0000000000000000\nraw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\r\n\r\nMemory state around the buggy address:\n ffffffff92c43780: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 07\n ffffffff92c43800: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 06 f9 f9 f9\n>ffffffff92c43880: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9\n                                                 ^\n ffffffff92c43900: 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9\n ffffffff92c43980: 00 00 00 07 f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9\r\n\r\nAccording to the comment of `nla_parse_nested_deprecated`, the maxtype\nshould be len(destination array) - 1. Hence use `IFLA_RMNET_MAX` here.(CVE-2024-26597)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nphy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP\r\n\r\nIf the external phy working together with phy-omap-usb2 does not implement\nsend_srp(), we may still attempt to call it. This can happen on an idle\nEthernet gadget triggering a wakeup for example:\r\n\r\nconfigfs-gadget.g1 gadget.0: ECM Suspend\nconfigfs-gadget.g1 gadget.0: Port suspended. Triggering wakeup\n...\nUnable to handle kernel NULL pointer dereference at virtual address\n00000000 when execute\n...\nPC is at 0x0\nLR is at musb_gadget_wakeup+0x1d4/0x254 [musb_hdrc]\n...\nmusb_gadget_wakeup [musb_hdrc] from usb_gadget_wakeup+0x1c/0x3c [udc_core]\nusb_gadget_wakeup [udc_core] from eth_start_xmit+0x3b0/0x3d4 [u_ether]\neth_start_xmit [u_ether] from dev_hard_start_xmit+0x94/0x24c\ndev_hard_start_xmit from sch_direct_xmit+0x104/0x2e4\nsch_direct_xmit from __dev_queue_xmit+0x334/0xd88\n__dev_queue_xmit from arp_solicit+0xf0/0x268\narp_solicit from neigh_probe+0x54/0x7c\nneigh_probe from __neigh_event_send+0x22c/0x47c\n__neigh_event_send from neigh_resolve_output+0x14c/0x1c0\nneigh_resolve_output from ip_finish_output2+0x1c8/0x628\nip_finish_output2 from ip_send_skb+0x40/0xd8\nip_send_skb from udp_send_skb+0x124/0x340\nudp_send_skb from udp_sendmsg+0x780/0x984\nudp_sendmsg from __sys_sendto+0xd8/0x158\n__sys_sendto from ret_fast_syscall+0x0/0x58\r\n\r\nLet's fix the issue by checking for send_srp() and set_vbus() before\ncalling them. For USB peripheral only cases these both could be NULL.(CVE-2024-26600)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nx86/fpu: Stop relying on userspace for info to fault in xsave buffer\r\n\r\nBefore this change, the expected size of the user space buffer was\ntaken from fx_sw->xstate_size. fx_sw->xstate_size can be changed\nfrom user-space, so it is possible construct a sigreturn frame where:\r\n\r\n * fx_sw->xstate_size is smaller than the size required by valid bits in\n   fx_sw->xfeatures.\n * user-space unmaps parts of the sigrame fpu buffer so that not all of\n   the buffer required by xrstor is accessible.\r\n\r\nIn this case, xrstor tries to restore and accesses the unmapped area\nwhich results in a fault. But fault_in_readable succeeds because buf +\nfx_sw->xstate_size is within the still mapped area, so it goes back and\ntries xrstor again. It will spin in this loop forever.\r\n\r\nInstead, fault in the maximum size which can be touched by XRSTOR (taken\nfrom fpstate->user_size).\r\n\r\n[ dhansen: tweak subject / changelog ](CVE-2024-26603)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbinder: signal epoll threads of self-work\r\n\r\nIn (e)poll mode, threads often depend on I/O events to determine when\ndata is ready for consumption. Within binder, a thread may initiate a\ncommand via BINDER_WRITE_READ without a read buffer and then make use\nof epoll_wait() or similar to consume any responses afterwards.\r\n\r\nIt is then crucial that epoll threads are signaled via wakeup when they\nqueue their own work. Otherwise, they risk waiting indefinitely for an\nevent leaving their work unhandled. What is worse, subsequent commands\nwon't trigger a wakeup either as the thread has pending work.(CVE-2024-26606)",
+    "cves": [
+      {
+        "id": "CVE-2024-26606",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26606",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1229": {
+    "id": "openEuler-SA-2023-1229",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1229",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA race problem was found in fs/proc/task_mmu.c in the memory management sub-component in the Linux kernel. This issue may allow a local attacker with user privilege to cause a denial of service.(CVE-2023-1582)\r\n\r\nA use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel.This flaw allows an attacker to crash the system and possibly cause a kernel information lea(CVE-2023-1611)\r\n\r\nA flaw was found in the Linux kernel's implementation of RDMA over infiniband. An attacker with a privileged local account can leak kernel stack information when issuing commands to the /dev/infiniband/rdma_cm device node. While this access is unlikely to leak sensitive user information, it can be further used to defeat existing kernel protection mechanisms.(CVE-2021-3923)\r\n\r\nA flaw that boot CPU could be vulnerable for the speculative execution behavior kind of attacks in the Linux kernel X86 CPU Power management options functionality was found in the way user resuming CPU from suspend-to-RAM. A local user could use this flaw to potentially get unauthorized access to some memory of the CPU similar to the speculative execution behavior kind of attacks.(CVE-2023-1637)\r\n\r\nA flaw use after free in the Linux kernel Xircom 16-bit PCMCIA (PC-card) Ethernet driver was found.A local user could use this flaw to crash the system or potentially escalate their privileges on the system.(CVE-2023-1670)\r\n\r\nA use-after-free flaw was found in vhost_net_set_backend in drivers/vhost/net.c in virtio network subcomponent in the Linux kernel due to a double fget. This flaw could allow a local attacker to crash the system, and could even lead to a kernel information leak problem.(CVE-2023-1838)\r\n\r\nA use-after-free flaw was found in xgene_hwmon_remove in drivers/hwmon/xgene-hwmon.c in the Hardware Monitoring Linux Kernel Driver (xgene-hwmon). This flaw could allow a local attacker to crash the system due to a race problem. This vulnerability could even lead to a kernel information leak problem.(CVE-2023-1855)\r\n\r\nA use-after-free flaw was found in xen_9pfs_front_removet in net/9p/trans_xen.c in Xen transport for 9pfs in the Linux Kernel. This flaw could allow a local attacker to crash the system due to a race problem, possibly leading to a kernel information leak.(CVE-2023-1859)",
+    "cves": [
+      {
+        "id": "CVE-2023-1859",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1859",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1071": {
+    "id": "openEuler-SA-2021-1071",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1071",
+    "title": "An update for python-sqlalchemy is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "SQLAlchemy is an Object Relational Mapper (ORM) that provides a flexible, high-level interface to SQL databases. It contains a powerful mapping layer that users can choose to work as automatically or as manually, determining relationships based on foreign keys or to bridge the gap between database and domain by letting you define the join conditions explicitly.\n\r\nSecurity Fix(es):\n\r\nSQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.(CVE-2019-7164)",
+    "cves": [
+      {
+        "id": "CVE-2019-7164",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7164",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1369": {
+    "id": "openEuler-SA-2021-1369",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1369",
+    "title": "An update for httpd is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\r\n\r\nSecurity Fix(es):\r\n\r\nA carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive).(CVE-2021-36160)\r\n\r\nMalformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.(CVE-2021-34798)\r\n\r\nA crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.(CVE-2021-40438)",
+    "cves": [
+      {
+        "id": "CVE-2021-40438",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40438",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1395": {
+    "id": "openEuler-SA-2021-1395",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1395",
+    "title": "An update for transfig is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The transfig utility creates a makefile which translates FIG (created by xfig) or PIC figures into a specified LaTeX graphics language (for example, PostScript(TM)).  Transfig is used to create TeX documents which are portable (i.e., they can be printed in a wide variety of environments).\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in fig2dev before 3.2.8.. A NULL pointer dereference exists in the function compute_closed_spline() located in trans_spline.c. It allows an attacker to cause Denial of Service. The fixed version of fig2dev is 3.2.8.(CVE-2021-32280)",
+    "cves": [
+      {
+        "id": "CVE-2021-32280",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32280",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1135": {
+    "id": "openEuler-SA-2024-1135",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1135",
+    "title": "An update for nodejs is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "Node.js is an open-source, cross-platform, JavaScript runtime environment, it executes JavaScript code outside of a browser.\r\n\r\nSecurity Fix(es):\r\n\r\nA security vulnerability has been identified in all supported versions\r\n\r\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints.  Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\r\n\r\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0464)\r\n\r\nApplications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\r\n\r\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\r\n\r\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0465)",
+    "cves": [
+      {
+        "id": "CVE-2023-0465",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0465",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1796": {
+    "id": "openEuler-SA-2023-1796",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1796",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Low",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nVim is an improved version of the good old UNIX editor Vi. Heap-use-after-free in memory allocated in the function `ga_grow_inner` in in the file `src/alloc.c` at line 748, which is freed in the file `src/ex_docmd.c` in the function `do_cmdline` at line 1010 and then used again in `src/cmdhist.c` at line 759. When using the `:history` command, it's possible that the provided argument overflows the accepted value. Causing an Integer Overflow and potentially later an use-after-free. This vulnerability has been patched in version 9.0.2068.\n(CVE-2023-46246)",
+    "cves": [
+      {
+        "id": "CVE-2023-46246",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46246",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2032": {
+    "id": "openEuler-SA-2022-2032",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2032",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function inet6_stream_ops/inet6_dgram_ops of the component IPv6 Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. VDB-211090 is the identifier assigned to this vulnerability.(CVE-2022-3567)\r\n\r\nA vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_new_inode of the file fs/nilfs2/inode.c of the component BPF. The manipulation leads to use after free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211992.(CVE-2022-3649)\n\nA flaw was found in the Linux kernel’s networking code. A use-after-free was found in the way the sch_sfb enqueue function used the socket buffer (SKB) cb field after the same SKB had been enqueued (and freed) into a child qdisc. This flaw allows a local, unprivileged user to crash the system, causing a denial of service.(CVE-2022-3586)",
+    "cves": [
+      {
+        "id": "CVE-2022-3586",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3586",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1892": {
+    "id": "openEuler-SA-2023-1892",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1892",
+    "title": "An update for gimp is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "GIMP is a cross-platform image editor available for GNU/Linux, OS X, Windows and more operating systems. It is free software, you can change its source code and distribute your changes. Whether you are a graphic designer, photographer, illustrator, or scientist, GIMP provides you with sophisticated tools to get your job done. You can further enhance your productivity with GIMP thanks to many customization options and 3rd party plugins.\r\n\r\nSecurity Fix(es):\r\n\r\nA parsing vulnerability was found in the GNU Image Manipulation Program (GIMP). This flaw allows an unauthenticated, remote attacker to trick a GIMP user into opening a malicious PSD file, possibly enabling the execution of unauthorized code within the GIMP process.(CVE-2023-44442)\r\n\r\nA parsing vulnerability was found in the GNU Image Manipulation Program (GIMP). This flaw allows an unauthenticated, remote attacker to trick a GIMP user into opening a malicious PSP file, possibly enabling the execution of unauthorized code within the GIMP process.(CVE-2023-44444)",
+    "cves": [
+      {
+        "id": "CVE-2023-44444",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44444",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1691": {
+    "id": "openEuler-SA-2023-1691",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1691",
+    "title": "An update for exempi is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Exempi is an implementation of XMP. Version 2.x is based on Adobe XMP SDK and released under a BSD-style license like Adobe's.\r\n\r\nSecurity Fix(es):\r\n\r\nXMP Toolkit version 2020.1 (and earlier) is affected by a null pointer dereference vulnerability that could result in leaking data from certain memory locations and causing a local denial of service in the context of the current user. User interaction is required to exploit this vulnerability in that the victim will need to open a specially crafted MXF file.(CVE-2021-40732)",
+    "cves": [
+      {
+        "id": "CVE-2021-40732",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40732",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1137": {
+    "id": "openEuler-SA-2021-1137",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1137",
+    "title": "An update for hibernate4 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Hibernate is a powerful, ultra-high performance object/relational persistence and query service for Java. Hibernate lets you develop persistent objects following common Java idiom - including association, inheritance, polymorphism, composition and the Java collections framework. Extremely fine-grained, richly typed object models are possible. The Hibernate Query Language, designed as a \"minimal\" object-oriented extension to SQL, provides an elegant bridge between the object and relational worlds. Hibernate is now the most popular ORM solution for Java.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.(CVE-2019-14900)",
+    "cves": [
+      {
+        "id": "CVE-2019-14900",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14900",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1059": {
+    "id": "openEuler-SA-2021-1059",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1059",
+    "title": "An update for nss is now available for openEuler-20.03-LTS",
+    "severity": "Critical",
+    "description": "Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow.(CVE-2019-17006)\r\n\r\nIn Network Security Services before 3.44, a malformed Netscape Certificate Sequence can cause NSS to crash, resulting in a denial of service.(CVE-2019-17007)\n\nA use-after-free flaw was found in Mozilla Network Security Services (NSS) related to PK11 session handling. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled with NSS.(CVE-2019-11756)\n\nThe file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress..(CVE-2020-12402)",
+    "cves": [
+      {
+        "id": "CVE-2019-12402",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12402",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1606": {
+    "id": "openEuler-SA-2022-1606",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1606",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Go Programming Language.\r\n\r\nSecurity Fix(es):\r\n\r\ncmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.(CVE-2022-23773)",
+    "cves": [
+      {
+        "id": "CVE-2022-23773",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23773",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1758": {
+    "id": "openEuler-SA-2022-1758",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1758",
+    "title": "An update for mod_fcgid is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Mod_fcgid is an Apache module providing a FastCGI interface. It's an alternative to mod_fastcgi that is specifically tuned for the dynamic FastCGI configuration used on DreamHost servers.\r\n\r\nSecurity Fix(es):\r\n\r\nA security Bypass vulnerability exists in the FcgidPassHeader Proxy in mod_fcgid through 2016-07-07.(CVE-2016-1000104)",
+    "cves": [
+      {
+        "id": "CVE-2016-1000104",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000104",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1175": {
+    "id": "openEuler-SA-2024-1175",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1175",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nTransmit requests in Xen's virtual network protocol can consist of\nmultiple parts.  While not really useful, except for the initial part\nany of them may be of zero length, i.e. carry no data at all.  Besides a\ncertain initial portion of the to be transferred data, these parts are\ndirectly translated into what Linux calls SKB fragments.  Such converted\nrequest parts can, when for a particular SKB they are all of length\nzero, lead to a de-reference of NULL in core networking code.\n(CVE-2023-46838)\r\n\r\nA flaw in the routing table size was found in the ICMPv6 handling of \"Packet Too Big\". The size of the routing table is regulated by periodic garbage collection. However, with \"Packet Too Big Messages\" it is possible to exceed the routing table size and garbage collector threshold. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%.(CVE-2023-52340)\r\n\r\nA denial of service vulnerability due to a deadlock was found in sctp_auto_asconf_init in net/sctp/socket.c in the Linux kernel’s SCTP subsystem. This flaw allows guests with local user privileges to trigger a deadlock and potentially crash the system.(CVE-2024-0639)\r\n\r\nA null pointer dereference flaw was found in the hugetlbfs_fill_super function in the Linux kernel hugetlbfs (HugeTLB pages) functionality. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.(CVE-2024-0841)\r\n\r\nA use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\r\n\r\nThe nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT.\r\n\r\nWe recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.\r\n\r\n(CVE-2024-1086)\r\n\r\nIn rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel through 6.7.1, there is an off-by-one error for an RDS_MSG_RX_DGRAM_TRACE_MAX comparison, resulting in out-of-bounds access.(CVE-2024-23849)",
+    "cves": [
+      {
+        "id": "CVE-2024-23849",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23849",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1848": {
+    "id": "openEuler-SA-2022-1848",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1848",
+    "title": "An update for cfitsio is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nIn the ffghtb function in NASA CFITSIO 3.42, specially crafted images parsed via the library can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can deliver an FIT image to trigger this vulnerability and potentially gain code execution.(CVE-2018-3849)\r\n\r\nIn the ffghbn function in NASA CFITSIO 3.42, specially crafted images parsed via the library can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can deliver an FIT image to trigger this vulnerability and potentially gain code execution.(CVE-2018-3848)",
+    "cves": [
+      {
+        "id": "CVE-2018-3848",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3848",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1834": {
+    "id": "openEuler-SA-2023-1834",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1834",
+    "title": "An update for mysql is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "The MySQL(TM) software delivers a very fast, multi-threaded, multi-user, and robust SQL (Structured Query Language) database server. MySQL Server is intended for mission-critical, heavy-load production systems as well as for embedding into mass-deployed software. MySQL is a trademark of Oracle and/or its affiliates\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2022-21509)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Options). Supported versions that are affected are 5.7.38 and prior and 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21515)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21517)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.29 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21522)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21525)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21526)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2022-21527)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2022-21528)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21529)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21530)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21531)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21534)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21537)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 8.0.29 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21538)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.29 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L).(CVE-2022-21539)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Federated). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21547)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21553)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21569)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 5.7.39 and prior and 8.0.29 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).(CVE-2022-21592)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21594)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21599)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21604)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.39 and prior and 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21608)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.30 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.1 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21611)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Connection Handling). Supported versions that are affected are 5.7.39 and prior and 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21617)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.30 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21625)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21632)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21633)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H).(CVE-2022-21635)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21637)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21638)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21640)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21641)\r\n\r\nWhen doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.(CVE-2022-32221)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-39400)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-39408)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-39410)\r\n\r\nA vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.(CVE-2022-43551)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21836)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21863)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21864)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21865)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21867)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21868)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2023-21869)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21870)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21871)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2023-21872)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21873)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling).  Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-21874)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption).  Supported versions that are affected are 8.0.31 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.9 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H).(CVE-2023-21875)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21876)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2023-21877)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21878)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21879)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2023-21880)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21881)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21882)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21883)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: GIS).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21887)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21911)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges).  Supported versions that are affected are 5.7.41 and prior and  8.0.30 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 7.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21912)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21913)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21917)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21919)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21920)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2023-21929)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21933)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21935)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services).  Supported versions that are affected are 8.0.32 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21940)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21945)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21946)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services).  Supported versions that are affected are 8.0.32 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21947)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Partition).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21953)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Partition).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21955)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21962)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Connection Handling).  Supported versions that are affected are 5.7.40 and prior and  8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-21963)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: JSON).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21966)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21972)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21976)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21977)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Client programs).  Supported versions that are affected are 5.7.41 and prior and  8.0.32 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.1 Base Score 7.1 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).(CVE-2023-21980)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21982)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication).  Supported versions that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22005)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication).  Supported versions that are affected are 5.7.41 and prior and  8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22007)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22008)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 5.7.42 and prior and  8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22015)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 5.7.42 and prior and  8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22026)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 5.7.43 and prior and  8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22028)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22032)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22033)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-22038)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22046)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Pluggable Auth).  Supported versions that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 3.1 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N).(CVE-2023-22048)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Client programs).  Supported versions that are affected are 5.7.42 and prior and  8.0.33 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server and  unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H).(CVE-2023-22053)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22054)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22056)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22057)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22058)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22059)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22064)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22065)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22066)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22068)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22070)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22078)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22079)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 5.7.43 and prior, 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22084)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22092)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22097)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22103)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22104)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22110)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: UDF).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22111)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22112)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).(CVE-2023-22113)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22114)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22115)",
+    "cves": [
+      {
+        "id": "CVE-2023-22115",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22115",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1856": {
+    "id": "openEuler-SA-2022-1856",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1856",
+    "title": "An update for trafficserver is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Apache Traffic Server is an OpenSource HTTP / HTTPS / HTTP/2 / QUIC reverse, forward and transparent proxy and cache.\r\n\r\nSecurity Fix(es):\r\n\r\nImproper Input Validation vulnerability in HTTP/2 header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.(CVE-2022-31779)",
+    "cves": [
+      {
+        "id": "CVE-2022-31779",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31779",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2122": {
+    "id": "openEuler-SA-2022-2122",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2122",
+    "title": "An update for edk2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications. \r\n\r\nSecurity Fix(es):\r\n\r\nExisting CommBuffer checks in SmmEntryPoint will not catch underflow when computing BufferSize.(CVE-2021-38578)",
+    "cves": [
+      {
+        "id": "CVE-2021-38578",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38578",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1443": {
+    "id": "openEuler-SA-2023-1443",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1443",
+    "title": "An update for curl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nlibcurl can be told to save cookie, HSTS and/or alt-svc data to files. When\ndoing this, it called `stat()` followed by `fopen()` in a way that made it\nvulnerable to a TOCTOU race condition problem.\r\n\r\nBy exploiting this flaw, an attacker could trick the victim to create or\noverwrite protected files holding this data in ways it was not intended to.\n(CVE-2023-32001)",
+    "cves": [
+      {
+        "id": "CVE-2023-32001",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32001",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1111": {
+    "id": "openEuler-SA-2021-1111",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1111",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel 2.6.39 through 5.10.16, as used in Xen. Block, net, and SCSI backends consider certain errors a plain bug, deliberately causing a kernel crash. For errors potentially being at least under the influence of guests (such as out of memory conditions), it isn't correct to assume a plain bug. Memory allocations potentially causing such crashes occur only when Linux is running in PV mode, though. This affects drivers/block/xen-blkback/blkback.c and drivers/xen/xen-scsiback.c.(CVE-2021-26931)\r\n\r\nAn issue was discovered in the Linux kernel 3.11 through 5.10.16, as used by Xen. To service requests to the PV backend, the driver maps grant references provided by the frontend. In this process, errors may be encountered. In one case, an error encountered earlier might be discarded by later processing, resulting in the caller assuming successful mapping, and hence subsequent operations trying to access space that wasn't mapped. In another case, internal state would be insufficiently updated, preventing safe recovery from the error. This affects drivers/block/xen-blkback/blkback.c.(CVE-2021-26930)\r\n\r\nAn issue was discovered in the Linux kernel 3.2 through 5.10.16, as used by Xen. Grant mapping operations often occur in batch hypercalls, where a number of operations are done in a single hypercall, the success or failure of each one is reported to the backend driver, and the backend driver then loops over the results, performing follow-up actions based on the success or failure of each operation. Unfortunately, when running in PV mode, the Linux backend drivers mishandle this: Some errors are ignored, effectively implying their success from the success of related batch elements. In other cases, errors resulting from one batch element lead to further batch elements not being inspected, and hence successful ones to not be possible to properly unmap upon error recovery. Only systems with Linux backends running in PV mode are vulnerable. Linux backends run in HVM / PVH modes are not vulnerable. This affects arch/*/xen/p2m.c and drivers/xen/gntdev.c.(CVE-2021-26932)\r\n\r\nAn issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931.(CVE-2021-28038)\r\n\r\nAn issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables.(CVE-2021-27363)\r\n\r\nAn issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.(CVE-2021-27364)\r\n\r\nAn issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message.(CVE-2021-27365)",
+    "cves": [
+      {
+        "id": "CVE-2021-27365",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27365",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1039": {
+    "id": "openEuler-SA-2023-1039",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1039",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free flaw was found in the Linux kernel?s SGI GRU driver in the way the first gru_file_unlocked_ioctl function is called by the user, where a fail pass occurs in the gru_check_chiplet_assignment function. This flaw allows a local user to crash or potentially escalate their privileges on the system.(CVE-2022-3424)\r\n\r\nA flaw incorrect access control in the Linux kernel USB core subsystem was found in the way user attaches usb device. A local user could use this flaw to crash the system.(CVE-2022-4662)\r\n\r\nAn issue was discovered in the Linux kernel 5.10.x before 5.10.155. A use-after-free in io_sqpoll_wait_sq in fs/io_uring.c allows an attacker to crash the kernel, resulting in denial of service. finish_wait can be skipped. An attack can occur in some situations by forking a process and then quickly terminating it. NOTE: later kernel versions, such as the 5.15 longterm series, substantially changed the implementation of io_sqpoll_wait_sq.(CVE-2022-47946)\n\nA flaw NULL Pointer Dereference in the Linux kernel NTFS3 driver function attr_punch_hole() was found. A local user could use this flaw to crash the system.(CVE-2022-4842)",
+    "cves": [
+      {
+        "id": "CVE-2022-4842",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4842",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1433": {
+    "id": "openEuler-SA-2024-1433",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1433",
+    "title": "An update for ruby is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Ruby is a fast and easy interpreted scripting language for object-oriented programming. It has many functions for processing text Files and perform system management tasks (such as Perl).\r\n\r\nSecurity Fix(es):\r\n\r\nA buffer overread flaw was found in rubygem StringIO. The ungetbyte and ungetc methods on a StringIO object can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value.(CVE-2024-27280)\r\n\r\nA flaw was found in Rubygem RDoc. When parsing .rdoc_options used for configuration in RDoc as a YAML file there are no restrictions on the classes that can be restored. This issue may lead to object injection, resulting in remote code execution.(CVE-2024-27281)",
+    "cves": [
+      {
+        "id": "CVE-2024-27281",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27281",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1095": {
+    "id": "openEuler-SA-2021-1095",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1095",
+    "title": "An update for grub2 is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "GNU GRUB is a Multiboot boot loader. It was derived from GRUB, the GRand Unified Bootloader, which was originally designed and implemented by Erich Stefan Boleyn. Briefly, a boot loader is the first software program that runs when a computer starts. It is responsible for loading and transferring control to the operating system kernel software (such as the Hurd or Linux). The kernel, in turn, initializes the rest of the operating system (e.g. GNU).\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in grub2 in versions prior to 2.06. The rmmod implementation allows the unloading of a module used as a dependency without checking if any other dependent module is still loaded leading to a use-after-free scenario. This could allow arbitrary code to be executed or a bypass of Secure Boot protections. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25632)\r\n\r\nA flaw was found in grub2 in versions prior to 2.06. During USB device initialization, descriptors are read with very little bounds checking and assumes the USB device is providing sane values. If properly exploited, an attacker could trigger memory corruption leading to arbitrary code execution allowing a bypass of the Secure Boot mechanism. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25647)\r\n\r\nA flaw was found in grub2 in versions prior to 2.06. Variable names present are expanded in the supplied command line into their corresponding variable contents, using a 1kB stack buffer for temporary storage, without sufficient bounds checking. If the function is called with a command line that references a variable with a sufficiently large payload, it is possible to overflow the stack buffer, corrupt the stack frame and control execution which could also circumvent Secure Boot protections. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-27749)\r\n\r\nA flaw was found in grub2 in versions prior to 2.06. The option parser allows an attacker to write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2021-20225)\r\n\r\nA flaw was found in grub2 in versions prior to 2.06. Setparam_prefix() in the menu rendering code performs a length calculation on the assumption that expressing a quoted single quote will require 3 characters, while it actually requires 4 characters which allows an attacker to corrupt memory by one byte for each quote in the input. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2021-20233)\n\nA flaw was found in grub2 in versions prior to 2.06, where it incorrectly enables the usage of the ACPI command when Secure Boot is enabled. This flaw allows an attacker with privileged access to craft a Secondary System Description Table (SSDT) containing code to overwrite the Linux kernel lockdown variable content directly into memory. The table is further loaded and executed by the kernel, defeating its Secure Boot lockdown and allowing the attacker to load unsigned code. The highest threat from this vulnerability is to data confidentiality and integrity, as well as system availability.(CVE-2020-14372)\n\nA flaw was found in grub2 in versions prior to 2.06. The cutmem command does not honor secure boot locking allowing an privileged attacker to remove address ranges from memory creating an opportunity to circumvent SecureBoot protections after proper triage about grub's memory layout. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-27779)",
+    "cves": [
+      {
+        "id": "CVE-2020-27779",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27779",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1078": {
+    "id": "openEuler-SA-2024-1078",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1078",
+    "title": "An update for libexif is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "Most digital cameras produce EXIF files, which are JPEG files with extra tags that contain information about the image. The EXIF library allows you to parse an EXIF file and read the data from those tags.\r\n\r\nSecurity Fix(es):\r\n\r\nIn exif_entry_get_value of exif-entry.c, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution if a third party app used this library to process remote image data with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11 Android-8.0Android ID: A-159625731(CVE-2020-0452)",
+    "cves": [
+      {
+        "id": "CVE-2020-0452",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0452",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1468": {
+    "id": "openEuler-SA-2021-1468",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1468",
+    "title": "An update for xorg-x11-server is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Xorg server common files.\r\n\r\nSecurity Fix(es):\r\n\r\nA security issue has been found in X.Org before version 21.1.2 and Xwayland before version 21.1.4. The handler for the CompositeGlyphs request of the Render extension does not properly validate the request length leading to out of bounds memory write. This can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for SSH X forwarding sessions.(CVE-2021-4008)\r\n\r\nA security issue has been found in X.Org before version 21.1.2 and Xwayland before version 21.1.4. The handler for the CreatePointerBarrier request of the XFixes extension does not properly validate the request length leading to out of bounds memory write. This can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for SSH X forwarding sessions.(CVE-2021-4009)\r\n\r\nA security issue has been found in X.Org before version 21.1.2 and Xwayland before version 21.1.4. The handler for the Suspend request of the Screen Saver extension does not properly validate the request length leading to an out of bounds memory write. This can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for SSH X forwarding sessions.(CVE-2021-4010)\r\n\r\nA security issue has been found in X.Org before version 21.1.2 and Xwayland before version 21.1.4. The handlers for the RecordCreateContext and RecordRegisterClients requests of the Record extension do not properly validate the request length leading to an out of bounds memory write. This can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for SSH X forwarding sessions.(CVE-2021-4011)",
+    "cves": [
+      {
+        "id": "CVE-2021-4011",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4011",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1471": {
+    "id": "openEuler-SA-2024-1471",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1471",
+    "title": "An update for jose is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Low",
+    "description": "José is a C-language implementation of the Javascript Object Signing and Encryption standards. José provides a command-line utility which encompasses most of the JOSE features. This allows for easy integration into your project and one-off scripts.\r\n\r\nSecurity Fix(es):\r\n\r\nlatchset jose through version 11 allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.(CVE-2023-50967)",
+    "cves": [
+      {
+        "id": "CVE-2023-50967",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50967",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1648": {
+    "id": "openEuler-SA-2023-1648",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1648",
+    "title": "An update for mdadm is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "mdadm is a tool for managing Linux Software RAID arrays. It can create, assemble, report on, and monitor arrays. It can also move spares between raid arrays when needed.\r\n\r\nSecurity Fix(es):\r\n\r\nUncontrolled resource consumption in some Intel(R) SSD Tools software before version mdadm-4.2-rc2 may allow a priviledged user to potentially enable denial of service via local access.(CVE-2023-28938)",
+    "cves": [
+      {
+        "id": "CVE-2023-28938",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28938",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1327": {
+    "id": "openEuler-SA-2021-1327",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1327",
+    "title": "An update for leptonica is now available for openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "The library supports many operations that are useful on  * Document images  * Natural images Fundamental image processing and image analysis operations  * Rasterop (aka bitblt)  * Affine transforms (scaling, translation, rotation, shear)    on images of arbitrary pixel depth  * Projective and bi-linear transforms  * Binary and gray scale morphology, rank order filters, and    convolution  * Seed-fill and connected components  * Image transformations with changes in pixel depth, both at    the same scale and with scale change  * Pixelwise masking, blending, enhancement, arithmetic ops,    etc.\r\n\r\nSecurity Fix(es):\r\n\r\nLeptonica before 1.80.0 allows a denial of service (application crash) via an incorrect left shift in pixConvert2To8 in pixconv.c.(CVE-2020-36277)\r\n\r\nLeptonica before 1.80.0 allows a heap-based buffer over-read in findNextBorderPixel in ccbord.c.(CVE-2020-36278)\r\n\r\nLeptonica before 1.80.0 allows a heap-based buffer over-read in pixFewColorsOctcubeQuantMixed in colorquant1.c.(CVE-2020-36281)\r\n\r\nLeptonica before 1.80.0 allows a heap-based buffer over-read in rasteropGeneralLow, related to adaptmap_reg.c and adaptmap.c.(CVE-2020-36279)\r\n\r\nLeptonica before 1.80.0 allows a heap-based buffer over-read in pixReadFromTiffStream, related to tiffio.c.(CVE-2020-36280)",
+    "cves": [
+      {
+        "id": "CVE-2020-36280",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36280",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1469": {
+    "id": "openEuler-SA-2021-1469",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1469",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA read-after-free memory flaw was found in the Linux kernel s garbage collection for Unix domain socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race condition. This flaw allows a local user to crash the system or escalate their privileges on the system.(CVE-2021-4083)",
+    "cves": [
+      {
+        "id": "CVE-2021-4083",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4083",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1611": {
+    "id": "openEuler-SA-2024-1611",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1611",
+    "title": "An update for ruby is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Low",
+    "description": "Ruby is a fast and easy interpreted scripting language for object-oriented programming. It has many functions for processing text Files and perform system management tasks (such as Perl).\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1.(CVE-2024-27282)",
+    "cves": [
+      {
+        "id": "CVE-2024-27282",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27282",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1478": {
+    "id": "openEuler-SA-2023-1478",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1478",
+    "title": "An update for python-pygments is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Pygments is a generic syntax highlighter suitable for use in code hosting, forums, wikis or other applications that need to prettify source code.\r\n\r\nSecurity Fix(es):\r\n\r\nA ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.(CVE-2022-40896)",
+    "cves": [
+      {
+        "id": "CVE-2022-40896",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40896",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1314": {
+    "id": "openEuler-SA-2021-1314",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1314",
+    "title": "An update for fetchmail is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Fetchmail is a remote mail retrieval and forwarding utility intended for use over on-demand TCP/IP links, like SLIP or PPP connections. Fetchmail supports every remote-mail protocol currently in use on the Internet (POP2, POP3, RPOP, APOP, KPOP, all IMAPs, ESMTP ETRN, IPv6, and IPSEC) for retrieval. Then Fetchmail forwards the mail through SMTP so you can read it through your favorite mail client. Install fetchmail if you need to retrieve mail over SLIP or PPP connections.\r\n\r\nSecurity Fix(es):\r\n\r\nreport_vbuild in report.c in Fetchmail before 6.4.20 sometimes omits initialization of the vsnprintf va_list argument, which might allow mail servers to cause a denial of service or possibly have unspecified other impact via long error messages. NOTE: it is unclear whether use of Fetchmail on any realistic platform results in an impact beyond an inconvenience to the client user.(CVE-2021-36386)",
+    "cves": [
+      {
+        "id": "CVE-2021-36386",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36386",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1047": {
+    "id": "openEuler-SA-2024-1047",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1047",
+    "title": "An update for python-twisted is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Twisted is an event-based framework for internet applications, supporting Python 2.7 and Python 3.5+. It includes modules for many different purposes, including the following:\r\n\r\nSecurity Fix(es):\r\n\r\nTwisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline. Version 23.10.0rc1 contains a patch for this issue.(CVE-2023-46137)",
+    "cves": [
+      {
+        "id": "CVE-2023-46137",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46137",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1351": {
+    "id": "openEuler-SA-2021-1351",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1351",
+    "title": "An update for aspell is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "GNU Aspell is a spell checker intended to replace Ispell. It can be used as a library and spell checker. Its main feature is that it provides much better suggestions than other inspectors, including Ispell and Microsoft Word. It also has many other technical enhancements to Ispell, such as the use of shared memory to store dictionaries, and intelligent processing of personal dictionaries when multiple Aspell processes are opened at one time.\r\n\r\nSecurity Fix(es):\r\n\r\nobjstack in GNU Aspell 0.60.8 has a heap-based buffer overflow in acommon::ObjStack::dup_top (called from acommon::StringMap::add and acommon::Config::lookup_list).(CVE-2019-25051)",
+    "cves": [
+      {
+        "id": "CVE-2019-25051",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25051",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1617": {
+    "id": "openEuler-SA-2024-1617",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1617",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nx86/kvm: Disable kvmclock on all CPUs on shutdown\r\n\r\nCurrenly, we disable kvmclock from machine_shutdown() hook and this\nonly happens for boot CPU. We need to disable it for all CPUs to\nguard against memory corruption e.g. on restore from hibernate.\r\n\r\nNote, writing '0' to kvmclock MSR doesn't clear memory location, it\njust prevents hypervisor from updating the location so for the short\nwhile after write and while CPU is still alive, the clock remains usable\nand correct so we don't need to switch to some other clocksource.(CVE-2021-47110)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni40e: Fix NULL ptr dereference on VSI filter sync\r\n\r\nRemove the reason of null pointer dereference in sync VSI filters.\nAdded new I40E_VSI_RELEASING flag to signalize deleting and releasing\nof VSI resources to sync this thread with sync filters subtask.\nWithout this patch it is possible to start update the VSI filter list\nafter VSI is removed, that's causing a kernel oops.(CVE-2021-47184)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nerofs: fix pcluster use-after-free on UP platforms\r\n\r\nDuring stress testing with CONFIG_SMP disabled, KASAN reports as below:\r\n\r\n==================================================================\nBUG: KASAN: use-after-free in __mutex_lock+0xe5/0xc30\nRead of size 8 at addr ffff8881094223f8 by task stress/7789\r\n\r\nCPU: 0 PID: 7789 Comm: stress Not tainted 6.0.0-rc1-00002-g0d53d2e882f9 #3\nHardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\nCall Trace:\n <TASK>\n..\n __mutex_lock+0xe5/0xc30\n..\n z_erofs_do_read_page+0x8ce/0x1560\n..\n z_erofs_readahead+0x31c/0x580\n..\nFreed by task 7787\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x20/0x30\n kasan_set_free_info+0x20/0x40\n __kasan_slab_free+0x10c/0x190\n kmem_cache_free+0xed/0x380\n rcu_core+0x3d5/0xc90\n __do_softirq+0x12d/0x389\r\n\r\nLast potentially related work creation:\n kasan_save_stack+0x1e/0x40\n __kasan_record_aux_stack+0x97/0xb0\n call_rcu+0x3d/0x3f0\n erofs_shrink_workstation+0x11f/0x210\n erofs_shrink_scan+0xdc/0x170\n shrink_slab.constprop.0+0x296/0x530\n drop_slab+0x1c/0x70\n drop_caches_sysctl_handler+0x70/0x80\n proc_sys_call_handler+0x20a/0x2f0\n vfs_write+0x555/0x6c0\n ksys_write+0xbe/0x160\n do_syscall_64+0x3b/0x90\r\n\r\nThe root cause is that erofs_workgroup_unfreeze() doesn't reset to\norig_val thus it causes a race that the pcluster reuses unexpectedly\nbefore freeing.\r\n\r\nSince UP platforms are quite rare now, such path becomes unnecessary.\nLet's drop such specific-designed path directly instead.(CVE-2022-48674)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhwrng: core - Fix page fault dead lock on mmap-ed hwrng\r\n\r\nThere is a dead-lock in the hwrng device read path.  This triggers\nwhen the user reads from /dev/hwrng into memory also mmap-ed from\n/dev/hwrng.  The resulting page fault triggers a recursive read\nwhich then dead-locks.\r\n\r\nFix this by using a stack buffer when calling copy_to_user.(CVE-2023-52615)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: disallow timeout for anonymous sets\r\n\r\nNever used from userspace, disallow these parameters.(CVE-2023-52620)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nSUNRPC: Fix a suspicious RCU usage warning\r\n\r\nI received the following warning while running cthon against an ontap\nserver running pNFS:\r\n\r\n[   57.202521] =============================\n[   57.202522] WARNING: suspicious RCU usage\n[   57.202523] 6.7.0-rc3-g2cc14f52aeb7 #41492 Not tainted\n[   57.202525] -----------------------------\n[   57.202525] net/sunrpc/xprtmultipath.c:349 RCU-list traversed in non-reader section!!\n[   57.202527]\n               other info that might help us debug this:\r\n\r\n[   57.202528]\n               rcu_scheduler_active = 2, debug_locks = 1\n[   57.202529] no locks held by test5/3567.\n[   57.202530]\n               stack backtrace:\n[   57.202532] CPU: 0 PID: 3567 Comm: test5 Not tainted 6.7.0-rc3-g2cc14f52aeb7 #41492 5b09971b4965c0aceba19f3eea324a4a806e227e\n[   57.202534] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 2/2/2022\n[   57.202536] Call Trace:\n[   57.202537]  <TASK>\n[   57.202540]  dump_stack_lvl+0x77/0xb0\n[   57.202551]  lockdep_rcu_suspicious+0x154/0x1a0\n[   57.202556]  rpc_xprt_switch_has_addr+0x17c/0x190 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202596]  rpc_clnt_setup_test_and_add_xprt+0x50/0x180 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202621]  ? rpc_clnt_add_xprt+0x254/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202646]  rpc_clnt_add_xprt+0x27a/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202671]  ? __pfx_rpc_clnt_setup_test_and_add_xprt+0x10/0x10 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202696]  nfs4_pnfs_ds_connect+0x345/0x760 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202728]  ? __pfx_nfs4_test_session_trunk+0x10/0x10 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202754]  nfs4_fl_prepare_ds+0x75/0xc0 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]\n[   57.202760]  filelayout_write_pagelist+0x4a/0x200 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]\n[   57.202765]  pnfs_generic_pg_writepages+0xbe/0x230 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202788]  __nfs_pageio_add_request+0x3fd/0x520 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202813]  nfs_pageio_add_request+0x18b/0x390 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202831]  nfs_do_writepage+0x116/0x1e0 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202849]  nfs_writepages_callback+0x13/0x30 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202866]  write_cache_pages+0x265/0x450\n[   57.202870]  ? __pfx_nfs_writepages_callback+0x10/0x10 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202891]  nfs_writepages+0x141/0x230 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202913]  do_writepages+0xd2/0x230\n[   57.202917]  ? filemap_fdatawrite_wbc+0x5c/0x80\n[   57.202921]  filemap_fdatawrite_wbc+0x67/0x80\n[   57.202924]  filemap_write_and_wait_range+0xd9/0x170\n[   57.202930]  nfs_wb_all+0x49/0x180 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202947]  nfs4_file_flush+0x72/0xb0 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202969]  __se_sys_close+0x46/0xd0\n[   57.202972]  do_syscall_64+0x68/0x100\n[   57.202975]  ? do_syscall_64+0x77/0x100\n[   57.202976]  ? do_syscall_64+0x77/0x100\n[   57.202979]  entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[   57.202982] RIP: 0033:0x7fe2b12e4a94\n[   57.202985] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d d5 18 0e 00 00 74 13 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 44 c3 0f 1f 00 48 83 ec 18 89 7c 24 0c e8 c3\n[   57.202987] RSP: 002b:00007ffe857ddb38 EFLAGS: 00000202 ORIG_RAX: 0000000000000003\n[   57.202989] RAX: ffffffffffffffda RBX: 00007ffe857dfd68 RCX: 00007fe2b12e4a94\n[   57.202991] RDX: 0000000000002000 RSI: 00007ffe857ddc40 RDI: 0000000000000003\n[   57.202992] RBP: 00007ffe857dfc50 R08: 7fffffffffffffff R09: 0000000065650f49\n[   57.202993] R10: 00007f\n---truncated---(CVE-2023-52623)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nftables: exthdr: fix 4-byte stack OOB write\r\n\r\nIf priv->len is a multiple of 4, then dst[len / 4] can write past\nthe destination array which leads to stack corruption.\r\n\r\nThis construct is necessary to clean the remainder of the register\nin case ->len is NOT a multiple of the register size, so make it\nconditional just like nft_payload.c does.\r\n\r\nThe bug was added in 4.1 cycle and then copied/inherited when\ntcp/sctp and ip option support was added.\r\n\r\nBug reported by Zero Day Initiative project (ZDI-CAN-21950,\nZDI-CAN-21951, ZDI-CAN-21961).(CVE-2023-52628)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsh: push-switch: Reorder cleanup operations to avoid use-after-free bug\r\n\r\nThe original code puts flush_work() before timer_shutdown_sync()\nin switch_drv_remove(). Although we use flush_work() to stop\nthe worker, it could be rescheduled in switch_timer(). As a result,\na use-after-free bug can occur. The details are shown below:\r\n\r\n      (cpu 0)                    |      (cpu 1)\nswitch_drv_remove()              |\n flush_work()                    |\n  ...                            |  switch_timer // timer\n                                 |   schedule_work(&psw->work)\n timer_shutdown_sync()           |\n ...                             |  switch_work_handler // worker\n kfree(psw) // free              |\n                                 |   psw->state = 0 // use\r\n\r\nThis patch puts timer_shutdown_sync() before flush_work() to\nmitigate the bugs. As a result, the worker and timer will be\nstopped safely before the deallocate operations.(CVE-2023-52629)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nPM / devfreq: Synchronize devfreq_monitor_[start/stop]\r\n\r\nThere is a chance if a frequent switch of the governor\ndone in a loop result in timer list corruption where\ntimer cancel being done from two place one from\ncancel_delayed_work_sync() and followed by expire_timers()\ncan be seen from the traces[1].\r\n\r\nwhile true\ndo\n        echo \"simple_ondemand\" > /sys/class/devfreq/1d84000.ufshc/governor\n        echo \"performance\" > /sys/class/devfreq/1d84000.ufshc/governor\ndone\r\n\r\nIt looks to be issue with devfreq driver where\ndevice_monitor_[start/stop] need to synchronized so that\ndelayed work should get corrupted while it is either\nbeing queued or running or being cancelled.\r\n\r\nLet's use polling flag and devfreq lock to synchronize the\nqueueing the timer instance twice and work data being\ncorrupted.\r\n\r\n[1]\n...\n..\n<idle>-0    [003]   9436.209662:  timer_cancel   timer=0xffffff80444f0428\n<idle>-0    [003]   9436.209664:  timer_expire_entry   timer=0xffffff80444f0428  now=0x10022da1c  function=__typeid__ZTSFvP10timer_listE_global_addr  baseclk=0x10022da1c\n<idle>-0    [003]   9436.209718:  timer_expire_exit   timer=0xffffff80444f0428\nkworker/u16:6-14217    [003]   9436.209863:  timer_start   timer=0xffffff80444f0428  function=__typeid__ZTSFvP10timer_listE_global_addr  expires=0x10022da2b  now=0x10022da1c  flags=182452227\nvendor.xxxyyy.ha-1593    [004]   9436.209888:  timer_cancel   timer=0xffffff80444f0428\nvendor.xxxyyy.ha-1593    [004]   9436.216390:  timer_init   timer=0xffffff80444f0428\nvendor.xxxyyy.ha-1593    [004]   9436.216392:  timer_start   timer=0xffffff80444f0428  function=__typeid__ZTSFvP10timer_listE_global_addr  expires=0x10022da2c  now=0x10022da1d  flags=186646532\nvendor.xxxyyy.ha-1593    [005]   9436.220992:  timer_cancel   timer=0xffffff80444f0428\nxxxyyyTraceManag-7795    [004]   9436.261641:  timer_cancel   timer=0xffffff80444f0428\r\n\r\n[2]\r\n\r\n 9436.261653][    C4] Unable to handle kernel paging request at virtual address dead00000000012a\n[ 9436.261664][    C4] Mem abort info:\n[ 9436.261666][    C4]   ESR = 0x96000044\n[ 9436.261669][    C4]   EC = 0x25: DABT (current EL), IL = 32 bits\n[ 9436.261671][    C4]   SET = 0, FnV = 0\n[ 9436.261673][    C4]   EA = 0, S1PTW = 0\n[ 9436.261675][    C4] Data abort info:\n[ 9436.261677][    C4]   ISV = 0, ISS = 0x00000044\n[ 9436.261680][    C4]   CM = 0, WnR = 1\n[ 9436.261682][    C4] [dead00000000012a] address between user and kernel address ranges\n[ 9436.261685][    C4] Internal error: Oops: 96000044 [#1] PREEMPT SMP\n[ 9436.261701][    C4] Skip md ftrace buffer dump for: 0x3a982d0\n...\r\n\r\n[ 9436.262138][    C4] CPU: 4 PID: 7795 Comm: TraceManag Tainted: G S      W  O      5.10.149-android12-9-o-g17f915d29d0c #1\n[ 9436.262141][    C4] Hardware name: Qualcomm Technologies, Inc.  (DT)\n[ 9436.262144][    C4] pstate: 22400085 (nzCv daIf +PAN -UAO +TCO BTYPE=--)\n[ 9436.262161][    C4] pc : expire_timers+0x9c/0x438\n[ 9436.262164][    C4] lr : expire_timers+0x2a4/0x438\n[ 9436.262168][    C4] sp : ffffffc010023dd0\n[ 9436.262171][    C4] x29: ffffffc010023df0 x28: ffffffd0636fdc18\n[ 9436.262178][    C4] x27: ffffffd063569dd0 x26: ffffffd063536008\n[ 9436.262182][    C4] x25: 0000000000000001 x24: ffffff88f7c69280\n[ 9436.262185][    C4] x23: 00000000000000e0 x22: dead000000000122\n[ 9436.262188][    C4] x21: 000000010022da29 x20: ffffff8af72b4e80\n[ 9436.262191][    C4] x19: ffffffc010023e50 x18: ffffffc010025038\n[ 9436.262195][    C4] x17: 0000000000000240 x16: 0000000000000201\n[ 9436.262199][    C4] x15: ffffffffffffffff x14: ffffff889f3c3100\n[ 9436.262203][    C4] x13: ffffff889f3c3100 x12: 00000000049f56b8\n[ 9436.262207][    C4] x11: 00000000049f56b8 x10: 00000000ffffffff\n[ 9436.262212][    C4] x9 : ffffffc010023e50 x8 : dead000000000122\n[ 9436.262216][    C4] x7 : ffffffffffffffff x6 : ffffffc0100239d8\n[ 9436.262220][    C4] x5 : 0000000000000000 x4 : 0000000000000101\n[ 9436.262223][    C4] x3 : 0000000000000080 x2 : ffffff8\n---truncated---(CVE-2023-52635)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncan: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)\r\n\r\nLock jsk->sk to prevent UAF when setsockopt(..., SO_J1939_FILTER, ...)\nmodifies jsk->filters while receiving packets.\r\n\r\nFollowing trace was seen on affected system:\n ==================================================================\n BUG: KASAN: slab-use-after-free in j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n Read of size 4 at addr ffff888012144014 by task j1939/350\r\n\r\n CPU: 0 PID: 350 Comm: j1939 Tainted: G        W  OE      6.5.0-rc5 #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n Call Trace:\n  print_report+0xd3/0x620\n  ? kasan_complete_mode_report_info+0x7d/0x200\n  ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n  kasan_report+0xc2/0x100\n  ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n  __asan_load4+0x84/0xb0\n  j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n  j1939_sk_recv+0x20b/0x320 [can_j1939]\n  ? __kasan_check_write+0x18/0x20\n  ? __pfx_j1939_sk_recv+0x10/0x10 [can_j1939]\n  ? j1939_simple_recv+0x69/0x280 [can_j1939]\n  ? j1939_ac_recv+0x5e/0x310 [can_j1939]\n  j1939_can_recv+0x43f/0x580 [can_j1939]\n  ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]\n  ? raw_rcv+0x42/0x3c0 [can_raw]\n  ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]\n  can_rcv_filter+0x11f/0x350 [can]\n  can_receive+0x12f/0x190 [can]\n  ? __pfx_can_rcv+0x10/0x10 [can]\n  can_rcv+0xdd/0x130 [can]\n  ? __pfx_can_rcv+0x10/0x10 [can]\n  __netif_receive_skb_one_core+0x13d/0x150\n  ? __pfx___netif_receive_skb_one_core+0x10/0x10\n  ? __kasan_check_write+0x18/0x20\n  ? _raw_spin_lock_irq+0x8c/0xe0\n  __netif_receive_skb+0x23/0xb0\n  process_backlog+0x107/0x260\n  __napi_poll+0x69/0x310\n  net_rx_action+0x2a1/0x580\n  ? __pfx_net_rx_action+0x10/0x10\n  ? __pfx__raw_spin_lock+0x10/0x10\n  ? handle_irq_event+0x7d/0xa0\n  __do_softirq+0xf3/0x3f8\n  do_softirq+0x53/0x80\n  </IRQ>\n  <TASK>\n  __local_bh_enable_ip+0x6e/0x70\n  netif_rx+0x16b/0x180\n  can_send+0x32b/0x520 [can]\n  ? __pfx_can_send+0x10/0x10 [can]\n  ? __check_object_size+0x299/0x410\n  raw_sendmsg+0x572/0x6d0 [can_raw]\n  ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]\n  ? apparmor_socket_sendmsg+0x2f/0x40\n  ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]\n  sock_sendmsg+0xef/0x100\n  sock_write_iter+0x162/0x220\n  ? __pfx_sock_write_iter+0x10/0x10\n  ? __rtnl_unlock+0x47/0x80\n  ? security_file_permission+0x54/0x320\n  vfs_write+0x6ba/0x750\n  ? __pfx_vfs_write+0x10/0x10\n  ? __fget_light+0x1ca/0x1f0\n  ? __rcu_read_unlock+0x5b/0x280\n  ksys_write+0x143/0x170\n  ? __pfx_ksys_write+0x10/0x10\n  ? __kasan_check_read+0x15/0x20\n  ? fpregs_assert_state_consistent+0x62/0x70\n  __x64_sys_write+0x47/0x60\n  do_syscall_64+0x60/0x90\n  ? do_syscall_64+0x6d/0x90\n  ? irqentry_exit+0x3f/0x50\n  ? exc_page_fault+0x79/0xf0\n  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\r\n\r\n Allocated by task 348:\n  kasan_save_stack+0x2a/0x50\n  kasan_set_track+0x29/0x40\n  kasan_save_alloc_info+0x1f/0x30\n  __kasan_kmalloc+0xb5/0xc0\n  __kmalloc_node_track_caller+0x67/0x160\n  j1939_sk_setsockopt+0x284/0x450 [can_j1939]\n  __sys_setsockopt+0x15c/0x2f0\n  __x64_sys_setsockopt+0x6b/0x80\n  do_syscall_64+0x60/0x90\n  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\r\n\r\n Freed by task 349:\n  kasan_save_stack+0x2a/0x50\n  kasan_set_track+0x29/0x40\n  kasan_save_free_info+0x2f/0x50\n  __kasan_slab_free+0x12e/0x1c0\n  __kmem_cache_free+0x1b9/0x380\n  kfree+0x7a/0x120\n  j1939_sk_setsockopt+0x3b2/0x450 [can_j1939]\n  __sys_setsockopt+0x15c/0x2f0\n  __x64_sys_setsockopt+0x6b/0x80\n  do_syscall_64+0x60/0x90\n  entry_SYSCALL_64_after_hwframe+0x6e/0xd8(CVE-2023-52637)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncan: j1939: prevent deadlock by changing j1939_socks_lock to rwlock\r\n\r\nThe following 3 locks would race against each other, causing the\ndeadlock situation in the Syzbot bug report:\r\n\r\n- j1939_socks_lock\n- active_session_list_lock\n- sk_session_queue_lock\r\n\r\nA reasonable fix is to change j1939_socks_lock to an rwlock, since in\nthe rare situations where a write lock is required for the linked list\nthat j1939_socks_lock is protecting, the code does not attempt to\nacquire any more locks. This would break the circular lock dependency,\nwhere, for example, the current thread already locks j1939_socks_lock\nand attempts to acquire sk_session_queue_lock, and at the same time,\nanother thread attempts to acquire j1939_socks_lock while holding\nsk_session_queue_lock.\r\n\r\nNOTE: This patch along does not fix the unregister_netdevice bug\nreported by Syzbot; instead, it solves a deadlock situation to prepare\nfor one or more further patches to actually fix the Syzbot bug, which\nappears to be a reference counting problem within the j1939 codebase.\r\n\r\n[mkl: remove unrelated newline change](CVE-2023-52638)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: s390: vsie: fix race during shadow creation\r\n\r\nRight now it is possible to see gmap->private being zero in\nkvm_s390_vsie_gmap_notifier resulting in a crash.  This is due to the\nfact that we add gmap->private == kvm after creation:\r\n\r\nstatic int acquire_gmap_shadow(struct kvm_vcpu *vcpu,\n                               struct vsie_page *vsie_page)\n{\n[...]\n        gmap = gmap_shadow(vcpu->arch.gmap, asce, edat);\n        if (IS_ERR(gmap))\n                return PTR_ERR(gmap);\n        gmap->private = vcpu->kvm;\r\n\r\nLet children inherit the private field of the parent.(CVE-2023-52639)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: rc: bpf attach/detach requires write permission\r\n\r\nNote that bpf attach/detach also requires CAP_NET_ADMIN.(CVE-2023-52642)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled\r\n\r\nWhen QoS is disabled, the queue priority value will not map to the correct\nieee80211 queue since there is only one queue. Stop/wake queue 0 when QoS\nis disabled to prevent trying to stop/wake a non-existent queue and failing\nto stop/wake the actual queue instantiated.\r\n\r\nLog of issue before change (with kernel parameter qos=0):\n    [  +5.112651] ------------[ cut here ]------------\n    [  +0.000005] WARNING: CPU: 7 PID: 25513 at net/mac80211/util.c:449 __ieee80211_wake_queue+0xd5/0x180 [mac80211]\n    [  +0.000067] Modules linked in: b43(O) snd_seq_dummy snd_hrtimer snd_seq snd_seq_device nft_chain_nat xt_MASQUERADE nf_nat xfrm_user xfrm_algo xt_addrtype overlay ccm af_packet amdgpu snd_hda_codec_cirrus snd_hda_codec_generic ledtrig_audio drm_exec amdxcp gpu_sched xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_rpfilter ipt_rpfilter xt_pkttype xt_LOG nf_log_syslog xt_tcpudp nft_compat nf_tables nfnetlink sch_fq_codel btusb uinput iTCO_wdt ctr btrtl intel_pmc_bxt i915 intel_rapl_msr mei_hdcp mei_pxp joydev at24 watchdog btintel atkbd libps2 serio radeon btbcm vivaldi_fmap btmtk intel_rapl_common snd_hda_codec_hdmi bluetooth uvcvideo nls_iso8859_1 applesmc nls_cp437 x86_pkg_temp_thermal snd_hda_intel intel_powerclamp vfat videobuf2_vmalloc coretemp fat snd_intel_dspcfg crc32_pclmul uvc polyval_clmulni snd_intel_sdw_acpi loop videobuf2_memops snd_hda_codec tun drm_suballoc_helper polyval_generic drm_ttm_helper drm_buddy tap ecdh_generic videobuf2_v4l2 gf128mul macvlan ttm ghash_clmulni_intel ecc tg3\n    [  +0.000044]  videodev bridge snd_hda_core rapl crc16 drm_display_helper cec mousedev snd_hwdep evdev intel_cstate bcm5974 hid_appleir videobuf2_common stp mac_hid libphy snd_pcm drm_kms_helper acpi_als mei_me intel_uncore llc mc snd_timer intel_gtt industrialio_triggered_buffer apple_mfi_fastcharge i2c_i801 mei snd lpc_ich agpgart ptp i2c_smbus thunderbolt apple_gmux i2c_algo_bit kfifo_buf video industrialio soundcore pps_core wmi tiny_power_button sbs sbshc button ac cordic bcma mac80211 cfg80211 ssb rfkill libarc4 kvm_intel kvm drm irqbypass fuse backlight firmware_class efi_pstore configfs efivarfs dmi_sysfs ip_tables x_tables autofs4 dm_crypt cbc encrypted_keys trusted asn1_encoder tee tpm rng_core input_leds hid_apple led_class hid_generic usbhid hid sd_mod t10_pi crc64_rocksoft crc64 crc_t10dif crct10dif_generic ahci libahci libata uhci_hcd ehci_pci ehci_hcd crct10dif_pclmul crct10dif_common sha512_ssse3 sha512_generic sha256_ssse3 sha1_ssse3 aesni_intel usbcore scsi_mod libaes crypto_simd cryptd scsi_common\n    [  +0.000055]  usb_common rtc_cmos btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq dm_snapshot dm_bufio dm_mod dax [last unloaded: b43(O)]\n    [  +0.000009] CPU: 7 PID: 25513 Comm: irq/17-b43 Tainted: G        W  O       6.6.7 #1-NixOS\n    [  +0.000003] Hardware name: Apple Inc. MacBookPro8,3/Mac-942459F5819B171B, BIOS 87.0.0.0.0 06/13/2019\n    [  +0.000001] RIP: 0010:__ieee80211_wake_queue+0xd5/0x180 [mac80211]\n    [  +0.000046] Code: 00 45 85 e4 0f 85 9b 00 00 00 48 8d bd 40 09 00 00 f0 48 0f ba ad 48 09 00 00 00 72 0f 5b 5d 41 5c 41 5d 41 5e e9 cb 6d 3c d0 <0f> 0b 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc 48 8d b4 16 94 00 00\n    [  +0.000002] RSP: 0018:ffffc90003c77d60 EFLAGS: 00010097\n    [  +0.000001] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 0000000000000000\n    [  +0.000001] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff88820b924900\n    [  +0.000002] RBP: ffff88820b924900 R08: ffffc90003c77d90 R09: 000000000003bfd0\n    [  +0.000001] R10: ffff88820b924900 R11: ffffc90003c77c68 R12: 0000000000000000\n    [  +0.000001] R13: 0000000000000000 R14: ffffc90003c77d90 R15: ffffffffc0fa6f40\n    [  +0.000001] FS:  0000000000000000(0000) GS:ffff88846fb80000(0000) knlGS:0000000000000000\n    [  +0.000001] CS:  0010 DS: 0\n---truncated---(CVE-2023-52644)\r\n\r\nA flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.(CVE-2023-6270)\r\n\r\nA race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. This can result in I2cap connection or broadcast abnormality issue, possibly leading to denial of service.\r\n\r\n\r\n\r\n\n(CVE-2024-24858)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: make sure init the accept_queue's spinlocks once\r\n\r\nWhen I run syz's reproduction C program locally, it causes the following\nissue:\npvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0!\nWARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508)\nHardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\nRIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508)\nCode: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7\n30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90\nRSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908\nRDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900\nRBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff\nR10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000\nR13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000\nFS:  00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0\nCall Trace:\n<IRQ>\n  _raw_spin_unlock (kernel/locking/spinlock.c:186)\n  inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321)\n  inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358)\n  tcp_check_req (net/ipv4/tcp_minisocks.c:868)\n  tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260)\n  ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205)\n  ip_local_deliver_finish (net/ipv4/ip_input.c:234)\n  __netif_receive_skb_one_core (net/core/dev.c:5529)\n  process_backlog (./include/linux/rcupdate.h:779)\n  __napi_poll (net/core/dev.c:6533)\n  net_rx_action (net/core/dev.c:6604)\n  __do_softirq (./arch/x86/include/asm/jump_label.h:27)\n  do_softirq (kernel/softirq.c:454 kernel/softirq.c:441)\n</IRQ>\n<TASK>\n  __local_bh_enable_ip (kernel/softirq.c:381)\n  __dev_queue_xmit (net/core/dev.c:4374)\n  ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235)\n  __ip_queue_xmit (net/ipv4/ip_output.c:535)\n  __tcp_transmit_skb (net/ipv4/tcp_output.c:1462)\n  tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469)\n  tcp_rcv_state_process (net/ipv4/tcp_input.c:6657)\n  tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929)\n  __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968)\n  release_sock (net/core/sock.c:3536)\n  inet_wait_for_connect (net/ipv4/af_inet.c:609)\n  __inet_stream_connect (net/ipv4/af_inet.c:702)\n  inet_stream_connect (net/ipv4/af_inet.c:748)\n  __sys_connect (./include/linux/file.h:45 net/socket.c:2064)\n  __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070)\n  do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82)\n  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)\n  RIP: 0033:0x7fa10ff05a3d\n  Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89\n  c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48\n  RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a\n  RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d\n  RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003\n  RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640\n  R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20\n</TASK>\r\n\r\nThe issue triggering process is analyzed as follows:\nThread A                                       Thread B\ntcp_v4_rcv\t//receive ack TCP packet       inet_shutdown\n  tcp_check_req                                  tcp_disconnect //disconnect sock\n  ...                                              tcp_set_state(sk, TCP_CLOSE)\n    inet_csk_complete_hashdance                ...\n      inet_csk_reqsk_queue_add         \n---truncated---(CVE-2024-26614)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: disallow anonymous set with timeout flag\r\n\r\nAnonymous sets are never used with timeout from userspace, reject this.\nException to this rule is NFT_SET_EVAL to ensure legacy meters still work.(CVE-2024-26642)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntracing: Ensure visibility when inserting an element into tracing_map\r\n\r\nRunning the following two commands in parallel on a multi-processor\nAArch64 machine can sporadically produce an unexpected warning about\nduplicate histogram entries:\r\n\r\n $ while true; do\n     echo hist:key=id.syscall:val=hitcount > \\\n       /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/trigger\n     cat /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/hist\n     sleep 0.001\n   done\n $ stress-ng --sysbadaddr $(nproc)\r\n\r\nThe warning looks as follows:\r\n\r\n[ 2911.172474] ------------[ cut here ]------------\n[ 2911.173111] Duplicates detected: 1\n[ 2911.173574] WARNING: CPU: 2 PID: 12247 at kernel/trace/tracing_map.c:983 tracing_map_sort_entries+0x3e0/0x408\n[ 2911.174702] Modules linked in: iscsi_ibft(E) iscsi_boot_sysfs(E) rfkill(E) af_packet(E) nls_iso8859_1(E) nls_cp437(E) vfat(E) fat(E) ena(E) tiny_power_button(E) qemu_fw_cfg(E) button(E) fuse(E) efi_pstore(E) ip_tables(E) x_tables(E) xfs(E) libcrc32c(E) aes_ce_blk(E) aes_ce_cipher(E) crct10dif_ce(E) polyval_ce(E) polyval_generic(E) ghash_ce(E) gf128mul(E) sm4_ce_gcm(E) sm4_ce_ccm(E) sm4_ce(E) sm4_ce_cipher(E) sm4(E) sm3_ce(E) sm3(E) sha3_ce(E) sha512_ce(E) sha512_arm64(E) sha2_ce(E) sha256_arm64(E) nvme(E) sha1_ce(E) nvme_core(E) nvme_auth(E) t10_pi(E) sg(E) scsi_mod(E) scsi_common(E) efivarfs(E)\n[ 2911.174738] Unloaded tainted modules: cppc_cpufreq(E):1\n[ 2911.180985] CPU: 2 PID: 12247 Comm: cat Kdump: loaded Tainted: G            E      6.7.0-default #2 1b58bbb22c97e4399dc09f92d309344f69c44a01\n[ 2911.182398] Hardware name: Amazon EC2 c7g.8xlarge/, BIOS 1.0 11/1/2018\n[ 2911.183208] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 2911.184038] pc : tracing_map_sort_entries+0x3e0/0x408\n[ 2911.184667] lr : tracing_map_sort_entries+0x3e0/0x408\n[ 2911.185310] sp : ffff8000a1513900\n[ 2911.185750] x29: ffff8000a1513900 x28: ffff0003f272fe80 x27: 0000000000000001\n[ 2911.186600] x26: ffff0003f272fe80 x25: 0000000000000030 x24: 0000000000000008\n[ 2911.187458] x23: ffff0003c5788000 x22: ffff0003c16710c8 x21: ffff80008017f180\n[ 2911.188310] x20: ffff80008017f000 x19: ffff80008017f180 x18: ffffffffffffffff\n[ 2911.189160] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000a15134b8\n[ 2911.190015] x14: 0000000000000000 x13: 205d373432323154 x12: 5b5d313131333731\n[ 2911.190844] x11: 00000000fffeffff x10: 00000000fffeffff x9 : ffffd1b78274a13c\n[ 2911.191716] x8 : 000000000017ffe8 x7 : c0000000fffeffff x6 : 000000000057ffa8\n[ 2911.192554] x5 : ffff0012f6c24ec0 x4 : 0000000000000000 x3 : ffff2e5b72b5d000\n[ 2911.193404] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0003ff254480\n[ 2911.194259] Call trace:\n[ 2911.194626]  tracing_map_sort_entries+0x3e0/0x408\n[ 2911.195220]  hist_show+0x124/0x800\n[ 2911.195692]  seq_read_iter+0x1d4/0x4e8\n[ 2911.196193]  seq_read+0xe8/0x138\n[ 2911.196638]  vfs_read+0xc8/0x300\n[ 2911.197078]  ksys_read+0x70/0x108\n[ 2911.197534]  __arm64_sys_read+0x24/0x38\n[ 2911.198046]  invoke_syscall+0x78/0x108\n[ 2911.198553]  el0_svc_common.constprop.0+0xd0/0xf8\n[ 2911.199157]  do_el0_svc+0x28/0x40\n[ 2911.199613]  el0_svc+0x40/0x178\n[ 2911.200048]  el0t_64_sync_handler+0x13c/0x158\n[ 2911.200621]  el0t_64_sync+0x1a8/0x1b0\n[ 2911.201115] ---[ end trace 0000000000000000 ]---\r\n\r\nThe problem appears to be caused by CPU reordering of writes issued from\n__tracing_map_insert().\r\n\r\nThe check for the presence of an element with a given key in this\nfunction is:\r\n\r\n val = READ_ONCE(entry->val);\n if (val && keys_match(key, val->key, map->key_size)) ...\r\n\r\nThe write of a new entry is:\r\n\r\n elt = get_free_elt(map);\n memcpy(elt->key, key, map->key_size);\n entry->val = elt;\r\n\r\nThe \"memcpy(elt->key, key, map->key_size);\" and \"entry->val = elt;\"\nstores may become visible in the reversed order on another CPU. This\nsecond CPU might then incorrectly determine that a new key doesn't match\nan already present val->key and subse\n---truncated---(CVE-2024-26645)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nft_limit: reject configurations that cause integer overflow\r\n\r\nReject bogus configs where internal token counter wraps around.\nThis only occurs with very very large requests, such as 17gbyte/s.\r\n\r\nIts better to reject this rather than having incorrect ratelimit.(CVE-2024-26668)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblk-mq: fix IO hang from sbitmap wakeup race\r\n\r\nIn blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered\nwith the following blk_mq_get_driver_tag() in case of getting driver\ntag failure.\r\n\r\nThen in __sbitmap_queue_wake_up(), waitqueue_active() may not observe\nthe added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime\nblk_mq_mark_tag_wait() can't get driver tag successfully.\r\n\r\nThis issue can be reproduced by running the following test in loop, and\nfio hang can be observed in < 30min when running it on my test VM\nin laptop.\r\n\r\n\tmodprobe -r scsi_debug\n\tmodprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4\n\tdev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename`\n\tfio --filename=/dev/\"$dev\" --direct=1 --rw=randrw --bs=4k --iodepth=1 \\\n       \t\t--runtime=100 --numjobs=40 --time_based --name=test \\\n        \t--ioengine=libaio\r\n\r\nFix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which\nis just fine in case of running out of tag.(CVE-2024-26671)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nppp_async: limit MRU to 64K\r\n\r\nsyzbot triggered a warning [1] in __alloc_pages():\r\n\r\nWARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)\r\n\r\nWillem fixed a similar issue in commit c0a2a1b0d631 (\"ppp: limit MRU to 64K\")\r\n\r\nAdopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU)\r\n\r\n[1]:\r\n\r\n WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\nModules linked in:\nCPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\nWorkqueue: events_unbound flush_to_ldisc\npstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\n lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537\nsp : ffff800093967580\nx29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000\nx26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0\nx23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8\nx20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120\nx17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005\nx14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000\nx11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001\nx8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f\nx5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020\nx2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0\nCall trace:\n  __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\n  __alloc_pages_node include/linux/gfp.h:238 [inline]\n  alloc_pages_node include/linux/gfp.h:261 [inline]\n  __kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926\n  __do_kmalloc_node mm/slub.c:3969 [inline]\n  __kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001\n  kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590\n  __alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651\n  __netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715\n  netdev_alloc_skb include/linux/skbuff.h:3235 [inline]\n  dev_alloc_skb include/linux/skbuff.h:3248 [inline]\n  ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline]\n  ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341\n  tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390\n  tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37\n  receive_buf drivers/tty/tty_buffer.c:444 [inline]\n  flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494\n  process_one_work+0x694/0x1204 kernel/workqueue.c:2633\n  process_scheduled_works kernel/workqueue.c:2706 [inline]\n  worker_thread+0x938/0xef4 kernel/workqueue.c:2787\n  kthread+0x288/0x310 kernel/kthread.c:388\n  ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860(CVE-2024-26675)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ninet: read sk->sk_family once in inet_recv_error()\r\n\r\ninet_recv_error() is called without holding the socket lock.\r\n\r\nIPv6 socket could mutate to IPv4 with IPV6_ADDRFORM\nsocket option and trigger a KCSAN warning.(CVE-2024-26679)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix potential bug in end_buffer_async_write\r\n\r\nAccording to a syzbot report, end_buffer_async_write(), which handles the\ncompletion of block device writes, may detect abnormal condition of the\nbuffer async_write flag and cause a BUG_ON failure when using nilfs2.\r\n\r\nNilfs2 itself does not use end_buffer_async_write().  But, the async_write\nflag is now used as a marker by commit 7f42ec394156 (\"nilfs2: fix issue\nwith race condition of competition between segments for dirty blocks\") as\na means of resolving double list insertion of dirty blocks in\nnilfs_lookup_dirty_data_buffers() and nilfs_lookup_node_buffers() and the\nresulting crash.\r\n\r\nThis modification is safe as long as it is used for file data and b-tree\nnode blocks where the page caches are independent.  However, it was\nirrelevant and redundant to also introduce async_write for segment summary\nand super root blocks that share buffers with the backing device.  This\nled to the possibility that the BUG_ON check in end_buffer_async_write\nwould fail as described above, if independent writebacks of the backing\ndevice occurred in parallel.\r\n\r\nThe use of async_write for segment summary buffers has already been\nremoved in a previous change.\r\n\r\nFix this issue by removing the manipulation of the async_write flag for\nthe remaining super root block buffer.(CVE-2024-26685)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats\r\n\r\nlock_task_sighand() can trigger a hard lockup.  If NR_CPUS threads call\ndo_task_stat() at the same time and the process has NR_THREADS, it will\nspin with irqs disabled O(NR_CPUS * NR_THREADS) time.\r\n\r\nChange do_task_stat() to use sig->stats_lock to gather the statistics\noutside of ->siglock protected section, in the likely case this code will\nrun lockless.(CVE-2024-26686)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix data corruption in dsync block recovery for small block sizes\r\n\r\nThe helper function nilfs_recovery_copy_block() of\nnilfs_recovery_dsync_blocks(), which recovers data from logs created by\ndata sync writes during a mount after an unclean shutdown, incorrectly\ncalculates the on-page offset when copying repair data to the file's page\ncache.  In environments where the block size is smaller than the page\nsize, this flaw can cause data corruption and leak uninitialized memory\nbytes during the recovery process.\r\n\r\nFix these issues by correcting this byte offset calculation on the page.(CVE-2024-26697)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again\r\n\r\n(struct dirty_throttle_control *)->thresh is an unsigned long, but is\npassed as the u32 divisor argument to div_u64().  On architectures where\nunsigned long is 64 bytes, the argument will be implicitly truncated.\r\n\r\nUse div64_u64() instead of div_u64() so that the value used in the \"is\nthis a safe division\" check is the same as the divisor.\r\n\r\nAlso, remove redundant cast of the numerator to u64, as that should happen\nimplicitly.\r\n\r\nThis would be difficult to exploit in memcg domain, given the ratio-based\narithmetic domain_drity_limits() uses, but is much easier in global\nwriteback domain with a BDI_CAP_STRICTLIMIT-backing device, using e.g. \nvm.dirty_bytes=(1<<32)*PAGE_SIZE so that dtc->thresh == (1<<32)(CVE-2024-26720)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: don't drop extent_map for free space inode on write error\r\n\r\nWhile running the CI for an unrelated change I hit the following panic\nwith generic/648 on btrfs_holes_spacecache.\r\n\r\nassertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385\n------------[ cut here ]------------\nkernel BUG at fs/btrfs/extent_io.c:1385!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G        W          6.8.0-rc2+ #1\nRIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0\nCall Trace:\n <TASK>\n extent_write_cache_pages+0x2ac/0x8f0\n extent_writepages+0x87/0x110\n do_writepages+0xd5/0x1f0\n filemap_fdatawrite_wbc+0x63/0x90\n __filemap_fdatawrite_range+0x5c/0x80\n btrfs_fdatawrite_range+0x1f/0x50\n btrfs_write_out_cache+0x507/0x560\n btrfs_write_dirty_block_groups+0x32a/0x420\n commit_cowonly_roots+0x21b/0x290\n btrfs_commit_transaction+0x813/0x1360\n btrfs_sync_file+0x51a/0x640\n __x64_sys_fdatasync+0x52/0x90\n do_syscall_64+0x9c/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\nThis happens because we fail to write out the free space cache in one\ninstance, come back around and attempt to write it again.  However on\nthe second pass through we go to call btrfs_get_extent() on the inode to\nget the extent mapping.  Because this is a new block group, and with the\nfree space inode we always search the commit root to avoid deadlocking\nwith the tree, we find nothing and return a EXTENT_MAP_HOLE for the\nrequested range.\r\n\r\nThis happens because the first time we try to write the space cache out\nwe hit an error, and on an error we drop the extent mapping.  This is\nnormal for normal files, but the free space cache inode is special.  We\nalways expect the extent map to be correct.  Thus the second time\nthrough we end up with a bogus extent map.\r\n\r\nSince we're deprecating this feature, the most straightforward way to\nfix this is to simply skip dropping the extent map range for this failed\nrange.\r\n\r\nI shortened the test by using error injection to stress the area to make\nit easier to reproduce.  With this patch in place we no longer panic\nwith my error injection test.(CVE-2024-26726)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\narp: Prevent overflow in arp_req_get().\r\n\r\nsyzkaller reported an overflown write in arp_req_get(). [0]\r\n\r\nWhen ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour\nentry and copies neigh->ha to struct arpreq.arp_ha.sa_data.\r\n\r\nThe arp_ha here is struct sockaddr, not struct sockaddr_storage, so\nthe sa_data buffer is just 14 bytes.\r\n\r\nIn the splat below, 2 bytes are overflown to the next int field,\narp_flags.  We initialise the field just after the memcpy(), so it's\nnot a problem.\r\n\r\nHowever, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN),\narp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL)\nin arp_ioctl() before calling arp_req_get().\r\n\r\nTo avoid the overflow, let's limit the max length of memcpy().\r\n\r\nNote that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible\narray in struct sockaddr\") just silenced syzkaller.\r\n\r\n[0]:\nmemcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14)\nWARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128\nModules linked in:\nCPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014\nRIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128\nCode: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6\nRSP: 0018:ffffc900050b7998 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001\nRBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000\nR13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010\nFS:  00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <TASK>\n arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261\n inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981\n sock_do_ioctl+0xdf/0x260 net/socket.c:1204\n sock_ioctl+0x3ef/0x650 net/socket.c:1321\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x64/0xce\nRIP: 0033:0x7f172b262b8d\nCode: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d\nRDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003\nRBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000\n </TASK>(CVE-2024-26733)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: sr: fix possible use-after-free and null-ptr-deref\r\n\r\nThe pernet operations structure for the subsystem must be registered\nbefore registering the generic netlink family.(CVE-2024-26735)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: act_mirred: don't override retval if we already lost the skb\r\n\r\nIf we're redirecting the skb, and haven't called tcf_mirred_forward(),\nyet, we need to tell the core to drop the skb by setting the retcode\nto SHOT. If we have called tcf_mirred_forward(), however, the skb\nis out of our hands and returning SHOT will lead to UaF.\r\n\r\nMove the retval override to the error path which actually need it.(CVE-2024-26739)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: act_mirred: use the backlog for mirred ingress\r\n\r\nThe test Davide added in commit ca22da2fbd69 (\"act_mirred: use the backlog\nfor nested calls to mirred ingress\") hangs our testing VMs every 10 or so\nruns, with the familiar tcp_v4_rcv -> tcp_v4_rcv deadlock reported by\nlockdep.\r\n\r\nThe problem as previously described by Davide (see Link) is that\nif we reverse flow of traffic with the redirect (egress -> ingress)\nwe may reach the same socket which generated the packet. And we may\nstill be holding its socket lock. The common solution to such deadlocks\nis to put the packet in the Rx backlog, rather than run the Rx path\ninline. Do that for all egress -> ingress reversals, not just once\nwe started to nest mirred calls.\r\n\r\nIn the past there was a concern that the backlog indirection will\nlead to loss of error reporting / less accurate stats. But the current\nworkaround does not seem to address the issue.(CVE-2024-26740)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/qedr: Fix qedr_create_user_qp error flow\r\n\r\nAvoid the following warning by making sure to free the allocated\nresources in case that qedr_init_user_queue() fail.\r\n\r\n-----------[ cut here ]-----------\nWARNING: CPU: 0 PID: 143192 at drivers/infiniband/core/rdma_core.c:874 uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nModules linked in: tls target_core_user uio target_core_pscsi target_core_file target_core_iblock ib_srpt ib_srp scsi_transport_srp nfsd nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs 8021q garp mrp stp llc ext4 mbcache jbd2 opa_vnic ib_umad ib_ipoib sunrpc rdma_ucm ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm hfi1 intel_rapl_msr intel_rapl_common mgag200 qedr sb_edac drm_shmem_helper rdmavt x86_pkg_temp_thermal drm_kms_helper intel_powerclamp ib_uverbs coretemp i2c_algo_bit kvm_intel dell_wmi_descriptor ipmi_ssif sparse_keymap kvm ib_core rfkill syscopyarea sysfillrect video sysimgblt irqbypass ipmi_si ipmi_devintf fb_sys_fops rapl iTCO_wdt mxm_wmi iTCO_vendor_support intel_cstate pcspkr dcdbas intel_uncore ipmi_msghandler lpc_ich acpi_power_meter mei_me mei fuse drm xfs libcrc32c qede sd_mod ahci libahci t10_pi sg crct10dif_pclmul crc32_pclmul crc32c_intel qed libata tg3\nghash_clmulni_intel megaraid_sas crc8 wmi [last unloaded: ib_srpt]\nCPU: 0 PID: 143192 Comm: fi_rdm_tagged_p Kdump: loaded Not tainted 5.14.0-408.el9.x86_64 #1\nHardware name: Dell Inc. PowerEdge R430/03XKDV, BIOS 2.14.0 01/25/2022\nRIP: 0010:uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nCode: 5d 41 5c 41 5d 41 5e e9 0f 26 1b dd 48 89 df e8 67 6a ff ff 49 8b 86 10 01 00 00 48 85 c0 74 9c 4c 89 e7 e8 83 c0 cb dd eb 92 <0f> 0b eb be 0f 0b be 04 00 00 00 48 89 df e8 8e f5 ff ff e9 6d ff\nRSP: 0018:ffffb7c6cadfbc60 EFLAGS: 00010286\nRAX: ffff8f0889ee3f60 RBX: ffff8f088c1a5200 RCX: 00000000802a0016\nRDX: 00000000802a0017 RSI: 0000000000000001 RDI: ffff8f0880042600\nRBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000\nR10: ffff8f11fffd5000 R11: 0000000000039000 R12: ffff8f0d5b36cd80\nR13: ffff8f088c1a5250 R14: ffff8f1206d91000 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff8f11d7c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000147069200e20 CR3: 00000001c7210002 CR4: 00000000001706f0\nCall Trace:\n<TASK>\n? show_trace_log_lvl+0x1c4/0x2df\n? show_trace_log_lvl+0x1c4/0x2df\n? ib_uverbs_close+0x1f/0xb0 [ib_uverbs]\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\n? __warn+0x81/0x110\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\n? report_bug+0x10a/0x140\n? handle_bug+0x3c/0x70\n? exc_invalid_op+0x14/0x70\n? asm_exc_invalid_op+0x16/0x20\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nib_uverbs_close+0x1f/0xb0 [ib_uverbs]\n__fput+0x94/0x250\ntask_work_run+0x5c/0x90\ndo_exit+0x270/0x4a0\ndo_group_exit+0x2d/0x90\nget_signal+0x87c/0x8c0\narch_do_signal_or_restart+0x25/0x100\n? ib_uverbs_ioctl+0xc2/0x110 [ib_uverbs]\nexit_to_user_mode_loop+0x9c/0x130\nexit_to_user_mode_prepare+0xb6/0x100\nsyscall_exit_to_user_mode+0x12/0x40\ndo_syscall_64+0x69/0x90\n? syscall_exit_work+0x103/0x130\n? syscall_exit_to_user_mode+0x22/0x40\n? do_syscall_64+0x69/0x90\n? syscall_exit_work+0x103/0x130\n? syscall_exit_to_user_mode+0x22/0x40\n? do_syscall_64+0x69/0x90\n? do_syscall_64+0x69/0x90\n? common_interrupt+0x43/0xa0\nentry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x1470abe3ec6b\nCode: Unable to access opcode bytes at RIP 0x1470abe3ec41.\nRSP: 002b:00007fff13ce9108 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: fffffffffffffffc RBX: 00007fff13ce9218 RCX: 00001470abe3ec6b\nRDX: 00007fff13ce9200 RSI: 00000000c0181b01 RDI: 0000000000000004\nRBP: 00007fff13ce91e0 R08: 0000558d9655da10 R09: 0000558d9655dd00\nR10: 00007fff13ce95c0 R11: 0000000000000246 R12: 00007fff13ce9358\nR13: 0000000000000013 R14: 0000558d9655db50 R15: 00007fff13ce9470\n</TASK>\n--[ end trace 888a9b92e04c5c97 ]--(CVE-2024-26743)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/srpt: Support specifying the srpt_service_guid parameter\r\n\r\nMake loading ib_srpt with this parameter set work. The current behavior is\nthat setting that parameter while loading the ib_srpt kernel module\ntriggers the following kernel crash:\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nCall Trace:\n <TASK>\n parse_one+0x18c/0x1d0\n parse_args+0xe1/0x230\n load_module+0x8de/0xa60\n init_module_from_file+0x8b/0xd0\n idempotent_init_module+0x181/0x240\n __x64_sys_finit_module+0x5a/0xb0\n do_syscall_64+0x5f/0xe0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76(CVE-2024-26744)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()\r\n\r\nThe gtp_net_ops pernet operations structure for the subsystem must be\nregistered before registering the generic netlink family.\r\n\r\nSyzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:\r\n\r\ngeneral protection fault, probably for non-canonical address\n0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\nCPU: 1 PID: 5826 Comm: gtp Not tainted 6.8.0-rc3-std-def-alt1 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014\nRIP: 0010:gtp_genl_dump_pdp+0x1be/0x800 [gtp]\nCode: c6 89 c6 e8 64 e9 86 df 58 45 85 f6 0f 85 4e 04 00 00 e8 c5 ee 86\n      df 48 8b 54 24 18 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80>\n      3c 02 00 0f 85 de 05 00 00 48 8b 44 24 18 4c 8b 30 4c 39 f0 74\nRSP: 0018:ffff888014107220 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: ffff88800fcda588 R14: 0000000000000001 R15: 0000000000000000\nFS:  00007f1be4eb05c0(0000) GS:ffff88806ce80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1be4e766cf CR3: 000000000c33e000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? show_regs+0x90/0xa0\n ? die_addr+0x50/0xd0\n ? exc_general_protection+0x148/0x220\n ? asm_exc_general_protection+0x22/0x30\n ? gtp_genl_dump_pdp+0x1be/0x800 [gtp]\n ? __alloc_skb+0x1dd/0x350\n ? __pfx___alloc_skb+0x10/0x10\n genl_dumpit+0x11d/0x230\n netlink_dump+0x5b9/0xce0\n ? lockdep_hardirqs_on_prepare+0x253/0x430\n ? __pfx_netlink_dump+0x10/0x10\n ? kasan_save_track+0x10/0x40\n ? __kasan_kmalloc+0x9b/0xa0\n ? genl_start+0x675/0x970\n __netlink_dump_start+0x6fc/0x9f0\n genl_family_rcv_msg_dumpit+0x1bb/0x2d0\n ? __pfx_genl_family_rcv_msg_dumpit+0x10/0x10\n ? genl_op_from_small+0x2a/0x440\n ? cap_capable+0x1d0/0x240\n ? __pfx_genl_start+0x10/0x10\n ? __pfx_genl_dumpit+0x10/0x10\n ? __pfx_genl_done+0x10/0x10\n ? security_capable+0x9d/0xe0(CVE-2024-26754)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndm-crypt: don't modify the data when using authenticated encryption\r\n\r\nIt was said that authenticated encryption could produce invalid tag when\nthe data that is being encrypted is modified [1]. So, fix this problem by\ncopying the data into the clone bio first and then encrypt them inside the\nclone bio.\r\n\r\nThis may reduce performance, but it is needed to prevent the user from\ncorrupting the device by writing data with O_DIRECT and modifying them at\nthe same time.\r\n\r\n[1] https://lore.kernel.org/all/20240207004723.GA35324@sol.localdomain/T/(CVE-2024-26763)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: dev-replace: properly validate device names\r\n\r\nThere's a syzbot report that device name buffers passed to device\nreplace are not properly checked for string termination which could lead\nto a read out of bounds in getname_kernel().\r\n\r\nAdd a helper that validates both source and target device name buffers.\nFor devid as the source initialize the buffer to empty string in case\nsomething tries to read it later.\r\n\r\nThis was originally analyzed and fixed in a different way by Edward Adam\nDavis (see links).(CVE-2024-26791)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngtp: fix use-after-free and null-ptr-deref in gtp_newlink()\r\n\r\nThe gtp_link_ops operations structure for the subsystem must be\nregistered after registering the gtp_net_ops pernet operations structure.\r\n\r\nSyzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:\r\n\r\n[ 1010.702740] gtp: GTP module unloaded\n[ 1010.715877] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI\n[ 1010.715888] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\n[ 1010.715895] CPU: 1 PID: 128616 Comm: a.out Not tainted 6.8.0-rc6-std-def-alt1 #1\n[ 1010.715899] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014\n[ 1010.715908] RIP: 0010:gtp_newlink+0x4d7/0x9c0 [gtp]\n[ 1010.715915] Code: 80 3c 02 00 0f 85 41 04 00 00 48 8b bb d8 05 00 00 e8 ed f6 ff ff 48 89 c2 48 89 c5 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 4f 04 00 00 4c 89 e2 4c 8b 6d 00 48 b8 00 00 00\n[ 1010.715920] RSP: 0018:ffff888020fbf180 EFLAGS: 00010203\n[ 1010.715929] RAX: dffffc0000000000 RBX: ffff88800399c000 RCX: 0000000000000000\n[ 1010.715933] RDX: 0000000000000001 RSI: ffffffff84805280 RDI: 0000000000000282\n[ 1010.715938] RBP: 000000000000000d R08: 0000000000000001 R09: 0000000000000000\n[ 1010.715942] R10: 0000000000000001 R11: 0000000000000001 R12: ffff88800399cc80\n[ 1010.715947] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000400\n[ 1010.715953] FS:  00007fd1509ab5c0(0000) GS:ffff88805b300000(0000) knlGS:0000000000000000\n[ 1010.715958] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1010.715962] CR2: 0000000000000000 CR3: 000000001c07a000 CR4: 0000000000750ee0\n[ 1010.715968] PKRU: 55555554\n[ 1010.715972] Call Trace:\n[ 1010.715985]  ? __die_body.cold+0x1a/0x1f\n[ 1010.715995]  ? die_addr+0x43/0x70\n[ 1010.716002]  ? exc_general_protection+0x199/0x2f0\n[ 1010.716016]  ? asm_exc_general_protection+0x1e/0x30\n[ 1010.716026]  ? gtp_newlink+0x4d7/0x9c0 [gtp]\n[ 1010.716034]  ? gtp_net_exit+0x150/0x150 [gtp]\n[ 1010.716042]  __rtnl_newlink+0x1063/0x1700\n[ 1010.716051]  ? rtnl_setlink+0x3c0/0x3c0\n[ 1010.716063]  ? is_bpf_text_address+0xc0/0x1f0\n[ 1010.716070]  ? kernel_text_address.part.0+0xbb/0xd0\n[ 1010.716076]  ? __kernel_text_address+0x56/0xa0\n[ 1010.716084]  ? unwind_get_return_address+0x5a/0xa0\n[ 1010.716091]  ? create_prof_cpu_mask+0x30/0x30\n[ 1010.716098]  ? arch_stack_walk+0x9e/0xf0\n[ 1010.716106]  ? stack_trace_save+0x91/0xd0\n[ 1010.716113]  ? stack_trace_consume_entry+0x170/0x170\n[ 1010.716121]  ? __lock_acquire+0x15c5/0x5380\n[ 1010.716139]  ? mark_held_locks+0x9e/0xe0\n[ 1010.716148]  ? kmem_cache_alloc_trace+0x35f/0x3c0\n[ 1010.716155]  ? __rtnl_newlink+0x1700/0x1700\n[ 1010.716160]  rtnl_newlink+0x69/0xa0\n[ 1010.716166]  rtnetlink_rcv_msg+0x43b/0xc50\n[ 1010.716172]  ? rtnl_fdb_dump+0x9f0/0x9f0\n[ 1010.716179]  ? lock_acquire+0x1fe/0x560\n[ 1010.716188]  ? netlink_deliver_tap+0x12f/0xd50\n[ 1010.716196]  netlink_rcv_skb+0x14d/0x440\n[ 1010.716202]  ? rtnl_fdb_dump+0x9f0/0x9f0\n[ 1010.716208]  ? netlink_ack+0xab0/0xab0\n[ 1010.716213]  ? netlink_deliver_tap+0x202/0xd50\n[ 1010.716220]  ? netlink_deliver_tap+0x218/0xd50\n[ 1010.716226]  ? __virt_addr_valid+0x30b/0x590\n[ 1010.716233]  netlink_unicast+0x54b/0x800\n[ 1010.716240]  ? netlink_attachskb+0x870/0x870\n[ 1010.716248]  ? __check_object_size+0x2de/0x3b0\n[ 1010.716254]  netlink_sendmsg+0x938/0xe40\n[ 1010.716261]  ? netlink_unicast+0x800/0x800\n[ 1010.716269]  ? __import_iovec+0x292/0x510\n[ 1010.716276]  ? netlink_unicast+0x800/0x800\n[ 1010.716284]  __sock_sendmsg+0x159/0x190\n[ 1010.716290]  ____sys_sendmsg+0x712/0x880\n[ 1010.716297]  ? sock_write_iter+0x3d0/0x3d0\n[ 1010.716304]  ? __ia32_sys_recvmmsg+0x270/0x270\n[ 1010.716309]  ? lock_acquire+0x1fe/0x560\n[ 1010.716315]  ? drain_array_locked+0x90/0x90\n[ 1010.716324]  ___sys_sendmsg+0xf8/0x170\n[ 1010.716331]  ? sendmsg_copy_msghdr+0x170/0x170\n[ 1010.716337]  ? lockdep_init_map\n---truncated---(CVE-2024-26793)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: Avoid potential use-after-free in hci_error_reset\r\n\r\nWhile handling the HCI_EV_HARDWARE_ERROR event, if the underlying\nBT controller is not responding, the GPIO reset mechanism would\nfree the hci_dev and lead to a use-after-free in hci_error_reset.\r\n\r\nHere's the call trace observed on a ChromeOS device with Intel AX201:\n   queue_work_on+0x3e/0x6c\n   __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth <HASH:3b4a6>]\n   ? init_wait_entry+0x31/0x31\n   __hci_cmd_sync+0x16/0x20 [bluetooth <HASH:3b4a 6>]\n   hci_error_reset+0x4f/0xa4 [bluetooth <HASH:3b4a 6>]\n   process_one_work+0x1d8/0x33f\n   worker_thread+0x21b/0x373\n   kthread+0x13a/0x152\n   ? pr_cont_work+0x54/0x54\n   ? kthread_blkcg+0x31/0x31\n    ret_from_fork+0x1f/0x30\r\n\r\nThis patch holds the reference count on the hci_dev while processing\na HCI_EV_HARDWARE_ERROR event to avoid potential crash.(CVE-2024-26801)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: ip_tunnel: prevent perpetual headroom growth\r\n\r\nsyzkaller triggered following kasan splat:\nBUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170\nRead of size 1 at addr ffff88812fb4000e by task syz-executor183/5191\n[..]\n kasan_report+0xda/0x110 mm/kasan/report.c:588\n __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170\n skb_flow_dissect_flow_keys include/linux/skbuff.h:1514 [inline]\n ___skb_get_hash net/core/flow_dissector.c:1791 [inline]\n __skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856\n skb_get_hash include/linux/skbuff.h:1556 [inline]\n ip_tunnel_xmit+0x1855/0x33c0 net/ipv4/ip_tunnel.c:748\n ipip_tunnel_xmit+0x3cc/0x4e0 net/ipv4/ipip.c:308\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564\n __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4349\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\n neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1592\n ...\n ip_finish_output2+0x833/0x2550 net/ipv4/ip_output.c:235\n ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323\n ..\n iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82\n ip_tunnel_xmit+0x1dbc/0x33c0 net/ipv4/ip_tunnel.c:831\n ipgre_xmit+0x4a1/0x980 net/ipv4/ip_gre.c:665\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564\n ...\r\n\r\nThe splat occurs because skb->data points past skb->head allocated area.\nThis is because neigh layer does:\n  __skb_pull(skb, skb_network_offset(skb));\r\n\r\n... but skb_network_offset() returns a negative offset and __skb_pull()\narg is unsigned.  IOW, we skb->data gets \"adjusted\" by a huge value.\r\n\r\nThe negative value is returned because skb->head and skb->data distance is\nmore than 64k and skb->network_header (u16) has wrapped around.\r\n\r\nThe bug is in the ip_tunnel infrastructure, which can cause\ndev->needed_headroom to increment ad infinitum.\r\n\r\nThe syzkaller reproducer consists of packets getting routed via a gre\ntunnel, and route of gre encapsulated packets pointing at another (ipip)\ntunnel.  The ipip encapsulation finds gre0 as next output device.\r\n\r\nThis results in the following pattern:\r\n\r\n1). First packet is to be sent out via gre0.\nRoute lookup found an output device, ipip0.\r\n\r\n2).\nip_tunnel_xmit for gre0 bumps gre0->needed_headroom based on the future\noutput device, rt.dev->needed_headroom (ipip0).\r\n\r\n3).\nip output / start_xmit moves skb on to ipip0. which runs the same\ncode path again (xmit recursion).\r\n\r\n4).\nRouting step for the post-gre0-encap packet finds gre0 as output device\nto use for ipip0 encapsulated packet.\r\n\r\ntunl0->needed_headroom is then incremented based on the (already bumped)\ngre0 device headroom.\r\n\r\nThis repeats for every future packet:\r\n\r\ngre0->needed_headroom gets inflated because previous packets' ipip0 step\nincremented rt->dev (gre0) headroom, and ipip0 incremented because gre0\nneeded_headroom was increased.\r\n\r\nFor each subsequent packet, gre/ipip0->needed_headroom grows until\npost-expand-head reallocations result in a skb->head/data distance of\nmore than 64k.\r\n\r\nOnce that happens, skb->network_header (u16) wraps around when\npskb_expand_head tries to make sure that skb_network_offset() is unchanged\nafter the headroom expansion/reallocation.\r\n\r\nAfter this skb_network_offset(skb) returns a different (and negative)\nresult post headroom expansion.\r\n\r\nThe next trip to neigh layer (or anything else that would __skb_pull the\nnetwork header) makes skb->data point to a memory location outside\nskb->head area.\r\n\r\nv2: Cap the needed_headroom update to an arbitarily chosen upperlimit to\nprevent perpetual increase instead of dropping the headroom increment\ncompletely.(CVE-2024-26804)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetlink: Fix kernel-infoleak-after-free in __skb_datagram_iter\r\n\r\nsyzbot reported the following uninit-value access issue [1]:\r\n\r\nnetlink_to_full_skb() creates a new `skb` and puts the `skb->data`\npassed as a 1st arg of netlink_to_full_skb() onto new `skb`. The data\nsize is specified as `len` and passed to skb_put_data(). This `len`\nis based on `skb->end` that is not data offset but buffer offset. The\n`skb->end` contains data and tailroom. Since the tailroom is not\ninitialized when the new `skb` created, KMSAN detects uninitialized\nmemory area when copying the data.\r\n\r\nThis patch resolved this issue by correct the len from `skb->end` to\n`skb->len`, which is the actual data offset.\r\n\r\nBUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in copy_to_user_iter lib/iov_iter.c:24 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_ubuf include/linux/iov_iter.h:29 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance include/linux/iov_iter.h:271 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186\n copy_to_iter include/linux/uio.h:197 [inline]\n simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:532\n __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:420\n skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]\n packet_recvmsg+0xd9c/0x2000 net/packet/af_packet.c:3482\n sock_recvmsg_nosec net/socket.c:1044 [inline]\n sock_recvmsg net/socket.c:1066 [inline]\n sock_read_iter+0x467/0x580 net/socket.c:1136\n call_read_iter include/linux/fs.h:2014 [inline]\n new_sync_read fs/read_write.c:389 [inline]\n vfs_read+0x8f6/0xe00 fs/read_write.c:470\n ksys_read+0x20f/0x4c0 fs/read_write.c:613\n __do_sys_read fs/read_write.c:623 [inline]\n __se_sys_read fs/read_write.c:621 [inline]\n __x64_sys_read+0x93/0xd0 fs/read_write.c:621\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was stored to memory at:\n skb_put_data include/linux/skbuff.h:2622 [inline]\n netlink_to_full_skb net/netlink/af_netlink.c:181 [inline]\n __netlink_deliver_tap_skb net/netlink/af_netlink.c:298 [inline]\n __netlink_deliver_tap+0x5be/0xc90 net/netlink/af_netlink.c:325\n netlink_deliver_tap net/netlink/af_netlink.c:338 [inline]\n netlink_deliver_tap_kernel net/netlink/af_netlink.c:347 [inline]\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x10f1/0x1250 net/netlink/af_netlink.c:1368\n netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was created at:\n free_pages_prepare mm/page_alloc.c:1087 [inline]\n free_unref_page_prepare+0xb0/0xa40 mm/page_alloc.c:2347\n free_unref_page_list+0xeb/0x1100 mm/page_alloc.c:2533\n release_pages+0x23d3/0x2410 mm/swap.c:1042\n free_pages_and_swap_cache+0xd9/0xf0 mm/swap_state.c:316\n tlb_batch_pages\n---truncated---(CVE-2024-26805)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/pci: Create persistent INTx handler\r\n\r\nA vulnerability exists where the eventfd for INTx signaling can be\ndeconfigured, which unregisters the IRQ handler but still allows\neventfds to be signaled with a NULL context through the SET_IRQS ioctl\nor through unmask irqfd if the device interrupt is pending.\r\n\r\nIdeally this could be solved with some additional locking; the igate\nmutex serializes the ioctl and config space accesses, and the interrupt\nhandler is unregistered relative to the trigger, but the irqfd path\nruns asynchronous to those.  The igate mutex cannot be acquired from the\natomic context of the eventfd wake function.  Disabling the irqfd\nrelative to the eventfd registration is potentially incompatible with\nexisting userspace.\r\n\r\nAs a result, the solution implemented here moves configuration of the\nINTx interrupt handler to track the lifetime of the INTx context object\nand irq_type configuration, rather than registration of a particular\ntrigger eventfd.  Synchronization is added between the ioctl path and\neventfd_signal() wrapper such that the eventfd trigger can be\ndynamically updated relative to in-flight interrupts or irqfd callbacks.(CVE-2024-26812)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/platform: Create persistent IRQ handlers\r\n\r\nThe vfio-platform SET_IRQS ioctl currently allows loopback triggering of\nan interrupt before a signaling eventfd has been configured by the user,\nwhich thereby allows a NULL pointer dereference.\r\n\r\nRather than register the IRQ relative to a valid trigger, register all\nIRQs in a disabled state in the device open path.  This allows mask\noperations on the IRQ to nest within the overall enable state governed\nby a valid eventfd signal.  This decouples @masked, protected by the\n@locked spinlock from @trigger, protected via the @igate mutex.\r\n\r\nIn doing so, it's guaranteed that changes to @trigger cannot race the\nIRQ handlers because the IRQ handler is synchronously disabled before\nmodifying the trigger, and loopback triggering of the IRQ via ioctl is\nsafe due to serialization with trigger changes via igate.\r\n\r\nFor compatibility, request_irq() failures are maintained to be local to\nthe SET_IRQS ioctl rather than a fatal error in the open device path.\nThis allows, for example, a userspace driver with polling mode support\nto continue to work regardless of moving the request_irq() call site.\nThis necessarily blocks all SET_IRQS access to the failed index.(CVE-2024-26813)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\namdkfd: use calloc instead of kzalloc to avoid integer overflow\r\n\r\nThis uses calloc instead of doing the multiplication which might\noverflow.(CVE-2024-26817)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncifs: fix underflow in parse_server_interfaces()\r\n\r\nIn this loop, we step through the buffer and after each item we check\nif the size_left is greater than the minimum size we need.  However,\nthe problem is that \"bytes_left\" is type ssize_t while sizeof() is type\nsize_t.  That means that because of type promotion, the comparison is\ndone as an unsigned and if we have negative bytes left the loop\ncontinues instead of ending.(CVE-2024-26828)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nIB/hfi1: Fix a memleak in init_credit_return\r\n\r\nWhen dma_alloc_coherent fails to allocate dd->cr_base[i].va,\ninit_credit_return should deallocate dd->cr_base and\ndd->cr_base[i] that allocated before. Or those resources\nwould be never freed and a memleak is triggered.(CVE-2024-26839)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncachefiles: fix memory leak in cachefiles_add_cache()\r\n\r\nThe following memory leak was reported after unbinding /dev/cachefiles:\r\n\r\n==================================================================\nunreferenced object 0xffff9b674176e3c0 (size 192):\n  comm \"cachefilesd2\", pid 680, jiffies 4294881224\n  hex dump (first 32 bytes):\n    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc ea38a44b):\n    [<ffffffff8eb8a1a5>] kmem_cache_alloc+0x2d5/0x370\n    [<ffffffff8e917f86>] prepare_creds+0x26/0x2e0\n    [<ffffffffc002eeef>] cachefiles_determine_cache_security+0x1f/0x120\n    [<ffffffffc00243ec>] cachefiles_add_cache+0x13c/0x3a0\n    [<ffffffffc0025216>] cachefiles_daemon_write+0x146/0x1c0\n    [<ffffffff8ebc4a3b>] vfs_write+0xcb/0x520\n    [<ffffffff8ebc5069>] ksys_write+0x69/0xf0\n    [<ffffffff8f6d4662>] do_syscall_64+0x72/0x140\n    [<ffffffff8f8000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n==================================================================\r\n\r\nPut the reference count of cache_cred in cachefiles_daemon_unbind() to\nfix the problem. And also put cache_cred in cachefiles_add_cache() error\nbranch to avoid memory leaks.(CVE-2024-26840)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnvme-fc: do not wait in vain when unloading module\r\n\r\nThe module exit path has race between deleting all controllers and\nfreeing 'left over IDs'. To prevent double free a synchronization\nbetween nvme_delete_ctrl and ida_destroy has been added by the initial\ncommit.\r\n\r\nThere is some logic around trying to prevent from hanging forever in\nwait_for_completion, though it does not handling all cases. E.g.\nblktests is able to reproduce the situation where the module unload\nhangs forever.\r\n\r\nIf we completely rely on the cleanup code executed from the\nnvme_delete_ctrl path, all IDs will be freed eventually. This makes\ncalling ida_destroy unnecessary. We only have to ensure that all\nnvme_delete_ctrl code has been executed before we leave\nnvme_fc_exit_module. This is done by flushing the nvme_delete_wq\nworkqueue.\r\n\r\nWhile at it, remove the unused nvme_fc_wq workqueue too.(CVE-2024-26846)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/ipv6: avoid possible UAF in ip6_route_mpath_notify()\r\n\r\nsyzbot found another use-after-free in ip6_route_mpath_notify() [1]\r\n\r\nCommit f7225172f25a (\"net/ipv6: prevent use after free in\nip6_route_mpath_notify\") was not able to fix the root cause.\r\n\r\nWe need to defer the fib6_info_release() calls after\nip6_route_mpath_notify(), in the cleanup phase.\r\n\r\n[1]\nBUG: KASAN: slab-use-after-free in rt6_fill_node+0x1460/0x1ac0\nRead of size 4 at addr ffff88809a07fc64 by task syz-executor.2/23037\r\n\r\nCPU: 0 PID: 23037 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-01035-gea7f3cfaa588 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x167/0x540 mm/kasan/report.c:488\n  kasan_report+0x142/0x180 mm/kasan/report.c:601\n rt6_fill_node+0x1460/0x1ac0\n  inet6_rt_notify+0x13b/0x290 net/ipv6/route.c:6184\n  ip6_route_mpath_notify net/ipv6/route.c:5198 [inline]\n  ip6_route_multipath_add net/ipv6/route.c:5404 [inline]\n  inet6_rtm_newroute+0x1d0f/0x2300 net/ipv6/route.c:5517\n  rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597\n  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n  netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n  netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n  netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x221/0x270 net/socket.c:745\n  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n  ___sys_sendmsg net/socket.c:2638 [inline]\n  __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\nRIP: 0033:0x7f73dd87dda9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f73de6550c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f73dd9ac050 RCX: 00007f73dd87dda9\nRDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005\nRBP: 00007f73dd8ca47a R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000006e R14: 00007f73dd9ac050 R15: 00007ffdbdeb7858\n </TASK>\r\n\r\nAllocated by task 23037:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  poison_kmalloc_redzone mm/kasan/common.c:372 [inline]\n  __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:389\n  kasan_kmalloc include/linux/kasan.h:211 [inline]\n  __do_kmalloc_node mm/slub.c:3981 [inline]\n  __kmalloc+0x22e/0x490 mm/slub.c:3994\n  kmalloc include/linux/slab.h:594 [inline]\n  kzalloc include/linux/slab.h:711 [inline]\n  fib6_info_alloc+0x2e/0xf0 net/ipv6/ip6_fib.c:155\n  ip6_route_info_create+0x445/0x12b0 net/ipv6/route.c:3758\n  ip6_route_multipath_add net/ipv6/route.c:5298 [inline]\n  inet6_rtm_newroute+0x744/0x2300 net/ipv6/route.c:5517\n  rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597\n  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n  netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n  netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n  netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x221/0x270 net/socket.c:745\n  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n  ___sys_sendmsg net/socket.c:2638 [inline]\n  __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\r\n\r\nFreed by task 16:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  kasan_save_free_info+0x4e/0x60 mm/kasan/generic.c:640\n  poison_slab_object+0xa6/0xe0 m\n---truncated---(CVE-2024-26852)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngeneve: make sure to pull inner header in geneve_rx()\r\n\r\nsyzbot triggered a bug in geneve_rx() [1]\r\n\r\nIssue is similar to the one I fixed in commit 8d975c15c0cd\n(\"ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()\")\r\n\r\nWe have to save skb->network_header in a temporary variable\nin order to be able to recompute the network_header pointer\nafter a pskb_inet_may_pull() call.\r\n\r\npskb_inet_may_pull() makes sure the needed headers are in skb->head.\r\n\r\n[1]\nBUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]\n BUG: KMSAN: uninit-value in geneve_rx drivers/net/geneve.c:279 [inline]\n BUG: KMSAN: uninit-value in geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391\n  IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]\n  geneve_rx drivers/net/geneve.c:279 [inline]\n  geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391\n  udp_queue_rcv_one_skb+0x1d39/0x1f20 net/ipv4/udp.c:2108\n  udp_queue_rcv_skb+0x6ae/0x6e0 net/ipv4/udp.c:2186\n  udp_unicast_rcv_skb+0x184/0x4b0 net/ipv4/udp.c:2346\n  __udp4_lib_rcv+0x1c6b/0x3010 net/ipv4/udp.c:2422\n  udp_rcv+0x7d/0xa0 net/ipv4/udp.c:2604\n  ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205\n  ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254\n  dst_input include/net/dst.h:461 [inline]\n  ip_rcv_finish net/ipv4/ip_input.c:449 [inline]\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569\n  __netif_receive_skb_one_core net/core/dev.c:5534 [inline]\n  __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648\n  process_backlog+0x480/0x8b0 net/core/dev.c:5976\n  __napi_poll+0xe3/0x980 net/core/dev.c:6576\n  napi_poll net/core/dev.c:6645 [inline]\n  net_rx_action+0x8b8/0x1870 net/core/dev.c:6778\n  __do_softirq+0x1b7/0x7c5 kernel/softirq.c:553\n  do_softirq+0x9a/0xf0 kernel/softirq.c:454\n  __local_bh_enable_ip+0x9b/0xa0 kernel/softirq.c:381\n  local_bh_enable include/linux/bottom_half.h:33 [inline]\n  rcu_read_unlock_bh include/linux/rcupdate.h:820 [inline]\n  __dev_queue_xmit+0x2768/0x51c0 net/core/dev.c:4378\n  dev_queue_xmit include/linux/netdevice.h:3171 [inline]\n  packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276\n  packet_snd net/packet/af_packet.c:3081 [inline]\n  packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg net/socket.c:745 [inline]\n  __sys_sendto+0x735/0xa10 net/socket.c:2191\n  __do_sys_sendto net/socket.c:2203 [inline]\n  __se_sys_sendto net/socket.c:2199 [inline]\n  __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was created at:\n  slab_post_alloc_hook mm/slub.c:3819 [inline]\n  slab_alloc_node mm/slub.c:3860 [inline]\n  kmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n  __alloc_skb+0x352/0x790 net/core/skbuff.c:651\n  alloc_skb include/linux/skbuff.h:1296 [inline]\n  alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6394\n  sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2783\n  packet_alloc_skb net/packet/af_packet.c:2930 [inline]\n  packet_snd net/packet/af_packet.c:3024 [inline]\n  packet_sendmsg+0x70c2/0x9f10 net/packet/af_packet.c:3113\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg net/socket.c:745 [inline]\n  __sys_sendto+0x735/0xa10 net/socket.c:2191\n  __do_sys_sendto net/socket.c:2203 [inline]\n  __se_sys_sendto net/socket.c:2199 [inline]\n  __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b(CVE-2024-26857)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/bnx2x: Prevent access to a freed page in page_pool\r\n\r\nFix race condition leading to system crash during EEH error handling\r\n\r\nDuring EEH error recovery, the bnx2x driver's transmit timeout logic\ncould cause a race condition when handling reset tasks. The\nbnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(),\nwhich ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload()\nSGEs are freed using bnx2x_free_rx_sge_range(). However, this could\noverlap with the EEH driver's attempt to reset the device using\nbnx2x_io_slot_reset(), which also tries to free SGEs. This race\ncondition can result in system crashes due to accessing freed memory\nlocations in bnx2x_free_rx_sge()\r\n\r\n799  static inline void bnx2x_free_rx_sge(struct bnx2x *bp,\n800\t\t\t\tstruct bnx2x_fastpath *fp, u16 index)\n801  {\n802\tstruct sw_rx_page *sw_buf = &fp->rx_page_ring[index];\n803     struct page *page = sw_buf->page;\n....\nwhere sw_buf was set to NULL after the call to dma_unmap_page()\nby the preceding thread.\r\n\r\n    EEH: Beginning: 'slot_reset'\n    PCI 0011:01:00.0#10000: EEH: Invoking bnx2x->slot_reset()\n    bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing...\n    bnx2x 0011:01:00.0: enabling device (0140 -> 0142)\n    bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --> driver unload\n    Kernel attempted to read user page (0) - exploit attempt? (uid: 0)\n    BUG: Kernel NULL pointer dereference on read at 0x00000000\n    Faulting instruction address: 0xc0080000025065fc\n    Oops: Kernel access of bad area, sig: 11 [#1]\n    .....\n    Call Trace:\n    [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable)\n    [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0\n    [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550\n    [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60\n    [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170\n    [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0\n    [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64\r\n\r\nTo solve this issue, we need to verify page pool allocations before\nfreeing.(CVE-2024-26859)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhsr: Fix uninit-value access in hsr_get_node()\r\n\r\nKMSAN reported the following uninit-value access issue [1]:\r\n\r\n=====================================================\nBUG: KMSAN: uninit-value in hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246\n hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246\n fill_frame_info net/hsr/hsr_forward.c:577 [inline]\n hsr_forward_skb+0xe12/0x30e0 net/hsr/hsr_forward.c:615\n hsr_dev_xmit+0x1a1/0x270 net/hsr/hsr_device.c:223\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\n packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3087 [inline]\n packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n __sys_sendto+0x735/0xa10 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was created at:\n slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n slab_alloc_node mm/slub.c:3478 [inline]\n kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n __alloc_skb+0x318/0x740 net/core/skbuff.c:651\n alloc_skb include/linux/skbuff.h:1286 [inline]\n alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334\n sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787\n packet_alloc_skb net/packet/af_packet.c:2936 [inline]\n packet_snd net/packet/af_packet.c:3030 [inline]\n packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n __sys_sendto+0x735/0xa10 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nCPU: 1 PID: 5033 Comm: syz-executor334 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\n=====================================================\r\n\r\nIf the packet type ID field in the Ethernet header is either ETH_P_PRP or\nETH_P_HSR, but it is not followed by an HSR tag, hsr_get_skb_sequence_nr()\nreads an invalid value as a sequence number. This causes the above issue.\r\n\r\nThis patch fixes the issue by returning NULL if the Ethernet header is not\nfollowed by an HSR tag.(CVE-2024-26863)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/srpt: Do not register event handler until srpt device is fully setup\r\n\r\nUpon rare occasions, KASAN reports a use-after-free Write\nin srpt_refresh_port().\r\n\r\nThis seems to be because an event handler is registered before the\nsrpt device is fully setup and a race condition upon error may leave a\npartially setup event handler in place.\r\n\r\nInstead, only register the event handler after srpt device initialization\nis complete.(CVE-2024-26872)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: pvrusb2: fix uaf in pvr2_context_set_notify\r\n\r\n[Syzbot reported]\nBUG: KASAN: slab-use-after-free in pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35\nRead of size 4 at addr ffff888113aeb0d8 by task kworker/1:1/26\r\n\r\nCPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.8.0-rc1-syzkaller-00046-gf1a27f081c1f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0xc4/0x620 mm/kasan/report.c:488\n kasan_report+0xda/0x110 mm/kasan/report.c:601\n pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35\n pvr2_context_notify drivers/media/usb/pvrusb2/pvrusb2-context.c:95 [inline]\n pvr2_context_disconnect+0x94/0xb0 drivers/media/usb/pvrusb2/pvrusb2-context.c:272\r\n\r\nFreed by task 906:\nkasan_save_stack+0x33/0x50 mm/kasan/common.c:47\nkasan_save_track+0x14/0x30 mm/kasan/common.c:68\nkasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640\npoison_slab_object mm/kasan/common.c:241 [inline]\n__kasan_slab_free+0x106/0x1b0 mm/kasan/common.c:257\nkasan_slab_free include/linux/kasan.h:184 [inline]\nslab_free_hook mm/slub.c:2121 [inline]\nslab_free mm/slub.c:4299 [inline]\nkfree+0x105/0x340 mm/slub.c:4409\npvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:137 [inline]\npvr2_context_thread_func+0x69d/0x960 drivers/media/usb/pvrusb2/pvrusb2-context.c:158\r\n\r\n[Analyze]\nTask A set disconnect_flag = !0, which resulted in Task B's condition being met\nand releasing mp, leading to this issue.\r\n\r\n[Fix]\nPlace the disconnect_flag assignment operation after all code in pvr2_context_disconnect()\nto avoid this issue.(CVE-2024-26875)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/bridge: adv7511: fix crash on irq during probe\r\n\r\nMoved IRQ registration down to end of adv7511_probe().\r\n\r\nIf an IRQ already is pending during adv7511_probe\n(before adv7511_cec_init) then cec_received_msg_ts\ncould crash using uninitialized data:\r\n\r\n    Unable to handle kernel read from unreadable memory at virtual address 00000000000003d5\n    Internal error: Oops: 96000004 [#1] PREEMPT_RT SMP\n    Call trace:\n     cec_received_msg_ts+0x48/0x990 [cec]\n     adv7511_cec_irq_process+0x1cc/0x308 [adv7511]\n     adv7511_irq_process+0xd8/0x120 [adv7511]\n     adv7511_irq_handler+0x1c/0x30 [adv7511]\n     irq_thread_fn+0x30/0xa0\n     irq_thread+0x14c/0x238\n     kthread+0x190/0x1a8(CVE-2024-26876)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nquota: Fix potential NULL pointer dereference\r\n\r\nBelow race may cause NULL pointer dereference\r\n\r\nP1\t\t\t\t\tP2\ndquot_free_inode\t\t\tquota_off\n\t\t\t\t\t  drop_dquot_ref\n\t\t\t\t\t   remove_dquot_ref\n\t\t\t\t\t   dquots = i_dquot(inode)\n  dquots = i_dquot(inode)\n  srcu_read_lock\n  dquots[cnt]) != NULL (1)\n\t\t\t\t\t     dquots[type] = NULL (2)\n  spin_lock(&dquots[cnt]->dq_dqb_lock) (3)\n   ....\r\n\r\nIf dquot_free_inode(or other routines) checks inode's quota pointers (1)\nbefore quota_off sets it to NULL(2) and use it (3) after that, NULL pointer\ndereference will be triggered.\r\n\r\nSo let's fix it by using a temporary pointer to avoid this issue.(CVE-2024-26878)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndm: call the resume method on internal suspend\r\n\r\nThere is this reported crash when experimenting with the lvm2 testsuite.\nThe list corruption is caused by the fact that the postsuspend and resume\nmethods were not paired correctly; there were two consecutive calls to the\norigin_postsuspend function. The second call attempts to remove the\n\"hash_list\" entry from a list, while it was already removed by the first\ncall.\r\n\r\nFix __dm_internal_resume so that it calls the preresume and resume\nmethods of the table's targets.\r\n\r\nIf a preresume method of some target fails, we are in a tricky situation.\nWe can't return an error because dm_internal_resume isn't supposed to\nreturn errors. We can't return success, because then the \"resume\" and\n\"postsuspend\" methods would not be paired correctly. So, we set the\nDMF_SUSPENDED flag and we fake normal suspend - it may confuse userspace\ntools, but it won't cause a kernel crash.\r\n\r\n------------[ cut here ]------------\nkernel BUG at lib/list_debug.c:56!\ninvalid opcode: 0000 [#1] PREEMPT SMP\nCPU: 1 PID: 8343 Comm: dmsetup Not tainted 6.8.0-rc6 #4\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\nRIP: 0010:__list_del_entry_valid_or_report+0x77/0xc0\n<snip>\nRSP: 0018:ffff8881b831bcc0 EFLAGS: 00010282\nRAX: 000000000000004e RBX: ffff888143b6eb80 RCX: 0000000000000000\nRDX: 0000000000000001 RSI: ffffffff819053d0 RDI: 00000000ffffffff\nRBP: ffff8881b83a3400 R08: 00000000fffeffff R09: 0000000000000058\nR10: 0000000000000000 R11: ffffffff81a24080 R12: 0000000000000001\nR13: ffff88814538e000 R14: ffff888143bc6dc0 R15: ffffffffa02e4bb0\nFS:  00000000f7c0f780(0000) GS:ffff8893f0a40000(0000) knlGS:0000000000000000\nCS:  0010 DS: 002b ES: 002b CR0: 0000000080050033\nCR2: 0000000057fb5000 CR3: 0000000143474000 CR4: 00000000000006b0\nCall Trace:\n <TASK>\n ? die+0x2d/0x80\n ? do_trap+0xeb/0xf0\n ? __list_del_entry_valid_or_report+0x77/0xc0\n ? do_error_trap+0x60/0x80\n ? __list_del_entry_valid_or_report+0x77/0xc0\n ? exc_invalid_op+0x49/0x60\n ? __list_del_entry_valid_or_report+0x77/0xc0\n ? asm_exc_invalid_op+0x16/0x20\n ? table_deps+0x1b0/0x1b0 [dm_mod]\n ? __list_del_entry_valid_or_report+0x77/0xc0\n origin_postsuspend+0x1a/0x50 [dm_snapshot]\n dm_table_postsuspend_targets+0x34/0x50 [dm_mod]\n dm_suspend+0xd8/0xf0 [dm_mod]\n dev_suspend+0x1f2/0x2f0 [dm_mod]\n ? table_deps+0x1b0/0x1b0 [dm_mod]\n ctl_ioctl+0x300/0x5f0 [dm_mod]\n dm_compat_ctl_ioctl+0x7/0x10 [dm_mod]\n __x64_compat_sys_ioctl+0x104/0x170\n do_syscall_64+0x184/0x1b0\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\nRIP: 0033:0xf7e6aead\n<snip>\n---[ end trace 0000000000000000 ]---(CVE-2024-26880)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete\r\n\r\nThe ath9k_wmi_event_tasklet() used in ath9k_htc assumes that all the data\nstructures have been fully initialised by the time it runs. However, because of\nthe order in which things are initialised, this is not guaranteed to be the\ncase, because the device is exposed to the USB subsystem before the ath9k driver\ninitialisation is completed.\r\n\r\nWe already committed a partial fix for this in commit:\n8b3046abc99e (\"ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()\")\r\n\r\nHowever, that commit only aborted the WMI_TXSTATUS_EVENTID command in the event\ntasklet, pairing it with an \"initialisation complete\" bit in the TX struct. It\nseems syzbot managed to trigger the race for one of the other commands as well,\nso let's just move the existing synchronisation bit to cover the whole\ntasklet (setting it at the end of ath9k_htc_probe_device() instead of inside\nath9k_tx_init()).(CVE-2024-26897)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: Reset IH OVERFLOW_CLEAR bit\r\n\r\nAllows us to detect subsequent IH ring buffer overflows as well.(CVE-2024-26915)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: validate the parameters of bo mapping operations more clearly\r\n\r\nVerify the parameters of\namdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.(CVE-2024-26922)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: go7007: fix a memleak in go7007_load_encoder\r\n\r\nIn go7007_load_encoder, bounce(i.e. go->boot_fw), is allocated without\na deallocation thereafter. After the following call chain:\r\n\r\nsaa7134_go7007_init\n  |-> go7007_boot_encoder\n        |-> go7007_load_encoder\n  |-> kfree(go)\r\n\r\ngo is freed and thus bounce is leaked.(CVE-2024-27074)",
+    "cves": [
+      {
+        "id": "CVE-2024-27074",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27074",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1114": {
+    "id": "openEuler-SA-2023-1114",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1114",
+    "title": "An update for python-django is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "A high-level Python Web framework that encourages rapid development and clean, pragmatic design.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.(CVE-2023-23969)",
+    "cves": [
+      {
+        "id": "CVE-2023-23969",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23969",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1278": {
+    "id": "openEuler-SA-2024-1278",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1278",
+    "title": "An update for gala-gopher is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "gala-gopher is a low-overhead eBPF-based probes framework\r\n\r\nSecurity Fix(es):\r\n\r\ngala-gopher 1.0.2组件中存在命令注入攻击漏洞(CVE-2024-24890)",
+    "cves": [
+      {
+        "id": "CVE-2024-24890",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24890",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1396": {
+    "id": "openEuler-SA-2023-1396",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1396",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nAn issue was discovered in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel 6.2. There is a blocking operation when a task is in !TASK_RUNNING. In dvb_frontend_get_event, wait_event_interruptible is called; the condition is dvb_frontend_test_event(fepriv,events). In dvb_frontend_test_event, down(&fepriv->sem) is called. However, wait_event_interruptible would put the process to sleep, and down(&fepriv->sem) may block the process.(CVE-2023-31084)\n\nA flaw was found in the Framebuffer Console (fbcon) in the Linux Kernel. When providing font->width and font->height greater than 32 to fbcon_set_font, since there are no checks in place, a shift-out-of-bounds occurs leading to undefined behavior and possible denial of service.(CVE-2023-3161)\n\nA NULL pointer dereference issue was found in the gfs2 file system in the Linux kernel. It occurs on corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it has been freed and set to NULL. A privileged local user could use this flaw to cause a kernel panic.(CVE-2023-3212)\n\n** DISPUTED ** An issue was discovered in the Linux kernel before 6.3.3. There is an out-of-bounds read in crc16 in lib/crc16.c when called from fs/ext4/super.c because ext4_group_desc_csum does not properly check an offset. NOTE: this is disputed by third parties because the kernel is not intended to defend against attackers with the stated \"When modifying the block device while it is mounted by the filesystem\" access.(CVE-2023-34256)\n\nAn issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation.(CVE-2023-35788)\n\nAn issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in saa7134_finidev in drivers/media/pci/saa7134/saa7134-core.c.(CVE-2023-35823)\n\nAn issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in drivers/media/pci/dm1105/dm1105.c.(CVE-2023-35824)\n\nAn issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in renesas_usb3_remove in drivers/usb/gadget/udc/renesas_usb3.c.(CVE-2023-35828)",
+    "cves": [
+      {
+        "id": "CVE-2023-35828",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35828",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1316": {
+    "id": "openEuler-SA-2023-1316",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1316",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "This libtiff provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. The latest version of the TIFF specification is available on-line in several different formats.And contains command-line programs for manipulating TIFF format image files using the libtiff library.\r\n\r\nSecurity Fix(es):\r\n\r\nA NULL pointer dereference flaw was found in Libtiff's LZWDecode() function in the libtiff/tif_lzw.c file. This flaw allows a local attacker to craft specific input data that can cause the program to dereference a NULL pointer when decompressing a TIFF format file, resulting in a program crash or denial of service.(CVE-2023-2731)",
+    "cves": [
+      {
+        "id": "CVE-2023-2731",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2731",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1483": {
+    "id": "openEuler-SA-2024-1483",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1483",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni2c: img-scb: fix reference leak when pm_runtime_get_sync fails\r\n\r\nThe PM reference count is not expected to be incremented on\nreturn in functions img_i2c_xfer and img_i2c_init.\r\n\r\nHowever, pm_runtime_get_sync will increment the PM reference\ncount even failed. Forgetting to putting operation will result\nin a reference leak here.\r\n\r\nReplace it with pm_runtime_resume_and_get to keep usage\ncounter balanced.(CVE-2020-36783)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nkyber: fix out of bounds access when preempted\r\n\r\n__blk_mq_sched_bio_merge() gets the ctx and hctx for the current CPU and\npasses the hctx to ->bio_merge(). kyber_bio_merge() then gets the ctx\nfor the current CPU again and uses that to get the corresponding Kyber\ncontext in the passed hctx. However, the thread may be preempted between\nthe two calls to blk_mq_get_ctx(), and the ctx returned the second time\nmay no longer correspond to the passed hctx. This \"works\" accidentally\nmost of the time, but it can cause us to read garbage if the second ctx\ncame from an hctx with more ctx's than the first one (i.e., if\nctx->index_hw[hctx->type] > hctx->nr_ctx).\r\n\r\nThis manifested as this UBSAN array index out of bounds error reported\nby Jakub:\r\n\r\nUBSAN: array-index-out-of-bounds in ../kernel/locking/qspinlock.c:130:9\nindex 13106 is out of range for type 'long unsigned int [128]'\nCall Trace:\n dump_stack+0xa4/0xe5\n ubsan_epilogue+0x5/0x40\n __ubsan_handle_out_of_bounds.cold.13+0x2a/0x34\n queued_spin_lock_slowpath+0x476/0x480\n do_raw_spin_lock+0x1c2/0x1d0\n kyber_bio_merge+0x112/0x180\n blk_mq_submit_bio+0x1f5/0x1100\n submit_bio_noacct+0x7b0/0x870\n submit_bio+0xc2/0x3a0\n btrfs_map_bio+0x4f0/0x9d0\n btrfs_submit_data_bio+0x24e/0x310\n submit_one_bio+0x7f/0xb0\n submit_extent_page+0xc4/0x440\n __extent_writepage_io+0x2b8/0x5e0\n __extent_writepage+0x28d/0x6e0\n extent_write_cache_pages+0x4d7/0x7a0\n extent_writepages+0xa2/0x110\n do_writepages+0x8f/0x180\n __writeback_single_inode+0x99/0x7f0\n writeback_sb_inodes+0x34e/0x790\n __writeback_inodes_wb+0x9e/0x120\n wb_writeback+0x4d2/0x660\n wb_workfn+0x64d/0xa10\n process_one_work+0x53a/0xa80\n worker_thread+0x69/0x5b0\n kthread+0x20b/0x240\n ret_from_fork+0x1f/0x30\r\n\r\nOnly Kyber uses the hctx, so fix it by passing the request_queue to\n->bio_merge() instead. BFQ and mq-deadline just use that, and Kyber can\nmap the queues itself to avoid the mismatch.(CVE-2021-46984)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbus: qcom: Put child node before return\r\n\r\nPut child node before return to fix potential reference count leak.\nGenerally, the reference count of child is incremented and decremented\nautomatically in the macro for_each_available_child_of_node() and should\nbe decremented manually if the loop is broken in loop body.(CVE-2021-47054)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init\r\n\r\nADF_STATUS_PF_RUNNING is (only) used and checked by adf_vf2pf_shutdown()\nbefore calling adf_iov_putmsg()->mutex_lock(vf2pf_lock), however the\nvf2pf_lock is initialized in adf_dev_init(), which can fail and when it\nfail, the vf2pf_lock is either not initialized or destroyed, a subsequent\nuse of vf2pf_lock will cause issue.\nTo fix this issue, only set this flag if adf_dev_init() returns 0.\r\n\r\n[    7.178404] BUG: KASAN: user-memory-access in __mutex_lock.isra.0+0x1ac/0x7c0\n[    7.180345] Call Trace:\n[    7.182576]  mutex_lock+0xc9/0xd0\n[    7.183257]  adf_iov_putmsg+0x118/0x1a0 [intel_qat]\n[    7.183541]  adf_vf2pf_shutdown+0x4d/0x7b [intel_qat]\n[    7.183834]  adf_dev_shutdown+0x172/0x2b0 [intel_qat]\n[    7.184127]  adf_probe+0x5e9/0x600 [qat_dh895xccvf](CVE-2021-47056)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: Stop looking for coalesced MMIO zones if the bus is destroyed\r\n\r\nAbort the walk of coalesced MMIO zones if kvm_io_bus_unregister_dev()\nfails to allocate memory for the new instance of the bus.  If it can't\ninstantiate a new bus, unregister_dev() destroys all devices _except_ the\ntarget device.   But, it doesn't tell the caller that it obliterated the\nbus and invoked the destructor for all devices that were on the bus.  In\nthe coalesced MMIO case, this can result in a deleted list entry\ndereference due to attempting to continue iterating on coalesced_zones\nafter future entries (in the walk) have been deleted.\r\n\r\nOpportunistically add curly braces to the for-loop, which encompasses\nmany lines but sneaks by without braces due to the guts being a single\nif statement.(CVE-2021-47060)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: Destroy I/O bus devices on unregister failure _after_ sync'ing SRCU\r\n\r\nIf allocating a new instance of an I/O bus fails when unregistering a\ndevice, wait to destroy the device until after all readers are guaranteed\nto see the new null bus.  Destroying devices before the bus is nullified\ncould lead to use-after-free since readers expect the devices on their\nreference of the bus to remain valid.(CVE-2021-47061)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm: bridge/panel: Cleanup connector on bridge detach\r\n\r\nIf we don't call drm_connector_cleanup() manually in\npanel_bridge_detach(), the connector will be cleaned up with the other\nDRM objects in the call to drm_mode_config_cleanup(). However, since our\ndrm_connector is devm-allocated, by the time drm_mode_config_cleanup()\nwill be called, our connector will be long gone. Therefore, the\nconnector must be cleaned up when the bridge is detached to avoid\nuse-after-free conditions.\r\n\r\nv2: Cleanup connector only if it was created\r\n\r\nv3: Add FIXME\r\n\r\nv4: (Use connector->dev) directly in if() block(CVE-2021-47063)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nuio_hv_generic: Fix a memory leak in error handling paths\r\n\r\nIf 'vmbus_establish_gpadl()' fails, the (recv|send)_gpadl will not be\nupdated and 'hv_uio_cleanup()' in the error handling path will not be\nable to free the corresponding buffer.\r\n\r\nIn such a case, we need to free the buffer explicitly.(CVE-2021-47071)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnvme-loop: fix memory leak in nvme_loop_create_ctrl()\r\n\r\nWhen creating loop ctrl in nvme_loop_create_ctrl(), if nvme_init_ctrl()\nfails, the loop ctrl should be freed before jumping to the \"out\" label.(CVE-2021-47074)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: qedf: Add pointer checks in qedf_update_link_speed()\r\n\r\nThe following trace was observed:\r\n\r\n [   14.042059] Call Trace:\n [   14.042061]  <IRQ>\n [   14.042068]  qedf_link_update+0x144/0x1f0 [qedf]\n [   14.042117]  qed_link_update+0x5c/0x80 [qed]\n [   14.042135]  qed_mcp_handle_link_change+0x2d2/0x410 [qed]\n [   14.042155]  ? qed_set_ptt+0x70/0x80 [qed]\n [   14.042170]  ? qed_set_ptt+0x70/0x80 [qed]\n [   14.042186]  ? qed_rd+0x13/0x40 [qed]\n [   14.042205]  qed_mcp_handle_events+0x437/0x690 [qed]\n [   14.042221]  ? qed_set_ptt+0x70/0x80 [qed]\n [   14.042239]  qed_int_sp_dpc+0x3a6/0x3e0 [qed]\n [   14.042245]  tasklet_action_common.isra.14+0x5a/0x100\n [   14.042250]  __do_softirq+0xe4/0x2f8\n [   14.042253]  irq_exit+0xf7/0x100\n [   14.042255]  do_IRQ+0x7f/0xd0\n [   14.042257]  common_interrupt+0xf/0xf\n [   14.042259]  </IRQ>\r\n\r\nAPI qedf_link_update() is getting called from QED but by that time\nshost_data is not initialised. This results in a NULL pointer dereference\nwhen we try to dereference shost_data while updating supported_speeds.\r\n\r\nAdd a NULL pointer check before dereferencing shost_data.(CVE-2021-47077)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/rxe: Clear all QP fields if creation failed\r\n\r\nrxe_qp_do_cleanup() relies on valid pointer values in QP for the properly\ncreated ones, but in case rxe_qp_from_init() failed it was filled with\ngarbage and caused tot the following error.\r\n\r\n  refcount_t: underflow; use-after-free.\n  WARNING: CPU: 1 PID: 12560 at lib/refcount.c:28 refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28\n  Modules linked in:\n  CPU: 1 PID: 12560 Comm: syz-executor.4 Not tainted 5.12.0-syzkaller #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n  RIP: 0010:refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28\n  Code: e9 db fe ff ff 48 89 df e8 2c c2 ea fd e9 8a fe ff ff e8 72 6a a7 fd 48 c7 c7 e0 b2 c1 89 c6 05 dc 3a e6 09 01 e8 ee 74 fb 04 <0f> 0b e9 af fe ff ff 0f 1f 84 00 00 00 00 00 41 56 41 55 41 54 55\n  RSP: 0018:ffffc900097ceba8 EFLAGS: 00010286\n  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n  RDX: 0000000000040000 RSI: ffffffff815bb075 RDI: fffff520012f9d67\n  RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000\n  R10: ffffffff815b4eae R11: 0000000000000000 R12: ffff8880322a4800\n  R13: ffff8880322a4940 R14: ffff888033044e00 R15: 0000000000000000\n  FS:  00007f6eb2be3700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007fdbe5d41000 CR3: 000000001d181000 CR4: 00000000001506e0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   __refcount_sub_and_test include/linux/refcount.h:283 [inline]\n   __refcount_dec_and_test include/linux/refcount.h:315 [inline]\n   refcount_dec_and_test include/linux/refcount.h:333 [inline]\n   kref_put include/linux/kref.h:64 [inline]\n   rxe_qp_do_cleanup+0x96f/0xaf0 drivers/infiniband/sw/rxe/rxe_qp.c:805\n   execute_in_process_context+0x37/0x150 kernel/workqueue.c:3327\n   rxe_elem_release+0x9f/0x180 drivers/infiniband/sw/rxe/rxe_pool.c:391\n   kref_put include/linux/kref.h:65 [inline]\n   rxe_create_qp+0x2cd/0x310 drivers/infiniband/sw/rxe/rxe_verbs.c:425\n   _ib_create_qp drivers/infiniband/core/core_priv.h:331 [inline]\n   ib_create_named_qp+0x2ad/0x1370 drivers/infiniband/core/verbs.c:1231\n   ib_create_qp include/rdma/ib_verbs.h:3644 [inline]\n   create_mad_qp+0x177/0x2d0 drivers/infiniband/core/mad.c:2920\n   ib_mad_port_open drivers/infiniband/core/mad.c:3001 [inline]\n   ib_mad_init_device+0xd6f/0x1400 drivers/infiniband/core/mad.c:3092\n   add_client_context+0x405/0x5e0 drivers/infiniband/core/device.c:717\n   enable_device_and_get+0x1cd/0x3b0 drivers/infiniband/core/device.c:1331\n   ib_register_device drivers/infiniband/core/device.c:1413 [inline]\n   ib_register_device+0x7c7/0xa50 drivers/infiniband/core/device.c:1365\n   rxe_register_device+0x3d5/0x4a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1147\n   rxe_add+0x12fe/0x16d0 drivers/infiniband/sw/rxe/rxe.c:247\n   rxe_net_add+0x8c/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:503\n   rxe_newlink drivers/infiniband/sw/rxe/rxe.c:269 [inline]\n   rxe_newlink+0xb7/0xe0 drivers/infiniband/sw/rxe/rxe.c:250\n   nldev_newlink+0x30e/0x550 drivers/infiniband/core/nldev.c:1555\n   rdma_nl_rcv_msg+0x36d/0x690 drivers/infiniband/core/netlink.c:195\n   rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]\n   rdma_nl_rcv+0x2ee/0x430 drivers/infiniband/core/netlink.c:259\n   netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]\n   netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338\n   netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927\n   sock_sendmsg_nosec net/socket.c:654 [inline]\n   sock_sendmsg+0xcf/0x120 net/socket.c:674\n   ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350\n   ___sys_sendmsg+0xf3/0x170 net/socket.c:2404\n   __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433\n   do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47\n   entry_SYSCALL_64_after_hwframe+0\n---truncated---(CVE-2021-47078)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nasix: fix uninit-value in asix_mdio_read()\r\n\r\nasix_read_cmd() may read less than sizeof(smsr) bytes and in this case\nsmsr will be uninitialized.\r\n\r\nFail log:\nBUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]\nBUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497\nBUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497\n asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]\n asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497\n asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497(CVE-2021-47101)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/tls: Fix use-after-free after the TLS device goes down and up\r\n\r\nWhen a netdev with active TLS offload goes down, tls_device_down is\ncalled to stop the offload and tear down the TLS context. However, the\nsocket stays alive, and it still points to the TLS context, which is now\ndeallocated. If a netdev goes up, while the connection is still active,\nand the data flow resumes after a number of TCP retransmissions, it will\nlead to a use-after-free of the TLS context.\r\n\r\nThis commit addresses this bug by keeping the context alive until its\nnormal destruction, and implements the necessary fallbacks, so that the\nconnection can resume in software (non-offloaded) kTLS mode.\r\n\r\nOn the TX side tls_sw_fallback is used to encrypt all packets. The RX\nside already has all the necessary fallbacks, because receiving\nnon-decrypted packets is supported. The thing needed on the RX side is\nto block resync requests, which are normally produced after receiving\nnon-decrypted packets.\r\n\r\nThe necessary synchronization is implemented for a graceful teardown:\nfirst the fallbacks are deployed, then the driver resources are released\n(it used to be possible to have a tls_dev_resync after tls_dev_del).\r\n\r\nA new flag called TLS_RX_DEV_DEGRADED is added to indicate the fallback\nmode. It's used to skip the RX resync logic completely, as it becomes\nuseless, and some objects may be released (for example, resync_async,\nwhich is allocated and freed by the driver).(CVE-2021-47131)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: Fix a use-after-free\r\n\r\nlooks like we forget to set ttm->sg to NULL.\nHit panic below\r\n\r\n[ 1235.844104] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b7b4b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI\n[ 1235.989074] Call Trace:\n[ 1235.991751]  sg_free_table+0x17/0x20\n[ 1235.995667]  amdgpu_ttm_backend_unbind.cold+0x4d/0xf7 [amdgpu]\n[ 1236.002288]  amdgpu_ttm_backend_destroy+0x29/0x130 [amdgpu]\n[ 1236.008464]  ttm_tt_destroy+0x1e/0x30 [ttm]\n[ 1236.013066]  ttm_bo_cleanup_memtype_use+0x51/0xa0 [ttm]\n[ 1236.018783]  ttm_bo_release+0x262/0xa50 [ttm]\n[ 1236.023547]  ttm_bo_put+0x82/0xd0 [ttm]\n[ 1236.027766]  amdgpu_bo_unref+0x26/0x50 [amdgpu]\n[ 1236.032809]  amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x7aa/0xd90 [amdgpu]\n[ 1236.040400]  kfd_ioctl_alloc_memory_of_gpu+0xe2/0x330 [amdgpu]\n[ 1236.046912]  kfd_ioctl+0x463/0x690 [amdgpu](CVE-2021-47142)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/smc: remove device from smcd_dev_list after failed device_add()\r\n\r\nIf the device_add() for a smcd_dev fails, there's no cleanup step that\nrolls back the earlier list_add(). The device subsequently gets freed,\nand we end up with a corrupted list.\r\n\r\nAdd some error handling that removes the device from the list.(CVE-2021-47143)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/amdgpu: fix refcount leak\r\n\r\n[Why]\nthe gem object rfb->base.obj[0] is get according to num_planes\nin amdgpufb_create, but is not put according to num_planes\r\n\r\n[How]\nput rfb->base.obj[0] in amdgpu_fbdev_destroy according to num_planes(CVE-2021-47144)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: do not BUG_ON in link_to_fixup_dir\r\n\r\nWhile doing error injection testing I got the following panic\r\n\r\n  kernel BUG at fs/btrfs/tree-log.c:1862!\n  invalid opcode: 0000 [#1] SMP NOPTI\n  CPU: 1 PID: 7836 Comm: mount Not tainted 5.13.0-rc1+ #305\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014\n  RIP: 0010:link_to_fixup_dir+0xd5/0xe0\n  RSP: 0018:ffffb5800180fa30 EFLAGS: 00010216\n  RAX: fffffffffffffffb RBX: 00000000fffffffb RCX: ffff8f595287faf0\n  RDX: ffffb5800180fa37 RSI: ffff8f5954978800 RDI: 0000000000000000\n  RBP: ffff8f5953af9450 R08: 0000000000000019 R09: 0000000000000001\n  R10: 000151f408682970 R11: 0000000120021001 R12: ffff8f5954978800\n  R13: ffff8f595287faf0 R14: ffff8f5953c77dd0 R15: 0000000000000065\n  FS:  00007fc5284c8c40(0000) GS:ffff8f59bbd00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007fc5287f47c0 CR3: 000000011275e002 CR4: 0000000000370ee0\n  Call Trace:\n   replay_one_buffer+0x409/0x470\n   ? btree_read_extent_buffer_pages+0xd0/0x110\n   walk_up_log_tree+0x157/0x1e0\n   walk_log_tree+0xa6/0x1d0\n   btrfs_recover_log_trees+0x1da/0x360\n   ? replay_one_extent+0x7b0/0x7b0\n   open_ctree+0x1486/0x1720\n   btrfs_mount_root.cold+0x12/0xea\n   ? __kmalloc_track_caller+0x12f/0x240\n   legacy_get_tree+0x24/0x40\n   vfs_get_tree+0x22/0xb0\n   vfs_kern_mount.part.0+0x71/0xb0\n   btrfs_mount+0x10d/0x380\n   ? vfs_parse_fs_string+0x4d/0x90\n   legacy_get_tree+0x24/0x40\n   vfs_get_tree+0x22/0xb0\n   path_mount+0x433/0xa10\n   __x64_sys_mount+0xe3/0x120\n   do_syscall_64+0x3d/0x80\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\r\n\r\nWe can get -EIO or any number of legitimate errors from\nbtrfs_search_slot(), panicing here is not the appropriate response.  The\nerror path for this code handles errors properly, simply return the\nerror.(CVE-2021-47145)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmld: fix panic in mld_newpack()\r\n\r\nmld_newpack() doesn't allow to allocate high order page,\nonly order-0 allocation is allowed.\nIf headroom size is too large, a kernel panic could occur in skb_put().\r\n\r\nTest commands:\n    ip netns del A\n    ip netns del B\n    ip netns add A\n    ip netns add B\n    ip link add veth0 type veth peer name veth1\n    ip link set veth0 netns A\n    ip link set veth1 netns B\r\n\r\n    ip netns exec A ip link set lo up\n    ip netns exec A ip link set veth0 up\n    ip netns exec A ip -6 a a 2001:db8:0::1/64 dev veth0\n    ip netns exec B ip link set lo up\n    ip netns exec B ip link set veth1 up\n    ip netns exec B ip -6 a a 2001:db8:0::2/64 dev veth1\n    for i in {1..99}\n    do\n        let A=$i-1\n        ip netns exec A ip link add ip6gre$i type ip6gre \\\n\tlocal 2001:db8:$A::1 remote 2001:db8:$A::2 encaplimit 100\n        ip netns exec A ip -6 a a 2001:db8:$i::1/64 dev ip6gre$i\n        ip netns exec A ip link set ip6gre$i up\r\n\r\n        ip netns exec B ip link add ip6gre$i type ip6gre \\\n\tlocal 2001:db8:$A::2 remote 2001:db8:$A::1 encaplimit 100\n        ip netns exec B ip -6 a a 2001:db8:$i::2/64 dev ip6gre$i\n        ip netns exec B ip link set ip6gre$i up\n    done\r\n\r\nSplat looks like:\nkernel BUG at net/core/skbuff.c:110!\ninvalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI\nCPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.12.0+ #891\nWorkqueue: ipv6_addrconf addrconf_dad_work\nRIP: 0010:skb_panic+0x15d/0x15f\nCode: 92 fe 4c 8b 4c 24 10 53 8b 4d 70 45 89 e0 48 c7 c7 00 ae 79 83\n41 57 41 56 41 55 48 8b 54 24 a6 26 f9 ff <0f> 0b 48 8b 6c 24 20 89\n34 24 e8 4a 4e 92 fe 8b 34 24 48 c7 c1 20\nRSP: 0018:ffff88810091f820 EFLAGS: 00010282\nRAX: 0000000000000089 RBX: ffff8881086e9000 RCX: 0000000000000000\nRDX: 0000000000000089 RSI: 0000000000000008 RDI: ffffed1020123efb\nRBP: ffff888005f6eac0 R08: ffffed1022fc0031 R09: ffffed1022fc0031\nR10: ffff888117e00187 R11: ffffed1022fc0030 R12: 0000000000000028\nR13: ffff888008284eb0 R14: 0000000000000ed8 R15: 0000000000000ec0\nFS:  0000000000000000(0000) GS:ffff888117c00000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8b801c5640 CR3: 0000000033c2c006 CR4: 00000000003706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n ? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600\n ? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600\n skb_put.cold.104+0x22/0x22\n ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600\n ? rcu_read_lock_sched_held+0x91/0xc0\n mld_newpack+0x398/0x8f0\n ? ip6_mc_hdr.isra.26.constprop.46+0x600/0x600\n ? lock_contended+0xc40/0xc40\n add_grhead.isra.33+0x280/0x380\n add_grec+0x5ca/0xff0\n ? mld_sendpack+0xf40/0xf40\n ? lock_downgrade+0x690/0x690\n mld_send_initial_cr.part.34+0xb9/0x180\n ipv6_mc_dad_complete+0x15d/0x1b0\n addrconf_dad_completed+0x8d2/0xbb0\n ? lock_downgrade+0x690/0x690\n ? addrconf_rs_timer+0x660/0x660\n ? addrconf_dad_work+0x73c/0x10e0\n addrconf_dad_work+0x73c/0x10e0\r\n\r\nAllowing high order page allocation could fix this problem.(CVE-2021-47146)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni2c: i801: Don't generate an interrupt on bus reset\r\n\r\nNow that the i2c-i801 driver supports interrupts, setting the KILL bit\nin a attempt to recover from a timed out transaction triggers an\ninterrupt. Unfortunately, the interrupt handler (i801_isr) is not\nprepared for this situation and will try to process the interrupt as\nif it was signaling the end of a successful transaction. In the case\nof a block transaction, this can result in an out-of-range memory\naccess.\r\n\r\nThis condition was reproduced several times by syzbot:\nhttps://syzkaller.appspot.com/bug?extid=ed71512d469895b5b34e\nhttps://syzkaller.appspot.com/bug?extid=8c8dedc0ba9e03f6c79e\nhttps://syzkaller.appspot.com/bug?extid=c8ff0b6d6c73d81b610e\nhttps://syzkaller.appspot.com/bug?extid=33f6c360821c399d69eb\nhttps://syzkaller.appspot.com/bug?extid=be15dc0b1933f04b043a\nhttps://syzkaller.appspot.com/bug?extid=b4d3fd1dfd53e90afd79\r\n\r\nSo disable interrupts while trying to reset the bus. Interrupts will\nbe enabled again for the following transaction.(CVE-2021-47153)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: dsa: fix a crash if ->get_sset_count() fails\r\n\r\nIf ds->ops->get_sset_count() fails then it \"count\" is a negative error\ncode such as -EOPNOTSUPP.  Because \"i\" is an unsigned int, the negative\nerror code is type promoted to a very high value and the loop will\ncorrupt memory until the system crashes.\r\n\r\nFix this by checking for error codes and changing the type of \"i\" to\njust int.(CVE-2021-47159)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: dsa: mt7530: fix VLAN traffic leaks\r\n\r\nPCR_MATRIX field was set to all 1's when VLAN filtering is enabled, but\nwas not reset when it is disabled, which may cause traffic leaks:\r\n\r\n\tip link add br0 type bridge vlan_filtering 1\n\tip link add br1 type bridge vlan_filtering 1\n\tip link set swp0 master br0\n\tip link set swp1 master br1\n\tip link set br0 type bridge vlan_filtering 0\n\tip link set br1 type bridge vlan_filtering 0\n\t# traffic in br0 and br1 will start leaking to each other\r\n\r\nAs port_bridge_{add,del} have set up PCR_MATRIX properly, remove the\nPCR_MATRIX write from mt7530_port_set_vlan_aware.(CVE-2021-47160)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nspi: spi-fsl-dspi: Fix a resource leak in an error handling path\r\n\r\n'dspi_request_dma()' should be undone by a 'dspi_release_dma()' call in the\nerror handling path of the probe function, as already done in the remove\nfunction(CVE-2021-47161)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntipc: skb_linearize the head skb when reassembling msgs\r\n\r\nIt's not a good idea to append the frag skb to a skb's frag_list if\nthe frag_list already has skbs from elsewhere, such as this skb was\ncreated by pskb_copy() where the frag_list was cloned (all the skbs\nin it were skb_get'ed) and shared by multiple skbs.\r\n\r\nHowever, the new appended frag skb should have been only seen by the\ncurrent skb. Otherwise, it will cause use after free crashes as this\nappended frag skb are seen by multiple skbs but it only got skb_get\ncalled once.\r\n\r\nThe same thing happens with a skb updated by pskb_may_pull() with a\nskb_cloned skb. Li Shuang has reported quite a few crashes caused\nby this when doing testing over macvlan devices:\r\n\r\n  [] kernel BUG at net/core/skbuff.c:1970!\n  [] Call Trace:\n  []  skb_clone+0x4d/0xb0\n  []  macvlan_broadcast+0xd8/0x160 [macvlan]\n  []  macvlan_process_broadcast+0x148/0x150 [macvlan]\n  []  process_one_work+0x1a7/0x360\n  []  worker_thread+0x30/0x390\r\n\r\n  [] kernel BUG at mm/usercopy.c:102!\n  [] Call Trace:\n  []  __check_heap_object+0xd3/0x100\n  []  __check_object_size+0xff/0x16b\n  []  simple_copy_to_iter+0x1c/0x30\n  []  __skb_datagram_iter+0x7d/0x310\n  []  __skb_datagram_iter+0x2a5/0x310\n  []  skb_copy_datagram_iter+0x3b/0x90\n  []  tipc_recvmsg+0x14a/0x3a0 [tipc]\n  []  ____sys_recvmsg+0x91/0x150\n  []  ___sys_recvmsg+0x7b/0xc0\r\n\r\n  [] kernel BUG at mm/slub.c:305!\n  [] Call Trace:\n  []  <IRQ>\n  []  kmem_cache_free+0x3ff/0x400\n  []  __netif_receive_skb_core+0x12c/0xc40\n  []  ? kmem_cache_alloc+0x12e/0x270\n  []  netif_receive_skb_internal+0x3d/0xb0\n  []  ? get_rx_page_info+0x8e/0xa0 [be2net]\n  []  be_poll+0x6ef/0xd00 [be2net]\n  []  ? irq_exit+0x4f/0x100\n  []  net_rx_action+0x149/0x3b0\r\n\r\n  ...\r\n\r\nThis patch is to fix it by linearizing the head skb if it has frag_list\nset in tipc_buf_append(). Note that we choose to do this before calling\nskb_unshare(), as __skb_linearize() will avoid skb_copy(). Also, we can\nnot just drop the frag_list either as the early time.(CVE-2021-47162)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntipc: wait and exit until all work queues are done\r\n\r\nOn some host, a crash could be triggered simply by repeating these\ncommands several times:\r\n\r\n  # modprobe tipc\n  # tipc bearer enable media udp name UDP1 localip 127.0.0.1\n  # rmmod tipc\r\n\r\n  [] BUG: unable to handle kernel paging request at ffffffffc096bb00\n  [] Workqueue: events 0xffffffffc096bb00\n  [] Call Trace:\n  []  ? process_one_work+0x1a7/0x360\n  []  ? worker_thread+0x30/0x390\n  []  ? create_worker+0x1a0/0x1a0\n  []  ? kthread+0x116/0x130\n  []  ? kthread_flush_work_fn+0x10/0x10\n  []  ? ret_from_fork+0x35/0x40\r\n\r\nWhen removing the TIPC module, the UDP tunnel sock will be delayed to\nrelease in a work queue as sock_release() can't be done in rtnl_lock().\nIf the work queue is schedule to run after the TIPC module is removed,\nkernel will crash as the work queue function cleanup_beareri() code no\nlonger exists when trying to invoke it.\r\n\r\nTo fix it, this patch introduce a member wq_count in tipc_net to track\nthe numbers of work queues in schedule, and  wait and exit until all\nwork queues are done in tipc_exit_net().(CVE-2021-47163)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nNFS: Fix an Oopsable condition in __nfs_pageio_add_request()\r\n\r\nEnsure that nfs_pageio_error_cleanup() resets the mirror array contents,\nso that the structure reflects the fact that it is now empty.\nAlso change the test in nfs_pageio_do_add_request() to be more robust by\nchecking whether or not the list is empty rather than relying on the\nvalue of pg_count.(CVE-2021-47167)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nUSB: usbfs: Don't WARN about excessively large memory allocations\r\n\r\nSyzbot found that the kernel generates a WARNing if the user tries to\nsubmit a bulk transfer through usbfs with a buffer that is way too\nlarge.  This isn't a bug in the kernel; it's merely an invalid request\nfrom the user and the usbfs code does handle it correctly.\r\n\r\nIn theory the same thing can happen with async transfers, or with the\npacket descriptor table for isochronous transfers.\r\n\r\nTo prevent the MM subsystem from complaining about these bad\nallocation requests, add the __GFP_NOWARN flag to the kmalloc calls\nfor these buffers.(CVE-2021-47170)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: usb: fix memory leak in smsc75xx_bind\r\n\r\nSyzbot reported memory leak in smsc75xx_bind().\nThe problem was is non-freed memory in case of\nerrors after memory allocation.\r\n\r\nbacktrace:\n  [<ffffffff84245b62>] kmalloc include/linux/slab.h:556 [inline]\n  [<ffffffff84245b62>] kzalloc include/linux/slab.h:686 [inline]\n  [<ffffffff84245b62>] smsc75xx_bind+0x7a/0x334 drivers/net/usb/smsc75xx.c:1460\n  [<ffffffff82b5b2e6>] usbnet_probe+0x3b6/0xc30 drivers/net/usb/usbnet.c:1728(CVE-2021-47171)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmisc/uss720: fix memory leak in uss720_probe\r\n\r\nuss720_probe forgets to decrease the refcount of usbdev in uss720_probe.\nFix this by decreasing the refcount of usbdev by usb_put_dev.\r\n\r\nBUG: memory leak\nunreferenced object 0xffff888101113800 (size 2048):\n  comm \"kworker/0:1\", pid 7, jiffies 4294956777 (age 28.870s)\n  hex dump (first 32 bytes):\n    ff ff ff ff 31 00 00 00 00 00 00 00 00 00 00 00  ....1...........\n    00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00  ................\n  backtrace:\n    [<ffffffff82b8e822>] kmalloc include/linux/slab.h:554 [inline]\n    [<ffffffff82b8e822>] kzalloc include/linux/slab.h:684 [inline]\n    [<ffffffff82b8e822>] usb_alloc_dev+0x32/0x450 drivers/usb/core/usb.c:582\n    [<ffffffff82b98441>] hub_port_connect drivers/usb/core/hub.c:5129 [inline]\n    [<ffffffff82b98441>] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]\n    [<ffffffff82b98441>] port_event drivers/usb/core/hub.c:5509 [inline]\n    [<ffffffff82b98441>] hub_event+0x1171/0x20c0 drivers/usb/core/hub.c:5591\n    [<ffffffff81259229>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275\n    [<ffffffff81259b19>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421\n    [<ffffffff81261228>] kthread+0x178/0x1b0 kernel/kthread.c:292\n    [<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294(CVE-2021-47173)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nNFC: nci: fix memory leak in nci_allocate_device\r\n\r\nnfcmrvl_disconnect fails to free the hci_dev field in struct nci_dev.\nFix this by freeing hci_dev in nci_free_device.\r\n\r\nBUG: memory leak\nunreferenced object 0xffff888111ea6800 (size 1024):\n  comm \"kworker/1:0\", pid 19, jiffies 4294942308 (age 13.580s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 60 fd 0c 81 88 ff ff  .........`......\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<000000004bc25d43>] kmalloc include/linux/slab.h:552 [inline]\n    [<000000004bc25d43>] kzalloc include/linux/slab.h:682 [inline]\n    [<000000004bc25d43>] nci_hci_allocate+0x21/0xd0 net/nfc/nci/hci.c:784\n    [<00000000c59cff92>] nci_allocate_device net/nfc/nci/core.c:1170 [inline]\n    [<00000000c59cff92>] nci_allocate_device+0x10b/0x160 net/nfc/nci/core.c:1132\n    [<00000000006e0a8e>] nfcmrvl_nci_register_dev+0x10a/0x1c0 drivers/nfc/nfcmrvl/main.c:153\n    [<000000004da1b57e>] nfcmrvl_probe+0x223/0x290 drivers/nfc/nfcmrvl/usb.c:345\n    [<00000000d506aed9>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396\n    [<00000000bc632c92>] really_probe+0x159/0x4a0 drivers/base/dd.c:554\n    [<00000000f5009125>] driver_probe_device+0x84/0x100 drivers/base/dd.c:740\n    [<000000000ce658ca>] __device_attach_driver+0xee/0x110 drivers/base/dd.c:846\n    [<000000007067d05f>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:431\n    [<00000000f8e13372>] __device_attach+0x122/0x250 drivers/base/dd.c:914\n    [<000000009cf68860>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:491\n    [<00000000359c965a>] device_add+0x5be/0xc30 drivers/base/core.c:3109\n    [<00000000086e4bd3>] usb_set_configuration+0x9d9/0xb90 drivers/usb/core/message.c:2164\n    [<00000000ca036872>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238\n    [<00000000d40d36f6>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293\n    [<00000000bc632c92>] really_probe+0x159/0x4a0 drivers/base/dd.c:554(CVE-2021-47180)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nEDAC/thunderx: Fix possible out-of-bounds string access\r\n\r\nEnabling -Wstringop-overflow globally exposes a warning for a common bug\nin the usage of strncat():\r\n\r\n  drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':\n  drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]\n   1136 |                 strncat(msg, other, OCX_MESSAGE_SIZE);\n        |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n   ...\n   1145 |                                 strncat(msg, other, OCX_MESSAGE_SIZE);\n   ...\n   1150 |                                 strncat(msg, other, OCX_MESSAGE_SIZE);\r\n\r\n   ...\r\n\r\nApparently the author of this driver expected strncat() to behave the\nway that strlcat() does, which uses the size of the destination buffer\nas its third argument rather than the length of the source buffer. The\nresult is that there is no check on the size of the allocated buffer.\r\n\r\nChange it to strlcat().\r\n\r\n  [ bp: Trim compiler output, fixup commit message. ](CVE-2023-52464)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nInput: powermate - fix use-after-free in powermate_config_complete\r\n\r\nsyzbot has found a use-after-free bug [1] in the powermate driver. This\nhappens when the device is disconnected, which leads to a memory free from\nthe powermate_device struct.  When an asynchronous control message\ncompletes after the kfree and its callback is invoked, the lock does not\nexist anymore and hence the bug.\r\n\r\nUse usb_kill_urb() on pm->config to cancel any in-progress requests upon\ndevice disconnection.\r\n\r\n[1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e(CVE-2023-52475)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command\r\n\r\nTags allocated for OPC_INB_SET_CONTROLLER_CONFIG command need to be freed\nwhen we receive the response.(CVE-2023-52500)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfc: nci: assert requested protocol is valid\r\n\r\nThe protocol is used in a bit mask to determine if the protocol is\nsupported. Assert the provided protocol is less than the maximum\ndefined so it doesn't potentially perform a shift-out-of-bounds and\nprovide a clearer error for undefined protocols vs unsupported ones.(CVE-2023-52507)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nieee802154: ca8210: Fix a potential UAF in ca8210_probe\r\n\r\nIf of_clk_add_provider() fails in ca8210_register_ext_clock(),\nit calls clk_unregister() to release priv->clk and returns an\nerror. However, the caller ca8210_probe() then calls ca8210_remove(),\nwhere priv->clk is freed again in ca8210_unregister_ext_clock(). In\nthis case, a use-after-free may happen in the second time we call\nclk_unregister().\r\n\r\nFix this by removing the first clk_unregister(). Also, priv->clk could\nbe an error code on failure of clk_register_fixed_rate(). Use\nIS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock().(CVE-2023-52510)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/srp: Do not call scsi_done() from srp_abort()\r\n\r\nAfter scmd_eh_abort_handler() has called the SCSI LLD eh_abort_handler\ncallback, it performs one of the following actions:\n* Call scsi_queue_insert().\n* Call scsi_finish_command().\n* Call scsi_eh_scmd_add().\nHence, SCSI abort handlers must not call scsi_done(). Otherwise all\nthe above actions would trigger a use-after-free. Hence remove the\nscsi_done() call from srp_abort(). Keep the srp_free_req() call\nbefore returning SUCCESS because we may not see the command again if\nSUCCESS is returned.(CVE-2023-52515)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: fix possible store tearing in neigh_periodic_work()\r\n\r\nWhile looking at a related syzbot report involving neigh_periodic_work(),\nI found that I forgot to add an annotation when deleting an\nRCU protected item from a list.\r\n\r\nReaders use rcu_deference(*np), we need to use either\nrcu_assign_pointer() or WRITE_ONCE() on writer side\nto prevent store tearing.\r\n\r\nI use rcu_assign_pointer() to have lockdep support,\nthis was the choice made in neigh_flush_dev().(CVE-2023-52522)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: mac80211: fix potential key use-after-free\r\n\r\nWhen ieee80211_key_link() is called by ieee80211_gtk_rekey_add()\nbut returns 0 due to KRACK protection (identical key reinstall),\nieee80211_gtk_rekey_add() will still return a pointer into the\nkey, in a potential use-after-free. This normally doesn't happen\nsince it's only called by iwlwifi in case of WoWLAN rekey offload\nwhich has its own KRACK protection, but still better to fix, do\nthat by returning an error code and converting that to success on\nthe cfg80211 boundary only, leaving the error for bad callers of\nieee80211_gtk_rekey_add().(CVE-2023-52530)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix potential use after free in nilfs_gccache_submit_read_data()\r\n\r\nIn nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the\nreference count of bh when the call to nilfs_dat_translate() fails.  If\nthe reference count hits 0 and its owner page gets unlocked, bh may be\nfreed.  However, bh->b_page is dereferenced to put the page after that,\nwhich may result in a use-after-free bug.  This patch moves the release\noperation after unlocking and putting the page.\r\n\r\nNOTE: The function in question is only called in GC, and in combination\nwith current userland tools, address translation using DAT does not occur\nin that function, so the code path that causes this issue will not be\nexecuted.  However, it is possible to run that code path by intentionally\nmodifying the userland GC library or by calling the GC ioctl directly.\r\n\r\n[konishi.ryusuke@gmail.com: NOTE added to the commit log](CVE-2023-52566)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: bridge: use DEV_STATS_INC()\r\n\r\nsyzbot/KCSAN reported data-races in br_handle_frame_finish() [1]\nThis function can run from multiple cpus without mutual exclusion.\r\n\r\nAdopt SMP safe DEV_STATS_INC() to update dev->stats fields.\r\n\r\nHandles updates to dev->stats.tx_dropped while we are at it.\r\n\r\n[1]\nBUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish\r\n\r\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1:\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\nbr_nf_hook_thresh+0x1ed/0x220\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\nNF_HOOK include/linux/netfilter.h:304 [inline]\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\nnapi_poll net/core/dev.c:6594 [inline]\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\nrun_ksoftirqd+0x17/0x20 kernel/softirq.c:921\nsmpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164\nkthread+0x1d7/0x210 kernel/kthread.c:388\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\r\n\r\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0:\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\nbr_nf_hook_thresh+0x1ed/0x220\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\nNF_HOOK include/linux/netfilter.h:304 [inline]\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\nnapi_poll net/core/dev.c:6594 [inline]\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\ndo_softirq+0x5e/0x90 kernel/softirq.c:454\n__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381\n__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\n_raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210\nspin_unlock_bh include/linux/spinlock.h:396 [inline]\nbatadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356\nbatadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560\nprocess_one_work kernel/workqueue.c:2630 [inline]\nprocess_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703\nworker_thread+0x525/0x730 kernel/workqueue.c:2784\nkthread+0x1d7/0x210 kernel/kthread.c:388\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\r\n\r\nvalue changed: 0x00000000000d7190 -> 0x00000000000d7191\r\n\r\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f361b9 #0(CVE-2023-52578)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nceph: fix deadlock or deadcode of misusing dget()\r\n\r\nThe lock order is incorrect between denty and its parent, we should\nalways make sure that the parent get the lock first.\r\n\r\nBut since this deadcode is never used and the parent dir will always\nbe set from the callers, let's just remove it.(CVE-2023-52583)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nIB/ipoib: Fix mcast list locking\r\n\r\nReleasing the `priv->lock` while iterating the `priv->multicast_list` in\n`ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to\nremove the items while in the middle of iteration. If the mcast is removed\nwhile the lock was dropped, the for loop spins forever resulting in a hard\nlockup (as was reported on RHEL 4.18.0-372.75.1.el8_6 kernel):\r\n\r\n    Task A (kworker/u72:2 below)       | Task B (kworker/u72:0 below)\n    -----------------------------------+-----------------------------------\n    ipoib_mcast_join_task(work)        | ipoib_ib_dev_flush_light(work)\n      spin_lock_irq(&priv->lock)       | __ipoib_ib_dev_flush(priv, ...)\n      list_for_each_entry(mcast,       | ipoib_mcast_dev_flush(dev = priv->dev)\n          &priv->multicast_list, list) |\n        ipoib_mcast_join(dev, mcast)   |\n          spin_unlock_irq(&priv->lock) |\n                                       |   spin_lock_irqsave(&priv->lock, flags)\n                                       |   list_for_each_entry_safe(mcast, tmcast,\n                                       |                  &priv->multicast_list, list)\n                                       |     list_del(&mcast->list);\n                                       |     list_add_tail(&mcast->list, &remove_list)\n                                       |   spin_unlock_irqrestore(&priv->lock, flags)\n          spin_lock_irq(&priv->lock)   |\n                                       |   ipoib_mcast_remove_list(&remove_list)\n   (Here, `mcast` is no longer on the  |     list_for_each_entry_safe(mcast, tmcast,\n    `priv->multicast_list` and we keep |                            remove_list, list)\n    spinning on the `remove_list` of   |  >>>  wait_for_completion(&mcast->done)\n    the other thread which is blocked  |\n    and the list is still valid on     |\n    it's stack.)\r\n\r\nFix this by keeping the lock held and changing to GFP_ATOMIC to prevent\neventual sleeps.\nUnfortunately we could not reproduce the lockup and confirm this fix but\nbased on the code review I think this fix should address such lockups.\r\n\r\ncrash> bc 31\nPID: 747      TASK: ff1c6a1a007e8000  CPU: 31   COMMAND: \"kworker/u72:2\"\n--\n    [exception RIP: ipoib_mcast_join_task+0x1b1]\n    RIP: ffffffffc0944ac1  RSP: ff646f199a8c7e00  RFLAGS: 00000002\n    RAX: 0000000000000000  RBX: ff1c6a1a04dc82f8  RCX: 0000000000000000\n                                  work (&priv->mcast_task{,.work})\n    RDX: ff1c6a192d60ac68  RSI: 0000000000000286  RDI: ff1c6a1a04dc8000\n           &mcast->list\n    RBP: ff646f199a8c7e90   R8: ff1c699980019420   R9: ff1c6a1920c9a000\n    R10: ff646f199a8c7e00  R11: ff1c6a191a7d9800  R12: ff1c6a192d60ac00\n                                                         mcast\n    R13: ff1c6a1d82200000  R14: ff1c6a1a04dc8000  R15: ff1c6a1a04dc82d8\n           dev                    priv (&priv->lock)     &priv->multicast_list (aka head)\n    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n--- <NMI exception stack> ---\n #5 [ff646f199a8c7e00] ipoib_mcast_join_task+0x1b1 at ffffffffc0944ac1 [ib_ipoib]\n #6 [ff646f199a8c7e98] process_one_work+0x1a7 at ffffffff9bf10967\r\n\r\ncrash> rx ff646f199a8c7e68\nff646f199a8c7e68:  ff1c6a1a04dc82f8 <<< work = &priv->mcast_task.work\r\n\r\ncrash> list -hO ipoib_dev_priv.multicast_list ff1c6a1a04dc8000\n(empty)\r\n\r\ncrash> ipoib_dev_priv.mcast_task.work.func,mcast_mutex.owner.counter ff1c6a1a04dc8000\n  mcast_task.work.func = 0xffffffffc0944910 <ipoib_mcast_join_task>,\n  mcast_mutex.owner.counter = 0xff1c69998efec000\r\n\r\ncrash> b 8\nPID: 8        TASK: ff1c69998efec000  CPU: 33   COMMAND: \"kworker/u72:0\"\n--\n #3 [ff646f1980153d50] wait_for_completion+0x96 at ffffffff9c7d7646\n #4 [ff646f1980153d90] ipoib_mcast_remove_list+0x56 at ffffffffc0944dc6 [ib_ipoib]\n #5 [ff646f1980153de8] ipoib_mcast_dev_flush+0x1a7 at ffffffffc09455a7 [ib_ipoib]\n #6 [ff646f1980153e58] __ipoib_ib_dev_flush+0x1a4 at ffffffffc09431a4 [ib_ipoib]\n #7 [ff\n---truncated---(CVE-2023-52587)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()\r\n\r\nFix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bug\noccurs when txs->cnt, data from a URB provided by a USB device, is\nbigger than the size of the array txs->txstatus, which is\nHTC_MAX_TX_STATUS. WARN_ON() already checks it, but there is no bug\nhandling code after the check. Make the function return if that is the\ncase.\r\n\r\nFound by a modified version of syzkaller.\r\n\r\nUBSAN: array-index-out-of-bounds in htc_drv_txrx.c\nindex 13 is out of range for type '__wmi_event_txstatus [12]'\nCall Trace:\n ath9k_htc_txstatus\n ath9k_wmi_event_tasklet\n tasklet_action_common\n __do_softirq\n irq_exit_rxu\n sysvec_apic_timer_interrupt(CVE-2023-52594)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: rt2x00: restart beacon queue when hardware reset\r\n\r\nWhen a hardware reset is triggered, all registers are reset, so all\nqueues are forced to stop in hardware interface. However, mac80211\nwill not automatically stop the queue. If we don't manually stop the\nbeacon queue, the queue will be deadlocked and unable to start again.\nThis patch fixes the issue where Apple devices cannot connect to the\nAP after calling ieee80211_restart_hw().(CVE-2023-52595)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: s390: fix setting of fpc register\r\n\r\nkvm_arch_vcpu_ioctl_set_fpu() allows to set the floating point control\n(fpc) register of a guest cpu. The new value is tested for validity by\ntemporarily loading it into the fpc register.\r\n\r\nThis may lead to corruption of the fpc register of the host process:\nif an interrupt happens while the value is temporarily loaded into the fpc\nregister, and within interrupt context floating point or vector registers\nare used, the current fp/vx registers are saved with save_fpu_regs()\nassuming they belong to user space and will be loaded into fp/vx registers\nwhen returning to user space.\r\n\r\ntest_fp_ctl() restores the original user space / host process fpc register\nvalue, however it will be discarded, when returning to user space.\r\n\r\nIn result the host process will incorrectly continue to run with the value\nthat was supposed to be used for a guest cpu.\r\n\r\nFix this by simply removing the test. There is another test right before\nthe SIE context is entered which will handles invalid values.\r\n\r\nThis results in a change of behaviour: invalid values will now be accepted\ninstead of that the ioctl fails with -EINVAL. This seems to be acceptable,\ngiven that this interface is most likely not used anymore, and this is in\naddition the same behaviour implemented with the memory mapped interface\n(replace invalid values with zero) - see sync_regs() in kvm-s390.c.(CVE-2023-52597)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/ptrace: handle setting of fpc register correctly\r\n\r\nIf the content of the floating point control (fpc) register of a traced\nprocess is modified with the ptrace interface the new value is tested for\nvalidity by temporarily loading it into the fpc register.\r\n\r\nThis may lead to corruption of the fpc register of the tracing process:\nif an interrupt happens while the value is temporarily loaded into the\nfpc register, and within interrupt context floating point or vector\nregisters are used, the current fp/vx registers are saved with\nsave_fpu_regs() assuming they belong to user space and will be loaded into\nfp/vx registers when returning to user space.\r\n\r\ntest_fp_ctl() restores the original user space fpc register value, however\nit will be discarded, when returning to user space.\r\n\r\nIn result the tracer will incorrectly continue to run with the value that\nwas supposed to be used for the traced process.\r\n\r\nFix this by saving fpu register contents with save_fpu_regs() before using\ntest_fp_ctl().(CVE-2023-52598)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\next4: avoid online resizing failures due to oversized flex bg\r\n\r\nWhen we online resize an ext4 filesystem with a oversized flexbg_size,\r\n\r\n     mkfs.ext4 -F -G 67108864 $dev -b 4096 100M\n     mount $dev $dir\n     resize2fs $dev 16G\r\n\r\nthe following WARN_ON is triggered:\n==================================================================\nWARNING: CPU: 0 PID: 427 at mm/page_alloc.c:4402 __alloc_pages+0x411/0x550\nModules linked in: sg(E)\nCPU: 0 PID: 427 Comm: resize2fs Tainted: G  E  6.6.0-rc5+ #314\nRIP: 0010:__alloc_pages+0x411/0x550\nCall Trace:\n <TASK>\n __kmalloc_large_node+0xa2/0x200\n __kmalloc+0x16e/0x290\n ext4_resize_fs+0x481/0xd80\n __ext4_ioctl+0x1616/0x1d90\n ext4_ioctl+0x12/0x20\n __x64_sys_ioctl+0xf0/0x150\n do_syscall_64+0x3b/0x90\n==================================================================\r\n\r\nThis is because flexbg_size is too large and the size of the new_group_data\narray to be allocated exceeds MAX_ORDER. Currently, the minimum value of\nMAX_ORDER is 8, the minimum value of PAGE_SIZE is 4096, the corresponding\nmaximum number of groups that can be allocated is:\r\n\r\n (PAGE_SIZE << MAX_ORDER) / sizeof(struct ext4_new_group_data) ≈ 21845\r\n\r\nAnd the value that is down-aligned to the power of 2 is 16384. Therefore,\nthis value is defined as MAX_RESIZE_BG, and the number of groups added\neach time does not exceed this value during resizing, and is added multiple\ntimes to complete the online resizing. The difference is that the metadata\nin a flex_bg may be more dispersed.(CVE-2023-52622)",
+    "cves": [
+      {
+        "id": "CVE-2023-52622",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52622",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1914": {
+    "id": "openEuler-SA-2023-1914",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1914",
+    "title": "An update for jettison is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Jettison is a collection of Java APIs (like STaX and DOM) which read and write JSON. This allows nearly transparent enablement of JSON based web services in services frameworks like CXF or XML serialization frameworks like XStream.\r\n\r\nSecurity Fix(es):\r\n\r\nThose using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.(CVE-2022-40149)\r\n\r\nThose using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.(CVE-2022-40150)\r\n\r\nA stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted JSON data.(CVE-2022-45685)\r\n\r\nJettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.(CVE-2022-45693)",
+    "cves": [
+      {
+        "id": "CVE-2022-45693",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1177": {
+    "id": "openEuler-SA-2021-1177",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1177",
+    "title": "An update for nettle is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Nettle is a cryptographic library designed to fit any context: in crypto toolkits for object-oriented languages, in applications like LSH or GnuPG, or even in kernel space.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-20305)",
+    "cves": [
+      {
+        "id": "CVE-2021-20305",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20305",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1683": {
+    "id": "openEuler-SA-2023-1683",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1683",
+    "title": "An update for python-mako is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Python-mako is a template library for Python. It provides a familiar, non-XML syntax which compiles into Python modules for maximum performance. Mako's syntax and API borrows from the best ideas of many others, including Django templates, Cheetah, Myghty, and Genshi.\r\n\r\nSecurity Fix(es):\r\n\r\nSqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.(CVE-2022-40023)",
+    "cves": [
+      {
+        "id": "CVE-2022-40023",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40023",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1121": {
+    "id": "openEuler-SA-2023-1121",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1121",
+    "title": "An update for shim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments.\r\n\r\nSecurity Fix(es):\r\n\r\nThere is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.(CVE-2023-0286)",
+    "cves": [
+      {
+        "id": "CVE-2023-0286",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0286",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1315": {
+    "id": "openEuler-SA-2024-1315",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1315",
+    "title": "An update for edk2 is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications.\r\n\r\nSecurity Fix(es):\r\n\r\n\nEDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability.\r\n\r\n(CVE-2022-36764)\r\n\r\nEDK2's Network Package is susceptible to an out-of-bounds read\n vulnerability when processing the IA_NA or IA_TA option in a DHCPv6 Advertise message. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Confidentiality.(CVE-2023-45229)\r\n\r\n EDK2's Network Package is susceptible to a buffer overflow vulnerability via a long server ID option in DHCPv6 client. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Confidentiality, Integrity and/or Availability.\r\n\r\n(CVE-2023-45230)\r\n\r\nEDK2's Network Package is susceptible to an out-of-bounds read\n vulnerability when processing  Neighbor Discovery Redirect message. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Confidentiality.(CVE-2023-45231)\r\n\r\n EDK2's Network Package is susceptible to an infinite loop vulnerability when parsing unknown options in the Destination Options header of IPv6. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Availability.\r\n\r\n(CVE-2023-45232)\r\n\r\n EDK2's Network Package is susceptible to an infinite lop vulnerability when parsing a PadN option in the Destination Options header of IPv6. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Availability.\r\n\r\n(CVE-2023-45233)\r\n\r\n EDK2's Network Package is susceptible to a buffer overflow vulnerability when processing DNS Servers option from a DHCPv6 Advertise message. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Confidentiality, Integrity and/or Availability.\r\n\r\n(CVE-2023-45234)\r\n\r\n EDK2's Network Package is susceptible to a buffer overflow vulnerability when\r\n\r\n\r\n\r\n\r\n\r\nhandling Server ID option \r\n\r\n\r\n\r\n from a DHCPv6 proxy Advertise message. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Confidentiality, Integrity and/or Availability.\r\n\r\n(CVE-2023-45235)",
+    "cves": [
+      {
+        "id": "CVE-2023-45235",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45235",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1050": {
+    "id": "openEuler-SA-2024-1050",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1050",
+    "title": "An update for netdata is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "netdata is the fastest way to visualize metrics. It is a resource efficient, highly optimized system for collecting and visualizing any type of realtime time-series data, from CPU usage, disk activity, SQL queries, API calls, web site visitors, etc. netdata tries to visualize the truth of now, in its greatest detail, so that you can get insights of what is happening now and what just happened, on your systems and applications.\r\n\r\nSecurity Fix(es):\r\n\r\nNetdata is an open source option for real-time infrastructure monitoring and troubleshooting. An attacker with the ability to establish a streaming connection can execute arbitrary commands on the targeted Netdata agent. When an alert is triggered, the function `health_alarm_execute` is called. This function performs different checks and then enqueues a command by calling `spawn_enq_cmd`. This command is populated with several arguments that are not sanitized. One of them is the `registry_hostname` of the node for which the alert is raised. By providing a specially crafted `registry_hostname` as part of the health data that is streamed to a Netdata (parent) agent, an attacker can execute arbitrary commands at the remote host as a side-effect of the raised alert. Note that the commands are executed as the user running the Netdata Agent. This user is usually named `netdata`. The ability to run arbitrary commands may allow an attacker to escalate privileges by escalating other vulnerabilities in the system, as that user. The problem has been fixed in: Netdata agent v1.37 (stable) and Netdata agent v1.36.0-409 (nightly). As a workaround, streaming is not enabled by default. If you have previously enabled this, it can be disabled. Limiting access to the port on the recipient Agent to trusted child connections may mitigate the impact of this vulnerability.(CVE-2023-22496)\r\n\r\nNetdata is an open source option for real-time infrastructure monitoring and troubleshooting. Each Netdata Agent has an automatically generated MACHINE GUID. It is generated when the agent first starts and it is saved to disk, so that it will persist across restarts and reboots. Anyone who has access to a Netdata Agent has access to its MACHINE_GUID. Streaming is a feature that allows a Netdata Agent to act as parent for other Netdata Agents (children), offloading children from various functions (increased data retention, ML, health monitoring, etc) that can now be handled by the parent Agent. Configuration is done via `stream.conf`. On the parent side, users configure in `stream.conf` an API key (any random UUID can do) to provide common configuration for all children using this API key and per MACHINE GUID configuration to customize the configuration for each child. The way this was implemented, allowed an attacker to use a valid MACHINE_GUID as an API key. This affects all users who expose their Netdata Agents (children) to non-trusted users and they also expose to the same users Netdata Agent parents that aggregate data from all these children. The problem has been fixed in: Netdata agent v1.37 (stable) and Netdata agent v1.36.0-409 (nightly). As a workaround, do not enable streaming by default. If you have previously enabled this, it can be disabled. Limiting access to the port on the recipient Agent to trusted child connections may mitigate the impact of this vulnerability.(CVE-2023-22497)",
+    "cves": [
+      {
+        "id": "CVE-2023-22497",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22497",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1591": {
+    "id": "openEuler-SA-2024-1591",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1591",
+    "title": "An update for docker is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Docker is an open source project to build, ship and run any application as a lightweight container.\r\n\r\nSecurity Fix(es):\r\n\r\nMoby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. In 26.0.0, IPv6 is not disabled on network interfaces, including those belonging to networks where `--ipv6=false`. An container with an `ipvlan` or `macvlan` interface will normally be configured to share an external network link with the host machine. Because of this direct access, (1) Containers may be able to communicate with other hosts on the local network over link-local IPv6 addresses, (2) if router advertisements are being broadcast over the local network, containers may get SLAAC-assigned addresses, and (3) the interface  will be a member of IPv6 multicast groups. This means interfaces in IPv4-only networks present an unexpectedly and unnecessarily increased attack surface. The issue is patched in 26.0.2. To completely disable IPv6 in a container, use `--sysctl=net.ipv6.conf.all.disable_ipv6=1` in the `docker create` or `docker run` command. Or, in the service configuration of a `compose` file.(CVE-2024-32473)",
+    "cves": [
+      {
+        "id": "CVE-2024-32473",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32473",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1221": {
+    "id": "openEuler-SA-2023-1221",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1221",
+    "title": "An update for libldb is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "An extensible library that implements an LDAP like API to access remote LDAP servers, or use local tdb databases.\r\n\r\nSecurity Fix(es):\r\n\r\nThe fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure vi LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC.(CVE-2023-0614)",
+    "cves": [
+      {
+        "id": "CVE-2023-0614",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0614",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1285": {
+    "id": "openEuler-SA-2023-1285",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1285",
+    "title": "An update for mysql is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "The MySQL(TM) software delivers a very fast, multi-threaded, multi-user,and robust SQL (Structured Query Language) database server. MySQL Server is intended for mission-critical, heavy-load production systems as well as for embedding into mass-deployed software. MySQL is a trademark of Oracle and/or its affiliates The MySQL software has Dual Licensing, which means you can use the MySQL software free of charge under the GNU General Public License (http://www.gnu.org/licenses/). You can also purchase commercial MySQL licenses from Oracle and/or its affiliates if you do not wish to be bound by the terms of the GPL. See the chapter \"Licensing and Support\" in the manual for further info.\r\n\r\nSecurity Fix(es):\r\n\r\nzlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).(CVE-2022-37434)",
+    "cves": [
+      {
+        "id": "CVE-2022-37434",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37434",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1835": {
+    "id": "openEuler-SA-2023-1835",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1835",
+    "title": "An update for mysql is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "The MySQL(TM) software delivers a very fast, multi-threaded, multi-user, and robust SQL (Structured Query Language) database server. MySQL Server is intended for mission-critical, heavy-load production systems as well as for embedding into mass-deployed software. MySQL is a trademark of Oracle and/or its affiliates\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2022-21509)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Options). Supported versions that are affected are 5.7.38 and prior and 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21515)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21517)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.29 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21522)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21525)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21526)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2022-21527)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2022-21528)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21529)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21530)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21531)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21534)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21537)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 8.0.29 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21538)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.29 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L).(CVE-2022-21539)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Federated). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21547)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21553)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21569)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 5.7.39 and prior and 8.0.29 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).(CVE-2022-21592)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21594)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21599)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21604)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.39 and prior and 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21608)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.30 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.1 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21611)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Connection Handling). Supported versions that are affected are 5.7.39 and prior and 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21617)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.30 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21625)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21632)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21633)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H).(CVE-2022-21635)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21637)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21638)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21640)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21641)\r\n\r\nWhen doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.(CVE-2022-32221)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-39400)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-39408)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-39410)\r\n\r\nA vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.(CVE-2022-43551)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21836)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21863)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21864)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21865)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21867)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21868)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2023-21869)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21870)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21871)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2023-21872)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21873)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling).  Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-21874)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption).  Supported versions that are affected are 8.0.31 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.9 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H).(CVE-2023-21875)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21876)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2023-21877)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21878)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21879)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2023-21880)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21881)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21882)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21883)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: GIS).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21887)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21911)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges).  Supported versions that are affected are 5.7.41 and prior and  8.0.30 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 7.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21912)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21913)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21917)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21919)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21920)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2023-21929)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21933)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21935)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services).  Supported versions that are affected are 8.0.32 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21940)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21945)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21946)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services).  Supported versions that are affected are 8.0.32 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21947)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Partition).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21953)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Partition).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21955)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21962)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Connection Handling).  Supported versions that are affected are 5.7.40 and prior and  8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-21963)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: JSON).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21966)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21972)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21976)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21977)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Client programs).  Supported versions that are affected are 5.7.41 and prior and  8.0.32 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.1 Base Score 7.1 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).(CVE-2023-21980)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21982)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication).  Supported versions that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22005)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication).  Supported versions that are affected are 5.7.41 and prior and  8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22007)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22008)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 5.7.42 and prior and  8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22015)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 5.7.42 and prior and  8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22026)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 5.7.43 and prior and  8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22028)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22032)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22033)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-22038)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22046)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Pluggable Auth).  Supported versions that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 3.1 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N).(CVE-2023-22048)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Client programs).  Supported versions that are affected are 5.7.42 and prior and  8.0.33 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server and  unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H).(CVE-2023-22053)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22054)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22056)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22057)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22058)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22059)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22064)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22065)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22066)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22068)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22070)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22078)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22079)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 5.7.43 and prior, 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22084)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22092)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22097)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22103)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22104)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22110)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: UDF).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22111)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22112)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).(CVE-2023-22113)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22114)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22115)",
+    "cves": [
+      {
+        "id": "CVE-2023-22115",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22115",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1791": {
+    "id": "openEuler-SA-2022-1791",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1791",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nsoftmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash.(CVE-2022-35414)",
+    "cves": [
+      {
+        "id": "CVE-2022-35414",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35414",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1846": {
+    "id": "openEuler-SA-2022-1846",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1846",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nThe Linux kernel before 5.18.13 lacks a certain clear operation for the block starting symbol (.bss). This allows Xen PV guest OS users to cause a denial of service or gain privileges.(CVE-2022-36123)\n\nIn v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-223375145References: Upstream kernel(CVE-2022-20369)",
+    "cves": [
+      {
+        "id": "CVE-2022-20369",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20369",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1389": {
+    "id": "openEuler-SA-2023-1389",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1389",
+    "title": "An update for perl-HTTP-Tiny is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "A small, simple, correct HTTP/1.1 client.\r\n\r\nSecurity Fix(es):\r\n\r\nHTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.(CVE-2023-31486)",
+    "cves": [
+      {
+        "id": "CVE-2023-31486",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31486",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1697": {
+    "id": "openEuler-SA-2022-1697",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1697",
+    "title": "An update for flac is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "FLAC stands for Free Lossless Audio Codec, an audio format similar to MP3, but lossless, meaning that audio is compressed in FLAC without any loss in quality.\r\n\r\nSecurity Fix(es):\r\n\r\nIn FLAC__bitreader_read_rice_signed_block of bitreader.c, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-156076070(CVE-2020-0499)",
+    "cves": [
+      {
+        "id": "CVE-2020-0499",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0499",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1515": {
+    "id": "openEuler-SA-2022-1515",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1515",
+    "title": "An update for edk2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications.\r\n\r\nSecurity Fix(es):\r\n\r\nA BIOS bug in firmware for a particular PC model leaves the Platform authorization value empty. This can be used to permanently brick the TPM in multiple ways, as well as to non-permanently DoS the system.(CVE-2021-38576)",
+    "cves": [
+      {
+        "id": "CVE-2021-38576",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38576",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1018": {
+    "id": "openEuler-SA-2023-1018",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1018",
+    "title": "An update for samba is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nSince the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022 and per RFC8429 it is assumed that rc4-hmac is weak, Vulnerable Samba Active Directory DCs will issue rc4-hmac encrypted tickets despite the target server supporting better encryption (eg aes256-cts-hmac-sha1-96).(CVE-2022-45141)\r\n\r\nWindows Kerberos RC4-HMAC Elevation of Privilege Vulnerability.(CVE-2022-37966)",
+    "cves": [
+      {
+        "id": "CVE-2022-37966",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37966",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1805": {
+    "id": "openEuler-SA-2024-1805",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1805",
+    "title": "An update for ffmpeg is now available for openEuler-24.03-LTS",
+    "severity": "High",
+    "description": "FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash.\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the ff_bwdif_filter_intra_c function in the libavfilter/bwdifdsp.c:125:5 component.(CVE-2023-49502)",
+    "cves": [
+      {
+        "id": "CVE-2023-49502",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49502",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1360": {
+    "id": "openEuler-SA-2021-1360",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1360",
+    "title": "An update for fetchmail is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Fetchmail is a remote mail retrieval and forwarding utility intended for use over on-demand TCP/IP links, like SLIP or PPP connections. Fetchmail supports every remote-mail protocol currently in use on the Internet (POP2, POP3, RPOP, APOP, KPOP, all IMAPs, ESMTP ETRN, IPv6, and IPSEC) for retrieval. Then Fetchmail forwards the mail through SMTP so you can read it through your favorite mail client. Install fetchmail if you need to retrieve mail over SLIP or PPP connections.\r\n\r\nSecurity Fix(es):\r\n\r\nFetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.(CVE-2021-39272)",
+    "cves": [
+      {
+        "id": "CVE-2021-39272",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39272",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1322": {
+    "id": "openEuler-SA-2021-1322",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1322",
+    "title": "An update for gstreamer1-plugins-good is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "GStreamer is a streaming media framework, based on graphs of filters which operate on media data. Applications using this library can do anything from real-time sound processing to playing videos, and just about anything else media-related.  Its plugin-based architecture means that new data types or processing capabilities can be added simply by installing new plugins.\r\n\r\nSecurity Fix(es):\n\nGStreamer before 1.18.4 might access already-freed memory in error code paths when demuxing certain malformed Matroska files.(CVE-2021-3497)\r\n\r\nGStreamer before 1.18.4 might cause heap corruption when parsing certain malformed Matroska files.(CVE-2021-3498)",
+    "cves": [
+      {
+        "id": "CVE-2021-3498",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3498",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1883": {
+    "id": "openEuler-SA-2023-1883",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1883",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Low",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nVim is an open source command line text editor. When closing a window, vim may try to access already freed window structure. Exploitation beyond crashing the application has not been shown to be viable. This issue has been addressed in commit `25aabc2b` which has been included in release version 9.0.2106. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48231)\r\n\r\nVim is an open source command line text editor. If the count after the :s command is larger than what fits into a (signed) long variable, abort with e_value_too_large. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `ac6378773` which has been included in release version 9.0.2108. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48233)\r\n\r\nVim is an open source command line text editor. When getting the count for a normal mode z command, it may overflow for large counts given. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `58f9befca1` which has been included in release version 9.0.2109. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48234)\r\n\r\nVim is an open source command line text editor. When parsing relative ex addresses one may unintentionally cause an\noverflow. Ironically this happens in the existing overflow check, because the line number becomes negative and LONG_MAX - lnum will cause the overflow. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `060623e` which has been included in release version 9.0.2110. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48235)\r\n\r\nVim is an open source command line text editor. When using the z= command, the user may overflow the count with values larger\nthan MAX_INT. Impact is low, user interaction is required and a crash may not even happen in all situations. This vulnerability has been addressed in commit `73b2d379` which has been included in release version 9.0.2111. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48236)\r\n\r\nVim is an open source command line text editor. In affected versions when shifting lines in operator pending mode and using a very large value, it may be possible to overflow the size of integer. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `6bf131888` which has been included in version 9.0.2112. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48237)",
+    "cves": [
+      {
+        "id": "CVE-2023-48237",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48237",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2091": {
+    "id": "openEuler-SA-2022-2091",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2091",
+    "title": "An update for ImageMagick is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nImageMagick is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, modify, and distribute in both open and proprietary applications. In affected versions and in certain cases, Postscript files could be read and written when specifically excluded by a `module` policy in `policy.xml`. ex. <policy domain=\"module\" rights=\"none\" pattern=\"PS\" />. The issue has been resolved in ImageMagick 7.1.0-7 and in 6.9.12-22. Fortunately, in the wild, few users utilize the `module` policy and instead use the `coder` policy that is also our workaround recommendation: <policy domain=\"coder\" rights=\"none\" pattern=\"{PS,EPI,EPS,EPSF,EPSI}\" />.(CVE-2021-39212)\r\n\r\nA NULL pointer dereference flaw was found in ImageMagick in versions prior to 7.0.10-31 in ReadSVGImage() in coders/svg.c. This issue is due to not checking the return value from libxml2's xmlCreatePushParserCtxt() and uses the value directly, which leads to a crash and segmentation fault.(CVE-2021-3596)",
+    "cves": [
+      {
+        "id": "CVE-2021-3596",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3596",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1546": {
+    "id": "openEuler-SA-2023-1546",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1546",
+    "title": "An update for qt is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Qt (pronounced as \"cute\", not \"cu-tee\") is a cross-platform framework that is usually used as a graphical toolkit, although it is also very helpful in creating CLI applications. It runs on the three major desktop OSes, as well as on mobile OSes, such as Symbian, Nokia Belle, Meego Harmattan, MeeGo or BB10, and on embedded devices. Ports for Android (Necessitas) and iOS are also in development\n\nSecurity Fix(es):\n\nIn Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.(CVE-2023-32573)",
+    "cves": [
+      {
+        "id": "CVE-2023-32573",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1347": {
+    "id": "openEuler-SA-2024-1347",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1347",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: act_ct: fix wild memory access when clearing fragments\r\n\r\nwhile testing re-assembly/re-fragmentation using act_ct, it's possible to\nobserve a crash like the following one:\r\n\r\n KASAN: maybe wild-memory-access in range [0x0001000000000448-0x000100000000044f]\n CPU: 50 PID: 0 Comm: swapper/50 Tainted: G S                5.12.0-rc7+ #424\n Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017\n RIP: 0010:inet_frag_rbtree_purge+0x50/0xc0\n Code: 00 fc ff df 48 89 c3 31 ed 48 89 df e8 a9 7a 38 ff 4c 89 fe 48 89 df 49 89 c6 e8 5b 3a 38 ff 48 8d 7b 40 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 75 59 48 8d bb d0 00 00 00 4c 8b 6b 40 48 89 f8 48\n RSP: 0018:ffff888c31449db8 EFLAGS: 00010203\n RAX: 0000200000000089 RBX: 000100000000040e RCX: ffffffff989eb960\n RDX: 0000000000000140 RSI: ffffffff97cfb977 RDI: 000100000000044e\n RBP: 0000000000000900 R08: 0000000000000000 R09: ffffed1186289350\n R10: 0000000000000003 R11: ffffed1186289350 R12: dffffc0000000000\n R13: 000100000000040e R14: 0000000000000000 R15: ffff888155e02160\n FS:  0000000000000000(0000) GS:ffff888c31440000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00005600cb70a5b8 CR3: 0000000a2c014005 CR4: 00000000003706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  <IRQ>\n  inet_frag_destroy+0xa9/0x150\n  call_timer_fn+0x2d/0x180\n  run_timer_softirq+0x4fe/0xe70\n  __do_softirq+0x197/0x5a0\n  irq_exit_rcu+0x1de/0x200\n  sysvec_apic_timer_interrupt+0x6b/0x80\n  </IRQ>\r\n\r\nwhen act_ct temporarily stores an IP fragment, restoring the skb qdisc cb\nresults in putting random data in FRAG_CB(), and this causes those \"wild\"\nmemory accesses later, when the rbtree is purged. Never overwrite the skb\ncb in case tcf_ct_handle_fragments() returns -EINPROGRESS.(CVE-2021-47014)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nudp: skip L4 aggregation for UDP tunnel packets\r\n\r\nIf NETIF_F_GRO_FRAGLIST or NETIF_F_GRO_UDP_FWD are enabled, and there\nare UDP tunnels available in the system, udp_gro_receive() could end-up\ndoing L4 aggregation (either SKB_GSO_UDP_L4 or SKB_GSO_FRAGLIST) at\nthe outer UDP tunnel level for packets effectively carrying and UDP\ntunnel header.\r\n\r\nThat could cause inner protocol corruption. If e.g. the relevant\npackets carry a vxlan header, different vxlan ids will be ignored/\naggregated to the same GSO packet. Inner headers will be ignored, too,\nso that e.g. TCP over vxlan push packets will be held in the GRO\nengine till the next flush, etc.\r\n\r\nJust skip the SKB_GSO_UDP_L4 and SKB_GSO_FRAGLIST code path if the\ncurrent packet could land in a UDP tunnel, and let udp_gro_receive()\ndo GRO via udp_sk(sk)->gro_receive.\r\n\r\nThe check implemented in this patch is broader than what is strictly\nneeded, as the existing UDP tunnel could be e.g. configured on top of\na different device: we could end-up skipping GRO at-all for some packets.\r\n\r\nAnyhow, that is a very thin corner case and covering it will add quite\na bit of complexity.\r\n\r\nv1 -> v2:\n - hopefully clarify the commit message(CVE-2021-47036)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: pvrusb2: fix use after free on context disconnection\r\n\r\nUpon module load, a kthread is created targeting the\npvr2_context_thread_func function, which may call pvr2_context_destroy\nand thus call kfree() on the context object. However, that might happen\nbefore the usb hub_event handler is able to notify the driver. This\npatch adds a sanity check before the invalid read reported by syzbot,\nwithin the context disconnection call stack.(CVE-2023-52445)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblock: add check that partition length needs to be aligned with block size\r\n\r\nBefore calling add partition or resize partition, there is no check\non whether the length is aligned with the logical block size.\nIf the logical block size of the disk is larger than 512 bytes,\nthen the partition size maybe not the multiple of the logical block size,\nand when the last sector is read, bio_truncate() will adjust the bio size,\nresulting in an IO error if the size of the read command is smaller than\nthe logical block size.If integrity data is supported, this will also\nresult in a null pointer dereference when calling bio_integrity_free.(CVE-2023-52458)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg\r\n\r\nsyzbot reported the following uninit-value access issue:\r\n\r\n=====================================================\nBUG: KMSAN: uninit-value in smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\nBUG: KMSAN: uninit-value in smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\nCPU: 0 PID: 8696 Comm: kworker/0:3 Not tainted 5.8.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:118\n kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121\n __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\n smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\n usbnet_probe+0x1152/0x3f90 drivers/net/usb/usbnet.c:1737\n usb_probe_interface+0xece/0x1550 drivers/usb/core/driver.c:374\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\n usb_set_configuration+0x380f/0x3f10 drivers/usb/core/message.c:2032\n usb_generic_driver_probe+0x138/0x300 drivers/usb/core/generic.c:241\n usb_probe_device+0x311/0x490 drivers/usb/core/driver.c:272\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\n usb_new_device+0x1bd4/0x2a30 drivers/usb/core/hub.c:2554\n hub_port_connect drivers/usb/core/hub.c:5208 [inline]\n hub_port_connect_change drivers/usb/core/hub.c:5348 [inline]\n port_event drivers/usb/core/hub.c:5494 [inline]\n hub_event+0x5e7b/0x8a70 drivers/usb/core/hub.c:5576\n process_one_work+0x1688/0x2140 kernel/workqueue.c:2269\n worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415\n kthread+0x551/0x590 kernel/kthread.c:292\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293\r\n\r\nLocal variable ----buf.i87@smsc75xx_bind created at:\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\r\n\r\nThis issue is caused because usbnet_read_cmd() reads less bytes than requested\n(zero byte in the reproducer). In this case, 'buf' is not properly filled.\r\n\r\nThis patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads\nless bytes than requested.(CVE-2023-52528)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap()\r\n\r\nSince 'ieee80211_beacon_get()' can return NULL, 'wfx_set_mfp_ap()'\nshould check the return value before examining skb data. So convert\nthe latter to return an appropriate error code and propagate it to\nreturn from 'wfx_start_ap()' as well. Compile tested only.(CVE-2023-52593)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix slab-out-of-bounds Read in dtSearch\r\n\r\nCurrently while searching for current page in the sorted entry table\nof the page there is a out of bound access. Added a bound check to fix\nthe error.\r\n\r\nDave:\nSet return code to -EIO(CVE-2023-52602)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nUBSAN: array-index-out-of-bounds in dtSplitRoot\r\n\r\nSyzkaller reported the following issue:\r\n\r\noop0: detected capacity change from 0 to 32768\r\n\r\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9\nindex -2 is out of range for type 'struct dtslot [128]'\nCPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:151 [inline]\n __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283\n dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971\n dtSplitUp fs/jfs/jfs_dtree.c:985 [inline]\n dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863\n jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270\n vfs_mkdir+0x3b3/0x590 fs/namei.c:4013\n do_mkdirat+0x279/0x550 fs/namei.c:4038\n __do_sys_mkdirat fs/namei.c:4053 [inline]\n __se_sys_mkdirat fs/namei.c:4051 [inline]\n __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fcdc0113fd9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9\nRDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003\nRBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0\nR10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000\nR13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000\n </TASK>\r\n\r\nThe issue is caused when the value of fsi becomes less than -1.\nThe check to break the loop when fsi value becomes -1 is present\nbut syzbot was able to produce value less than -1 which cause the error.\nThis patch simply add the change for the values less than 0.\r\n\r\nThe patch is tested via syzbot.(CVE-2023-52603)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nFS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree\r\n\r\nSyzkaller reported the following issue:\r\n\r\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2867:6\nindex 196694 is out of range for type 's8[1365]' (aka 'signed char[1365]')\nCPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348\n dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867\n dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834\n dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331\n dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]\n dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402\n txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534\n txUpdateMap+0x342/0x9e0\n txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]\n jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732\n kthread+0x2d3/0x370 kernel/kthread.c:388\n ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n </TASK>\n================================================================================\nKernel panic - not syncing: UBSAN: panic_on_warn set ...\nCPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n panic+0x30f/0x770 kernel/panic.c:340\n check_panic_on_warn+0x82/0xa0 kernel/panic.c:236\n ubsan_epilogue lib/ubsan.c:223 [inline]\n __ubsan_handle_out_of_bounds+0x13c/0x150 lib/ubsan.c:348\n dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867\n dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834\n dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331\n dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]\n dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402\n txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534\n txUpdateMap+0x342/0x9e0\n txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]\n jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732\n kthread+0x2d3/0x370 kernel/kthread.c:388\n ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n </TASK>\nKernel Offset: disabled\nRebooting in 86400 seconds..\r\n\r\nThe issue is caused when the value of lp becomes greater than\nCTLTREESIZE which is the max size of stree. Adding a simple check\nsolves this issue.\r\n\r\nDave:\nAs the function returns a void, good error handling\nwould require a more intrusive code reorganization, so I modified\nOsama's patch at use WARN_ON_ONCE for lack of a cleaner option.\r\n\r\nThe patch is tested via syzbot.(CVE-2023-52604)",
+    "cves": [
+      {
+        "id": "CVE-2023-52604",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52604",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1110": {
+    "id": "openEuler-SA-2023-1110",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1110",
+    "title": "An update for c-ares is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nIn ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse the input str and initialize a sortlist configuration. However, ares_set_sortlist has not any checks about the validity of the input str. It is very easy to create an arbitrary length stack overflow with the unchecked memcpy(ipbuf, str, q-str); and memcpy(ipbufpfx, str, q-str); statements in the config_sortlist call, which could potentially cause severe security impact in practical programs.(CVE-2022-4904)",
+    "cves": [
+      {
+        "id": "CVE-2022-4904",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4904",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1272": {
+    "id": "openEuler-SA-2024-1272",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1272",
+    "title": "An update for A-Tune-Collector is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "A-Tune-Collector is used to collect various system resources.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen the get method in the sched.py file in the A-Tune-Collector software package is used to obtain the process ID, shell command combination and injection risks exist. This flaw could lead to remote arbitrary command execution.(CVE-2024-24897)",
+    "cves": [
+      {
+        "id": "CVE-2024-24897",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24897",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1678": {
+    "id": "openEuler-SA-2023-1678",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1678",
+    "title": "An update for opensc is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "OpenSC provides a set of libraries and utilities to work with smart cards. Its main focus is on cards that support cryptographic operations, and facilitate their use in security applications such as authentication, mail encryption and digital signatures. OpenSC implements the standard APIs to smart cards, e.g. PKCS#11 API, Windows’ Smart Card Minidriver and macOS Tokend.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerbility was found in OpenSC. This security flaw cause a buffer overrun vulnerability in pkcs15 cardos_have_verifyrc_package. The attacker can supply a smart card package with malformed ASN1 context. The cardos_have_verifyrc_package function scans the ASN1 buffer for 2 tags, where remaining length is wrongly caculated due to moved starting pointer. This leads to possible heap-based buffer oob read. In cases where ASAN is enabled while compiling this causes a crash. Further info leak or more damage is possible.(CVE-2023-2977)",
+    "cves": [
+      {
+        "id": "CVE-2023-2977",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2977",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1872": {
+    "id": "openEuler-SA-2022-1872",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1872",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-223375145References: Upstream kernel(CVE-2022-20369)",
+    "cves": [
+      {
+        "id": "CVE-2022-20369",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20369",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1138": {
+    "id": "openEuler-SA-2023-1138",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1138",
+    "title": "An update for mujs is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "MuJS is a lightweight Javascript interpreter designed for embedding in other software to extend them with scripting capabilities.\r\n\r\nSecurity Fix(es):\r\n\r\nA logical issue in O_getOwnPropertyDescriptor() in Artifex MuJS 1.0.0 through 1.3.x before 1.3.2 allows an attacker to achieve Remote Code Execution through memory corruption, via the loading of a crafted JavaScript file.(CVE-2022-44789)",
+    "cves": [
+      {
+        "id": "CVE-2022-44789",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44789",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1535": {
+    "id": "openEuler-SA-2022-1535",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1535",
+    "title": "An update for postgresql-jdbc is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. Is an open source JDBC driver written in Pure Java (Type 4), and communicates in the PostgreSQL native network protocol.\r\n\r\nSecurity Fix(es):\r\n\r\npgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.(CVE-2022-21724)",
+    "cves": [
+      {
+        "id": "CVE-2022-21724",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21724",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1579": {
+    "id": "openEuler-SA-2023-1579",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1579",
+    "title": "An update for qt is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Qt (pronounced as \"cute\", not \"cu-tee\") is a cross-platform framework that is usually used as a graphical toolkit, although it is also very helpful in creating CLI applications. It runs on the three major desktop OSes, as well as on mobile OSes, such as Symbian, Nokia Belle, Meego Harmattan, MeeGo or BB10, and on embedded devices. Ports for Android (Necessitas) and iOS are also in development\r\n\r\nSecurity Fix(es):\r\n\r\nIn Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.(CVE-2023-32573)",
+    "cves": [
+      {
+        "id": "CVE-2023-32573",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1570": {
+    "id": "openEuler-SA-2023-1570",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1570",
+    "title": "An update for binutils is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The GNU Binutils are a collection of binary tools.\r\n\r\nSecurity Fix(es):\r\n\r\nHeap-based Buffer Overflow in function bfd_getl32 in Binutils objdump 3.37.(CVE-2021-46174)\r\n\r\nAn issue was discovered function make_tempdir, and make_tempname in bucomm.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.(CVE-2022-47008)\r\n\r\nAn issue was discovered function parse_stab_struct_fields in stabs.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.(CVE-2022-47011)",
+    "cves": [
+      {
+        "id": "CVE-2022-47011",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47011",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1183": {
+    "id": "openEuler-SA-2021-1183",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1183",
+    "title": "An update for exiv2 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Exiv2 is a Cross-platform C++ library and a command line utility to manage image metadata. It provides fast and easy read and write access to the Exif, IPTC and XMP metadata and the ICC Profile embedded within digital images in various formats.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Exiv2 in versions before and including 0.27.4-RC1. Improper input validation of the rawData.size property in Jp2Image::readMetadata() in jp2image.cpp can lead to a heap-based buffer overflow via a crafted JPG image containing malicious EXIF data.(CVE-2021-3482)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A heap buffer overflow was found in Exiv2 versions v0.27.3 and earlier. The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when _writing_ the metadata, which is a less frequently used Exiv2 operation than _reading_ the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `insert`. The bug is fixed in version v0.27.4.(CVE-2021-29457)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.3 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as insert. The bug is fixed in version v0.27.4.(CVE-2021-29458)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.3 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as insert. The bug is fixed in version v0.27.4.(CVE-2021-29470)\r\n\r\nExiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. An out-of-bounds read was found in Exiv2 versions v0.27.3 and earlier. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `insert`. The bug is fixed in version v0.27.4. Please see our security policy for information about Exiv2 security.(CVE-2021-29473)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.3 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `insert`. The bug is fixed in version v0.27.4.(CVE-2021-29463)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A heap buffer overflow was found in Exiv2 versions v0.27.3 and earlier. The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `insert`. The bug is fixed in version v0.27.4.(CVE-2021-29464)",
+    "cves": [
+      {
+        "id": "CVE-2021-29464",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29464",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1953": {
+    "id": "openEuler-SA-2023-1953",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1953",
+    "title": "An update for freeradius is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service.\r\n\r\nSecurity Fix(es):\r\n\r\nIn freeradius, the EAP-PWD function compute_password_element() leaks information about the password which allows an attacker to substantially reduce the size of an offline dictionary attack.(CVE-2022-41859)",
+    "cves": [
+      {
+        "id": "CVE-2022-41859",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41859",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1759": {
+    "id": "openEuler-SA-2022-1759",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1759",
+    "title": "An update for eclipse is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Eclipse platform is designed for building integrated development environments (IDEs), server-side applications, desktop applications, and everything in between.\r\n\r\nSecurity Fix(es):\r\n\r\nIn versions 4.18 and earlier of the Eclipse Platform, the Help Subsystem does not authenticate active help requests to the local help web server, allowing an unauthenticated local attacker to issue active help commands to the associated Eclipse Platform process or Eclipse Rich Client Platform process.(CVE-2020-27225)",
+    "cves": [
+      {
+        "id": "CVE-2020-27225",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27225",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1851": {
+    "id": "openEuler-SA-2024-1851",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1851",
+    "title": "An update for arm-trusted-firmware is now available for openEuler-24.03-LTS",
+    "severity": "Medium",
+    "description": "Trusted Firmware-A is a reference implementation of secure world software for Arm A-Profile architectures (Armv8-A and Armv7-A), including an Exception Level 3 (EL3) Secure Monitor.\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. This vulnerability is associated with program files  https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i... https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.C .\r\n\r\n\r\n\r\n\nIn line 313 \"addr_loaded_cnt\" is checked not to be \"CHECK_IMAGE_AREA_CNT\" (5) or larger, this check does not halt the function. Immediately after (line 317) there will be an overflow in the buffer and the value of \"dst\" will be written to the area immediately after the buffer, which is \"addr_loaded_cnt\". This will allow an attacker to freely control the value of \"addr_loaded_cnt\" and thus control the destination of the write immediately after (line 318). The write in line 318 will then be fully controlled by said attacker, with whichever address and whichever value (\"len\") they desire.(CVE-2024-6563)\r\n\r\nBuffer overflow in \"rcar_dev_init\"  due to using due to using untrusted data (rcar_image_number) as a loop counter before verifying it against RCAR_MAX_BL3X_IMAGE. This could lead to a full bypass of secure boot.(CVE-2024-6564)",
+    "cves": [
+      {
+        "id": "CVE-2024-6564",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6564",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1889": {
+    "id": "openEuler-SA-2022-1889",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1889",
+    "title": "An update for gnutls is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, and other required structures.The project strives to provide a secure communications back-end, simple to use and integrated with the rest of the base Linux libraries. A back-end designed to work and be secure out of the box, keeping the complexity of TLS and PKI out of application code.\r\n\r\nSecurity Fix(es):\r\n\r\nA NULL pointer dereference flaw was found in GnuTLS. As Nettle's hash update functions internally call memcpy, providing zero-length input may cause undefined behavior. This flaw leads to a denial of service after authentication in rare circumstances.(CVE-2021-4209)",
+    "cves": [
+      {
+        "id": "CVE-2021-4209",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4209",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2043": {
+    "id": "openEuler-SA-2022-2043",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2043",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in vim and classified as problematic. Affected by this issue is the function qf_update_buffer of the file quickfix.c of the component autocmd Handler. The manipulation leads to use after free. The attack may be launched remotely. Upgrading to version 9.0.0805 is able to address this issue. The name of the patch is d0fab10ed2a86698937e3c3fed2f10bd9bb5e731. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-212324.(CVE-2022-3705)",
+    "cves": [
+      {
+        "id": "CVE-2022-3705",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3705",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1577": {
+    "id": "openEuler-SA-2022-1577",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1577",
+    "title": "An update for obs-server is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nA Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Open Build Service allows remote attackers to store JS code in markdown that is not properly escaped, impacting confidentiality and integrity. This issue affects: Open Build Service versions prior to 2.10.8.(CVE-2020-8031)",
+    "cves": [
+      {
+        "id": "CVE-2020-8031",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8031",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1778": {
+    "id": "openEuler-SA-2023-1778",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1778",
+    "title": "An update for activemq is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "The most popular and powerful open source messaging and Integration Patterns server.\r\n\r\nSecurity Fix(es):\r\n\r\nApache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. \r\n\r\nUsers are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.(CVE-2023-46604)",
+    "cves": [
+      {
+        "id": "CVE-2023-46604",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46604",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1673": {
+    "id": "openEuler-SA-2022-1673",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1673",
+    "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\n\nSecurity Fix(es):\n\nThe c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).(CVE-2022-1292)",
+    "cves": [
+      {
+        "id": "CVE-2022-1292",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1292",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1141": {
+    "id": "openEuler-SA-2023-1141",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1141",
+    "title": "An update for haproxy is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic web sites and powers quite a number of the world's most visited ones. \r\n\r\nSecurity Fix(es):\r\n\r\nInitial description: Router PODs frequently getting restarted and haproxy process is receiving the segfault but it is not generating coredump even though the core file size is unlimited.\r\n\r\nUpstream bug: https://github.com/haproxy/haproxy/issues/1972(CVE-2023-0056)\r\n\r\nHAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka \"request smuggling.\" The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.(CVE-2023-25725)",
+    "cves": [
+      {
+        "id": "CVE-2023-25725",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25725",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1781": {
+    "id": "openEuler-SA-2024-1781",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1781",
+    "title": "An update for openssh is now available for openEuler-24.03-LTS",
+    "severity": "High",
+    "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. \\ It encrypts all traffic to eliminate eavesdropping, connection hijacking, and \\ other attacks. In addition, OpenSSH provides a large suite of secure tunneling \\ capabilities, several authentication methods, and sophisticated configuration options.\r\n\r\nSecurity Fix(es):\r\n\r\nA signal handler race condition was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog().(CVE-2024-6387)",
+    "cves": [
+      {
+        "id": "CVE-2024-6387",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6387",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1811": {
+    "id": "openEuler-SA-2023-1811",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1811",
+    "title": "An update for GraphicsMagick is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "GraphicsMagick is the swiss army knife of image processing. Comprised of 267K physical lines (according to David A. Wheeler's SLOCCount) of source code in the base package (or 1,225K including 3rd party libraries) it provides a robust and efficient collection of tools and libraries which support reading, writing, and manipulating an image in over 89 major formats including important formats like DPX, GIF, JPEG, JPEG-2000, PNG, PDF, PNM, TIFF, and WebP.\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Overflow vulnerability in WritePCXImage function in pcx.c in GraphicsMagick 1.4 allows remote attackers to cause a denial of service via converting of crafted image file to pcx format.(CVE-2020-21679)",
+    "cves": [
+      {
+        "id": "CVE-2020-21679",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-21679",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1110": {
+    "id": "openEuler-SA-2024-1110",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1110",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel before 6.5.9, there is a NULL pointer dereference in send_acknowledge in net/nfc/nci/spi.c.(CVE-2023-46343)\r\n\r\nIn the Linux kernel before 6.4.12, amdgpu_cs_wait_all_fences in drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c has a fence use-after-free.(CVE-2023-51042)\r\n\r\nA denial of service vulnerability due to a deadlock was found in sctp_auto_asconf_init in net/sctp/socket.c in the Linux kernel’s SCTP subsystem. This flaw allows guests with local user privileges to trigger a deadlock and potentially crash the system.(CVE-2024-0639)\r\n\r\nIn rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel through 6.7.1, there is an off-by-one error for an RDS_MSG_RX_DGRAM_TRACE_MAX comparison, resulting in out-of-bounds access.(CVE-2024-23849)",
+    "cves": [
+      {
+        "id": "CVE-2024-23849",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23849",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1980": {
+    "id": "openEuler-SA-2023-1980",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1980",
+    "title": "An update for openssh is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. \\ It encrypts all traffic to eliminate eavesdropping, connection hijacking, and \\ other attacks. In addition, OpenSSH provides a large suite of secure tunneling \\ capabilities, several authentication methods, and sophisticated configuration options.\r\n\r\nSecurity Fix(es):\r\n\r\nIn ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.(CVE-2023-51385)",
+    "cves": [
+      {
+        "id": "CVE-2023-51385",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51385",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1092": {
+    "id": "openEuler-SA-2024-1092",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1092",
+    "title": "An update for gnutls is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, and other required structures. The project strives to provide a secure communications back-end, simple to use and integrated with the rest of the base Linux libraries. A back-end designed to work and be secure out of the box, keeping the complexity of TLS and PKI out of application code.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.(CVE-2024-0553)",
+    "cves": [
+      {
+        "id": "CVE-2024-0553",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0553",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1494": {
+    "id": "openEuler-SA-2024-1494",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1494",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free.(CVE-2023-0330)\r\n\r\nA double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently protects against DMA reentrancy issues. This issue could allow a malicious privileged guest user to crash the QEMU process on the host, resulting in a denial of service or allow arbitrary code execution within the context of the QEMU process on the host.(CVE-2024-3446)\r\n\r\nA heap-based buffer overflow was found in the SDHCI device emulation of QEMU. The bug is triggered when both `s->data_count` and the size of  `s->fifo_buffer` are set to 0x200, leading to an out-of-bound access. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.(CVE-2024-3447)",
+    "cves": [
+      {
+        "id": "CVE-2024-3447",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3447",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1293": {
+    "id": "openEuler-SA-2023-1293",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1293",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information.(CVE-2023-2162)\r\n\r\nAn out-of-bounds memory access flaw was found in the Linux kernel’s XFS file system in how a user restores an XFS image after failure (with a dirty log journal). This flaw allows a local user to crash or potentially escalate their privileges on the system(CVE-2023-2124)\r\n\r\nIn the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users can obtain root privileges. This occurs because anonymous sets are mishandled.(CVE-2023-32233)",
+    "cves": [
+      {
+        "id": "CVE-2023-32233",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32233",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1645": {
+    "id": "openEuler-SA-2023-1645",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1645",
+    "title": "An update for openjdk-1.8.0 is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment 8.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.3.1; Oracle GraalVM Enterprise Edition: 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21549)\r\n\r\nAn issue was discovered in function ciMethodBlocks::make_block_at in Oracle JDK (HotSpot VM) 11, 17 and OpenJDK (HotSpot VM) 8, 11, 17, allows attackers to cause a denial of service.(CVE-2022-40433)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization).  Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf; Oracle GraalVM Enterprise Edition: 20.3.8 and  21.3.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21830)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Sound).  Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21843)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2023-21930)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21937)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21938)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21939)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2023-21954)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21968)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2023-22045)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-22049)",
+    "cves": [
+      {
+        "id": "CVE-2023-22049",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22049",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1860": {
+    "id": "openEuler-SA-2022-1860",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1860",
+    "title": "An update for lua is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Lua is a powerful, efficient, lightweight, embeddable scripting language. It supports procedural programming, object-oriented programming, functional programming, data-driven programming, and data description.\r\n\r\nSecurity Fix(es):\r\n\r\nUse after free in garbage collector and finalizer of lgc.c in Lua interpreter 5.4.0~5.4.3 allows attackers to perform Sandbox Escape via a crafted script file.(CVE-2021-44964)",
+    "cves": [
+      {
+        "id": "CVE-2021-44964",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44964",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1398": {
+    "id": "openEuler-SA-2024-1398",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1398",
+    "title": "An update for rubygem-tzinfo is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "TZInfo provides daylight savings aware transformations between times in different time zones.\r\n\r\nSecurity Fix(es):\r\n\r\nTZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with `require` on demand. In the affected versions, `TZInfo::Timezone.get` fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, `TZInfo::Timezone.get` can be made to load unintended files with `require`, executing them within the Ruby process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of `tzinfo/definition` within a directory in the load path. Applications should ensure that untrusted files are not placed in a directory on the load path. As a workaround, the time zone identifier can be validated before passing to `TZInfo::Timezone.get` by ensuring it matches the regular expression `\\A[A-Za-z0-9+\\-_]+(?:\\/[A-Za-z0-9+\\-_]+)*\\z`.(CVE-2022-31163)",
+    "cves": [
+      {
+        "id": "CVE-2022-31163",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31163",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1087": {
+    "id": "openEuler-SA-2023-1087",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1087",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system.(CVE-2022-3707)\r\n\r\nA memory leak flaw and potential divide by zero and Integer overflow was found in the Linux kernel V4L2 and vivid test code functionality. This issue occurs when a user triggers ioctls, such as VIDIOC_S_DV_TIMINGS ioctl. This could allow a local user to crash the system if vivid test code enabled.(CVE-2023-0615)",
+    "cves": [
+      {
+        "id": "CVE-2023-0615",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0615",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1944": {
+    "id": "openEuler-SA-2023-1944",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1944",
+    "title": "An update for hsqldb1 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "HSQLdb is a relational database engine written in JavaTM , with a JDBC driver, supporting a subset of ANSI-92 SQL. It offers a small (about 100k), fast database engine which offers both in memory and disk based tables. Embedded and server modes are available. Additionally, it includes tools such as a minimal web server, in-memory query and management tools (can be run as applets or servlets, too) and a number of demonstration examples. Downloaded code should be regarded as being of production quality. The product is currently being used as a database and persistence engine in many Open Source Software projects and even in commercial projects and products! In it's current version it is extremely stable and reliable. It is best known for its small size, ability to execute completely in memory and its speed. Yet it is a completely functional relational database management system that is completely free under the Modified BSD License. Yes, that's right, completely free of cost or restrictions!\r\n\r\nSecurity Fix(es):\r\n\r\nThose using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property \"hsqldb.method_class_names\" to classes which are allowed to be called. For example, System.setProperty(\"hsqldb.method_class_names\", \"abc\") or Java argument -Dhsqldb.method_class_names=\"abc\" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.(CVE-2022-41853)",
+    "cves": [
+      {
+        "id": "CVE-2022-41853",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41853",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1887": {
+    "id": "openEuler-SA-2023-1887",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1887",
+    "title": "An update for python-cryptography is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.\r\n\r\nSecurity Fix(es):\r\n\r\ncryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.(CVE-2023-49083)",
+    "cves": [
+      {
+        "id": "CVE-2023-49083",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49083",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1257": {
+    "id": "openEuler-SA-2021-1257",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1257",
+    "title": "An update for PyYAML is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "YAML is a data serialization format designed for human readability and interaction with scripting languages. PyYAML is a YAML parser and emitter for Python.\nPyYAML features a complete YAML 1.1 parser, Unicode support, pickle support, capable extension API, and sensible error messages. PyYAML supports standard YAML tags and provides Python-specific tags that allow to represent an arbitrary Python object.\nPyYAML is applicable for a broad range of tasks from complex configuration files to object serialization and persistence.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.(CVE-2020-14343)",
+    "cves": [
+      {
+        "id": "CVE-2020-14343",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14343",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1298": {
+    "id": "openEuler-SA-2024-1298",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1298",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: fix deadlock when cloning inline extents and using qgroups\r\n\r\nThere are a few exceptional cases where cloning an inline extent needs to\ncopy the inline extent data into a page of the destination inode.\r\n\r\nWhen this happens, we end up starting a transaction while having a dirty\npage for the destination inode and while having the range locked in the\ndestination's inode iotree too. Because when reserving metadata space\nfor a transaction we may need to flush existing delalloc in case there is\nnot enough free space, we have a mechanism in place to prevent a deadlock,\nwhich was introduced in commit 3d45f221ce627d (\"btrfs: fix deadlock when\ncloning inline extent and low on free metadata space\").\r\n\r\nHowever when using qgroups, a transaction also reserves metadata qgroup\nspace, which can also result in flushing delalloc in case there is not\nenough available space at the moment. When this happens we deadlock, since\nflushing delalloc requires locking the file range in the inode's iotree\nand the range was already locked at the very beginning of the clone\noperation, before attempting to start the transaction.\r\n\r\nWhen this issue happens, stack traces like the following are reported:\r\n\r\n  [72747.556262] task:kworker/u81:9   state:D stack:    0 pid:  225 ppid:     2 flags:0x00004000\n  [72747.556268] Workqueue: writeback wb_workfn (flush-btrfs-1142)\n  [72747.556271] Call Trace:\n  [72747.556273]  __schedule+0x296/0x760\n  [72747.556277]  schedule+0x3c/0xa0\n  [72747.556279]  io_schedule+0x12/0x40\n  [72747.556284]  __lock_page+0x13c/0x280\n  [72747.556287]  ? generic_file_readonly_mmap+0x70/0x70\n  [72747.556325]  extent_write_cache_pages+0x22a/0x440 [btrfs]\n  [72747.556331]  ? __set_page_dirty_nobuffers+0xe7/0x160\n  [72747.556358]  ? set_extent_buffer_dirty+0x5e/0x80 [btrfs]\n  [72747.556362]  ? update_group_capacity+0x25/0x210\n  [72747.556366]  ? cpumask_next_and+0x1a/0x20\n  [72747.556391]  extent_writepages+0x44/0xa0 [btrfs]\n  [72747.556394]  do_writepages+0x41/0xd0\n  [72747.556398]  __writeback_single_inode+0x39/0x2a0\n  [72747.556403]  writeback_sb_inodes+0x1ea/0x440\n  [72747.556407]  __writeback_inodes_wb+0x5f/0xc0\n  [72747.556410]  wb_writeback+0x235/0x2b0\n  [72747.556414]  ? get_nr_inodes+0x35/0x50\n  [72747.556417]  wb_workfn+0x354/0x490\n  [72747.556420]  ? newidle_balance+0x2c5/0x3e0\n  [72747.556424]  process_one_work+0x1aa/0x340\n  [72747.556426]  worker_thread+0x30/0x390\n  [72747.556429]  ? create_worker+0x1a0/0x1a0\n  [72747.556432]  kthread+0x116/0x130\n  [72747.556435]  ? kthread_park+0x80/0x80\n  [72747.556438]  ret_from_fork+0x1f/0x30\r\n\r\n  [72747.566958] Workqueue: btrfs-flush_delalloc btrfs_work_helper [btrfs]\n  [72747.566961] Call Trace:\n  [72747.566964]  __schedule+0x296/0x760\n  [72747.566968]  ? finish_wait+0x80/0x80\n  [72747.566970]  schedule+0x3c/0xa0\n  [72747.566995]  wait_extent_bit.constprop.68+0x13b/0x1c0 [btrfs]\n  [72747.566999]  ? finish_wait+0x80/0x80\n  [72747.567024]  lock_extent_bits+0x37/0x90 [btrfs]\n  [72747.567047]  btrfs_invalidatepage+0x299/0x2c0 [btrfs]\n  [72747.567051]  ? find_get_pages_range_tag+0x2cd/0x380\n  [72747.567076]  __extent_writepage+0x203/0x320 [btrfs]\n  [72747.567102]  extent_write_cache_pages+0x2bb/0x440 [btrfs]\n  [72747.567106]  ? update_load_avg+0x7e/0x5f0\n  [72747.567109]  ? enqueue_entity+0xf4/0x6f0\n  [72747.567134]  extent_writepages+0x44/0xa0 [btrfs]\n  [72747.567137]  ? enqueue_task_fair+0x93/0x6f0\n  [72747.567140]  do_writepages+0x41/0xd0\n  [72747.567144]  __filemap_fdatawrite_range+0xc7/0x100\n  [72747.567167]  btrfs_run_delalloc_work+0x17/0x40 [btrfs]\n  [72747.567195]  btrfs_work_helper+0xc2/0x300 [btrfs]\n  [72747.567200]  process_one_work+0x1aa/0x340\n  [72747.567202]  worker_thread+0x30/0x390\n  [72747.567205]  ? create_worker+0x1a0/0x1a0\n  [72747.567208]  kthread+0x116/0x130\n  [72747.567211]  ? kthread_park+0x80/0x80\n  [72747.567214]  ret_from_fork+0x1f/0x30\r\n\r\n  [72747.569686] task:fsstress        state:D stack:    \n---truncated---(CVE-2021-46987)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Defer the free of inner map when necessary\r\n\r\nWhen updating or deleting an inner map in map array or map htab, the map\nmay still be accessed by non-sleepable program or sleepable program.\nHowever bpf_map_fd_put_ptr() decreases the ref-counter of the inner map\ndirectly through bpf_map_put(), if the ref-counter is the last one\n(which is true for most cases), the inner map will be freed by\nops->map_free() in a kworker. But for now, most .map_free() callbacks\ndon't use synchronize_rcu() or its variants to wait for the elapse of a\nRCU grace period, so after the invocation of ops->map_free completes,\nthe bpf program which is accessing the inner map may incur\nuse-after-free problem.\r\n\r\nFix the free of inner map by invoking bpf_map_free_deferred() after both\none RCU grace period and one tasks trace RCU grace period if the inner\nmap has been removed from the outer map before. The deferment is\naccomplished by using call_rcu() or call_rcu_tasks_trace() when\nreleasing the last ref-counter of bpf map. The newly-added rcu_head\nfield in bpf_map shares the same storage space with work field to\nreduce the size of bpf_map.(CVE-2023-52447)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump\r\n\r\nSyzkaller has reported a NULL pointer dereference when accessing\nrgd->rd_rgl in gfs2_rgrp_dump().  This can happen when creating\nrgd->rd_gl fails in read_rindex_entry().  Add a NULL pointer check in\ngfs2_rgrp_dump() to prevent that.(CVE-2023-52448)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmtd: Fix gluebi NULL pointer dereference caused by ftl notifier\r\n\r\nIf both ftl.ko and gluebi.ko are loaded, the notifier of ftl\ntriggers NULL pointer dereference when trying to access\n‘gluebi->desc’ in gluebi_read().\r\n\r\nubi_gluebi_init\n  ubi_register_volume_notifier\n    ubi_enumerate_volumes\n      ubi_notify_all\n        gluebi_notify    nb->notifier_call()\n          gluebi_create\n            mtd_device_register\n              mtd_device_parse_register\n                add_mtd_device\n                  blktrans_notify_add   not->add()\n                    ftl_add_mtd         tr->add_mtd()\n                      scan_header\n                        mtd_read\n                          mtd_read_oob\n                            mtd_read_oob_std\n                              gluebi_read   mtd->read()\n                                gluebi->desc - NULL\r\n\r\nDetailed reproduction information available at the Link [1],\r\n\r\nIn the normal case, obtain gluebi->desc in the gluebi_get_device(),\nand access gluebi->desc in the gluebi_read(). However,\ngluebi_get_device() is not executed in advance in the\nftl_add_mtd() process, which leads to NULL pointer dereference.\r\n\r\nThe solution for the gluebi module is to run jffs2 on the UBI\nvolume without considering working with ftl or mtdblock [2].\nTherefore, this problem can be avoided by preventing gluebi from\ncreating the mtdblock device after creating mtd partition of the\ntype MTD_UBIVOLUME.(CVE-2023-52449)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Fix accesses to uninit stack slots\r\n\r\nPrivileged programs are supposed to be able to read uninitialized stack\nmemory (ever since 6715df8d5) but, before this patch, these accesses\nwere permitted inconsistently. In particular, accesses were permitted\nabove state->allocated_stack, but not below it. In other words, if the\nstack was already \"large enough\", the access was permitted, but\notherwise the access was rejected instead of being allowed to \"grow the\nstack\". This undesired rejection was happening in two places:\n- in check_stack_slot_within_bounds()\n- in check_stack_range_initialized()\nThis patch arranges for these accesses to be permitted. A bunch of tests\nthat were relying on the old rejection had to change; all of them were\nchanged to add also run unprivileged, in which case the old behavior\npersists. One tests couldn't be updated - global_func16 - because it\ncan't run unprivileged for other reasons.\r\n\r\nThis patch also fixes the tracking of the stack size for variable-offset\nreads. This second fix is bundled in the same commit as the first one\nbecause they're inter-related. Before this patch, writes to the stack\nusing registers containing a variable offset (as opposed to registers\nwith fixed, known values) were not properly contributing to the\nfunction's needed stack size. As a result, it was possible for a program\nto verify, but then to attempt to read out-of-bounds data at runtime\nbecause a too small stack had been allocated for it.\r\n\r\nEach function tracks the size of the stack it needs in\nbpf_subprog_info.stack_depth, which is maintained by\nupdate_stack_depth(). For regular memory accesses, check_mem_access()\nwas calling update_state_depth() but it was passing in only the fixed\npart of the offset register, ignoring the variable offset. This was\nincorrect; the minimum possible value of that register should be used\ninstead.\r\n\r\nThis tracking is now fixed by centralizing the tracking of stack size in\ngrow_stack_state(), and by lifting the calls to grow_stack_state() to\ncheck_stack_access_within_bounds() as suggested by Andrii. The code is\nnow simpler and more convincingly tracks the correct maximum stack size.\ncheck_stack_range_initialized() can now rely on enough stack having been\nallocated for the access; this helps with the fix for the first issue.\r\n\r\nA few tests were changed to also check the stack depth computation. The\none that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.(CVE-2023-52452)",
+    "cves": [
+      {
+        "id": "CVE-2023-52452",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52452",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1060": {
+    "id": "openEuler-SA-2021-1060",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1060",
+    "title": "An update for OpenEXR is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light & Magic for use in computer imaging applications.\r\n\r\nSecurity Fix(es):\r\n\r\nIn OpenEXR 2.2.0, an invalid read of size 1 in the refill function in ImfFastHuf.cpp could cause the application to crash.(CVE-2017-9114)\r\n\r\nIn OpenEXR 2.2.0, an invalid read of size 2 in the hufDecode function in ImfHuf.cpp could cause the application to crash.(CVE-2017-9110)\r\n\r\nIn OpenEXR 2.2.0, an invalid read of size 1 in the getBits function in ImfHuf.cpp could cause the application to crash.(CVE-2017-9112)\r\n\r\nIn OpenEXR 2.2.0, an invalid write of size 8 in the storeSSE function in ImfOptimizedPixelReading.h could cause the application to crash or execute arbitrary code.(CVE-2017-9111)\r\n\r\nIn OpenEXR 2.2.0, an invalid read of size 1 in the uncompress function in ImfZip.cpp could cause the application to crash.(CVE-2017-9116)\r\n\r\nIn OpenEXR 2.2.0, an invalid write of size 2 in the = operator function in half.h could cause the application to crash or execute arbitrary code.(CVE-2017-9115)\r\n\r\nIn OpenEXR 2.2.0, an invalid write of size 1 in the bufferedReadPixels function in ImfInputFile.cpp could cause the application to crash or execute arbitrary code.(CVE-2017-9113)\r\n\r\nIn OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read in the hufDecode function in IlmImf/ImfHuf.cpp during exrmaketiled execution; it may result in denial of service or possibly unspecified other impact.(CVE-2017-12596)",
+    "cves": [
+      {
+        "id": "CVE-2017-12596",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12596",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1643": {
+    "id": "openEuler-SA-2022-1643",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1643",
+    "title": "An update for python-waitress is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Waitress is meant to be a production-quality pure-Python WSGI server with very acceptable performance. It has no dependencies except ones which live in the Python standard library. It runs on CPython on Unix and Windows under Python 2.7+ and Python 3.5+. It is also known to run on PyPy 1.6.0+ on UNIX. It supports HTTP/1.0 and HTTP/1.1.\n\r\nSecurity Fix(es):\r\n\r\nWaitress is a Web Server Gateway Interface server for Python 2 and 3. When using Waitress versions 2.1.0 and prior behind a proxy that does not properly validate the incoming HTTP request matches the RFC7230 standard, Waitress and the frontend proxy may disagree on where one request starts and where it ends. This would allow requests to be smuggled via the front-end proxy to waitress and later behavior. There are two classes of vulnerability that may lead to request smuggling that are addressed by this advisory: The use of Python's `int()` to parse strings into integers, leading to `+10` to be parsed as `10`, or `0x01` to be parsed as `1`, where as the standard specifies that the string should contain only digits or hex digits; and Waitress does not support chunk extensions, however it was discarding them without validating that they did not contain illegal characters. This vulnerability has been patched in Waitress 2.1.1. A workaround is available. When deploying a proxy in front of waitress, turning on any and all functionality to make sure that the request matches the RFC7230 standard. Certain proxy servers may not have this functionality though and users are encouraged to upgrade to the latest version of waitress instead.(CVE-2022-24761)",
+    "cves": [
+      {
+        "id": "CVE-2022-24761",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24761",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1761": {
+    "id": "openEuler-SA-2024-1761",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1761",
+    "title": "An update for ffmpeg is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash.\r\n\r\nSecurity Fix(es):\r\n\r\nA null pointer dereference issue was discovered in 'FFmpeg' in decode_main_header() function of libavformat/nutdec.c file. The flaw occurs because the function lacks check of the return value of avformat_new_stream() and triggers the null pointer dereference error, causing an application to crash.(CVE-2022-3341)\r\n\r\nBuffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via a floating point exception (FPE) error at libavfilter/vf_minterpolate.c:1078:60 in interpolate.(CVE-2023-51798)",
+    "cves": [
+      {
+        "id": "CVE-2023-51798",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51798",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1583": {
+    "id": "openEuler-SA-2024-1583",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1583",
+    "title": "An update for stb is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "Single-file public domain libraries for C/C++.\r\n\r\nSecurity Fix(es):\r\n\r\nstb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory write past an allocated heap buffer in `start_decoder`. The root cause is a potential integer overflow in `sizeof(char*) * (f->comment_list_length)` which may make `setup_malloc` allocate less memory than required. Since there is another integer overflow an attacker may overflow it too to force `setup_malloc` to return 0 and make the exploit more reliable. This issue may lead to code execution.(CVE-2023-45681)\r\n\r\nA heap-based buffer overflow vulnerability exists in the comment functionality of stb _vorbis.c v1.22. A specially crafted .ogg file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.(CVE-2023-47212)",
+    "cves": [
+      {
+        "id": "CVE-2023-47212",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47212",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1907": {
+    "id": "openEuler-SA-2022-1907",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1907",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\n\n\t\tQEMU has two operating modes:\n\n\t\tFull system emulation. In this mode, QEMU emulates a full system (for example a PC),\n\t\tincluding one or several processors and various peripherals. It can be used to launch\n\t\tdifferent Operating Systems without rebooting the PC or to debug system code.\n\n\t\tUser mode emulation. In this mode, QEMU can launch processes compiled for one CPU on another CPU.\n\t\tIt can be used to launch the Wine Windows API emulator (https://www.winehq.org) or to ease\n\t\tcross-compilation and cross-debugging.\n\t\tYou can refer to https://www.qemu.org for more infortmation.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service.(CVE-2022-0216)",
+    "cves": [
+      {
+        "id": "CVE-2022-0216",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0216",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1590": {
+    "id": "openEuler-SA-2023-1590",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1590",
+    "title": "An update for hwloc is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "hwloc provides command line tools and a C API to obtain the hierarchical map of key computing elements, such as: NUMA memory nodes, shared caches, processor sockets, processor cores, and processor \"threads\". hwloc also gathers various attributes such as cache and memory information, and is portable across a variety of different operating systems and platforms.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in open-mpi hwloc 2.1.0 allows attackers to cause a denial of service or other unspecified impacts via glibc-cpuset in topology-linux.c.(CVE-2022-47022)",
+    "cves": [
+      {
+        "id": "CVE-2022-47022",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47022",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1245": {
+    "id": "openEuler-SA-2023-1245",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1245",
+    "title": "An update for nasm is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "NASM is the Netwide Assembler, a free portable assembler for the Intel 80x86 microprocessor series, using primarily the traditional Intel instruction mnemonics and syntax. It also provides tools in RDOFF binary format, includes linker, library manager, loader, and information dump.\r\n\r\nSecurity Fix(es):\r\n\r\nNASM v2.16 was discovered to contain a heap buffer overflow in the component quote_for_pmake() asm/nasm.c:856(CVE-2022-44370)",
+    "cves": [
+      {
+        "id": "CVE-2022-44370",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44370",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1373": {
+    "id": "openEuler-SA-2024-1373",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1373",
+    "title": "An update for unixODBC is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The unixODBC Project goals are to develop and promote unixODBC to be the definitive standard for ODBC on non MS Windows platforms. This is to include GUI support for both KDE and GNOME.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds stack write flaw was found in unixODBC on 64-bit architectures where the caller has 4 bytes and callee writes 8 bytes. This issue may go unnoticed on little-endian architectures, while big-endian architectures can be broken.(CVE-2024-1013)",
+    "cves": [
+      {
+        "id": "CVE-2024-1013",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1013",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1477": {
+    "id": "openEuler-SA-2023-1477",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1477",
+    "title": "An update for python-pygments is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Pygments is a generic syntax highlighter suitable for use in code hosting, forums, wikis or other applications that need to prettify source code.\r\n\r\nSecurity Fix(es):\r\n\r\nA ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.(CVE-2022-40896)",
+    "cves": [
+      {
+        "id": "CVE-2022-40896",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40896",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1639": {
+    "id": "openEuler-SA-2024-1639",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1639",
+    "title": "An update for iperf3 is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Low",
+    "description": "Iperf is a tool for active measurements of the maximum achievable bandwidth on IP networks. It supports tuning of various parameters related to timing, protocols, and buffers.\r\n\r\nSecurity Fix(es):\r\n\r\niPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server with RSA authentication, allows a timing side channel in RSA decryption operations. This side channel could be sufficient for an attacker to recover credential plaintext. It requires the attacker to send a large number of messages for decryption, as described in \"Everlasting ROBOT: the Marvin Attack\" by Hubert Kario.(CVE-2024-26306)",
+    "cves": [
+      {
+        "id": "CVE-2024-26306",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26306",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1604": {
+    "id": "openEuler-SA-2024-1604",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1604",
+    "title": "An update for iperf3 is now available for openEuler-20.03-LTS-SP1,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP3",
+    "severity": "Low",
+    "description": "Iperf is a tool for active measurements of the maximum achievable bandwidth on IP networks. It supports tuning of various parameters related to timing, protocols, and buffers.\r\n\r\nSecurity Fix(es):\r\n\r\niPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server with RSA authentication, allows a timing side channel in RSA decryption operations. This side channel could be sufficient for an attacker to recover credential plaintext. It requires the attacker to send a large number of messages for decryption, as described in \"Everlasting ROBOT: the Marvin Attack\" by Hubert Kario.(CVE-2024-26306)",
+    "cves": [
+      {
+        "id": "CVE-2024-26306",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26306",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1078": {
+    "id": "openEuler-SA-2023-1078",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1078",
+    "title": "An update for libXpm is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "X.Org X11 libXpm runtime library\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in libXpm. When processing files with .Z or .gz extensions, the library calls external programs to compress and uncompress files, relying on the PATH environment variable to find these programs, which could allow a malicious user to execute other programs by manipulating the PATH environment variable.(CVE-2022-4883)\r\n\r\nA flaw was found in libXpm. When processing a file with width of 0 and a very large height, some parser functions will be called repeatedly and can lead to an infinite loop, resulting in a Denial of Service in the application linked to the library.(CVE-2022-44617)\r\n\r\nA flaw was found in libXpm. This issue occurs when parsing a file with a comment not closed; the end-of-file condition will not be detected, leading to an infinite loop and resulting in a Denial of Service in the application linked to the library.(CVE-2022-46285)",
+    "cves": [
+      {
+        "id": "CVE-2022-46285",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46285",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1622": {
+    "id": "openEuler-SA-2023-1622",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1622",
+    "title": "An update for php is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in PHP. This issue occurs due to an uncaught integer overflow in PDO::quote() of PDO_SQLite returning an improperly quoted string. With the implementation of sqlite3_snprintf(), it is possible to force the function to return a single apostrophe if the function is called on user-supplied input without any length restrictions in place.(CVE-2022-31631)\r\n\r\nIn PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.(CVE-2023-0567)\r\n\r\nIn PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification. (CVE-2023-0568)\r\n\r\nIn PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space. (CVE-2023-0662)\r\n\r\nIn PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, 8.2.* before 8.2.7 when using SOAP HTTP Digest Authentication, random value generator was not checked for failure, and was using narrower range of values than it should have. In case of random generator failure, it could lead to a disclosure of 31 bits of uninitialized memory from the client to the server, and it also made easier to a malicious server to guess the client's nonce. \r\n\r\n(CVE-2023-3247)\r\n\r\nIn PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down. \r\n\r\n(CVE-2023-3823)\r\n\r\nIn PHP version 8.0.* before 8.0.30,  8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE. \r\n\r\n(CVE-2023-3824)",
+    "cves": [
+      {
+        "id": "CVE-2023-3824",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3824",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1718": {
+    "id": "openEuler-SA-2022-1718",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1718",
+    "title": "An update for httpd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\r\n\r\nSecurity Fix(es):\r\n\r\nInconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions.(CVE-2022-26377)\r\n\r\nThe ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use the 'ap_rputs' function and may pass it a very large (INT_MAX or larger) string must be compiled against current headers to resolve the issue.(CVE-2022-28614)\r\n\r\nApache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected.(CVE-2022-28615)\r\n\r\nIn Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size.(CVE-2022-29404)\r\n\r\nApache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.(CVE-2022-30556)\r\n\r\nApache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application.(CVE-2022-31813)\r\n\r\nIf Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.(CVE-2022-30522)",
+    "cves": [
+      {
+        "id": "CVE-2022-30522",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30522",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1531": {
+    "id": "openEuler-SA-2024-1531",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1531",
+    "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, fully featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL tookit and its related documentation.\r\n\r\nSecurity Fix(es):\r\n\r\nIssue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\r\n\r\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\r\n\r\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\r\n\r\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\r\n\r\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\n1.0.2 is also not affected by this issue.(CVE-2024-2511)",
+    "cves": [
+      {
+        "id": "CVE-2024-2511",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2511",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1654": {
+    "id": "openEuler-SA-2024-1654",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1654",
+    "title": "An update for wireshark is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Wireshark is an open source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer.\r\n\r\nSecurity Fix(es):\r\n\r\nMemory handling issue in editcap could cause denial of service via crafted capture file(CVE-2024-4853)\r\n\r\nUse after free issue in editcap could cause denial of service via crafted capture file(CVE-2024-4855)",
+    "cves": [
+      {
+        "id": "CVE-2024-4855",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4855",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1035": {
+    "id": "openEuler-SA-2023-1035",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1035",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds memory access flaw was found in the Linux kernel Intel’s iSMT SMBus host controller driver in the way a user triggers the I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS) with malicious input data. This flaw allows a local user to crash the system.(CVE-2022-2873)\r\n\r\nAn incorrect read request flaw was found in the Infrared Transceiver USB driver in the Linux kernel. This issue occurs when a user attaches a malicious USB device. A local user could use this flaw to starve the resources, causing denial of service or potentially crashing the system.(CVE-2022-3903)\r\n\r\nAn issue was discovered in the Linux kernel through 5.16-rc6. lkdtm_ARRAY_BOUNDS in drivers/misc/lkdtm/bugs.c lacks check of the return value of kmalloc() and will cause the null pointer dereference.(CVE-2022-3104)\r\n\r\nAn issue was discovered in the Linux kernel through 5.16-rc6. free_charger_irq() in drivers/power/supply/wm8350_power.c lacks free of WM8350_IRQ_CHG_FAST_RDY, which is registered in wm8350_init_charger().(CVE-2022-3111)\r\n\r\nAn issue was discovered in the Linux kernel through 5.16-rc6. netvsc_get_ethtool_stats in drivers/net/hyperv/netvsc_drv.c lacks check of the return value of kvmalloc_array() and will cause the null pointer dereference.(CVE-2022-3107)\r\n\r\nAn issue was discovered in the Linux kernel through 5.16-rc6. amvdec_set_canvases in drivers/staging/media/meson/vdec/vdec_helpers.c lacks check of the return value of kzalloc() and will cause the null pointer dereference.(CVE-2022-3112)\r\n\r\nAn issue was discovered in the Linux kernel through 5.16-rc6. mtk_vcodec_fw_vpu_init in drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c lacks check of the return value of devm_kzalloc() and will cause the null pointer dereference.(CVE-2022-3113)\r\n\r\nAn issue was discovered in the Linux kernel through 5.16-rc6. malidp_crtc_reset in drivers/gpu/drm/arm/malidp_crtc.c lacks check of the return value of kzalloc() and will cause the null pointer dereference.(CVE-2022-3115)\r\n\r\nAn issue was discovered in the Linux kernel through 5.16-rc6. imx_register_uart_clocks in drivers/clk/imx/clk.c lacks check of the return value of kcalloc() and will cause the null pointer dereference.(CVE-2022-3114)\r\n\r\nA regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks. L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a(CVE-2022-2196)\r\n\r\nAn issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. There is a heap-based buffer overflow in set_ntacl_dacl, related to use of SMB2_QUERY_INFO_HE after a malformed SMB2_SET_INFO_HE command.(CVE-2022-47942)\r\n\r\nAn issue was discovered in ksmbd in the Linux kernel 5.15 through 5.18 before 5.18.18. fs/ksmbd/smb2pdu.c lacks length validation in the non-padding case in smb2_write.(CVE-2022-47940)\r\n\r\nAn issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. There is an out-of-bounds read and OOPS for SMB2_WRITE, when there is a large length in the zero DataOffset case.(CVE-2022-47943)",
+    "cves": [
+      {
+        "id": "CVE-2022-47943",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47943",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1218": {
+    "id": "openEuler-SA-2021-1218",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1218",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability.(CVE-2021-20181)",
+    "cves": [
+      {
+        "id": "CVE-2021-20181",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20181",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1679": {
+    "id": "openEuler-SA-2023-1679",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1679",
+    "title": "An update for opensc is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "OpenSC provides a set of libraries and utilities to work with smart cards. Its main focus is on cards that support cryptographic operations, and facilitate their use in security applications such as authentication, mail encryption and digital signatures. OpenSC implements the standard APIs to smart cards, e.g. PKCS#11 API, Windows’ Smart Card Minidriver and macOS Tokend.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerbility was found in OpenSC. This security flaw cause a buffer overrun vulnerability in pkcs15 cardos_have_verifyrc_package. The attacker can supply a smart card package with malformed ASN1 context. The cardos_have_verifyrc_package function scans the ASN1 buffer for 2 tags, where remaining length is wrongly caculated due to moved starting pointer. This leads to possible heap-based buffer oob read. In cases where ASAN is enabled while compiling this causes a crash. Further info leak or more damage is possible.(CVE-2023-2977)",
+    "cves": [
+      {
+        "id": "CVE-2023-2977",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2977",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1751": {
+    "id": "openEuler-SA-2022-1751",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1751",
+    "title": "An update for uboot-tools is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "This package includes the mkimage program, which allows generation of U-Boot images in various formats, and the fw_printenv and fw_setenv programs to read and modify U-Boot's environment.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Das U-Boot through 2022.07-rc5, an integer signedness error and resultant stack-based buffer overflow in the \"i2c md\" command enables the corruption of the return address pointer of the do_i2c_md function.(CVE-2022-34835)",
+    "cves": [
+      {
+        "id": "CVE-2022-34835",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34835",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1550": {
+    "id": "openEuler-SA-2024-1550",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1550",
+    "title": "An update for kubernetes is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Low",
+    "description": "Container cluster management.\r\n\r\nSecurity Fix(es):\r\n\r\nA security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.\r\n\r\n(CVE-2024-3177)",
+    "cves": [
+      {
+        "id": "CVE-2024-3177",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3177",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1967": {
+    "id": "openEuler-SA-2022-1967",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1967",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel through 5.19.8. drivers/firmware/efi/capsule-loader.c has a race condition with a resultant use-after-free.(CVE-2022-40307)\n\nA flaw use after free in the Linux kernel video4linux driver was found in the way user triggers em28xx_usb_probe() for the Empia 28xx based TV cards. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.(CVE-2022-3239)",
+    "cves": [
+      {
+        "id": "CVE-2022-3239",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3239",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1587": {
+    "id": "openEuler-SA-2024-1587",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1587",
+    "title": "An update for less is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Less is a pager. A pager is a program that displays text files. Other pagers commonly in use are more and pg. Pagers are often used in command-line environments like the Unix shell and the MS-DOS command prompt to display files.\r\n\r\nSecurity Fix(es):\r\n\r\nless through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.(CVE-2024-32487)",
+    "cves": [
+      {
+        "id": "CVE-2024-32487",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32487",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1079": {
+    "id": "openEuler-SA-2023-1079",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1079",
+    "title": "An update for tpm2-tss is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "tpm2-tss is a software stack supporting Trusted Platform Module(TPM) 2.0 system APIs which provides TPM2.0 specified APIs for applications to access TPM module through kernel TPM drivers.\r\n\r\nSecurity Fix(es):\r\n\r\ntpm2-tss is an open source software implementation of the Trusted Computing Group (TCG) Trusted Platform Module (TPM) 2 Software Stack (TSS2). In affected versions `Tss2_RC_SetHandler` and `Tss2_RC_Decode` both index into `layer_handler` with an 8 bit layer number, but the array only has `TPM2_ERROR_TSS2_RC_LAYER_COUNT` entries, so trying to add a handler for higher-numbered layers or decode a response code with such a layer number reads/writes past the end of the buffer. This Buffer overrun, could result in arbitrary code execution. An example attack would be a MiTM bus attack that returns 0xFFFFFFFF for the RC. Given the common use case of TPM modules an attacker must have local access to the target machine with local system privileges which allows access to the TPM system. Usually TPM access requires administrative privilege.(CVE-2023-22745)",
+    "cves": [
+      {
+        "id": "CVE-2023-22745",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22745",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1038": {
+    "id": "openEuler-SA-2024-1038",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1038",
+    "title": "An update for jersey is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Jersey is the open source JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services. %if\r\n\r\nSecurity Fix(es):\r\n\r\nEclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.(CVE-2021-28168)",
+    "cves": [
+      {
+        "id": "CVE-2021-28168",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28168",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1362": {
+    "id": "openEuler-SA-2024-1362",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1362",
+    "title": "An update for telnet is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Telnet is an application protocol used on the Internet or local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. The package includes a remote login client program for telnet and a server daemon.\r\n\r\nSecurity Fix(es):\r\n\r\ntelnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL pointer dereference via 0xff 0xf7 or 0xff 0xf8. In a typical installation, the telnetd application would crash but the telnet service would remain available through inetd. However, if the telnetd application has many crashes within a short time interval, the telnet service would become unavailable after inetd logs a \"telnet/tcp server failing (looping), service terminated\" error. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.(CVE-2022-39028)",
+    "cves": [
+      {
+        "id": "CVE-2022-39028",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39028",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1705": {
+    "id": "openEuler-SA-2024-1705",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1705",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: cdc_eem: fix tx fixup skb leak\r\n\r\nwhen usbnet transmit a skb, eem fixup it in eem_tx_fixup(),\nif skb_copy_expand() failed, it return NULL,\nusbnet_start_xmit() will have no chance to free original skb.\r\n\r\nfix it by free orginal skb in eem_tx_fixup() first,\nthen check skb clone status, if failed, return NULL to usbnet.(CVE-2021-47236)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngfs2: Fix use-after-free in gfs2_glock_shrink_scan\r\n\r\nThe GLF_LRU flag is checked under lru_lock in gfs2_glock_remove_from_lru() to\nremove the glock from the lru list in __gfs2_glock_put().\r\n\r\nOn the shrink scan path, the same flag is cleared under lru_lock but because\nof cond_resched_lock(&lru_lock) in gfs2_dispose_glock_lru(), progress on the\nput side can be made without deleting the glock from the lru list.\r\n\r\nKeep GLF_LRU across the race window opened by cond_resched_lock(&lru_lock) to\nensure correct behavior on both sides - clear GLF_LRU after list_del under\nlru_lock.(CVE-2021-47254)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetrom: Decrease sock refcount when sock timers expire\r\n\r\nCommit 63346650c1a9 (\"netrom: switch to sock timer API\") switched to use\nsock timer API. It replaces mod_timer() by sk_reset_timer(), and\ndel_timer() by sk_stop_timer().\r\n\r\nFunction sk_reset_timer() will increase the refcount of sock if it is\ncalled on an inactive timer, hence, in case the timer expires, we need to\ndecrease the refcount ourselves in the handler, otherwise, the sock\nrefcount will be unbalanced and the sock will never be freed.(CVE-2021-47294)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmemory: fsl_ifc: fix leak of IO mapping on probe failure\r\n\r\nOn probe error the driver should unmap the IO memory.  Smatch reports:\r\n\r\n  drivers/memory/fsl_ifc.c:298 fsl_ifc_ctrl_probe() warn: 'fsl_ifc_ctrl_dev->gregs' not released on lines: 298.(CVE-2021-47315)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwatchdog: Fix possible use-after-free in wdt_startup()\r\n\r\nThis module's remove path calls del_timer(). However, that function\ndoes not wait until the timer handler finishes. This means that the\ntimer handler may still be running after the driver's remove function\nhas finished, which would result in a use-after-free.\r\n\r\nFix by calling del_timer_sync(), which makes sure the timer handler\nhas finished, and unable to re-schedule itself.(CVE-2021-47324)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: megaraid_sas: Fix resource leak in case of probe failure\r\n\r\nThe driver doesn't clean up all the allocated resources properly when\nscsi_add_host(), megasas_start_aen() function fails during the PCI device\nprobe.\r\n\r\nClean up all those resources.(CVE-2021-47329)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipack: ipoctal: fix module reference leak\r\n\r\nA reference to the carrier module was taken on every open but was only\nreleased once when the final reference to the tty struct was dropped.\r\n\r\nFix this by taking the module reference and initialising the tty driver\ndata when installing the tty.(CVE-2021-47403)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: dwc2: check return value after calling platform_get_resource()\r\n\r\nIt will cause null-ptr-deref if platform_get_resource() returns NULL,\nwe need check the return value.(CVE-2021-47409)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni40e: Fix freeing of uninitialized misc IRQ vector\r\n\r\nWhen VSI set up failed in i40e_probe() as part of PF switch set up\ndriver was trying to free misc IRQ vectors in\ni40e_clear_interrupt_scheme and produced a kernel Oops:\r\n\r\n   Trying to free already-free IRQ 266\n   WARNING: CPU: 0 PID: 5 at kernel/irq/manage.c:1731 __free_irq+0x9a/0x300\n   Workqueue: events work_for_cpu_fn\n   RIP: 0010:__free_irq+0x9a/0x300\n   Call Trace:\n   ? synchronize_irq+0x3a/0xa0\n   free_irq+0x2e/0x60\n   i40e_clear_interrupt_scheme+0x53/0x190 [i40e]\n   i40e_probe.part.108+0x134b/0x1a40 [i40e]\n   ? kmem_cache_alloc+0x158/0x1c0\n   ? acpi_ut_update_ref_count.part.1+0x8e/0x345\n   ? acpi_ut_update_object_reference+0x15e/0x1e2\n   ? strstr+0x21/0x70\n   ? irq_get_irq_data+0xa/0x20\n   ? mp_check_pin_attr+0x13/0xc0\n   ? irq_get_irq_data+0xa/0x20\n   ? mp_map_pin_to_irq+0xd3/0x2f0\n   ? acpi_register_gsi_ioapic+0x93/0x170\n   ? pci_conf1_read+0xa4/0x100\n   ? pci_bus_read_config_word+0x49/0x70\n   ? do_pci_enable_device+0xcc/0x100\n   local_pci_probe+0x41/0x90\n   work_for_cpu_fn+0x16/0x20\n   process_one_work+0x1a7/0x360\n   worker_thread+0x1cf/0x390\n   ? create_worker+0x1a0/0x1a0\n   kthread+0x112/0x130\n   ? kthread_flush_work_fn+0x10/0x10\n   ret_from_fork+0x1f/0x40\r\n\r\nThe problem is that at that point misc IRQ vectors\nwere not allocated yet and we get a call trace\nthat driver is trying to free already free IRQ vectors.\r\n\r\nAdd a check in i40e_clear_interrupt_scheme for __I40E_MISC_IRQ_REQUESTED\nPF state before calling i40e_free_misc_vector. This state is set only if\nmisc IRQ vectors were properly initialized.(CVE-2021-47424)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nocfs2: fix data corruption after conversion from inline format\r\n\r\nCommit 6dbf7bb55598 (\"fs: Don't invalidate page buffers in\nblock_write_full_page()\") uncovered a latent bug in ocfs2 conversion\nfrom inline inode format to a normal inode format.\r\n\r\nThe code in ocfs2_convert_inline_data_to_extents() attempts to zero out\nthe whole cluster allocated for file data by grabbing, zeroing, and\ndirtying all pages covering this cluster.  However these pages are\nbeyond i_size, thus writeback code generally ignores these dirty pages\nand no blocks were ever actually zeroed on the disk.\r\n\r\nThis oversight was fixed by commit 693c241a5f6a (\"ocfs2: No need to zero\npages past i_size.\") for standard ocfs2 write path, inline conversion\npath was apparently forgotten; the commit log also has a reasoning why\nthe zeroing actually is not needed.\r\n\r\nAfter commit 6dbf7bb55598, things became worse as writeback code stopped\ninvalidating buffers on pages beyond i_size and thus these pages end up\nwith clean PageDirty bit but with buffers attached to these pages being\nstill dirty.  So when a file is converted from inline format, then\nwriteback triggers, and then the file is grown so that these pages\nbecome valid, the invalid dirtiness state is preserved,\nmark_buffer_dirty() does nothing on these pages (buffers are already\ndirty) but page is never written back because it is clean.  So data\nwritten to these pages is lost once pages are reclaimed.\r\n\r\nSimple reproducer for the problem is:\r\n\r\n  xfs_io -f -c \"pwrite 0 2000\" -c \"pwrite 2000 2000\" -c \"fsync\" \\\n    -c \"pwrite 4000 2000\" ocfs2_file\r\n\r\nAfter unmounting and mounting the fs again, you can observe that end of\n'ocfs2_file' has lost its contents.\r\n\r\nFix the problem by not doing the pointless zeroing during conversion\nfrom inline format similarly as in the standard write path.\r\n\r\n[akpm@linux-foundation.org: fix whitespace, per Joseph](CVE-2021-47460)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncomedi: ni_usb6501: fix NULL-deref in command paths\r\n\r\nThe driver uses endpoint-sized USB transfer buffers but had no sanity\nchecks on the sizes. This can lead to zero-size-pointer dereferences or\noverflowed transfer buffers in ni6501_port_command() and\nni6501_counter_command() if a (malicious) device has smaller max-packet\nsizes than expected (or when doing descriptor fuzz testing).\r\n\r\nAdd the missing sanity checks to probe().(CVE-2021-47476)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nisofs: Fix out of bound access for corrupted isofs image\r\n\r\nWhen isofs image is suitably corrupted isofs_read_inode() can read data\nbeyond the end of buffer. Sanity-check the directory entry length before\nusing it.(CVE-2021-47478)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nstaging: rtl8712: fix use-after-free in rtl8712_dl_fw\r\n\r\nSyzbot reported use-after-free in rtl8712_dl_fw(). The problem was in\nrace condition between r871xu_dev_remove() ->ndo_open() callback.\r\n\r\nIt's easy to see from crash log, that driver accesses released firmware\nin ->ndo_open() callback. It may happen, since driver was releasing\nfirmware _before_ unregistering netdev. Fix it by moving\nunregister_netdev() before cleaning up resources.\r\n\r\nCall Trace:\n...\n rtl871x_open_fw drivers/staging/rtl8712/hal_init.c:83 [inline]\n rtl8712_dl_fw+0xd95/0xe10 drivers/staging/rtl8712/hal_init.c:170\n rtl8712_hal_init drivers/staging/rtl8712/hal_init.c:330 [inline]\n rtl871x_hal_init+0xae/0x180 drivers/staging/rtl8712/hal_init.c:394\n netdev_open+0xe6/0x6c0 drivers/staging/rtl8712/os_intfs.c:380\n __dev_open+0x2bc/0x4d0 net/core/dev.c:1484\r\n\r\nFreed by task 1306:\n...\n release_firmware+0x1b/0x30 drivers/base/firmware_loader/main.c:1053\n r871xu_dev_remove+0xcc/0x2c0 drivers/staging/rtl8712/usb_intf.c:599\n usb_unbind_interface+0x1d8/0x8d0 drivers/usb/core/driver.c:458(CVE-2021-47479)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\niio: accel: kxcjk-1013: Fix possible memory leak in probe and remove\r\n\r\nWhen ACPI type is ACPI_SMO8500, the data->dready_trig will not be set, the\nmemory allocated by iio_triggered_buffer_setup() will not be freed, and cause\nmemory leak as follows:\r\n\r\nunreferenced object 0xffff888009551400 (size 512):\n  comm \"i2c-SMO8500-125\", pid 911, jiffies 4294911787 (age 83.852s)\n  hex dump (first 32 bytes):\n    02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 20 e2 e5 c0 ff ff ff ff  ........ .......\n  backtrace:\n    [<0000000041ce75ee>] kmem_cache_alloc_trace+0x16d/0x360\n    [<000000000aeb17b0>] iio_kfifo_allocate+0x41/0x130 [kfifo_buf]\n    [<000000004b40c1f5>] iio_triggered_buffer_setup_ext+0x2c/0x210 [industrialio_triggered_buffer]\n    [<000000004375b15f>] kxcjk1013_probe+0x10c3/0x1d81 [kxcjk_1013]\r\n\r\nFix it by remove data->dready_trig condition in probe and remove.(CVE-2021-47499)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: pcm: oss: Fix negative period/buffer sizes\r\n\r\nThe period size calculation in OSS layer may receive a negative value\nas an error, but the code there assumes only the positive values and\nhandle them with size_t.  Due to that, a too big value may be passed\nto the lower layers.\r\n\r\nThis patch changes the code to handle with ssize_t and adds the proper\nerror checks appropriately.(CVE-2021-47511)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done\r\n\r\nThe done() netlink callback nfc_genl_dump_ses_done() should check if\nreceived argument is non-NULL, because its allocation could fail earlier\nin dumpit() (nfc_genl_dump_ses()).(CVE-2021-47518)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nrxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer()\r\n\r\nNeed to call rxrpc_put_local() for peer candidate before kfree() as it\nholds a ref to rxrpc_local.\r\n\r\n[DH: v2: Changed to abstract the peer freeing code out into a function](CVE-2021-47538)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()\r\n\r\nIn mlx4_en_try_alloc_resources(), mlx4_en_copy_priv() is called and\ntmp->tx_cq will be freed on the error path of mlx4_en_copy_priv().\nAfter that mlx4_en_alloc_resources() is called and there is a dereference\nof &tmp->tx_cq[t][i] in mlx4_en_alloc_resources(), which could lead to\na use after free problem on failure of mlx4_en_copy_priv().\r\n\r\nFix this bug by adding a check of mlx4_en_copy_priv()\r\n\r\nThis bug was found by a static analyzer. The analysis employs\ndifferential checking to identify inconsistent security operations\n(e.g., checks or kfrees) between two code paths and confirms that the\ninconsistent operations are not recovered in the current function or\nthe callers, so they constitute bugs.\r\n\r\nNote that, as a bug found by static analysis, it can be a false\npositive or hard to trigger. Multiple researchers have cross-reviewed\nthe bug.\r\n\r\nBuilds with CONFIG_MLX4_EN=m show no new warnings,\nand our static analyzer no longer warns about this code.(CVE-2021-47541)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()\r\n\r\nIn qlcnic_83xx_add_rings(), the indirect function of\nahw->hw_ops->alloc_mbx_args will be called to allocate memory for\ncmd.req.arg, and there is a dereference of it in qlcnic_83xx_add_rings(),\nwhich could lead to a NULL pointer dereference on failure of the\nindirect function like qlcnic_83xx_alloc_mbx_args().\r\n\r\nFix this bug by adding a check of alloc_mbx_args(), this patch\nimitates the logic of mbx_cmd()'s failure handling.\r\n\r\nThis bug was found by a static analyzer. The analysis employs\ndifferential checking to identify inconsistent security operations\n(e.g., checks or kfrees) between two code paths and confirms that the\ninconsistent operations are not recovered in the current function or\nthe callers, so they constitute bugs.\r\n\r\nNote that, as a bug found by static analysis, it can be a false\npositive or hard to trigger. Multiple researchers have cross-reviewed\nthe bug.\r\n\r\nBuilds with CONFIG_QLCNIC=m show no new warnings, and our\nstatic analyzer no longer warns about this code.(CVE-2021-47542)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2021-47543)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: fix page frag corruption on page fault\r\n\r\nSteffen reported a TCP stream corruption for HTTP requests\nserved by the apache web-server using a cifs mount-point\nand memory mapping the relevant file.\r\n\r\nThe root cause is quite similar to the one addressed by\ncommit 20eb4f29b602 (\"net: fix sk_page_frag() recursion from\nmemory reclaim\"). Here the nested access to the task page frag\nis caused by a page fault on the (mmapped) user-space memory\nbuffer coming from the cifs file.\r\n\r\nThe page fault handler performs an smb transaction on a different\nsocket, inside the same process context. Since sk->sk_allaction\nfor such socket does not prevent the usage for the task_frag,\nthe nested allocation modify \"under the hood\" the page frag\nin use by the outer sendmsg call, corrupting the stream.\r\n\r\nThe overall relevant stack trace looks like the following:\r\n\r\nhttpd 78268 [001] 3461630.850950:      probe:tcp_sendmsg_locked:\n        ffffffff91461d91 tcp_sendmsg_locked+0x1\n        ffffffff91462b57 tcp_sendmsg+0x27\n        ffffffff9139814e sock_sendmsg+0x3e\n        ffffffffc06dfe1d smb_send_kvec+0x28\n        [...]\n        ffffffffc06cfaf8 cifs_readpages+0x213\n        ffffffff90e83c4b read_pages+0x6b\n        ffffffff90e83f31 __do_page_cache_readahead+0x1c1\n        ffffffff90e79e98 filemap_fault+0x788\n        ffffffff90eb0458 __do_fault+0x38\n        ffffffff90eb5280 do_fault+0x1a0\n        ffffffff90eb7c84 __handle_mm_fault+0x4d4\n        ffffffff90eb8093 handle_mm_fault+0xc3\n        ffffffff90c74f6d __do_page_fault+0x1ed\n        ffffffff90c75277 do_page_fault+0x37\n        ffffffff9160111e page_fault+0x1e\n        ffffffff9109e7b5 copyin+0x25\n        ffffffff9109eb40 _copy_from_iter_full+0xe0\n        ffffffff91462370 tcp_sendmsg_locked+0x5e0\n        ffffffff91462370 tcp_sendmsg_locked+0x5e0\n        ffffffff91462b57 tcp_sendmsg+0x27\n        ffffffff9139815c sock_sendmsg+0x4c\n        ffffffff913981f7 sock_write_iter+0x97\n        ffffffff90f2cc56 do_iter_readv_writev+0x156\n        ffffffff90f2dff0 do_iter_write+0x80\n        ffffffff90f2e1c3 vfs_writev+0xa3\n        ffffffff90f2e27c do_writev+0x5c\n        ffffffff90c042bb do_syscall_64+0x5b\n        ffffffff916000ad entry_SYSCALL_64_after_hwframe+0x65\r\n\r\nThe cifs filesystem rightfully sets sk_allocations to GFP_NOFS,\nwe can avoid the nesting using the sk page frag for allocation\nlacking the __GFP_FS flag. Do not define an additional mm-helper\nfor that, as this is strictly tied to the sk page frag usage.\r\n\r\nv1 -> v2:\n - use a stricted sk_page_frag() check instead of reordering the\n   code (Eric)(CVE-2021-47544)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound\r\n\r\nIn line 5001, if all id in the array 'lp->phy[8]' is not 0, when the\n'for' end, the 'k' is 8.\r\n\r\nAt this time, the array 'lp->phy[8]' may be out of bound.(CVE-2021-47547)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/powernv: Add a null pointer check in opal_event_init()\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.(CVE-2023-52686)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix underflow in second superblock position calculations\r\n\r\nMacro NILFS_SB2_OFFSET_BYTES, which computes the position of the second\nsuperblock, underflows when the argument device size is less than 4096\nbytes.  Therefore, when using this macro, it is necessary to check in\nadvance that the device size is not less than a lower limit, or at least\nthat underflow does not occur.\r\n\r\nThe current nilfs2 implementation lacks this check, causing out-of-bound\nblock access when mounting devices smaller than 4096 bytes:\r\n\r\n I/O error, dev loop0, sector 36028797018963960 op 0x0:(READ) flags 0x0\n phys_seg 1 prio class 2\n NILFS (loop0): unable to read secondary superblock (blocksize = 1024)\r\n\r\nIn addition, when trying to resize the filesystem to a size below 4096\nbytes, this underflow occurs in nilfs_resize_fs(), passing a huge number\nof segments to nilfs_sufile_resize(), corrupting parameters such as the\nnumber of segments in superblocks.  This causes excessive loop iterations\nin nilfs_sufile_resize() during a subsequent resize ioctl, causing\nsemaphore ns_segctor_sem to block for a long time and hang the writer\nthread:\r\n\r\n INFO: task segctord:5067 blocked for more than 143 seconds.\n      Not tainted 6.2.0-rc8-syzkaller-00015-gf6feea56f66d #0\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:segctord        state:D stack:23456 pid:5067  ppid:2\n flags:0x00004000\n Call Trace:\n  <TASK>\n  context_switch kernel/sched/core.c:5293 [inline]\n  __schedule+0x1409/0x43f0 kernel/sched/core.c:6606\n  schedule+0xc3/0x190 kernel/sched/core.c:6682\n  rwsem_down_write_slowpath+0xfcf/0x14a0 kernel/locking/rwsem.c:1190\n  nilfs_transaction_lock+0x25c/0x4f0 fs/nilfs2/segment.c:357\n  nilfs_segctor_thread_construct fs/nilfs2/segment.c:2486 [inline]\n  nilfs_segctor_thread+0x52f/0x1140 fs/nilfs2/segment.c:2570\n  kthread+0x270/0x300 kernel/kthread.c:376\n  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308\n  </TASK>\n ...\n Call Trace:\n  <TASK>\n  folio_mark_accessed+0x51c/0xf00 mm/swap.c:515\n  __nilfs_get_page_block fs/nilfs2/page.c:42 [inline]\n  nilfs_grab_buffer+0x3d3/0x540 fs/nilfs2/page.c:61\n  nilfs_mdt_submit_block+0xd7/0x8f0 fs/nilfs2/mdt.c:121\n  nilfs_mdt_read_block+0xeb/0x430 fs/nilfs2/mdt.c:176\n  nilfs_mdt_get_block+0x12d/0xbb0 fs/nilfs2/mdt.c:251\n  nilfs_sufile_get_segment_usage_block fs/nilfs2/sufile.c:92 [inline]\n  nilfs_sufile_truncate_range fs/nilfs2/sufile.c:679 [inline]\n  nilfs_sufile_resize+0x7a3/0x12b0 fs/nilfs2/sufile.c:777\n  nilfs_resize_fs+0x20c/0xed0 fs/nilfs2/super.c:422\n  nilfs_ioctl_resize fs/nilfs2/ioctl.c:1033 [inline]\n  nilfs_ioctl+0x137c/0x2440 fs/nilfs2/ioctl.c:1301\n  ...\r\n\r\nThis fixes these issues by inserting appropriate minimum device size\nchecks or anti-underflow checks, depending on where the macro is used.(CVE-2023-52705)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Avoid NULL dereference of timing generator\r\n\r\n[Why & How]\nCheck whether assigned timing generator is NULL or not before\naccessing its funcs to prevent NULL dereference.(CVE-2023-52753)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: imon: fix access to invalid resource for the second interface\r\n\r\nimon driver probes two USB interfaces, and at the probe of the second\ninterface, the driver assumes blindly that the first interface got\nbound with the same imon driver.  It's usually true, but it's still\npossible that the first interface is bound with another driver via a\nmalformed descriptor.  Then it may lead to a memory corruption, as\nspotted by syzkaller; imon driver accesses the data from drvdata as\nstruct imon_context object although it's a completely different one\nthat was assigned by another driver.\r\n\r\nThis patch adds a sanity check -- whether the first interface is\nreally bound with the imon driver or not -- for avoiding the problem\nabove at the probe time.(CVE-2023-52754)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2023-52756)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/dasd: protect device queue against concurrent access\r\n\r\nIn dasd_profile_start() the amount of requests on the device queue are\ncounted. The access to the device queue is unprotected against\nconcurrent access. With a lot of parallel I/O, especially with alias\ndevices enabled, the device queue can change while dasd_profile_start()\nis accessing the queue. In the worst case this leads to a kernel panic\ndue to incorrect pointer accesses.\r\n\r\nFix this by taking the device lock before accessing the queue and\ncounting the requests. Additionally the check for a valid profile data\npointer can be done earlier to avoid unnecessary locking in a hot path.(CVE-2023-52774)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nSUNRPC: Fix RPC client cleaned up the freed pipefs dentries\r\n\r\nRPC client pipefs dentries cleanup is in separated rpc_remove_pipedir()\nworkqueue,which takes care about pipefs superblock locking.\nIn some special scenarios, when kernel frees the pipefs sb of the\ncurrent client and immediately alloctes a new pipefs sb,\nrpc_remove_pipedir function would misjudge the existence of pipefs\nsb which is not the one it used to hold. As a result,\nthe rpc_remove_pipedir would clean the released freed pipefs dentries.\r\n\r\nTo fix this issue, rpc_remove_pipedir should check whether the\ncurrent pipefs sb is consistent with the original pipefs sb.\r\n\r\nThis error can be catched by KASAN:\n=========================================================\n[  250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200\n[  250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503\n[  250.500549] Workqueue: events rpc_free_client_work\n[  250.501001] Call Trace:\n[  250.502880]  kasan_report+0xb6/0xf0\n[  250.503209]  ? dget_parent+0x195/0x200\n[  250.503561]  dget_parent+0x195/0x200\n[  250.503897]  ? __pfx_rpc_clntdir_depopulate+0x10/0x10\n[  250.504384]  rpc_rmdir_depopulate+0x1b/0x90\n[  250.504781]  rpc_remove_client_dir+0xf5/0x150\n[  250.505195]  rpc_free_client_work+0xe4/0x230\n[  250.505598]  process_one_work+0x8ee/0x13b0\n...\n[   22.039056] Allocated by task 244:\n[   22.039390]  kasan_save_stack+0x22/0x50\n[   22.039758]  kasan_set_track+0x25/0x30\n[   22.040109]  __kasan_slab_alloc+0x59/0x70\n[   22.040487]  kmem_cache_alloc_lru+0xf0/0x240\n[   22.040889]  __d_alloc+0x31/0x8e0\n[   22.041207]  d_alloc+0x44/0x1f0\n[   22.041514]  __rpc_lookup_create_exclusive+0x11c/0x140\n[   22.041987]  rpc_mkdir_populate.constprop.0+0x5f/0x110\n[   22.042459]  rpc_create_client_dir+0x34/0x150\n[   22.042874]  rpc_setup_pipedir_sb+0x102/0x1c0\n[   22.043284]  rpc_client_register+0x136/0x4e0\n[   22.043689]  rpc_new_client+0x911/0x1020\n[   22.044057]  rpc_create_xprt+0xcb/0x370\n[   22.044417]  rpc_create+0x36b/0x6c0\n...\n[   22.049524] Freed by task 0:\n[   22.049803]  kasan_save_stack+0x22/0x50\n[   22.050165]  kasan_set_track+0x25/0x30\n[   22.050520]  kasan_save_free_info+0x2b/0x50\n[   22.050921]  __kasan_slab_free+0x10e/0x1a0\n[   22.051306]  kmem_cache_free+0xa5/0x390\n[   22.051667]  rcu_core+0x62c/0x1930\n[   22.051995]  __do_softirq+0x165/0x52a\n[   22.052347]\n[   22.052503] Last potentially related work creation:\n[   22.052952]  kasan_save_stack+0x22/0x50\n[   22.053313]  __kasan_record_aux_stack+0x8e/0xa0\n[   22.053739]  __call_rcu_common.constprop.0+0x6b/0x8b0\n[   22.054209]  dentry_free+0xb2/0x140\n[   22.054540]  __dentry_kill+0x3be/0x540\n[   22.054900]  shrink_dentry_list+0x199/0x510\n[   22.055293]  shrink_dcache_parent+0x190/0x240\n[   22.055703]  do_one_tree+0x11/0x40\n[   22.056028]  shrink_dcache_for_umount+0x61/0x140\n[   22.056461]  generic_shutdown_super+0x70/0x590\n[   22.056879]  kill_anon_super+0x3a/0x60\n[   22.057234]  rpc_kill_sb+0x121/0x200(CVE-2023-52803)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nplatform/x86: wmi: Fix opening of char device\r\n\r\nSince commit fa1f68db6ca7 (\"drivers: misc: pass miscdevice pointer via\nfile private data\"), the miscdevice stores a pointer to itself inside\nfilp->private_data, which means that private_data will not be NULL when\nwmi_char_open() is called. This might cause memory corruption should\nwmi_char_open() be unable to find its driver, something which can\nhappen when the associated WMI device is deleted in wmi_free_devices().\r\n\r\nFix the problem by using the miscdevice pointer to retrieve the WMI\ndevice data associated with a char device using container_of(). This\nalso avoids wmi_char_open() picking a wrong WMI device bound to a\ndriver with the same name as the original driver.(CVE-2023-52864)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data\r\n\r\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.(CVE-2023-52865)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsoc: qcom: llcc: Handle a second device without data corruption\r\n\r\nUsually there is only one llcc device. But if there were a second, even\na failed probe call would modify the global drv_data pointer. So check\nif drv_data is valid before overwriting it.(CVE-2023-52871)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nefi/capsule-loader: fix incorrect allocation size\r\n\r\ngcc-14 notices that the allocation with sizeof(void) on 32-bit architectures\nis not enough for a 64-bit phys_addr_t:\r\n\r\ndrivers/firmware/efi/capsule-loader.c: In function 'efi_capsule_open':\ndrivers/firmware/efi/capsule-loader.c:295:24: error: allocation of insufficient size '4' for type 'phys_addr_t' {aka 'long long unsigned int'} with size '8' [-Werror=alloc-size]\n  295 |         cap_info->phys = kzalloc(sizeof(void *), GFP_KERNEL);\n      |                        ^\r\n\r\nUse the correct type instead here.(CVE-2024-27413)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nPCI/PM: Drain runtime-idle callbacks before driver removal\r\n\r\nA race condition between the .runtime_idle() callback and the .remove()\ncallback in the rtsx_pcr PCI driver leads to a kernel crash due to an\nunhandled page fault [1].\r\n\r\nThe problem is that rtsx_pci_runtime_idle() is not expected to be running\nafter pm_runtime_get_sync() has been called, but the latter doesn't really\nguarantee that.  It only guarantees that the suspend and resume callbacks\nwill not be running when it returns.\r\n\r\nHowever, if a .runtime_idle() callback is already running when\npm_runtime_get_sync() is called, the latter will notice that the runtime PM\nstatus of the device is RPM_ACTIVE and it will return right away without\nwaiting for the former to complete.  In fact, it cannot wait for\n.runtime_idle() to complete because it may be called from that callback (it\narguably does not make much sense to do that, but it is not strictly\nprohibited).\r\n\r\nThus in general, whoever is providing a .runtime_idle() callback needs\nto protect it from running in parallel with whatever code runs after\npm_runtime_get_sync().  [Note that .runtime_idle() will not start after\npm_runtime_get_sync() has returned, but it may continue running then if it\nhas started earlier.]\r\n\r\nOne way to address that race condition is to call pm_runtime_barrier()\nafter pm_runtime_get_sync() (not before it, because a nonzero value of the\nruntime PM usage counter is necessary to prevent runtime PM callbacks from\nbeing invoked) to wait for the .runtime_idle() callback to complete should\nit be running at that point.  A suitable place for doing that is in\npci_device_remove() which calls pm_runtime_get_sync() before removing the\ndriver, so it may as well call pm_runtime_barrier() subsequently, which\nwill prevent the race in question from occurring, not just in the rtsx_pcr\ndriver, but in any PCI drivers providing .runtime_idle() callbacks.(CVE-2024-35809)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach\r\n\r\nThis is the candidate patch of CVE-2023-47233 :\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-47233\r\n\r\nIn brcm80211 driver,it starts with the following invoking chain\nto start init a timeout worker:\r\n\r\n->brcmf_usb_probe\n  ->brcmf_usb_probe_cb\n    ->brcmf_attach\n      ->brcmf_bus_started\n        ->brcmf_cfg80211_attach\n          ->wl_init_priv\n            ->brcmf_init_escan\n              ->INIT_WORK(&cfg->escan_timeout_work,\n\t\t  brcmf_cfg80211_escan_timeout_worker);\r\n\r\nIf we disconnect the USB by hotplug, it will call\nbrcmf_usb_disconnect to make cleanup. The invoking chain is :\r\n\r\nbrcmf_usb_disconnect\n  ->brcmf_usb_disconnect_cb\n    ->brcmf_detach\n      ->brcmf_cfg80211_detach\n        ->kfree(cfg);\r\n\r\nWhile the timeout woker may still be running. This will cause\na use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.\r\n\r\nFix it by deleting the timer and canceling the worker in\nbrcmf_cfg80211_detach.\r\n\r\n[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free](CVE-2024-35811)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nerspan: make sure erspan_base_hdr is present in skb->head\r\n\r\nsyzbot reported a problem in ip6erspan_rcv() [1]\r\n\r\nIssue is that ip6erspan_rcv() (and erspan_rcv()) no longer make\nsure erspan_base_hdr is present in skb linear part (skb->head)\nbefore getting @ver field from it.\r\n\r\nAdd the missing pskb_may_pull() calls.\r\n\r\nv2: Reload iph pointer in erspan_rcv() after pskb_may_pull()\n    because skb->head might have changed.\r\n\r\n[1]\r\n\r\n BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\n BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline]\n BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\n BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\n  pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\n  pskb_may_pull include/linux/skbuff.h:2756 [inline]\n  ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\n  gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\n  ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438\n  ip6_input_finish net/ipv6/ip6_input.c:483 [inline]\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\n  ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\n  dst_input include/net/dst.h:460 [inline]\n  ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310\n  __netif_receive_skb_one_core net/core/dev.c:5538 [inline]\n  __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652\n  netif_receive_skb_internal net/core/dev.c:5738 [inline]\n  netif_receive_skb+0x58/0x660 net/core/dev.c:5798\n  tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549\n  tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n  call_write_iter include/linux/fs.h:2108 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0xb63/0x1520 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xe0 fs/read_write.c:652\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nUninit was created at:\n  slab_post_alloc_hook mm/slub.c:3804 [inline]\n  slab_alloc_node mm/slub.c:3845 [inline]\n  kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n  __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n  alloc_skb include/linux/skbuff.h:1318 [inline]\n  alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n  sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n  tun_alloc_skb drivers/net/tun.c:1525 [inline]\n  tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n  call_write_iter include/linux/fs.h:2108 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0xb63/0x1520 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xe0 fs/read_write.c:652\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nCPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0(CVE-2024-35888)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: validate user input for expected length\r\n\r\nI got multiple syzbot reports showing old bugs exposed\nby BPF after commit 20f2505fb436 (\"bpf: Try to avoid kzalloc\nin cgroup/{s,g}etsockopt\")\r\n\r\nsetsockopt() @optlen argument should be taken into account\nbefore copying data.\r\n\r\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\n BUG: KASAN: slab-out-of-bounds in do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\nRead of size 96 at addr ffff88802cd73da0 by task syz-executor.4/7238\r\n\r\nCPU: 1 PID: 7238 Comm: syz-executor.4 Not tainted 6.9.0-rc2-next-20240403-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:488\n  kasan_report+0x143/0x180 mm/kasan/report.c:601\n  kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n  __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105\n  copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n  copy_from_sockptr include/linux/sockptr.h:55 [inline]\n  do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\n  do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\n  nf_setsockopt+0x295/0x2c0 net/netfilter/nf_sockopt.c:101\n  do_sock_setsockopt+0x3af/0x720 net/socket.c:2311\n  __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n  __do_sys_setsockopt net/socket.c:2343 [inline]\n  __se_sys_setsockopt net/socket.c:2340 [inline]\n  __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x72/0x7a\nRIP: 0033:0x7fd22067dde9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fd21f9ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 00007fd2207abf80 RCX: 00007fd22067dde9\nRDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003\nRBP: 00007fd2206ca47a R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000020000880 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007fd2207abf80 R15: 00007ffd2d0170d8\n </TASK>\r\n\r\nAllocated by task 7238:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\n  __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\n  kasan_kmalloc include/linux/kasan.h:211 [inline]\n  __do_kmalloc_node mm/slub.c:4069 [inline]\n  __kmalloc_noprof+0x200/0x410 mm/slub.c:4082\n  kmalloc_noprof include/linux/slab.h:664 [inline]\n  __cgroup_bpf_run_filter_setsockopt+0xd47/0x1050 kernel/bpf/cgroup.c:1869\n  do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\n  __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n  __do_sys_setsockopt net/socket.c:2343 [inline]\n  __se_sys_setsockopt net/socket.c:2340 [inline]\n  __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x72/0x7a\r\n\r\nThe buggy address belongs to the object at ffff88802cd73da0\n which belongs to the cache kmalloc-8 of size 8\nThe buggy address is located 0 bytes inside of\n allocated 1-byte region [ffff88802cd73da0, ffff88802cd73da1)\r\n\r\nThe buggy address belongs to the physical page:\npage: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802cd73020 pfn:0x2cd73\nflags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff)\npage_type: 0xffffefff(slab)\nraw: 00fff80000000000 ffff888015041280 dead000000000100 dead000000000122\nraw: ffff88802cd73020 000000008080007f 00000001ffffefff 00\n---truncated---(CVE-2024-35896)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni2c: smbus: fix NULL function pointer dereference\r\n\r\nBaruch reported an OOPS when using the designware controller as target\nonly. Target-only modes break the assumption of one transfer function\nalways being available. Fix this by always checking the pointer in\n__i2c_transfer.\r\n\r\n[wsa: dropped the simplification in core-smbus to avoid theoretical regressions](CVE-2024-35984)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nrtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation\r\n\r\nEach attribute inside a nested IFLA_VF_VLAN_LIST is assumed to be a\nstruct ifla_vf_vlan_info so the size of such attribute needs to be at least\nof sizeof(struct ifla_vf_vlan_info) which is 14 bytes.\nThe current size validation in do_setvfinfo is against NLA_HDRLEN (4 bytes)\nwhich is less than sizeof(struct ifla_vf_vlan_info) so this validation\nis not enough and a too small attribute might be cast to a\nstruct ifla_vf_vlan_info, this might result in an out of bands\nread access when accessing the saved (casted) entry in ivvl.(CVE-2024-36017)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmmc: sdhci-msm: pervent access to suspended controller\r\n\r\nGeneric sdhci code registers LED device and uses host->runtime_suspended\nflag to protect access to it. The sdhci-msm driver doesn't set this flag,\nwhich causes a crash when LED is accessed while controller is runtime\nsuspended. Fix this by setting the flag correctly.(CVE-2024-36029)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: fix out-of-bounds access in ops_init\r\n\r\nnet_alloc_generic is called by net_alloc, which is called without any\nlocking. It reads max_gen_ptrs, which is changed under pernet_ops_rwsem. It\nis read twice, first to allocate an array, then to set s.len, which is\nlater used to limit the bounds of the array access.\r\n\r\nIt is possible that the array is allocated and another thread is\nregistering a new pernet ops, increments max_gen_ptrs, which is then used\nto set s.len with a larger than allocated length for the variable array.\r\n\r\nFix it by reading max_gen_ptrs only once in net_alloc_generic. If\nmax_gen_ptrs is later incremented, it will be caught in net_assign_generic.(CVE-2024-36883)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()\r\n\r\nsyzbot is able to trigger the following crash [1],\ncaused by unsafe ip6_dst_idev() use.\r\n\r\nIndeed ip6_dst_idev() can return NULL, and must always be checked.\r\n\r\n[1]\r\n\r\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 0 PID: 31648 Comm: syz-executor.0 Not tainted 6.9.0-rc4-next-20240417-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:__fib6_rule_action net/ipv6/fib6_rules.c:237 [inline]\n RIP: 0010:fib6_rule_action+0x241/0x7b0 net/ipv6/fib6_rules.c:267\nCode: 02 00 00 49 8d 9f d8 00 00 00 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 f9 32 bf f7 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 e0 32 bf f7 4c 8b 03 48 89 ef 4c\nRSP: 0018:ffffc9000fc1f2f0 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 1a772f98c8186700\nRDX: 0000000000000003 RSI: ffffffff8bcac4e0 RDI: ffffffff8c1f9760\nRBP: ffff8880673fb980 R08: ffffffff8fac15ef R09: 1ffffffff1f582bd\nR10: dffffc0000000000 R11: fffffbfff1f582be R12: dffffc0000000000\nR13: 0000000000000080 R14: ffff888076509000 R15: ffff88807a029a00\nFS:  00007f55e82ca6c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b31d23000 CR3: 0000000022b66000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n  fib_rules_lookup+0x62c/0xdb0 net/core/fib_rules.c:317\n  fib6_rule_lookup+0x1fd/0x790 net/ipv6/fib6_rules.c:108\n  ip6_route_output_flags_noref net/ipv6/route.c:2637 [inline]\n  ip6_route_output_flags+0x38e/0x610 net/ipv6/route.c:2649\n  ip6_route_output include/net/ip6_route.h:93 [inline]\n  ip6_dst_lookup_tail+0x189/0x11a0 net/ipv6/ip6_output.c:1120\n  ip6_dst_lookup_flow+0xb9/0x180 net/ipv6/ip6_output.c:1250\n  sctp_v6_get_dst+0x792/0x1e20 net/sctp/ipv6.c:326\n  sctp_transport_route+0x12c/0x2e0 net/sctp/transport.c:455\n  sctp_assoc_add_peer+0x614/0x15c0 net/sctp/associola.c:662\n  sctp_connect_new_asoc+0x31d/0x6c0 net/sctp/socket.c:1099\n  __sctp_connect+0x66d/0xe30 net/sctp/socket.c:1197\n  sctp_connect net/sctp/socket.c:4819 [inline]\n  sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834\n  __sys_connect_file net/socket.c:2048 [inline]\n  __sys_connect+0x2df/0x310 net/socket.c:2065\n  __do_sys_connect net/socket.c:2075 [inline]\n  __se_sys_connect net/socket.c:2072 [inline]\n  __x64_sys_connect+0x7a/0x90 net/socket.c:2072\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f(CVE-2024-36902)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: Fix potential uninit-value access in __ip6_make_skb()\r\n\r\nAs it was done in commit fc1092f51567 (\"ipv4: Fix uninit-value access in\n__ip_make_skb()\") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6->flowi6_flags\ninstead of testing HDRINCL on the socket to avoid a race condition which\ncauses uninit-value access.(CVE-2024-36903)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblock: fix overflow in blk_ioctl_discard()\r\n\r\nThere is no check for overflow of 'start + len' in blk_ioctl_discard().\nHung task occurs if submit an discard ioctl with the following param:\n  start = 0x80000000000ff000, len = 0x8000000000fff000;\nAdd the overflow validation now.(CVE-2024-36917)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: lpfc: Release hbalock before calling lpfc_worker_wake_up()\r\n\r\nlpfc_worker_wake_up() calls the lpfc_work_done() routine, which takes the\nhbalock.  Thus, lpfc_worker_wake_up() should not be called while holding the\nhbalock to avoid potential deadlock.(CVE-2024-36924)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntipc: fix a possible memleak in tipc_buf_append\r\n\r\n__skb_linearize() doesn't free the skb when it fails, so move\n'*buf = NULL' after __skb_linearize(), so that the skb can be\nfreed on the err path.(CVE-2024-36954)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/9p: only translate RWX permissions for plain 9P2000\r\n\r\nGarbage in plain 9P2000's perm bits is allowed through, which causes it\nto be able to set (among others) the suid bit. This was presumably not\nthe intent since the unix extended bits are handled explicitly and\nconditionally on .u.(CVE-2024-36964)",
+    "cves": [
+      {
+        "id": "CVE-2021-47538",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47538",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2021-47547",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47547",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2024-36917",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36917",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2024-36964",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36964",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1796": {
+    "id": "openEuler-SA-2022-1796",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1796",
+    "title": "An update for raptor2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Raptor is Redland's RDF parser toolkit, which provides a set of independent RDF parsers to generate triples from RDF / XML or N-Triples.\r\n\r\nSecurity Fix(es):\r\n\r\nA malformed input file can lead to a segfault due to an out of bounds array access in raptor_xml_writer_start_element_common.(CVE-2020-25713)",
+    "cves": [
+      {
+        "id": "CVE-2020-25713",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25713",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1370": {
+    "id": "openEuler-SA-2024-1370",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1370",
+    "title": "An update for unixODBC is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The unixODBC Project goals are to develop and promote unixODBC to be the definitive standard for ODBC on non MS Windows platforms. This is to include GUI support for both KDE and GNOME.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds stack write flaw was found in unixODBC on 64-bit architectures where the caller has 4 bytes and callee writes 8 bytes. This issue may go unnoticed on little-endian architectures, while big-endian architectures can be broken.(CVE-2024-1013)",
+    "cves": [
+      {
+        "id": "CVE-2024-1013",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1013",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1348": {
+    "id": "openEuler-SA-2024-1348",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1348",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: act_ct: fix wild memory access when clearing fragments\r\n\r\nwhile testing re-assembly/re-fragmentation using act_ct, it's possible to\nobserve a crash like the following one:\r\n\r\n KASAN: maybe wild-memory-access in range [0x0001000000000448-0x000100000000044f]\n CPU: 50 PID: 0 Comm: swapper/50 Tainted: G S                5.12.0-rc7+ #424\n Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017\n RIP: 0010:inet_frag_rbtree_purge+0x50/0xc0\n Code: 00 fc ff df 48 89 c3 31 ed 48 89 df e8 a9 7a 38 ff 4c 89 fe 48 89 df 49 89 c6 e8 5b 3a 38 ff 48 8d 7b 40 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 75 59 48 8d bb d0 00 00 00 4c 8b 6b 40 48 89 f8 48\n RSP: 0018:ffff888c31449db8 EFLAGS: 00010203\n RAX: 0000200000000089 RBX: 000100000000040e RCX: ffffffff989eb960\n RDX: 0000000000000140 RSI: ffffffff97cfb977 RDI: 000100000000044e\n RBP: 0000000000000900 R08: 0000000000000000 R09: ffffed1186289350\n R10: 0000000000000003 R11: ffffed1186289350 R12: dffffc0000000000\n R13: 000100000000040e R14: 0000000000000000 R15: ffff888155e02160\n FS:  0000000000000000(0000) GS:ffff888c31440000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00005600cb70a5b8 CR3: 0000000a2c014005 CR4: 00000000003706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  <IRQ>\n  inet_frag_destroy+0xa9/0x150\n  call_timer_fn+0x2d/0x180\n  run_timer_softirq+0x4fe/0xe70\n  __do_softirq+0x197/0x5a0\n  irq_exit_rcu+0x1de/0x200\n  sysvec_apic_timer_interrupt+0x6b/0x80\n  </IRQ>\r\n\r\nwhen act_ct temporarily stores an IP fragment, restoring the skb qdisc cb\nresults in putting random data in FRAG_CB(), and this causes those \"wild\"\nmemory accesses later, when the rbtree is purged. Never overwrite the skb\ncb in case tcf_ct_handle_fragments() returns -EINPROGRESS.(CVE-2021-47014)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nudp: skip L4 aggregation for UDP tunnel packets\r\n\r\nIf NETIF_F_GRO_FRAGLIST or NETIF_F_GRO_UDP_FWD are enabled, and there\nare UDP tunnels available in the system, udp_gro_receive() could end-up\ndoing L4 aggregation (either SKB_GSO_UDP_L4 or SKB_GSO_FRAGLIST) at\nthe outer UDP tunnel level for packets effectively carrying and UDP\ntunnel header.\r\n\r\nThat could cause inner protocol corruption. If e.g. the relevant\npackets carry a vxlan header, different vxlan ids will be ignored/\naggregated to the same GSO packet. Inner headers will be ignored, too,\nso that e.g. TCP over vxlan push packets will be held in the GRO\nengine till the next flush, etc.\r\n\r\nJust skip the SKB_GSO_UDP_L4 and SKB_GSO_FRAGLIST code path if the\ncurrent packet could land in a UDP tunnel, and let udp_gro_receive()\ndo GRO via udp_sk(sk)->gro_receive.\r\n\r\nThe check implemented in this patch is broader than what is strictly\nneeded, as the existing UDP tunnel could be e.g. configured on top of\na different device: we could end-up skipping GRO at-all for some packets.\r\n\r\nAnyhow, that is a very thin corner case and covering it will add quite\na bit of complexity.\r\n\r\nv1 -> v2:\n - hopefully clarify the commit message(CVE-2021-47036)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: pvrusb2: fix use after free on context disconnection\r\n\r\nUpon module load, a kthread is created targeting the\npvr2_context_thread_func function, which may call pvr2_context_destroy\nand thus call kfree() on the context object. However, that might happen\nbefore the usb hub_event handler is able to notify the driver. This\npatch adds a sanity check before the invalid read reported by syzbot,\nwithin the context disconnection call stack.(CVE-2023-52445)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblock: add check that partition length needs to be aligned with block size\r\n\r\nBefore calling add partition or resize partition, there is no check\non whether the length is aligned with the logical block size.\nIf the logical block size of the disk is larger than 512 bytes,\nthen the partition size maybe not the multiple of the logical block size,\nand when the last sector is read, bio_truncate() will adjust the bio size,\nresulting in an IO error if the size of the read command is smaller than\nthe logical block size.If integrity data is supported, this will also\nresult in a null pointer dereference when calling bio_integrity_free.(CVE-2023-52458)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg\r\n\r\nsyzbot reported the following uninit-value access issue:\r\n\r\n=====================================================\nBUG: KMSAN: uninit-value in smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\nBUG: KMSAN: uninit-value in smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\nCPU: 0 PID: 8696 Comm: kworker/0:3 Not tainted 5.8.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:118\n kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121\n __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\n smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\n usbnet_probe+0x1152/0x3f90 drivers/net/usb/usbnet.c:1737\n usb_probe_interface+0xece/0x1550 drivers/usb/core/driver.c:374\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\n usb_set_configuration+0x380f/0x3f10 drivers/usb/core/message.c:2032\n usb_generic_driver_probe+0x138/0x300 drivers/usb/core/generic.c:241\n usb_probe_device+0x311/0x490 drivers/usb/core/driver.c:272\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\n usb_new_device+0x1bd4/0x2a30 drivers/usb/core/hub.c:2554\n hub_port_connect drivers/usb/core/hub.c:5208 [inline]\n hub_port_connect_change drivers/usb/core/hub.c:5348 [inline]\n port_event drivers/usb/core/hub.c:5494 [inline]\n hub_event+0x5e7b/0x8a70 drivers/usb/core/hub.c:5576\n process_one_work+0x1688/0x2140 kernel/workqueue.c:2269\n worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415\n kthread+0x551/0x590 kernel/kthread.c:292\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293\r\n\r\nLocal variable ----buf.i87@smsc75xx_bind created at:\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\r\n\r\nThis issue is caused because usbnet_read_cmd() reads less bytes than requested\n(zero byte in the reproducer). In this case, 'buf' is not properly filled.\r\n\r\nThis patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads\nless bytes than requested.(CVE-2023-52528)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap()\r\n\r\nSince 'ieee80211_beacon_get()' can return NULL, 'wfx_set_mfp_ap()'\nshould check the return value before examining skb data. So convert\nthe latter to return an appropriate error code and propagate it to\nreturn from 'wfx_start_ap()' as well. Compile tested only.(CVE-2023-52593)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix slab-out-of-bounds Read in dtSearch\r\n\r\nCurrently while searching for current page in the sorted entry table\nof the page there is a out of bound access. Added a bound check to fix\nthe error.\r\n\r\nDave:\nSet return code to -EIO(CVE-2023-52602)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nUBSAN: array-index-out-of-bounds in dtSplitRoot\r\n\r\nSyzkaller reported the following issue:\r\n\r\noop0: detected capacity change from 0 to 32768\r\n\r\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9\nindex -2 is out of range for type 'struct dtslot [128]'\nCPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:151 [inline]\n __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283\n dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971\n dtSplitUp fs/jfs/jfs_dtree.c:985 [inline]\n dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863\n jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270\n vfs_mkdir+0x3b3/0x590 fs/namei.c:4013\n do_mkdirat+0x279/0x550 fs/namei.c:4038\n __do_sys_mkdirat fs/namei.c:4053 [inline]\n __se_sys_mkdirat fs/namei.c:4051 [inline]\n __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fcdc0113fd9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9\nRDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003\nRBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0\nR10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000\nR13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000\n </TASK>\r\n\r\nThe issue is caused when the value of fsi becomes less than -1.\nThe check to break the loop when fsi value becomes -1 is present\nbut syzbot was able to produce value less than -1 which cause the error.\nThis patch simply add the change for the values less than 0.\r\n\r\nThe patch is tested via syzbot.(CVE-2023-52603)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nFS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree\r\n\r\nSyzkaller reported the following issue:\r\n\r\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2867:6\nindex 196694 is out of range for type 's8[1365]' (aka 'signed char[1365]')\nCPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348\n dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867\n dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834\n dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331\n dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]\n dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402\n txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534\n txUpdateMap+0x342/0x9e0\n txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]\n jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732\n kthread+0x2d3/0x370 kernel/kthread.c:388\n ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n </TASK>\n================================================================================\nKernel panic - not syncing: UBSAN: panic_on_warn set ...\nCPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n panic+0x30f/0x770 kernel/panic.c:340\n check_panic_on_warn+0x82/0xa0 kernel/panic.c:236\n ubsan_epilogue lib/ubsan.c:223 [inline]\n __ubsan_handle_out_of_bounds+0x13c/0x150 lib/ubsan.c:348\n dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867\n dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834\n dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331\n dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]\n dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402\n txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534\n txUpdateMap+0x342/0x9e0\n txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]\n jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732\n kthread+0x2d3/0x370 kernel/kthread.c:388\n ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n </TASK>\nKernel Offset: disabled\nRebooting in 86400 seconds..\r\n\r\nThe issue is caused when the value of lp becomes greater than\nCTLTREESIZE which is the max size of stree. Adding a simple check\nsolves this issue.\r\n\r\nDave:\nAs the function returns a void, good error handling\nwould require a more intrusive code reorganization, so I modified\nOsama's patch at use WARN_ON_ONCE for lack of a cleaner option.\r\n\r\nThe patch is tested via syzbot.(CVE-2023-52604)",
+    "cves": [
+      {
+        "id": "CVE-2023-52604",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52604",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1263": {
+    "id": "openEuler-SA-2024-1263",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1263",
+    "title": "An update for stb is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "Single-file public domain libraries for C/C++.\r\n\r\nSecurity Fix(es):\r\n\r\nstb_image is a single file MIT licensed library for processing images.  It may look like `stbi__load_gif_main` doesn’t give guarantees about the content of output value `*delays` upon failure. Although it sets `*delays` to zero at the beginning, it doesn’t do it in case the image is not recognized as GIF and a call to `stbi__load_gif_main_outofmem` only frees possibly allocated memory in `*delays` without resetting it to zero. Thus it would be fair to say the caller of `stbi__load_gif_main` is responsible to free the allocated memory in `*delays` only if `stbi__load_gif_main` returns a non null value. However at the same time the function may return null value, but fail to free the memory in `*delays` if internally `stbi__convert_format` is called and fails. Thus the issue may lead to a memory leak if the caller chooses to free `delays` only when `stbi__load_gif_main` didn’t fail or to a double-free if the `delays` is always freed(CVE-2023-45666)\r\n\r\nstb_image is a single file MIT licensed library for processing images.\r\n\r\nIf `stbi__load_gif_main` in `stbi_load_gif_from_memory` fails it returns a null pointer and may keep the `z` variable uninitialized. In case the caller also sets the flip vertically flag, it continues and calls `stbi__vertical_flip_slices` with the null pointer result value and the uninitialized `z` value. This may result in a program crash.(CVE-2023-45667)",
+    "cves": [
+      {
+        "id": "CVE-2023-45667",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45667",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1407": {
+    "id": "openEuler-SA-2021-1407",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1407",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.(CVE-2020-26141)\r\n\r\nAn issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.(CVE-2020-26145)\r\n\r\nAn issue was discovered in aspeed_lpc_ctrl_mmap in drivers/soc/aspeed/aspeed-lpc-ctrl.c in the Linux kernel before 5.14.6. Local attackers able to access the Aspeed LPC control interface could overwrite memory in the kernel and potentially execute privileges, aka CID-b49a0e69a7b1. This occurs because a certain comparison uses values that are not memory sizes.(CVE-2021-42252)\n\nThe firewire subsystem in the Linux kernel through 5.14.13 has a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandles bounds checking.(CVE-2021-42739)",
+    "cves": [
+      {
+        "id": "CVE-2021-42739",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42739",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1946": {
+    "id": "openEuler-SA-2022-1946",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1946",
+    "title": "An update for logback is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Logback is intended as a successor to the popular log4j project.\r\n\r\nSecurity Fix(es):\r\n\r\nIn logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.(CVE-2021-42550)",
+    "cves": [
+      {
+        "id": "CVE-2021-42550",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42550",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1416": {
+    "id": "openEuler-SA-2024-1416",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1416",
+    "title": "An update for xorg-x11-server is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "X.Org X11 X server\r\n\r\nSecurity Fix(es):\r\n\r\nA heap-based buffer over-read vulnerability was found in the X.org server's ProcXIGetSelectedEvents() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.(CVE-2024-31080)\r\n\r\nA heap-based buffer over-read vulnerability was found in the X.org server's ProcXIPassiveGrabDevice() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.(CVE-2024-31081)\r\n\r\nA heap-based buffer over-read vulnerability was found in the X.org server's ProcAppleDRICreatePixmap() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.(CVE-2024-31082)\r\n\r\nA use-after-free vulnerability was found in the ProcRenderAddGlyphs() function of Xorg servers. This issue occurs when AllocateGlyph() is called to store new glyphs sent by the client to the X server, potentially resulting in multiple entries pointing to the same non-refcounted glyphs. Consequently, ProcRenderAddGlyphs() may free a glyph, leading to a use-after-free scenario when the same glyph pointer is subsequently accessed. This flaw allows an authenticated attacker to execute arbitrary code on the system by sending a specially crafted request.(CVE-2024-31083)",
+    "cves": [
+      {
+        "id": "CVE-2024-31083",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31083",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1911": {
+    "id": "openEuler-SA-2022-1911",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1911",
+    "title": "An update for dpdk is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "DPDK core includes kernel modules, core libraries and tools.testpmd application allows to test fast packet processing environments on arm64 platforms. For instance, it can be used to check that environment can support fast path applications such as 6WINDGate, pktgen, rumptcpip, etc. More libraries are available as extensions in other packages.\r\n\r\nSecurity Fix(es):\r\n\r\nA permissive list of allowed inputs flaw was found in DPDK. This issue allows a remote attacker to cause a denial of service triggered by sending a crafted Vhost header to DPDK.(CVE-2022-2132)",
+    "cves": [
+      {
+        "id": "CVE-2022-2132",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2132",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1957": {
+    "id": "openEuler-SA-2023-1957",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1957",
+    "title": "An update for libgit2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language which supports C bindings.\r\n\r\nSecurity Fix(es):\r\n\r\nlibgit2 is a cross-platform, linkable library implementation of Git. When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the `certificate_check` field of libgit2's `git_remote_callbacks` structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack. Users are encouraged to upgrade to v1.4.5 or v1.5.1. Users unable to upgrade should ensure that all relevant certificates are manually checked.(CVE-2023-22742)",
+    "cves": [
+      {
+        "id": "CVE-2023-22742",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22742",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1687": {
+    "id": "openEuler-SA-2022-1687",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1687",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\n\nSecurity Fix(es):\n\nHeap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.4968.(CVE-2022-1733)\n\nClassic Buffer Overflow in GitHub repository vim/vim prior to 8.2.4969.(CVE-2022-1735)",
+    "cves": [
+      {
+        "id": "CVE-2022-1735",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1735",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1738": {
+    "id": "openEuler-SA-2022-1738",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1738",
+    "title": "An update for libreswan is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Libreswan is an implementation of IKEv1 and IKEv2 for IPsec. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services.  These services allow you to build secure tunnels through untrusted networks.  Everything passing through the untrusted net is encrypted by the ipsec gateway machine and decrypted by the gateway at the other end of the tunnel.  The resulting tunnel is a virtual private network or VPN.\r\n\r\nSecurity Fix(es):\r\n\r\nLibreswan 4.2 through 4.5 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted IKEv1 packet because pluto/ikev1.c wrongly expects that a state object exists. This is fixed in 4.6.(CVE-2022-23094)",
+    "cves": [
+      {
+        "id": "CVE-2022-23094",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23094",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1240": {
+    "id": "openEuler-SA-2024-1240",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1240",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: prevent mss overflow in skb_segment()\r\n\r\nOnce again syzbot is able to crash the kernel in skb_segment() [1]\r\n\r\nGSO_BY_FRAGS is a forbidden value, but unfortunately the following\ncomputation in skb_segment() can reach it quite easily :\r\n\r\n\tmss = mss * partial_segs;\r\n\r\n65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to\na bad final result.\r\n\r\nMake sure to limit segmentation so that the new mss value is smaller\nthan GSO_BY_FRAGS.\r\n\r\n[1]\r\n\r\ngeneral protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]\nCPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3cbdd0 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff\nR10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0\nR13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046\nFS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\nudp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109\nipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120\nskb_mac_gso_segment+0x290/0x610 net/core/gso.c:53\n__skb_gso_segment+0x339/0x710 net/core/gso.c:124\nskb_gso_segment include/net/gso.h:83 [inline]\nvalidate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626\n__dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\npacket_xmit+0x257/0x380 net/packet/af_packet.c:276\npacket_snd net/packet/af_packet.c:3087 [inline]\npacket_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0xd5/0x180 net/socket.c:745\n__sys_sendto+0x255/0x340 net/socket.c:2190\n__do_sys_sendto net/socket.c:2202 [inline]\n__se_sys_sendto net/socket.c:2198 [inline]\n__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7f8692032aa9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9\nRDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003\nRBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480\nR13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003\n</TASK>\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R0\n---truncated---(CVE-2023-52435)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: explicitly null-terminate the xattr list\r\n\r\nWhen setting an xattr, explicitly null-terminate the xattr list.  This\neliminates the fragile assumption that the unused xattr space is always\nzeroed.(CVE-2023-52436)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path\r\n\r\nWhen calling mlxsw_sp_acl_tcam_region_destroy() from an error path after\nfailing to attach the region to an ACL group, we hit a NULL pointer\ndereference upon 'region->group->tcam' [1].\r\n\r\nFix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam().\r\n\r\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nRIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0\n[...]\nCall Trace:\n mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\n mlxsw_sp_acl_rule_add+0x47/0x240\n mlxsw_sp_flower_replace+0x1a9/0x1d0\n tc_setup_cb_add+0xdc/0x1c0\n fl_hw_replace_filter+0x146/0x1f0\n fl_change+0xc17/0x1360\n tc_new_tfilter+0x472/0xb90\n rtnetlink_rcv_msg+0x313/0x3b0\n netlink_rcv_skb+0x58/0x100\n netlink_unicast+0x244/0x390\n netlink_sendmsg+0x1e4/0x440\n ____sys_sendmsg+0x164/0x260\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xc0\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b(CVE-2024-26595)",
+    "cves": [
+      {
+        "id": "CVE-2024-26595",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26595",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1603": {
+    "id": "openEuler-SA-2024-1603",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1603",
+    "title": "An update for python-sqlparse is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "``sqlparse`` is a non-validating SQL parser module. It provides support for parsing, splitting and formatting SQL statements.\r\n\r\nSecurity Fix(es):\r\n\r\nPassing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.\r\n\r\n(CVE-2024-4340)",
+    "cves": [
+      {
+        "id": "CVE-2024-4340",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4340",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1281": {
+    "id": "openEuler-SA-2023-1281",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1281",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nNULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1531.(CVE-2023-2609)\r\n\r\nInteger Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532.(CVE-2023-2610)",
+    "cves": [
+      {
+        "id": "CVE-2023-2610",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2610",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1446": {
+    "id": "openEuler-SA-2023-1446",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1446",
+    "title": "An update for doxygen is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Doxygen is the de facto standard tool for generating documentation from annotated C++ sources, but it also supports other popular programming languages such as C, Objective-C, C#, PHP, Java, Python, IDL (Corba, Microsoft, and UNO/OpenOffice flavors), Fortran, VHDL, Tcl, and to some extent D.\n\nSecurity Fix(es):\n\nCross Site Scripting vulnerability in jQuery 2.2.0 through 3.x before 3.5.0 allows a remote attacker to execute arbitrary code via the <options> element.(CVE-2020-23064)",
+    "cves": [
+      {
+        "id": "CVE-2020-23064",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-23064",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1460": {
+    "id": "openEuler-SA-2023-1460",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1460",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Low",
+    "description": "This libtiff provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. The latest version of the TIFF specification is available on-line in several different formats.And contains command-line programs for manipulating TIFF format image files using the libtiff library.\r\n\r\nSecurity Fix(es):\r\n\r\nMultiple potential integer overflow in raw2tiff.c in libtiff <= 4.5.1 can allow remote attackers to cause a denial of service (application crash) or possibly execute an arbitrary code via a crafted tiff image which triggers a heap-based buffer overflow.(CVE-2023-38288)\r\n\r\nMultiple potential integer overflow in tiffcp.c in libtiff <= 4.5.1 can allow remote attackers to cause a denial of service (application crash) or possibly execute an arbitrary code via a crafted tiff image which triggers a heap-based buffer overflow.(CVE-2023-38289)",
+    "cves": [
+      {
+        "id": "CVE-2023-38289",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38289",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1869": {
+    "id": "openEuler-SA-2023-1869",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1869",
+    "title": "An update for gdb is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "GDB, the GNU Project debugger, allows you to see what is going on inside another program while it executes -- or what another program was doing at the moment it crashed.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a heap use after free via the function add_pe_exported_sym() at /gdb/coff-pe-read.c.(CVE-2023-39129)\r\n\r\nGNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a heap buffer overflow via the function pe_as16() at /gdb/coff-pe-read.c.(CVE-2023-39130)",
+    "cves": [
+      {
+        "id": "CVE-2023-39130",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39130",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1432": {
+    "id": "openEuler-SA-2023-1432",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1432",
+    "title": "An update for gnuplot is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "Gnuplot is a portable command-line driven graphing utility for Linux, OS/2, MS Windows, OSX, VMS, and many other platforms. The source code is copyrighted but freely distributed (i.e., you don't have to pay for it). It was originally created to allow scientists and students to visualize mathematical functions and data interactively, but has grown to support many non-interactive uses such as web scripting. It is also used as a plotting engine by third-party applications like Octave. Gnuplot has been supported and under active development since 1986.\n\nSecurity Fix(es):\n\ngnuplot v5.5 was discovered to contain a buffer overflow via the function plotrequest().(CVE-2020-25969)",
+    "cves": [
+      {
+        "id": "CVE-2020-25969",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25969",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1522": {
+    "id": "openEuler-SA-2023-1522",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1522",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed. QEMU has two operating modes: Full system emulation. In this mode, QEMU emulates a full system (for example a PC), including one or several processors and various peripherals. It can be used to launch different Operating Systems without rebooting the PC or to debug system code. User mode emulation. In this mode, QEMU can launch processes compiled for one CPU on another CPU. It can be used to launch the Wine Windows API emulator (https://www.winehq.org) or to ease cross-compilation and cross-debugging. You can refer to https://www.qemu.org for more infortmation.\n\nSecurity Fix(es):\n\nA flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in virtio_crypto_handle_sym_req. There is no check for the value of `src_len` and `dst_len` in virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow when the two values differ.(CVE-2023-3180)",
+    "cves": [
+      {
+        "id": "CVE-2023-3180",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3180",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1199": {
+    "id": "openEuler-SA-2023-1199",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1199",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use after free vulnerability exists in the ALSA PCM package in the Linux Kernel. SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 is missing locks that can be used in a use-after-free that can result in a priviledge escalation to gain ring0 access from the system user. We recommend upgrading past commit 56b88b50565cd8b946a2d00b0c83927b7ebb055e(CVE-2023-0266)",
+    "cves": [
+      {
+        "id": "CVE-2023-0266",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0266",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1072": {
+    "id": "openEuler-SA-2021-1072",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1072",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\n\r\nSecurity Fix(es):\n\r\nhw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation.(CVE-2020-13754)\n\nIn QEMU 4.1.0, an out-of-bounds read flaw was found in the ATI VGA implementation. It occurs in the ati_cursor_define() routine while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service.(CVE-2019-20808)\n\nA heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the QEMU process on the host.(CVE-2020-17380)",
+    "cves": [
+      {
+        "id": "CVE-2020-17380",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17380",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1843": {
+    "id": "openEuler-SA-2022-1843",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1843",
+    "title": "An update for zlib is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Zlib is a free, general-purpose, not covered by any patents, lossless data-compression library for use on virtually any computer hardware and operating system. The zlib data format is itself portable across platforms.\r\n\r\nSecurity Fix(es):\r\n\r\nzlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).(CVE-2022-37434)",
+    "cves": [
+      {
+        "id": "CVE-2022-37434",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37434",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1400": {
+    "id": "openEuler-SA-2021-1400",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1400",
+    "title": "An update for ansible is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Ansible is a radically simple model-driven configuration management, multi-node deployment, and remote task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.(CVE-2019-10156)",
+    "cves": [
+      {
+        "id": "CVE-2019-10156",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10156",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1720": {
+    "id": "openEuler-SA-2023-1720",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1720",
+    "title": "An update for grub2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "GNU GRUB is a Multiboot boot loader. It was derived from GRUB, the GRand Unified Bootloader, which was originally designed and implemented by Erich Stefan Boleyn.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds write flaw was found in grub2's NTFS filesystem driver. This issue may allow an attacker to present a specially crafted NTFS filesystem image, leading to grub's heap metadata corruption. In some circumstances, the attack may also corrupt the UEFI firmware heap metadata. As a result, arbitrary code execution and secure boot protection bypass may be achieved.(CVE-2023-4692)\r\n\r\nAn out-of-bounds read flaw was found on grub2's NTFS filesystem driver. This issue may allow a physically present attacker to present a specially crafted NTFS file system image to read arbitrary memory locations. A successful attack allows sensitive data cached in memory or EFI variable values to be leaked, presenting a high Confidentiality risk.(CVE-2023-4693)",
+    "cves": [
+      {
+        "id": "CVE-2023-4693",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4693",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1218": {
+    "id": "openEuler-SA-2023-1218",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1218",
+    "title": "An update for runc is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "runc is a CLI tool for spawning and running containers according to the OCI specification.\r\n\r\nSecurity Fix(es):\r\n\r\nrunc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image.(CVE-2023-28642)",
+    "cves": [
+      {
+        "id": "CVE-2023-28642",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28642",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1364": {
+    "id": "openEuler-SA-2023-1364",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1364",
+    "title": "An update for cpp-httplib is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "A C++11 single-file header-only cross platform HTTP/HTTPS library. It's extremely easy to setup. Just include httplib.h file in your code\r\n\r\nSecurity Fix(es):\r\n\r\nVersions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF Injection when untrusted user input is used to set the content-type header in the HTTP .Patch, .Post, .Put and .Delete requests. This can lead to logical errors and other misbehaviors.\r\n\r\n**Note:** This issue is present due to an incomplete fix for [CVE-2020-11709](https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-2366507).(CVE-2023-26130)",
+    "cves": [
+      {
+        "id": "CVE-2023-26130",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26130",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1815": {
+    "id": "openEuler-SA-2023-1815",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1815",
+    "title": "An update for openjdk-latest is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u381-perf, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 21.3.7 and  22.3.3. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition,.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-22025)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf, 11.0.20, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 20.3.11, 21.3.7 and  22.3.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-22081)",
+    "cves": [
+      {
+        "id": "CVE-2023-22081",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22081",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1612": {
+    "id": "openEuler-SA-2023-1612",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1612",
+    "title": "An update for poppler is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Poppler is a free software utility library for rendering Portable Document Format (PDF) documents. \\ Its development is supported by freedesktop.org. It is commonly used on Linux systems,and is used by \\ the PDF viewers of the open source GNOME and KDE desktop environments.\r\n\r\nSecurity Fix(es):\r\n\r\nUncontrolled Recursion in pdfinfo, and pdftops in poppler 0.89.0 allows remote attackers to cause a denial of service via crafted input.(CVE-2020-23804)\r\n\r\nIn Poppler 22.07.0, PDFDoc::savePageAs in PDFDoc.c callows attackers to cause a denial-of-service (application crashes with SIGABRT) by crafting a PDF file in which the xref data structure is mishandled in getCatalog processing. Note that this vulnerability is caused by the incomplete patch of CVE-2018-20662.(CVE-2022-37050)\r\n\r\nAn issue was discovered in Poppler 22.07.0. There is a reachable abort which leads to denial of service because the main function in pdfunite.cc lacks a stream check before saving an embedded file.(CVE-2022-37051)\r\n\r\nA reachable Object::getString assertion in Poppler 22.07.0 allows attackers to cause a denial of service due to a failure in markObject.(CVE-2022-37052)\r\n\r\nAn issue was discovered in Poppler 22.08.0. There is a reachable assertion in Object.h, will lead to denial of service because PDFDoc::replacePageDict in PDFDoc.cc lacks a stream check before saving an embedded file.(CVE-2022-38349)",
+    "cves": [
+      {
+        "id": "CVE-2022-38349",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38349",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1732": {
+    "id": "openEuler-SA-2023-1732",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1732",
+    "title": "An update for openvswitch is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Open vSwitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Open vSwitch that allows ICMPv6 Neighbor Advertisement packets between virtual machines to bypass OpenFlow rules. This issue may allow a local attacker to create specially crafted packets with a modified or spoofed target IP address field that can redirect ICMPv6 traffic to arbitrary IP addresses.(CVE-2023-5366)",
+    "cves": [
+      {
+        "id": "CVE-2023-5366",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5366",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1551": {
+    "id": "openEuler-SA-2022-1551",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1551",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "TIFF Library and Utilities.\r\n\r\nSecurity Fix(es):\r\n\r\nNull source pointer passed as an argument to memcpy() function within TIFFReadDirectory() in tif_dirread.c in libtiff versions from 4.0 to 4.3.0 could lead to Denial of Service via crafted TIFF file. For users that compile libtiff from sources, a fix is available with commit 561599c.(CVE-2022-0562)\r\n\r\nNull source pointer passed as an argument to memcpy() function within TIFFFetchStripThing() in tif_dirread.c in libtiff versions from 3.9.0 to 4.3.0 could lead to Denial of Service via crafted TIFF file. For users that compile libtiff from sources, the fix is available with commit eecb0712.(CVE-2022-0561)",
+    "cves": [
+      {
+        "id": "CVE-2022-0561",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0561",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1718": {
+    "id": "openEuler-SA-2024-1718",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1718",
+    "title": "An update for mozjs78 is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "SpiderMonkey JavaScript library\r\n\r\nSecurity Fix(es):\r\n\r\nIn the <code>nsTArray_Impl::ReplaceElementsAt()</code> function, an integer overflow could have occurred when the number of elements to replace was too large for the container. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.(CVE-2022-34481)",
+    "cves": [
+      {
+        "id": "CVE-2022-34481",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34481",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1923": {
+    "id": "openEuler-SA-2022-1923",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1923",
+    "title": "An update for fribidi is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "A library to handle bidirectional scripts (for example Hebrew, Arabic), so that the display is done in the proper way; while the text data itself is always written in logical order and display in a different direction .\r\n\r\nSecurity Fix(es):\r\n\r\nA stack-based buffer overflow flaw was found in the Fribidi package. This flaw allows an attacker to pass a specially crafted file to the Fribidi application, which leads to a possible memory leak or a denial of service.(CVE-2022-25308)\r\n\r\nA heap-based buffer overflow flaw was found in the Fribidi package and affects the fribidi_cap_rtl_to_unicode() function of the fribidi-char-sets-cap-rtl.c file. This flaw allows an attacker to pass a specially crafted file to the Fribidi application with the '--caprtl' option, leading to a crash and causing a denial of service.(CVE-2022-25309)\r\n\r\nA segmentation fault (SEGV) flaw was found in the Fribidi package and affects the fribidi_remove_bidi_marks() function of the lib/fribidi.c file. This flaw allows an attacker to pass a specially crafted file to Fribidi, leading to a crash and causing a denial of service.(CVE-2022-25310)",
+    "cves": [
+      {
+        "id": "CVE-2022-25310",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25310",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1042": {
+    "id": "openEuler-SA-2024-1042",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1042",
+    "title": "An update for libssh is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote programs. With its Secure FTP implementation, you can play with remote files easily, without third-party programs others than libcrypto (from openssl).\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. The return values from these were not properly checked, which could cause low-memory situations failures, NULL dereferences, crashes, or usage of the uninitialized memory as an input for the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection.(CVE-2023-6918)",
+    "cves": [
+      {
+        "id": "CVE-2023-6918",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6918",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1356": {
+    "id": "openEuler-SA-2023-1356",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1356",
+    "title": "An update for openssl is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\n\nSecurity Fix(es):\n\nIssue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\n\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\n\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit.  OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\n\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime.  The time complexity is O(n^2) with 'n' being the size of the\nsub-identifiers in bytes (*).\n\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\nidentifiers in string form was introduced.  This includes using OBJECT\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\nalgorithms.\n\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\ndecrypt, or digest passed data.\n\nApplications that call OBJ_obj2txt() directly with untrusted data are\naffected, with any version of OpenSSL.  If the use is for the mere purpose\nof display, the severity is considered low.\n\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\nCMS, CMP/CRMF or TS.  It also impacts anything that processes X.509\ncertificates, including simple things like verifying its signature.\n\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\n100KiB limit on the peer's certificate chain.  Additionally, this only\nimpacts clients, or servers that have explicitly enabled client\nauthentication.\n\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\nsuch as X.509 certificates.  This is assumed to not happen in such a way\nthat it would cause a Denial of Service, so these versions are considered\nnot affected by this issue in such a way that it would be cause for concern,\nand the severity is therefore considered low.(CVE-2023-2650)",
+    "cves": [
+      {
+        "id": "CVE-2023-2650",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2650",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1379": {
+    "id": "openEuler-SA-2024-1379",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1379",
+    "title": "An update for expat is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "expat is a stream-oriented XML parser library written in C. expat excels with files too large to fit RAM, and where performance and flexibility are crucial.\r\n\r\nSecurity Fix(es):\r\n\r\nlibexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.(CVE-2023-52426)\r\n\r\nlibexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).(CVE-2024-28757)",
+    "cves": [
+      {
+        "id": "CVE-2024-28757",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28757",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1622": {
+    "id": "openEuler-SA-2022-1622",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1622",
+    "title": "An update for tomcat is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project\n\t\t\n\t\t\r\nSecurity Fix(es):\r\n\r\nApache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.(CVE-2021-41079)",
+    "cves": [
+      {
+        "id": "CVE-2021-41079",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41079",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1268": {
+    "id": "openEuler-SA-2023-1268",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1268",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free flaw was found in xgene_hwmon_remove in drivers/hwmon/xgene-hwmon.c in the Hardware Monitoring Linux Kernel Driver (xgene-hwmon). This flaw could allow a local attacker to crash the system due to a race problem. This vulnerability could even lead to a kernel information leak problem.(CVE-2023-1855)\r\n\r\nA use-after-free flaw was found in ndlc_remove in drivers/nfc/st-nci/ndlc.c in the Linux Kernel. This flaw could allow an attacker to crash the system due to a race problem.(CVE-2023-1990)\r\n\r\nA use-after-free vulnerability in the Linux Kernel io_uring system can be exploited to achieve local privilege escalation.\r\n\r\nThe io_file_get_fixed function lacks the presence of ctx->uring_lock which can lead to a Use-After-Free vulnerability due a race condition with fixed files getting unregistered.\r\n\r\nWe recommend upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8.\r\n\r\n(CVE-2023-1872)\r\n\r\nA race condition was found in the Linux kernel's RxRPC network protocol, within the processing of RxRPC bundles. This issue results from the lack of proper locking when performing operations on an object. This may allow an attacker to escalate privileges and execute arbitrary code in the context of the kernel.(CVE-2023-2006)\r\n\r\nThe Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/power/supply/da9150-charger.c if a physically proximate attacker unplugs a device.(CVE-2023-30772)",
+    "cves": [
+      {
+        "id": "CVE-2023-30772",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30772",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1153": {
+    "id": "openEuler-SA-2024-1153",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1153",
+    "title": "An update for openjdk-11 is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2024-20918)\r\n\r\nDifficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.(CVE-2024-20919)\r\n\r\nDifficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.(CVE-2024-20921)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2024-20926)\r\n\r\nDifficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).(CVE-2024-20945)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2024-20952)",
+    "cves": [
+      {
+        "id": "CVE-2024-20952",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20952",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1689": {
+    "id": "openEuler-SA-2024-1689",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1689",
+    "title": "An update for libva is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Libva is an implementation for VA-API, which is an open-source library and API specification, provides access to graphics hardware acceleration capabilities for video processing. It consists of a main library and driver-specific acceleration backends for each supported hardware vendor.\r\n\r\nSecurity Fix(es):\r\n\r\nUncontrolled search path in some Libva software maintained by Intel(R) before version 2.20.0 may allow an authenticated user to potentially enable escalation of privilege via local access.(CVE-2023-39929)",
+    "cves": [
+      {
+        "id": "CVE-2023-39929",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39929",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1592": {
+    "id": "openEuler-SA-2023-1592",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1592",
+    "title": "An update for binutils is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The GNU Binutils are a collection of binary tools. The main ones are: ld - the GNU linker. as - the GNU assembler. addr2line - Converts addresses into filenames and line numbers. ar - A utility for creating, modifying and extracting from archives. c++filt - Filter to demangle encoded C++ symbols. dlltool - Creates files for building and using DLLs. gold - A new, faster, ELF only linker, still in beta test. gprof - Displays profiling information. nlmconv - Converts object code into an NLM. nm - Lists symbols from object files. objcopy - Copies and translates object files. objdump - Displays information from object files. ranlib - Generates an index to the contents of an archive. readelf - Displays information from any ELF format object file. size - Lists the section sizes of an object or archive file. strings - Lists printable strings from files. trip - Discards symbols. windmc - A Windows compatible message compiler. windres - A compiler for Windows resource files.\r\n\r\nSecurity Fix(es):\r\n\r\nAn illegal memory access flaw was found in the binutils package. Parsing an ELF file containing corrupt symbol version information may result in a denial of service. This issue is the result of an incomplete fix for CVE-2020-16599.(CVE-2022-4285)\r\n\r\nGNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.(CVE-2022-48064)\r\n\r\nA potential heap based buffer overflow was found in _bfd_elf_slurp_version_tables() in bfd/elf.c. This may lead to loss of availability.(CVE-2023-1972)",
+    "cves": [
+      {
+        "id": "CVE-2023-1972",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1972",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1663": {
+    "id": "openEuler-SA-2023-1663",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1663",
+    "title": "An update for skopeo is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "A command line utility that performs various operations on container images and image repositories\r\n\r\nSecurity Fix(es):\r\n\r\nCalling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.(CVE-2023-24537)",
+    "cves": [
+      {
+        "id": "CVE-2023-24537",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24537",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2037": {
+    "id": "openEuler-SA-2022-2037",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2037",
+    "title": "An update for expat is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "expat is a stream-oriented XML parser library written in C. expat excels with files too large to fit RAM, and where performance and flexibility are crucial.\n\r\n\r\nSecurity Fix(es):\r\n\r\nIn libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.(CVE-2022-43680)",
+    "cves": [
+      {
+        "id": "CVE-2022-43680",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43680",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1112": {
+    "id": "openEuler-SA-2023-1112",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1112",
+    "title": "An update for rubygem-globalid is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "URIs for your models makes it easy to pass references around.\r\n\r\nSecurity Fix(es):\r\n\r\nA ReDoS based DoS vulnerability in the GlobalID <1.0.1 which could allow an attacker supplying a carefully crafted input can cause the regular expression engine to take an unexpected amount of time. All users running an affected release should either upgrade or use one of the workarounds immediately.(CVE-2023-22799)",
+    "cves": [
+      {
+        "id": "CVE-2023-22799",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22799",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1382": {
+    "id": "openEuler-SA-2023-1382",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1382",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free flaw was found in r592_remove in drivers/memstick/host/r592.c in media access in the Linux Kernel. This flaw allows a local attacker to crash the system at device disconnect, possibly leading to a kernel information leak.(CVE-2023-3141)\r\n\r\nAn out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information.(CVE-2023-3268)\r\n\r\nAn issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in rkvdec_remove in drivers/staging/media/rkvdec/rkvdec.c.(CVE-2023-35829)",
+    "cves": [
+      {
+        "id": "CVE-2023-35829",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35829",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1871": {
+    "id": "openEuler-SA-2024-1871",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1871",
+    "title": "An update for openssh is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. \\ It encrypts all traffic to eliminate eavesdropping, connection hijacking, and \\ other attacks. In addition, OpenSSH provides a large suite of secure tunneling \\ capabilities, several authentication methods, and sophisticated configuration options.\r\n\r\nSecurity Fix(es):\r\n\r\nA race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd). If a remote attacker does not authenticate within a set time period, then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). As a consequence of a successful attack, in the worst case scenario, an attacker may be able to perform a remote code execution (RCE) as an unprivileged user running the sshd server.(CVE-2024-6409)",
+    "cves": [
+      {
+        "id": "CVE-2024-6409",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6409",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1223": {
+    "id": "openEuler-SA-2023-1223",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1223",
+    "title": "An update for json-smart is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Json-smart is a performance focused, JSON processor lib.\r\n\r\nSecurity Fix(es):\r\n\r\n[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.(CVE-2023-1370)",
+    "cves": [
+      {
+        "id": "CVE-2023-1370",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1370",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1846": {
+    "id": "openEuler-SA-2023-1846",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1846",
+    "title": "An update for python-django is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.(CVE-2023-46695)",
+    "cves": [
+      {
+        "id": "CVE-2023-46695",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46695",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1060": {
+    "id": "openEuler-SA-2023-1060",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1060",
+    "title": "An update for batik is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Batik is an inline templating engine for CoffeeScript, inspired by CoffeeKup,  that lets you write your template directly as a CoffeeScript function.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.(CVE-2022-41704)\r\n\r\nA vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.(CVE-2022-42890)",
+    "cves": [
+      {
+        "id": "CVE-2022-42890",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42890",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1561": {
+    "id": "openEuler-SA-2022-1561",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1561",
+    "title": "An update for mutt is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Mutt is a small but very powerful text-based mail client for Unix operating systems.\r\n\r\nSecurity Fix(es):\r\n\r\nMutt before 1.14.4 and NeoMutt before 2020-06-19 have a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a \"begin TLS\" response, the client reads additional data (e.g., from a man-in-the-middle attacker) and evaluates it in a TLS context, aka \"response injection.\"(CVE-2020-14954)",
+    "cves": [
+      {
+        "id": "CVE-2020-14954",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14954",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1294": {
+    "id": "openEuler-SA-2024-1294",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1294",
+    "title": "An update for aops-zeus is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "A host and user manager service which is the foundation of aops.\r\n\r\nSecurity Fix(es):\r\n\r\nIn aops-zeus software versions 1.2.0~1.4.1, there is a vulnerability in the plugin management command of the zeus/conf/constant file. Through this vulnerability, an attacker can implant arbitrary commands to be executed on the remote host, which may cause the remote host system to crash, suffering serious consequences of security threats and losses.(CVE-2024-24899)",
+    "cves": [
+      {
+        "id": "CVE-2024-24899",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24899",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1841": {
+    "id": "openEuler-SA-2022-1841",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1841",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\nProduct: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel.(CVE-2022-20368)",
+    "cves": [
+      {
+        "id": "CVE-2022-20368",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20368",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2132": {
+    "id": "openEuler-SA-2022-2132",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2132",
+    "title": "An update for kubernetes is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Low",
+    "description": "Container cluster management.\r\n\r\nSecurity Fix(es):\r\n\r\nkubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal. This includes but is not limited to the unstructured string fields in objects such as Events.(CVE-2021-25743)",
+    "cves": [
+      {
+        "id": "CVE-2021-25743",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25743",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1059": {
+    "id": "openEuler-SA-2024-1059",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1059",
+    "title": "An update for libssh is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote programs. With its Secure FTP implementation, you can play with remote files easily, without third-party programs others than libcrypto (from openssl).\r\n\r\nSecurity Fix(es):\r\n\r\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795)",
+    "cves": [
+      {
+        "id": "CVE-2023-48795",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48795",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1649": {
+    "id": "openEuler-SA-2024-1649",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1649",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbinder: fix race between mmput() and do_exit()\r\n\r\nTask A calls binder_update_page_range() to allocate and insert pages on\na remote address space from Task B. For this, Task A pins the remote mm\nvia mmget_not_zero() first. This can race with Task B do_exit() and the\nfinal mmput() refcount decrement will come from Task A.\r\n\r\n  Task A            | Task B\n  ------------------+------------------\n  mmget_not_zero()  |\n                    |  do_exit()\n                    |    exit_mm()\n                    |      mmput()\n  mmput()           |\n    exit_mmap()     |\n      remove_vma()  |\n        fput()      |\r\n\r\nIn this case, the work of ____fput() from Task B is queued up in Task A\nas TWA_RESUME. So in theory, Task A returns to userspace and the cleanup\nwork gets executed. However, Task A instead sleep, waiting for a reply\nfrom Task B that never comes (it's dead).\r\n\r\nThis means the binder_deferred_release() is blocked until an unrelated\nbinder event forces Task A to go back to userspace. All the associated\ndeath notifications will also be delayed until then.\r\n\r\nIn order to fix this use mmput_async() that will schedule the work in\nthe corresponding mm->async_put_work WQ instead of Task A.(CVE-2023-52609)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhwrng: core - Fix page fault dead lock on mmap-ed hwrng\r\n\r\nThere is a dead-lock in the hwrng device read path.  This triggers\nwhen the user reads from /dev/hwrng into memory also mmap-ed from\n/dev/hwrng.  The resulting page fault triggers a recursive read\nwhich then dead-locks.\r\n\r\nFix this by using a stack buffer when calling copy_to_user.(CVE-2023-52615)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init\r\n\r\nWhen the mpi_ec_ctx structure is initialized, some fields are not\ncleared, causing a crash when referencing the field when the\nstructure was released. Initially, this issue was ignored because\nmemory for mpi_ec_ctx is allocated with the __GFP_ZERO flag.\nFor example, this error will be triggered when calculating the\nZa value for SM2 separately.(CVE-2023-52616)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Check rcu_read_lock_trace_held() before calling bpf map helpers\r\n\r\nThese three bpf_map_{lookup,update,delete}_elem() helpers are also\navailable for sleepable bpf program, so add the corresponding lock\nassertion for sleepable bpf program, otherwise the following warning\nwill be reported when a sleepable bpf program manipulates bpf map under\ninterpreter mode (aka bpf_jit_enable=0):\r\n\r\n  WARNING: CPU: 3 PID: 4985 at kernel/bpf/helpers.c:40 ......\n  CPU: 3 PID: 4985 Comm: test_progs Not tainted 6.6.0+ #2\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\n  RIP: 0010:bpf_map_lookup_elem+0x54/0x60\n  ......\n  Call Trace:\n   <TASK>\n   ? __warn+0xa5/0x240\n   ? bpf_map_lookup_elem+0x54/0x60\n   ? report_bug+0x1ba/0x1f0\n   ? handle_bug+0x40/0x80\n   ? exc_invalid_op+0x18/0x50\n   ? asm_exc_invalid_op+0x1b/0x20\n   ? __pfx_bpf_map_lookup_elem+0x10/0x10\n   ? rcu_lockdep_current_cpu_online+0x65/0xb0\n   ? rcu_is_watching+0x23/0x50\n   ? bpf_map_lookup_elem+0x54/0x60\n   ? __pfx_bpf_map_lookup_elem+0x10/0x10\n   ___bpf_prog_run+0x513/0x3b70\n   __bpf_prog_run32+0x9d/0xd0\n   ? __bpf_prog_enter_sleepable_recur+0xad/0x120\n   ? __bpf_prog_enter_sleepable_recur+0x3e/0x120\n   bpf_trampoline_6442580665+0x4d/0x1000\n   __x64_sys_getpgid+0x5/0x30\n   ? do_syscall_64+0x36/0xb0\n   entry_SYSCALL_64_after_hwframe+0x6e/0x76\n   </TASK>(CVE-2023-52621)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nSUNRPC: Fix a suspicious RCU usage warning\r\n\r\nI received the following warning while running cthon against an ontap\nserver running pNFS:\r\n\r\n[   57.202521] =============================\n[   57.202522] WARNING: suspicious RCU usage\n[   57.202523] 6.7.0-rc3-g2cc14f52aeb7 #41492 Not tainted\n[   57.202525] -----------------------------\n[   57.202525] net/sunrpc/xprtmultipath.c:349 RCU-list traversed in non-reader section!!\n[   57.202527]\n               other info that might help us debug this:\r\n\r\n[   57.202528]\n               rcu_scheduler_active = 2, debug_locks = 1\n[   57.202529] no locks held by test5/3567.\n[   57.202530]\n               stack backtrace:\n[   57.202532] CPU: 0 PID: 3567 Comm: test5 Not tainted 6.7.0-rc3-g2cc14f52aeb7 #41492 5b09971b4965c0aceba19f3eea324a4a806e227e\n[   57.202534] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 2/2/2022\n[   57.202536] Call Trace:\n[   57.202537]  <TASK>\n[   57.202540]  dump_stack_lvl+0x77/0xb0\n[   57.202551]  lockdep_rcu_suspicious+0x154/0x1a0\n[   57.202556]  rpc_xprt_switch_has_addr+0x17c/0x190 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202596]  rpc_clnt_setup_test_and_add_xprt+0x50/0x180 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202621]  ? rpc_clnt_add_xprt+0x254/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202646]  rpc_clnt_add_xprt+0x27a/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202671]  ? __pfx_rpc_clnt_setup_test_and_add_xprt+0x10/0x10 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202696]  nfs4_pnfs_ds_connect+0x345/0x760 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202728]  ? __pfx_nfs4_test_session_trunk+0x10/0x10 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202754]  nfs4_fl_prepare_ds+0x75/0xc0 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]\n[   57.202760]  filelayout_write_pagelist+0x4a/0x200 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]\n[   57.202765]  pnfs_generic_pg_writepages+0xbe/0x230 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202788]  __nfs_pageio_add_request+0x3fd/0x520 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202813]  nfs_pageio_add_request+0x18b/0x390 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202831]  nfs_do_writepage+0x116/0x1e0 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202849]  nfs_writepages_callback+0x13/0x30 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202866]  write_cache_pages+0x265/0x450\n[   57.202870]  ? __pfx_nfs_writepages_callback+0x10/0x10 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202891]  nfs_writepages+0x141/0x230 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202913]  do_writepages+0xd2/0x230\n[   57.202917]  ? filemap_fdatawrite_wbc+0x5c/0x80\n[   57.202921]  filemap_fdatawrite_wbc+0x67/0x80\n[   57.202924]  filemap_write_and_wait_range+0xd9/0x170\n[   57.202930]  nfs_wb_all+0x49/0x180 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202947]  nfs4_file_flush+0x72/0xb0 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202969]  __se_sys_close+0x46/0xd0\n[   57.202972]  do_syscall_64+0x68/0x100\n[   57.202975]  ? do_syscall_64+0x77/0x100\n[   57.202976]  ? do_syscall_64+0x77/0x100\n[   57.202979]  entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[   57.202982] RIP: 0033:0x7fe2b12e4a94\n[   57.202985] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d d5 18 0e 00 00 74 13 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 44 c3 0f 1f 00 48 83 ec 18 89 7c 24 0c e8 c3\n[   57.202987] RSP: 002b:00007ffe857ddb38 EFLAGS: 00000202 ORIG_RAX: 0000000000000003\n[   57.202989] RAX: ffffffffffffffda RBX: 00007ffe857dfd68 RCX: 00007fe2b12e4a94\n[   57.202991] RDX: 0000000000002000 RSI: 00007ffe857ddc40 RDI: 0000000000000003\n[   57.202992] RBP: 00007ffe857dfc50 R08: 7fffffffffffffff R09: 0000000065650f49\n[   57.202993] R10: 00007f\n---truncated---(CVE-2023-52623)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsh: push-switch: Reorder cleanup operations to avoid use-after-free bug\r\n\r\nThe original code puts flush_work() before timer_shutdown_sync()\nin switch_drv_remove(). Although we use flush_work() to stop\nthe worker, it could be rescheduled in switch_timer(). As a result,\na use-after-free bug can occur. The details are shown below:\r\n\r\n      (cpu 0)                    |      (cpu 1)\nswitch_drv_remove()              |\n flush_work()                    |\n  ...                            |  switch_timer // timer\n                                 |   schedule_work(&psw->work)\n timer_shutdown_sync()           |\n ...                             |  switch_work_handler // worker\n kfree(psw) // free              |\n                                 |   psw->state = 0 // use\r\n\r\nThis patch puts timer_shutdown_sync() before flush_work() to\nmitigate the bugs. As a result, the worker and timer will be\nstopped safely before the deallocate operations.(CVE-2023-52629)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2023-52630)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\num: time-travel: fix time corruption\r\n\r\nIn 'basic' time-travel mode (without =inf-cpu or =ext), we\nstill get timer interrupts. These can happen at arbitrary\npoints in time, i.e. while in timer_read(), which pushes\ntime forward just a little bit. Then, if we happen to get\nthe interrupt after calculating the new time to push to,\nbut before actually finishing that, the interrupt will set\nthe time to a value that's incompatible with the forward,\nand we'll crash because time goes backwards when we do the\nforwarding.\r\n\r\nFix this by reading the time_travel_time, calculating the\nadjustment, and doing the adjustment all with interrupts\ndisabled.(CVE-2023-52633)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nPM / devfreq: Synchronize devfreq_monitor_[start/stop]\r\n\r\nThere is a chance if a frequent switch of the governor\ndone in a loop result in timer list corruption where\ntimer cancel being done from two place one from\ncancel_delayed_work_sync() and followed by expire_timers()\ncan be seen from the traces[1].\r\n\r\nwhile true\ndo\n        echo \"simple_ondemand\" > /sys/class/devfreq/1d84000.ufshc/governor\n        echo \"performance\" > /sys/class/devfreq/1d84000.ufshc/governor\ndone\r\n\r\nIt looks to be issue with devfreq driver where\ndevice_monitor_[start/stop] need to synchronized so that\ndelayed work should get corrupted while it is either\nbeing queued or running or being cancelled.\r\n\r\nLet's use polling flag and devfreq lock to synchronize the\nqueueing the timer instance twice and work data being\ncorrupted.\r\n\r\n[1]\n...\n..\n<idle>-0    [003]   9436.209662:  timer_cancel   timer=0xffffff80444f0428\n<idle>-0    [003]   9436.209664:  timer_expire_entry   timer=0xffffff80444f0428  now=0x10022da1c  function=__typeid__ZTSFvP10timer_listE_global_addr  baseclk=0x10022da1c\n<idle>-0    [003]   9436.209718:  timer_expire_exit   timer=0xffffff80444f0428\nkworker/u16:6-14217    [003]   9436.209863:  timer_start   timer=0xffffff80444f0428  function=__typeid__ZTSFvP10timer_listE_global_addr  expires=0x10022da2b  now=0x10022da1c  flags=182452227\nvendor.xxxyyy.ha-1593    [004]   9436.209888:  timer_cancel   timer=0xffffff80444f0428\nvendor.xxxyyy.ha-1593    [004]   9436.216390:  timer_init   timer=0xffffff80444f0428\nvendor.xxxyyy.ha-1593    [004]   9436.216392:  timer_start   timer=0xffffff80444f0428  function=__typeid__ZTSFvP10timer_listE_global_addr  expires=0x10022da2c  now=0x10022da1d  flags=186646532\nvendor.xxxyyy.ha-1593    [005]   9436.220992:  timer_cancel   timer=0xffffff80444f0428\nxxxyyyTraceManag-7795    [004]   9436.261641:  timer_cancel   timer=0xffffff80444f0428\r\n\r\n[2]\r\n\r\n 9436.261653][    C4] Unable to handle kernel paging request at virtual address dead00000000012a\n[ 9436.261664][    C4] Mem abort info:\n[ 9436.261666][    C4]   ESR = 0x96000044\n[ 9436.261669][    C4]   EC = 0x25: DABT (current EL), IL = 32 bits\n[ 9436.261671][    C4]   SET = 0, FnV = 0\n[ 9436.261673][    C4]   EA = 0, S1PTW = 0\n[ 9436.261675][    C4] Data abort info:\n[ 9436.261677][    C4]   ISV = 0, ISS = 0x00000044\n[ 9436.261680][    C4]   CM = 0, WnR = 1\n[ 9436.261682][    C4] [dead00000000012a] address between user and kernel address ranges\n[ 9436.261685][    C4] Internal error: Oops: 96000044 [#1] PREEMPT SMP\n[ 9436.261701][    C4] Skip md ftrace buffer dump for: 0x3a982d0\n...\r\n\r\n[ 9436.262138][    C4] CPU: 4 PID: 7795 Comm: TraceManag Tainted: G S      W  O      5.10.149-android12-9-o-g17f915d29d0c #1\n[ 9436.262141][    C4] Hardware name: Qualcomm Technologies, Inc.  (DT)\n[ 9436.262144][    C4] pstate: 22400085 (nzCv daIf +PAN -UAO +TCO BTYPE=--)\n[ 9436.262161][    C4] pc : expire_timers+0x9c/0x438\n[ 9436.262164][    C4] lr : expire_timers+0x2a4/0x438\n[ 9436.262168][    C4] sp : ffffffc010023dd0\n[ 9436.262171][    C4] x29: ffffffc010023df0 x28: ffffffd0636fdc18\n[ 9436.262178][    C4] x27: ffffffd063569dd0 x26: ffffffd063536008\n[ 9436.262182][    C4] x25: 0000000000000001 x24: ffffff88f7c69280\n[ 9436.262185][    C4] x23: 00000000000000e0 x22: dead000000000122\n[ 9436.262188][    C4] x21: 000000010022da29 x20: ffffff8af72b4e80\n[ 9436.262191][    C4] x19: ffffffc010023e50 x18: ffffffc010025038\n[ 9436.262195][    C4] x17: 0000000000000240 x16: 0000000000000201\n[ 9436.262199][    C4] x15: ffffffffffffffff x14: ffffff889f3c3100\n[ 9436.262203][    C4] x13: ffffff889f3c3100 x12: 00000000049f56b8\n[ 9436.262207][    C4] x11: 00000000049f56b8 x10: 00000000ffffffff\n[ 9436.262212][    C4] x9 : ffffffc010023e50 x8 : dead000000000122\n[ 9436.262216][    C4] x7 : ffffffffffffffff x6 : ffffffc0100239d8\n[ 9436.262220][    C4] x5 : 0000000000000000 x4 : 0000000000000101\n[ 9436.262223][    C4] x3 : 0000000000000080 x2 : ffffff8\n---truncated---(CVE-2023-52635)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncan: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)\r\n\r\nLock jsk->sk to prevent UAF when setsockopt(..., SO_J1939_FILTER, ...)\nmodifies jsk->filters while receiving packets.\r\n\r\nFollowing trace was seen on affected system:\n ==================================================================\n BUG: KASAN: slab-use-after-free in j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n Read of size 4 at addr ffff888012144014 by task j1939/350\r\n\r\n CPU: 0 PID: 350 Comm: j1939 Tainted: G        W  OE      6.5.0-rc5 #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n Call Trace:\n  print_report+0xd3/0x620\n  ? kasan_complete_mode_report_info+0x7d/0x200\n  ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n  kasan_report+0xc2/0x100\n  ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n  __asan_load4+0x84/0xb0\n  j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n  j1939_sk_recv+0x20b/0x320 [can_j1939]\n  ? __kasan_check_write+0x18/0x20\n  ? __pfx_j1939_sk_recv+0x10/0x10 [can_j1939]\n  ? j1939_simple_recv+0x69/0x280 [can_j1939]\n  ? j1939_ac_recv+0x5e/0x310 [can_j1939]\n  j1939_can_recv+0x43f/0x580 [can_j1939]\n  ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]\n  ? raw_rcv+0x42/0x3c0 [can_raw]\n  ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]\n  can_rcv_filter+0x11f/0x350 [can]\n  can_receive+0x12f/0x190 [can]\n  ? __pfx_can_rcv+0x10/0x10 [can]\n  can_rcv+0xdd/0x130 [can]\n  ? __pfx_can_rcv+0x10/0x10 [can]\n  __netif_receive_skb_one_core+0x13d/0x150\n  ? __pfx___netif_receive_skb_one_core+0x10/0x10\n  ? __kasan_check_write+0x18/0x20\n  ? _raw_spin_lock_irq+0x8c/0xe0\n  __netif_receive_skb+0x23/0xb0\n  process_backlog+0x107/0x260\n  __napi_poll+0x69/0x310\n  net_rx_action+0x2a1/0x580\n  ? __pfx_net_rx_action+0x10/0x10\n  ? __pfx__raw_spin_lock+0x10/0x10\n  ? handle_irq_event+0x7d/0xa0\n  __do_softirq+0xf3/0x3f8\n  do_softirq+0x53/0x80\n  </IRQ>\n  <TASK>\n  __local_bh_enable_ip+0x6e/0x70\n  netif_rx+0x16b/0x180\n  can_send+0x32b/0x520 [can]\n  ? __pfx_can_send+0x10/0x10 [can]\n  ? __check_object_size+0x299/0x410\n  raw_sendmsg+0x572/0x6d0 [can_raw]\n  ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]\n  ? apparmor_socket_sendmsg+0x2f/0x40\n  ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]\n  sock_sendmsg+0xef/0x100\n  sock_write_iter+0x162/0x220\n  ? __pfx_sock_write_iter+0x10/0x10\n  ? __rtnl_unlock+0x47/0x80\n  ? security_file_permission+0x54/0x320\n  vfs_write+0x6ba/0x750\n  ? __pfx_vfs_write+0x10/0x10\n  ? __fget_light+0x1ca/0x1f0\n  ? __rcu_read_unlock+0x5b/0x280\n  ksys_write+0x143/0x170\n  ? __pfx_ksys_write+0x10/0x10\n  ? __kasan_check_read+0x15/0x20\n  ? fpregs_assert_state_consistent+0x62/0x70\n  __x64_sys_write+0x47/0x60\n  do_syscall_64+0x60/0x90\n  ? do_syscall_64+0x6d/0x90\n  ? irqentry_exit+0x3f/0x50\n  ? exc_page_fault+0x79/0xf0\n  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\r\n\r\n Allocated by task 348:\n  kasan_save_stack+0x2a/0x50\n  kasan_set_track+0x29/0x40\n  kasan_save_alloc_info+0x1f/0x30\n  __kasan_kmalloc+0xb5/0xc0\n  __kmalloc_node_track_caller+0x67/0x160\n  j1939_sk_setsockopt+0x284/0x450 [can_j1939]\n  __sys_setsockopt+0x15c/0x2f0\n  __x64_sys_setsockopt+0x6b/0x80\n  do_syscall_64+0x60/0x90\n  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\r\n\r\n Freed by task 349:\n  kasan_save_stack+0x2a/0x50\n  kasan_set_track+0x29/0x40\n  kasan_save_free_info+0x2f/0x50\n  __kasan_slab_free+0x12e/0x1c0\n  __kmem_cache_free+0x1b9/0x380\n  kfree+0x7a/0x120\n  j1939_sk_setsockopt+0x3b2/0x450 [can_j1939]\n  __sys_setsockopt+0x15c/0x2f0\n  __x64_sys_setsockopt+0x6b/0x80\n  do_syscall_64+0x60/0x90\n  entry_SYSCALL_64_after_hwframe+0x6e/0xd8(CVE-2023-52637)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: s390: vsie: fix race during shadow creation\r\n\r\nRight now it is possible to see gmap->private being zero in\nkvm_s390_vsie_gmap_notifier resulting in a crash.  This is due to the\nfact that we add gmap->private == kvm after creation:\r\n\r\nstatic int acquire_gmap_shadow(struct kvm_vcpu *vcpu,\n                               struct vsie_page *vsie_page)\n{\n[...]\n        gmap = gmap_shadow(vcpu->arch.gmap, asce, edat);\n        if (IS_ERR(gmap))\n                return PTR_ERR(gmap);\n        gmap->private = vcpu->kvm;\r\n\r\nLet children inherit the private field of the parent.(CVE-2023-52639)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled\r\n\r\nWhen QoS is disabled, the queue priority value will not map to the correct\nieee80211 queue since there is only one queue. Stop/wake queue 0 when QoS\nis disabled to prevent trying to stop/wake a non-existent queue and failing\nto stop/wake the actual queue instantiated.\r\n\r\nLog of issue before change (with kernel parameter qos=0):\n    [  +5.112651] ------------[ cut here ]------------\n    [  +0.000005] WARNING: CPU: 7 PID: 25513 at net/mac80211/util.c:449 __ieee80211_wake_queue+0xd5/0x180 [mac80211]\n    [  +0.000067] Modules linked in: b43(O) snd_seq_dummy snd_hrtimer snd_seq snd_seq_device nft_chain_nat xt_MASQUERADE nf_nat xfrm_user xfrm_algo xt_addrtype overlay ccm af_packet amdgpu snd_hda_codec_cirrus snd_hda_codec_generic ledtrig_audio drm_exec amdxcp gpu_sched xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_rpfilter ipt_rpfilter xt_pkttype xt_LOG nf_log_syslog xt_tcpudp nft_compat nf_tables nfnetlink sch_fq_codel btusb uinput iTCO_wdt ctr btrtl intel_pmc_bxt i915 intel_rapl_msr mei_hdcp mei_pxp joydev at24 watchdog btintel atkbd libps2 serio radeon btbcm vivaldi_fmap btmtk intel_rapl_common snd_hda_codec_hdmi bluetooth uvcvideo nls_iso8859_1 applesmc nls_cp437 x86_pkg_temp_thermal snd_hda_intel intel_powerclamp vfat videobuf2_vmalloc coretemp fat snd_intel_dspcfg crc32_pclmul uvc polyval_clmulni snd_intel_sdw_acpi loop videobuf2_memops snd_hda_codec tun drm_suballoc_helper polyval_generic drm_ttm_helper drm_buddy tap ecdh_generic videobuf2_v4l2 gf128mul macvlan ttm ghash_clmulni_intel ecc tg3\n    [  +0.000044]  videodev bridge snd_hda_core rapl crc16 drm_display_helper cec mousedev snd_hwdep evdev intel_cstate bcm5974 hid_appleir videobuf2_common stp mac_hid libphy snd_pcm drm_kms_helper acpi_als mei_me intel_uncore llc mc snd_timer intel_gtt industrialio_triggered_buffer apple_mfi_fastcharge i2c_i801 mei snd lpc_ich agpgart ptp i2c_smbus thunderbolt apple_gmux i2c_algo_bit kfifo_buf video industrialio soundcore pps_core wmi tiny_power_button sbs sbshc button ac cordic bcma mac80211 cfg80211 ssb rfkill libarc4 kvm_intel kvm drm irqbypass fuse backlight firmware_class efi_pstore configfs efivarfs dmi_sysfs ip_tables x_tables autofs4 dm_crypt cbc encrypted_keys trusted asn1_encoder tee tpm rng_core input_leds hid_apple led_class hid_generic usbhid hid sd_mod t10_pi crc64_rocksoft crc64 crc_t10dif crct10dif_generic ahci libahci libata uhci_hcd ehci_pci ehci_hcd crct10dif_pclmul crct10dif_common sha512_ssse3 sha512_generic sha256_ssse3 sha1_ssse3 aesni_intel usbcore scsi_mod libaes crypto_simd cryptd scsi_common\n    [  +0.000055]  usb_common rtc_cmos btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq dm_snapshot dm_bufio dm_mod dax [last unloaded: b43(O)]\n    [  +0.000009] CPU: 7 PID: 25513 Comm: irq/17-b43 Tainted: G        W  O       6.6.7 #1-NixOS\n    [  +0.000003] Hardware name: Apple Inc. MacBookPro8,3/Mac-942459F5819B171B, BIOS 87.0.0.0.0 06/13/2019\n    [  +0.000001] RIP: 0010:__ieee80211_wake_queue+0xd5/0x180 [mac80211]\n    [  +0.000046] Code: 00 45 85 e4 0f 85 9b 00 00 00 48 8d bd 40 09 00 00 f0 48 0f ba ad 48 09 00 00 00 72 0f 5b 5d 41 5c 41 5d 41 5e e9 cb 6d 3c d0 <0f> 0b 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc 48 8d b4 16 94 00 00\n    [  +0.000002] RSP: 0018:ffffc90003c77d60 EFLAGS: 00010097\n    [  +0.000001] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 0000000000000000\n    [  +0.000001] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff88820b924900\n    [  +0.000002] RBP: ffff88820b924900 R08: ffffc90003c77d90 R09: 000000000003bfd0\n    [  +0.000001] R10: ffff88820b924900 R11: ffffc90003c77c68 R12: 0000000000000000\n    [  +0.000001] R13: 0000000000000000 R14: ffffc90003c77d90 R15: ffffffffc0fa6f40\n    [  +0.000001] FS:  0000000000000000(0000) GS:ffff88846fb80000(0000) knlGS:0000000000000000\n    [  +0.000001] CS:  0010 DS: 0\n---truncated---(CVE-2023-52644)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/imc-pmu: Add a null pointer check in update_events_in_group()\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.(CVE-2023-52675)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Guard stack limits against 32bit overflow\r\n\r\nThis patch promotes the arithmetic around checking stack bounds to be\ndone in the 64-bit domain, instead of the current 32bit. The arithmetic\nimplies adding together a 64-bit register with a int offset. The\nregister was checked to be below 1<<29 when it was variable, but not\nwhen it was fixed. The offset either comes from an instruction (in which\ncase it is 16 bit), from another register (in which case the caller\nchecked it to be below 1<<29 [1]), or from the size of an argument to a\nkfunc (in which case it can be a u32 [2]). Between the register being\ninconsistently checked to be below 1<<29, and the offset being up to an\nu32, it appears that we were open to overflowing the `int`s which were\ncurrently used for arithmetic.\r\n\r\n[1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L7494-L7498\n[2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L11904(CVE-2023-52676)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npstore: ram_core: fix possible overflow in persistent_ram_init_ecc()\r\n\r\nIn persistent_ram_init_ecc(), on 64-bit arches DIV_ROUND_UP() will return\n64-bit value since persistent_ram_zone::buffer_size has type size_t which\nis derived from the 64-bit *unsigned long*, while the ecc_blocks variable\nthis value gets assigned to has (always 32-bit) *int* type.  Even if that\nvalue fits into *int* type, an overflow is still possible when calculating\nthe size_t typed ecc_total variable further below since there's no cast to\nany 64-bit type before multiplication.  Declaring the ecc_blocks variable\nas *size_t* should fix this mess...\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with the SVACE static\nanalysis tool.(CVE-2023-52685)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/powernv: Add a null pointer check to scom_debug_init_one()\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.\nAdd a null pointer check, and release 'ent' to avoid memory leaks.(CVE-2023-52690)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/bridge: tpd12s015: Drop buggy __exit annotation for remove function\r\n\r\nWith tpd12s015_remove() marked with __exit this function is discarded\nwhen the driver is compiled as a built-in. The result is that when the\ndriver unbinds there is no cleanup done which results in resource\nleakage or worse.(CVE-2023-52694)\r\n\r\nA race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\r\n\r\n\r\n\r\n\n(CVE-2024-24860)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: iwlwifi: fix a memory corruption\r\n\r\niwl_fw_ini_trigger_tlv::data is a pointer to a __le32, which means that\nif we copy to iwl_fw_ini_trigger_tlv::data + offset while offset is in\nbytes, we'll write past the buffer.(CVE-2024-26610)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()\r\n\r\nsyzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken.\r\n\r\nReading frag_off can only be done if we pulled enough bytes\nto skb->head. Currently we might access garbage.\r\n\r\n[1]\nBUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0\nip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0\nipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]\nip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432\n__netdev_start_xmit include/linux/netdevice.h:4940 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4954 [inline]\nxmit_one net/core/dev.c:3548 [inline]\ndev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\nneigh_connected_output+0x569/0x660 net/core/neighbour.c:1592\nneigh_output include/net/neighbour.h:542 [inline]\nip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137\nip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222\nNF_HOOK_COND include/linux/netfilter.h:303 [inline]\nip6_output+0x323/0x610 net/ipv6/ip6_output.c:243\ndst_output include/net/dst.h:451 [inline]\nip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155\nip6_send_skb net/ipv6/ip6_output.c:1952 [inline]\nip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972\nrawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582\nrawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920\ninet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg net/socket.c:745 [inline]\n____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n__sys_sendmsg net/socket.c:2667 [inline]\n__do_sys_sendmsg net/socket.c:2676 [inline]\n__se_sys_sendmsg net/socket.c:2674 [inline]\n__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was created at:\nslab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\nslab_alloc_node mm/slub.c:3478 [inline]\n__kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517\n__do_kmalloc_node mm/slab_common.c:1006 [inline]\n__kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027\nkmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582\npskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098\n__pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655\npskb_may_pull_reason include/linux/skbuff.h:2673 [inline]\npskb_may_pull include/linux/skbuff.h:2681 [inline]\nip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408\nipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]\nip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432\n__netdev_start_xmit include/linux/netdevice.h:4940 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4954 [inline]\nxmit_one net/core/dev.c:3548 [inline]\ndev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\nneigh_connected_output+0x569/0x660 net/core/neighbour.c:1592\nneigh_output include/net/neighbour.h:542 [inline]\nip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137\nip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222\nNF_HOOK_COND include/linux/netfilter.h:303 [inline]\nip6_output+0x323/0x610 net/ipv6/ip6_output.c:243\ndst_output include/net/dst.h:451 [inline]\nip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155\nip6_send_skb net/ipv6/ip6_output.c:1952 [inline]\nip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972\nrawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582\nrawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920\ninet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg net/socket.c:745 [inline]\n____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n__sys_sendmsg net/socket.c:2667 [inline]\n__do_sys_sendms\n---truncated---(CVE-2024-26633)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nllc: Drop support for ETH_P_TR_802_2.\r\n\r\nsyzbot reported an uninit-value bug below. [0]\r\n\r\nllc supports ETH_P_802_2 (0x0004) and used to support ETH_P_TR_802_2\n(0x0011), and syzbot abused the latter to trigger the bug.\r\n\r\n  write$tun(r0, &(0x7f0000000040)={@val={0x0, 0x11}, @val, @mpls={[], @llc={@snap={0xaa, 0x1, ')', \"90e5dd\"}}}}, 0x16)\r\n\r\nllc_conn_handler() initialises local variables {saddr,daddr}.mac\nbased on skb in llc_pdu_decode_sa()/llc_pdu_decode_da() and passes\nthem to __llc_lookup().\r\n\r\nHowever, the initialisation is done only when skb->protocol is\nhtons(ETH_P_802_2), otherwise, __llc_lookup_established() and\n__llc_lookup_listener() will read garbage.\r\n\r\nThe missing initialisation existed prior to commit 211ed865108e\n(\"net: delete all instances of special processing for token ring\").\r\n\r\nIt removed the part to kick out the token ring stuff but forgot to\nclose the door allowing ETH_P_TR_802_2 packets to sneak into llc_rcv().\r\n\r\nLet's remove llc_tr_packet_type and complete the deprecation.\r\n\r\n[0]:\nBUG: KMSAN: uninit-value in __llc_lookup_established+0xe9d/0xf90\n __llc_lookup_established+0xe9d/0xf90\n __llc_lookup net/llc/llc_conn.c:611 [inline]\n llc_conn_handler+0x4bd/0x1360 net/llc/llc_conn.c:791\n llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206\n __netif_receive_skb_one_core net/core/dev.c:5527 [inline]\n __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5641\n netif_receive_skb_internal net/core/dev.c:5727 [inline]\n netif_receive_skb+0x58/0x660 net/core/dev.c:5786\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\n tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2020 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x8ef/0x1490 fs/read_write.c:584\n ksys_write+0x20f/0x4c0 fs/read_write.c:637\n __do_sys_write fs/read_write.c:649 [inline]\n __se_sys_write fs/read_write.c:646 [inline]\n __x64_sys_write+0x93/0xd0 fs/read_write.c:646\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nLocal variable daddr created at:\n llc_conn_handler+0x53/0x1360 net/llc/llc_conn.c:783\n llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206\r\n\r\nCPU: 1 PID: 5004 Comm: syz-executor994 Not tainted 6.6.0-syzkaller-14500-g1c41041124bd #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023(CVE-2024-26635)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nllc: make llc_ui_sendmsg() more robust against bonding changes\r\n\r\nsyzbot was able to trick llc_ui_sendmsg(), allocating an skb with no\nheadroom, but subsequently trying to push 14 bytes of Ethernet header [1]\r\n\r\nLike some others, llc_ui_sendmsg() releases the socket lock before\ncalling sock_alloc_send_skb().\nThen it acquires it again, but does not redo all the sanity checks\nthat were performed.\r\n\r\nThis fix:\r\n\r\n- Uses LL_RESERVED_SPACE() to reserve space.\n- Check all conditions again after socket lock is held again.\n- Do not account Ethernet header for mtu limitation.\r\n\r\n[1]\r\n\r\nskbuff: skb_under_panic: text:ffff800088baa334 len:1514 put:14 head:ffff0000c9c37000 data:ffff0000c9c36ff2 tail:0x5dc end:0x6c0 dev:bond0\r\n\r\n kernel BUG at net/core/skbuff.c:193 !\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\nModules linked in:\nCPU: 0 PID: 6875 Comm: syz-executor.0 Not tainted 6.7.0-rc8-syzkaller-00101-g0802e17d9aca-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : skb_panic net/core/skbuff.c:189 [inline]\n pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203\n lr : skb_panic net/core/skbuff.c:189 [inline]\n lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203\nsp : ffff800096f97000\nx29: ffff800096f97010 x28: ffff80008cc8d668 x27: dfff800000000000\nx26: ffff0000cb970c90 x25: 00000000000005dc x24: ffff0000c9c36ff2\nx23: ffff0000c9c37000 x22: 00000000000005ea x21: 00000000000006c0\nx20: 000000000000000e x19: ffff800088baa334 x18: 1fffe000368261ce\nx17: ffff80008e4ed000 x16: ffff80008a8310f8 x15: 0000000000000001\nx14: 1ffff00012df2d58 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000001 x10: 0000000000ff0100 x9 : e28a51f1087e8400\nx8 : e28a51f1087e8400 x7 : ffff80008028f8d0 x6 : 0000000000000000\nx5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff800082b78714\nx2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000089\nCall trace:\n  skb_panic net/core/skbuff.c:189 [inline]\n  skb_under_panic+0x13c/0x140 net/core/skbuff.c:203\n  skb_push+0xf0/0x108 net/core/skbuff.c:2451\n  eth_header+0x44/0x1f8 net/ethernet/eth.c:83\n  dev_hard_header include/linux/netdevice.h:3188 [inline]\n  llc_mac_hdr_init+0x110/0x17c net/llc/llc_output.c:33\n  llc_sap_action_send_xid_c+0x170/0x344 net/llc/llc_s_ac.c:85\n  llc_exec_sap_trans_actions net/llc/llc_sap.c:153 [inline]\n  llc_sap_next_state net/llc/llc_sap.c:182 [inline]\n  llc_sap_state_process+0x1ec/0x774 net/llc/llc_sap.c:209\n  llc_build_and_send_xid_pkt+0x12c/0x1c0 net/llc/llc_sap.c:270\n  llc_ui_sendmsg+0x7bc/0xb1c net/llc/af_llc.c:997\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg net/socket.c:745 [inline]\n  sock_sendmsg+0x194/0x274 net/socket.c:767\n  splice_to_socket+0x7cc/0xd58 fs/splice.c:881\n  do_splice_from fs/splice.c:933 [inline]\n  direct_splice_actor+0xe4/0x1c0 fs/splice.c:1142\n  splice_direct_to_actor+0x2a0/0x7e4 fs/splice.c:1088\n  do_splice_direct+0x20c/0x348 fs/splice.c:1194\n  do_sendfile+0x4bc/0xc70 fs/read_write.c:1254\n  __do_sys_sendfile64 fs/read_write.c:1322 [inline]\n  __se_sys_sendfile64 fs/read_write.c:1308 [inline]\n  __arm64_sys_sendfile64+0x160/0x3b4 fs/read_write.c:1308\n  __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]\n  invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51\n  el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136\n  do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155\n  el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678\n  el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696\n  el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595\nCode: aa1803e6 aa1903e7 a90023f5 94792f6a (d4210000)(CVE-2024-26636)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: add sanity checks to rx zerocopy\r\n\r\nTCP rx zerocopy intent is to map pages initially allocated\nfrom NIC drivers, not pages owned by a fs.\r\n\r\nThis patch adds to can_map_frag() these additional checks:\r\n\r\n- Page must not be a compound one.\n- page->mapping must be NULL.\r\n\r\nThis fixes the panic reported by ZhangPeng.\r\n\r\nsyzbot was able to loopback packets built with sendfile(),\nmapping pages owned by an ext4 file to TCP rx zerocopy.\r\n\r\nr3 = socket$inet_tcp(0x2, 0x1, 0x0)\nmmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0)\nr4 = socket$inet_tcp(0x2, 0x1, 0x0)\nbind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10)\nconnect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10)\nr5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00',\n    0x181e42, 0x0)\nfallocate(r5, 0x0, 0x0, 0x85b8)\nsendfile(r4, r5, 0x0, 0x8ba0)\ngetsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23,\n    &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0,\n    0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40)\nr6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00',\n    0x181e42, 0x0)(CVE-2024-26640)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()\r\n\r\nsyzbot found __ip6_tnl_rcv() could access unitiliazed data [1].\r\n\r\nCall pskb_inet_may_pull() to fix this, and initialize ipv6h\nvariable after this call as it can change skb->head.\r\n\r\n[1]\n BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321\n  __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n  INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n  IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321\n  ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727\n  __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845\n  ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888\n gre_rcv+0x143f/0x1870\n  ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438\n  ip6_input_finish net/ipv6/ip6_input.c:483 [inline]\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\n  ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\n  dst_input include/net/dst.h:461 [inline]\n  ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310\n  __netif_receive_skb_one_core net/core/dev.c:5532 [inline]\n  __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646\n  netif_receive_skb_internal net/core/dev.c:5732 [inline]\n  netif_receive_skb+0x58/0x660 net/core/dev.c:5791\n  tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\n  tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n  call_write_iter include/linux/fs.h:2084 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0x786/0x1200 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was created at:\n  slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n  slab_alloc_node mm/slub.c:3478 [inline]\n  kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n  __alloc_skb+0x318/0x740 net/core/skbuff.c:651\n  alloc_skb include/linux/skbuff.h:1286 [inline]\n  alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334\n  sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787\n  tun_alloc_skb drivers/net/tun.c:1531 [inline]\n  tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n  call_write_iter include/linux/fs.h:2084 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0x786/0x1200 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nCPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023(CVE-2024-26641)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: disallow anonymous set with timeout flag\r\n\r\nAnonymous sets are never used with timeout from userspace, reject this.\nException to this rule is NFT_SET_EVAL to ensure legacy meters still work.(CVE-2024-26642)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntracing: Ensure visibility when inserting an element into tracing_map\r\n\r\nRunning the following two commands in parallel on a multi-processor\nAArch64 machine can sporadically produce an unexpected warning about\nduplicate histogram entries:\r\n\r\n $ while true; do\n     echo hist:key=id.syscall:val=hitcount > \\\n       /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/trigger\n     cat /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/hist\n     sleep 0.001\n   done\n $ stress-ng --sysbadaddr $(nproc)\r\n\r\nThe warning looks as follows:\r\n\r\n[ 2911.172474] ------------[ cut here ]------------\n[ 2911.173111] Duplicates detected: 1\n[ 2911.173574] WARNING: CPU: 2 PID: 12247 at kernel/trace/tracing_map.c:983 tracing_map_sort_entries+0x3e0/0x408\n[ 2911.174702] Modules linked in: iscsi_ibft(E) iscsi_boot_sysfs(E) rfkill(E) af_packet(E) nls_iso8859_1(E) nls_cp437(E) vfat(E) fat(E) ena(E) tiny_power_button(E) qemu_fw_cfg(E) button(E) fuse(E) efi_pstore(E) ip_tables(E) x_tables(E) xfs(E) libcrc32c(E) aes_ce_blk(E) aes_ce_cipher(E) crct10dif_ce(E) polyval_ce(E) polyval_generic(E) ghash_ce(E) gf128mul(E) sm4_ce_gcm(E) sm4_ce_ccm(E) sm4_ce(E) sm4_ce_cipher(E) sm4(E) sm3_ce(E) sm3(E) sha3_ce(E) sha512_ce(E) sha512_arm64(E) sha2_ce(E) sha256_arm64(E) nvme(E) sha1_ce(E) nvme_core(E) nvme_auth(E) t10_pi(E) sg(E) scsi_mod(E) scsi_common(E) efivarfs(E)\n[ 2911.174738] Unloaded tainted modules: cppc_cpufreq(E):1\n[ 2911.180985] CPU: 2 PID: 12247 Comm: cat Kdump: loaded Tainted: G            E      6.7.0-default #2 1b58bbb22c97e4399dc09f92d309344f69c44a01\n[ 2911.182398] Hardware name: Amazon EC2 c7g.8xlarge/, BIOS 1.0 11/1/2018\n[ 2911.183208] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 2911.184038] pc : tracing_map_sort_entries+0x3e0/0x408\n[ 2911.184667] lr : tracing_map_sort_entries+0x3e0/0x408\n[ 2911.185310] sp : ffff8000a1513900\n[ 2911.185750] x29: ffff8000a1513900 x28: ffff0003f272fe80 x27: 0000000000000001\n[ 2911.186600] x26: ffff0003f272fe80 x25: 0000000000000030 x24: 0000000000000008\n[ 2911.187458] x23: ffff0003c5788000 x22: ffff0003c16710c8 x21: ffff80008017f180\n[ 2911.188310] x20: ffff80008017f000 x19: ffff80008017f180 x18: ffffffffffffffff\n[ 2911.189160] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000a15134b8\n[ 2911.190015] x14: 0000000000000000 x13: 205d373432323154 x12: 5b5d313131333731\n[ 2911.190844] x11: 00000000fffeffff x10: 00000000fffeffff x9 : ffffd1b78274a13c\n[ 2911.191716] x8 : 000000000017ffe8 x7 : c0000000fffeffff x6 : 000000000057ffa8\n[ 2911.192554] x5 : ffff0012f6c24ec0 x4 : 0000000000000000 x3 : ffff2e5b72b5d000\n[ 2911.193404] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0003ff254480\n[ 2911.194259] Call trace:\n[ 2911.194626]  tracing_map_sort_entries+0x3e0/0x408\n[ 2911.195220]  hist_show+0x124/0x800\n[ 2911.195692]  seq_read_iter+0x1d4/0x4e8\n[ 2911.196193]  seq_read+0xe8/0x138\n[ 2911.196638]  vfs_read+0xc8/0x300\n[ 2911.197078]  ksys_read+0x70/0x108\n[ 2911.197534]  __arm64_sys_read+0x24/0x38\n[ 2911.198046]  invoke_syscall+0x78/0x108\n[ 2911.198553]  el0_svc_common.constprop.0+0xd0/0xf8\n[ 2911.199157]  do_el0_svc+0x28/0x40\n[ 2911.199613]  el0_svc+0x40/0x178\n[ 2911.200048]  el0t_64_sync_handler+0x13c/0x158\n[ 2911.200621]  el0t_64_sync+0x1a8/0x1b0\n[ 2911.201115] ---[ end trace 0000000000000000 ]---\r\n\r\nThe problem appears to be caused by CPU reordering of writes issued from\n__tracing_map_insert().\r\n\r\nThe check for the presence of an element with a given key in this\nfunction is:\r\n\r\n val = READ_ONCE(entry->val);\n if (val && keys_match(key, val->key, map->key_size)) ...\r\n\r\nThe write of a new entry is:\r\n\r\n elt = get_free_elt(map);\n memcpy(elt->key, key, map->key_size);\n entry->val = elt;\r\n\r\nThe \"memcpy(elt->key, key, map->key_size);\" and \"entry->val = elt;\"\nstores may become visible in the reversed order on another CPU. This\nsecond CPU might then incorrectly determine that a new key doesn't match\nan already present val->key and subse\n---truncated---(CVE-2024-26645)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'\r\n\r\nIn \"u32 otg_inst = pipe_ctx->stream_res.tg->inst;\"\npipe_ctx->stream_res.tg could be NULL, it is relying on the caller to\nensure the tg is not NULL.(CVE-2024-26661)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntunnels: fix out of bounds access when building IPv6 PMTU error\r\n\r\nIf the ICMPv6 error is built from a non-linear skb we get the following\nsplat,\r\n\r\n  BUG: KASAN: slab-out-of-bounds in do_csum+0x220/0x240\n  Read of size 4 at addr ffff88811d402c80 by task netperf/820\n  CPU: 0 PID: 820 Comm: netperf Not tainted 6.8.0-rc1+ #543\n  ...\n   kasan_report+0xd8/0x110\n   do_csum+0x220/0x240\n   csum_partial+0xc/0x20\n   skb_tunnel_check_pmtu+0xeb9/0x3280\n   vxlan_xmit_one+0x14c2/0x4080\n   vxlan_xmit+0xf61/0x5c00\n   dev_hard_start_xmit+0xfb/0x510\n   __dev_queue_xmit+0x7cd/0x32a0\n   br_dev_queue_push_xmit+0x39d/0x6a0\r\n\r\nUse skb_checksum instead of csum_partial who cannot deal with non-linear\nSKBs.(CVE-2024-26665)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nppp_async: limit MRU to 64K\r\n\r\nsyzbot triggered a warning [1] in __alloc_pages():\r\n\r\nWARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)\r\n\r\nWillem fixed a similar issue in commit c0a2a1b0d631 (\"ppp: limit MRU to 64K\")\r\n\r\nAdopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU)\r\n\r\n[1]:\r\n\r\n WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\nModules linked in:\nCPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\nWorkqueue: events_unbound flush_to_ldisc\npstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\n lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537\nsp : ffff800093967580\nx29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000\nx26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0\nx23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8\nx20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120\nx17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005\nx14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000\nx11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001\nx8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f\nx5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020\nx2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0\nCall trace:\n  __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\n  __alloc_pages_node include/linux/gfp.h:238 [inline]\n  alloc_pages_node include/linux/gfp.h:261 [inline]\n  __kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926\n  __do_kmalloc_node mm/slub.c:3969 [inline]\n  __kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001\n  kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590\n  __alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651\n  __netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715\n  netdev_alloc_skb include/linux/skbuff.h:3235 [inline]\n  dev_alloc_skb include/linux/skbuff.h:3248 [inline]\n  ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline]\n  ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341\n  tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390\n  tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37\n  receive_buf drivers/tty/tty_buffer.c:444 [inline]\n  flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494\n  process_one_work+0x694/0x1204 kernel/workqueue.c:2633\n  process_scheduled_works kernel/workqueue.c:2706 [inline]\n  worker_thread+0x938/0xef4 kernel/workqueue.c:2787\n  kthread+0x288/0x310 kernel/kthread.c:388\n  ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860(CVE-2024-26675)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ninet: read sk->sk_family once in inet_recv_error()\r\n\r\ninet_recv_error() is called without holding the socket lock.\r\n\r\nIPv6 socket could mutate to IPv4 with IPV6_ADDRFORM\nsocket option and trigger a KCSAN warning.(CVE-2024-26679)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: stmmac: xgmac: fix handling of DPP safety error for DMA channels\r\n\r\nCommit 56e58d6c8a56 (\"net: stmmac: Implement Safety Features in\nXGMAC core\") checks and reports safety errors, but leaves the\nData Path Parity Errors for each channel in DMA unhandled at all, lead to\na storm of interrupt.\nFix it by checking and clearing the DMA_DPP_Interrupt_Status register.(CVE-2024-26684)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix potential bug in end_buffer_async_write\r\n\r\nAccording to a syzbot report, end_buffer_async_write(), which handles the\ncompletion of block device writes, may detect abnormal condition of the\nbuffer async_write flag and cause a BUG_ON failure when using nilfs2.\r\n\r\nNilfs2 itself does not use end_buffer_async_write().  But, the async_write\nflag is now used as a marker by commit 7f42ec394156 (\"nilfs2: fix issue\nwith race condition of competition between segments for dirty blocks\") as\na means of resolving double list insertion of dirty blocks in\nnilfs_lookup_dirty_data_buffers() and nilfs_lookup_node_buffers() and the\nresulting crash.\r\n\r\nThis modification is safe as long as it is used for file data and b-tree\nnode blocks where the page caches are independent.  However, it was\nirrelevant and redundant to also introduce async_write for segment summary\nand super root blocks that share buffers with the backing device.  This\nled to the possibility that the BUG_ON check in end_buffer_async_write\nwould fail as described above, if independent writebacks of the backing\ndevice occurred in parallel.\r\n\r\nThe use of async_write for segment summary buffers has already been\nremoved in a previous change.\r\n\r\nFix this issue by removing the manipulation of the async_write flag for\nthe remaining super root block buffer.(CVE-2024-26685)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats\r\n\r\nlock_task_sighand() can trigger a hard lockup.  If NR_CPUS threads call\ndo_task_stat() at the same time and the process has NR_THREADS, it will\nspin with irqs disabled O(NR_CPUS * NR_THREADS) time.\r\n\r\nChange do_task_stat() to use sig->stats_lock to gather the statistics\noutside of ->siglock protected section, in the likely case this code will\nrun lockless.(CVE-2024-26686)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix data corruption in dsync block recovery for small block sizes\r\n\r\nThe helper function nilfs_recovery_copy_block() of\nnilfs_recovery_dsync_blocks(), which recovers data from logs created by\ndata sync writes during a mount after an unclean shutdown, incorrectly\ncalculates the on-page offset when copying repair data to the file's page\ncache.  In environments where the block size is smaller than the page\nsize, this flaw can cause data corruption and leak uninitialized memory\nbytes during the recovery process.\r\n\r\nFix these issues by correcting this byte offset calculation on the page.(CVE-2024-26697)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\niio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC\r\n\r\nRecently, we encounter kernel crash in function rm3100_common_probe\ncaused by out of bound access of array rm3100_samp_rates (because of\nunderlying hardware failures). Add boundary check to prevent out of\nbound access.(CVE-2024-26702)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nparisc: Fix random data corruption from exception handler\r\n\r\nThe current exception handler implementation, which assists when accessing\nuser space memory, may exhibit random data corruption if the compiler decides\nto use a different register than the specified register %r29 (defined in\nASM_EXCEPTIONTABLE_REG) for the error code. If the compiler choose another\nregister, the fault handler will nevertheless store -EFAULT into %r29 and thus\ntrash whatever this register is used for.\nLooking at the assembly I found that this happens sometimes in emulate_ldd().\r\n\r\nTo solve the issue, the easiest solution would be if it somehow is\npossible to tell the fault handler which register is used to hold the error\ncode. Using %0 or %1 in the inline assembly is not posssible as it will show\nup as e.g. %r29 (with the \"%r\" prefix), which the GNU assembler can not\nconvert to an integer.\r\n\r\nThis patch takes another, better and more flexible approach:\nWe extend the __ex_table (which is out of the execution path) by one 32-word.\nIn this word we tell the compiler to insert the assembler instruction\n\"or %r0,%r0,%reg\", where %reg references the register which the compiler\nchoosed for the error return code.\nIn case of an access failure, the fault handler finds the __ex_table entry and\ncan examine the opcode. The used register is encoded in the lowest 5 bits, and\nthe fault handler can then store -EFAULT into this register.\r\n\r\nSince we extend the __ex_table to 3 words we can't use the BUILDTIME_TABLE_SORT\nconfig option any longer.(CVE-2024-26706)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()\r\n\r\nSyzkaller reported [1] hitting a warning after failing to allocate\nresources for skb in hsr_init_skb(). Since a WARN_ONCE() call will\nnot help much in this case, it might be prudent to switch to\nnetdev_warn_once(). At the very least it will suppress syzkaller\nreports such as [1].\r\n\r\nJust in case, use netdev_warn_once() in send_prp_supervision_frame()\nfor similar reasons.\r\n\r\n[1]\nHSR: Could not send supervision frame\nWARNING: CPU: 1 PID: 85 at net/hsr/hsr_device.c:294 send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294\nRIP: 0010:send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294\n...\nCall Trace:\n <IRQ>\n hsr_announce+0x114/0x370 net/hsr/hsr_device.c:382\n call_timer_fn+0x193/0x590 kernel/time/timer.c:1700\n expire_timers kernel/time/timer.c:1751 [inline]\n __run_timers+0x764/0xb20 kernel/time/timer.c:2022\n run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2035\n __do_softirq+0x21a/0x8de kernel/softirq.c:553\n invoke_softirq kernel/softirq.c:427 [inline]\n __irq_exit_rcu kernel/softirq.c:632 [inline]\n irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644\n sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076\n </IRQ>\n <TASK>\n asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649\n...\r\n\r\nThis issue is also found in older kernels (at least up to 5.10).(CVE-2024-26707)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/kasan: Fix addr error caused by page alignment\r\n\r\nIn kasan_init_region, when k_start is not page aligned, at the begin of\nfor loop, k_cur = k_start & PAGE_MASK is less than k_start, and then\n`va = block + k_cur - k_start` is less than block, the addr va is invalid,\nbecause the memory address space from va to block is not alloced by\nmemblock_alloc, which will not be reserved by memblock_reserve later, it\nwill be used by other places.\r\n\r\nAs a result, memory overwriting occurs.\r\n\r\nfor example:\nint __init __weak kasan_init_region(void *start, size_t size)\n{\n[...]\n\t/* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */\n\tblock = memblock_alloc(k_end - k_start, PAGE_SIZE);\n\t[...]\n\tfor (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) {\n\t\t/* at the begin of for loop\n\t\t * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400)\n\t\t * va(dcd96c00) is less than block(dcd97000), va is invalid\n\t\t */\n\t\tvoid *va = block + k_cur - k_start;\n\t\t[...]\n\t}\n[...]\n}\r\n\r\nTherefore, page alignment is performed on k_start before\nmemblock_alloc() to ensure the validity of the VA address.(CVE-2024-26712)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again\r\n\r\n(struct dirty_throttle_control *)->thresh is an unsigned long, but is\npassed as the u32 divisor argument to div_u64().  On architectures where\nunsigned long is 64 bytes, the argument will be implicitly truncated.\r\n\r\nUse div64_u64() instead of div_u64() so that the value used in the \"is\nthis a safe division\" check is the same as the divisor.\r\n\r\nAlso, remove redundant cast of the numerator to u64, as that should happen\nimplicitly.\r\n\r\nThis would be difficult to exploit in memcg domain, given the ratio-based\narithmetic domain_drity_limits() uses, but is much easier in global\nwriteback domain with a BDI_CAP_STRICTLIMIT-backing device, using e.g. \nvm.dirty_bytes=(1<<32)*PAGE_SIZE so that dtc->thresh == (1<<32)(CVE-2024-26720)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: don't drop extent_map for free space inode on write error\r\n\r\nWhile running the CI for an unrelated change I hit the following panic\nwith generic/648 on btrfs_holes_spacecache.\r\n\r\nassertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385\n------------[ cut here ]------------\nkernel BUG at fs/btrfs/extent_io.c:1385!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G        W          6.8.0-rc2+ #1\nRIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0\nCall Trace:\n <TASK>\n extent_write_cache_pages+0x2ac/0x8f0\n extent_writepages+0x87/0x110\n do_writepages+0xd5/0x1f0\n filemap_fdatawrite_wbc+0x63/0x90\n __filemap_fdatawrite_range+0x5c/0x80\n btrfs_fdatawrite_range+0x1f/0x50\n btrfs_write_out_cache+0x507/0x560\n btrfs_write_dirty_block_groups+0x32a/0x420\n commit_cowonly_roots+0x21b/0x290\n btrfs_commit_transaction+0x813/0x1360\n btrfs_sync_file+0x51a/0x640\n __x64_sys_fdatasync+0x52/0x90\n do_syscall_64+0x9c/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\nThis happens because we fail to write out the free space cache in one\ninstance, come back around and attempt to write it again.  However on\nthe second pass through we go to call btrfs_get_extent() on the inode to\nget the extent mapping.  Because this is a new block group, and with the\nfree space inode we always search the commit root to avoid deadlocking\nwith the tree, we find nothing and return a EXTENT_MAP_HOLE for the\nrequested range.\r\n\r\nThis happens because the first time we try to write the space cache out\nwe hit an error, and on an error we drop the extent mapping.  This is\nnormal for normal files, but the free space cache inode is special.  We\nalways expect the extent map to be correct.  Thus the second time\nthrough we end up with a bogus extent map.\r\n\r\nSince we're deprecating this feature, the most straightforward way to\nfix this is to simply skip dropping the extent map range for this failed\nrange.\r\n\r\nI shortened the test by using error injection to stress the area to make\nit easier to reproduce.  With this patch in place we no longer panic\nwith my error injection test.(CVE-2024-26726)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\narp: Prevent overflow in arp_req_get().\r\n\r\nsyzkaller reported an overflown write in arp_req_get(). [0]\r\n\r\nWhen ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour\nentry and copies neigh->ha to struct arpreq.arp_ha.sa_data.\r\n\r\nThe arp_ha here is struct sockaddr, not struct sockaddr_storage, so\nthe sa_data buffer is just 14 bytes.\r\n\r\nIn the splat below, 2 bytes are overflown to the next int field,\narp_flags.  We initialise the field just after the memcpy(), so it's\nnot a problem.\r\n\r\nHowever, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN),\narp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL)\nin arp_ioctl() before calling arp_req_get().\r\n\r\nTo avoid the overflow, let's limit the max length of memcpy().\r\n\r\nNote that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible\narray in struct sockaddr\") just silenced syzkaller.\r\n\r\n[0]:\nmemcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14)\nWARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128\nModules linked in:\nCPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014\nRIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128\nCode: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6\nRSP: 0018:ffffc900050b7998 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001\nRBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000\nR13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010\nFS:  00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <TASK>\n arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261\n inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981\n sock_do_ioctl+0xdf/0x260 net/socket.c:1204\n sock_ioctl+0x3ef/0x650 net/socket.c:1321\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x64/0xce\nRIP: 0033:0x7f172b262b8d\nCode: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d\nRDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003\nRBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000\n </TASK>(CVE-2024-26733)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndevlink: fix possible use-after-free and memory leaks in devlink_init()\r\n\r\nThe pernet operations structure for the subsystem must be registered\nbefore registering the generic netlink family.\r\n\r\nMake an unregister in case of unsuccessful registration.(CVE-2024-26734)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: sr: fix possible use-after-free and null-ptr-deref\r\n\r\nThe pernet operations structure for the subsystem must be registered\nbefore registering the generic netlink family.(CVE-2024-26735)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: act_mirred: use the backlog for mirred ingress\r\n\r\nThe test Davide added in commit ca22da2fbd69 (\"act_mirred: use the backlog\nfor nested calls to mirred ingress\") hangs our testing VMs every 10 or so\nruns, with the familiar tcp_v4_rcv -> tcp_v4_rcv deadlock reported by\nlockdep.\r\n\r\nThe problem as previously described by Davide (see Link) is that\nif we reverse flow of traffic with the redirect (egress -> ingress)\nwe may reach the same socket which generated the packet. And we may\nstill be holding its socket lock. The common solution to such deadlocks\nis to put the packet in the Rx backlog, rather than run the Rx path\ninline. Do that for all egress -> ingress reversals, not just once\nwe started to nest mirred calls.\r\n\r\nIn the past there was a concern that the backlog indirection will\nlead to loss of error reporting / less accurate stats. But the current\nworkaround does not seem to address the issue.(CVE-2024-26740)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/qedr: Fix qedr_create_user_qp error flow\r\n\r\nAvoid the following warning by making sure to free the allocated\nresources in case that qedr_init_user_queue() fail.\r\n\r\n-----------[ cut here ]-----------\nWARNING: CPU: 0 PID: 143192 at drivers/infiniband/core/rdma_core.c:874 uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nModules linked in: tls target_core_user uio target_core_pscsi target_core_file target_core_iblock ib_srpt ib_srp scsi_transport_srp nfsd nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs 8021q garp mrp stp llc ext4 mbcache jbd2 opa_vnic ib_umad ib_ipoib sunrpc rdma_ucm ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm hfi1 intel_rapl_msr intel_rapl_common mgag200 qedr sb_edac drm_shmem_helper rdmavt x86_pkg_temp_thermal drm_kms_helper intel_powerclamp ib_uverbs coretemp i2c_algo_bit kvm_intel dell_wmi_descriptor ipmi_ssif sparse_keymap kvm ib_core rfkill syscopyarea sysfillrect video sysimgblt irqbypass ipmi_si ipmi_devintf fb_sys_fops rapl iTCO_wdt mxm_wmi iTCO_vendor_support intel_cstate pcspkr dcdbas intel_uncore ipmi_msghandler lpc_ich acpi_power_meter mei_me mei fuse drm xfs libcrc32c qede sd_mod ahci libahci t10_pi sg crct10dif_pclmul crc32_pclmul crc32c_intel qed libata tg3\nghash_clmulni_intel megaraid_sas crc8 wmi [last unloaded: ib_srpt]\nCPU: 0 PID: 143192 Comm: fi_rdm_tagged_p Kdump: loaded Not tainted 5.14.0-408.el9.x86_64 #1\nHardware name: Dell Inc. PowerEdge R430/03XKDV, BIOS 2.14.0 01/25/2022\nRIP: 0010:uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nCode: 5d 41 5c 41 5d 41 5e e9 0f 26 1b dd 48 89 df e8 67 6a ff ff 49 8b 86 10 01 00 00 48 85 c0 74 9c 4c 89 e7 e8 83 c0 cb dd eb 92 <0f> 0b eb be 0f 0b be 04 00 00 00 48 89 df e8 8e f5 ff ff e9 6d ff\nRSP: 0018:ffffb7c6cadfbc60 EFLAGS: 00010286\nRAX: ffff8f0889ee3f60 RBX: ffff8f088c1a5200 RCX: 00000000802a0016\nRDX: 00000000802a0017 RSI: 0000000000000001 RDI: ffff8f0880042600\nRBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000\nR10: ffff8f11fffd5000 R11: 0000000000039000 R12: ffff8f0d5b36cd80\nR13: ffff8f088c1a5250 R14: ffff8f1206d91000 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff8f11d7c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000147069200e20 CR3: 00000001c7210002 CR4: 00000000001706f0\nCall Trace:\n<TASK>\n? show_trace_log_lvl+0x1c4/0x2df\n? show_trace_log_lvl+0x1c4/0x2df\n? ib_uverbs_close+0x1f/0xb0 [ib_uverbs]\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\n? __warn+0x81/0x110\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\n? report_bug+0x10a/0x140\n? handle_bug+0x3c/0x70\n? exc_invalid_op+0x14/0x70\n? asm_exc_invalid_op+0x16/0x20\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nib_uverbs_close+0x1f/0xb0 [ib_uverbs]\n__fput+0x94/0x250\ntask_work_run+0x5c/0x90\ndo_exit+0x270/0x4a0\ndo_group_exit+0x2d/0x90\nget_signal+0x87c/0x8c0\narch_do_signal_or_restart+0x25/0x100\n? ib_uverbs_ioctl+0xc2/0x110 [ib_uverbs]\nexit_to_user_mode_loop+0x9c/0x130\nexit_to_user_mode_prepare+0xb6/0x100\nsyscall_exit_to_user_mode+0x12/0x40\ndo_syscall_64+0x69/0x90\n? syscall_exit_work+0x103/0x130\n? syscall_exit_to_user_mode+0x22/0x40\n? do_syscall_64+0x69/0x90\n? syscall_exit_work+0x103/0x130\n? syscall_exit_to_user_mode+0x22/0x40\n? do_syscall_64+0x69/0x90\n? do_syscall_64+0x69/0x90\n? common_interrupt+0x43/0xa0\nentry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x1470abe3ec6b\nCode: Unable to access opcode bytes at RIP 0x1470abe3ec41.\nRSP: 002b:00007fff13ce9108 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: fffffffffffffffc RBX: 00007fff13ce9218 RCX: 00001470abe3ec6b\nRDX: 00007fff13ce9200 RSI: 00000000c0181b01 RDI: 0000000000000004\nRBP: 00007fff13ce91e0 R08: 0000558d9655da10 R09: 0000558d9655dd00\nR10: 00007fff13ce95c0 R11: 0000000000000246 R12: 00007fff13ce9358\nR13: 0000000000000013 R14: 0000558d9655db50 R15: 00007fff13ce9470\n</TASK>\n--[ end trace 888a9b92e04c5c97 ]--(CVE-2024-26743)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/srpt: Support specifying the srpt_service_guid parameter\r\n\r\nMake loading ib_srpt with this parameter set work. The current behavior is\nthat setting that parameter while loading the ib_srpt kernel module\ntriggers the following kernel crash:\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nCall Trace:\n <TASK>\n parse_one+0x18c/0x1d0\n parse_args+0xe1/0x230\n load_module+0x8de/0xa60\n init_module_from_file+0x8b/0xd0\n idempotent_init_module+0x181/0x240\n __x64_sys_finit_module+0x5a/0xb0\n do_syscall_64+0x5f/0xe0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76(CVE-2024-26744)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()\r\n\r\nThe gtp_net_ops pernet operations structure for the subsystem must be\nregistered before registering the generic netlink family.\r\n\r\nSyzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:\r\n\r\ngeneral protection fault, probably for non-canonical address\n0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\nCPU: 1 PID: 5826 Comm: gtp Not tainted 6.8.0-rc3-std-def-alt1 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014\nRIP: 0010:gtp_genl_dump_pdp+0x1be/0x800 [gtp]\nCode: c6 89 c6 e8 64 e9 86 df 58 45 85 f6 0f 85 4e 04 00 00 e8 c5 ee 86\n      df 48 8b 54 24 18 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80>\n      3c 02 00 0f 85 de 05 00 00 48 8b 44 24 18 4c 8b 30 4c 39 f0 74\nRSP: 0018:ffff888014107220 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: ffff88800fcda588 R14: 0000000000000001 R15: 0000000000000000\nFS:  00007f1be4eb05c0(0000) GS:ffff88806ce80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1be4e766cf CR3: 000000000c33e000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? show_regs+0x90/0xa0\n ? die_addr+0x50/0xd0\n ? exc_general_protection+0x148/0x220\n ? asm_exc_general_protection+0x22/0x30\n ? gtp_genl_dump_pdp+0x1be/0x800 [gtp]\n ? __alloc_skb+0x1dd/0x350\n ? __pfx___alloc_skb+0x10/0x10\n genl_dumpit+0x11d/0x230\n netlink_dump+0x5b9/0xce0\n ? lockdep_hardirqs_on_prepare+0x253/0x430\n ? __pfx_netlink_dump+0x10/0x10\n ? kasan_save_track+0x10/0x40\n ? __kasan_kmalloc+0x9b/0xa0\n ? genl_start+0x675/0x970\n __netlink_dump_start+0x6fc/0x9f0\n genl_family_rcv_msg_dumpit+0x1bb/0x2d0\n ? __pfx_genl_family_rcv_msg_dumpit+0x10/0x10\n ? genl_op_from_small+0x2a/0x440\n ? cap_capable+0x1d0/0x240\n ? __pfx_genl_start+0x10/0x10\n ? __pfx_genl_dumpit+0x10/0x10\n ? __pfx_genl_done+0x10/0x10\n ? security_capable+0x9d/0xe0(CVE-2024-26754)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndm-crypt: don't modify the data when using authenticated encryption\r\n\r\nIt was said that authenticated encryption could produce invalid tag when\nthe data that is being encrypted is modified [1]. So, fix this problem by\ncopying the data into the clone bio first and then encrypt them inside the\nclone bio.\r\n\r\nThis may reduce performance, but it is needed to prevent the user from\ncorrupting the device by writing data with O_DIRECT and modifying them at\nthe same time.\r\n\r\n[1] https://lore.kernel.org/all/20240207004723.GA35324@sol.localdomain/T/(CVE-2024-26763)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nspi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected\r\n\r\nReturn IRQ_NONE from the interrupt handler when no interrupt was\ndetected. Because an empty interrupt will cause a null pointer error:\r\n\r\n    Unable to handle kernel NULL pointer dereference at virtual\n  address 0000000000000008\n    Call trace:\n        complete+0x54/0x100\n        hisi_sfc_v3xx_isr+0x2c/0x40 [spi_hisi_sfc_v3xx]\n        __handle_irq_event_percpu+0x64/0x1e0\n        handle_irq_event+0x7c/0x1cc(CVE-2024-26776)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmptcp: fix double-free on socket dismantle\r\n\r\nwhen MPTCP server accepts an incoming connection, it clones its listener\nsocket. However, the pointer to 'inet_opt' for the new socket has the same\nvalue as the original one: as a consequence, on program exit it's possible\nto observe the following splat:\r\n\r\n  BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0\n  Free of addr ffff888485950880 by task swapper/25/0\r\n\r\n  CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609\n  Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0  07/26/2013\n  Call Trace:\n   <IRQ>\n   dump_stack_lvl+0x32/0x50\n   print_report+0xca/0x620\n   kasan_report_invalid_free+0x64/0x90\n   __kasan_slab_free+0x1aa/0x1f0\n   kfree+0xed/0x2e0\n   inet_sock_destruct+0x54f/0x8b0\n   __sk_destruct+0x48/0x5b0\n   rcu_do_batch+0x34e/0xd90\n   rcu_core+0x559/0xac0\n   __do_softirq+0x183/0x5a4\n   irq_exit_rcu+0x12d/0x170\n   sysvec_apic_timer_interrupt+0x6b/0x80\n   </IRQ>\n   <TASK>\n   asm_sysvec_apic_timer_interrupt+0x16/0x20\n  RIP: 0010:cpuidle_enter_state+0x175/0x300\n  Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b\n  RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202\n  RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000\n  RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588\n  RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080\n  R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0\n  R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80\n   cpuidle_enter+0x4a/0xa0\n   do_idle+0x310/0x410\n   cpu_startup_entry+0x51/0x60\n   start_secondary+0x211/0x270\n   secondary_startup_64_no_verify+0x184/0x18b\n   </TASK>\r\n\r\n  Allocated by task 6853:\n   kasan_save_stack+0x1c/0x40\n   kasan_save_track+0x10/0x30\n   __kasan_kmalloc+0xa6/0xb0\n   __kmalloc+0x1eb/0x450\n   cipso_v4_sock_setattr+0x96/0x360\n   netlbl_sock_setattr+0x132/0x1f0\n   selinux_netlbl_socket_post_create+0x6c/0x110\n   selinux_socket_post_create+0x37b/0x7f0\n   security_socket_post_create+0x63/0xb0\n   __sock_create+0x305/0x450\n   __sys_socket_create.part.23+0xbd/0x130\n   __sys_socket+0x37/0xb0\n   __x64_sys_socket+0x6f/0xb0\n   do_syscall_64+0x83/0x160\n   entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\n  Freed by task 6858:\n   kasan_save_stack+0x1c/0x40\n   kasan_save_track+0x10/0x30\n   kasan_save_free_info+0x3b/0x60\n   __kasan_slab_free+0x12c/0x1f0\n   kfree+0xed/0x2e0\n   inet_sock_destruct+0x54f/0x8b0\n   __sk_destruct+0x48/0x5b0\n   subflow_ulp_release+0x1f0/0x250\n   tcp_cleanup_ulp+0x6e/0x110\n   tcp_v4_destroy_sock+0x5a/0x3a0\n   inet_csk_destroy_sock+0x135/0x390\n   tcp_fin+0x416/0x5c0\n   tcp_data_queue+0x1bc8/0x4310\n   tcp_rcv_state_process+0x15a3/0x47b0\n   tcp_v4_do_rcv+0x2c1/0x990\n   tcp_v4_rcv+0x41fb/0x5ed0\n   ip_protocol_deliver_rcu+0x6d/0x9f0\n   ip_local_deliver_finish+0x278/0x360\n   ip_local_deliver+0x182/0x2c0\n   ip_rcv+0xb5/0x1c0\n   __netif_receive_skb_one_core+0x16e/0x1b0\n   process_backlog+0x1e3/0x650\n   __napi_poll+0xa6/0x500\n   net_rx_action+0x740/0xbb0\n   __do_softirq+0x183/0x5a4\r\n\r\n  The buggy address belongs to the object at ffff888485950880\n   which belongs to the cache kmalloc-64 of size 64\n  The buggy address is located 0 bytes inside of\n   64-byte region [ffff888485950880, ffff8884859508c0)\r\n\r\n  The buggy address belongs to the physical page:\n  page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950\n  flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff)\n  page_type: 0xffffffff()\n  raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006\n  raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000\n  page dumped because: kasan: bad access detected\r\n\r\n  Memory state around the buggy address:\n   ffff888485950780: fa fb fb\n---truncated---(CVE-2024-26782)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetlink: Fix kernel-infoleak-after-free in __skb_datagram_iter\r\n\r\nsyzbot reported the following uninit-value access issue [1]:\r\n\r\nnetlink_to_full_skb() creates a new `skb` and puts the `skb->data`\npassed as a 1st arg of netlink_to_full_skb() onto new `skb`. The data\nsize is specified as `len` and passed to skb_put_data(). This `len`\nis based on `skb->end` that is not data offset but buffer offset. The\n`skb->end` contains data and tailroom. Since the tailroom is not\ninitialized when the new `skb` created, KMSAN detects uninitialized\nmemory area when copying the data.\r\n\r\nThis patch resolved this issue by correct the len from `skb->end` to\n`skb->len`, which is the actual data offset.\r\n\r\nBUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in copy_to_user_iter lib/iov_iter.c:24 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_ubuf include/linux/iov_iter.h:29 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance include/linux/iov_iter.h:271 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186\n copy_to_iter include/linux/uio.h:197 [inline]\n simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:532\n __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:420\n skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]\n packet_recvmsg+0xd9c/0x2000 net/packet/af_packet.c:3482\n sock_recvmsg_nosec net/socket.c:1044 [inline]\n sock_recvmsg net/socket.c:1066 [inline]\n sock_read_iter+0x467/0x580 net/socket.c:1136\n call_read_iter include/linux/fs.h:2014 [inline]\n new_sync_read fs/read_write.c:389 [inline]\n vfs_read+0x8f6/0xe00 fs/read_write.c:470\n ksys_read+0x20f/0x4c0 fs/read_write.c:613\n __do_sys_read fs/read_write.c:623 [inline]\n __se_sys_read fs/read_write.c:621 [inline]\n __x64_sys_read+0x93/0xd0 fs/read_write.c:621\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was stored to memory at:\n skb_put_data include/linux/skbuff.h:2622 [inline]\n netlink_to_full_skb net/netlink/af_netlink.c:181 [inline]\n __netlink_deliver_tap_skb net/netlink/af_netlink.c:298 [inline]\n __netlink_deliver_tap+0x5be/0xc90 net/netlink/af_netlink.c:325\n netlink_deliver_tap net/netlink/af_netlink.c:338 [inline]\n netlink_deliver_tap_kernel net/netlink/af_netlink.c:347 [inline]\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x10f1/0x1250 net/netlink/af_netlink.c:1368\n netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was created at:\n free_pages_prepare mm/page_alloc.c:1087 [inline]\n free_unref_page_prepare+0xb0/0xa40 mm/page_alloc.c:2347\n free_unref_page_list+0xeb/0x1100 mm/page_alloc.c:2533\n release_pages+0x23d3/0x2410 mm/swap.c:1042\n free_pages_and_swap_cache+0xd9/0xf0 mm/swap_state.c:316\n tlb_batch_pages\n---truncated---(CVE-2024-26805)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain\r\n\r\nRemove netdevice from inet/ingress basechain in case NETDEV_UNREGISTER\nevent is reported, otherwise a stale reference to netdevice remains in\nthe hook list.(CVE-2024-26808)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nft_set_pipapo: release elements in clone only from destroy path\r\n\r\nClone already always provides a current view of the lookup table, use it\nto destroy the set, otherwise it is possible to destroy elements twice.\r\n\r\nThis fix requires:\r\n\r\n 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\")\r\n\r\nwhich came after:\r\n\r\n 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").(CVE-2024-26809)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_conntrack_h323: Add protection for bmp length out of range\r\n\r\nUBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts\nthat are out of bounds for their data type.\r\n\r\nvmlinux   get_bitmap(b=75) + 712\n<net/netfilter/nf_conntrack_h323_asn1.c:0>\nvmlinux   decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018, level=134443100) + 1956\n<net/netfilter/nf_conntrack_h323_asn1.c:592>\nvmlinux   decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216\n<net/netfilter/nf_conntrack_h323_asn1.c:814>\nvmlinux   decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812\n<net/netfilter/nf_conntrack_h323_asn1.c:576>\nvmlinux   decode_choice(base=0xFFFFFFD008037280, level=0) + 1216\n<net/netfilter/nf_conntrack_h323_asn1.c:814>\nvmlinux   DecodeRasMessage() + 304\n<net/netfilter/nf_conntrack_h323_asn1.c:833>\nvmlinux   ras_help() + 684\n<net/netfilter/nf_conntrack_h323_main.c:1728>\nvmlinux   nf_confirm() + 188\n<net/netfilter/nf_conntrack_proto.c:137>\r\n\r\nDue to abnormal data in skb->data, the extension bitmap length\nexceeds 32 when decoding ras message then uses the length to make\na shift operation. It will change into negative after several loop.\nUBSAN load could detect a negative shift as an undefined behaviour\nand reports exception.\nSo we add the protection to avoid the length exceeding 32. Or else\nit will return out of range error and stop decoding.(CVE-2024-26851)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmd: fix kmemleak of rdev->serial\r\n\r\nIf kobject_add() is fail in bind_rdev_to_array(), 'rdev->serial' will be\nalloc not be freed, and kmemleak occurs.\r\n\r\nunreferenced object 0xffff88815a350000 (size 49152):\n  comm \"mdadm\", pid 789, jiffies 4294716910\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc f773277a):\n    [<0000000058b0a453>] kmemleak_alloc+0x61/0xe0\n    [<00000000366adf14>] __kmalloc_large_node+0x15e/0x270\n    [<000000002e82961b>] __kmalloc_node.cold+0x11/0x7f\n    [<00000000f206d60a>] kvmalloc_node+0x74/0x150\n    [<0000000034bf3363>] rdev_init_serial+0x67/0x170\n    [<0000000010e08fe9>] mddev_create_serial_pool+0x62/0x220\n    [<00000000c3837bf0>] bind_rdev_to_array+0x2af/0x630\n    [<0000000073c28560>] md_add_new_disk+0x400/0x9f0\n    [<00000000770e30ff>] md_ioctl+0x15bf/0x1c10\n    [<000000006cfab718>] blkdev_ioctl+0x191/0x3f0\n    [<0000000085086a11>] vfs_ioctl+0x22/0x60\n    [<0000000018b656fe>] __x64_sys_ioctl+0xba/0xe0\n    [<00000000e54e675e>] do_syscall_64+0x71/0x150\n    [<000000008b0ad622>] entry_SYSCALL_64_after_hwframe+0x6c/0x74(CVE-2024-26900)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndo_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak\r\n\r\nsyzbot identified a kernel information leak vulnerability in\ndo_sys_name_to_handle() and issued the following report [1].\r\n\r\n[1]\n\"BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n _copy_to_user+0xbc/0x100 lib/usercopy.c:40\n copy_to_user include/linux/uaccess.h:191 [inline]\n do_sys_name_to_handle fs/fhandle.c:73 [inline]\n __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]\n __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94\n __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94\n ...\r\n\r\nUninit was created at:\n slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n slab_alloc_node mm/slub.c:3478 [inline]\n __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517\n __do_kmalloc_node mm/slab_common.c:1006 [inline]\n __kmalloc+0x121/0x3c0 mm/slab_common.c:1020\n kmalloc include/linux/slab.h:604 [inline]\n do_sys_name_to_handle fs/fhandle.c:39 [inline]\n __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]\n __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94\n __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94\n ...\r\n\r\nBytes 18-19 of 20 are uninitialized\nMemory access of size 20 starts at ffff888128a46380\nData copied to user address 0000000020000240\"\r\n\r\nPer Chuck Lever's suggestion, use kzalloc() instead of kmalloc() to\nsolve the problem.(CVE-2024-26901)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security\r\n\r\nDuring our fuzz testing of the connection and disconnection process at the\nRFCOMM layer, we discovered this bug. By comparing the packets from a\nnormal connection and disconnection process with the testcase that\ntriggered a KASAN report. We analyzed the cause of this bug as follows:\r\n\r\n1. In the packets captured during a normal connection, the host sends a\n`Read Encryption Key Size` type of `HCI_CMD` packet\n(Command Opcode: 0x1408) to the controller to inquire the length of\nencryption key.After receiving this packet, the controller immediately\nreplies with a Command Completepacket (Event Code: 0x0e) to return the\nEncryption Key Size.\r\n\r\n2. In our fuzz test case, the timing of the controller's response to this\npacket was delayed to an unexpected point: after the RFCOMM and L2CAP\nlayers had disconnected but before the HCI layer had disconnected.\r\n\r\n3. After receiving the Encryption Key Size Response at the time described\nin point 2, the host still called the rfcomm_check_security function.\nHowever, by this time `struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;`\nhad already been released, and when the function executed\n`return hci_conn_security(conn->hcon, d->sec_level, auth_type, d->out);`,\nspecifically when accessing `conn->hcon`, a null-ptr-deref error occurred.\r\n\r\nTo fix this bug, check if `sk->sk_state` is BT_CLOSED before calling\nrfcomm_recv_frame in rfcomm_process_rx.(CVE-2024-26903)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/mlx5: Fix fortify source warning while accessing Eth segment\r\n\r\n ------------[ cut here ]------------\n memcpy: detected field-spanning write (size 56) of single field \"eseg->inline_hdr.start\" at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 (size 2)\n WARNING: CPU: 0 PID: 293779 at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n Modules linked in: 8021q garp mrp stp llc rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) ib_core(OE) mlx5_core(OE) pci_hyperv_intf mlxdevm(OE) mlx_compat(OE) tls mlxfw(OE) psample nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink mst_pciconf(OE) knem(OE) vfio_pci vfio_pci_core vfio_iommu_type1 vfio iommufd irqbypass cuse nfsv3 nfs fscache netfs xfrm_user xfrm_algo ipmi_devintf ipmi_msghandler binfmt_misc crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 snd_pcsp aesni_intel crypto_simd cryptd snd_pcm snd_timer joydev snd soundcore input_leds serio_raw evbug nfsd auth_rpcgss nfs_acl lockd grace sch_fq_codel sunrpc drm efi_pstore ip_tables x_tables autofs4 psmouse virtio_net net_failover failover floppy\n  [last unloaded: mlx_compat(OE)]\n CPU: 0 PID: 293779 Comm: ssh Tainted: G           OE      6.2.0-32-generic #32~22.04.1-Ubuntu\n Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\n RIP: 0010:mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n Code: 0c 01 00 a8 01 75 25 48 8b 75 a0 b9 02 00 00 00 48 c7 c2 10 5b fd c0 48 c7 c7 80 5b fd c0 c6 05 57 0c 03 00 01 e8 95 4d 93 da <0f> 0b 44 8b 4d b0 4c 8b 45 c8 48 8b 4d c0 e9 49 fb ff ff 41 0f b7\n RSP: 0018:ffffb5b48478b570 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffffb5b48478b628 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000000 R12: ffffb5b48478b5e8\n R13: ffff963a3c609b5e R14: ffff9639c3fbd800 R15: ffffb5b480475a80\n FS:  00007fc03b444c80(0000) GS:ffff963a3dc00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000556f46bdf000 CR3: 0000000006ac6003 CR4: 00000000003706f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  <TASK>\n  ? show_regs+0x72/0x90\n  ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n  ? __warn+0x8d/0x160\n  ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n  ? report_bug+0x1bb/0x1d0\n  ? handle_bug+0x46/0x90\n  ? exc_invalid_op+0x19/0x80\n  ? asm_exc_invalid_op+0x1b/0x20\n  ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n  mlx5_ib_post_send_nodrain+0xb/0x20 [mlx5_ib]\n  ipoib_send+0x2ec/0x770 [ib_ipoib]\n  ipoib_start_xmit+0x5a0/0x770 [ib_ipoib]\n  dev_hard_start_xmit+0x8e/0x1e0\n  ? validate_xmit_skb_list+0x4d/0x80\n  sch_direct_xmit+0x116/0x3a0\n  __dev_xmit_skb+0x1fd/0x580\n  __dev_queue_xmit+0x284/0x6b0\n  ? _raw_spin_unlock_irq+0xe/0x50\n  ? __flush_work.isra.0+0x20d/0x370\n  ? push_pseudo_header+0x17/0x40 [ib_ipoib]\n  neigh_connected_output+0xcd/0x110\n  ip_finish_output2+0x179/0x480\n  ? __smp_call_single_queue+0x61/0xa0\n  __ip_finish_output+0xc3/0x190\n  ip_finish_output+0x2e/0xf0\n  ip_output+0x78/0x110\n  ? __pfx_ip_finish_output+0x10/0x10\n  ip_local_out+0x64/0x70\n  __ip_queue_xmit+0x18a/0x460\n  ip_queue_xmit+0x15/0x30\n  __tcp_transmit_skb+0x914/0x9c0\n  tcp_write_xmit+0x334/0x8d0\n  tcp_push_one+0x3c/0x60\n  tcp_sendmsg_locked+0x2e1/0xac0\n  tcp_sendmsg+0x2d/0x50\n  inet_sendmsg+0x43/0x90\n  sock_sendmsg+0x68/0x80\n  sock_write_iter+0x93/0x100\n  vfs_write+0x326/0x3c0\n  ksys_write+0xbd/0xf0\n  ? do_syscall_64+0x69/0x90\n  __x64_sys_write+0x19/0x30\n  do_syscall_\n---truncated---(CVE-2024-26907)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2024-26908)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: openvswitch: Fix Use-After-Free in ovs_ct_exit\r\n\r\nSince kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof ovs_ct_limit_exit, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\r\n\r\nTo prevent this, it should be changed to hlist_for_each_entry_safe.(CVE-2024-27395)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: gtp: Fix Use-After-Free in gtp_dellink\r\n\r\nSince call_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof gtp_dellink, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\r\n\r\nTo prevent this, it should be changed to hlist_for_each_entry_safe.(CVE-2024-27396)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncpumap: Zero-initialise xdp_rxq_info struct before running XDP program\r\n\r\nWhen running an XDP program that is attached to a cpumap entry, we don't\ninitialise the xdp_rxq_info data structure being used in the xdp_buff\nthat backs the XDP program invocation. Tobias noticed that this leads to\nrandom values being returned as the xdp_md->rx_queue_index value for XDP\nprograms running in a cpumap.\r\n\r\nThis means we're basically returning the contents of the uninitialised\nmemory, which is bad. Fix this by zero-initialising the rxq data\nstructure before running the XDP program.(CVE-2024-27431)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: iwlwifi: dbg-tlv: ensure NUL termination\r\n\r\nThe iwl_fw_ini_debug_info_tlv is used as a string, so we must\nensure the string is terminated correctly before using it.(CVE-2024-35845)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: fix information leak in btrfs_ioctl_logical_to_ino()\r\n\r\nSyzbot reported the following information leak for in\nbtrfs_ioctl_logical_to_ino():\r\n\r\n  BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n  BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n   instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n   _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n   copy_to_user include/linux/uaccess.h:191 [inline]\n   btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499\n   btrfs_ioctl+0x714/0x1260\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:904 [inline]\n   __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n   __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n   x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\n  Uninit was created at:\n   __kmalloc_large_node+0x231/0x370 mm/slub.c:3921\n   __do_kmalloc_node mm/slub.c:3954 [inline]\n   __kmalloc_node+0xb07/0x1060 mm/slub.c:3973\n   kmalloc_node include/linux/slab.h:648 [inline]\n   kvmalloc_node+0xc0/0x2d0 mm/util.c:634\n   kvmalloc include/linux/slab.h:766 [inline]\n   init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779\n   btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480\n   btrfs_ioctl+0x714/0x1260\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:904 [inline]\n   __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n   __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n   x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\n  Bytes 40-65535 of 65536 are uninitialized\n  Memory access of size 65536 starts at ffff888045a40000\r\n\r\nThis happens, because we're copying a 'struct btrfs_data_container' back\nto user-space. This btrfs_data_container is allocated in\n'init_data_container()' via kvmalloc(), which does not zero-fill the\nmemory.\r\n\r\nFix this by using kvzalloc() which zeroes out the memory on allocation.(CVE-2024-35849)",
+    "cves": [
+      {
+        "id": "CVE-2024-35849",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35849",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1006": {
+    "id": "openEuler-SA-2024-1006",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1006",
+    "title": "An update for rubygem-puma is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "A simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications.\r\n\r\nSecurity Fix(es):\r\n\r\nPuma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This vulnerability was patched in Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server with `puma`.(CVE-2021-41136)\r\n\r\nPuma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.(CVE-2022-23634)",
+    "cves": [
+      {
+        "id": "CVE-2022-23634",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23634",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1940": {
+    "id": "openEuler-SA-2023-1940",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1940",
+    "title": "An update for fish is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "fish is a fully-equipped command line shell (like bash or zsh) that is smart and user-friendly. fish supports powerful features like syntax highlighting, autosuggestions, and tab completions that just work, with nothing to learn or configure.\r\n\r\nSecurity Fix(es):\r\n\r\nfish is a smart and user-friendly command line shell for macOS, Linux, and the rest of the family. fish shell uses certain Unicode non-characters internally for marking wildcards and expansions. It will incorrectly allow these markers to be read on command substitution output, rather than transforming them into a safe internal representation. While this may cause unexpected behavior with direct input (for example, echo \\UFDD2HOME has the same output as echo $HOME), this may become a minor security problem if the output is being fed from an external program into a command substitution where this output may not be expected. This design flaw was introduced in very early versions of fish, predating the version control system, and is thought to be present in every version of fish released in the last 15 years or more, although with different characters. Code execution does not appear to be possible, but denial of service (through large brace expansion) or information disclosure (such as variable expansion) is potentially possible under certain circumstances. fish shell 3.6.2 has been released to correct this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-49284)",
+    "cves": [
+      {
+        "id": "CVE-2023-49284",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49284",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1667": {
+    "id": "openEuler-SA-2022-1667",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1667",
+    "title": "An update for nodejs-hawk is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Hawk is an HTTP authentication scheme using a message authentication code (MAC) algorithm to provide partial HTTP request cryptographic verification.\n\nSecurity Fix(es):\n\nHawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse Host HTTP header (Hawk.utils.parseHost()), which was subject to regular expression DoS attack - meaning each added character in the attacker s input increases the computation time exponentially. parseHost() was patched in 9.0.1 to use built-in URL class to parse hostname instead. Hawk.authenticate() accepts options argument. If that contains host and port, those would be used instead of a call to utils.parseHost().(CVE-2022-29167)",
+    "cves": [
+      {
+        "id": "CVE-2022-29167",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29167",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1465": {
+    "id": "openEuler-SA-2021-1465",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1465",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nImproper input validation in the Intel(R) Ethernet ixgbe driver for Linux before version 3.17.3 may allow an authenticated user to potentially enable denial of service via local access.(CVE-2021-33098)",
+    "cves": [
+      {
+        "id": "CVE-2021-33098",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33098",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1808": {
+    "id": "openEuler-SA-2022-1808",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1808",
+    "title": "An update for ffmpeg is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash.\r\n\r\nSecurity Fix(es):\r\n\r\ntrack_header in libavformat/vividas.c in FFmpeg 4.3.1 has an out-of-bounds write because of incorrect extradata packing.(CVE-2020-35964)\r\n\r\nlibavcodec/dnxhddec.c in FFmpeg 4.4 does not check the return value of the init_vlc function, a similar issue to CVE-2013-0868.(CVE-2021-38114)",
+    "cves": [
+      {
+        "id": "CVE-2021-38114",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38114",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1449": {
+    "id": "openEuler-SA-2021-1449",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1449",
+    "title": "An update for busybox is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. It provides a fairly complete environment for any small or embedded system.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function(CVE-2021-42382)\r\n\r\nA use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function(CVE-2021-42381)\r\n\r\nA use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function(CVE-2021-42380)\r\n\r\nA use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function(CVE-2021-42385)\r\n\r\nA use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function(CVE-2021-42378)\r\n\r\nA use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function(CVE-2021-42379)\r\n\r\nA use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function(CVE-2021-42383)\r\n\r\nA use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function(CVE-2021-42384)",
+    "cves": [
+      {
+        "id": "CVE-2021-42384",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42384",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1162": {
+    "id": "openEuler-SA-2021-1162",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1162",
+    "title": "An update for busybox is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. It provides a fairly complete environment for any small or embedded system.\r\n\r\nSecurity Fix(es):\r\n\r\ndecompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.(CVE-2021-28831)",
+    "cves": [
+      {
+        "id": "CVE-2021-28831",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28831",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1404": {
+    "id": "openEuler-SA-2021-1404",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1404",
+    "title": "An update for flatpak is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "flatpak is a system for building, distributing and running sandboxed desktop applications on Linux.\r\n\r\nSecurity Fix(es):\r\n\r\nIn versions prior to 1.10.4 and 1.12.0, Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process. They can do this by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak's denylist seccomp filter, in order to substitute a crafted `/.flatpak-info` or make that file disappear entirely. Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has. Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process `xdg-dbus-proxy`, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses. Patches exist for versions 1.10.4 and 1.12.0, and as of time of publication, a patch for version 1.8.2 is being planned. There are no workarounds aside from upgrading to a patched version.(CVE-2021-41133)",
+    "cves": [
+      {
+        "id": "CVE-2021-41133",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41133",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1858": {
+    "id": "openEuler-SA-2022-1858",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1858",
+    "title": "An update for shapelib is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The Shapefile C Library provides the ability to write simple C programs for reading, writing and updating (to a limited extent) ESRI Shapefiles, and the associated attribute file (.dbf). This package also contains various utility programs for using shapelib.\r\n\r\nSecurity Fix(es):\r\n\r\n** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2022-0699)",
+    "cves": [
+      {
+        "id": "CVE-2022-0699",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0699",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1238": {
+    "id": "openEuler-SA-2021-1238",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1238",
+    "title": "An update for OpenEXR is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light & Magic for use in computer imaging applications.\r\n\r\nSecurity Fix(es):\r\n\r\nAn integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR. This is a different flaw from CVE-2021-23215.(CVE-2021-26260)\r\n\r\nAn integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR.(CVE-2021-23215)\r\n\r\nA heap-buffer overflow was found in the copyIntoFrameBuffer function of OpenEXR in versions before 3.0.1. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled against OpenEXR.(CVE-2021-23169)",
+    "cves": [
+      {
+        "id": "CVE-2021-23169",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23169",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1042": {
+    "id": "openEuler-SA-2023-1042",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1042",
+    "title": "An update for openvswitch is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Open vSwitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license.\r\n\r\nSecurity Fix(es):\r\n\r\nAn integer underflow in Organization Specific TLV was found in various versions of OpenvSwitch.(CVE-2022-4338)",
+    "cves": [
+      {
+        "id": "CVE-2022-4338",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4338",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1220": {
+    "id": "openEuler-SA-2021-1220",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1220",
+    "title": "An update for openjdk-11 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. It can also be exploited by supplying untrusted data to APIs in the specified Component. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).(CVE-2021-2161)\r\n\r\nVulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N).(CVE-2021-2163)",
+    "cves": [
+      {
+        "id": "CVE-2021-2163",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-2163",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1092": {
+    "id": "openEuler-SA-2021-1092",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1092",
+    "title": "An update for squid is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Squid is a high-performance proxy caching server. It handles all requests in a single, non-blocking, I/O-driven process and keeps meta data and implements negative caching of failed requests.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Squid before 4.12 and 5.x before 5.0.3. Due to use of a potentially dangerous function, Squid and the default certificate validation helper are vulnerable to a Denial of Service when opening a TLS connection to an attacker-controlled server for HTTPS. This occurs because unrecognized error values are mapped to NULL, but later code expects that each error value is mapped to a valid error string.(CVE-2020-14058)\r\n\r\nAn issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Smuggling attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the proxy cache and any downstream caches with content from an arbitrary source. When configured for relaxed header parsing (the default), Squid relays headers containing whitespace characters to upstream servers. When this occurs as a prefix to a Content-Length header, the frame length specified will be ignored by Squid (allowing for a conflicting length to be used from another Content-Length header) but relayed upstream.(CVE-2020-15810)\r\n\r\nAn issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Splitting attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the browser cache and any downstream caches with content from an arbitrary source. Squid uses a string search instead of parsing the Transfer-Encoding header to find chunked encoding. This allows an attacker to hide a second request inside Transfer-Encoding: it is interpreted by Squid as chunked and split out into a second request delivered upstream. Squid will then deliver two distinct responses to the client, corrupting any downstream caches.(CVE-2020-15811)\r\n\r\nSquid before 4.13 and 5.x before 5.0.4 allows a trusted peer to perform Denial of Service by consuming all available CPU cycles during handling of a crafted Cache Digest response message. This only occurs when cache_peer is used with the cache digests feature. The problem exists because peerDigestHandleReply() livelocking in peer_digest.cc mishandles EOF.(CVE-2020-24606)\r\n\r\nAn issue was discovered in Squid before 5.0.2. A remote attacker can replay a sniffed Digest Authentication nonce to gain access to resources that are otherwise forbidden. This occurs because the attacker can overflow the nonce reference counter (a short integer). Remote code execution may occur if the pooled token credentials are freed (instead of replayed as valid credentials).(CVE-2020-11945)\r\n\r\nAn issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header containing \"+\\ \"-\" or an uncommon shell whitespace character prefix to the length field-value.(CVE-2020-15049)",
+    "cves": [
+      {
+        "id": "CVE-2020-15049",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15049",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1056": {
+    "id": "openEuler-SA-2021-1056",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1056",
+    "title": "An update for php is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server.\r\n\r\nSecurity Fix(es):\n\nWhen using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause function mbfl_filt_conv_big5_wchar to read past the allocated buffer. This may lead to information disclosure or crash.(CVE-2020-7060)\r\n\r\nIn PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-8184 for more information.(CVE-2020-7070)\r\n\r\nIn PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data.(CVE-2020-7069)",
+    "cves": [
+      {
+        "id": "CVE-2020-7069",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7069",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1261": {
+    "id": "openEuler-SA-2021-1261",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1261",
+    "title": "An update for expat is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "expat is a stream-oriented XML parser library written in C. expat excels with files too large to fit RAM, and where performance and flexibility are crucial.\r\n\r\nSecurity Fix(es):\r\n\r\nexpat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue.  NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.(CVE-2013-0340)",
+    "cves": [
+      {
+        "id": "CVE-2013-0340",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0340",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1785": {
+    "id": "openEuler-SA-2022-1785",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1785",
+    "title": "An update for evolution-data-server is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The evolution-data-server package provides a personal information management application that provides integrated mail, calendaring and address book functionality. The evolution-data-server package provides a single database for common, desktop-wide information, such as a user's address book or calendar events.\r\n\r\nSecurity Fix(es):\r\n\r\nevolution-data-server (eds) through 3.36.3 has a STARTTLS buffering issue that affects SMTP and POP3. When a server sends a \"begin TLS\" response, eds reads additional data and evaluates it in a TLS context, aka \"response injection.\"(CVE-2020-14928)",
+    "cves": [
+      {
+        "id": "CVE-2020-14928",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14928",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1394": {
+    "id": "openEuler-SA-2024-1394",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1394",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: hda: intel-sdw-acpi: harden detection of controller\r\n\r\nThe existing code currently sets a pointer to an ACPI handle before\nchecking that it's actually a SoundWire controller. This can lead to\nissues where the graph walk continues and eventually fails, but the\npointer was set already.\r\n\r\nThis patch changes the logic so that the information provided to\nthe caller is set when a controller is found.(CVE-2021-46926)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nASoC: q6afe-clocks: fix reprobing of the driver\r\n\r\nQ6afe-clocks driver can get reprobed. For example if the APR services\nare restarted after the firmware crash. However currently Q6afe-clocks\ndriver will oops because hw.init will get cleared during first _probe\ncall. Rewrite the driver to fill the clock data at runtime rather than\nusing big static array of clocks.(CVE-2021-47037)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\napparmor: avoid crash when parsed profile name is empty\r\n\r\nWhen processing a packed profile in unpack_profile() described like\r\n\r\n \"profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}\"\r\n\r\na string \":samba-dcerpcd\" is unpacked as a fully-qualified name and then\npassed to aa_splitn_fqname().\r\n\r\naa_splitn_fqname() treats \":samba-dcerpcd\" as only containing a namespace.\nThus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later\naa_alloc_profile() crashes as the new profile name is NULL now.\r\n\r\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\nRIP: 0010:strlen+0x1e/0xa0\nCall Trace:\n <TASK>\n ? strlen+0x1e/0xa0\n aa_policy_init+0x1bb/0x230\n aa_alloc_profile+0xb1/0x480\n unpack_profile+0x3bc/0x4960\n aa_unpack+0x309/0x15e0\n aa_replace_profiles+0x213/0x33c0\n policy_update+0x261/0x370\n profile_replace+0x20e/0x2a0\n vfs_write+0x2af/0xe00\n ksys_write+0x126/0x250\n do_syscall_64+0x46/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n </TASK>\n---[ end trace 0000000000000000 ]---\nRIP: 0010:strlen+0x1e/0xa0\r\n\r\nIt seems such behaviour of aa_splitn_fqname() is expected and checked in\nother places where it is called (e.g. aa_remove_profiles). Well, there\nis an explicit comment \"a ns name without a following profile is allowed\"\ninside.\r\n\r\nAFAICS, nothing can prevent unpacked \"name\" to be in form like\n\":samba-dcerpcd\" - it is passed from userspace.\r\n\r\nDeny the whole profile set replacement in such case and inform user with\nEPROTO and an explaining message.\r\n\r\nFound by Linux Verification Center (linuxtesting.org).(CVE-2023-52443)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length\r\n\r\nIf the host sends an H2CData command with an invalid DATAL,\nthe kernel may crash in nvmet_tcp_build_pdu_iovec().\r\n\r\nUnable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000000\nlr : nvmet_tcp_io_work+0x6ac/0x718 [nvmet_tcp]\nCall trace:\n  process_one_work+0x174/0x3c8\n  worker_thread+0x2d0/0x3e8\n  kthread+0x104/0x110\r\n\r\nFix the bug by raising a fatal error if DATAL isn't coherent\nwith the packet size.\nAlso, the PDU length should never exceed the MAXH2CDATA parameter which\nhas been communicated to the host in nvmet_tcp_handle_icreq().(CVE-2023-52454)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nserial: imx: fix tx statemachine deadlock\r\n\r\nWhen using the serial port as RS485 port, the tx statemachine is used to\ncontrol the RTS pin to drive the RS485 transceiver TX_EN pin. When the\nTTY port is closed in the middle of a transmission (for instance during\nuserland application crash), imx_uart_shutdown disables the interface\nand disables the Transmission Complete interrupt. afer that,\nimx_uart_stop_tx bails on an incomplete transmission, to be retriggered\nby the TC interrupt. This interrupt is disabled and therefore the tx\nstatemachine never transitions out of SEND. The statemachine is in\ndeadlock now, and the TX_EN remains low, making the interface useless.\r\n\r\nimx_uart_stop_tx now checks for incomplete transmission AND whether TC\ninterrupts are enabled before bailing to be retriggered. This makes sure\nthe state machine handling is reached, and is properly set to\nWAIT_AFTER_SEND.(CVE-2023-52456)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmfd: syscon: Fix null pointer dereference in of_syscon_register()\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.(CVE-2023-52467)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrivers/amd/pm: fix a use-after-free in kv_parse_power_table\r\n\r\nWhen ps allocated by kzalloc equals to NULL, kv_parse_power_table\nfrees adev->pm.dpm.ps that allocated before. However, after the control\nflow goes through the following call chains:\r\n\r\nkv_parse_power_table\n  |-> kv_dpm_init\n        |-> kv_dpm_sw_init\n\t      |-> kv_dpm_fini\r\n\r\nThe adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its\nfirst free in kv_parse_power_table and causes a use-after-free bug.(CVE-2023-52469)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nperf/x86/lbr: Filter vsyscall addresses\r\n\r\nWe found that a panic can occur when a vsyscall is made while LBR sampling\nis active. If the vsyscall is interrupted (NMI) for perf sampling, this\ncall sequence can occur (most recent at top):\r\n\r\n    __insn_get_emulate_prefix()\n    insn_get_emulate_prefix()\n    insn_get_prefixes()\n    insn_get_opcode()\n    decode_branch_type()\n    get_branch_type()\n    intel_pmu_lbr_filter()\n    intel_pmu_handle_irq()\n    perf_event_nmi_handler()\r\n\r\nWithin __insn_get_emulate_prefix() at frame 0, a macro is called:\r\n\r\n    peek_nbyte_next(insn_byte_t, insn, i)\r\n\r\nWithin this macro, this dereference occurs:\r\n\r\n    (insn)->next_byte\r\n\r\nInspecting registers at this point, the value of the next_byte field is the\naddress of the vsyscall made, for example the location of the vsyscall\nversion of gettimeofday() at 0xffffffffff600000. The access to an address\nin the vsyscall region will trigger an oops due to an unhandled page fault.\r\n\r\nTo fix the bug, filtering for vsyscalls can be done when\ndetermining the branch type. This patch will return\na \"none\" branch if a kernel address if found to lie in the\nvsyscall region.(CVE-2023-52476)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: fix uaf in smb20_oplock_break_ack\r\n\r\ndrop reference after use opinfo.(CVE-2023-52479)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\niommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range\r\n\r\nWhen running an SVA case, the following soft lockup is triggered:\n--------------------------------------------------------------------\nwatchdog: BUG: soft lockup - CPU#244 stuck for 26s!\npstate: 83400009 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\npc : arm_smmu_cmdq_issue_cmdlist+0x178/0xa50\nlr : arm_smmu_cmdq_issue_cmdlist+0x150/0xa50\nsp : ffff8000d83ef290\nx29: ffff8000d83ef290 x28: 000000003b9aca00 x27: 0000000000000000\nx26: ffff8000d83ef3c0 x25: da86c0812194a0e8 x24: 0000000000000000\nx23: 0000000000000040 x22: ffff8000d83ef340 x21: ffff0000c63980c0\nx20: 0000000000000001 x19: ffff0000c6398080 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: ffff3000b4a3bbb0\nx14: ffff3000b4a30888 x13: ffff3000b4a3cf60 x12: 0000000000000000\nx11: 0000000000000000 x10: 0000000000000000 x9 : ffffc08120e4d6bc\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000048cfa\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : 000000000000000a\nx2 : 0000000080000000 x1 : 0000000000000000 x0 : 0000000000000001\nCall trace:\n arm_smmu_cmdq_issue_cmdlist+0x178/0xa50\n __arm_smmu_tlb_inv_range+0x118/0x254\n arm_smmu_tlb_inv_range_asid+0x6c/0x130\n arm_smmu_mm_invalidate_range+0xa0/0xa4\n __mmu_notifier_invalidate_range_end+0x88/0x120\n unmap_vmas+0x194/0x1e0\n unmap_region+0xb4/0x144\n do_mas_align_munmap+0x290/0x490\n do_mas_munmap+0xbc/0x124\n __vm_munmap+0xa8/0x19c\n __arm64_sys_munmap+0x28/0x50\n invoke_syscall+0x78/0x11c\n el0_svc_common.constprop.0+0x58/0x1c0\n do_el0_svc+0x34/0x60\n el0_svc+0x2c/0xd4\n el0t_64_sync_handler+0x114/0x140\n el0t_64_sync+0x1a4/0x1a8\n--------------------------------------------------------------------\r\n\r\nNote that since 6.6-rc1 the arm_smmu_mm_invalidate_range above is renamed\nto \"arm_smmu_mm_arch_invalidate_secondary_tlbs\", yet the problem remains.\r\n\r\nThe commit 06ff87bae8d3 (\"arm64: mm: remove unused functions and variable\nprotoypes\") fixed a similar lockup on the CPU MMU side. Yet, it can occur\nto SMMU too, since arm_smmu_mm_arch_invalidate_secondary_tlbs() is called\ntypically next to MMU tlb flush function, e.g.\n\ttlb_flush_mmu_tlbonly {\n\t\ttlb_flush {\n\t\t\t__flush_tlb_range {\n\t\t\t\t// check MAX_TLBI_OPS\n\t\t\t}\n\t\t}\n\t\tmmu_notifier_arch_invalidate_secondary_tlbs {\n\t\t\tarm_smmu_mm_arch_invalidate_secondary_tlbs {\n\t\t\t\t// does not check MAX_TLBI_OPS\n\t\t\t}\n\t\t}\n\t}\r\n\r\nClone a CMDQ_MAX_TLBI_OPS from the MAX_TLBI_OPS in tlbflush.h, since in an\nSVA case SMMU uses the CPU page table, so it makes sense to align with the\ntlbflush code. Then, replace per-page TLBI commands with a single per-asid\nTLBI command, if the request size hits this threshold.(CVE-2023-52484)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntls: fix race between tx work scheduling and socket close\r\n\r\nSimilarly to previous commit, the submitting thread (recvmsg/sendmsg)\nmay exit as soon as the async crypto handler calls complete().\nReorder scheduling the work before calling complete().\nThis seems more logical in the first place, as it's\nthe inverse order of what the submitting thread will do.(CVE-2024-26585)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Reject variable offset alu on PTR_TO_FLOW_KEYS\r\n\r\nFor PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off\nfor validation. However, variable offset ptr alu is not prohibited\nfor this ptr kind. So the variable offset is not checked.\r\n\r\nThe following prog is accepted:\r\n\r\n  func#0 @0\n  0: R1=ctx() R10=fp0\n  0: (bf) r6 = r1                       ; R1=ctx() R6_w=ctx()\n  1: (79) r7 = *(u64 *)(r6 +144)        ; R6_w=ctx() R7_w=flow_keys()\n  2: (b7) r8 = 1024                     ; R8_w=1024\n  3: (37) r8 /= 1                       ; R8_w=scalar()\n  4: (57) r8 &= 1024                    ; R8_w=scalar(smin=smin32=0,\n  smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400))\n  5: (0f) r7 += r8\n  mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1\n  mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024\n  mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1\n  mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024\n  6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off\n  =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024,\n  var_off=(0x0; 0x400))\n  6: (79) r0 = *(u64 *)(r7 +0)          ; R0_w=scalar()\n  7: (95) exit\r\n\r\nThis prog loads flow_keys to r7, and adds the variable offset r8\nto r7, and finally causes out-of-bounds access:\r\n\r\n  BUG: unable to handle page fault for address: ffffc90014c80038\n  [...]\n  Call Trace:\n   <TASK>\n   bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]\n   __bpf_prog_run include/linux/filter.h:651 [inline]\n   bpf_prog_run include/linux/filter.h:658 [inline]\n   bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline]\n   bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991\n   bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359\n   bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]\n   __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475\n   __do_sys_bpf kernel/bpf/syscall.c:5561 [inline]\n   __se_sys_bpf kernel/bpf/syscall.c:5559 [inline]\n   __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nFix this by rejecting ptr alu with variable offset on flow_keys.\nApplying the patch rejects the program with \"R7 pointer arithmetic\non flow_keys prohibited\".(CVE-2024-26589)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni2c: i801: Fix block process call transactions\r\n\r\nAccording to the Intel datasheets, software must reset the block\nbuffer index twice for block process call transactions: once before\nwriting the outgoing data to the buffer, and once again before\nreading the incoming data from the buffer.\r\n\r\nThe driver is currently missing the second reset, causing the wrong\nportion of the block buffer to be read.(CVE-2024-26593)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: qualcomm: rmnet: fix global oob in rmnet_policy\r\n\r\nThe variable rmnet_link_ops assign a *bigger* maxtype which leads to a\nglobal out-of-bounds read when parsing the netlink attributes. See bug\ntrace below:\r\n\r\n==================================================================\nBUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline]\nBUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\nRead of size 1 at addr ffffffff92c438d0 by task syz-executor.6/84207\r\n\r\nCPU: 0 PID: 84207 Comm: syz-executor.6 Tainted: G                 N 6.1.0 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x172/0x475 mm/kasan/report.c:395\n kasan_report+0xbb/0x1c0 mm/kasan/report.c:495\n validate_nla lib/nlattr.c:386 [inline]\n __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\n __nla_parse+0x3e/0x50 lib/nlattr.c:697\n nla_parse_nested_deprecated include/net/netlink.h:1248 [inline]\n __rtnl_newlink+0x50a/0x1880 net/core/rtnetlink.c:3485\n rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3594\n rtnetlink_rcv_msg+0x43c/0xd70 net/core/rtnetlink.c:6091\n netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg+0x154/0x190 net/socket.c:734\n ____sys_sendmsg+0x6df/0x840 net/socket.c:2482\n ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536\n __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fdcf2072359\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fdcf13e3168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007fdcf219ff80 RCX: 00007fdcf2072359\nRDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003\nRBP: 00007fdcf20bd493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fffbb8d7bdf R14: 00007fdcf13e3300 R15: 0000000000022000\n </TASK>\r\n\r\nThe buggy address belongs to the variable:\n rmnet_policy+0x30/0xe0\r\n\r\nThe buggy address belongs to the physical page:\npage:0000000065bdeb3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x155243\nflags: 0x200000000001000(reserved|node=0|zone=2)\nraw: 0200000000001000 ffffea00055490c8 ffffea00055490c8 0000000000000000\nraw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\r\n\r\nMemory state around the buggy address:\n ffffffff92c43780: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 07\n ffffffff92c43800: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 06 f9 f9 f9\n>ffffffff92c43880: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9\n                                                 ^\n ffffffff92c43900: 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9\n ffffffff92c43980: 00 00 00 07 f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9\r\n\r\nAccording to the comment of `nla_parse_nested_deprecated`, the maxtype\nshould be len(destination array) - 1. Hence use `IFLA_RMNET_MAX` here.(CVE-2024-26597)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nphy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP\r\n\r\nIf the external phy working together with phy-omap-usb2 does not implement\nsend_srp(), we may still attempt to call it. This can happen on an idle\nEthernet gadget triggering a wakeup for example:\r\n\r\nconfigfs-gadget.g1 gadget.0: ECM Suspend\nconfigfs-gadget.g1 gadget.0: Port suspended. Triggering wakeup\n...\nUnable to handle kernel NULL pointer dereference at virtual address\n00000000 when execute\n...\nPC is at 0x0\nLR is at musb_gadget_wakeup+0x1d4/0x254 [musb_hdrc]\n...\nmusb_gadget_wakeup [musb_hdrc] from usb_gadget_wakeup+0x1c/0x3c [udc_core]\nusb_gadget_wakeup [udc_core] from eth_start_xmit+0x3b0/0x3d4 [u_ether]\neth_start_xmit [u_ether] from dev_hard_start_xmit+0x94/0x24c\ndev_hard_start_xmit from sch_direct_xmit+0x104/0x2e4\nsch_direct_xmit from __dev_queue_xmit+0x334/0xd88\n__dev_queue_xmit from arp_solicit+0xf0/0x268\narp_solicit from neigh_probe+0x54/0x7c\nneigh_probe from __neigh_event_send+0x22c/0x47c\n__neigh_event_send from neigh_resolve_output+0x14c/0x1c0\nneigh_resolve_output from ip_finish_output2+0x1c8/0x628\nip_finish_output2 from ip_send_skb+0x40/0xd8\nip_send_skb from udp_send_skb+0x124/0x340\nudp_send_skb from udp_sendmsg+0x780/0x984\nudp_sendmsg from __sys_sendto+0xd8/0x158\n__sys_sendto from ret_fast_syscall+0x0/0x58\r\n\r\nLet's fix the issue by checking for send_srp() and set_vbus() before\ncalling them. For USB peripheral only cases these both could be NULL.(CVE-2024-26600)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbinder: signal epoll threads of self-work\r\n\r\nIn (e)poll mode, threads often depend on I/O events to determine when\ndata is ready for consumption. Within binder, a thread may initiate a\ncommand via BINDER_WRITE_READ without a read buffer and then make use\nof epoll_wait() or similar to consume any responses afterwards.\r\n\r\nIt is then crucial that epoll threads are signaled via wakeup when they\nqueue their own work. Otherwise, they risk waiting indefinitely for an\nevent leaving their work unhandled. What is worse, subsequent commands\nwon't trigger a wakeup either as the thread has pending work.(CVE-2024-26606)",
+    "cves": [
+      {
+        "id": "CVE-2024-26606",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26606",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1053": {
+    "id": "openEuler-SA-2023-1053",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1053",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nIn binder_vma_close of binder.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-254837884References: Upstream kernel(CVE-2023-20928)\r\n\r\nA heap overflow bug in ksmbd_decode_ntlmssp_auth_blob in which nt_len can be less than CIFS_ENCPWD_SIZE. This results in a negative blen argument for ksmbd_auth_ntlmv2, where it calls memcpy using blen on memory allocated by kmalloc(blen + CIFS_CRYPTO_KEY_SIZE). Note that CIFS_ENCPWD_SIZE is 16 and CIFS_CRYPTO_KEY_SIZE is 8. We believe this bug can only result in a remote DOS and not privilege escalation nor RCE, as the heap overflow occurs when blen is in range (-8, -1].”\r\n\r\nReference:\nhttps://securityonline.info/cve-2023-0210-flaw-in-linux-kernel-allows-unauthenticated-remote-dos-attacks/\nhttps://www.spinics.net/lists/stable-commits/msg282893.html(CVE-2023-0210)\r\n\r\nIn rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition.(CVE-2023-23559)\r\n\r\nThere exists a use-after-free vulnerability in the Linux kernel through io_uring and the IORING_OP_SPLICE operation. If IORING_OP_SPLICE is missing the IO_WQ_WORK_FILES flag, which signals that the operation won't use current->nsproxy, so its reference counter is not increased. This assumption is not always true as calling io_splice on specific files will call the get_uts function which will use current->nsproxy leading to invalidly decreasing its reference counter later causing the use-after-free vulnerability. We recommend upgrading to version 5.10.160 or above(CVE-2022-4696)",
+    "cves": [
+      {
+        "id": "CVE-2022-4696",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4696",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1520": {
+    "id": "openEuler-SA-2024-1520",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1520",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\ncreate_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.(CVE-2024-25739)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/bridge: sii902x: Fix probing race issue\r\n\r\nA null pointer dereference crash has been observed rarely on TI\nplatforms using sii9022 bridge:\r\n\r\n[   53.271356]  sii902x_get_edid+0x34/0x70 [sii902x]\n[   53.276066]  sii902x_bridge_get_edid+0x14/0x20 [sii902x]\n[   53.281381]  drm_bridge_get_edid+0x20/0x34 [drm]\n[   53.286305]  drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper]\n[   53.292955]  drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper]\n[   53.300510]  drm_client_modeset_probe+0x1f0/0xbd4 [drm]\n[   53.305958]  __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper]\n[   53.313611]  drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper]\n[   53.320039]  drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper]\n[   53.326401]  drm_client_register+0x5c/0xa0 [drm]\n[   53.331216]  drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper]\n[   53.336881]  tidss_probe+0x128/0x264 [tidss]\n[   53.341174]  platform_probe+0x68/0xc4\n[   53.344841]  really_probe+0x188/0x3c4\n[   53.348501]  __driver_probe_device+0x7c/0x16c\n[   53.352854]  driver_probe_device+0x3c/0x10c\n[   53.357033]  __device_attach_driver+0xbc/0x158\n[   53.361472]  bus_for_each_drv+0x88/0xe8\n[   53.365303]  __device_attach+0xa0/0x1b4\n[   53.369135]  device_initial_probe+0x14/0x20\n[   53.373314]  bus_probe_device+0xb0/0xb4\n[   53.377145]  deferred_probe_work_func+0xcc/0x124\n[   53.381757]  process_one_work+0x1f0/0x518\n[   53.385770]  worker_thread+0x1e8/0x3dc\n[   53.389519]  kthread+0x11c/0x120\n[   53.392750]  ret_from_fork+0x10/0x20\r\n\r\nThe issue here is as follows:\r\n\r\n- tidss probes, but is deferred as sii902x is still missing.\n- sii902x starts probing and enters sii902x_init().\n- sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from\n  DRM's perspective.\n- sii902x calls sii902x_audio_codec_init() and\n  platform_device_register_data()\n- The registration of the audio platform device causes probing of the\n  deferred devices.\n- tidss probes, which eventually causes sii902x_bridge_get_edid() to be\n  called.\n- sii902x_bridge_get_edid() tries to use the i2c to read the edid.\n  However, the sii902x driver has not set up the i2c part yet, leading\n  to the crash.\r\n\r\nFix this by moving the drm_bridge_add() to the end of the\nsii902x_init(), which is also at the very end of sii902x_probe().(CVE-2024-26607)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: make sure init the accept_queue's spinlocks once\r\n\r\nWhen I run syz's reproduction C program locally, it causes the following\nissue:\npvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0!\nWARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508)\nHardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\nRIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508)\nCode: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7\n30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90\nRSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908\nRDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900\nRBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff\nR10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000\nR13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000\nFS:  00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0\nCall Trace:\n<IRQ>\n  _raw_spin_unlock (kernel/locking/spinlock.c:186)\n  inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321)\n  inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358)\n  tcp_check_req (net/ipv4/tcp_minisocks.c:868)\n  tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260)\n  ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205)\n  ip_local_deliver_finish (net/ipv4/ip_input.c:234)\n  __netif_receive_skb_one_core (net/core/dev.c:5529)\n  process_backlog (./include/linux/rcupdate.h:779)\n  __napi_poll (net/core/dev.c:6533)\n  net_rx_action (net/core/dev.c:6604)\n  __do_softirq (./arch/x86/include/asm/jump_label.h:27)\n  do_softirq (kernel/softirq.c:454 kernel/softirq.c:441)\n</IRQ>\n<TASK>\n  __local_bh_enable_ip (kernel/softirq.c:381)\n  __dev_queue_xmit (net/core/dev.c:4374)\n  ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235)\n  __ip_queue_xmit (net/ipv4/ip_output.c:535)\n  __tcp_transmit_skb (net/ipv4/tcp_output.c:1462)\n  tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469)\n  tcp_rcv_state_process (net/ipv4/tcp_input.c:6657)\n  tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929)\n  __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968)\n  release_sock (net/core/sock.c:3536)\n  inet_wait_for_connect (net/ipv4/af_inet.c:609)\n  __inet_stream_connect (net/ipv4/af_inet.c:702)\n  inet_stream_connect (net/ipv4/af_inet.c:748)\n  __sys_connect (./include/linux/file.h:45 net/socket.c:2064)\n  __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070)\n  do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82)\n  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)\n  RIP: 0033:0x7fa10ff05a3d\n  Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89\n  c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48\n  RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a\n  RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d\n  RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003\n  RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640\n  R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20\n</TASK>\r\n\r\nThe issue triggering process is analyzed as follows:\nThread A                                       Thread B\ntcp_v4_rcv\t//receive ack TCP packet       inet_shutdown\n  tcp_check_req                                  tcp_disconnect //disconnect sock\n  ...                                              tcp_set_state(sk, TCP_CLOSE)\n    inet_csk_complete_hashdance                ...\n      inet_csk_reqsk_queue_add         \n---truncated---(CVE-2024-26614)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: don't abort filesystem when attempting to snapshot deleted subvolume\r\n\r\nIf the source file descriptor to the snapshot ioctl refers to a deleted\nsubvolume, we get the following abort:\r\n\r\n  BTRFS: Transaction aborted (error -2)\n  WARNING: CPU: 0 PID: 833 at fs/btrfs/transaction.c:1875 create_pending_snapshot+0x1040/0x1190 [btrfs]\n  Modules linked in: pata_acpi btrfs ata_piix libata scsi_mod virtio_net blake2b_generic xor net_failover virtio_rng failover scsi_common rng_core raid6_pq libcrc32c\n  CPU: 0 PID: 833 Comm: t_snapshot_dele Not tainted 6.7.0-rc6 #2\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014\n  RIP: 0010:create_pending_snapshot+0x1040/0x1190 [btrfs]\n  RSP: 0018:ffffa09c01337af8 EFLAGS: 00010282\n  RAX: 0000000000000000 RBX: ffff9982053e7c78 RCX: 0000000000000027\n  RDX: ffff99827dc20848 RSI: 0000000000000001 RDI: ffff99827dc20840\n  RBP: ffffa09c01337c00 R08: 0000000000000000 R09: ffffa09c01337998\n  R10: 0000000000000003 R11: ffffffffb96da248 R12: fffffffffffffffe\n  R13: ffff99820535bb28 R14: ffff99820b7bd000 R15: ffff99820381ea80\n  FS:  00007fe20aadabc0(0000) GS:ffff99827dc00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000559a120b502f CR3: 00000000055b6000 CR4: 00000000000006f0\n  Call Trace:\n   <TASK>\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   ? __warn+0x81/0x130\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   ? report_bug+0x171/0x1a0\n   ? handle_bug+0x3a/0x70\n   ? exc_invalid_op+0x17/0x70\n   ? asm_exc_invalid_op+0x1a/0x20\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   create_pending_snapshots+0x92/0xc0 [btrfs]\n   btrfs_commit_transaction+0x66b/0xf40 [btrfs]\n   btrfs_mksubvol+0x301/0x4d0 [btrfs]\n   btrfs_mksnapshot+0x80/0xb0 [btrfs]\n   __btrfs_ioctl_snap_create+0x1c2/0x1d0 [btrfs]\n   btrfs_ioctl_snap_create_v2+0xc4/0x150 [btrfs]\n   btrfs_ioctl+0x8a6/0x2650 [btrfs]\n   ? kmem_cache_free+0x22/0x340\n   ? do_sys_openat2+0x97/0xe0\n   __x64_sys_ioctl+0x97/0xd0\n   do_syscall_64+0x46/0xf0\n   entry_SYSCALL_64_after_hwframe+0x6e/0x76\n  RIP: 0033:0x7fe20abe83af\n  RSP: 002b:00007ffe6eff1360 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe20abe83af\n  RDX: 00007ffe6eff23c0 RSI: 0000000050009417 RDI: 0000000000000003\n  RBP: 0000000000000003 R08: 0000000000000000 R09: 00007fe20ad16cd0\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 00007ffe6eff13c0 R14: 00007fe20ad45000 R15: 0000559a120b6d58\n   </TASK>\n  ---[ end trace 0000000000000000 ]---\n  BTRFS: error (device vdc: state A) in create_pending_snapshot:1875: errno=-2 No such entry\n  BTRFS info (device vdc: state EA): forced readonly\n  BTRFS warning (device vdc: state EA): Skipping commit of aborted transaction.\n  BTRFS: error (device vdc: state EA) in cleanup_transaction:2055: errno=-2 No such entry\r\n\r\nThis happens because create_pending_snapshot() initializes the new root\nitem as a copy of the source root item. This includes the refs field,\nwhich is 0 for a deleted subvolume. The call to btrfs_insert_root()\ntherefore inserts a root with refs == 0. btrfs_get_new_fs_root() then\nfinds the root and returns -ENOENT if refs == 0, which causes\ncreate_pending_snapshot() to abort.\r\n\r\nFix it by checking the source root's refs before attempting the\nsnapshot, but after locking subvol_sem to avoid racing with deletion.(CVE-2024-26644)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhv_netvsc: Fix race condition between netvsc_probe and netvsc_remove\r\n\r\nIn commit ac5047671758 (\"hv_netvsc: Disable NAPI before closing the\nVMBus channel\"), napi_disable was getting called for all channels,\nincluding all subchannels without confirming if they are enabled or not.\r\n\r\nThis caused hv_netvsc getting hung at napi_disable, when netvsc_probe()\nhas finished running but nvdev->subchan_work has not started yet.\nnetvsc_subchan_work() -> rndis_set_subchannel() has not created the\nsub-channels and because of that netvsc_sc_open() is not running.\nnetvsc_remove() calls cancel_work_sync(&nvdev->subchan_work), for which\nnetvsc_subchan_work did not run.\r\n\r\nnetif_napi_add() sets the bit NAPI_STATE_SCHED because it ensures NAPI\ncannot be scheduled. Then netvsc_sc_open() -> napi_enable will clear the\nNAPIF_STATE_SCHED bit, so it can be scheduled. napi_disable() does the\nopposite.\r\n\r\nNow during netvsc_device_remove(), when napi_disable is called for those\nsubchannels, napi_disable gets stuck on infinite msleep.\r\n\r\nThis fix addresses this problem by ensuring that napi_disable() is not\ngetting called for non-enabled NAPI struct.\nBut netif_napi_del() is still necessary for these non-enabled NAPI struct\nfor cleanup purpose.\r\n\r\nCall trace:\n[  654.559417] task:modprobe        state:D stack:    0 pid: 2321 ppid:  1091 flags:0x00004002\n[  654.568030] Call Trace:\n[  654.571221]  <TASK>\n[  654.573790]  __schedule+0x2d6/0x960\n[  654.577733]  schedule+0x69/0xf0\n[  654.581214]  schedule_timeout+0x87/0x140\n[  654.585463]  ? __bpf_trace_tick_stop+0x20/0x20\n[  654.590291]  msleep+0x2d/0x40\n[  654.593625]  napi_disable+0x2b/0x80\n[  654.597437]  netvsc_device_remove+0x8a/0x1f0 [hv_netvsc]\n[  654.603935]  rndis_filter_device_remove+0x194/0x1c0 [hv_netvsc]\n[  654.611101]  ? do_wait_intr+0xb0/0xb0\n[  654.615753]  netvsc_remove+0x7c/0x120 [hv_netvsc]\n[  654.621675]  vmbus_remove+0x27/0x40 [hv_vmbus](CVE-2024-26698)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nafs: Increase buffer size in afs_update_volume_status()\r\n\r\nThe max length of volume->vid value is 20 characters.\nSo increase idbuf[] size up to 24 to avoid overflow.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\r\n\r\n[DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()](CVE-2024-26736)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nARM: ep93xx: Add terminator to gpiod_lookup_table\r\n\r\nWithout the terminator, if a con_id is passed to gpio_find() that\ndoes not exist in the lookup table the function will not stop looping\ncorrectly, and eventually cause an oops.(CVE-2024-26751)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio\r\n\r\nIf kiocb_set_cancel_fn() is called for I/O submitted via io_uring, the\nfollowing kernel warning appears:\r\n\r\nWARNING: CPU: 3 PID: 368 at fs/aio.c:598 kiocb_set_cancel_fn+0x9c/0xa8\nCall trace:\n kiocb_set_cancel_fn+0x9c/0xa8\n ffs_epfile_read_iter+0x144/0x1d0\n io_read+0x19c/0x498\n io_issue_sqe+0x118/0x27c\n io_submit_sqes+0x25c/0x5fc\n __arm64_sys_io_uring_enter+0x104/0xab0\n invoke_syscall+0x58/0x11c\n el0_svc_common+0xb4/0xf4\n do_el0_svc+0x2c/0xb0\n el0_svc+0x2c/0xa4\n el0t_64_sync_handler+0x68/0xb4\n el0t_64_sync+0x1a4/0x1a8\r\n\r\nFix this by setting the IOCB_AIO_RW flag for read and write I/O that is\nsubmitted by libaio.(CVE-2024-26764)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\next4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()\r\n\r\nPlaces the logic for checking if the group's block bitmap is corrupt under\nthe protection of the group lock to avoid allocating blocks from the group\nwith a corrupted block bitmap.(CVE-2024-26772)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\next4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()\r\n\r\nDetermine if the group block bitmap is corrupted before using ac_b_ex in\next4_mb_try_best_found() to avoid allocating blocks from a group with a\ncorrupted block bitmap in the following concurrency and making the\nsituation worse.\r\n\r\next4_mb_regular_allocator\n  ext4_lock_group(sb, group)\n  ext4_mb_good_group\n   // check if the group bbitmap is corrupted\n  ext4_mb_complex_scan_group\n   // Scan group gets ac_b_ex but doesn't use it\n  ext4_unlock_group(sb, group)\n                           ext4_mark_group_bitmap_corrupted(group)\n                           // The block bitmap was corrupted during\n                           // the group unlock gap.\n  ext4_mb_try_best_found\n    ext4_lock_group(ac->ac_sb, group)\n    ext4_mb_use_best_found\n      mb_mark_used\n      // Allocating blocks in block bitmap corrupted group(CVE-2024-26773)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfbdev: sis: Error out if pixclock equals zero\r\n\r\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn't check the value of pixclock,\nit may cause divide-by-zero error.\r\n\r\nIn sisfb_check_var(), var->pixclock is used as a divisor to caculate\ndrate before it is checked against zero. Fix this by checking it\nat the beginning.\r\n\r\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8.(CVE-2024-26777)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfbdev: savage: Error out if pixclock equals zero\r\n\r\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn't check the value of pixclock,\nit may cause divide-by-zero error.\r\n\r\nAlthough pixclock is checked in savagefb_decode_var(), but it is not\nchecked properly in savagefb_probe(). Fix this by checking whether\npixclock is zero in the function savagefb_check_var() before\ninfo->var.pixclock is used as the divisor.\r\n\r\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8.(CVE-2024-26778)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: fsl-qdma: init irq after reg initialization\r\n\r\nInitialize the qDMA irqs after the registers are configured so that\ninterrupts that may have been pending from a primary kernel don't get\nprocessed by the irq handler before it is ready to and cause panic with\nthe following trace:\r\n\r\n  Call trace:\n   fsl_qdma_queue_handler+0xf8/0x3e8\n   __handle_irq_event_percpu+0x78/0x2b0\n   handle_irq_event_percpu+0x1c/0x68\n   handle_irq_event+0x44/0x78\n   handle_fasteoi_irq+0xc8/0x178\n   generic_handle_irq+0x24/0x38\n   __handle_domain_irq+0x90/0x100\n   gic_handle_irq+0x5c/0xb8\n   el1_irq+0xb8/0x180\n   _raw_spin_unlock_irqrestore+0x14/0x40\n   __setup_irq+0x4bc/0x798\n   request_threaded_irq+0xd8/0x190\n   devm_request_threaded_irq+0x74/0xe8\n   fsl_qdma_probe+0x4d4/0xca8\n   platform_drv_probe+0x50/0xa0\n   really_probe+0xe0/0x3f8\n   driver_probe_device+0x64/0x130\n   device_driver_attach+0x6c/0x78\n   __driver_attach+0xbc/0x158\n   bus_for_each_dev+0x5c/0x98\n   driver_attach+0x20/0x28\n   bus_add_driver+0x158/0x220\n   driver_register+0x60/0x110\n   __platform_driver_register+0x44/0x50\n   fsl_qdma_driver_init+0x18/0x20\n   do_one_initcall+0x48/0x258\n   kernel_init_freeable+0x1a4/0x23c\n   kernel_init+0x10/0xf8\n   ret_from_fork+0x10/0x18(CVE-2024-26788)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/pci: Lock external INTx masking ops\r\n\r\nMask operations through config space changes to DisINTx may race INTx\nconfiguration changes via ioctl.  Create wrappers that add locking for\npaths outside of the core interrupt code.\r\n\r\nIn particular, irq_type is updated holding igate, therefore testing\nis_intx() requires holding igate.  For example clearing DisINTx from\nconfig space can otherwise race changes of the interrupt configuration.\r\n\r\nThis aligns interfaces which may trigger the INTx eventfd into two\ncamps, one side serialized by igate and the other only enabled while\nINTx is configured.  A subsequent patch introduces synchronization for\nthe latter flows.(CVE-2024-26810)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Fix stackmap overflow check on 32-bit arches\r\n\r\nThe stackmap code relies on roundup_pow_of_two() to compute the number\nof hash buckets, and contains an overflow check by checking if the\nresulting value is 0. However, on 32-bit arches, the roundup code itself\ncan overflow by doing a 32-bit left-shift of an unsigned long value,\nwhich is undefined behaviour, so it is not guaranteed to truncate\nneatly. This was triggered by syzbot on the DEVMAP_HASH type, which\ncontains the same check, copied from the hashtab code.\r\n\r\nThe commit in the fixes tag actually attempted to fix this, but the fix\ndid not account for the UB, so the fix only works on CPUs where an\noverflow does result in a neat truncation to zero, which is not\nguaranteed. Checking the value before rounding does not have this\nproblem.(CVE-2024-26883)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Fix hashtab overflow check on 32-bit arches\r\n\r\nThe hashtab code relies on roundup_pow_of_two() to compute the number of\nhash buckets, and contains an overflow check by checking if the\nresulting value is 0. However, on 32-bit arches, the roundup code itself\ncan overflow by doing a 32-bit left-shift of an unsigned long value,\nwhich is undefined behaviour, so it is not guaranteed to truncate\nneatly. This was triggered by syzbot on the DEVMAP_HASH type, which\ncontains the same check, copied from the hashtab code. So apply the same\nfix to hashtab, by moving the overflow check to before the roundup.(CVE-2024-26884)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Fix DEVMAP_HASH overflow check on 32-bit arches\r\n\r\nThe devmap code allocates a number hash buckets equal to the next power\nof two of the max_entries value provided when creating the map. When\nrounding up to the next power of two, the 32-bit variable storing the\nnumber of buckets can overflow, and the code checks for overflow by\nchecking if the truncated 32-bit value is equal to 0. However, on 32-bit\narches the rounding up itself can overflow mid-way through, because it\nends up doing a left-shift of 32 bits on an unsigned long value. If the\nsize of an unsigned long is four bytes, this is undefined behaviour, so\nthere is no guarantee that we'll end up with a nice and tidy 0-value at\nthe end.\r\n\r\nSyzbot managed to turn this into a crash on arm32 by creating a\nDEVMAP_HASH with max_entries > 0x80000000 and then trying to update it.\nFix this by moving the overflow check to before the rounding up\noperation.(CVE-2024-26885)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/pci: Disable auto-enable of exclusive INTx IRQ\r\n\r\nCurrently for devices requiring masking at the irqchip for INTx, ie.\ndevices without DisINTx support, the IRQ is enabled in request_irq()\nand subsequently disabled as necessary to align with the masked status\nflag.  This presents a window where the interrupt could fire between\nthese events, resulting in the IRQ incrementing the disable depth twice.\nThis would be unrecoverable for a user since the masked flag prevents\nnested enables through vfio.\r\n\r\nInstead, invert the logic using IRQF_NO_AUTOEN such that exclusive INTx\nis never auto-enabled, then unmask as required.(CVE-2024-27437)",
+    "cves": [
+      {
+        "id": "CVE-2024-27437",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27437",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1151": {
+    "id": "openEuler-SA-2024-1151",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1151",
+    "title": "An update for openjdk-11 is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nDifficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.(CVE-2024-20919)\r\n\r\nDifficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.(CVE-2024-20921)",
+    "cves": [
+      {
+        "id": "CVE-2024-20921",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20921",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1392": {
+    "id": "openEuler-SA-2024-1392",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1392",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: dvbdev: Fix memory leak in dvb_media_device_free()\r\n\r\ndvb_media_device_free() is leaking memory. Free `dvbdev->adapter->conn`\nbefore setting it to NULL, as documented in include/media/media-device.h:\n\"The media_entity instance itself must be freed explicitly by the driver\nif required.\"(CVE-2020-36777)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni2c: sprd: fix reference leak when pm_runtime_get_sync fails\r\n\r\nThe PM reference count is not expected to be incremented on\nreturn in sprd_i2c_master_xfer() and sprd_i2c_remove().\r\n\r\nHowever, pm_runtime_get_sync will increment the PM reference\ncount even failed. Forgetting to putting operation will result\nin a reference leak here.\r\n\r\nReplace it with pm_runtime_resume_and_get to keep usage\ncounter balanced.(CVE-2020-36780)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni2c: cadence: fix reference leak when pm_runtime_get_sync fails\r\n\r\nThe PM reference count is not expected to be incremented on\nreturn in functions cdns_i2c_master_xfer and cdns_reg_slave.\r\n\r\nHowever, pm_runtime_get_sync will increment pm usage counter\neven failed. Forgetting to putting operation will result in a\nreference leak here.\r\n\r\nReplace it with pm_runtime_resume_and_get to keep usage\ncounter balanced.(CVE-2020-36784)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: hso: fix null-ptr-deref during tty device unregistration\r\n\r\nMultiple ttys try to claim the same the minor number causing a double\nunregistration of the same device. The first unregistration succeeds\nbut the next one results in a null-ptr-deref.\r\n\r\nThe get_free_serial_index() function returns an available minor number\nbut doesn't assign it immediately. The assignment is done by the caller\nlater. But before this assignment, calls to get_free_serial_index()\nwould return the same minor number.\r\n\r\nFix this by modifying get_free_serial_index to assign the minor number\nimmediately after one is found to be and rename it to obtain_minor()\nto better reflect what it does. Similary, rename set_serial_by_index()\nto release_minor() and modify it to free up the minor number of the\ngiven hso_serial. Every obtain_minor() should have corresponding\nrelease_minor() call.(CVE-2021-46904)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nNFC: st21nfca: Fix memory leak in device probe and remove\r\n\r\n'phy->pending_skb' is alloced when device probe, but forgot to free\nin the error handling path and remove path, this cause memory leak\nas follows:\r\n\r\nunreferenced object 0xffff88800bc06800 (size 512):\n  comm \"8\", pid 11775, jiffies 4295159829 (age 9.032s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<00000000d66c09ce>] __kmalloc_node_track_caller+0x1ed/0x450\n    [<00000000c93382b3>] kmalloc_reserve+0x37/0xd0\n    [<000000005fea522c>] __alloc_skb+0x124/0x380\n    [<0000000019f29f9a>] st21nfca_hci_i2c_probe+0x170/0x8f2\r\n\r\nFix it by freeing 'pending_skb' in error and remove.(CVE-2021-46924)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: hda: intel-sdw-acpi: harden detection of controller\r\n\r\nThe existing code currently sets a pointer to an ACPI handle before\nchecking that it's actually a SoundWire controller. This can lead to\nissues where the graph walk continues and eventually fails, but the\npointer was set already.\r\n\r\nThis patch changes the logic so that the information provided to\nthe caller is set when a controller is found.(CVE-2021-46926)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nparisc: Clear stale IIR value on instruction access rights trap\r\n\r\nWhen a trap 7 (Instruction access rights) occurs, this means the CPU\ncouldn't execute an instruction due to missing execute permissions on\nthe memory region.  In this case it seems the CPU didn't even fetched\nthe instruction from memory and thus did not store it in the cr19 (IIR)\nregister before calling the trap handler. So, the trap handler will find\nsome random old stale value in cr19.\r\n\r\nThis patch simply overwrites the stale IIR value with a constant magic\n\"bad food\" value (0xbaadf00d), in the hope people don't start to try to\nunderstand the various random IIR values in trap 7 dumps.(CVE-2021-46928)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni2c: validate user data in compat ioctl\r\n\r\nWrong user data may cause warning in i2c_transfer(), ex: zero msgs.\nUserspace should not be able to trigger warnings, so this patch adds\nvalidation checks for user data in compact ioctl to prevent reported\nwarnings(CVE-2021-46934)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbinder: fix async_free_space accounting for empty parcels\r\n\r\nIn 4.13, commit 74310e06be4d (\"android: binder: Move buffer out of area shared with user space\")\nfixed a kernel structure visibility issue. As part of that patch,\nsizeof(void *) was used as the buffer size for 0-length data payloads so\nthe driver could detect abusive clients sending 0-length asynchronous\ntransactions to a server by enforcing limits on async_free_size.\r\n\r\nUnfortunately, on the \"free\" side, the accounting of async_free_space\ndid not add the sizeof(void *) back. The result was that up to 8-bytes of\nasync_free_space were leaked on every async transaction of 8-bytes or\nless.  These small transactions are uncommon, so this accounting issue\nhas gone undetected for several years.\r\n\r\nThe fix is to use \"buffer_size\" (the allocated buffer size) instead of\n\"size\" (the logical buffer size) when updating the async_free_space\nduring the free operation. These are the same except for this\ncorner case of asynchronous transactions with payloads < 8 bytes.(CVE-2021-46935)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nNFS: fs_context: validate UDP retrans to prevent shift out-of-bounds\r\n\r\nFix shift out-of-bounds in xprt_calc_majortimeo(). This is caused\nby a garbage timeout (retrans) mount option being passed to nfs mount,\nin this case from syzkaller.\r\n\r\nIf the protocol is XPRT_TRANSPORT_UDP, then 'retrans' is a shift\nvalue for a 64-bit long integer, so 'retrans' cannot be >= 64.\nIf it is >= 64, fail the mount and return an error.(CVE-2021-46952)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhfsplus: prevent corruption in shrinking truncate\r\n\r\nI believe there are some issues introduced by commit 31651c607151\n(\"hfsplus: avoid deadlock on file truncation\")\r\n\r\nHFS+ has extent records which always contains 8 extents.  In case the\nfirst extent record in catalog file gets full, new ones are allocated from\nextents overflow file.\r\n\r\nIn case shrinking truncate happens to middle of an extent record which\nlocates in extents overflow file, the logic in hfsplus_file_truncate() was\nchanged so that call to hfs_brec_remove() is not guarded any more.\r\n\r\nRight action would be just freeing the extents that exceed the new size\ninside extent record by calling hfsplus_free_extents(), and then check if\nthe whole extent record should be removed.  However since the guard\n(blk_cnt > start) is now after the call to hfs_brec_remove(), this has\nunfortunate effect that the last matching extent record is removed\nunconditionally.\r\n\r\nTo reproduce this issue, create a file which has at least 10 extents, and\nthen perform shrinking truncate into middle of the last extent record, so\nthat the number of remaining extents is not under or divisible by 8.  This\ncauses the last extent record (8 extents) to be removed totally instead of\ntruncating into middle of it.  Thus this causes corruption, and lost data.\r\n\r\nFix for this is simply checking if the new truncated end is below the\nstart of this extent record, making it safe to remove the full extent\nrecord.  However call to hfs_brec_remove() can't be moved to it's previous\nplace since we're dropping ->tree_lock and it can cause a race condition\nand the cached info being invalidated possibly corrupting the node data.\r\n\r\nAnother issue is related to this one.  When entering into the block\n(blk_cnt > start) we are not holding the ->tree_lock.  We break out from\nthe loop not holding the lock, but hfs_find_exit() does unlock it.  Not\nsure if it's possible for someone else to take the lock under our feet,\nbut it can cause hard to debug errors and premature unlocking.  Even if\nthere's no real risk of it, the locking should still always be kept in\nbalance.  Thus taking the lock now just before the check.(CVE-2021-46989)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nphonet/pep: refuse to enable an unbound pipe\r\n\r\nThis ioctl() implicitly assumed that the socket was already bound to\na valid local socket name, i.e. Phonet object. If the socket was not\nbound, two separate problems would occur:\r\n\r\n1) We'd send an pipe enablement request with an invalid source object.\n2) Later socket calls could BUG on the socket unexpectedly being\n   connected yet not bound to a valid object.(CVE-2021-47086)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nx86/kvm: Teardown PV features on boot CPU as well\r\n\r\nVarious PV features (Async PF, PV EOI, steal time) work through memory\nshared with hypervisor and when we restore from hibernation we must\nproperly teardown all these features to make sure hypervisor doesn't\nwrite to stale locations after we jump to the previously hibernated kernel\n(which can try to place anything there). For secondary CPUs the job is\nalready done by kvm_cpu_down_prepare(), register syscore ops to do\nthe same for boot CPU.(CVE-2021-47112)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: abort in rename_exchange if we fail to insert the second ref\r\n\r\nError injection stress uncovered a problem where we'd leave a dangling\ninode ref if we failed during a rename_exchange.  This happens because\nwe insert the inode ref for one side of the rename, and then for the\nother side.  If this second inode ref insert fails we'll leave the first\none dangling and leave a corrupt file system behind.  Fix this by\naborting if we did the insert for the first inode ref.(CVE-2021-47113)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nocfs2: fix data corruption by fallocate\r\n\r\nWhen fallocate punches holes out of inode size, if original isize is in\nthe middle of last cluster, then the part from isize to the end of the\ncluster will be zeroed with buffer write, at that time isize is not yet\nupdated to match the new size, if writeback is kicked in, it will invoke\nocfs2_writepage()->block_write_full_page() where the pages out of inode\nsize will be dropped.  That will cause file corruption.  Fix this by\nzero out eof blocks when extending the inode size.\r\n\r\nRunning the following command with qemu-image 4.2.1 can get a corrupted\ncoverted image file easily.\r\n\r\n    qemu-img convert -p -t none -T none -f qcow2 $qcow_image \\\n             -O qcow2 -o compat=1.1 $qcow_image.conv\r\n\r\nThe usage of fallocate in qemu is like this, it first punches holes out\nof inode size, then extend the inode size.\r\n\r\n    fallocate(11, FALLOC_FL_KEEP_SIZE|FALLOC_FL_PUNCH_HOLE, 2276196352, 65536) = 0\n    fallocate(11, 0, 2276196352, 65536) = 0\r\n\r\nv1: https://www.spinics.net/lists/linux-fsdevel/msg193999.html\nv2: https://lore.kernel.org/linux-fsdevel/20210525093034.GB4112@quack2.suse.cz/T/(CVE-2021-47114)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: caif: fix memory leak in caif_device_notify\r\n\r\nIn case of caif_enroll_dev() fail, allocated\nlink_support won't be assigned to the corresponding\nstructure. So simply free allocated pointer in case\nof error(CVE-2021-47122)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\napparmor: avoid crash when parsed profile name is empty\r\n\r\nWhen processing a packed profile in unpack_profile() described like\r\n\r\n \"profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}\"\r\n\r\na string \":samba-dcerpcd\" is unpacked as a fully-qualified name and then\npassed to aa_splitn_fqname().\r\n\r\naa_splitn_fqname() treats \":samba-dcerpcd\" as only containing a namespace.\nThus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later\naa_alloc_profile() crashes as the new profile name is NULL now.\r\n\r\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\nRIP: 0010:strlen+0x1e/0xa0\nCall Trace:\n <TASK>\n ? strlen+0x1e/0xa0\n aa_policy_init+0x1bb/0x230\n aa_alloc_profile+0xb1/0x480\n unpack_profile+0x3bc/0x4960\n aa_unpack+0x309/0x15e0\n aa_replace_profiles+0x213/0x33c0\n policy_update+0x261/0x370\n profile_replace+0x20e/0x2a0\n vfs_write+0x2af/0xe00\n ksys_write+0x126/0x250\n do_syscall_64+0x46/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n </TASK>\n---[ end trace 0000000000000000 ]---\nRIP: 0010:strlen+0x1e/0xa0\r\n\r\nIt seems such behaviour of aa_splitn_fqname() is expected and checked in\nother places where it is called (e.g. aa_remove_profiles). Well, there\nis an explicit comment \"a ns name without a following profile is allowed\"\ninside.\r\n\r\nAFAICS, nothing can prevent unpacked \"name\" to be in form like\n\":samba-dcerpcd\" - it is passed from userspace.\r\n\r\nDeny the whole profile set replacement in such case and inform user with\nEPROTO and an explaining message.\r\n\r\nFound by Linux Verification Center (linuxtesting.org).(CVE-2023-52443)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrivers/amd/pm: fix a use-after-free in kv_parse_power_table\r\n\r\nWhen ps allocated by kzalloc equals to NULL, kv_parse_power_table\nfrees adev->pm.dpm.ps that allocated before. However, after the control\nflow goes through the following call chains:\r\n\r\nkv_parse_power_table\n  |-> kv_dpm_init\n        |-> kv_dpm_sw_init\n\t      |-> kv_dpm_fini\r\n\r\nThe adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its\nfirst free in kv_parse_power_table and causes a use-after-free bug.(CVE-2023-52469)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nperf/x86/lbr: Filter vsyscall addresses\r\n\r\nWe found that a panic can occur when a vsyscall is made while LBR sampling\nis active. If the vsyscall is interrupted (NMI) for perf sampling, this\ncall sequence can occur (most recent at top):\r\n\r\n    __insn_get_emulate_prefix()\n    insn_get_emulate_prefix()\n    insn_get_prefixes()\n    insn_get_opcode()\n    decode_branch_type()\n    get_branch_type()\n    intel_pmu_lbr_filter()\n    intel_pmu_handle_irq()\n    perf_event_nmi_handler()\r\n\r\nWithin __insn_get_emulate_prefix() at frame 0, a macro is called:\r\n\r\n    peek_nbyte_next(insn_byte_t, insn, i)\r\n\r\nWithin this macro, this dereference occurs:\r\n\r\n    (insn)->next_byte\r\n\r\nInspecting registers at this point, the value of the next_byte field is the\naddress of the vsyscall made, for example the location of the vsyscall\nversion of gettimeofday() at 0xffffffffff600000. The access to an address\nin the vsyscall region will trigger an oops due to an unhandled page fault.\r\n\r\nTo fix the bug, filtering for vsyscalls can be done when\ndetermining the branch type. This patch will return\na \"none\" branch if a kernel address if found to lie in the\nvsyscall region.(CVE-2023-52476)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn()\r\n\r\nSili Luo reported a race in nfc_llcp_sock_get(), leading to UAF.\r\n\r\nGetting a reference on the socket found in a lookup while\nholding a lock should happen before releasing the lock.\r\n\r\nnfc_llcp_sock_get_sn() has a similar problem.\r\n\r\nFinally nfc_llcp_recv_snl() needs to make sure the socket\nfound by nfc_llcp_sock_from_sn() does not disappear.(CVE-2023-52502)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nravb: Fix use-after-free issue in ravb_tx_timeout_work()\r\n\r\nThe ravb_stop() should call cancel_work_sync(). Otherwise,\nravb_tx_timeout_work() is possible to use the freed priv after\nravb_remove() was called like below:\r\n\r\nCPU0\t\t\tCPU1\n\t\t\travb_tx_timeout()\nravb_remove()\nunregister_netdev()\nfree_netdev(ndev)\n// free priv\n\t\t\travb_tx_timeout_work()\n\t\t\t// use priv\r\n\r\nunregister_netdev() will call .ndo_stop() so that ravb_stop() is\ncalled. And, after phy_stop() is called, netif_carrier_off()\nis also called. So that .ndo_tx_timeout() will not be called\nafter phy_stop().(CVE-2023-52509)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix array-index-out-of-bounds in diNewExt\r\n\r\n[Syz report]\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_imap.c:2360:2\nindex -878706688 is out of range for type 'struct iagctl[128]'\nCPU: 1 PID: 5065 Comm: syz-executor282 Not tainted 6.7.0-rc4-syzkaller-00009-gbee0e7762ad2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348\n diNewExt+0x3cf3/0x4000 fs/jfs/jfs_imap.c:2360\n diAllocExt fs/jfs/jfs_imap.c:1949 [inline]\n diAllocAG+0xbe8/0x1e50 fs/jfs/jfs_imap.c:1666\n diAlloc+0x1d3/0x1760 fs/jfs/jfs_imap.c:1587\n ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56\n jfs_mkdir+0x1c5/0xb90 fs/jfs/namei.c:225\n vfs_mkdir+0x2f1/0x4b0 fs/namei.c:4106\n do_mkdirat+0x264/0x3a0 fs/namei.c:4129\n __do_sys_mkdir fs/namei.c:4149 [inline]\n __se_sys_mkdir fs/namei.c:4147 [inline]\n __x64_sys_mkdir+0x6e/0x80 fs/namei.c:4147\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x45/0x110 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7fcb7e6a0b57\nCode: ff ff 77 07 31 c0 c3 0f 1f 40 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffd83023038 EFLAGS: 00000286 ORIG_RAX: 0000000000000053\nRAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007fcb7e6a0b57\nRDX: 00000000000a1020 RSI: 00000000000001ff RDI: 0000000020000140\nRBP: 0000000020000140 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000286 R12: 00007ffd830230d0\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\r\n\r\n[Analysis]\nWhen the agstart is too large, it can cause agno overflow.\r\n\r\n[Fix]\nAfter obtaining agno, if the value is invalid, exit the subsequent process.\r\n\r\n\nModified the test from agno > MAXAG to agno >= MAXAG based on linux-next\nreport by kernel test robot (Dan Carpenter).(CVE-2023-52599)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix uaf in jfs_evict_inode\r\n\r\nWhen the execution of diMount(ipimap) fails, the object ipimap that has been\nreleased may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs\nwhen rcu_core() calls jfs_free_node().\r\n\r\nTherefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as\nipimap.(CVE-2023-52600)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix array-index-out-of-bounds in dbAdjTree\r\n\r\nCurrently there is a bound check missing in the dbAdjTree while\naccessing the dmt_stree. To add the required check added the bool is_ctl\nwhich is required to determine the size as suggest in the following\ncommit.\nhttps://lore.kernel.org/linux-kernel-mentees/f9475918-2186-49b8-b801-6f0f9e75f4fa@oracle.com/(CVE-2023-52601)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix slab-out-of-bounds Read in dtSearch\r\n\r\nCurrently while searching for current page in the sorted entry table\nof the page there is a out of bound access. Added a bound check to fix\nthe error.\r\n\r\nDave:\nSet return code to -EIO(CVE-2023-52602)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nUBSAN: array-index-out-of-bounds in dtSplitRoot\r\n\r\nSyzkaller reported the following issue:\r\n\r\noop0: detected capacity change from 0 to 32768\r\n\r\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9\nindex -2 is out of range for type 'struct dtslot [128]'\nCPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:151 [inline]\n __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283\n dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971\n dtSplitUp fs/jfs/jfs_dtree.c:985 [inline]\n dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863\n jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270\n vfs_mkdir+0x3b3/0x590 fs/namei.c:4013\n do_mkdirat+0x279/0x550 fs/namei.c:4038\n __do_sys_mkdirat fs/namei.c:4053 [inline]\n __se_sys_mkdirat fs/namei.c:4051 [inline]\n __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fcdc0113fd9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9\nRDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003\nRBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0\nR10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000\nR13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000\n </TASK>\r\n\r\nThe issue is caused when the value of fsi becomes less than -1.\nThe check to break the loop when fsi value becomes -1 is present\nbut syzbot was able to produce value less than -1 which cause the error.\nThis patch simply add the change for the values less than 0.\r\n\r\nThe patch is tested via syzbot.(CVE-2023-52603)\r\n\r\nInteger Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.(CVE-2024-23307)\r\n\r\nA race condition was found in the Linux kernel's scsi device driver in lpfc_unregister_fcf_rescan() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\r\n\r\n\r\n\r\n\n(CVE-2024-24855)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: qualcomm: rmnet: fix global oob in rmnet_policy\r\n\r\nThe variable rmnet_link_ops assign a *bigger* maxtype which leads to a\nglobal out-of-bounds read when parsing the netlink attributes. See bug\ntrace below:\r\n\r\n==================================================================\nBUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline]\nBUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\nRead of size 1 at addr ffffffff92c438d0 by task syz-executor.6/84207\r\n\r\nCPU: 0 PID: 84207 Comm: syz-executor.6 Tainted: G                 N 6.1.0 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x172/0x475 mm/kasan/report.c:395\n kasan_report+0xbb/0x1c0 mm/kasan/report.c:495\n validate_nla lib/nlattr.c:386 [inline]\n __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\n __nla_parse+0x3e/0x50 lib/nlattr.c:697\n nla_parse_nested_deprecated include/net/netlink.h:1248 [inline]\n __rtnl_newlink+0x50a/0x1880 net/core/rtnetlink.c:3485\n rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3594\n rtnetlink_rcv_msg+0x43c/0xd70 net/core/rtnetlink.c:6091\n netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg+0x154/0x190 net/socket.c:734\n ____sys_sendmsg+0x6df/0x840 net/socket.c:2482\n ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536\n __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fdcf2072359\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fdcf13e3168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007fdcf219ff80 RCX: 00007fdcf2072359\nRDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003\nRBP: 00007fdcf20bd493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fffbb8d7bdf R14: 00007fdcf13e3300 R15: 0000000000022000\n </TASK>\r\n\r\nThe buggy address belongs to the variable:\n rmnet_policy+0x30/0xe0\r\n\r\nThe buggy address belongs to the physical page:\npage:0000000065bdeb3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x155243\nflags: 0x200000000001000(reserved|node=0|zone=2)\nraw: 0200000000001000 ffffea00055490c8 ffffea00055490c8 0000000000000000\nraw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\r\n\r\nMemory state around the buggy address:\n ffffffff92c43780: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 07\n ffffffff92c43800: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 06 f9 f9 f9\n>ffffffff92c43880: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9\n                                                 ^\n ffffffff92c43900: 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9\n ffffffff92c43980: 00 00 00 07 f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9\r\n\r\nAccording to the comment of `nla_parse_nested_deprecated`, the maxtype\nshould be len(destination array) - 1. Hence use `IFLA_RMNET_MAX` here.(CVE-2024-26597)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nphy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP\r\n\r\nIf the external phy working together with phy-omap-usb2 does not implement\nsend_srp(), we may still attempt to call it. This can happen on an idle\nEthernet gadget triggering a wakeup for example:\r\n\r\nconfigfs-gadget.g1 gadget.0: ECM Suspend\nconfigfs-gadget.g1 gadget.0: Port suspended. Triggering wakeup\n...\nUnable to handle kernel NULL pointer dereference at virtual address\n00000000 when execute\n...\nPC is at 0x0\nLR is at musb_gadget_wakeup+0x1d4/0x254 [musb_hdrc]\n...\nmusb_gadget_wakeup [musb_hdrc] from usb_gadget_wakeup+0x1c/0x3c [udc_core]\nusb_gadget_wakeup [udc_core] from eth_start_xmit+0x3b0/0x3d4 [u_ether]\neth_start_xmit [u_ether] from dev_hard_start_xmit+0x94/0x24c\ndev_hard_start_xmit from sch_direct_xmit+0x104/0x2e4\nsch_direct_xmit from __dev_queue_xmit+0x334/0xd88\n__dev_queue_xmit from arp_solicit+0xf0/0x268\narp_solicit from neigh_probe+0x54/0x7c\nneigh_probe from __neigh_event_send+0x22c/0x47c\n__neigh_event_send from neigh_resolve_output+0x14c/0x1c0\nneigh_resolve_output from ip_finish_output2+0x1c8/0x628\nip_finish_output2 from ip_send_skb+0x40/0xd8\nip_send_skb from udp_send_skb+0x124/0x340\nudp_send_skb from udp_sendmsg+0x780/0x984\nudp_sendmsg from __sys_sendto+0xd8/0x158\n__sys_sendto from ret_fast_syscall+0x0/0x58\r\n\r\nLet's fix the issue by checking for send_srp() and set_vbus() before\ncalling them. For USB peripheral only cases these both could be NULL.(CVE-2024-26600)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbinder: signal epoll threads of self-work\r\n\r\nIn (e)poll mode, threads often depend on I/O events to determine when\ndata is ready for consumption. Within binder, a thread may initiate a\ncommand via BINDER_WRITE_READ without a read buffer and then make use\nof epoll_wait() or similar to consume any responses afterwards.\r\n\r\nIt is then crucial that epoll threads are signaled via wakeup when they\nqueue their own work. Otherwise, they risk waiting indefinitely for an\nevent leaving their work unhandled. What is worse, subsequent commands\nwon't trigger a wakeup either as the thread has pending work.(CVE-2024-26606)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntomoyo: fix UAF write bug in tomoyo_write_control()\r\n\r\nSince tomoyo_write_control() updates head->write_buf when write()\nof long lines is requested, we need to fetch head->write_buf after\nhead->io_sem is held.  Otherwise, concurrent write() requests can\ncause use-after-free-write and double-free problems.(CVE-2024-26622)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nllc: call sock_orphan() at release time\r\n\r\nsyzbot reported an interesting trace [1] caused by a stale sk->sk_wq\npointer in a closed llc socket.\r\n\r\nIn commit ff7b11aa481f (\"net: socket: set sock->sk to NULL after\ncalling proto_ops::release()\") Eric Biggers hinted that some protocols\nare missing a sock_orphan(), we need to perform a full audit.\r\n\r\nIn net-next, I plan to clear sock->sk from sock_orphan() and\namend Eric patch to add a warning.\r\n\r\n[1]\n BUG: KASAN: slab-use-after-free in list_empty include/linux/list.h:373 [inline]\n BUG: KASAN: slab-use-after-free in waitqueue_active include/linux/wait.h:127 [inline]\n BUG: KASAN: slab-use-after-free in sock_def_write_space_wfree net/core/sock.c:3384 [inline]\n BUG: KASAN: slab-use-after-free in sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468\nRead of size 8 at addr ffff88802f4fc880 by task ksoftirqd/1/27\r\n\r\nCPU: 1 PID: 27 Comm: ksoftirqd/1 Not tainted 6.8.0-rc1-syzkaller-00049-g6098d87eaf31 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0xc4/0x620 mm/kasan/report.c:488\n  kasan_report+0xda/0x110 mm/kasan/report.c:601\n  list_empty include/linux/list.h:373 [inline]\n  waitqueue_active include/linux/wait.h:127 [inline]\n  sock_def_write_space_wfree net/core/sock.c:3384 [inline]\n  sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468\n  skb_release_head_state+0xa3/0x2b0 net/core/skbuff.c:1080\n  skb_release_all net/core/skbuff.c:1092 [inline]\n  napi_consume_skb+0x119/0x2b0 net/core/skbuff.c:1404\n  e1000_unmap_and_free_tx_resource+0x144/0x200 drivers/net/ethernet/intel/e1000/e1000_main.c:1970\n  e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3860 [inline]\n  e1000_clean+0x4a1/0x26e0 drivers/net/ethernet/intel/e1000/e1000_main.c:3801\n  __napi_poll.constprop.0+0xb4/0x540 net/core/dev.c:6576\n  napi_poll net/core/dev.c:6645 [inline]\n  net_rx_action+0x956/0xe90 net/core/dev.c:6778\n  __do_softirq+0x21a/0x8de kernel/softirq.c:553\n  run_ksoftirqd kernel/softirq.c:921 [inline]\n  run_ksoftirqd+0x31/0x60 kernel/softirq.c:913\n  smpboot_thread_fn+0x660/0xa10 kernel/smpboot.c:164\n  kthread+0x2c6/0x3a0 kernel/kthread.c:388\n  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n  ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242\n </TASK>\r\n\r\nAllocated by task 5167:\n  kasan_save_stack+0x33/0x50 mm/kasan/common.c:47\n  kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n  unpoison_slab_object mm/kasan/common.c:314 [inline]\n  __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:340\n  kasan_slab_alloc include/linux/kasan.h:201 [inline]\n  slab_post_alloc_hook mm/slub.c:3813 [inline]\n  slab_alloc_node mm/slub.c:3860 [inline]\n  kmem_cache_alloc_lru+0x142/0x6f0 mm/slub.c:3879\n  alloc_inode_sb include/linux/fs.h:3019 [inline]\n  sock_alloc_inode+0x25/0x1c0 net/socket.c:308\n  alloc_inode+0x5d/0x220 fs/inode.c:260\n  new_inode_pseudo+0x16/0x80 fs/inode.c:1005\n  sock_alloc+0x40/0x270 net/socket.c:634\n  __sock_create+0xbc/0x800 net/socket.c:1535\n  sock_create net/socket.c:1622 [inline]\n  __sys_socket_create net/socket.c:1659 [inline]\n  __sys_socket+0x14c/0x260 net/socket.c:1706\n  __do_sys_socket net/socket.c:1720 [inline]\n  __se_sys_socket net/socket.c:1718 [inline]\n  __x64_sys_socket+0x72/0xb0 net/socket.c:1718\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nFreed by task 0:\n  kasan_save_stack+0x33/0x50 mm/kasan/common.c:47\n  kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n  kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640\n  poison_slab_object mm/kasan/common.c:241 [inline]\n  __kasan_slab_free+0x121/0x1b0 mm/kasan/common.c:257\n  kasan_slab_free include/linux/kasan.h:184 [inline]\n  slab_free_hook mm/slub.c:2121 [inlin\n---truncated---(CVE-2024-26625)",
+    "cves": [
+      {
+        "id": "CVE-2024-26625",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26625",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1912": {
+    "id": "openEuler-SA-2022-1912",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1912",
+    "title": "An update for yajl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "yajl is a small event-driven JSON parser written in ANSI C, and a small validating JSON generator.\r\n\r\nSecurity Fix(es):\r\n\r\nyajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL.(CVE-2022-24795)",
+    "cves": [
+      {
+        "id": "CVE-2022-24795",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24795",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1657": {
+    "id": "openEuler-SA-2022-1657",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1657",
+    "title": "An update for freerdp is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "FreeRDP is a client implementation of the Remote Desktop Protocol (RDP) that follows Microsoft's open specifications. This package provides the client applications xfreerdp and wlfreerdp.\n\nSecurity Fix(es):\n\nFreeRDP is a free implementation of the Remote Desktop Protocol (RDP). Prior to version 2.7.0, server side authentication against a `SAM` file might be successful for invalid credentials if the server has configured an invalid `SAM` file path. FreeRDP based clients are not affected. RDP server implementations using FreeRDP to authenticate against a `SAM` file are affected. Version 2.7.0 contains a fix for this issue. As a workaround, use custom authentication via `HashCallback` and/or ensure the `SAM` database path configured is valid and the application has file handles left.(CVE-2022-24883)\n\nFreeRDP is a free implementation of the Remote Desktop Protocol (RDP). In versions prior to 2.7.0, NT LAN Manager (NTLM) authentication does not properly abort when someone provides and empty password value. This issue affects FreeRDP based RDP Server implementations. RDP clients are not affected. The vulnerability is patched in FreeRDP 2.7.0. There are currently no known workarounds.(CVE-2022-24882)",
+    "cves": [
+      {
+        "id": "CVE-2022-24882",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24882",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1588": {
+    "id": "openEuler-SA-2022-1588",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1588",
+    "title": "An update for firefox is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability. %if 0 %global moz_debug_prefix /lib/debug %global moz_debug_dir /lib/debug/ %global uname_m %(uname -m) %global symbols_file_name -.en-US.-%(uname.crashreporter-symbols.zip %global symbols_file_path /lib/debug//-.en-US.-%(uname.crashreporter-symbols.zip %global _find_debuginfo_opts -p /lib/debug//-.en-US.-%(uname.crashreporter-symbols.zip -o debugcrashreporter.list %global crashreporter_pkg_name mozilla-crashreporter--debuginfo\r\n\r\nSecurity Fix(es):\r\n\r\nxmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.(CVE-2022-25235)\r\n\r\nxmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.(CVE-2022-25236)\r\n\r\nIn Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.(CVE-2022-25315)",
+    "cves": [
+      {
+        "id": "CVE-2022-25315",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25315",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1602": {
+    "id": "openEuler-SA-2022-1602",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1602",
+    "title": "An update for three-eight-nine-ds-base is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "389-ds-base is an LDAPv3 compliant server which includes the LDAP server and command line utilities for server administration.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database.(CVE-2020-35518)",
+    "cves": [
+      {
+        "id": "CVE-2020-35518",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35518",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1778": {
+    "id": "openEuler-SA-2024-1778",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1778",
+    "title": "An update for rubygem-actionpack is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Eases web-request routing, handling, and response as a half-way front, half-way page controller. Implemented with specific emphasis on enabling easy unit/integration testing that doesn't require a browser.\r\n\r\nSecurity Fix(es):\r\n\r\nAction Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.(CVE-2022-23633)",
+    "cves": [
+      {
+        "id": "CVE-2022-23633",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23633",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1026": {
+    "id": "openEuler-SA-2024-1026",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1026",
+    "title": "An update for mosquitto is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Mosquitto is an open source message broker that implements the MQ Telemetry Transport protocol version 3.1 and 3.1.1 MQTT provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for \"machine to machine\" messaging such as with low power sensors or mobile devices such as phones, embedded computers or micro-controllers like the Arduino.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.\n(CVE-2023-3592)",
+    "cves": [
+      {
+        "id": "CVE-2023-3592",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3592",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1775": {
+    "id": "openEuler-SA-2024-1775",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1775",
+    "title": "An update for rubygem-actionview is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Simple, battle-tested conventions and helpers for building web pages.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Rails. rails-ujs may allow an attacker to perform Cross-Site Scripting (XSS), which could lead to stolen information, phishing attacks, and other types of attacks.(CVE-2023-23913)",
+    "cves": [
+      {
+        "id": "CVE-2023-23913",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23913",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1013": {
+    "id": "openEuler-SA-2024-1013",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1013",
+    "title": "An update for python-twisted is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Twisted is an event-based framework for internet applications, supporting Python 2.7 and Python 3.5+. It includes modules for many different purposes, including the following:\r\n\r\nSecurity Fix(es):\r\n\r\nTwisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline. Version 23.10.0rc1 contains a patch for this issue.(CVE-2023-46137)",
+    "cves": [
+      {
+        "id": "CVE-2023-46137",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46137",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1764": {
+    "id": "openEuler-SA-2022-1764",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1764",
+    "title": "An update for lua is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Lua is a powerful, efficient, lightweight, embeddable scripting language. It supports procedural programming, object-oriented programming, functional programming, data-driven programming, and data description.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue in the component luaG_runerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs.(CVE-2022-33099)",
+    "cves": [
+      {
+        "id": "CVE-2022-33099",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33099",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1662": {
+    "id": "openEuler-SA-2024-1662",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1662",
+    "title": "An update for git is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency. Git is easy to learn and has a tiny footprint with lightning fast performance. It outclasses SCM tools like Subversion, CVS, Perforce, and ClearCase with features like cheap local branching, convenient staging areas, and multiple workflows.\r\n\r\nSecurity Fix(es):\r\n\r\nGit is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.(CVE-2024-32002)\r\n\r\nGit is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.(CVE-2024-32004)\r\n\r\nGit is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user. Cloning local repositories will cause Git to either copy or hardlink files of the source repository into the target repository. This significantly speeds up such local clones compared to doing a \"proper\" clone and saves both disk space and compute time. When cloning a repository located on the same disk that is owned by a different user than the current user we also end up creating such hardlinks. These files will continue to be owned and controlled by the potentially-untrusted user and can be rewritten by them at will in the future. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.(CVE-2024-32020)\r\n\r\nGit is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning\nwill be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.(CVE-2024-32021)\r\n\r\nGit is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources.(CVE-2024-32465)",
+    "cves": [
+      {
+        "id": "CVE-2024-32465",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32465",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1817": {
+    "id": "openEuler-SA-2023-1817",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1817",
+    "title": "An update for GraphicsMagick is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "GraphicsMagick is the swiss army knife of image processing. Comprised of 267K physical lines (according to David A. Wheeler's SLOCCount) of source code in the base package (or 1,225K including 3rd party libraries) it provides a robust and efficient collection of tools and libraries which support reading, writing, and manipulating an image in over 89 major formats including important formats like DPX, GIF, JPEG, JPEG-2000, PNG, PDF, PNM, TIFF, and WebP.\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Overflow vulnerability in WritePCXImage function in pcx.c in GraphicsMagick 1.4 allows remote attackers to cause a denial of service via converting of crafted image file to pcx format.(CVE-2020-21679)",
+    "cves": [
+      {
+        "id": "CVE-2020-21679",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-21679",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1768": {
+    "id": "openEuler-SA-2023-1768",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1768",
+    "title": "An update for python-eventlet is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Eventlet is a concurrent networking library for Python that allows you to change how you run your code, not how you write it.\r\n\r\nSecurity Fix(es):\r\n\r\nA regression was introduced in the Red Hat build of python-eventlet due to a change in the patch application strategy, resulting in a patch for CVE-2021-21419 not being applied for all builds of all products.(CVE-2023-5625)",
+    "cves": [
+      {
+        "id": "CVE-2023-5625",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5625",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1607": {
+    "id": "openEuler-SA-2022-1607",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1607",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "This  provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. The latest version of the TIFF specification is available on-line in several different formats.And contains command-line programs for manipulating TIFF format image files using the libtiff library.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nNull source pointer passed as an argument to memcpy() function within TIFFFetchNormalTag () in tif_dirread.c in libtiff versions up to 4.3.0 could lead to Denial of Service via crafted TIFF file.(CVE-2022-0908)\r\n\r\nUnchecked Return Value to NULL Pointer Dereference in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f2b656e2.(CVE-2022-0907)\r\n\r\nReachable Assertion in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 5e180045.(CVE-2022-0865)\r\n\r\nDivide By Zero error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f8d0f9aa.(CVE-2022-0909)\r\n\r\nOut-of-bounds Read error in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 408976c4.(CVE-2022-0924)",
+    "cves": [
+      {
+        "id": "CVE-2022-0924",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0924",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1543": {
+    "id": "openEuler-SA-2024-1543",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1543",
+    "title": "An update for skopeo is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "A command line utility that performs various operations on container images and image repositories\r\n\r\nSecurity Fix(es):\r\n\r\nA maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.(CVE-2022-41723)",
+    "cves": [
+      {
+        "id": "CVE-2022-41723",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1652": {
+    "id": "openEuler-SA-2024-1652",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1652",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/dasd: fix Oops in dasd_alias_get_start_dev due to missing pavgroup\r\n\r\nFix Oops in dasd_alias_get_start_dev() function caused by the pavgroup\npointer being NULL.\r\n\r\nThe pavgroup pointer is checked on the entrance of the function but\nwithout the lcu->lock being held. Therefore there is a race window\nbetween dasd_alias_get_start_dev() and _lcu_update() which sets\npavgroup to NULL with the lcu->lock held.\r\n\r\nFix by checking the pavgroup pointer with lcu->lock held.(CVE-2022-48636)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: fix hang during unmount when stopping a space reclaim worker\r\n\r\nOften when running generic/562 from fstests we can hang during unmount,\nresulting in a trace like this:\r\n\r\n  Sep 07 11:52:00 debian9 unknown: run fstests generic/562 at 2022-09-07 11:52:00\n  Sep 07 11:55:32 debian9 kernel: INFO: task umount:49438 blocked for more than 120 seconds.\n  Sep 07 11:55:32 debian9 kernel:       Not tainted 6.0.0-rc2-btrfs-next-122 #1\n  Sep 07 11:55:32 debian9 kernel: \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n  Sep 07 11:55:32 debian9 kernel: task:umount          state:D stack:    0 pid:49438 ppid: 25683 flags:0x00004000\n  Sep 07 11:55:32 debian9 kernel: Call Trace:\n  Sep 07 11:55:32 debian9 kernel:  <TASK>\n  Sep 07 11:55:32 debian9 kernel:  __schedule+0x3c8/0xec0\n  Sep 07 11:55:32 debian9 kernel:  ? rcu_read_lock_sched_held+0x12/0x70\n  Sep 07 11:55:32 debian9 kernel:  schedule+0x5d/0xf0\n  Sep 07 11:55:32 debian9 kernel:  schedule_timeout+0xf1/0x130\n  Sep 07 11:55:32 debian9 kernel:  ? lock_release+0x224/0x4a0\n  Sep 07 11:55:32 debian9 kernel:  ? lock_acquired+0x1a0/0x420\n  Sep 07 11:55:32 debian9 kernel:  ? trace_hardirqs_on+0x2c/0xd0\n  Sep 07 11:55:32 debian9 kernel:  __wait_for_common+0xac/0x200\n  Sep 07 11:55:32 debian9 kernel:  ? usleep_range_state+0xb0/0xb0\n  Sep 07 11:55:32 debian9 kernel:  __flush_work+0x26d/0x530\n  Sep 07 11:55:32 debian9 kernel:  ? flush_workqueue_prep_pwqs+0x140/0x140\n  Sep 07 11:55:32 debian9 kernel:  ? trace_clock_local+0xc/0x30\n  Sep 07 11:55:32 debian9 kernel:  __cancel_work_timer+0x11f/0x1b0\n  Sep 07 11:55:32 debian9 kernel:  ? close_ctree+0x12b/0x5b3 [btrfs]\n  Sep 07 11:55:32 debian9 kernel:  ? __trace_bputs+0x10b/0x170\n  Sep 07 11:55:32 debian9 kernel:  close_ctree+0x152/0x5b3 [btrfs]\n  Sep 07 11:55:32 debian9 kernel:  ? evict_inodes+0x166/0x1c0\n  Sep 07 11:55:32 debian9 kernel:  generic_shutdown_super+0x71/0x120\n  Sep 07 11:55:32 debian9 kernel:  kill_anon_super+0x14/0x30\n  Sep 07 11:55:32 debian9 kernel:  btrfs_kill_super+0x12/0x20 [btrfs]\n  Sep 07 11:55:32 debian9 kernel:  deactivate_locked_super+0x2e/0xa0\n  Sep 07 11:55:32 debian9 kernel:  cleanup_mnt+0x100/0x160\n  Sep 07 11:55:32 debian9 kernel:  task_work_run+0x59/0xa0\n  Sep 07 11:55:32 debian9 kernel:  exit_to_user_mode_prepare+0x1a6/0x1b0\n  Sep 07 11:55:32 debian9 kernel:  syscall_exit_to_user_mode+0x16/0x40\n  Sep 07 11:55:32 debian9 kernel:  do_syscall_64+0x48/0x90\n  Sep 07 11:55:32 debian9 kernel:  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n  Sep 07 11:55:32 debian9 kernel: RIP: 0033:0x7fcde59a57a7\n  Sep 07 11:55:32 debian9 kernel: RSP: 002b:00007ffe914217c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\n  Sep 07 11:55:32 debian9 kernel: RAX: 0000000000000000 RBX: 00007fcde5ae8264 RCX: 00007fcde59a57a7\n  Sep 07 11:55:32 debian9 kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000055b57556cdd0\n  Sep 07 11:55:32 debian9 kernel: RBP: 000055b57556cba0 R08: 0000000000000000 R09: 00007ffe91420570\n  Sep 07 11:55:32 debian9 kernel: R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  Sep 07 11:55:32 debian9 kernel: R13: 000055b57556cdd0 R14: 000055b57556ccb8 R15: 0000000000000000\n  Sep 07 11:55:32 debian9 kernel:  </TASK>\r\n\r\nWhat happens is the following:\r\n\r\n1) The cleaner kthread tries to start a transaction to delete an unused\n   block group, but the metadata reservation can not be satisfied right\n   away, so a reservation ticket is created and it starts the async\n   metadata reclaim task (fs_info->async_reclaim_work);\r\n\r\n2) Writeback for all the filler inodes with an i_size of 2K starts\n   (generic/562 creates a lot of 2K files with the goal of filling\n   metadata space). We try to create an inline extent for them, but we\n   fail when trying to insert the inline extent with -ENOSPC (at\n   cow_file_range_inline()) - since this is not critical, we fallback\n   to non-inline mode (back to cow_file_range()), reserve extents\n---truncated---(CVE-2022-48664)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/imc-pmu: Add a null pointer check in update_events_in_group()\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.(CVE-2023-52675)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfc: nci: free rx_data_reassembly skb on NCI device cleanup\r\n\r\nrx_data_reassembly skb is stored during NCI data exchange for processing\nfragmented packets. It is dropped only when the last fragment is processed\nor when an NTF packet with NCI_OP_RF_DEACTIVATE_NTF opcode is received.\nHowever, the NCI device may be deallocated before that which leads to skb\nleak.\r\n\r\nAs by design the rx_data_reassembly skb is bound to the NCI device and\nnothing prevents the device to be freed before the skb is processed in\nsome way and cleaned, free it on the NCI device cleanup.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.(CVE-2024-26825)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_conntrack_h323: Add protection for bmp length out of range\r\n\r\nUBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts\nthat are out of bounds for their data type.\r\n\r\nvmlinux   get_bitmap(b=75) + 712\n<net/netfilter/nf_conntrack_h323_asn1.c:0>\nvmlinux   decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018, level=134443100) + 1956\n<net/netfilter/nf_conntrack_h323_asn1.c:592>\nvmlinux   decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216\n<net/netfilter/nf_conntrack_h323_asn1.c:814>\nvmlinux   decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812\n<net/netfilter/nf_conntrack_h323_asn1.c:576>\nvmlinux   decode_choice(base=0xFFFFFFD008037280, level=0) + 1216\n<net/netfilter/nf_conntrack_h323_asn1.c:814>\nvmlinux   DecodeRasMessage() + 304\n<net/netfilter/nf_conntrack_h323_asn1.c:833>\nvmlinux   ras_help() + 684\n<net/netfilter/nf_conntrack_h323_main.c:1728>\nvmlinux   nf_confirm() + 188\n<net/netfilter/nf_conntrack_proto.c:137>\r\n\r\nDue to abnormal data in skb->data, the extension bitmap length\nexceeds 32 when decoding ras message then uses the length to make\na shift operation. It will change into negative after several loop.\nUBSAN load could detect a negative shift as an undefined behaviour\nand reports exception.\nSo we add the protection to avoid the length exceeding 32. Or else\nit will return out of range error and stop decoding.(CVE-2024-26851)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nrds: tcp: Fix use-after-free of net in reqsk_timer_handler().\r\n\r\nsyzkaller reported a warning of netns tracker [0] followed by KASAN\nsplat [1] and another ref tracker warning [1].\r\n\r\nsyzkaller could not find a repro, but in the log, the only suspicious\nsequence was as follows:\r\n\r\n  18:26:22 executing program 1:\n  r0 = socket$inet6_mptcp(0xa, 0x1, 0x106)\n  ...\n  connect$inet6(r0, &(0x7f0000000080)={0xa, 0x4001, 0x0, @loopback}, 0x1c) (async)\r\n\r\nThe notable thing here is 0x4001 in connect(), which is RDS_TCP_PORT.\r\n\r\nSo, the scenario would be:\r\n\r\n  1. unshare(CLONE_NEWNET) creates a per netns tcp listener in\n      rds_tcp_listen_init().\n  2. syz-executor connect()s to it and creates a reqsk.\n  3. syz-executor exit()s immediately.\n  4. netns is dismantled.  [0]\n  5. reqsk timer is fired, and UAF happens while freeing reqsk.  [1]\n  6. listener is freed after RCU grace period.  [2]\r\n\r\nBasically, reqsk assumes that the listener guarantees netns safety\nuntil all reqsk timers are expired by holding the listener's refcount.\nHowever, this was not the case for kernel sockets.\r\n\r\nCommit 740ea3c4a0b2 (\"tcp: Clean up kernel listener's reqsk in\ninet_twsk_purge()\") fixed this issue only for per-netns ehash.\r\n\r\nLet's apply the same fix for the global ehash.\r\n\r\n[0]:\nref_tracker: net notrefcnt@0000000065449cc3 has 1/1 users at\n     sk_alloc (./include/net/net_namespace.h:337 net/core/sock.c:2146)\n     inet6_create (net/ipv6/af_inet6.c:192 net/ipv6/af_inet6.c:119)\n     __sock_create (net/socket.c:1572)\n     rds_tcp_listen_init (net/rds/tcp_listen.c:279)\n     rds_tcp_init_net (net/rds/tcp.c:577)\n     ops_init (net/core/net_namespace.c:137)\n     setup_net (net/core/net_namespace.c:340)\n     copy_net_ns (net/core/net_namespace.c:497)\n     create_new_namespaces (kernel/nsproxy.c:110)\n     unshare_nsproxy_namespaces (kernel/nsproxy.c:228 (discriminator 4))\n     ksys_unshare (kernel/fork.c:3429)\n     __x64_sys_unshare (kernel/fork.c:3496)\n     do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\n     entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)\n...\nWARNING: CPU: 0 PID: 27 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179)\r\n\r\n[1]:\nBUG: KASAN: slab-use-after-free in inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966)\nRead of size 8 at addr ffff88801b370400 by task swapper/0/0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <IRQ>\n dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))\n print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)\n kasan_report (mm/kasan/report.c:603)\n inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966)\n reqsk_timer_handler (net/ipv4/inet_connection_sock.c:979 net/ipv4/inet_connection_sock.c:1092)\n call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)\n __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2038)\n run_timer_softirq (kernel/time/timer.c:2053)\n __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)\n irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632 kernel/softirq.c:644)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1076 (discriminator 14))\n </IRQ>\r\n\r\nAllocated by task 258 on cpu 0 at 83.612050s:\n kasan_save_stack (mm/kasan/common.c:48)\n kasan_save_track (mm/kasan/common.c:68)\n __kasan_slab_alloc (mm/kasan/common.c:343)\n kmem_cache_alloc (mm/slub.c:3813 mm/slub.c:3860 mm/slub.c:3867)\n copy_net_ns (./include/linux/slab.h:701 net/core/net_namespace.c:421 net/core/net_namespace.c:480)\n create_new_namespaces (kernel/nsproxy.c:110)\n unshare_nsproxy_name\n---truncated---(CVE-2024-26865)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndo_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak\r\n\r\nsyzbot identified a kernel information leak vulnerability in\ndo_sys_name_to_handle() and issued the following report [1].\r\n\r\n[1]\n\"BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n _copy_to_user+0xbc/0x100 lib/usercopy.c:40\n copy_to_user include/linux/uaccess.h:191 [inline]\n do_sys_name_to_handle fs/fhandle.c:73 [inline]\n __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]\n __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94\n __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94\n ...\r\n\r\nUninit was created at:\n slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n slab_alloc_node mm/slub.c:3478 [inline]\n __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517\n __do_kmalloc_node mm/slab_common.c:1006 [inline]\n __kmalloc+0x121/0x3c0 mm/slab_common.c:1020\n kmalloc include/linux/slab.h:604 [inline]\n do_sys_name_to_handle fs/fhandle.c:39 [inline]\n __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]\n __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94\n __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94\n ...\r\n\r\nBytes 18-19 of 20 are uninitialized\nMemory access of size 20 starts at ffff888128a46380\nData copied to user address 0000000020000240\"\r\n\r\nPer Chuck Lever's suggestion, use kzalloc() instead of kmalloc() to\nsolve the problem.(CVE-2024-26901)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security\r\n\r\nDuring our fuzz testing of the connection and disconnection process at the\nRFCOMM layer, we discovered this bug. By comparing the packets from a\nnormal connection and disconnection process with the testcase that\ntriggered a KASAN report. We analyzed the cause of this bug as follows:\r\n\r\n1. In the packets captured during a normal connection, the host sends a\n`Read Encryption Key Size` type of `HCI_CMD` packet\n(Command Opcode: 0x1408) to the controller to inquire the length of\nencryption key.After receiving this packet, the controller immediately\nreplies with a Command Completepacket (Event Code: 0x0e) to return the\nEncryption Key Size.\r\n\r\n2. In our fuzz test case, the timing of the controller's response to this\npacket was delayed to an unexpected point: after the RFCOMM and L2CAP\nlayers had disconnected but before the HCI layer had disconnected.\r\n\r\n3. After receiving the Encryption Key Size Response at the time described\nin point 2, the host still called the rfcomm_check_security function.\nHowever, by this time `struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;`\nhad already been released, and when the function executed\n`return hci_conn_security(conn->hcon, d->sec_level, auth_type, d->out);`,\nspecifically when accessing `conn->hcon`, a null-ptr-deref error occurred.\r\n\r\nTo fix this bug, check if `sk->sk_state` is BT_CLOSED before calling\nrfcomm_recv_frame in rfcomm_process_rx.(CVE-2024-26903)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2024-26908)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ninet: inet_defrag: prevent sk release while still in use\r\n\r\nip_local_out() and other functions can pass skb->sk as function argument.\r\n\r\nIf the skb is a fragment and reassembly happens before such function call\nreturns, the sk must not be released.\r\n\r\nThis affects skb fragments reassembled via netfilter or similar\nmodules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline.\r\n\r\nEric Dumazet made an initial analysis of this bug.  Quoting Eric:\n  Calling ip_defrag() in output path is also implying skb_orphan(),\n  which is buggy because output path relies on sk not disappearing.\r\n\r\n  A relevant old patch about the issue was :\n  8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\")\r\n\r\n  [..]\r\n\r\n  net/ipv4/ip_output.c depends on skb->sk being set, and probably to an\n  inet socket, not an arbitrary one.\r\n\r\n  If we orphan the packet in ipvlan, then downstream things like FQ\n  packet scheduler will not work properly.\r\n\r\n  We need to change ip_defrag() to only use skb_orphan() when really\n  needed, ie whenever frag_list is going to be used.\r\n\r\nEric suggested to stash sk in fragment queue and made an initial patch.\nHowever there is a problem with this:\r\n\r\nIf skb is refragmented again right after, ip_do_fragment() will copy\nhead->sk to the new fragments, and sets up destructor to sock_wfree.\nIOW, we have no choice but to fix up sk_wmem accouting to reflect the\nfully reassembled skb, else wmem will underflow.\r\n\r\nThis change moves the orphan down into the core, to last possible moment.\nAs ip_defrag_offset is aliased with sk_buff->sk member, we must move the\noffset into the FRAG_CB, else skb->sk gets clobbered.\r\n\r\nThis allows to delay the orphaning long enough to learn if the skb has\nto be queued or if the skb is completing the reasm queue.\r\n\r\nIn the former case, things work as before, skb is orphaned.  This is\nsafe because skb gets queued/stolen and won't continue past reasm engine.\r\n\r\nIn the latter case, we will steal the skb->sk reference, reattach it to\nthe head skb, and fix up wmem accouting when inet_frag inflates truesize.(CVE-2024-26921)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\naf_unix: Fix garbage collector racing against connect()\r\n\r\nGarbage collector does not take into account the risk of embryo getting\nenqueued during the garbage collection. If such embryo has a peer that\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\ndifferent set of children. Leading to an incorrectly elevated inflight\ncount, and then a dangling pointer within the gc_inflight_list.\r\n\r\nsockets are AF_UNIX/SOCK_STREAM\nS is an unconnected socket\nL is a listening in-flight socket bound to addr, not in fdtable\nV's fd will be passed via sendmsg(), gets inflight count bumped\r\n\r\nconnect(S, addr)\tsendmsg(S, [V]); close(V)\t__unix_gc()\n----------------\t-------------------------\t-----------\r\n\r\nNS = unix_create1()\nskb1 = sock_wmalloc(NS)\nL = unix_find_other(addr)\nunix_state_lock(L)\nunix_peer(S) = NS\n\t\t\t// V count=1 inflight=0\r\n\r\n \t\t\tNS = unix_peer(S)\n \t\t\tskb2 = sock_alloc()\n\t\t\tskb_queue_tail(NS, skb2[V])\r\n\r\n\t\t\t// V became in-flight\n\t\t\t// V count=2 inflight=1\r\n\r\n\t\t\tclose(V)\r\n\r\n\t\t\t// V count=1 inflight=1\n\t\t\t// GC candidate condition met\r\n\r\n\t\t\t\t\t\tfor u in gc_inflight_list:\n\t\t\t\t\t\t  if (total_refs == inflight_refs)\n\t\t\t\t\t\t    add u to gc_candidates\r\n\r\n\t\t\t\t\t\t// gc_candidates={L, V}\r\n\r\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  scan_children(u, dec_inflight)\r\n\r\n\t\t\t\t\t\t// embryo (skb1) was not\n\t\t\t\t\t\t// reachable from L yet, so V's\n\t\t\t\t\t\t// inflight remains unchanged\n__skb_queue_tail(L, skb1)\nunix_state_unlock(L)\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  if (u.inflight)\n\t\t\t\t\t\t    scan_children(u, inc_inflight_move_tail)\r\n\r\n\t\t\t\t\t\t// V count=1 inflight=2 (!)\r\n\r\nIf there is a GC-candidate listening socket, lock/unlock its state. This\nmakes GC wait until the end of any ongoing connect() to that socket. After\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\nthis point, unix_inflight() can not happen because unix_gc_lock is already\ntaken. Inflight graph remains unaffected.(CVE-2024-26923)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbinder: check offset alignment in binder_get_object()\r\n\r\nCommit 6d98eb95b450 (\"binder: avoid potential data leakage when copying\ntxn\") introduced changes to how binder objects are copied. In doing so,\nit unintentionally removed an offset alignment check done through calls\nto binder_alloc_copy_from_buffer() -> check_buffer().\r\n\r\nThese calls were replaced in binder_get_object() with copy_from_user(),\nso now an explicit offset alignment check is needed here. This avoids\nlater complications when unwinding the objects gets harder.\r\n\r\nIt is worth noting this check existed prior to commit 7a67a39320df\n(\"binder: add function to copy binder object from buffer\"), likely\nremoved due to redundancy at the time.(CVE-2024-26926)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: openvswitch: Fix Use-After-Free in ovs_ct_exit\r\n\r\nSince kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof ovs_ct_limit_exit, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\r\n\r\nTo prevent this, it should be changed to hlist_for_each_entry_safe.(CVE-2024-27395)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: gtp: Fix Use-After-Free in gtp_dellink\r\n\r\nSince call_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof gtp_dellink, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\r\n\r\nTo prevent this, it should be changed to hlist_for_each_entry_safe.(CVE-2024-27396)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: Fix use-after-free bugs caused by sco_sock_timeout\r\n\r\nWhen the sco connection is established and then, the sco socket\nis releasing, timeout_work will be scheduled to judge whether\nthe sco disconnection is timeout. The sock will be deallocated\nlater, but it is dereferenced again in sco_sock_timeout. As a\nresult, the use-after-free bugs will happen. The root cause is\nshown below:\r\n\r\n    Cleanup Thread               |      Worker Thread\nsco_sock_release                 |\n  sco_sock_close                 |\n    __sco_sock_close             |\n      sco_sock_set_timer         |\n        schedule_delayed_work    |\n  sco_sock_kill                  |    (wait a time)\n    sock_put(sk) //FREE          |  sco_sock_timeout\n                                 |    sock_hold(sk) //USE\r\n\r\nThe KASAN report triggered by POC is shown below:\r\n\r\n[   95.890016] ==================================================================\n[   95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0\n[   95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7\n...\n[   95.890755] Workqueue: events sco_sock_timeout\n[   95.890755] Call Trace:\n[   95.890755]  <TASK>\n[   95.890755]  dump_stack_lvl+0x45/0x110\n[   95.890755]  print_address_description+0x78/0x390\n[   95.890755]  print_report+0x11b/0x250\n[   95.890755]  ? __virt_addr_valid+0xbe/0xf0\n[   95.890755]  ? sco_sock_timeout+0x5e/0x1c0\n[   95.890755]  kasan_report+0x139/0x170\n[   95.890755]  ? update_load_avg+0xe5/0x9f0\n[   95.890755]  ? sco_sock_timeout+0x5e/0x1c0\n[   95.890755]  kasan_check_range+0x2c3/0x2e0\n[   95.890755]  sco_sock_timeout+0x5e/0x1c0\n[   95.890755]  process_one_work+0x561/0xc50\n[   95.890755]  worker_thread+0xab2/0x13c0\n[   95.890755]  ? pr_cont_work+0x490/0x490\n[   95.890755]  kthread+0x279/0x300\n[   95.890755]  ? pr_cont_work+0x490/0x490\n[   95.890755]  ? kthread_blkcg+0xa0/0xa0\n[   95.890755]  ret_from_fork+0x34/0x60\n[   95.890755]  ? kthread_blkcg+0xa0/0xa0\n[   95.890755]  ret_from_fork_asm+0x11/0x20\n[   95.890755]  </TASK>\n[   95.890755]\n[   95.890755] Allocated by task 506:\n[   95.890755]  kasan_save_track+0x3f/0x70\n[   95.890755]  __kasan_kmalloc+0x86/0x90\n[   95.890755]  __kmalloc+0x17f/0x360\n[   95.890755]  sk_prot_alloc+0xe1/0x1a0\n[   95.890755]  sk_alloc+0x31/0x4e0\n[   95.890755]  bt_sock_alloc+0x2b/0x2a0\n[   95.890755]  sco_sock_create+0xad/0x320\n[   95.890755]  bt_sock_create+0x145/0x320\n[   95.890755]  __sock_create+0x2e1/0x650\n[   95.890755]  __sys_socket+0xd0/0x280\n[   95.890755]  __x64_sys_socket+0x75/0x80\n[   95.890755]  do_syscall_64+0xc4/0x1b0\n[   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[   95.890755]\n[   95.890755] Freed by task 506:\n[   95.890755]  kasan_save_track+0x3f/0x70\n[   95.890755]  kasan_save_free_info+0x40/0x50\n[   95.890755]  poison_slab_object+0x118/0x180\n[   95.890755]  __kasan_slab_free+0x12/0x30\n[   95.890755]  kfree+0xb2/0x240\n[   95.890755]  __sk_destruct+0x317/0x410\n[   95.890755]  sco_sock_release+0x232/0x280\n[   95.890755]  sock_close+0xb2/0x210\n[   95.890755]  __fput+0x37f/0x770\n[   95.890755]  task_work_run+0x1ae/0x210\n[   95.890755]  get_signal+0xe17/0xf70\n[   95.890755]  arch_do_signal_or_restart+0x3f/0x520\n[   95.890755]  syscall_exit_to_user_mode+0x55/0x120\n[   95.890755]  do_syscall_64+0xd1/0x1b0\n[   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[   95.890755]\n[   95.890755] The buggy address belongs to the object at ffff88800c388000\n[   95.890755]  which belongs to the cache kmalloc-1k of size 1024\n[   95.890755] The buggy address is located 128 bytes inside of\n[   95.890755]  freed 1024-byte region [ffff88800c388000, ffff88800c388400)\n[   95.890755]\n[   95.890755] The buggy address belongs to the physical page:\n[   95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388\n[   95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n[   95.890755] ano\n---truncated---(CVE-2024-27398)",
+    "cves": [
+      {
+        "id": "CVE-2024-26825",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26825",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2024-27398",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27398",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1965": {
+    "id": "openEuler-SA-2022-1965",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1965",
+    "title": "An update for dpdk is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "DPDK core includes kernel modules, core libraries and tools.testpmd application allows to test fast packet processing environments on arm64 platforms. For instance, it can be used to check that environment can support fast path applications such as 6WINDGate, pktgen, rumptcpip, etc. More libraries are available as extensions in other packages.\r\n\r\nSecurity Fix(es):\r\n\r\nNVIDIA’s distribution of the Data Plane Development Kit (MLNX_DPDK) contains a vulnerability in the network stack, where error recovery is not handled properly, which can allow a remote attacker to cause denial of service and some impact to data integrity and confidentiality.(CVE-2022-28199)",
+    "cves": [
+      {
+        "id": "CVE-2022-28199",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28199",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1146": {
+    "id": "openEuler-SA-2024-1146",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1146",
+    "title": "An update for rubygem-actionpack is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Eases web-request routing, handling, and response as a half-way front, half-way page controller. Implemented with specific emphasis on enabling easy unit/integration testing that doesn't require a browser.\r\n\r\nSecurity Fix(es):\r\n\r\nA regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.(CVE-2023-22792)\r\n\r\nA regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.(CVE-2023-22795)",
+    "cves": [
+      {
+        "id": "CVE-2023-22795",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22795",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1597": {
+    "id": "openEuler-SA-2024-1597",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1597",
+    "title": "An update for xorg-x11-server-xwayland is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Xwayland is an X server for running X clients under Wayland.   %package devel Summary: Development package Requires: pkgconfig   %description devel The development package provides the developmental files which are necessary for developing Wayland compositors using Xwayland.   %prep %autosetup -n xwayland-   %build %meson \\         -Dxwayland_eglstream=true \\         -Ddefault_font_path=\"catalogue:/etc/X11/fontpath.d,built-ins\" \\         -Dbuilder_string=\"Build ID:  -\" \\         -Dxkb_output_dir=/lib/xkb \\         -Dxcsecurity=true \\         -Dglamor=true \\         -Ddri3=true   %meson_build\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds memory access flaw was found in the X.Org server. This issue can be triggered when a device frozen by a sync grab is reattached to a different master device. This issue may lead to an application crash, local privilege escalation (if the server runs with extended privileges), or remote code execution in SSH X11 forwarding environments.(CVE-2024-0229)\r\n\r\nA flaw was found in the X.Org server. The cursor code in both Xephyr and Xwayland uses the wrong type of private at creation. It uses the cursor bits type with the cursor as private, and when initiating the cursor, that overwrites the XSELINUX context.(CVE-2024-0409)",
+    "cves": [
+      {
+        "id": "CVE-2024-0409",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0409",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1014": {
+    "id": "openEuler-SA-2024-1014",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1014",
+    "title": "An update for python-twisted is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Twisted is an event-based framework for internet applications, supporting Python 2.7 and Python 3.5+. It includes modules for many different purposes, including the following:\r\n\r\nSecurity Fix(es):\r\n\r\nTwisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline. Version 23.10.0rc1 contains a patch for this issue.(CVE-2023-46137)",
+    "cves": [
+      {
+        "id": "CVE-2023-46137",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46137",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1031": {
+    "id": "openEuler-SA-2023-1031",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1031",
+    "title": "An update for jetty is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Jetty is a 100% Java HTTP Server and Servlet Container. This means that you do not need to configure and run a separate web server (like Apache) in order to use Java, servlets and JSPs to generate dynamic content. Jetty is a fully featured web server for static and dynamic content. Unlike separate server/container solutions, this means that your web server and web application run in the same process, without interconnection overheads and complications. Furthermore, as a pure java component, Jetty can be simply included in your application for demonstration, distribution or deployment.Jetty is available on all Java supported platforms.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests.(CVE-2022-2048)\r\n\r\nIn Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.(CVE-2022-2047)",
+    "cves": [
+      {
+        "id": "CVE-2022-2047",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2047",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1673": {
+    "id": "openEuler-SA-2024-1673",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1673",
+    "title": "An update for python-idna is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "A library to support the Internationalised Domain Names in Applications (IDNA) protocol as specified in RFC 5891 http://tools.ietf.org/html/rfc5891. This version of the protocol is often referred to as “IDNA2008” and can produce different results from the earlier standard from 2003.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the python-idna library. A malicious argument was sent to the idna.encode() function can trigger an uncontrolled resource consumption, resulting in a denial of service.(CVE-2024-3651)",
+    "cves": [
+      {
+        "id": "CVE-2024-3651",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3651",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1680": {
+    "id": "openEuler-SA-2024-1680",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1680",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: handle the case of pci_channel_io_frozen only in amdgpu_pci_resume\r\n\r\nIn current code, when a PCI error state pci_channel_io_normal is detectd,\nit will report PCI_ERS_RESULT_CAN_RECOVER status to PCI driver, and PCI\ndriver will continue the execution of PCI resume callback report_resume by\npci_walk_bridge, and the callback will go into amdgpu_pci_resume\nfinally, where write lock is releasd unconditionally without acquiring\nsuch lock first. In this case, a deadlock will happen when other threads\nstart to acquire the read lock.\r\n\r\nTo fix this, add a member in amdgpu_device strucutre to cache\npci_channel_state, and only continue the execution in amdgpu_pci_resume\nwhen it's pci_channel_io_frozen.(CVE-2021-47421)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nptp: Fix possible memory leak in ptp_clock_register()\r\n\r\nI got memory leak as follows when doing fault injection test:\r\n\r\nunreferenced object 0xffff88800906c618 (size 8):\n  comm \"i2c-idt82p33931\", pid 4421, jiffies 4294948083 (age 13.188s)\n  hex dump (first 8 bytes):\n    70 74 70 30 00 00 00 00                          ptp0....\n  backtrace:\n    [<00000000312ed458>] __kmalloc_track_caller+0x19f/0x3a0\n    [<0000000079f6e2ff>] kvasprintf+0xb5/0x150\n    [<0000000026aae54f>] kvasprintf_const+0x60/0x190\n    [<00000000f323a5f7>] kobject_set_name_vargs+0x56/0x150\n    [<000000004e35abdd>] dev_set_name+0xc0/0x100\n    [<00000000f20cfe25>] ptp_clock_register+0x9f4/0xd30 [ptp]\n    [<000000008bb9f0de>] idt82p33_probe.cold+0x8b6/0x1561 [ptp_idt82p33]\r\n\r\nWhen posix_clock_register() returns an error, the name allocated\nin dev_set_name() will be leaked, the put_device() should be used\nto give up the device reference, then the name will be freed in\nkobject_cleanup() and other memory will be freed in ptp_clock_release().(CVE-2021-47455)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: ebtables: fix memory leak when blob is malformed\r\n\r\nThe bug fix was incomplete, it \"replaced\" crash with a memory leak.\nThe old code had an assignment to \"ret\" embedded into the conditional,\nrestore this.(CVE-2022-48641)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npinctrl: single: fix potential NULL dereference\r\n\r\nAdded checking of pointer \"function\" in pcs_set_mux().\npinmux_generic_get_function() can return NULL and the pointer\n\"function\" was dereferenced without checking against NULL.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2022-48708)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/tegra: dsi: Add missing check for of_find_device_by_node\r\n\r\nAdd check for the return value of of_find_device_by_node() and return\nthe error if it fails in order to avoid NULL pointer dereference.(CVE-2023-52650)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nio_uring: drop any code related to SCM_RIGHTS\r\n\r\nThis is dead code after we dropped support for passing io_uring fds\nover SCM_RIGHTS, get rid of it.(CVE-2023-52656)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: atlantic: eliminate double free in error handling logic\r\n\r\nDriver has a logic leak in ring data allocation/free,\nwhere aq_ring_free could be called multiple times on same ring,\nif system is under stress and got memory allocation error.\r\n\r\nRing pointer was used as an indicator of failure, but this is\nnot correct since only ring data is allocated/deallocated.\nRing itself is an array member.\r\n\r\nChanging ring allocation functions to return error code directly.\nThis simplifies error handling and eliminates aq_ring_free\non higher layer.(CVE-2023-52664)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nACPI: LPIT: Avoid u32 multiplication overflow\r\n\r\nIn lpit_update_residency() there is a possibility of overflow\nin multiplication, if tsc_khz is large enough (> UINT_MAX/1000).\r\n\r\nChange multiplication to mul_u32_u32().\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2023-52683)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncalipso: fix memory leak in netlbl_calipso_add_pass()\r\n\r\nIf IPv6 support is disabled at boot (ipv6.disable=1),\nthe calipso_init() -> netlbl_calipso_ops_register() function isn't called,\nand the netlbl_calipso_ops_get() function always returns NULL.\nIn this case, the netlbl_calipso_add_pass() function allocates memory\nfor the doi_def variable but doesn't free it with the calipso_doi_free().\r\n\r\nBUG: memory leak\nunreferenced object 0xffff888011d68180 (size 64):\n  comm \"syz-executor.1\", pid 10746, jiffies 4295410986 (age 17.928s)\n  hex dump (first 32 bytes):\n    00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<...>] kmalloc include/linux/slab.h:552 [inline]\n    [<...>] netlbl_calipso_add_pass net/netlabel/netlabel_calipso.c:76 [inline]\n    [<...>] netlbl_calipso_add+0x22e/0x4f0 net/netlabel/netlabel_calipso.c:111\n    [<...>] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739\n    [<...>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n    [<...>] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800\n    [<...>] netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2515\n    [<...>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:811\n    [<...>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n    [<...>] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1339\n    [<...>] netlink_sendmsg+0x90a/0xdf0 net/netlink/af_netlink.c:1934\n    [<...>] sock_sendmsg_nosec net/socket.c:651 [inline]\n    [<...>] sock_sendmsg+0x157/0x190 net/socket.c:671\n    [<...>] ____sys_sendmsg+0x712/0x870 net/socket.c:2342\n    [<...>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2396\n    [<...>] __sys_sendmsg+0xea/0x1b0 net/socket.c:2429\n    [<...>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46\n    [<...>] entry_SYSCALL_64_after_hwframe+0x61/0xc6\r\n\r\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller\r\n\r\n[PM: merged via the LSM tree at Jakub Kicinski request](CVE-2023-52698)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup()\r\n\r\nfc_lport_ptp_setup() did not check the return value of fc_rport_create()\nwhich can return NULL and would cause a NULL pointer dereference. Address\nthis issue by checking return value of fc_rport_create() and log error\nmessage on fc_rport_create() failed.(CVE-2023-52809)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: pcrypt - Fix hungtask for PADATA_RESET\r\n\r\nWe found a hungtask bug in test_aead_vec_cfg as follows:\r\n\r\nINFO: task cryptomgr_test:391009 blocked for more than 120 seconds.\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\nCall trace:\n __switch_to+0x98/0xe0\n __schedule+0x6c4/0xf40\n schedule+0xd8/0x1b4\n schedule_timeout+0x474/0x560\n wait_for_common+0x368/0x4e0\n wait_for_completion+0x20/0x30\n wait_for_completion+0x20/0x30\n test_aead_vec_cfg+0xab4/0xd50\n test_aead+0x144/0x1f0\n alg_test_aead+0xd8/0x1e0\n alg_test+0x634/0x890\n cryptomgr_test+0x40/0x70\n kthread+0x1e0/0x220\n ret_from_fork+0x10/0x18\n Kernel panic - not syncing: hung_task: blocked tasks\r\n\r\nFor padata_do_parallel, when the return err is 0 or -EBUSY, it will call\nwait_for_completion(&wait->completion) in test_aead_vec_cfg. In normal\ncase, aead_request_complete() will be called in pcrypt_aead_serial and the\nreturn err is 0 for padata_do_parallel. But, when pinst->flags is\nPADATA_RESET, the return err is -EBUSY for padata_do_parallel, and it\nwon't call aead_request_complete(). Therefore, test_aead_vec_cfg will\nhung at wait_for_completion(&wait->completion), which will cause\nhungtask.\r\n\r\nThe problem comes as following:\n(padata_do_parallel)                 |\n    rcu_read_lock_bh();              |\n    err = -EINVAL;                   |   (padata_replace)\n                                     |     pinst->flags |= PADATA_RESET;\n    err = -EBUSY                     |\n    if (pinst->flags & PADATA_RESET) |\n        rcu_read_unlock_bh()         |\n        return err\r\n\r\nIn order to resolve the problem, we replace the return err -EBUSY with\n-EAGAIN, which means parallel_data is changing, and the caller should call\nit again.\r\n\r\nv3:\nremove retry and just change the return err.\nv2:\nintroduce padata_try_do_parallel() in pcrypt_aead_encrypt and\npcrypt_aead_decrypt to solve the hungtask.(CVE-2023-52813)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL\r\n\r\nIn certain types of chips, such as VEGA20, reading the amdgpu_regs_smc file could result in an abnormal null pointer access when the smc_rreg pointer is NULL. Below are the steps to reproduce this issue and the corresponding exception log:\r\n\r\n1. Navigate to the directory: /sys/kernel/debug/dri/0\n2. Execute command: cat amdgpu_regs_smc\n3. Exception Log::\n[4005007.702554] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[4005007.702562] #PF: supervisor instruction fetch in kernel mode\n[4005007.702567] #PF: error_code(0x0010) - not-present page\n[4005007.702570] PGD 0 P4D 0\n[4005007.702576] Oops: 0010 [#1] SMP NOPTI\n[4005007.702581] CPU: 4 PID: 62563 Comm: cat Tainted: G           OE     5.15.0-43-generic #46-Ubunt       u\n[4005007.702590] RIP: 0010:0x0\n[4005007.702598] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.\n[4005007.702600] RSP: 0018:ffffa82b46d27da0 EFLAGS: 00010206\n[4005007.702605] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffa82b46d27e68\n[4005007.702609] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9940656e0000\n[4005007.702612] RBP: ffffa82b46d27dd8 R08: 0000000000000000 R09: ffff994060c07980\n[4005007.702615] R10: 0000000000020000 R11: 0000000000000000 R12: 00007f5e06753000\n[4005007.702618] R13: ffff9940656e0000 R14: ffffa82b46d27e68 R15: 00007f5e06753000\n[4005007.702622] FS:  00007f5e0755b740(0000) GS:ffff99479d300000(0000) knlGS:0000000000000000\n[4005007.702626] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[4005007.702629] CR2: ffffffffffffffd6 CR3: 00000003253fc000 CR4: 00000000003506e0\n[4005007.702633] Call Trace:\n[4005007.702636]  <TASK>\n[4005007.702640]  amdgpu_debugfs_regs_smc_read+0xb0/0x120 [amdgpu]\n[4005007.703002]  full_proxy_read+0x5c/0x80\n[4005007.703011]  vfs_read+0x9f/0x1a0\n[4005007.703019]  ksys_read+0x67/0xe0\n[4005007.703023]  __x64_sys_read+0x19/0x20\n[4005007.703028]  do_syscall_64+0x5c/0xc0\n[4005007.703034]  ? do_user_addr_fault+0x1e3/0x670\n[4005007.703040]  ? exit_to_user_mode_prepare+0x37/0xb0\n[4005007.703047]  ? irqentry_exit_to_user_mode+0x9/0x20\n[4005007.703052]  ? irqentry_exit+0x19/0x30\n[4005007.703057]  ? exc_page_fault+0x89/0x160\n[4005007.703062]  ? asm_exc_page_fault+0x8/0x30\n[4005007.703068]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[4005007.703075] RIP: 0033:0x7f5e07672992\n[4005007.703079] Code: c0 e9 b2 fe ff ff 50 48 8d 3d fa b2 0c 00 e8 c5 1d 02 00 0f 1f 44 00 00 f3 0f        1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 e       c 28 48 89 54 24\n[4005007.703083] RSP: 002b:00007ffe03097898 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[4005007.703088] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5e07672992\n[4005007.703091] RDX: 0000000000020000 RSI: 00007f5e06753000 RDI: 0000000000000003\n[4005007.703094] RBP: 00007f5e06753000 R08: 00007f5e06752010 R09: 00007f5e06752010\n[4005007.703096] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000022000\n[4005007.703099] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000\n[4005007.703105]  </TASK>\n[4005007.703107] Modules linked in: nf_tables libcrc32c nfnetlink algif_hash af_alg binfmt_misc nls_       iso8859_1 ipmi_ssif ast intel_rapl_msr intel_rapl_common drm_vram_helper drm_ttm_helper amd64_edac t       tm edac_mce_amd kvm_amd ccp mac_hid k10temp kvm acpi_ipmi ipmi_si rapl sch_fq_codel ipmi_devintf ipm       i_msghandler msr parport_pc ppdev lp parport mtd pstore_blk efi_pstore ramoops pstore_zone reed_solo       mon ip_tables x_tables autofs4 ib_uverbs ib_core amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) iommu_v       2 amd_sched(OE) amdkcl(OE) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec rc_core        drm igb ahci xhci_pci libahci i2c_piix4 i2c_algo_bit xhci_pci_renesas dca\n[4005007.703184] CR2: 0000000000000000\n[4005007.703188] ---[ en\n---truncated---(CVE-2023-52817)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nperf/core: Bail out early if the request AUX area is out of bound\r\n\r\nWhen perf-record with a large AUX area, e.g 4GB, it fails with:\r\n\r\n    #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1\n    failed to mmap with 12 (Cannot allocate memory)\r\n\r\nand it reveals a WARNING with __alloc_pages():\r\n\r\n\t------------[ cut here ]------------\n\tWARNING: CPU: 44 PID: 17573 at mm/page_alloc.c:5568 __alloc_pages+0x1ec/0x248\n\tCall trace:\n\t __alloc_pages+0x1ec/0x248\n\t __kmalloc_large_node+0xc0/0x1f8\n\t __kmalloc_node+0x134/0x1e8\n\t rb_alloc_aux+0xe0/0x298\n\t perf_mmap+0x440/0x660\n\t mmap_region+0x308/0x8a8\n\t do_mmap+0x3c0/0x528\n\t vm_mmap_pgoff+0xf4/0x1b8\n\t ksys_mmap_pgoff+0x18c/0x218\n\t __arm64_sys_mmap+0x38/0x58\n\t invoke_syscall+0x50/0x128\n\t el0_svc_common.constprop.0+0x58/0x188\n\t do_el0_svc+0x34/0x50\n\t el0_svc+0x34/0x108\n\t el0t_64_sync_handler+0xb8/0xc0\n\t el0t_64_sync+0x1a4/0x1a8\r\n\r\n'rb->aux_pages' allocated by kcalloc() is a pointer array which is used to\nmaintains AUX trace pages. The allocated page for this array is physically\ncontiguous (and virtually contiguous) with an order of 0..MAX_ORDER. If the\nsize of pointer array crosses the limitation set by MAX_ORDER, it reveals a\nWARNING.\r\n\r\nSo bail out early with -ENOMEM if the request AUX area is out of bound,\ne.g.:\r\n\r\n    #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1\n    failed to mmap with 12 (Cannot allocate memory)(CVE-2023-52835)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnbd: fix uaf in nbd_open\r\n\r\nCommit 4af5f2e03013 (\"nbd: use blk_mq_alloc_disk and\nblk_cleanup_disk\") cleans up disk by blk_cleanup_disk() and it won't set\ndisk->private_data as NULL as before. UAF may be triggered in nbd_open()\nif someone tries to open nbd device right after nbd_put() since nbd has\nbeen free in nbd_dev_remove().\r\n\r\nFix this by implementing ->free_disk and free private data in it.(CVE-2023-52837)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nInput: synaptics-rmi4 - fix use after free in rmi_unregister_function()\r\n\r\nThe put_device() calls rmi_release_function() which frees \"fn\" so the\ndereference on the next line \"fn->num_of_irqs\" is a use after free.\nMove the put_device() to the end to fix this.(CVE-2023-52840)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: vidtv: psi: Add check for kstrdup\r\n\r\nAdd check for the return value of kstrdup() and return the error\nif it fails in order to avoid NULL pointer dereference.(CVE-2023-52844)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: bttv: fix use after free error due to btv->timeout timer\r\n\r\nThere may be some a race condition between timer function\nbttv_irq_timeout and bttv_remove. The timer is setup in\nprobe and there is no timer_delete operation in remove\nfunction. When it hit kfree btv, the function might still be\ninvoked, which will cause use after free bug.\r\n\r\nThis bug is found by static analysis, it may be false positive.\r\n\r\nFix it by adding del_timer_sync invoking to the remove function.\r\n\r\ncpu0                cpu1\n                  bttv_probe\n                    ->timer_setup\n                      ->bttv_set_dma\n                        ->mod_timer;\nbttv_remove\n  ->kfree(btv);\n                  ->bttv_irq_timeout\n                    ->USE btv(CVE-2023-52847)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npadata: Fix refcnt handling in padata_free_shell()\r\n\r\nIn a high-load arm64 environment, the pcrypt_aead01 test in LTP can lead\nto system UAF (Use-After-Free) issues. Due to the lengthy analysis of\nthe pcrypt_aead01 function call, I'll describe the problem scenario\nusing a simplified model:\r\n\r\nSuppose there's a user of padata named `user_function` that adheres to\nthe padata requirement of calling `padata_free_shell` after `serial()`\nhas been invoked, as demonstrated in the following code:\r\n\r\n```c\nstruct request {\n    struct padata_priv padata;\n    struct completion *done;\n};\r\n\r\nvoid parallel(struct padata_priv *padata) {\n    do_something();\n}\r\n\r\nvoid serial(struct padata_priv *padata) {\n    struct request *request = container_of(padata,\n    \t\t\t\tstruct request,\n\t\t\t\tpadata);\n    complete(request->done);\n}\r\n\r\nvoid user_function() {\n    DECLARE_COMPLETION(done)\n    padata->parallel = parallel;\n    padata->serial = serial;\n    padata_do_parallel();\n    wait_for_completion(&done);\n    padata_free_shell();\n}\n```\r\n\r\nIn the corresponding padata.c file, there's the following code:\r\n\r\n```c\nstatic void padata_serial_worker(struct work_struct *serial_work) {\n    ...\n    cnt = 0;\r\n\r\n    while (!list_empty(&local_list)) {\n        ...\n        padata->serial(padata);\n        cnt++;\n    }\r\n\r\n    local_bh_enable();\r\n\r\n    if (refcount_sub_and_test(cnt, &pd->refcnt))\n        padata_free_pd(pd);\n}\n```\r\n\r\nBecause of the high system load and the accumulation of unexecuted\nsoftirq at this moment, `local_bh_enable()` in padata takes longer\nto execute than usual. Subsequently, when accessing `pd->refcnt`,\n`pd` has already been released by `padata_free_shell()`, resulting\nin a UAF issue with `pd->refcnt`.\r\n\r\nThe fix is straightforward: add `refcount_dec_and_test` before calling\n`padata_free_pd` in `padata_free_shell`.(CVE-2023-52854)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrivers/perf: hisi: use cpuhp_state_remove_instance_nocalls() for hisi_hns3_pmu uninit process\r\n\r\nWhen tearing down a 'hisi_hns3' PMU, we mistakenly run the CPU hotplug\ncallbacks after the device has been unregistered, leading to fireworks\nwhen we try to execute empty function callbacks within the driver:\r\n\r\n  | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n  | CPU: 0 PID: 15 Comm: cpuhp/0 Tainted: G        W  O      5.12.0-rc4+ #1\n  | Hardware name:  , BIOS KpxxxFPGA 1P B600 V143 04/22/2021\n  | pstate: 80400009 (Nzcv daif +PAN -UAO -TCO BTYPE=--)\n  | pc : perf_pmu_migrate_context+0x98/0x38c\n  | lr : perf_pmu_migrate_context+0x94/0x38c\n  |\n  | Call trace:\n  |  perf_pmu_migrate_context+0x98/0x38c\n  |  hisi_hns3_pmu_offline_cpu+0x104/0x12c [hisi_hns3_pmu]\r\n\r\nUse cpuhp_state_remove_instance_nocalls() instead of\ncpuhp_state_remove_instance() so that the notifiers don't execute after\nthe PMU device has been unregistered.\r\n\r\n[will: Rewrote commit message](CVE-2023-52860)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhwmon: (axi-fan-control) Fix possible NULL pointer dereference\r\n\r\naxi_fan_control_irq_handler(), dependent on the private\naxi_fan_control_data structure, might be called before the hwmon\ndevice is registered. That will cause an \"Unable to handle kernel\nNULL pointer dereference\" error.(CVE-2023-52863)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/radeon: possible buffer overflow\r\n\r\nBuffer 'afmt_status' of size 6 could overflow, since index 'afmt_idx' is\nchecked after access.(CVE-2023-52867)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npstore/platform: Add check for kstrdup\r\n\r\nAdd check for the return value of kstrdup() and return the error\nif it fails in order to avoid NULL pointer dereference.(CVE-2023-52869)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: mediatek: clk-mt7629-eth: Add check for mtk_alloc_clk_data\r\n\r\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.(CVE-2023-52876)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntracing: Have trace_event_file have ref counters\r\n\r\nThe following can crash the kernel:\r\n\r\n # cd /sys/kernel/tracing\n # echo 'p:sched schedule' > kprobe_events\n # exec 5>>events/kprobes/sched/enable\n # > kprobe_events\n # exec 5>&-\r\n\r\nThe above commands:\r\n\r\n 1. Change directory to the tracefs directory\n 2. Create a kprobe event (doesn't matter what one)\n 3. Open bash file descriptor 5 on the enable file of the kprobe event\n 4. Delete the kprobe event (removes the files too)\n 5. Close the bash file descriptor 5\r\n\r\nThe above causes a crash!\r\n\r\n BUG: kernel NULL pointer dereference, address: 0000000000000028\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n RIP: 0010:tracing_release_file_tr+0xc/0x50\r\n\r\nWhat happens here is that the kprobe event creates a trace_event_file\n\"file\" descriptor that represents the file in tracefs to the event. It\nmaintains state of the event (is it enabled for the given instance?).\nOpening the \"enable\" file gets a reference to the event \"file\" descriptor\nvia the open file descriptor. When the kprobe event is deleted, the file is\nalso deleted from the tracefs system which also frees the event \"file\"\ndescriptor.\r\n\r\nBut as the tracefs file is still opened by user space, it will not be\ntotally removed until the final dput() is called on it. But this is not\ntrue with the event \"file\" descriptor that is already freed. If the user\ndoes a write to or simply closes the file descriptor it will reference the\nevent \"file\" descriptor that was just freed, causing a use-after-free bug.\r\n\r\nTo solve this, add a ref count to the event \"file\" descriptor as well as a\nnew flag called \"FREED\". The \"file\" will not be freed until the last\nreference is released. But the FREE flag will be set when the event is\nremoved to prevent any more modifications to that event from happening,\neven if there's still a reference to the event \"file\" descriptor.(CVE-2023-52879)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/fsl-mc: Block calling interrupt handler without trigger\r\n\r\nThe eventfd_ctx trigger pointer of the vfio_fsl_mc_irq object is\ninitially NULL and may become NULL if the user sets the trigger\neventfd to -1.  The interrupt handler itself is guaranteed that\ntrigger is always valid between request_irq() and free_irq(), but\nthe loopback testing mechanisms to invoke the handler function\nneed to test the trigger.  The triggering and setting ioctl paths\nboth make use of igate and are therefore mutually exclusive.\r\n\r\nThe vfio-fsl-mc driver does not make use of irqfds, nor does it\nsupport any sort of masking operations, therefore unlike vfio-pci\nand vfio-platform, the flow can remain essentially unchanged.(CVE-2024-26814)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\naf_unix: Fix garbage collector racing against connect()\r\n\r\nGarbage collector does not take into account the risk of embryo getting\nenqueued during the garbage collection. If such embryo has a peer that\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\ndifferent set of children. Leading to an incorrectly elevated inflight\ncount, and then a dangling pointer within the gc_inflight_list.\r\n\r\nsockets are AF_UNIX/SOCK_STREAM\nS is an unconnected socket\nL is a listening in-flight socket bound to addr, not in fdtable\nV's fd will be passed via sendmsg(), gets inflight count bumped\r\n\r\nconnect(S, addr)\tsendmsg(S, [V]); close(V)\t__unix_gc()\n----------------\t-------------------------\t-----------\r\n\r\nNS = unix_create1()\nskb1 = sock_wmalloc(NS)\nL = unix_find_other(addr)\nunix_state_lock(L)\nunix_peer(S) = NS\n\t\t\t// V count=1 inflight=0\r\n\r\n \t\t\tNS = unix_peer(S)\n \t\t\tskb2 = sock_alloc()\n\t\t\tskb_queue_tail(NS, skb2[V])\r\n\r\n\t\t\t// V became in-flight\n\t\t\t// V count=2 inflight=1\r\n\r\n\t\t\tclose(V)\r\n\r\n\t\t\t// V count=1 inflight=1\n\t\t\t// GC candidate condition met\r\n\r\n\t\t\t\t\t\tfor u in gc_inflight_list:\n\t\t\t\t\t\t  if (total_refs == inflight_refs)\n\t\t\t\t\t\t    add u to gc_candidates\r\n\r\n\t\t\t\t\t\t// gc_candidates={L, V}\r\n\r\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  scan_children(u, dec_inflight)\r\n\r\n\t\t\t\t\t\t// embryo (skb1) was not\n\t\t\t\t\t\t// reachable from L yet, so V's\n\t\t\t\t\t\t// inflight remains unchanged\n__skb_queue_tail(L, skb1)\nunix_state_unlock(L)\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  if (u.inflight)\n\t\t\t\t\t\t    scan_children(u, inc_inflight_move_tail)\r\n\r\n\t\t\t\t\t\t// V count=1 inflight=2 (!)\r\n\r\nIf there is a GC-candidate listening socket, lock/unlock its state. This\nmakes GC wait until the end of any ongoing connect() to that socket. After\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\nthis point, unix_inflight() can not happen because unix_gc_lock is already\ntaken. Inflight graph remains unaffected.(CVE-2024-26923)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwireguard: netlink: access device through ctx instead of peer\r\n\r\nThe previous commit fixed a bug that led to a NULL peer->device being\ndereferenced. It's actually easier and faster performance-wise to\ninstead get the device from ctx->wg. This semantically makes more sense\ntoo, since ctx->wg->peer_allowedips.seq is compared with\nctx->allowedips_seq, basing them both in ctx. This also acts as a\ndefence in depth provision against freed peers.(CVE-2024-26950)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfs: fix UAF in direct writes\r\n\r\nIn production we have been hitting the following warning consistently\r\n\r\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0\nWorkqueue: nfsiod nfs_direct_write_schedule_work [nfs]\nRIP: 0010:refcount_warn_saturate+0x9c/0xe0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? __warn+0x9f/0x130\n ? refcount_warn_saturate+0x9c/0xe0\n ? report_bug+0xcc/0x150\n ? handle_bug+0x3d/0x70\n ? exc_invalid_op+0x16/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? refcount_warn_saturate+0x9c/0xe0\n nfs_direct_write_schedule_work+0x237/0x250 [nfs]\n process_one_work+0x12f/0x4a0\n worker_thread+0x14e/0x3b0\n ? ZSTD_getCParams_internal+0x220/0x220\n kthread+0xdc/0x120\n ? __btf_name_valid+0xa0/0xa0\n ret_from_fork+0x1f/0x30\r\n\r\nThis is because we're completing the nfs_direct_request twice in a row.\r\n\r\nThe source of this is when we have our commit requests to submit, we\nprocess them and send them off, and then in the completion path for the\ncommit requests we have\r\n\r\nif (nfs_commit_end(cinfo.mds))\n\tnfs_direct_write_complete(dreq);\r\n\r\nHowever since we're submitting asynchronous requests we sometimes have\none that completes before we submit the next one, so we end up calling\ncomplete on the nfs_direct_request twice.\r\n\r\nThe only other place we use nfs_generic_commit_list() is in\n__nfs_commit_inode, which wraps this call in a\r\n\r\nnfs_commit_begin();\nnfs_commit_end();\r\n\r\nWhich is a common pattern for this style of completion handling, one\nthat is also repeated in the direct code with get_dreq()/put_dreq()\ncalls around where we process events as well as in the completion paths.\r\n\r\nFix this by using the same pattern for the commit requests.\r\n\r\nBefore with my 200 node rocksdb stress running this warning would pop\nevery 10ish minutes.  With my patch the stress test has been running for\nseveral hours without popping.(CVE-2024-26958)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmac802154: fix llsec key resources release in mac802154_llsec_key_del\r\n\r\nmac802154_llsec_key_del() can free resources of a key directly without\nfollowing the RCU rules for waiting before the end of a grace period. This\nmay lead to use-after-free in case llsec_lookup_key() is traversing the\nlist of keys in parallel with a key deletion:\r\n\r\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0\nModules linked in:\nCPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x162/0x2a0\nCall Trace:\n <TASK>\n llsec_lookup_key.isra.0+0x890/0x9e0\n mac802154_llsec_encrypt+0x30c/0x9c0\n ieee802154_subif_start_xmit+0x24/0x1e0\n dev_hard_start_xmit+0x13e/0x690\n sch_direct_xmit+0x2ae/0xbc0\n __dev_queue_xmit+0x11dd/0x3c20\n dgram_sendmsg+0x90b/0xd60\n __sys_sendto+0x466/0x4c0\n __x64_sys_sendto+0xe0/0x1c0\n do_syscall_64+0x45/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\nAlso, ieee802154_llsec_key_entry structures are not freed by\nmac802154_llsec_key_del():\r\n\r\nunreferenced object 0xffff8880613b6980 (size 64):\n  comm \"iwpan\", pid 2176, jiffies 4294761134 (age 60.475s)\n  hex dump (first 32 bytes):\n    78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de  x.......\".......\n    00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00  ................\n  backtrace:\n    [<ffffffff81dcfa62>] __kmem_cache_alloc_node+0x1e2/0x2d0\n    [<ffffffff81c43865>] kmalloc_trace+0x25/0xc0\n    [<ffffffff88968b09>] mac802154_llsec_key_add+0xac9/0xcf0\n    [<ffffffff8896e41a>] ieee802154_add_llsec_key+0x5a/0x80\n    [<ffffffff8892adc6>] nl802154_add_llsec_key+0x426/0x5b0\n    [<ffffffff86ff293e>] genl_family_rcv_msg_doit+0x1fe/0x2f0\n    [<ffffffff86ff46d1>] genl_rcv_msg+0x531/0x7d0\n    [<ffffffff86fee7a9>] netlink_rcv_skb+0x169/0x440\n    [<ffffffff86ff1d88>] genl_rcv+0x28/0x40\n    [<ffffffff86fec15c>] netlink_unicast+0x53c/0x820\n    [<ffffffff86fecd8b>] netlink_sendmsg+0x93b/0xe60\n    [<ffffffff86b91b35>] ____sys_sendmsg+0xac5/0xca0\n    [<ffffffff86b9c3dd>] ___sys_sendmsg+0x11d/0x1c0\n    [<ffffffff86b9c65a>] __sys_sendmsg+0xfa/0x1d0\n    [<ffffffff88eadbf5>] do_syscall_64+0x45/0xf0\n    [<ffffffff890000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\nHandle the proper resource release in the RCU callback function\nmac802154_llsec_key_del_rcu().\r\n\r\nNote that if llsec_lookup_key() finds a key, it gets a refcount via\nllsec_key_get() and locally copies key id from key_entry (which is a\nlist element). So it's safe to call llsec_key_put() and free the list\nentry after the RCU grace period elapses.\r\n\r\nFound by Linux Verification Center (linuxtesting.org).(CVE-2024-26961)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: qcom: mmcc-msm8974: fix terminating of frequency table arrays\r\n\r\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\r\n\r\nOnly compile tested.(CVE-2024-26965)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nubifs: ubifs_symlink: Fix memleak of inode->i_link in error path\r\n\r\nFor error handling path in ubifs_symlink(), inode will be marked as\nbad first, then iput() is invoked. If inode->i_link is initialized by\nfscrypt_encrypt_symlink() in encryption scenario, inode->i_link won't\nbe freed by callchain ubifs_free_inode -> fscrypt_free_inode in error\nhandling path, because make_bad_inode() has changed 'inode->i_mode' as\n'S_IFREG'.\nFollowing kmemleak is easy to be reproduced by injecting error in\nubifs_jnl_update() when doing symlink in encryption scenario:\n unreferenced object 0xffff888103da3d98 (size 8):\n  comm \"ln\", pid 1692, jiffies 4294914701 (age 12.045s)\n  backtrace:\n   kmemdup+0x32/0x70\n   __fscrypt_encrypt_symlink+0xed/0x1c0\n   ubifs_symlink+0x210/0x300 [ubifs]\n   vfs_symlink+0x216/0x360\n   do_symlinkat+0x11a/0x190\n   do_syscall_64+0x3b/0xe0\nThere are two ways fixing it:\n 1. Remove make_bad_inode() in error handling path. We can do that\n    because ubifs_evict_inode() will do same processes for good\n    symlink inode and bad symlink inode, for inode->i_nlink checking\n    is before is_bad_inode().\n 2. Free inode->i_link before marking inode bad.\nMethod 2 is picked, it has less influence, personally, I think.(CVE-2024-26972)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: Always flush async #PF workqueue when vCPU is being destroyed\r\n\r\nAlways flush the per-vCPU async #PF workqueue when a vCPU is clearing its\ncompletion queue, e.g. when a VM and all its vCPUs is being destroyed.\nKVM must ensure that none of its workqueue callbacks is running when the\nlast reference to the KVM _module_ is put.  Gifting a reference to the\nassociated VM prevents the workqueue callback from dereferencing freed\nvCPU/VM memory, but does not prevent the KVM module from being unloaded\nbefore the callback completes.\r\n\r\nDrop the misguided VM refcount gifting, as calling kvm_put_kvm() from\nasync_pf_execute() if kvm_put_kvm() flushes the async #PF workqueue will\nresult in deadlock.  async_pf_execute() can't return until kvm_put_kvm()\nfinishes, and kvm_put_kvm() can't return until async_pf_execute() finishes:\r\n\r\n WARNING: CPU: 8 PID: 251 at virt/kvm/kvm_main.c:1435 kvm_put_kvm+0x2d/0x320 [kvm]\n Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel kvm irqbypass\n CPU: 8 PID: 251 Comm: kworker/8:1 Tainted: G        W          6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n Workqueue: events async_pf_execute [kvm]\n RIP: 0010:kvm_put_kvm+0x2d/0x320 [kvm]\n Call Trace:\n  <TASK>\n  async_pf_execute+0x198/0x260 [kvm]\n  process_one_work+0x145/0x2d0\n  worker_thread+0x27e/0x3a0\n  kthread+0xba/0xe0\n  ret_from_fork+0x2d/0x50\n  ret_from_fork_asm+0x11/0x20\n  </TASK>\n ---[ end trace 0000000000000000 ]---\n INFO: task kworker/8:1:251 blocked for more than 120 seconds.\n       Tainted: G        W          6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/8:1     state:D stack:0     pid:251   ppid:2      flags:0x00004000\n Workqueue: events async_pf_execute [kvm]\n Call Trace:\n  <TASK>\n  __schedule+0x33f/0xa40\n  schedule+0x53/0xc0\n  schedule_timeout+0x12a/0x140\n  __wait_for_common+0x8d/0x1d0\n  __flush_work.isra.0+0x19f/0x2c0\n  kvm_clear_async_pf_completion_queue+0x129/0x190 [kvm]\n  kvm_arch_destroy_vm+0x78/0x1b0 [kvm]\n  kvm_put_kvm+0x1c1/0x320 [kvm]\n  async_pf_execute+0x198/0x260 [kvm]\n  process_one_work+0x145/0x2d0\n  worker_thread+0x27e/0x3a0\n  kthread+0xba/0xe0\n  ret_from_fork+0x2d/0x50\n  ret_from_fork_asm+0x11/0x20\n  </TASK>\r\n\r\nIf kvm_clear_async_pf_completion_queue() actually flushes the workqueue,\nthen there's no need to gift async_pf_execute() a reference because all\ninvocations of async_pf_execute() will be forced to complete before the\nvCPU and its VM are destroyed/freed.  And that in turn fixes the module\nunloading bug as __fput() won't do module_put() on the last vCPU reference\nuntil the vCPU has been freed, e.g. if closing the vCPU file also puts the\nlast reference to the KVM module.\r\n\r\nNote that kvm_check_async_pf_completion() may also take the work item off\nthe completion queue and so also needs to flush the work queue, as the\nwork will not be seen by kvm_clear_async_pf_completion_queue().  Waiting\non the workqueue could theoretically delay a vCPU due to waiting for the\nwork to complete, but that's a very, very small chance, and likely a very\nsmall delay.  kvm_arch_async_page_present_queued() unconditionally makes a\nnew request, i.e. will effectively delay entering the guest, so the\nremaining work is really just:\r\n\r\n        trace_kvm_async_pf_completed(addr, cr2_or_gpa);\r\n\r\n        __kvm_vcpu_wake_up(vcpu);\r\n\r\n        mmput(mm);\r\n\r\nand mmput() can't drop the last reference to the page tables if the vCPU is\nstill alive, i.e. the vCPU won't get stuck tearing down page tables.\r\n\r\nAdd a helper to do the flushing, specifically to deal with \"wakeup all\"\nwork items, as they aren't actually work items, i.e. are never placed in a\nworkqueue.  Trying to flush a bogus workqueue entry rightly makes\n__flush_work() complain (kudos to whoever added that sanity check).\r\n\r\nNote, commit 5f6de5cbebee (\"KVM: Prevent module exit until al\n---truncated---(CVE-2024-26976)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nSquashfs: check the inode number is not the invalid value of zero\r\n\r\nSyskiller has produced an out of bounds access in fill_meta_index().\r\n\r\nThat out of bounds access is ultimately caused because the inode\nhas an inode number with the invalid value of zero, which was not checked.\r\n\r\nThe reason this causes the out of bounds access is due to following\nsequence of events:\r\n\r\n1. Fill_meta_index() is called to allocate (via empty_meta_index())\n   and fill a metadata index.  It however suffers a data read error\n   and aborts, invalidating the newly returned empty metadata index.\n   It does this by setting the inode number of the index to zero,\n   which means unused (zero is not a valid inode number).\r\n\r\n2. When fill_meta_index() is subsequently called again on another\n   read operation, locate_meta_index() returns the previous index\n   because it matches the inode number of 0.  Because this index\n   has been returned it is expected to have been filled, and because\n   it hasn't been, an out of bounds access is performed.\r\n\r\nThis patch adds a sanity check which checks that the inode number\nis not zero when the inode is created and returns -EINVAL if it is.\r\n\r\n[phillip@squashfs.org.uk: whitespace fix]\n  Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk(CVE-2024-26982)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs: sysfs: Fix reference leak in sysfs_break_active_protection()\r\n\r\nThe sysfs_break_active_protection() routine has an obvious reference\nleak in its error path.  If the call to kernfs_find_and_get() fails then\nkn will be NULL, so the companion sysfs_unbreak_active_protection()\nroutine won't get called (and would only cause an access violation by\ntrying to dereference kn->parent if it was called).  As a result, the\nreference to kobj acquired at the start of the function will never be\nreleased.\r\n\r\nFix the leak by adding an explicit kobject_put() call when kn is NULL.(CVE-2024-26993)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nserial: mxs-auart: add spinlock around changing cts state\r\n\r\nThe uart_handle_cts_change() function in serial_core expects the caller\nto hold uport->lock. For example, I have seen the below kernel splat,\nwhen the Bluetooth driver is loaded on an i.MX28 board.\r\n\r\n    [   85.119255] ------------[ cut here ]------------\n    [   85.124413] WARNING: CPU: 0 PID: 27 at /drivers/tty/serial/serial_core.c:3453 uart_handle_cts_change+0xb4/0xec\n    [   85.134694] Modules linked in: hci_uart bluetooth ecdh_generic ecc wlcore_sdio configfs\n    [   85.143314] CPU: 0 PID: 27 Comm: kworker/u3:0 Not tainted 6.6.3-00021-gd62a2f068f92 #1\n    [   85.151396] Hardware name: Freescale MXS (Device Tree)\n    [   85.156679] Workqueue: hci0 hci_power_on [bluetooth]\n    (...)\n    [   85.191765]  uart_handle_cts_change from mxs_auart_irq_handle+0x380/0x3f4\n    [   85.198787]  mxs_auart_irq_handle from __handle_irq_event_percpu+0x88/0x210\n    (...)(CVE-2024-27000)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm: nv04: Fix out of bounds access\r\n\r\nWhen Output Resource (dcb->or) value is assigned in\nfabricate_dcb_output(), there may be out of bounds access to\ndac_users array in case dcb->or is zero because ffs(dcb->or) is\nused as index there.\nThe 'or' argument of fabricate_dcb_output() must be interpreted as a\nnumber of bit to set, not value.\r\n\r\nUtilize macros from 'enum nouveau_or' in calls instead of hardcoding.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-27008)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Fix a potential buffer overflow in 'dp_dsc_clock_en_read()'\r\n\r\nTell snprintf() to store at most 10 bytes in the output buffer\ninstead of 30.\r\n\r\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_debugfs.c:1508 dp_dsc_clock_en_read() error: snprintf() is printing too much 30 vs 10(CVE-2024-27045)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nUSB: usb-storage: Prevent divide-by-0 error in isd200_ata_command\r\n\r\nThe isd200 sub-driver in usb-storage uses the HEADS and SECTORS values\nin the ATA ID information to calculate cylinder and head values when\ncreating a CDB for READ or WRITE commands.  The calculation involves\ndivision and modulus operations, which will cause a crash if either of\nthese values is 0.  While this never happens with a genuine device, it\ncould happen with a flawed or subversive emulation, as reported by the\nsyzbot fuzzer.\r\n\r\nProtect against this possibility by refusing to bind to the device if\neither the ATA_ID_HEADS or ATA_ID_SECTORS value in the device's ID\ninformation is 0.  This requires isd200_Initialization() to return a\nnegative error code when initialization fails; currently it always\nreturns 0 (even when there is an error).(CVE-2024-27059)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: usbtv: Remove useless locks in usbtv_video_free()\r\n\r\nRemove locks calls in usbtv_video_free() because\nare useless and may led to a deadlock as reported here:\nhttps://syzkaller.appspot.com/x/bisect.txt?x=166dc872180000\nAlso remove usbtv_stop() call since it will be called when\nunregistering the device.\r\n\r\nBefore 'c838530d230b' this issue would only be noticed if you\ndisconnect while streaming and now it is noticeable even when\ndisconnecting while not streaming.\r\n\r\n\n[hverkuil: fix minor spelling mistake in log message](CVE-2024-27072)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: ttpci: fix two memleaks in budget_av_attach\r\n\r\nWhen saa7146_register_device and saa7146_vv_init fails, budget_av_attach\nshould free the resources it allocates, like the error-handling of\nttpci_budget_init does. Besides, there are two fixme comment refers to\nsuch deallocations.(CVE-2024-27073)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: dvb-frontends: avoid stack overflow warnings with clang\r\n\r\nA previous patch worked around a KASAN issue in stv0367, now a similar\nproblem showed up with clang:\r\n\r\ndrivers/media/dvb-frontends/stv0367.c:1222:12: error: stack frame size (3624) exceeds limit (2048) in 'stv0367ter_set_frontend' [-Werror,-Wframe-larger-than]\n 1214 | static int stv0367ter_set_frontend(struct dvb_frontend *fe)\r\n\r\nRework the stv0367_writereg() function to be simpler and mark both\nregister access functions as noinline_for_stack so the temporary\ni2c_msg structures do not get duplicated on the stack when KASAN_STACK\nis enabled.(CVE-2024-27075)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npstore: inode: Only d_invalidate() is needed\r\n\r\nUnloading a modular pstore backend with records in pstorefs would\ntrigger the dput() double-drop warning:\r\n\r\n  WARNING: CPU: 0 PID: 2569 at fs/dcache.c:762 dput.part.0+0x3f3/0x410\r\n\r\nUsing the combo of d_drop()/dput() (as mentioned in\nDocumentation/filesystems/vfs.rst) isn't the right approach here, and\nleads to the reference counting problem seen above. Use d_invalidate()\nand update the code to not bother checking for error codes that can\nnever happen.\r\n\r\n---(CVE-2024-27389)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/ntfs3: Fixed overflow check in mi_enum_attr()(CVE-2024-27407)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetrom: Fix data-races around sysctl_net_busy_read\r\n\r\nWe need to protect the reader reading the sysctl value because the\nvalue can be changed concurrently.(CVE-2024-27419)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2024-27426)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2024-27427)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()\r\n\r\nDo the cache flush of converted pages in svm_register_enc_region() before\ndropping kvm->lock to fix use-after-free issues where region and/or its\narray of pages could be freed by a different task, e.g. if userspace has\n__unregister_enc_region_locked() already queued up for the region.\r\n\r\nNote, the \"obvious\" alternative of using local variables doesn't fully\nresolve the bug, as region->pages is also dynamically allocated.  I.e. the\nregion structure itself would be fine, but region->pages could be freed.\r\n\r\nFlushing multiple pages under kvm->lock is unfortunate, but the entire\nflow is a rare slow path, and the manual flush is only needed on CPUs that\nlack coherency for encrypted memory.(CVE-2024-35791)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\nx86/fpu: Keep xfd_state in sync with MSR_IA32_XFD\nCommit 672365477ae8 (\"x86/fpu: Update XFD state where required\") and\ncommit 8bf26758ca96 (\"x86/fpu: Add XFD state to fpstate\") introduced a\nper CPU variable xfd_state to keep the MSR_IA32_XFD value cached, in\norder to avoid unnecessary writes to the MSR.\nOn CPU hotplug MSR_IA32_XFD is reset to the init_fpstate.xfd, which\nwipes out any stale state. But the per CPU cached xfd value is not\nreset, which brings them out of sync.\nAs a consequence a subsequent xfd_update_state() might fail to update\nthe MSR which in turn can result in XRSTOR raising a #NM in kernel\nspace, which crashes the kernel.\nTo fix this, introduce xfd_set_state() to write xfd_state together\nwith MSR_IA32_XFD, and use it in all places that set MSR_IA32_XFD.(CVE-2024-35801)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndm snapshot: fix lockup in dm_exception_table_exit\r\n\r\nThere was reported lockup when we exit a snapshot with many exceptions.\nFix this by adding \"cond_resched\" to the loop that frees the exceptions.(CVE-2024-35805)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsoc: fsl: qbman: Always disable interrupts when taking cgr_lock\r\n\r\nsmp_call_function_single disables IRQs when executing the callback. To\nprevent deadlocks, we must disable IRQs when taking cgr_lock elsewhere.\nThis is already done by qman_update_cgr and qman_delete_cgr; fix the\nother lockers.(CVE-2024-35806)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nLoongArch: Define the __io_aw() hook as mmiowb()\r\n\r\nCommit fb24ea52f78e0d595852e (\"drivers: Remove explicit invocations of\nmmiowb()\") remove all mmiowb() in drivers, but it says:\r\n\r\n\"NOTE: mmiowb() has only ever guaranteed ordering in conjunction with\nspin_unlock(). However, pairing each mmiowb() removal in this patch with\nthe corresponding call to spin_unlock() is not at all trivial, so there\nis a small chance that this change may regress any drivers incorrectly\nrelying on mmiowb() to order MMIO writes between CPUs using lock-free\nsynchronisation.\"\r\n\r\nThe mmio in radeon_ring_commit() is protected by a mutex rather than a\nspinlock, but in the mutex fastpath it behaves similar to spinlock. We\ncan add mmiowb() calls in the radeon driver but the maintainer says he\ndoesn't like such a workaround, and radeon is not the only example of\nmutex protected mmio.\r\n\r\nSo we should extend the mmiowb tracking system from spinlock to mutex,\nand maybe other locking primitives. This is not easy and error prone, so\nwe solve it in the architectural code, by simply defining the __io_aw()\nhook as mmiowb(). And we no longer need to override queued_spin_unlock()\nso use the generic definition.\r\n\r\nWithout this, we get such an error when run 'glxgears' on weak ordering\narchitectures such as LoongArch:\r\n\r\nradeon 0000:04:00.0: ring 0 stalled for more than 10324msec\nradeon 0000:04:00.0: ring 3 stalled for more than 10240msec\nradeon 0000:04:00.0: GPU lockup (current fence id 0x000000000001f412 last fence id 0x000000000001f414 on ring 3)\nradeon 0000:04:00.0: GPU lockup (current fence id 0x000000000000f940 last fence id 0x000000000000f941 on ring 0)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)(CVE-2024-35818)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5e: fix a double-free in arfs_create_groups\r\n\r\nWhen `in` allocated by kvzalloc fails, arfs_create_groups will free\nft->g and return an error. However, arfs_create_table, the only caller of\narfs_create_groups, will hold this error and call to\nmlx5e_destroy_flow_table, in which the ft->g will be freed again.(CVE-2024-35835)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: compress: fix reserve_cblocks counting error when out of space\r\n\r\nWhen a file only needs one direct_node, performing the following\noperations will cause the file to be unrepairable:\r\n\r\nunisoc # ./f2fs_io compress test.apk\nunisoc #df -h | grep dm-48\n/dev/block/dm-48 112G 112G 1.2M 100% /data\r\n\r\nunisoc # ./f2fs_io release_cblocks test.apk\n924\nunisoc # df -h | grep dm-48\n/dev/block/dm-48 112G 112G 4.8M 100% /data\r\n\r\nunisoc # dd if=/dev/random of=file4 bs=1M count=3\n3145728 bytes (3.0 M) copied, 0.025 s, 120 M/s\nunisoc # df -h | grep dm-48\n/dev/block/dm-48 112G 112G 1.8M 100% /data\r\n\r\nunisoc # ./f2fs_io reserve_cblocks test.apk\nF2FS_IOC_RESERVE_COMPRESS_BLOCKS failed: No space left on device\r\n\r\nadb reboot\nunisoc # df -h  | grep dm-48\n/dev/block/dm-48             112G 112G   11M 100% /data\nunisoc # ./f2fs_io reserve_cblocks test.apk\n0\r\n\r\nThis is because the file has only one direct_node. After returning\nto -ENOSPC, reserved_blocks += ret will not be executed. As a result,\nthe reserved_blocks at this time is still 0, which is not the real\nnumber of reserved blocks. Therefore, fsck cannot be set to repair\nthe file.\r\n\r\nAfter this patch, the fsck flag will be set to fix this problem.\r\n\r\nunisoc # df -h | grep dm-48\n/dev/block/dm-48             112G 112G  1.8M 100% /data\nunisoc # ./f2fs_io reserve_cblocks test.apk\nF2FS_IOC_RESERVE_COMPRESS_BLOCKS failed: No space left on device\r\n\r\nadb reboot then fsck will be executed\nunisoc # df -h  | grep dm-48\n/dev/block/dm-48             112G 112G   11M 100% /data\nunisoc # ./f2fs_io reserve_cblocks test.apk\n924(CVE-2024-35844)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: iwlwifi: dbg-tlv: ensure NUL termination\r\n\r\nThe iwl_fw_ini_debug_info_tlv is used as a string, so we must\nensure the string is terminated correctly before using it.(CVE-2024-35845)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\neeprom: at24: fix memory corruption race condition\r\n\r\nIf the eeprom is not accessible, an nvmem device will be registered, the\nread will fail, and the device will be torn down. If another driver\naccesses the nvmem device after the teardown, it will reference\ninvalid memory.\r\n\r\nMove the failure point before registering the nvmem device.(CVE-2024-35848)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()\r\n\r\nnft_unregister_flowtable_type() within nf_flow_inet_module_exit() can\nconcurrent with __nft_flowtable_type_get() within nf_tables_newflowtable().\nAnd thhere is not any protection when iterate over nf_tables_flowtables\nlist in __nft_flowtable_type_get(). Therefore, there is pertential\ndata-race of nf_tables_flowtables list entry.\r\n\r\nUse list_for_each_entry_rcu() to iterate over nf_tables_flowtables list\nin __nft_flowtable_type_get(), and use rcu_read_lock() in the caller\nnft_flowtable_type_get() to protect the entire type query process.(CVE-2024-35898)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfbmon: prevent division by zero in fb_videomode_from_videomode()\r\n\r\nThe expression htotal * vtotal can have a zero value on\noverflow. It is necessary to prevent division by zero like in\nfb_var_to_videomode().\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with Svace.(CVE-2024-35922)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()\r\n\r\nThe call to lpfc_sli4_resume_rpi() in lpfc_rcv_padisc() may return an\nunsuccessful status.  In such cases, the elsiocb is not issued, the\ncompletion is not called, and thus the elsiocb resource is leaked.\r\n\r\nCheck return value after calling lpfc_sli4_resume_rpi() and conditionally\nrelease the elsiocb resource.(CVE-2024-35930)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()\r\n\r\nThe unhandled case in btrfs_relocate_sys_chunks() loop is a corruption,\nas it could be caused only by two impossible conditions:\r\n\r\n- at first the search key is set up to look for a chunk tree item, with\n  offset -1, this is an inexact search and the key->offset will contain\n  the correct offset upon a successful search, a valid chunk tree item\n  cannot have an offset -1\r\n\r\n- after first successful search, the found_key corresponds to a chunk\n  item, the offset is decremented by 1 before the next loop, it's\n  impossible to find a chunk item there due to alignment and size\n  constraints(CVE-2024-35936)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npstore/zone: Add a null pointer check to the psz_kmsg_read\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.(CVE-2024-35940)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nxsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING\r\n\r\nsyzbot reported an illegal copy in xsk_setsockopt() [1]\r\n\r\nMake sure to validate setsockopt() @optlen parameter.\r\n\r\n[1]\r\n\r\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\nRead of size 4 at addr ffff888028c6cde3 by task syz-executor.0/7549\r\n\r\nCPU: 0 PID: 7549 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:488\n  kasan_report+0x143/0x180 mm/kasan/report.c:601\n  copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n  copy_from_sockptr include/linux/sockptr.h:55 [inline]\n  xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\n  do_sock_setsockopt+0x3af/0x720 net/socket.c:2311\n  __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n  __do_sys_setsockopt net/socket.c:2343 [inline]\n  __se_sys_setsockopt net/socket.c:2340 [inline]\n  __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\nRIP: 0033:0x7fb40587de69\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fb40665a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 00007fb4059abf80 RCX: 00007fb40587de69\nRDX: 0000000000000005 RSI: 000000000000011b RDI: 0000000000000006\nRBP: 00007fb4058ca47a R08: 0000000000000002 R09: 0000000000000000\nR10: 0000000020001980 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007fb4059abf80 R15: 00007fff57ee4d08\n </TASK>\r\n\r\nAllocated by task 7549:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\n  __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\n  kasan_kmalloc include/linux/kasan.h:211 [inline]\n  __do_kmalloc_node mm/slub.c:3966 [inline]\n  __kmalloc+0x233/0x4a0 mm/slub.c:3979\n  kmalloc include/linux/slab.h:632 [inline]\n  __cgroup_bpf_run_filter_setsockopt+0xd2f/0x1040 kernel/bpf/cgroup.c:1869\n  do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\n  __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n  __do_sys_setsockopt net/socket.c:2343 [inline]\n  __se_sys_setsockopt net/socket.c:2340 [inline]\n  __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nThe buggy address belongs to the object at ffff888028c6cde0\n which belongs to the cache kmalloc-8 of size 8\nThe buggy address is located 1 bytes to the right of\n allocated 2-byte region [ffff888028c6cde0, ffff888028c6cde2)\r\n\r\nThe buggy address belongs to the physical page:\npage:ffffea0000a31b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888028c6c9c0 pfn:0x28c6c\nanon flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)\npage_type: 0xffffffff()\nraw: 00fff00000000800 ffff888014c41280 0000000000000000 dead000000000001\nraw: ffff888028c6c9c0 0000000080800057 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as allocated\npage last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 6648, tgid 6644 (syz-executor.0), ts 133906047828, free_ts 133859922223\n  set_page_owner include/linux/page_owner.h:31 [inline]\n  post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533\n  prep_new_page mm/page_alloc.c:\n---truncated---(CVE-2024-35976)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nHID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up\r\n\r\nThe flag I2C_HID_READ_PENDING is used to serialize I2C operations.\nHowever, this is not necessary, because I2C core already has its own\nlocking for that.\r\n\r\nMore importantly, this flag can cause a lock-up: if the flag is set in\ni2c_hid_xfer() and an interrupt happens, the interrupt handler\n(i2c_hid_irq) will check this flag and return immediately without doing\nanything, then the interrupt handler will be invoked again in an\ninfinite loop.\r\n\r\nSince interrupt handler is an RT task, it takes over the CPU and the\nflag-clearing task never gets scheduled, thus we have a lock-up.\r\n\r\nDelete this unnecessary flag.(CVE-2024-35997)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmlxsw: spectrum_acl_tcam: Fix incorrect list API usage\r\n\r\nBoth the function that migrates all the chunks within a region and the\nfunction that migrates all the entries within a chunk call\nlist_first_entry() on the respective lists without checking that the\nlists are not empty. This is incorrect usage of the API, which leads to\nthe following warning [1].\r\n\r\nFix by returning if the lists are empty as there is nothing to migrate\nin this case.\r\n\r\n[1]\nWARNING: CPU: 0 PID: 6437 at drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c:1266 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0>\nModules linked in:\nCPU: 0 PID: 6437 Comm: kworker/0:37 Not tainted 6.9.0-rc3-custom-00883-g94a65f079ef6 #39\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0x2c0\n[...]\nCall Trace:\n <TASK>\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x4a0\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n </TASK>(CVE-2024-36006)",
+    "cves": [
+      {
+        "id": "CVE-2024-35801",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35801",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2024-36006",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36006",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1769": {
+    "id": "openEuler-SA-2024-1769",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1769",
+    "title": "An update for golang is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Go Programming Language.\r\n\r\nSecurity Fix(es):\r\n\r\nThe archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.(CVE-2024-24789)",
+    "cves": [
+      {
+        "id": "CVE-2024-24789",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24789",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1977": {
+    "id": "openEuler-SA-2023-1977",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1977",
+    "title": "An update for openssh is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. \\ It encrypts all traffic to eliminate eavesdropping, connection hijacking, and \\ other attacks. In addition, OpenSSH provides a large suite of secure tunneling \\ capabilities, several authentication methods, and sophisticated configuration options.\r\n\r\nSecurity Fix(es):\r\n\r\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795)\r\n\r\nIn ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.(CVE-2023-51385)",
+    "cves": [
+      {
+        "id": "CVE-2023-51385",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51385",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1181": {
+    "id": "openEuler-SA-2023-1181",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1181",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw found in the Linux Kernel. The missing check causes a type confusion when issuing a list_entry()\non an empty report_list. The problem is caused by the assumption that the device must have valid report_list. While this will be true for all normal HID devices, a suitably malicious device can violate the assumption.\r\n\r\nReferences:\nhttps://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=b12fece4c64857e5fab4290bf01b2e0317a88456\nhttps://www.openwall.com/lists/oss-security/2023/01/17/3(CVE-2023-1073)\r\n\r\nIn nf_tables_updtable, if nf_tables_table_enable returns an error, nft_trans_destroy is called to free the transaction object. nft_trans_destroy() calls list_del(), but the transaction was never placed on a list -- the list head is all zeroes, this results in a NULL pointer dereference.(CVE-2023-1095)",
+    "cves": [
+      {
+        "id": "CVE-2023-1095",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1095",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-2000": {
+    "id": "openEuler-SA-2023-2000",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-2000",
+    "title": "An update for netty is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nNetty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.(CVE-2022-41881)",
+    "cves": [
+      {
+        "id": "CVE-2022-41881",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1247": {
+    "id": "openEuler-SA-2023-1247",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1247",
+    "title": "An update for tomcat is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project\r\n\r\nSecurity Fix(es):\r\n\r\nWhen using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.(CVE-2023-28708)",
+    "cves": [
+      {
+        "id": "CVE-2023-28708",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28708",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1445": {
+    "id": "openEuler-SA-2023-1445",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1445",
+    "title": "An update for elfutils is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Low",
+    "description": "Elfutils is a collection of utilities, including stack (to show backtraces), nm (for listing symbols from object files), size (for listing the section sizes of an object or archive file), strip (for discarding symbols), elflint (to check for well-formed ELF files) and elfcompress (to compress or decompress ELF sections). Also included are helper libraries which implement DWARF, ELF, and machine-specific ELF handling and process introspection. It also provides a DSO which allows reading and writing ELF files on a high level. Third party programs depend on this package to read internals of ELF files. Yama sysctl setting to enable default attach scope settings enabling programs to use ptrace attach, access to /proc/PID/{mem,personality,stack,syscall}, and the syscalls process_vm_readv and process_vm_writev which are used for interprocess services, communication and introspection (like synchronisation, signaling, debugging, tracing and profiling) of processes.\n\nSecurity Fix(es):\n\nIn elfutils 0.183, an infinite loop was found in the function handle_symtab in readelf.c .Which allows attackers to cause a denial of service (infinite loop) via crafted file.(CVE-2021-33294)",
+    "cves": [
+      {
+        "id": "CVE-2021-33294",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33294",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1077": {
+    "id": "openEuler-SA-2024-1077",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1077",
+    "title": "An update for rear is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Relax-and-Recover is a setup-and-forget Linux bare metal disaster recovery solution. It is easy to set up and requires no maintenance so there is no excuse for not using it.\r\n\r\nSecurity Fix(es):\r\n\r\nRelax-and-Recover (aka ReaR) through 2.7 creates a world-readable initrd when using GRUB_RESCUE=y. This allows local attackers to gain access to system secrets otherwise only readable by root.(CVE-2024-23301)",
+    "cves": [
+      {
+        "id": "CVE-2024-23301",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23301",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1273": {
+    "id": "openEuler-SA-2024-1273",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1273",
+    "title": "An update for A-Tune-Collector is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "A-Tune-Collector is used to collect various system resources.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen the get method in the sched.py file in the A-Tune-Collector software package is used to obtain the process ID, shell command combination and injection risks exist. This flaw could lead to remote arbitrary command execution.(CVE-2024-24897)",
+    "cves": [
+      {
+        "id": "CVE-2024-24897",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24897",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1104": {
+    "id": "openEuler-SA-2023-1104",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1104",
+    "title": "An update for tar is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "GNU Tar provides the ability to create tar archives, as well as various other kinds of manipulation. For example, you can use Tar on previously created archives to extract files, to store additional files, or to update or list files which were already stored.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.(CVE-2022-48303)",
+    "cves": [
+      {
+        "id": "CVE-2022-48303",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48303",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1716": {
+    "id": "openEuler-SA-2023-1716",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1716",
+    "title": "An update for mosquitto is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Mosquitto is an open source message broker that implements the MQ Telemetry Transport protocol version 3.1 and 3.1.1 MQTT provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for \"machine to machine\" messaging such as with low power sensors or mobile devices such as phones, embedded computers or micro-controllers like the Arduino.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.(CVE-2023-0809)",
+    "cves": [
+      {
+        "id": "CVE-2023-0809",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0809",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1925": {
+    "id": "openEuler-SA-2023-1925",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1925",
+    "title": "An update for activemq is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The most popular and powerful open source messaging and Integration Patterns server.\r\n\r\nSecurity Fix(es):\r\n\r\nOnce an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution. \r\n\r\nIn details, in ActiveMQ configurations, jetty allows\norg.jolokia.http.AgentServlet to handler request to /api/jolokia\r\n\r\norg.jolokia.http.HttpRequestHandler#handlePostRequest is able to\ncreate JmxRequest through JSONObject. And calls to\norg.jolokia.http.HttpRequestHandler#executeRequest.\r\n\r\nInto deeper calling stacks,\norg.jolokia.handler.ExecHandler#doHandleRequest is able to invoke\nthrough refection.\r\n\r\nAnd then, RCE is able to be achieved via\njdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11.\r\n\r\n1 Call newRecording.\r\n\r\n2 Call setConfiguration. And a webshell data hides in it.\r\n\r\n3 Call startRecording.\r\n\r\n4 Call copyTo method. The webshell will be written to a .jsp file.\r\n\r\nThe mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia.\nA more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.\n(CVE-2022-41678)",
+    "cves": [
+      {
+        "id": "CVE-2022-41678",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41678",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1895": {
+    "id": "openEuler-SA-2023-1895",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1895",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.(CVE-2023-1544)",
+    "cves": [
+      {
+        "id": "CVE-2023-1544",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1544",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1774": {
+    "id": "openEuler-SA-2023-1774",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1774",
+    "title": "An update for mosquitto is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Mosquitto is an open source message broker that implements the MQ Telemetry Transport protocol version 3.1 and 3.1.1 MQTT provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for \"machine to machine\" messaging such as with low power sensors or mobile devices such as phones, embedded computers or micro-controllers like the Arduino.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.\n(CVE-2023-3592)\r\n\r\nIn Eclipse Mosquito before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT event to be added, which results excessive CPU consumption. This could be used by a malicious actor to perform denial of service type attack. This issue is fixed in 2.0.6\r\n\r\n\n(CVE-2023-5632)",
+    "cves": [
+      {
+        "id": "CVE-2023-5632",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5632",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1428": {
+    "id": "openEuler-SA-2023-1428",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1428",
+    "title": "An update for edk2 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications. \n\nSecurity Fix(es):\n\nA timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.(CVE-2022-4304)",
+    "cves": [
+      {
+        "id": "CVE-2022-4304",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4304",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1969": {
+    "id": "openEuler-SA-2023-1969",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1969",
+    "title": "An update for ncurses is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The ncurses (new curses) library is a free software emulation of  curses in System V Release 4.0 (SVr4), and more. It uses terminfo  format, supports pads and color and multiple highlights and forms  characters and function-key mapping, and has all the other SVr4-curses  enhancements over BSD curses. SVr4 curses became the basis of X/Open Curses.\r\n\r\nSecurity Fix(es):\r\n\r\nNCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().(CVE-2023-50495)",
+    "cves": [
+      {
+        "id": "CVE-2023-50495",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50495",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1638": {
+    "id": "openEuler-SA-2023-1638",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1638",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation.\r\n\r\nWhen route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.\r\n\r\nWe recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.\r\n\r\n(CVE-2023-4206)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.\r\n\r\nWhen fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.\r\n\r\nWe recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec.\r\n\r\n(CVE-2023-4207)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.\r\n\r\nWhen u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.\r\n\r\nWe recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.\r\n\r\n(CVE-2023-4208)\r\n\r\nA use-after-free vulnerability in the Linux kernel's af_unix component can be exploited to achieve local privilege escalation.\r\n\r\nThe unix_stream_sendpage() function tries to add data to the last skb in the peer's recv queue without locking the queue. Thus there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free.\r\n\r\nWe recommend upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.\r\n\r\n(CVE-2023-4622)",
+    "cves": [
+      {
+        "id": "CVE-2023-4622",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4622",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1758": {
+    "id": "openEuler-SA-2023-1758",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1758",
+    "title": "An update for avahi is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. This enables you to plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to or find files being shared.\r\n\r\nSecurity Fix(es):\r\n\r\nA reachable assertion was found in avahi_escape_label.\r\n\r\nReferences:\r\n\r\nhttps://github.com/lathiat/avahi/issues/454(CVE-2023-38470)",
+    "cves": [
+      {
+        "id": "CVE-2023-38470",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38470",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1202": {
+    "id": "openEuler-SA-2021-1202",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1202",
+    "title": "An update for libxml2 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "This library allows to manipulate XML files. It includes support to read, modify and write XML and HTML files. There is DTDs support this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified. The output can be a simple SAX stream or and in-memory DOM like representations. In this case one can use the built-in XPath and XPointer implementation to select sub nodes or ranges. A flexible Input/Output mechanism is available, with existing HTTP and FTP modules and combined to an URI library.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.(CVE-2021-3537)\r\n\r\nThere's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.(CVE-2021-3518)\r\n\r\nThere is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.(CVE-2021-3517)",
+    "cves": [
+      {
+        "id": "CVE-2021-3517",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3517",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1028": {
+    "id": "openEuler-SA-2021-1028",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1028",
+    "title": "An update for vorbis-tools is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Ogg Vorbis is a fully open, non-proprietary, patent-and-royalty-free, general-purpose compressed audio format for mid to high quality (8kHz-48.0kHz, 16+ bit, polyphonic) audio and music at fixed and variable bitrates from 16 to 128 kbps/channel. This places Vorbis in the same competitive class as audio representations such as MPEG-4 (AAC), and similar to, but higher performance than MPEG-1/2 audio layer 3, MPEG-4 audio (TwinVQ), WMA and PAC.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\noggenc/oggenc.c in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted raw file.(CVE-2014-9640)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2014-9640",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9640",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1203": {
+    "id": "openEuler-SA-2021-1203",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1203",
+    "title": "An update for rubygem-puma is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "A simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications.\r\n\r\nSecurity Fix(es):\r\n\r\nPuma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in `puma` 4.3.8 and 5.3.1. Setting `queue_requests False` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma.(CVE-2021-29509)",
+    "cves": [
+      {
+        "id": "CVE-2021-29509",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29509",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1340": {
+    "id": "openEuler-SA-2021-1340",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1340",
+    "title": "An update for sssd is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "SSSD provides a set of daemons to manage access to remote directories and authentication mechanisms such as LDAP, Kerberos or FreeIPA. It provides an NSS and PAM interface toward the system and a pluggable backend system to connect to multiple different account sources.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in SSSD, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands. This flaw allows an attacker to trick the root user into running a specially crafted sssctl command, such as via sudo, to gain root access. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-3621)",
+    "cves": [
+      {
+        "id": "CVE-2021-3621",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3621",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1902": {
+    "id": "openEuler-SA-2022-1902",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1902",
+    "title": "An update for unzip is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "UnZip is an extraction utility for archives compressed in .zip format. UnZip will list, test, or extract files from a .zip archive, commonly found on MS-DOS systems. The default behavior (with no options) is to extract all files into the current directory (and subdirectorie below it) from the specified zipfile.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in unzip. The vulnerability occurs due to improper handling of Unicode strings, which can lead to a null pointer dereference. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.(CVE-2021-4217)",
+    "cves": [
+      {
+        "id": "CVE-2021-4217",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4217",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1691": {
+    "id": "openEuler-SA-2024-1691",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1691",
+    "title": "An update for glibc is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt,  login, exit and more.\r\n\r\nSecurity Fix(es):\r\n\r\nnscd: Stack-based buffer overflow in netgroup cache\r\n\r\nIf the Name Service Cache Daemon's (nscd) fixed size cache is exhausted\nby client requests then a subsequent client request for netgroup data\nmay result in a stack-based buffer overflow.  This flaw was introduced\nin glibc 2.15 when the cache was added to nscd.\r\n\r\nThis vulnerability is only present in the nscd binary.\n(CVE-2024-33599)\r\n\r\nnscd: Null pointer crashes after notfound response\r\n\r\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference.  This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\r\n\r\nThis vulnerability is only present in the nscd binary.\r\n\r\n(CVE-2024-33600)\r\n\r\nnscd: netgroup cache may terminate daemon on memory allocation failure\r\n\r\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients.  The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\r\n\r\nThis vulnerability is only present in the nscd binary.\r\n\r\n(CVE-2024-33601)\r\n\r\nnscd: netgroup cache assumes NSS callback uses in-buffer strings\r\n\r\nThe Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory\nwhen the NSS callback does not store all strings in the provided buffer.\nThe flaw was introduced in glibc 2.15 when the cache was added to nscd.\r\n\r\nThis vulnerability is only present in the nscd binary.\r\n\r\n(CVE-2024-33602)",
+    "cves": [
+      {
+        "id": "CVE-2024-33602",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33602",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1848": {
+    "id": "openEuler-SA-2024-1848",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1848",
+    "title": "An update for arm-trusted-firmware is now available for openEuler-22.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "Trusted Firmware-A is a reference implementation of secure world software for Arm A-Profile architectures (Armv8-A and Armv7-A), including an Exception Level 3 (EL3) Secure Monitor.\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. This vulnerability is associated with program files  https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i... https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.C .\r\n\r\n\r\n\r\n\nIn line 313 \"addr_loaded_cnt\" is checked not to be \"CHECK_IMAGE_AREA_CNT\" (5) or larger, this check does not halt the function. Immediately after (line 317) there will be an overflow in the buffer and the value of \"dst\" will be written to the area immediately after the buffer, which is \"addr_loaded_cnt\". This will allow an attacker to freely control the value of \"addr_loaded_cnt\" and thus control the destination of the write immediately after (line 318). The write in line 318 will then be fully controlled by said attacker, with whichever address and whichever value (\"len\") they desire.(CVE-2024-6563)\r\n\r\nBuffer overflow in \"rcar_dev_init\"  due to using due to using untrusted data (rcar_image_number) as a loop counter before verifying it against RCAR_MAX_BL3X_IMAGE. This could lead to a full bypass of secure boot.(CVE-2024-6564)",
+    "cves": [
+      {
+        "id": "CVE-2024-6564",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6564",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1055": {
+    "id": "openEuler-SA-2023-1055",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1055",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition.(CVE-2023-23559)\n\nNo description is available for this CVE.(CVE-2023-0047)",
+    "cves": [
+      {
+        "id": "CVE-2023-0047",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0047",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1950": {
+    "id": "openEuler-SA-2023-1950",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1950",
+    "title": "An update for avro is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Apache Avro is a data serialization system.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro version 1.10.2 and prior versions. Users should update to version 1.11.0 which addresses this issue.(CVE-2021-43045)",
+    "cves": [
+      {
+        "id": "CVE-2021-43045",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43045",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1814": {
+    "id": "openEuler-SA-2023-1814",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1814",
+    "title": "An update for openjdk-latest is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u381-perf, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 21.3.7 and  22.3.3. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition,.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-22025)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf, 11.0.20, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 20.3.11, 21.3.7 and  22.3.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-22081)",
+    "cves": [
+      {
+        "id": "CVE-2023-22081",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22081",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1410": {
+    "id": "openEuler-SA-2021-1410",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1410",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Vim is a highly configurable text editor for efficiently creating and changing any kind of text.\r\n\r\nSecurity Fix(es):\r\n\r\nvim is vulnerable to Heap-based Buffer Overflow(CVE-2021-3875)\r\n\r\nvim is vulnerable to Heap-based Buffer Overflow(CVE-2021-3872)",
+    "cves": [
+      {
+        "id": "CVE-2021-3872",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3872",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1472": {
+    "id": "openEuler-SA-2024-1472",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1472",
+    "title": "An update for cri-o is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Open Container Initiative-based implementation of Kubernetes Container Runtime Interface.\r\n\r\nSecurity Fix(es):\r\n\r\nPackage jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.\n(CVE-2024-28180)",
+    "cves": [
+      {
+        "id": "CVE-2024-28180",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28180",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1122": {
+    "id": "openEuler-SA-2021-1122",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1122",
+    "title": "An update for velocity-tools is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The VelocityTools project is a collection of useful Java classes (aka tools), as well as infrastructure to easily, automatically and transparently make these tools available to Velocity templates. Project include easy integration of Velocity into the view-layer of web applications (via the VelocityViewTag and VelocityViewServlet) and integration with Struts 1.x applications.\r\n\r\nSecurity Fix(es):\r\n\r\nThe default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.(CVE-2020-13959)",
+    "cves": [
+      {
+        "id": "CVE-2020-13959",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13959",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1079": {
+    "id": "openEuler-SA-2021-1079",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1079",
+    "title": "An update for mutt is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Mutt is a small but very powerful text-based mail client for Unix operating systems.\r\n\r\nSecurity Fix(es):\r\n\r\nrfc822.c in Mutt through 2.0.4 allows remote attackers to cause a denial of service (mailbox unavailability) by sending email messages with sequences of semicolon characters in RFC822 address fields (aka terminators of empty groups). A small email message from the attacker can cause large memory consumption, and the victim may then be unable to see email messages from other persons.(CVE-2021-3181)",
+    "cves": [
+      {
+        "id": "CVE-2021-3181",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3181",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1154": {
+    "id": "openEuler-SA-2023-1154",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1154",
+    "title": "An update for rubygem-activesupport is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.\r\n\r\nSecurity Fix(es):\r\n\r\nA regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.(CVE-2023-22796)",
+    "cves": [
+      {
+        "id": "CVE-2023-22796",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22796",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1781": {
+    "id": "openEuler-SA-2022-1781",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1781",
+    "title": "An update for log4j12 is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "With log4j it is possible to enable logging at runtime without modifying the application binary.\r\n\r\nSecurity Fix(es):\r\n\r\nBy design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.(CVE-2022-23305)",
+    "cves": [
+      {
+        "id": "CVE-2022-23305",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1814": {
+    "id": "openEuler-SA-2022-1814",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1814",
+    "title": "An update for openjdk-latest is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment.\n\nSecurity Fix(es):\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).(CVE-2021-2388)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Library). Supported versions that are affected are Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).(CVE-2021-2369)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2021-35550)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2021-35565)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).(CVE-2021-2341)",
+    "cves": [
+      {
+        "id": "CVE-2021-2341",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-2341",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1647": {
+    "id": "openEuler-SA-2022-1647",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1647",
+    "title": "An update for subversion is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Subversion exists to be universally recognized and adopted as an open-source, centralized version control system characterized by its reliability as a safe haven for valuable data; the simplicity of its model and usage; and its ability to support the needs of a wide variety of users and projects, from individuals to large-scale enterprise operations.\r\n\r\nSecurity Fix(es):\r\n\r\nApache Subversion SVN authz protected copyfrom paths regression Subversion servers reveal copyfrom paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the copyfrom path of the original. This also reveals the fact that the node was copied. Only the copyfrom path is revealed; not its contents. Both httpd and svnserve servers are vulnerable.(CVE-2021-28544)\n\nSubversion s mod_dav_svn is vulnerable to memory corruption. While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed. Affected Subversion mod_dav_svn servers 1.10.0 through 1.14.1 (inclusive). Servers that do not use mod_dav_svn are not affected.(CVE-2022-24070)",
+    "cves": [
+      {
+        "id": "CVE-2022-24070",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24070",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2039": {
+    "id": "openEuler-SA-2022-2039",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2039",
+    "title": "An update for curl is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "CURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in curl. The issue occurs when doing HTTP(S) transfers, where curl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set if it previously used the same handle to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request.(CVE-2022-32221)",
+    "cves": [
+      {
+        "id": "CVE-2022-32221",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32221",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1898": {
+    "id": "openEuler-SA-2023-1898",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1898",
+    "title": "An update for freeimage is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "FreeImage is a library project for developers who would like to support popular graphics image formats (PNG, JPEG, TIFF, BMP and others). Some highlights are: extremely simple in use, not limited to the local PC (unique FreeImageIO) and Plugin driven!\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Overflow vulnerability in function LoadPixelDataRLE8 in PluginBMP.cpp in FreeImage 3.18.0 allows remote attackers to run arbitrary code and cause other impacts via crafted image file.(CVE-2020-21427)\r\n\r\nBuffer Overflow vulnerability in function LoadRGB in PluginDDS.cpp in FreeImage 3.18.0 allows remote attackers to run arbitrary code and cause other impacts via crafted image file.(CVE-2020-21428)",
+    "cves": [
+      {
+        "id": "CVE-2020-21428",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-21428",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1276": {
+    "id": "openEuler-SA-2021-1276",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1276",
+    "title": "An update for maven is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "Maven is a software project management and comprehension tool. Based on the concept of a project object model (POM), Maven can manage a project's build, reporting and documentation from a central piece of information.\r\n\r\nSecurity Fix(es):\r\n\r\nApache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html(CVE-2021-26291)",
+    "cves": [
+      {
+        "id": "CVE-2021-26291",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26291",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2095": {
+    "id": "openEuler-SA-2022-2095",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2095",
+    "title": "An update for ntfs-3g is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "NTFS-3G is a stable, open source, GPL licensed, POSIX, read/write NTFS driver for Linux and many other operating systems.It provides safe handling of the Windows XP, Windows Server 2003, Windows 2000, Windows Vista, Windows Server 2008 and Windows 7 NTFS file systems.\r\n\r\nSecurity Fix(es):\r\n\r\nA buffer overflow was discovered in NTFS-3G before 2022.10.3. Crafted metadata in an NTFS image can cause code execution. A local attacker can exploit this if the ntfs-3g binary is setuid root. A physically proximate attacker can exploit this if NTFS-3G software is configured to execute upon attachment of an external storage device.(CVE-2022-40284)",
+    "cves": [
+      {
+        "id": "CVE-2022-40284",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40284",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2003": {
+    "id": "openEuler-SA-2022-2003",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2003",
+    "title": "An update for mariadb-connector-c is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "This package is used for connecting C/C++ programs to MariaDB and MySQL database.\r\n\r\nSecurity Fix(es):\r\n\r\nzlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).(CVE-2022-37434)",
+    "cves": [
+      {
+        "id": "CVE-2022-37434",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37434",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1009": {
+    "id": "openEuler-SA-2021-1009",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1009",
+    "title": "An update for ceph is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Ceph is a massively scalable, open-source, distributed storage system that runs on commodity hardware and delivers object, block and file system storage.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nAn issue was discovered in Ceph through 13.2.9. A POST request with an invalid tagging XML can crash the RGW process by triggering a NULL pointer exception.(CVE-2020-12059)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2020-12059",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12059",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1559": {
+    "id": "openEuler-SA-2022-1559",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1559",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in the Linux kernel's EBPF verifier when handling internal data structures. Internal memory locations could be returned to userspace.  A local attacker with the permissions to insert eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit mitigations in place for the kernel.(CVE-2021-4159)\r\n\r\nAn issue was discovered in drivers/usb/gadget/composite.c in the Linux kernel before 5.16.10. The USB Gadget subsystem lacks certain validation of interface OS descriptor requests (ones with a large array index and ones associated with NULL function pointer retrieval). Memory corruption might occur.(CVE-2022-25258)\r\n\r\nAn issue was discovered in drivers/usb/gadget/function/rndis.c in the Linux kernel before 5.16.10. The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory.(CVE-2022-25375)\r\n\r\nA flaw null pointer dereference in the Linux kernel UDF file system functionality was found in the way user triggers udf_file_write_iter function for the malicious UDF image. A local user could use this flaw to crash the system. Actual from Linux kernel 4.2-rc1 till 5.17-rc2.(CVE-2022-0617)",
+    "cves": [
+      {
+        "id": "CVE-2022-0617",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0617",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1376": {
+    "id": "openEuler-SA-2024-1376",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1376",
+    "title": "An update for mod_security is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "This software is also called Modsec,it is an open-source web application firewall. It is designed for Apache HTTP Server.ModSecurity is commonly deployed to provide protections against generic classed of vulnerabilities.The install of this package is easy and you can read the README.TXT for more information.\r\n\r\nSecurity Fix(es):\r\n\r\nIn ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase.(CVE-2022-48279)",
+    "cves": [
+      {
+        "id": "CVE-2022-48279",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48279",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1791": {
+    "id": "openEuler-SA-2023-1791",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1791",
+    "title": "An update for qt5-qtbase is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Qt is a software toolkit for developing applications.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.(CVE-2023-33285)",
+    "cves": [
+      {
+        "id": "CVE-2023-33285",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33285",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1562": {
+    "id": "openEuler-SA-2022-1562",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1562",
+    "title": "An update for python-py is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Library with cross-python path, ini-parsing, io, code, log facilities.\r\n\r\nSecurity Fix(es):\r\n\r\nA denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.(CVE-2020-29651)",
+    "cves": [
+      {
+        "id": "CVE-2020-29651",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29651",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1137": {
+    "id": "openEuler-SA-2024-1137",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1137",
+    "title": "An update for nodejs is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Node.js is an open-source, cross-platform, JavaScript runtime environment, it executes JavaScript code outside of a browser.\r\n\r\nSecurity Fix(es):\r\n\r\nA security vulnerability has been identified in all supported versions\r\n\r\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints.  Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\r\n\r\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0464)\r\n\r\nApplications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\r\n\r\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\r\n\r\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0465)",
+    "cves": [
+      {
+        "id": "CVE-2023-0465",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0465",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1314": {
+    "id": "openEuler-SA-2024-1314",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1314",
+    "title": "An update for edk2 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications.\r\n\r\nSecurity Fix(es):\r\n\r\n\nEDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability.\r\n\r\n(CVE-2022-36764)\r\n\r\n EDK2's Network Package is susceptible to a buffer overflow vulnerability via a long server ID option in DHCPv6 client. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Confidentiality, Integrity and/or Availability.\r\n\r\n(CVE-2023-45230)\r\n\r\n EDK2's Network Package is susceptible to an infinite loop vulnerability when parsing unknown options in the Destination Options header of IPv6. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Availability.\r\n\r\n(CVE-2023-45232)\r\n\r\n EDK2's Network Package is susceptible to an infinite lop vulnerability when parsing a PadN option in the Destination Options header of IPv6. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Availability.\r\n\r\n(CVE-2023-45233)\r\n\r\n EDK2's Network Package is susceptible to a buffer overflow vulnerability when\r\n\r\n\r\n\r\n\r\n\r\nhandling Server ID option \r\n\r\n\r\n\r\n from a DHCPv6 proxy Advertise message. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Confidentiality, Integrity and/or Availability.\r\n\r\n(CVE-2023-45235)",
+    "cves": [
+      {
+        "id": "CVE-2023-45235",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45235",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1200": {
+    "id": "openEuler-SA-2021-1200",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1200",
+    "title": "An update for hivex is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Hivex is a library for extracting the contents of Windows Registry \"hive\" files.  It is designed to be secure against buggy or malicious registry files.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the hivex library in versions before 1.3.20. It is caused due to a lack of bounds check within the hivex_open function. An attacker could input a specially crafted Windows Registry (hive) file which would cause hivex to read memory beyond its normal bounds or cause the program to crash. The highest threat from this vulnerability is to system availability.(CVE-2021-3504)",
+    "cves": [
+      {
+        "id": "CVE-2021-3504",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3504",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1027": {
+    "id": "openEuler-SA-2021-1027",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1027",
+    "title": "An update for openssl is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nThe X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the \"-crl_download\" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).(CVE-2020-1971)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2020-1971",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1971",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1869": {
+    "id": "openEuler-SA-2022-1869",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1869",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nlibtiff's tiffcrop utility has a uint32_t underflow that can lead to out of bounds read and write. An attacker who supplies a crafted file to tiffcrop (likely via tricking a user to run tiffcrop on it with certain parameters) could cause a crash or in some cases, further exploitation.(CVE-2022-2867)\r\n\r\nlibtiff's tiffcrop utility has a improper input validation flaw that can lead to out of bounds read and ultimately cause a crash if an attacker is able to supply a crafted file to tiffcrop.(CVE-2022-2868)\r\n\r\nlibtiff's tiffcrop tool has a uint32_t underflow which leads to out of bounds read and write in the extractContigSamples8bits routine. An attacker who supplies a crafted file to tiffcrop could trigger this flaw, most likely by tricking a user into opening the crafted file with tiffcrop. Triggering this flaw could cause a crash or potentially further exploitation.(CVE-2022-2869)",
+    "cves": [
+      {
+        "id": "CVE-2022-2869",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2869",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1520": {
+    "id": "openEuler-SA-2023-1520",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1520",
+    "title": "An update for python3 is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces. This package Provides python version 3.\n\nSecurity Fix(es):\n\nDirectory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.(CVE-2007-4559)",
+    "cves": [
+      {
+        "id": "CVE-2007-4559",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-4559",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1910": {
+    "id": "openEuler-SA-2023-1910",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1910",
+    "title": "An update for python-twisted is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Twisted is an event-based framework for internet applications, supporting Python 2.7 and Python 3.5+. It includes modules for many different purposes, including the following:\r\n\r\nSecurity Fix(es):\r\n\r\nTwisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.(CVE-2022-39348)",
+    "cves": [
+      {
+        "id": "CVE-2022-39348",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39348",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1743": {
+    "id": "openEuler-SA-2023-1743",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1743",
+    "title": "An update for libcue is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Libcue is intended for parsing a so-called cue sheet from a char string or a file pointer. For handling of the parsed data a convenient API is available.\r\n\r\nSecurity Fix(es):\r\n\r\nlibcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution. This issue is patched in version 2.3.0.(CVE-2023-43641)",
+    "cves": [
+      {
+        "id": "CVE-2023-43641",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43641",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1937": {
+    "id": "openEuler-SA-2022-1937",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1937",
+    "title": "An update for gfbgraph is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "GLib/GObject wrapper for the Facebook Graph API that integrates with GNOME Online Accounts.\r\n\r\nSecurity Fix(es):\r\n\r\nIn GNOME libgfbgraph through 0.2.4, gfbgraph-photo.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.(CVE-2021-39358)",
+    "cves": [
+      {
+        "id": "CVE-2021-39358",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39358",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1358": {
+    "id": "openEuler-SA-2024-1358",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1358",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nThere may be information leakage vulnerabilities in the tcm_open function in drivers/staging/gmjstcm/tcm.c  The tcm_open function does not set the memory block to 0 when allocating memory (kmalloc), which may lead to information leakage vulnerabilities.(CVE-2024-24891)\r\n\r\nThere may be information leakage vulnerabilities in the tcm_read function in drivers/staging/gmjstcm/tcm.c  The tcm_read function did not set this memory to 0 after calling the copy_to_user function, causing the user to read the information in the last tcm instruction.(CVE-2024-24898)",
+    "cves": [
+      {
+        "id": "CVE-2024-24898",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24898",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1845": {
+    "id": "openEuler-SA-2024-1845",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1845",
+    "title": "An update for glibc is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt,  login, exit and more.\r\n\r\nSecurity Fix(es):\r\n\r\nThe iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.\n(CVE-2024-2961)",
+    "cves": [
+      {
+        "id": "CVE-2024-2961",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2961",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1243": {
+    "id": "openEuler-SA-2023-1243",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1243",
+    "title": "An update for tcpdump is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Tcpdump is a command-line tool for monitoring network traffic. Tcpdump can capture and display the packet headers on a particular network interface or on all interfaces.  Tcpdump can display all of the packet headers, or just the ones that match particular criteria.\r\n\r\nSecurity Fix(es):\r\n\r\nThe SMB protocol decoder in tcpdump version 4.99.3 can perform an out-of-bounds write when decoding a crafted network packet.(CVE-2023-1801)",
+    "cves": [
+      {
+        "id": "CVE-2023-1801",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1801",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2014": {
+    "id": "openEuler-SA-2022-2014",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2014",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn binder_inc_ref_for_node of binder.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-239630375References: Upstream kernel(CVE-2022-20421)\r\n\r\nIn emulation_proc_handler of armv8_deprecated.c, there is a possible way to corrupt memory due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-237540956References: Upstream kernel(CVE-2022-20422)\n\nmm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.(CVE-2022-42703)\n\nroccat_report_event in drivers/hid/hid-roccat.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free in certain situations where a report is received while copying a report->value is in progress.(CVE-2022-41850)",
+    "cves": [
+      {
+        "id": "CVE-2022-41850",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41850",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1232": {
+    "id": "openEuler-SA-2021-1232",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1232",
+    "title": "An update for avahi is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. This enables you to plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to or find files being shared.\n\nSecurity Fix(es):\n\nA flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered.(CVE-2021-3468)",
+    "cves": [
+      {
+        "id": "CVE-2021-3468",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3468",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1185": {
+    "id": "openEuler-SA-2021-1185",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1185",
+    "title": "An update for xstream is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nXStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.(CVE-2021-21350)\n\nXStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream s security framework with a whitelist limited to the minimal required types. If you rely on XStream s default blacklist of the Security Framework, you will have to use at least version 1.4.16.(CVE-2021-21349)\r\n\r\nXStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.(CVE-2021-21348)\r\n\r\nXStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.(CVE-2021-21351)\r\n\r\nXStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.(CVE-2021-21341)\r\n\r\nXStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.(CVE-2021-21342)\r\n\r\nXStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.(CVE-2021-21343)\r\n\r\nXStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.(CVE-2021-21344)\r\n\r\nXStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.(CVE-2021-21345)\r\n\r\nXStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.(CVE-2021-21346)\r\n\r\nXStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.(CVE-2021-21347)",
+    "cves": [
+      {
+        "id": "CVE-2021-21347",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21347",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2117": {
+    "id": "openEuler-SA-2022-2117",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2117",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nThere is an infoleak vulnerability in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_parse_conf_req function which can be used to leak kernel pointers remotely. We recommend upgrading past commit https://github.com/torvalds/linux/commit/b1a2cd50c0357f243b7435a732b4e62ba3157a2e https://www.google.com/url(CVE-2022-42895)\r\n\r\nThere are use-after-free vulnerabilities in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_connect and l2cap_le_connect_req functions which may allow code execution and leaking kernel memory (respectively) remotely via Bluetooth. A remote attacker could execute code leaking kernel memory via Bluetooth if within proximity of the victim. We recommend upgrading past commit https://www.google.com/url https://github.com/torvalds/linux/commit/711f8c3fb3db61897080468586b970c87c61d9e4 https://www.google.com/url(CVE-2022-42896)",
+    "cves": [
+      {
+        "id": "CVE-2022-42896",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42896",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1202": {
+    "id": "openEuler-SA-2023-1202",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1202",
+    "title": "An update for undertow is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Java web server using non-blocking IO\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.(CVE-2023-1108)",
+    "cves": [
+      {
+        "id": "CVE-2023-1108",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1108",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1278": {
+    "id": "openEuler-SA-2021-1278",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1278",
+    "title": "An update for rubygem-addressable is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Addressable is a replacement for the URI implementation that is part of Ruby's standard library. It more closely conforms to the relevant RFCs and adds support for URI and URL templates.\r\n\r\nSecurity Fix(es):\r\n\r\nAddressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through version 2.7.0. Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected. The vulnerability is patched in version 2.8.0. As a workaround, only create Template objects from trusted sources that have been validated not to produce catastrophic backtracking.(CVE-2021-32740)",
+    "cves": [
+      {
+        "id": "CVE-2021-32740",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32740",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1017": {
+    "id": "openEuler-SA-2021-1017",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1017",
+    "title": "An update for thrift is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Apache Thrift software framework for cross-language services development combines a software stack with a code generation engine to build services that work efficiently and seamlessly between C++, Java, Python, and other languages.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nIn Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.(CVE-2019-0205)\\r\\n\\r\\n\r\nIn Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data.(CVE-2019-0210)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2019-0210",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0210",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1197": {
+    "id": "openEuler-SA-2024-1197",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1197",
+    "title": "An update for python-jwcrypto is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Implements JWK, JWS, JWE specifications with python-cryptography\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in JWCrypto. This flaw allows an attacker to cause a denial of service (DoS) attack and possible password brute-force and dictionary attacks to be more resource-intensive. This issue can result in a large amount of computational consumption, causing a denial of service attack.(CVE-2023-6681)",
+    "cves": [
+      {
+        "id": "CVE-2023-6681",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6681",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1237": {
+    "id": "openEuler-SA-2024-1237",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1237",
+    "title": "An update for postgresql-jdbc is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. Is an open source JDBC driver written in Pure Java (Type 4), and communicates in the PostgreSQL native network protocol.\r\n\r\nSecurity Fix(es):\r\n\r\npgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.(CVE-2024-1597)",
+    "cves": [
+      {
+        "id": "CVE-2024-1597",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1597",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1136": {
+    "id": "openEuler-SA-2024-1136",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1136",
+    "title": "An update for nodejs is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Node.js is an open-source, cross-platform, JavaScript runtime environment, it executes JavaScript code outside of a browser.\r\n\r\nSecurity Fix(es):\r\n\r\nA security vulnerability has been identified in all supported versions\r\n\r\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints.  Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\r\n\r\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0464)\r\n\r\nApplications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\r\n\r\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\r\n\r\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0465)",
+    "cves": [
+      {
+        "id": "CVE-2023-0465",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0465",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1371": {
+    "id": "openEuler-SA-2021-1371",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1371",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-3748)",
+    "cves": [
+      {
+        "id": "CVE-2021-3748",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3748",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1393": {
+    "id": "openEuler-SA-2024-1393",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1393",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: dvbdev: Fix memory leak in dvb_media_device_free()\r\n\r\ndvb_media_device_free() is leaking memory. Free `dvbdev->adapter->conn`\nbefore setting it to NULL, as documented in include/media/media-device.h:\n\"The media_entity instance itself must be freed explicitly by the driver\nif required.\"(CVE-2020-36777)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni2c: sprd: fix reference leak when pm_runtime_get_sync fails\r\n\r\nThe PM reference count is not expected to be incremented on\nreturn in sprd_i2c_master_xfer() and sprd_i2c_remove().\r\n\r\nHowever, pm_runtime_get_sync will increment the PM reference\ncount even failed. Forgetting to putting operation will result\nin a reference leak here.\r\n\r\nReplace it with pm_runtime_resume_and_get to keep usage\ncounter balanced.(CVE-2020-36780)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni2c: cadence: fix reference leak when pm_runtime_get_sync fails\r\n\r\nThe PM reference count is not expected to be incremented on\nreturn in functions cdns_i2c_master_xfer and cdns_reg_slave.\r\n\r\nHowever, pm_runtime_get_sync will increment pm usage counter\neven failed. Forgetting to putting operation will result in a\nreference leak here.\r\n\r\nReplace it with pm_runtime_resume_and_get to keep usage\ncounter balanced.(CVE-2020-36784)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: hso: fix null-ptr-deref during tty device unregistration\r\n\r\nMultiple ttys try to claim the same the minor number causing a double\nunregistration of the same device. The first unregistration succeeds\nbut the next one results in a null-ptr-deref.\r\n\r\nThe get_free_serial_index() function returns an available minor number\nbut doesn't assign it immediately. The assignment is done by the caller\nlater. But before this assignment, calls to get_free_serial_index()\nwould return the same minor number.\r\n\r\nFix this by modifying get_free_serial_index to assign the minor number\nimmediately after one is found to be and rename it to obtain_minor()\nto better reflect what it does. Similary, rename set_serial_by_index()\nto release_minor() and modify it to free up the minor number of the\ngiven hso_serial. Every obtain_minor() should have corresponding\nrelease_minor() call.(CVE-2021-46904)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nNFC: st21nfca: Fix memory leak in device probe and remove\r\n\r\n'phy->pending_skb' is alloced when device probe, but forgot to free\nin the error handling path and remove path, this cause memory leak\nas follows:\r\n\r\nunreferenced object 0xffff88800bc06800 (size 512):\n  comm \"8\", pid 11775, jiffies 4295159829 (age 9.032s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<00000000d66c09ce>] __kmalloc_node_track_caller+0x1ed/0x450\n    [<00000000c93382b3>] kmalloc_reserve+0x37/0xd0\n    [<000000005fea522c>] __alloc_skb+0x124/0x380\n    [<0000000019f29f9a>] st21nfca_hci_i2c_probe+0x170/0x8f2\r\n\r\nFix it by freeing 'pending_skb' in error and remove.(CVE-2021-46924)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: hda: intel-sdw-acpi: harden detection of controller\r\n\r\nThe existing code currently sets a pointer to an ACPI handle before\nchecking that it's actually a SoundWire controller. This can lead to\nissues where the graph walk continues and eventually fails, but the\npointer was set already.\r\n\r\nThis patch changes the logic so that the information provided to\nthe caller is set when a controller is found.(CVE-2021-46926)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nparisc: Clear stale IIR value on instruction access rights trap\r\n\r\nWhen a trap 7 (Instruction access rights) occurs, this means the CPU\ncouldn't execute an instruction due to missing execute permissions on\nthe memory region.  In this case it seems the CPU didn't even fetched\nthe instruction from memory and thus did not store it in the cr19 (IIR)\nregister before calling the trap handler. So, the trap handler will find\nsome random old stale value in cr19.\r\n\r\nThis patch simply overwrites the stale IIR value with a constant magic\n\"bad food\" value (0xbaadf00d), in the hope people don't start to try to\nunderstand the various random IIR values in trap 7 dumps.(CVE-2021-46928)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni2c: validate user data in compat ioctl\r\n\r\nWrong user data may cause warning in i2c_transfer(), ex: zero msgs.\nUserspace should not be able to trigger warnings, so this patch adds\nvalidation checks for user data in compact ioctl to prevent reported\nwarnings(CVE-2021-46934)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbinder: fix async_free_space accounting for empty parcels\r\n\r\nIn 4.13, commit 74310e06be4d (\"android: binder: Move buffer out of area shared with user space\")\nfixed a kernel structure visibility issue. As part of that patch,\nsizeof(void *) was used as the buffer size for 0-length data payloads so\nthe driver could detect abusive clients sending 0-length asynchronous\ntransactions to a server by enforcing limits on async_free_size.\r\n\r\nUnfortunately, on the \"free\" side, the accounting of async_free_space\ndid not add the sizeof(void *) back. The result was that up to 8-bytes of\nasync_free_space were leaked on every async transaction of 8-bytes or\nless.  These small transactions are uncommon, so this accounting issue\nhas gone undetected for several years.\r\n\r\nThe fix is to use \"buffer_size\" (the allocated buffer size) instead of\n\"size\" (the logical buffer size) when updating the async_free_space\nduring the free operation. These are the same except for this\ncorner case of asynchronous transactions with payloads < 8 bytes.(CVE-2021-46935)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nNFS: fs_context: validate UDP retrans to prevent shift out-of-bounds\r\n\r\nFix shift out-of-bounds in xprt_calc_majortimeo(). This is caused\nby a garbage timeout (retrans) mount option being passed to nfs mount,\nin this case from syzkaller.\r\n\r\nIf the protocol is XPRT_TRANSPORT_UDP, then 'retrans' is a shift\nvalue for a 64-bit long integer, so 'retrans' cannot be >= 64.\nIf it is >= 64, fail the mount and return an error.(CVE-2021-46952)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhfsplus: prevent corruption in shrinking truncate\r\n\r\nI believe there are some issues introduced by commit 31651c607151\n(\"hfsplus: avoid deadlock on file truncation\")\r\n\r\nHFS+ has extent records which always contains 8 extents.  In case the\nfirst extent record in catalog file gets full, new ones are allocated from\nextents overflow file.\r\n\r\nIn case shrinking truncate happens to middle of an extent record which\nlocates in extents overflow file, the logic in hfsplus_file_truncate() was\nchanged so that call to hfs_brec_remove() is not guarded any more.\r\n\r\nRight action would be just freeing the extents that exceed the new size\ninside extent record by calling hfsplus_free_extents(), and then check if\nthe whole extent record should be removed.  However since the guard\n(blk_cnt > start) is now after the call to hfs_brec_remove(), this has\nunfortunate effect that the last matching extent record is removed\nunconditionally.\r\n\r\nTo reproduce this issue, create a file which has at least 10 extents, and\nthen perform shrinking truncate into middle of the last extent record, so\nthat the number of remaining extents is not under or divisible by 8.  This\ncauses the last extent record (8 extents) to be removed totally instead of\ntruncating into middle of it.  Thus this causes corruption, and lost data.\r\n\r\nFix for this is simply checking if the new truncated end is below the\nstart of this extent record, making it safe to remove the full extent\nrecord.  However call to hfs_brec_remove() can't be moved to it's previous\nplace since we're dropping ->tree_lock and it can cause a race condition\nand the cached info being invalidated possibly corrupting the node data.\r\n\r\nAnother issue is related to this one.  When entering into the block\n(blk_cnt > start) we are not holding the ->tree_lock.  We break out from\nthe loop not holding the lock, but hfs_find_exit() does unlock it.  Not\nsure if it's possible for someone else to take the lock under our feet,\nbut it can cause hard to debug errors and premature unlocking.  Even if\nthere's no real risk of it, the locking should still always be kept in\nbalance.  Thus taking the lock now just before the check.(CVE-2021-46989)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nx86/kvm: Teardown PV features on boot CPU as well\r\n\r\nVarious PV features (Async PF, PV EOI, steal time) work through memory\nshared with hypervisor and when we restore from hibernation we must\nproperly teardown all these features to make sure hypervisor doesn't\nwrite to stale locations after we jump to the previously hibernated kernel\n(which can try to place anything there). For secondary CPUs the job is\nalready done by kvm_cpu_down_prepare(), register syscore ops to do\nthe same for boot CPU.(CVE-2021-47112)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: abort in rename_exchange if we fail to insert the second ref\r\n\r\nError injection stress uncovered a problem where we'd leave a dangling\ninode ref if we failed during a rename_exchange.  This happens because\nwe insert the inode ref for one side of the rename, and then for the\nother side.  If this second inode ref insert fails we'll leave the first\none dangling and leave a corrupt file system behind.  Fix this by\naborting if we did the insert for the first inode ref.(CVE-2021-47113)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nocfs2: fix data corruption by fallocate\r\n\r\nWhen fallocate punches holes out of inode size, if original isize is in\nthe middle of last cluster, then the part from isize to the end of the\ncluster will be zeroed with buffer write, at that time isize is not yet\nupdated to match the new size, if writeback is kicked in, it will invoke\nocfs2_writepage()->block_write_full_page() where the pages out of inode\nsize will be dropped.  That will cause file corruption.  Fix this by\nzero out eof blocks when extending the inode size.\r\n\r\nRunning the following command with qemu-image 4.2.1 can get a corrupted\ncoverted image file easily.\r\n\r\n    qemu-img convert -p -t none -T none -f qcow2 $qcow_image \\\n             -O qcow2 -o compat=1.1 $qcow_image.conv\r\n\r\nThe usage of fallocate in qemu is like this, it first punches holes out\nof inode size, then extend the inode size.\r\n\r\n    fallocate(11, FALLOC_FL_KEEP_SIZE|FALLOC_FL_PUNCH_HOLE, 2276196352, 65536) = 0\n    fallocate(11, 0, 2276196352, 65536) = 0\r\n\r\nv1: https://www.spinics.net/lists/linux-fsdevel/msg193999.html\nv2: https://lore.kernel.org/linux-fsdevel/20210525093034.GB4112@quack2.suse.cz/T/(CVE-2021-47114)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: caif: fix memory leak in caif_device_notify\r\n\r\nIn case of caif_enroll_dev() fail, allocated\nlink_support won't be assigned to the corresponding\nstructure. So simply free allocated pointer in case\nof error(CVE-2021-47122)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\napparmor: avoid crash when parsed profile name is empty\r\n\r\nWhen processing a packed profile in unpack_profile() described like\r\n\r\n \"profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}\"\r\n\r\na string \":samba-dcerpcd\" is unpacked as a fully-qualified name and then\npassed to aa_splitn_fqname().\r\n\r\naa_splitn_fqname() treats \":samba-dcerpcd\" as only containing a namespace.\nThus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later\naa_alloc_profile() crashes as the new profile name is NULL now.\r\n\r\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\nRIP: 0010:strlen+0x1e/0xa0\nCall Trace:\n <TASK>\n ? strlen+0x1e/0xa0\n aa_policy_init+0x1bb/0x230\n aa_alloc_profile+0xb1/0x480\n unpack_profile+0x3bc/0x4960\n aa_unpack+0x309/0x15e0\n aa_replace_profiles+0x213/0x33c0\n policy_update+0x261/0x370\n profile_replace+0x20e/0x2a0\n vfs_write+0x2af/0xe00\n ksys_write+0x126/0x250\n do_syscall_64+0x46/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n </TASK>\n---[ end trace 0000000000000000 ]---\nRIP: 0010:strlen+0x1e/0xa0\r\n\r\nIt seems such behaviour of aa_splitn_fqname() is expected and checked in\nother places where it is called (e.g. aa_remove_profiles). Well, there\nis an explicit comment \"a ns name without a following profile is allowed\"\ninside.\r\n\r\nAFAICS, nothing can prevent unpacked \"name\" to be in form like\n\":samba-dcerpcd\" - it is passed from userspace.\r\n\r\nDeny the whole profile set replacement in such case and inform user with\nEPROTO and an explaining message.\r\n\r\nFound by Linux Verification Center (linuxtesting.org).(CVE-2023-52443)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrivers/amd/pm: fix a use-after-free in kv_parse_power_table\r\n\r\nWhen ps allocated by kzalloc equals to NULL, kv_parse_power_table\nfrees adev->pm.dpm.ps that allocated before. However, after the control\nflow goes through the following call chains:\r\n\r\nkv_parse_power_table\n  |-> kv_dpm_init\n        |-> kv_dpm_sw_init\n\t      |-> kv_dpm_fini\r\n\r\nThe adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its\nfirst free in kv_parse_power_table and causes a use-after-free bug.(CVE-2023-52469)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nperf/x86/lbr: Filter vsyscall addresses\r\n\r\nWe found that a panic can occur when a vsyscall is made while LBR sampling\nis active. If the vsyscall is interrupted (NMI) for perf sampling, this\ncall sequence can occur (most recent at top):\r\n\r\n    __insn_get_emulate_prefix()\n    insn_get_emulate_prefix()\n    insn_get_prefixes()\n    insn_get_opcode()\n    decode_branch_type()\n    get_branch_type()\n    intel_pmu_lbr_filter()\n    intel_pmu_handle_irq()\n    perf_event_nmi_handler()\r\n\r\nWithin __insn_get_emulate_prefix() at frame 0, a macro is called:\r\n\r\n    peek_nbyte_next(insn_byte_t, insn, i)\r\n\r\nWithin this macro, this dereference occurs:\r\n\r\n    (insn)->next_byte\r\n\r\nInspecting registers at this point, the value of the next_byte field is the\naddress of the vsyscall made, for example the location of the vsyscall\nversion of gettimeofday() at 0xffffffffff600000. The access to an address\nin the vsyscall region will trigger an oops due to an unhandled page fault.\r\n\r\nTo fix the bug, filtering for vsyscalls can be done when\ndetermining the branch type. This patch will return\na \"none\" branch if a kernel address if found to lie in the\nvsyscall region.(CVE-2023-52476)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn()\r\n\r\nSili Luo reported a race in nfc_llcp_sock_get(), leading to UAF.\r\n\r\nGetting a reference on the socket found in a lookup while\nholding a lock should happen before releasing the lock.\r\n\r\nnfc_llcp_sock_get_sn() has a similar problem.\r\n\r\nFinally nfc_llcp_recv_snl() needs to make sure the socket\nfound by nfc_llcp_sock_from_sn() does not disappear.(CVE-2023-52502)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nravb: Fix use-after-free issue in ravb_tx_timeout_work()\r\n\r\nThe ravb_stop() should call cancel_work_sync(). Otherwise,\nravb_tx_timeout_work() is possible to use the freed priv after\nravb_remove() was called like below:\r\n\r\nCPU0\t\t\tCPU1\n\t\t\travb_tx_timeout()\nravb_remove()\nunregister_netdev()\nfree_netdev(ndev)\n// free priv\n\t\t\travb_tx_timeout_work()\n\t\t\t// use priv\r\n\r\nunregister_netdev() will call .ndo_stop() so that ravb_stop() is\ncalled. And, after phy_stop() is called, netif_carrier_off()\nis also called. So that .ndo_tx_timeout() will not be called\nafter phy_stop().(CVE-2023-52509)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix array-index-out-of-bounds in diNewExt\r\n\r\n[Syz report]\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_imap.c:2360:2\nindex -878706688 is out of range for type 'struct iagctl[128]'\nCPU: 1 PID: 5065 Comm: syz-executor282 Not tainted 6.7.0-rc4-syzkaller-00009-gbee0e7762ad2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348\n diNewExt+0x3cf3/0x4000 fs/jfs/jfs_imap.c:2360\n diAllocExt fs/jfs/jfs_imap.c:1949 [inline]\n diAllocAG+0xbe8/0x1e50 fs/jfs/jfs_imap.c:1666\n diAlloc+0x1d3/0x1760 fs/jfs/jfs_imap.c:1587\n ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56\n jfs_mkdir+0x1c5/0xb90 fs/jfs/namei.c:225\n vfs_mkdir+0x2f1/0x4b0 fs/namei.c:4106\n do_mkdirat+0x264/0x3a0 fs/namei.c:4129\n __do_sys_mkdir fs/namei.c:4149 [inline]\n __se_sys_mkdir fs/namei.c:4147 [inline]\n __x64_sys_mkdir+0x6e/0x80 fs/namei.c:4147\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x45/0x110 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7fcb7e6a0b57\nCode: ff ff 77 07 31 c0 c3 0f 1f 40 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffd83023038 EFLAGS: 00000286 ORIG_RAX: 0000000000000053\nRAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007fcb7e6a0b57\nRDX: 00000000000a1020 RSI: 00000000000001ff RDI: 0000000020000140\nRBP: 0000000020000140 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000286 R12: 00007ffd830230d0\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\r\n\r\n[Analysis]\nWhen the agstart is too large, it can cause agno overflow.\r\n\r\n[Fix]\nAfter obtaining agno, if the value is invalid, exit the subsequent process.\r\n\r\n\nModified the test from agno > MAXAG to agno >= MAXAG based on linux-next\nreport by kernel test robot (Dan Carpenter).(CVE-2023-52599)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix uaf in jfs_evict_inode\r\n\r\nWhen the execution of diMount(ipimap) fails, the object ipimap that has been\nreleased may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs\nwhen rcu_core() calls jfs_free_node().\r\n\r\nTherefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as\nipimap.(CVE-2023-52600)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix array-index-out-of-bounds in dbAdjTree\r\n\r\nCurrently there is a bound check missing in the dbAdjTree while\naccessing the dmt_stree. To add the required check added the bool is_ctl\nwhich is required to determine the size as suggest in the following\ncommit.\nhttps://lore.kernel.org/linux-kernel-mentees/f9475918-2186-49b8-b801-6f0f9e75f4fa@oracle.com/(CVE-2023-52601)\r\n\r\nInteger Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.(CVE-2024-23307)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: qualcomm: rmnet: fix global oob in rmnet_policy\r\n\r\nThe variable rmnet_link_ops assign a *bigger* maxtype which leads to a\nglobal out-of-bounds read when parsing the netlink attributes. See bug\ntrace below:\r\n\r\n==================================================================\nBUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline]\nBUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\nRead of size 1 at addr ffffffff92c438d0 by task syz-executor.6/84207\r\n\r\nCPU: 0 PID: 84207 Comm: syz-executor.6 Tainted: G                 N 6.1.0 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x172/0x475 mm/kasan/report.c:395\n kasan_report+0xbb/0x1c0 mm/kasan/report.c:495\n validate_nla lib/nlattr.c:386 [inline]\n __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\n __nla_parse+0x3e/0x50 lib/nlattr.c:697\n nla_parse_nested_deprecated include/net/netlink.h:1248 [inline]\n __rtnl_newlink+0x50a/0x1880 net/core/rtnetlink.c:3485\n rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3594\n rtnetlink_rcv_msg+0x43c/0xd70 net/core/rtnetlink.c:6091\n netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg+0x154/0x190 net/socket.c:734\n ____sys_sendmsg+0x6df/0x840 net/socket.c:2482\n ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536\n __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fdcf2072359\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fdcf13e3168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007fdcf219ff80 RCX: 00007fdcf2072359\nRDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003\nRBP: 00007fdcf20bd493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fffbb8d7bdf R14: 00007fdcf13e3300 R15: 0000000000022000\n </TASK>\r\n\r\nThe buggy address belongs to the variable:\n rmnet_policy+0x30/0xe0\r\n\r\nThe buggy address belongs to the physical page:\npage:0000000065bdeb3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x155243\nflags: 0x200000000001000(reserved|node=0|zone=2)\nraw: 0200000000001000 ffffea00055490c8 ffffea00055490c8 0000000000000000\nraw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\r\n\r\nMemory state around the buggy address:\n ffffffff92c43780: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 07\n ffffffff92c43800: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 06 f9 f9 f9\n>ffffffff92c43880: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9\n                                                 ^\n ffffffff92c43900: 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9\n ffffffff92c43980: 00 00 00 07 f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9\r\n\r\nAccording to the comment of `nla_parse_nested_deprecated`, the maxtype\nshould be len(destination array) - 1. Hence use `IFLA_RMNET_MAX` here.(CVE-2024-26597)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nphy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP\r\n\r\nIf the external phy working together with phy-omap-usb2 does not implement\nsend_srp(), we may still attempt to call it. This can happen on an idle\nEthernet gadget triggering a wakeup for example:\r\n\r\nconfigfs-gadget.g1 gadget.0: ECM Suspend\nconfigfs-gadget.g1 gadget.0: Port suspended. Triggering wakeup\n...\nUnable to handle kernel NULL pointer dereference at virtual address\n00000000 when execute\n...\nPC is at 0x0\nLR is at musb_gadget_wakeup+0x1d4/0x254 [musb_hdrc]\n...\nmusb_gadget_wakeup [musb_hdrc] from usb_gadget_wakeup+0x1c/0x3c [udc_core]\nusb_gadget_wakeup [udc_core] from eth_start_xmit+0x3b0/0x3d4 [u_ether]\neth_start_xmit [u_ether] from dev_hard_start_xmit+0x94/0x24c\ndev_hard_start_xmit from sch_direct_xmit+0x104/0x2e4\nsch_direct_xmit from __dev_queue_xmit+0x334/0xd88\n__dev_queue_xmit from arp_solicit+0xf0/0x268\narp_solicit from neigh_probe+0x54/0x7c\nneigh_probe from __neigh_event_send+0x22c/0x47c\n__neigh_event_send from neigh_resolve_output+0x14c/0x1c0\nneigh_resolve_output from ip_finish_output2+0x1c8/0x628\nip_finish_output2 from ip_send_skb+0x40/0xd8\nip_send_skb from udp_send_skb+0x124/0x340\nudp_send_skb from udp_sendmsg+0x780/0x984\nudp_sendmsg from __sys_sendto+0xd8/0x158\n__sys_sendto from ret_fast_syscall+0x0/0x58\r\n\r\nLet's fix the issue by checking for send_srp() and set_vbus() before\ncalling them. For USB peripheral only cases these both could be NULL.(CVE-2024-26600)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbinder: signal epoll threads of self-work\r\n\r\nIn (e)poll mode, threads often depend on I/O events to determine when\ndata is ready for consumption. Within binder, a thread may initiate a\ncommand via BINDER_WRITE_READ without a read buffer and then make use\nof epoll_wait() or similar to consume any responses afterwards.\r\n\r\nIt is then crucial that epoll threads are signaled via wakeup when they\nqueue their own work. Otherwise, they risk waiting indefinitely for an\nevent leaving their work unhandled. What is worse, subsequent commands\nwon't trigger a wakeup either as the thread has pending work.(CVE-2024-26606)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntomoyo: fix UAF write bug in tomoyo_write_control()\r\n\r\nSince tomoyo_write_control() updates head->write_buf when write()\nof long lines is requested, we need to fetch head->write_buf after\nhead->io_sem is held.  Otherwise, concurrent write() requests can\ncause use-after-free-write and double-free problems.(CVE-2024-26622)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nllc: call sock_orphan() at release time\r\n\r\nsyzbot reported an interesting trace [1] caused by a stale sk->sk_wq\npointer in a closed llc socket.\r\n\r\nIn commit ff7b11aa481f (\"net: socket: set sock->sk to NULL after\ncalling proto_ops::release()\") Eric Biggers hinted that some protocols\nare missing a sock_orphan(), we need to perform a full audit.\r\n\r\nIn net-next, I plan to clear sock->sk from sock_orphan() and\namend Eric patch to add a warning.\r\n\r\n[1]\n BUG: KASAN: slab-use-after-free in list_empty include/linux/list.h:373 [inline]\n BUG: KASAN: slab-use-after-free in waitqueue_active include/linux/wait.h:127 [inline]\n BUG: KASAN: slab-use-after-free in sock_def_write_space_wfree net/core/sock.c:3384 [inline]\n BUG: KASAN: slab-use-after-free in sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468\nRead of size 8 at addr ffff88802f4fc880 by task ksoftirqd/1/27\r\n\r\nCPU: 1 PID: 27 Comm: ksoftirqd/1 Not tainted 6.8.0-rc1-syzkaller-00049-g6098d87eaf31 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0xc4/0x620 mm/kasan/report.c:488\n  kasan_report+0xda/0x110 mm/kasan/report.c:601\n  list_empty include/linux/list.h:373 [inline]\n  waitqueue_active include/linux/wait.h:127 [inline]\n  sock_def_write_space_wfree net/core/sock.c:3384 [inline]\n  sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468\n  skb_release_head_state+0xa3/0x2b0 net/core/skbuff.c:1080\n  skb_release_all net/core/skbuff.c:1092 [inline]\n  napi_consume_skb+0x119/0x2b0 net/core/skbuff.c:1404\n  e1000_unmap_and_free_tx_resource+0x144/0x200 drivers/net/ethernet/intel/e1000/e1000_main.c:1970\n  e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3860 [inline]\n  e1000_clean+0x4a1/0x26e0 drivers/net/ethernet/intel/e1000/e1000_main.c:3801\n  __napi_poll.constprop.0+0xb4/0x540 net/core/dev.c:6576\n  napi_poll net/core/dev.c:6645 [inline]\n  net_rx_action+0x956/0xe90 net/core/dev.c:6778\n  __do_softirq+0x21a/0x8de kernel/softirq.c:553\n  run_ksoftirqd kernel/softirq.c:921 [inline]\n  run_ksoftirqd+0x31/0x60 kernel/softirq.c:913\n  smpboot_thread_fn+0x660/0xa10 kernel/smpboot.c:164\n  kthread+0x2c6/0x3a0 kernel/kthread.c:388\n  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n  ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242\n </TASK>\r\n\r\nAllocated by task 5167:\n  kasan_save_stack+0x33/0x50 mm/kasan/common.c:47\n  kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n  unpoison_slab_object mm/kasan/common.c:314 [inline]\n  __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:340\n  kasan_slab_alloc include/linux/kasan.h:201 [inline]\n  slab_post_alloc_hook mm/slub.c:3813 [inline]\n  slab_alloc_node mm/slub.c:3860 [inline]\n  kmem_cache_alloc_lru+0x142/0x6f0 mm/slub.c:3879\n  alloc_inode_sb include/linux/fs.h:3019 [inline]\n  sock_alloc_inode+0x25/0x1c0 net/socket.c:308\n  alloc_inode+0x5d/0x220 fs/inode.c:260\n  new_inode_pseudo+0x16/0x80 fs/inode.c:1005\n  sock_alloc+0x40/0x270 net/socket.c:634\n  __sock_create+0xbc/0x800 net/socket.c:1535\n  sock_create net/socket.c:1622 [inline]\n  __sys_socket_create net/socket.c:1659 [inline]\n  __sys_socket+0x14c/0x260 net/socket.c:1706\n  __do_sys_socket net/socket.c:1720 [inline]\n  __se_sys_socket net/socket.c:1718 [inline]\n  __x64_sys_socket+0x72/0xb0 net/socket.c:1718\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nFreed by task 0:\n  kasan_save_stack+0x33/0x50 mm/kasan/common.c:47\n  kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n  kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640\n  poison_slab_object mm/kasan/common.c:241 [inline]\n  __kasan_slab_free+0x121/0x1b0 mm/kasan/common.c:257\n  kasan_slab_free include/linux/kasan.h:184 [inline]\n  slab_free_hook mm/slub.c:2121 [inlin\n---truncated---(CVE-2024-26625)",
+    "cves": [
+      {
+        "id": "CVE-2024-26625",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26625",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1823": {
+    "id": "openEuler-SA-2022-1823",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1823",
+    "title": "An update for redis6 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Redis is an advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. You can run atomic operations on these types, like appending to a string; incrementing the value in a hash; pushing to a list; computing set intersection, union and difference; or getting the member with highest ranking in a sorted set. In order to achieve its outstanding performance, Redis works with an in-memory dataset. Depending on your use case, you can persist it either by dumping the dataset to disk every once in a while, or by appending each command to a log. Redis also supports trivial-to-setup master-slave replication, with very fast non-blocking first synchronization, auto-reconnection on net split and so forth. Other features include Transactions, Pub/Sub, Lua scripting, Keys with a limited time-to-live, and configuration settings to make Redis behave like a cache. You can use Redis from most programming languages also.\r\n\r\nSecurity Fix(es):\r\n\r\nRedis is an in-memory database that persists on disk. By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis prior to version 7.0.0 or 6.2.7 can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. The Lua script execution environment in Redis provides some measures that prevent a script from creating side effects that persist and can affect the execution of the same, or different script, at a later time. Several weaknesses of these measures have been publicly known for a long time, but they had no security impact as the Redis security model did not endorse the concept of users or privileges. With the introduction of ACLs in Redis 6.0, these weaknesses can be exploited by a less privileged users to inject Lua code that will execute at a later time, when a privileged user executes a Lua script. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to `SCRIPT LOAD` and `EVAL` commands using ACL rules.(CVE-2022-24735)\r\n\r\nRedis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result with a crash of the redis-server process. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to `SCRIPT LOAD` and `EVAL` commands using ACL rules.(CVE-2022-24736)",
+    "cves": [
+      {
+        "id": "CVE-2022-24736",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24736",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1875": {
+    "id": "openEuler-SA-2022-1875",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1875",
+    "title": "An update for rsync is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Rsync is an open source utility that provides fast incremental file transfer.It uses the \"rsync algorithm\" which provides a very fast method for bringing remote files into sync. It does this by sending just the differences in the files across the link, without requiring that both sets of files are present at one of the ends of the link beforehand.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file).(CVE-2022-29154)",
+    "cves": [
+      {
+        "id": "CVE-2022-29154",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29154",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1033": {
+    "id": "openEuler-SA-2021-1033",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1033",
+    "title": "An update for sane-backends is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "SANE (Scanner Access Now Easy) is a sane and simple interface to both local and networked scanners and other image acquisition devices like digital still and video cameras.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nA NULL pointer dereference in sanei_epson_net_read in SANE Backends before 1.0.30 allows a malicious device connected to the same local network as the victim to cause a denial of service, aka GHSL-2020-075.(CVE-2020-12867)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2020-12867",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12867",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1863": {
+    "id": "openEuler-SA-2024-1863",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1863",
+    "title": "An update for kernel is now available for openEuler-24.03-LTS",
+    "severity": "Critical",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nrtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation\r\n\r\nEach attribute inside a nested IFLA_VF_VLAN_LIST is assumed to be a\nstruct ifla_vf_vlan_info so the size of such attribute needs to be at least\nof sizeof(struct ifla_vf_vlan_info) which is 14 bytes.\nThe current size validation in do_setvfinfo is against NLA_HDRLEN (4 bytes)\nwhich is less than sizeof(struct ifla_vf_vlan_info) so this validation\nis not enough and a too small attribute might be cast to a\nstruct ifla_vf_vlan_info, this might result in an out of bands\nread access when accessing the saved (casted) entry in ivvl.(CVE-2024-36017)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnull_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'\r\n\r\nWriting 'power' and 'submit_queues' concurrently will trigger kernel\npanic:\r\n\r\nTest script:\r\n\r\nmodprobe null_blk nr_devices=0\nmkdir -p /sys/kernel/config/nullb/nullb0\nwhile true; do echo 1 > submit_queues; echo 4 > submit_queues; done &\nwhile true; do echo 1 > power; echo 0 > power; done\r\n\r\nTest result:\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000148\nOops: 0000 [#1] PREEMPT SMP\nRIP: 0010:__lock_acquire+0x41d/0x28f0\nCall Trace:\n <TASK>\n lock_acquire+0x121/0x450\n down_write+0x5f/0x1d0\n simple_recursive_removal+0x12f/0x5c0\n blk_mq_debugfs_unregister_hctxs+0x7c/0x100\n blk_mq_update_nr_hw_queues+0x4a3/0x720\n nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]\n nullb_device_submit_queues_store+0x79/0xf0 [null_blk]\n configfs_write_iter+0x119/0x1e0\n vfs_write+0x326/0x730\n ksys_write+0x74/0x150\r\n\r\nThis is because del_gendisk() can concurrent with\nblk_mq_update_nr_hw_queues():\r\n\r\nnullb_device_power_store\tnullb_apply_submit_queues\n null_del_dev\n del_gendisk\n\t\t\t\t nullb_update_nr_hw_queues\n\t\t\t\t  if (!dev->nullb)\n\t\t\t\t  // still set while gendisk is deleted\n\t\t\t\t   return 0\n\t\t\t\t  blk_mq_update_nr_hw_queues\n dev->nullb = NULL\r\n\r\nFix this problem by resuing the global mutex to protect\nnullb_device_power_store() and nullb_update_nr_hw_queues() from configfs.(CVE-2024-36478)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntracing/probes: fix error check in parse_btf_field()\r\n\r\nbtf_find_struct_member() might return NULL or an error via the\nERR_PTR() macro. However, its caller in parse_btf_field() only checks\nfor the NULL condition. Fix this by using IS_ERR() and returning the\nerror up the stack.(CVE-2024-36481)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: lpfc: Release hbalock before calling lpfc_worker_wake_up()\r\n\r\nlpfc_worker_wake_up() calls the lpfc_work_done() routine, which takes the\nhbalock.  Thus, lpfc_worker_wake_up() should not be called while holding the\nhbalock to avoid potential deadlock.(CVE-2024-36924)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: core: reject skb_copy(_expand) for fraglist GSO skbs\r\n\r\nSKB_GSO_FRAGLIST skbs must not be linearized, otherwise they become\ninvalid. Return NULL if such an skb is passed to skb_copy or\nskb_copy_expand, in order to prevent a crash on a potential later\ncall to skb_gso_segment.(CVE-2024-36929)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/cio: Ensure the copied buf is NUL terminated\r\n\r\nCurrently, we allocate a lbuf-sized kernel buffer and copy lbuf from\nuserspace to that buffer. Later, we use scanf on this buffer but we don't\nensure that the string is terminated inside the buffer, this can lead to\nOOB read when using scanf. Fix this issue by using memdup_user_nul instead.(CVE-2024-36931)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdkfd: range check cp bad op exception interrupts\r\n\r\nDue to a CP interrupt bug, bad packet garbage exception codes are raised.\nDo a range check so that the debugger and runtime do not receive garbage\ncodes.\nUpdate the user api to guard exception code type checking as well.(CVE-2024-36951)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblk-cgroup: fix list corruption from reorder of WRITE ->lqueued\r\n\r\n__blkcg_rstat_flush() can be run anytime, especially when blk_cgroup_bio_start\nis being executed.\r\n\r\nIf WRITE of `->lqueued` is re-ordered with READ of 'bisc->lnode.next' in\nthe loop of __blkcg_rstat_flush(), `next_bisc` can be assigned with one\nstat instance being added in blk_cgroup_bio_start(), then the local\nlist in __blkcg_rstat_flush() could be corrupted.\r\n\r\nFix the issue by adding one barrier.(CVE-2024-38384)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: openvswitch: fix overwriting ct original tuple for ICMPv6\r\n\r\nOVS_PACKET_CMD_EXECUTE has 3 main attributes:\n - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format.\n - OVS_PACKET_ATTR_PACKET - Binary packet content.\n - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet.\r\n\r\nOVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure\nwith the metadata like conntrack state, input port, recirculation id,\netc.  Then the packet itself gets parsed to populate the rest of the\nkeys from the packet headers.\r\n\r\nWhenever the packet parsing code starts parsing the ICMPv6 header, it\nfirst zeroes out fields in the key corresponding to Neighbor Discovery\ninformation even if it is not an ND packet.\r\n\r\nIt is an 'ipv6.nd' field.  However, the 'ipv6' is a union that shares\nthe space between 'nd' and 'ct_orig' that holds the original tuple\nconntrack metadata parsed from the OVS_PACKET_ATTR_KEY.\r\n\r\nND packets should not normally have conntrack state, so it's fine to\nshare the space, but normal ICMPv6 Echo packets or maybe other types of\nICMPv6 can have the state attached and it should not be overwritten.\r\n\r\nThe issue results in all but the last 4 bytes of the destination\naddress being wiped from the original conntrack tuple leading to\nincorrect packet matching and potentially executing wrong actions\nin case this packet recirculates within the datapath or goes back\nto userspace.\r\n\r\nND fields should not be accessed in non-ND packets, so not clearing\nthem should be fine.  Executing memset() only for actual ND packets to\navoid the issue.\r\n\r\nInitializing the whole thing before parsing is needed because ND packet\nmay not contain all the options.\r\n\r\nThe issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't\naffect packets entering OVS datapath from network interfaces, because\nin this case CT metadata is populated from skb after the packet is\nalready parsed.(CVE-2024-38558)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngfs2: Fix potential glock use-after-free on unmount\r\n\r\nWhen a DLM lockspace is released and there ares still locks in that\nlockspace, DLM will unlock those locks automatically.  Commit\nfb6791d100d1b started exploiting this behavior to speed up filesystem\nunmount: gfs2 would simply free glocks it didn't want to unlock and then\nrelease the lockspace.  This didn't take the bast callbacks for\nasynchronous lock contention notifications into account, which remain\nactive until until a lock is unlocked or its lockspace is released.\r\n\r\nTo prevent those callbacks from accessing deallocated objects, put the\nglocks that should not be unlocked on the sd_dead_glocks list, release\nthe lockspace, and only then free those glocks.\r\n\r\nAs an additional measure, ignore unexpected ast and bast callbacks if\nthe receiving glock is dead.(CVE-2024-38570)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu/mes: fix use-after-free issue\r\n\r\nDelete fence fallback timer to fix the ramdom\nuse-after-free issue.\r\n\r\nv2: move to amdgpu_mes.c(CVE-2024-38581)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix use-after-free of timer for log writer thread\r\n\r\nPatch series \"nilfs2: fix log writer related issues\".\r\n\r\nThis bug fix series covers three nilfs2 log writer-related issues,\nincluding a timer use-after-free issue and potential deadlock issue on\nunmount, and a potential freeze issue in event synchronization found\nduring their analysis.  Details are described in each commit log.\r\n\r\n\nThis patch (of 3):\r\n\r\nA use-after-free issue has been reported regarding the timer sc_timer on\nthe nilfs_sc_info structure.\r\n\r\nThe problem is that even though it is used to wake up a sleeping log\nwriter thread, sc_timer is not shut down until the nilfs_sc_info structure\nis about to be freed, and is used regardless of the thread's lifetime.\r\n\r\nFix this issue by limiting the use of sc_timer only while the log writer\nthread is alive.(CVE-2024-38583)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nr8169: Fix possible ring buffer corruption on fragmented Tx packets.\r\n\r\nAn issue was found on the RTL8125b when transmitting small fragmented\npackets, whereby invalid entries were inserted into the transmit ring\nbuffer, subsequently leading to calls to dma_unmap_single() with a null\naddress.\r\n\r\nThis was caused by rtl8169_start_xmit() not noticing changes to nr_frags\nwhich may occur when small packets are padded (to work around hardware\nquirks) in rtl8169_tso_csum_v2().\r\n\r\nTo fix this, postpone inspecting nr_frags until after any padding has been\napplied.(CVE-2024-38586)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nopenrisc: traps: Don't send signals to kernel mode threads\r\n\r\nOpenRISC exception handling sends signals to user processes on floating\npoint exceptions and trap instructions (for debugging) among others.\nThere is a bug where the trap handling logic may send signals to kernel\nthreads, we should not send these signals to kernel threads, if that\nhappens we treat it as an error.\r\n\r\nThis patch adds conditions to die if the kernel receives these\nexceptions in kernel mode code.(CVE-2024-38614)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: HCI: Remove HCI_AMP support\r\n\r\nSince BT_HS has been remove HCI_AMP controllers no longer has any use so\nremove it along with the capability of creating AMP controllers.\r\n\r\nSince we no longer need to differentiate between AMP and Primary\ncontrollers, as only HCI_PRIMARY is left, this also remove\nhdev->dev_type altogether.(CVE-2024-38620)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/pci: fix potential memory leak in vfio_intx_enable()\r\n\r\nIf vfio_irq_ctx_alloc() failed will lead to 'name' memory leak.(CVE-2024-38632)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/ap: Fix crash in AP internal function modify_bitmap()\r\n\r\nA system crash like this\r\n\r\n  Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403\n  Fault in home space mode while using kernel ASCE.\n  AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d\n  Oops: 0038 ilc:3 [#1] PREEMPT SMP\n  Modules linked in: mlx5_ib ...\n  CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8\n  Hardware name: IBM 3931 A01 704 (LPAR)\n  Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8)\n  R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\n  Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3\n  000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0\n  000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff\n  000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8\n  Krnl Code: 0000014b75e7b5fc: a7840047            brc     8,0000014b75e7b68a\n  0000014b75e7b600: 18b2                lr      %r11,%r2\n  #0000014b75e7b602: a7f4000a            brc     15,0000014b75e7b616\n  >0000014b75e7b606: eb22d00000e6        laog    %r2,%r2,0(%r13)\n  0000014b75e7b60c: a7680001            lhi     %r6,1\n  0000014b75e7b610: 187b                lr      %r7,%r11\n  0000014b75e7b612: 84960021            brxh    %r9,%r6,0000014b75e7b654\n  0000014b75e7b616: 18e9                lr      %r14,%r9\n  Call Trace:\n  [<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8\n  ([<0000014b75e7b5dc>] ap_parse_bitmap_str+0xe4/0x1f8)\n  [<0000014b75e7b758>] apmask_store+0x68/0x140\n  [<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8\n  [<0000014b75598524>] vfs_write+0x1b4/0x448\n  [<0000014b7559894c>] ksys_write+0x74/0x100\n  [<0000014b7618a440>] __do_syscall+0x268/0x328\n  [<0000014b761a3558>] system_call+0x70/0x98\n  INFO: lockdep is turned off.\n  Last Breaking-Event-Address:\n  [<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8\n  Kernel panic - not syncing: Fatal exception: panic_on_oops\r\n\r\noccured when /sys/bus/ap/a[pq]mask was updated with a relative mask value\n(like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX.\r\n\r\nThe fix is simple: use unsigned long values for the internal variables. The\ncorrect checks are already in place in the function but a simple int for\nthe internal variables was used with the possibility to overflow.(CVE-2024-38661)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: bcm: dvp: Assign ->num before accessing ->hws\r\n\r\nCommit f316cdff8d67 (\"clk: Annotate struct clk_hw_onecell_data with\n__counted_by\") annotated the hws member of 'struct clk_hw_onecell_data'\nwith __counted_by, which informs the bounds sanitizer about the number\nof elements in hws, so that it can warn when hws is accessed out of\nbounds. As noted in that change, the __counted_by member must be\ninitialized with the number of elements before the first array access\nhappens, otherwise there will be a warning from each access prior to the\ninitialization because the number of elements is zero. This occurs in\nclk_dvp_probe() due to ->num being assigned after ->hws has been\naccessed:\r\n\r\n  UBSAN: array-index-out-of-bounds in drivers/clk/bcm/clk-bcm2711-dvp.c:59:2\n  index 0 is out of range for type 'struct clk_hw *[] __counted_by(num)' (aka 'struct clk_hw *[]')\r\n\r\nMove the ->num initialization to before the first access of ->hws, which\nclears up the warning.(CVE-2024-39462)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: v4l: async: Fix notifier list entry init\r\n\r\nstruct v4l2_async_notifier has several list_head members, but only\nwaiting_list and done_list are initialized. notifier_entry was kept\n'zeroed' leading to an uninitialized list_head.\nThis results in a NULL-pointer dereference if csi2_async_register() fails,\ne.g. node for remote endpoint is disabled, and returns -ENOTCONN.\nThe following calls to v4l2_async_nf_unregister() results in a NULL\npointer dereference.\nAdd the missing list head initializer.(CVE-2024-39464)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: starfive - Do not free stack buffer\r\n\r\nRSA text data uses variable length buffer allocated in software stack.\nCalling kfree on it causes undefined behaviour in subsequent operations.(CVE-2024-39478)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/i915/hwmon: Get rid of devm\r\n\r\nWhen both hwmon and hwmon drvdata (on which hwmon depends) are device\nmanaged resources, the expectation, on device unbind, is that hwmon will be\nreleased before drvdata. However, in i915 there are two separate code\npaths, which both release either drvdata or hwmon and either can be\nreleased before the other. These code paths (for device unbind) are as\nfollows (see also the bug referenced below):\r\n\r\nCall Trace:\nrelease_nodes+0x11/0x70\ndevres_release_group+0xb2/0x110\ncomponent_unbind_all+0x8d/0xa0\ncomponent_del+0xa5/0x140\nintel_pxp_tee_component_fini+0x29/0x40 [i915]\nintel_pxp_fini+0x33/0x80 [i915]\ni915_driver_remove+0x4c/0x120 [i915]\ni915_pci_remove+0x19/0x30 [i915]\npci_device_remove+0x32/0xa0\ndevice_release_driver_internal+0x19c/0x200\nunbind_store+0x9c/0xb0\r\n\r\nand\r\n\r\nCall Trace:\nrelease_nodes+0x11/0x70\ndevres_release_all+0x8a/0xc0\ndevice_unbind_cleanup+0x9/0x70\ndevice_release_driver_internal+0x1c1/0x200\nunbind_store+0x9c/0xb0\r\n\r\nThis means that in i915, if use devm, we cannot gurantee that hwmon will\nalways be released before drvdata. Which means that we have a uaf if hwmon\nsysfs is accessed when drvdata has been released but hwmon hasn't.\r\n\r\nThe only way out of this seems to be do get rid of devm_ and release/free\neverything explicitly during device unbind.\r\n\r\nv2: Change commit message and other minor code changes\nv3: Cleanup from i915_hwmon_register on error (Armin Wolf)\nv4: Eliminate potential static analyzer warning (Rodrigo)\n    Eliminate fetch_and_zero (Jani)\nv5: Restore previous logic for ddat_gt->hwmon_dev error return (Andi)(CVE-2024-39479)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nkdb: Fix buffer overflow during tab-complete\r\n\r\nCurrently, when the user attempts symbol completion with the Tab key, kdb\nwill use strncpy() to insert the completed symbol into the command buffer.\nUnfortunately it passes the size of the source buffer rather than the\ndestination to strncpy() with predictably horrible results. Most obviously\nif the command buffer is already full but cp, the cursor position, is in\nthe middle of the buffer, then we will write past the end of the supplied\nbuffer.\r\n\r\nFix this by replacing the dubious strncpy() calls with memmove()/memcpy()\ncalls plus explicit boundary checks to make sure we have enough space\nbefore we start moving characters around.(CVE-2024-39480)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()\r\n\r\nIn function bond_option_arp_ip_targets_set(), if newval->string is an\nempty string, newval->string+1 will point to the byte after the\nstring, causing an out-of-bound read.\r\n\r\nBUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418\nRead of size 1 at addr ffff8881119c4781 by task syz-executor665/8107\nCPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:364 [inline]\n print_report+0xc1/0x5e0 mm/kasan/report.c:475\n kasan_report+0xbe/0xf0 mm/kasan/report.c:588\n strlen+0x7d/0xa0 lib/string.c:418\n __fortify_strlen include/linux/fortify-string.h:210 [inline]\n in4_pton+0xa3/0x3f0 net/core/utils.c:130\n bond_option_arp_ip_targets_set+0xc2/0x910\ndrivers/net/bonding/bond_options.c:1201\n __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767\n __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792\n bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817\n bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156\n dev_attr_store+0x54/0x80 drivers/base/core.c:2366\n sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136\n kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334\n call_write_iter include/linux/fs.h:2020 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x96a/0xd80 fs/read_write.c:584\n ksys_write+0x122/0x250 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n---[ end trace ]---\r\n\r\nFix it by adding a check of string length before using it.(CVE-2024-39487)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\narm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY\r\n\r\nWhen CONFIG_DEBUG_BUGVERBOSE=n, we fail to add necessary padding bytes\nto bug_table entries, and as a result the last entry in a bug table will\nbe ignored, potentially leading to an unexpected panic(). All prior\nentries in the table will be handled correctly.\r\n\r\nThe arm64 ABI requires that struct fields of up to 8 bytes are\nnaturally-aligned, with padding added within a struct such that struct\nare suitably aligned within arrays.\r\n\r\nWhen CONFIG_DEBUG_BUGVERPOSE=y, the layout of a bug_entry is:\r\n\r\n\tstruct bug_entry {\n\t\tsigned int      bug_addr_disp;\t// 4 bytes\n\t\tsigned int      file_disp;\t// 4 bytes\n\t\tunsigned short  line;\t\t// 2 bytes\n\t\tunsigned short  flags;\t\t// 2 bytes\n\t}\r\n\r\n... with 12 bytes total, requiring 4-byte alignment.\r\n\r\nWhen CONFIG_DEBUG_BUGVERBOSE=n, the layout of a bug_entry is:\r\n\r\n\tstruct bug_entry {\n\t\tsigned int      bug_addr_disp;\t// 4 bytes\n\t\tunsigned short  flags;\t\t// 2 bytes\n\t\t< implicit padding >\t\t// 2 bytes\n\t}\r\n\r\n... with 8 bytes total, with 6 bytes of data and 2 bytes of trailing\npadding, requiring 4-byte alginment.\r\n\r\nWhen we create a bug_entry in assembly, we align the start of the entry\nto 4 bytes, which implicitly handles padding for any prior entries.\nHowever, we do not align the end of the entry, and so when\nCONFIG_DEBUG_BUGVERBOSE=n, the final entry lacks the trailing padding\nbytes.\r\n\r\nFor the main kernel image this is not a problem as find_bug() doesn't\ndepend on the trailing padding bytes when searching for entries:\r\n\r\n\tfor (bug = __start___bug_table; bug < __stop___bug_table; ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\treturn bug;\r\n\r\nHowever for modules, module_bug_finalize() depends on the trailing\nbytes when calculating the number of entries:\r\n\r\n\tmod->num_bugs = sechdrs[i].sh_size / sizeof(struct bug_entry);\r\n\r\n... and as the last bug_entry lacks the necessary padding bytes, this entry\nwill not be counted, e.g. in the case of a single entry:\r\n\r\n\tsechdrs[i].sh_size == 6\n\tsizeof(struct bug_entry) == 8;\r\n\r\n\tsechdrs[i].sh_size / sizeof(struct bug_entry) == 0;\r\n\r\nConsequently module_find_bug() will miss the last bug_entry when it does:\r\n\r\n\tfor (i = 0; i < mod->num_bugs; ++i, ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\tgoto out;\r\n\r\n... which can lead to a kenrel panic due to an unhandled bug.\r\n\r\nThis can be demonstrated with the following module:\r\n\r\n\tstatic int __init buginit(void)\n\t{\n\t\tWARN(1, \"hello\\n\");\n\t\treturn 0;\n\t}\r\n\r\n\tstatic void __exit bugexit(void)\n\t{\n\t}\r\n\r\n\tmodule_init(buginit);\n\tmodule_exit(bugexit);\n\tMODULE_LICENSE(\"GPL\");\r\n\r\n... which will trigger a kernel panic when loaded:\r\n\r\n\t------------[ cut here ]------------\n\thello\n\tUnexpected kernel BRK exception at EL1\n\tInternal error: BRK handler: 00000000f2000800 [#1] PREEMPT SMP\n\tModules linked in: hello(O+)\n\tCPU: 0 PID: 50 Comm: insmod Tainted: G           O       6.9.1 #8\n\tHardware name: linux,dummy-virt (DT)\n\tpstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n\tpc : buginit+0x18/0x1000 [hello]\n\tlr : buginit+0x18/0x1000 [hello]\n\tsp : ffff800080533ae0\n\tx29: ffff800080533ae0 x28: 0000000000000000 x27: 0000000000000000\n\tx26: ffffaba8c4e70510 x25: ffff800080533c30 x24: ffffaba8c4a28a58\n\tx23: 0000000000000000 x22: 0000000000000000 x21: ffff3947c0eab3c0\n\tx20: ffffaba8c4e3f000 x19: ffffaba846464000 x18: 0000000000000006\n\tx17: 0000000000000000 x16: ffffaba8c2492834 x15: 0720072007200720\n\tx14: 0720072007200720 x13: ffffaba8c49b27c8 x12: 0000000000000312\n\tx11: 0000000000000106 x10: ffffaba8c4a0a7c8 x9 : ffffaba8c49b27c8\n\tx8 : 00000000ffffefff x7 : ffffaba8c4a0a7c8 x6 : 80000000fffff000\n\tx5 : 0000000000000107 x4 : 0000000000000000 x3 : 0000000000000000\n\tx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff3947c0eab3c0\n\tCall trace:\n\t buginit+0x18/0x1000 [hello]\n\t do_one_initcall+0x80/0x1c8\n\t do_init_module+0x60/0x218\n\t load_module+0x1ba4/0x1d70\n\t __do_sys_init_module+0x198/0x1d0\n\t __arm64_sys_init_module+0x1c/0x28\n\t invoke_syscall+0x48/0x114\n\t el0_svc\n---truncated---(CVE-2024-39488)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: sr: fix memleak in seg6_hmac_init_algo\r\n\r\nseg6_hmac_init_algo returns without cleaning up the previous allocations\nif one fails, so it's going to leak all that memory and the crypto tfms.\r\n\r\nUpdate seg6_hmac_exit to only free the memory when allocated, so we can\nreuse the code directly.(CVE-2024-39489)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsock_map: avoid race between sock_map_close and sk_psock_put\r\n\r\nsk_psock_get will return NULL if the refcount of psock has gone to 0, which\nwill happen when the last call of sk_psock_put is done. However,\nsk_psock_drop may not have finished yet, so the close callback will still\npoint to sock_map_close despite psock being NULL.\r\n\r\nThis can be reproduced with a thread deleting an element from the sock map,\nwhile the second one creates a socket, adds it to the map and closes it.\r\n\r\nThat will trigger the WARN_ON_ONCE:\r\n\r\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 7220 at net/core/sock_map.c:1701 sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701\nModules linked in:\nCPU: 1 PID: 7220 Comm: syz-executor380 Not tainted 6.9.0-syzkaller-07726-g3c999d1ae3c7 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nRIP: 0010:sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701\nCode: df e8 92 29 88 f8 48 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 79 29 88 f8 4c 8b 23 eb 89 e8 4f 15 23 f8 90 <0f> 0b 90 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 13 26 3d 02\nRSP: 0018:ffffc9000441fda8 EFLAGS: 00010293\nRAX: ffffffff89731ae1 RBX: ffffffff94b87540 RCX: ffff888029470000\nRDX: 0000000000000000 RSI: ffffffff8bcab5c0 RDI: ffffffff8c1faba0\nRBP: 0000000000000000 R08: ffffffff92f9b61f R09: 1ffffffff25f36c3\nR10: dffffc0000000000 R11: fffffbfff25f36c4 R12: ffffffff89731840\nR13: ffff88804b587000 R14: ffff88804b587000 R15: ffffffff89731870\nFS:  000055555e080380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000207d4000 CR4: 0000000000350ef0\nCall Trace:\n <TASK>\n unix_release+0x87/0xc0 net/unix/af_unix.c:1048\n __sock_release net/socket.c:659 [inline]\n sock_close+0xbe/0x240 net/socket.c:1421\n __fput+0x42b/0x8a0 fs/file_table.c:422\n __do_sys_close fs/open.c:1556 [inline]\n __se_sys_close fs/open.c:1541 [inline]\n __x64_sys_close+0x7f/0x110 fs/open.c:1541\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fb37d618070\nCode: 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d4 e8 10 2c 00 00 80 3d 31 f0 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c\nRSP: 002b:00007ffcd4a525d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000003\nRAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fb37d618070\nRDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000004\nRBP: 0000000000000000 R08: 0000000100000000 R09: 0000000100000000\nR10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n </TASK>\r\n\r\nUse sk_psock, which will only check that the pointer is not been set to\nNULL yet, which should only happen after the callbacks are restored. If,\nthen, a reference can still be gotten, we may call sk_psock_stop and cancel\npsock->work.\r\n\r\nAs suggested by Paolo Abeni, reorder the condition so the control flow is\nless convoluted.\r\n\r\nAfter that change, the reproducer does not trigger the WARN_ON_ONCE\nanymore.(CVE-2024-39500)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nionic: fix use after netif_napi_del()\r\n\r\nWhen queues are started, netif_napi_add() and napi_enable() are called.\nIf there are 4 queues and only 3 queues are used for the current\nconfiguration, only 3 queues' napi should be registered and enabled.\nThe ionic_qcq_enable() checks whether the .poll pointer is not NULL for\nenabling only the using queue' napi. Unused queues' napi will not be\nregistered by netif_napi_add(), so the .poll pointer indicates NULL.\nBut it couldn't distinguish whether the napi was unregistered or not\nbecause netif_napi_del() doesn't reset the .poll pointer to NULL.\nSo, ionic_qcq_enable() calls napi_enable() for the queue, which was\nunregistered by netif_napi_del().\r\n\r\nReproducer:\n   ethtool -L <interface name> rx 1 tx 1 combined 0\n   ethtool -L <interface name> rx 0 tx 0 combined 1\n   ethtool -L <interface name> rx 0 tx 0 combined 4\r\n\r\nSplat looks like:\nkernel BUG at net/core/dev.c:6666!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16\nWorkqueue: events ionic_lif_deferred_work [ionic]\nRIP: 0010:napi_enable+0x3b/0x40\nCode: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f\nRSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029\nRDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28\nRBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001\nR10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000\nR13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20\nFS:  0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? die+0x33/0x90\n ? do_trap+0xd9/0x100\n ? napi_enable+0x3b/0x40\n ? do_error_trap+0x83/0xb0\n ? napi_enable+0x3b/0x40\n ? napi_enable+0x3b/0x40\n ? exc_invalid_op+0x4e/0x70\n ? napi_enable+0x3b/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? napi_enable+0x3b/0x40\n ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n process_one_work+0x145/0x360\n worker_thread+0x2bb/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xcc/0x100\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2d/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30(CVE-2024-39502)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: fix possible race in __fib6_drop_pcpu_from()\r\n\r\nsyzbot found a race in __fib6_drop_pcpu_from() [1]\r\n\r\nIf compiler reads more than once (*ppcpu_rt),\nsecond read could read NULL, if another cpu clears\nthe value in rt6_get_pcpu_route().\r\n\r\nAdd a READ_ONCE() to prevent this race.\r\n\r\nAlso add rcu_read_lock()/rcu_read_unlock() because\nwe rely on RCU protection while dereferencing pcpu_rt.\r\n\r\n[1]\r\n\r\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]\nCPU: 0 PID: 7543 Comm: kworker/u8:17 Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nWorkqueue: netns cleanup_net\n RIP: 0010:__fib6_drop_pcpu_from.part.0+0x10a/0x370 net/ipv6/ip6_fib.c:984\nCode: f8 48 c1 e8 03 80 3c 28 00 0f 85 16 02 00 00 4d 8b 3f 4d 85 ff 74 31 e8 74 a7 fa f7 49 8d bf 90 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 1e 02 00 00 49 8b 87 90 00 00 00 48 8b 0c 24 48\nRSP: 0018:ffffc900040df070 EFLAGS: 00010206\nRAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff89932e16\nRDX: ffff888049dd1e00 RSI: ffffffff89932d7c RDI: 0000000000000091\nRBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000007\nR10: 0000000000000001 R11: 0000000000000006 R12: ffff88807fa080b8\nR13: fffffbfff1a9a07d R14: ffffed100ff41022 R15: 0000000000000001\nFS:  0000000000000000(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b32c26000 CR3: 000000005d56e000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n  __fib6_drop_pcpu_from net/ipv6/ip6_fib.c:966 [inline]\n  fib6_drop_pcpu_from net/ipv6/ip6_fib.c:1027 [inline]\n  fib6_purge_rt+0x7f2/0x9f0 net/ipv6/ip6_fib.c:1038\n  fib6_del_route net/ipv6/ip6_fib.c:1998 [inline]\n  fib6_del+0xa70/0x17b0 net/ipv6/ip6_fib.c:2043\n  fib6_clean_node+0x426/0x5b0 net/ipv6/ip6_fib.c:2205\n  fib6_walk_continue+0x44f/0x8d0 net/ipv6/ip6_fib.c:2127\n  fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2175\n  fib6_clean_tree+0xd7/0x120 net/ipv6/ip6_fib.c:2255\n  __fib6_clean_all+0x100/0x2d0 net/ipv6/ip6_fib.c:2271\n  rt6_sync_down_dev net/ipv6/route.c:4906 [inline]\n  rt6_disable_ip+0x7ed/0xa00 net/ipv6/route.c:4911\n  addrconf_ifdown.isra.0+0x117/0x1b40 net/ipv6/addrconf.c:3855\n  addrconf_notify+0x223/0x19e0 net/ipv6/addrconf.c:3778\n  notifier_call_chain+0xb9/0x410 kernel/notifier.c:93\n  call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1992\n  call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]\n  call_netdevice_notifiers net/core/dev.c:2044 [inline]\n  dev_close_many+0x333/0x6a0 net/core/dev.c:1585\n  unregister_netdevice_many_notify+0x46d/0x19f0 net/core/dev.c:11193\n  unregister_netdevice_many net/core/dev.c:11276 [inline]\n  default_device_exit_batch+0x85b/0xae0 net/core/dev.c:11759\n  ops_exit_list+0x128/0x180 net/core/net_namespace.c:178\n  cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640\n  process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\n  process_scheduled_works kernel/workqueue.c:3312 [inline]\n  worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393\n  kthread+0x2c1/0x3a0 kernel/kthread.c:389\n  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244(CVE-2024-40905)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmptcp: ensure snd_una is properly initialized on connect\r\n\r\nThis is strictly related to commit fb7a0d334894 (\"mptcp: ensure snd_nxt\nis properly initialized on connect\"). It turns out that syzkaller can\ntrigger the retransmit after fallback and before processing any other\nincoming packet - so that snd_una is still left uninitialized.\r\n\r\nAddress the issue explicitly initializing snd_una together with snd_nxt\nand write_seq.(CVE-2024-40931)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nHID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()\r\n\r\nFix a memory leak on logi_dj_recv_send_report() error path.(CVE-2024-40934)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: hda: cs35l41: Possible null pointer dereference in cs35l41_hda_unbind()\r\n\r\nThe cs35l41_hda_unbind() function clears the hda_component entry\nmatching it's index and then dereferences the codec pointer held in the\nfirst element of the hda_component array, this is an issue when the\ndevice index was 0.\r\n\r\nInstead use the codec pointer stashed in the cs35l41_hda structure as it\nwill still be valid.(CVE-2024-40964)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: remove clear SB_INLINECRYPT flag in default_options\r\n\r\nIn f2fs_remount, SB_INLINECRYPT flag will be clear and re-set.\nIf create new file or open file during this gap, these files\nwill not use inlinecrypt. Worse case, it may lead to data\ncorruption if wrappedkey_v0 is enable.\r\n\r\nThread A:                               Thread B:\r\n\r\n-f2fs_remount\t\t\t\t-f2fs_file_open or f2fs_new_inode\n  -default_options\n\t<- clear SB_INLINECRYPT flag\r\n\r\n                                          -fscrypt_select_encryption_impl\r\n\r\n  -parse_options\n\t<- set SB_INLINECRYPT again(CVE-2024-40971)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncpufreq: amd-pstate: fix memory leak on CPU EPP exit\r\n\r\nThe cpudata memory from kzalloc() in amd_pstate_epp_cpu_init() is\nnot freed in the analogous exit function, so fix that.\r\n\r\n[ rjw: Subject and changelog edits ](CVE-2024-40997)",
+    "cves": [
+      {
+        "id": "CVE-2024-40997",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40997",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1252": {
+    "id": "openEuler-SA-2021-1252",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1252",
+    "title": "An update for sqlite is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "SQLite is a C-language library that implements a small, fast, self-contained, high-reliability, full-featured, SQL database engine. SQLite is the most used database engine in the world. SQLite is built into all mobile phones and most computers and comes bundled inside countless other applications that people use every day. It also include lemon and sqlite3_analyzer and tcl tools.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in SQLite s SELECT query functionality (src/select.c). This flaw allows an attacker who is capable of running SQL queries locally on the SQLite database to cause a denial of service or possible code execution by triggering a use-after-free. The highest threat from this vulnerability is to system availability.(CVE-2021-20227)",
+    "cves": [
+      {
+        "id": "CVE-2021-20227",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20227",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1901": {
+    "id": "openEuler-SA-2022-1901",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1901",
+    "title": "An update for pacemaker is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Pacemaker is an advanced, scalable High-Availability cluster resource manager.\r\n\r\nSecurity Fix(es):\r\n\r\nAn ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration.(CVE-2020-25654)",
+    "cves": [
+      {
+        "id": "CVE-2020-25654",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25654",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1655": {
+    "id": "openEuler-SA-2023-1655",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1655",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nhw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access by providing an address near the end of the PCI configuration space.(CVE-2020-13791)\r\n\r\nAn issue was discovered in TCG Accelerator in QEMU 4.2.0, allows local attackers to execute arbitrary code, escalate privileges, and cause a denial of service (DoS).(CVE-2020-24165)",
+    "cves": [
+      {
+        "id": "CVE-2020-24165",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24165",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1555": {
+    "id": "openEuler-SA-2022-1555",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1555",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nUse of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.(CVE-2022-0554)\r\n\r\nOut-of-bounds Read in vim/vim prior to 8.2.(CVE-2022-0319)\r\n\r\nStack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.(CVE-2022-0629)\r\n\r\nHeap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.(CVE-2022-0572)",
+    "cves": [
+      {
+        "id": "CVE-2022-0572",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0572",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1999": {
+    "id": "openEuler-SA-2022-1999",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1999",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing.It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nUse After Free in GitHub repository vim/vim prior to 9.0.0579.(CVE-2022-3297)\r\n\r\nStack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0598.(CVE-2022-3324)",
+    "cves": [
+      {
+        "id": "CVE-2022-3324",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3324",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1526": {
+    "id": "openEuler-SA-2023-1526",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1526",
+    "title": "An update for krb5 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.\r\n\r\nSecurity Fix(es):\r\n\r\nlib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.(CVE-2023-36054)",
+    "cves": [
+      {
+        "id": "CVE-2023-36054",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36054",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1387": {
+    "id": "openEuler-SA-2021-1387",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1387",
+    "title": "An update for httpd is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\r\n\r\nSecurity Fix(es):\r\n\r\nap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.(CVE-2021-39275)",
+    "cves": [
+      {
+        "id": "CVE-2021-39275",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39275",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2147": {
+    "id": "openEuler-SA-2022-2147",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2147",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn l2cap_chan_put of l2cap_core, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-165329981References: Upstream kernel(CVE-2022-20566)\n\nAn issue was discovered in the Linux kernel through 5.16-rc6. netvsc_get_ethtool_stats in drivers/net/hyperv/netvsc_drv.c lacks check of the return value of kvmalloc_array() and will cause the null pointer dereference.(CVE-2022-3107)\n\nGuests can trigger NIC interface reset/abort/crash via netback It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux based network backend by sending certain kinds of packets. It appears to be an (unwritten?) assumption in the rest of the Linux network stack that packet protocol headers are all contained within the linear section of the SKB and some NICs behave badly if this is not the case. This has been reported to occur with Cisco (enic) and Broadcom NetXtrem II BCM5780 (bnx2x) though it may be an issue with other NICs/drivers as well. In case the frontend is sending requests with split headers, netback will forward those violating above mentioned assumption to the networking core, resulting in said misbehavior.(CVE-2022-3643)\n\nAn incorrect read request flaw was found in the Infrared Transceiver USB driver in the Linux kernel. This issue occurs when a user attaches a malicious USB device. A local user could use this flaw to starve the resources, causing denial of service or potentially crashing the system.(CVE-2022-3903)\n\nGuests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329).(CVE-2022-42329)",
+    "cves": [
+      {
+        "id": "CVE-2022-42328",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42328",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1695": {
+    "id": "openEuler-SA-2022-1695",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1695",
+    "title": "An update for libtpms is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "A library providing TPM functionality for VMs. Targeted for integration into Qemu.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the libtpms code that may cause access beyond the boundary of internal buffers. The vulnerability is triggered by specially-crafted TPM2 command packets that then trigger the issue when the state of the TPM2's volatile state is written. The highest threat from this vulnerability is to system availability. This issue affects libtpms versions before 0.8.5, before 0.7.9 and before 0.6.6.(CVE-2021-3746)\r\n\r\nA flaw was found in libtpms. The flaw can be triggered by specially-crafted TPM 2 command packets containing illegal values and may lead to an out-of-bounds access when the volatile state of the TPM 2 is marshalled/written or unmarshalled/read. The highest threat from this vulnerability is to system availability.(CVE-2021-3623)",
+    "cves": [
+      {
+        "id": "CVE-2021-3623",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3623",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1073": {
+    "id": "openEuler-SA-2024-1073",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1073",
+    "title": "An update for tidy is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "When editing HTML it's easy to make mistakes. Wouldn't it be nice if there was a simple way to fix these mistakes automatically and tidy up sloppy editing into nicely laid out markup? Well now there is! Dave Raggett's HTML TIDY is a free utility for doing just that. It also works great on the atrociously hard to read markup generated by specialized HTML editors and conversion tools, and can help you identify where you need to pay further attention on making your pages more accessible to people with disabilities.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue in HTACG HTML Tidy v5.7.28 allows attacker to execute arbitrary code via the -g option of the CleanNode() function in gdoc.c.(CVE-2021-33391)",
+    "cves": [
+      {
+        "id": "CVE-2021-33391",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33391",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1814": {
+    "id": "openEuler-SA-2024-1814",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1814",
+    "title": "An update for nasm is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "NASM is the Netwide Assembler, a free portable assembler for the Intel 80x86 microprocessor series, using primarily the traditional Intel instruction mnemonics and syntax. It also provides tools in RDOFF binary format, includes linker, library manager, loader, and information dump.\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Overflow vulnerability in hash_findi function in hashtbl.c in nasm 2.15rc0 allows remote attackers to cause a denial of service via crafted asm file.(CVE-2020-21685)\r\n\r\nA stack-use-after-scope issue discovered in expand_mmac_params function in preproc.c in nasm before 2.15.04 allows remote attackers to cause a denial of service via crafted asm file.(CVE-2020-21686)\r\n\r\nBuffer Overflow vulnerability in scan function in stdscan.c in nasm 2.15rc0 allows remote attackers to cause a denial of service via crafted asm file.(CVE-2020-21687)",
+    "cves": [
+      {
+        "id": "CVE-2020-21687",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-21687",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1561": {
+    "id": "openEuler-SA-2024-1561",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1561",
+    "title": "An update for mysql is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The MySQL(TM) software delivers a very fast, multi-threaded, multi-user, and robust SQL (Structured Query Language) database server. MySQL Server is intended for mission-critical, heavy-load production systems as well as for embedding into mass-deployed software. MySQL is a trademark of Oracle and/or its affiliates\r\n\r\nSecurity Fix(es):\r\n\r\nIssue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\r\n\r\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\r\n\r\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\r\n\r\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\r\n\r\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.(CVE-2023-6129)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: RAPID).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20960)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20961)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20962)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20963)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20964)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20965)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20966)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2024-20967)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2024-20969)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20970)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20971)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20972)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20973)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20974)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20976)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20977)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20978)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20981)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20982)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server : Security : Firewall).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20984)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: UDF).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20985)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20993)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20994)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20998)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of MySQL Server accessible data as well as  unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 3.8 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).(CVE-2024-21000)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21008)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21009)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21013)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21047)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21054)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21055)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21057)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Data Dictionary).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21060)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Audit Plug-in).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21061)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21062)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21069)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Client: mysqldump).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of MySQL Server accessible data as well as  unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).(CVE-2024-21096)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21102)",
+    "cves": [
+      {
+        "id": "CVE-2024-21102",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21102",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1248": {
+    "id": "openEuler-SA-2021-1248",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1248",
+    "title": "An update for rubygem-actionpack is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Eases web-request routing, handling, and response as a half-way front, half-way page controller. Implemented with specific emphasis on enabling easy unit/integration testing that doesn't require a browser.\r\n\r\nSecurity Fix(es):\r\n\r\nThe actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive regular expression. Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication.(CVE-2021-22904)",
+    "cves": [
+      {
+        "id": "CVE-2021-22904",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22904",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1495": {
+    "id": "openEuler-SA-2022-1495",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1495",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free read flaw was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()) in the Linux kernel. In this flaw, an attacker with a user privileges may crash the system or leak internal kernel information.(CVE-2021-4203)\r\n\r\nIn gre_handle_offloads of ip_gre.c, there is a possible page fault due to an invalid memory access. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-150694665References: Upstream kernel.(CVE-2021-39633)\r\n\r\nAn unprivileged write to the file handler flaw in the Linux kernel s control groups and namespaces subsystem was found in the way users have access to some less privileged process that are controlled by cgroups and have higher privileged parent process. It is actually both for cgroup2 and cgroup1 versions of control groups. A local user could use this flaw to crash the system or escalate their privileges on the system.(CVE-2021-4197)\r\n\r\nA use-after-free flaw was found in nci_request in net/nfc/nci/core.c in NFC Controller Interface (NCI) in the Linux kernel. This flaw could allow a local attacker with user privileges to cause a data race problem while the device is getting removed, leading to a privilege escalation problem.(CVE-2021-4202)",
+    "cves": [
+      {
+        "id": "CVE-2021-4202",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4202",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1046": {
+    "id": "openEuler-SA-2024-1046",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1046",
+    "title": "An update for python-pycryptodome is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "PyCryptodome is a self-contained Python package of low-level cryptographic primitives. It supports Python 2.6 and 2.7, Python 3.4 and newer, and PyPy. You can install it with::     pip install pycryptodome All modules are installed under the ``Crypto`` package. Check the pycryptodomex_ project for the equivalent library that works under the ``Cryptodome`` package. PyCryptodome is a fork of PyCrypto. It brings several enhancements with respect to the last official version of PyCrypto (2.6.1), for instance: * Authenticated encryption modes (GCM, CCM, EAX, SIV, OCB) * Accelerated AES on Intel platforms via AES-NI * First class support for PyPy * Elliptic curves cryptography (NIST P-256, P-384 and P-521 curves only) * Better and more compact API (`nonce` and `iv` attributes for ciphers,   automatic generation of random nonces and IVs, simplified CTR cipher mode,   and more) * SHA-3 (including SHAKE XOFs) and BLAKE2 hash algorithms * Salsa20 and ChaCha20 stream ciphers * scrypt and HKDF * Deterministic (EC)DSA * Password-protected PKCS#8 key containers * Shamir's Secret Sharing scheme * Random numbers get sourced directly from the OS (and not from a CSPRNG in userspace) * Simplified install process, including better support for Windows * Cleaner RSA and DSA key generation (largely based on FIPS 186-4) * Major clean ups and simplification of the code base PyCryptodome is not a wrapper to a separate C library like *OpenSSL*. To the largest possible extent, algorithms are implemented in pure Python. Only the pieces that are extremely critical to performance (e.g. block ciphers) are implemented as C extensions. For more information, see the `homepage`_. All the code can be downloaded from `GitHub`_.\r\n\r\nSecurity Fix(es):\r\n\r\nPyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.(CVE-2023-52323)",
+    "cves": [
+      {
+        "id": "CVE-2023-52323",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52323",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1075": {
+    "id": "openEuler-SA-2023-1075",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1075",
+    "title": "An update for lxc is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Low",
+    "description": "Containers are insulated areas inside a system, which have their own namespace for filesystem, network, PID, IPC, CPU and memory allocation and which can be created using the Control Group and Namespace features included in the Linux kernel.\r\n\r\nSecurity Fix(es):\r\n\r\nlxc-user-nic in lxc through 5.0.1 is installed setuid root, and may allow local users to infer whether any file exists, even within a protected directory tree, because \"Failed to open\" often indicates that a file does not exist, whereas \"does not refer to a network namespace path\" often indicates that a file exists. NOTE: this is different from CVE-2018-6556 because the CVE-2018-6556 fix design was based on the premise that \"we will report back to the user that the open() failed but the user has no way of knowing why it failed\"; however, in many realistic cases, there are no plausible reasons for failing except that the file does not exist.(CVE-2022-47952)",
+    "cves": [
+      {
+        "id": "CVE-2022-47952",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47952",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1709": {
+    "id": "openEuler-SA-2024-1709",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1709",
+    "title": "An update for rubygem-actionpack is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Eases web-request routing, handling, and response as a half-way front, half-way page controller. Implemented with specific emphasis on enabling easy unit/integration testing that doesn't require a browser.\r\n\r\nSecurity Fix(es):\r\n\r\nAction Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in  6.1.7.8, 7.0.8.2, and 7.1.3.3.(CVE-2024-28103)",
+    "cves": [
+      {
+        "id": "CVE-2024-28103",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28103",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1736": {
+    "id": "openEuler-SA-2024-1736",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1736",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nPCI: aardvark: Fix kernel panic during PIO transfer\r\n\r\nTrying to start a new PIO transfer by writing value 0 in PIO_START register\nwhen previous transfer has not yet completed (which is indicated by value 1\nin PIO_START) causes an External Abort on CPU, which results in kernel\npanic:\r\n\r\n    SError Interrupt on CPU0, code 0xbf000002 -- SError\n    Kernel panic - not syncing: Asynchronous SError Interrupt\r\n\r\nTo prevent kernel panic, it is required to reject a new PIO transfer when\nprevious one has not finished yet.\r\n\r\nIf previous PIO transfer is not finished yet, the kernel may issue a new\nPIO request only if the previous PIO transfer timed out.\r\n\r\nIn the past the root cause of this issue was incorrectly identified (as it\noften happens during link retraining or after link down event) and special\nhack was implemented in Trusted Firmware to catch all SError events in EL3,\nto ignore errors with code 0xbf000002 and not forwarding any other errors\nto kernel and instead throw panic from EL3 Trusted Firmware handler.\r\n\r\nLinks to discussion and patches about this issue:\nhttps://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=3c7dcdac5c50\nhttps://lore.kernel.org/linux-pci/20190316161243.29517-1-repk@triplefau.lt/\nhttps://lore.kernel.org/linux-pci/971be151d24312cc533989a64bd454b4@www.loen.fr/\nhttps://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/1541\r\n\r\nBut the real cause was the fact that during link retraining or after link\ndown event the PIO transfer may take longer time, up to the 1.44s until it\ntimes out. This increased probability that a new PIO transfer would be\nissued by kernel while previous one has not finished yet.\r\n\r\nAfter applying this change into the kernel, it is possible to revert the\nmentioned TF-A hack and SError events do not have to be caught in TF-A EL3.(CVE-2021-47229)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nphy: phy-mtk-tphy: Fix some resource leaks in mtk_phy_init()\r\n\r\nUse clk_disable_unprepare() in the error path of mtk_phy_init() to fix\nsome resource leaks.(CVE-2021-47234)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: rds: fix memory leak in rds_recvmsg\r\n\r\nSyzbot reported memory leak in rds. The problem\nwas in unputted refcount in case of error.\r\n\r\nint rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,\n\t\tint msg_flags)\n{\n...\r\n\r\n\tif (!rds_next_incoming(rs, &inc)) {\n\t\t...\n\t}\r\n\r\nAfter this \"if\" inc refcount incremented and\r\n\r\n\tif (rds_cmsg_recv(inc, msg, rs)) {\n\t\tret = -EFAULT;\n\t\tgoto out;\n\t}\n...\nout:\n\treturn ret;\n}\r\n\r\nin case of rds_cmsg_recv() fail the refcount won't be\ndecremented. And it's easy to see from ftrace log, that\nrds_inc_addref() don't have rds_inc_put() pair in\nrds_recvmsg() after rds_cmsg_recv()\r\n\r\n 1)               |  rds_recvmsg() {\n 1)   3.721 us    |    rds_inc_addref();\n 1)   3.853 us    |    rds_message_inc_copy_to_user();\n 1) + 10.395 us   |    rds_cmsg_recv();\n 1) + 34.260 us   |  }(CVE-2021-47249)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: ieee802154: fix null deref in parse dev addr\r\n\r\nFix a logic error that could result in a null deref if the user sets\nthe mode incorrectly for the given addr type.(CVE-2021-47257)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: fix various gadget panics on 10gbps cabling\r\n\r\nusb_assign_descriptors() is called with 5 parameters,\nthe last 4 of which are the usb_descriptor_header for:\n  full-speed (USB1.1 - 12Mbps [including USB1.0 low-speed @ 1.5Mbps),\n  high-speed (USB2.0 - 480Mbps),\n  super-speed (USB3.0 - 5Gbps),\n  super-speed-plus (USB3.1 - 10Gbps).\r\n\r\nThe differences between full/high/super-speed descriptors are usually\nsubstantial (due to changes in the maximum usb block size from 64 to 512\nto 1024 bytes and other differences in the specs), while the difference\nbetween 5 and 10Gbps descriptors may be as little as nothing\n(in many cases the same tuning is simply good enough).\r\n\r\nHowever if a gadget driver calls usb_assign_descriptors() with\na NULL descriptor for super-speed-plus and is then used on a max 10gbps\nconfiguration, the kernel will crash with a null pointer dereference,\nwhen a 10gbps capable device port + cable + host port combination shows up.\n(This wouldn't happen if the gadget max-speed was set to 5gbps, but\nit of course defaults to the maximum, and there's no real reason to\nartificially limit it)\r\n\r\nThe fix is to simply use the 5gbps descriptor as the 10gbps descriptor,\nif a 10gbps descriptor wasn't provided.\r\n\r\nObviously this won't fix the problem if the 5gbps descriptor is also\nNULL, but such cases can't be so trivially solved (and any such gadgets\nare unlikely to be used with USB3 ports any way).(CVE-2021-47267)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: seq: Fix race of snd_seq_timer_open()\r\n\r\nThe timer instance per queue is exclusive, and snd_seq_timer_open()\nshould have managed the concurrent accesses.  It looks as if it's\nchecking the already existing timer instance at the beginning, but\nit's not right, because there is no protection, hence any later\nconcurrent call of snd_seq_timer_open() may override the timer\ninstance easily.  This may result in UAF, as the leftover timer\ninstance can keep running while the queue itself gets closed, as\nspotted by syzkaller recently.\r\n\r\nFor avoiding the race, add a proper check at the assignment of\ntmr->timeri again, and return -EBUSY if it's been already registered.(CVE-2021-47281)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nigb: Fix use-after-free error during reset\r\n\r\nCleans the next descriptor to watch (next_to_watch) when cleaning the\nTX ring.\r\n\r\nFailure to do so can cause invalid memory accesses. If igb_poll() runs\nwhile the controller is reset this can lead to the driver try to free\na skb that was already freed.\r\n\r\n(The crash is harder to reproduce with the igb driver, but the same\npotential problem exists as the code is identical to igc)(CVE-2021-47301)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: ti: fix UAF in tlan_remove_one\r\n\r\npriv is netdev private data and it cannot be\nused after free_netdev() call. Using priv after free_netdev()\ncan cause UAF bug. Fix it by moving free_netdev() at the end of the\nfunction.(CVE-2021-47310)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwatchdog: Fix possible use-after-free by calling del_timer_sync()\r\n\r\nThis driver's remove path calls del_timer(). However, that function\ndoes not wait until the timer handler finishes. This means that the\ntimer handler may still be running after the driver's remove function\nhas finished, which would result in a use-after-free.\r\n\r\nFix by calling del_timer_sync(), which makes sure the timer handler\nhas finished, and unable to re-schedule itself.(CVE-2021-47321)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmisc/libmasm/module: Fix two use after free in ibmasm_init_one\r\n\r\nIn ibmasm_init_one, it calls ibmasm_init_remote_input_dev().\nInside ibmasm_init_remote_input_dev, mouse_dev and keybd_dev are\nallocated by input_allocate_device(), and assigned to\nsp->remote.mouse_dev and sp->remote.keybd_dev respectively.\r\n\r\nIn the err_free_devices error branch of ibmasm_init_one,\nmouse_dev and keybd_dev are freed by input_free_device(), and return\nerror. Then the execution runs into error_send_message error branch\nof ibmasm_init_one, where ibmasm_free_remote_input_dev(sp) is called\nto unregister the freed sp->remote.mouse_dev and sp->remote.keybd_dev.\r\n\r\nMy patch add a \"error_init_remote\" label to handle the error of\nibmasm_init_remote_input_dev(), to avoid the uaf bugs.(CVE-2021-47334)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: zr364xx: fix memory leak in zr364xx_start_readpipe\r\n\r\nsyzbot reported memory leak in zr364xx driver.\nThe problem was in non-freed urb in case of\nusb_submit_urb() fail.\r\n\r\nbacktrace:\n  [<ffffffff82baedf6>] kmalloc include/linux/slab.h:561 [inline]\n  [<ffffffff82baedf6>] usb_alloc_urb+0x66/0xe0 drivers/usb/core/urb.c:74\n  [<ffffffff82f7cce8>] zr364xx_start_readpipe+0x78/0x130 drivers/media/usb/zr364xx/zr364xx.c:1022\n  [<ffffffff84251dfc>] zr364xx_board_init drivers/media/usb/zr364xx/zr364xx.c:1383 [inline]\n  [<ffffffff84251dfc>] zr364xx_probe+0x6a3/0x851 drivers/media/usb/zr364xx/zr364xx.c:1516\n  [<ffffffff82bb6507>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396\n  [<ffffffff826018a9>] really_probe+0x159/0x500 drivers/base/dd.c:576(CVE-2021-47344)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/sched: Avoid data corruptions\r\n\r\nWait for all dependencies of a job  to complete before\nkilling it to avoid data corruptions.(CVE-2021-47354)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: macb: fix use after free on rmmod\r\n\r\nplat_dev->dev->platform_data is released by platform_device_unregister(),\nuse of pclk and hclk is a use-after-free. Since device unregister won't\nneed a clk device we adjust the function call sequence to fix this issue.\r\n\r\n[   31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci]\n[   31.275563] Freed by task 306:\n[   30.276782]  platform_device_release+0x25/0x80(CVE-2021-47372)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni2c: acpi: fix resource leak in reconfiguration device addition\r\n\r\nacpi_i2c_find_adapter_by_handle() calls bus_find_device() which takes a\nreference on the adapter which is never released which will result in a\nreference count leak and render the adapter unremovable.  Make sure to\nput the adapter after creating the client in the same manner that we do\nfor OF.\r\n\r\n[wsa: fixed title](CVE-2021-47425)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: encx24j600: check error in devm_regmap_init_encx24j600\r\n\r\ndevm_regmap_init may return error which caused by like out of memory,\nthis will results in null pointer dereference later when reading\nor writing register:\r\n\r\ngeneral protection fault in encx24j600_spi_probe\nKASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]\nCPU: 0 PID: 286 Comm: spi-encx24j600- Not tainted 5.15.0-rc2-00142-g9978db750e31-dirty #11 9c53a778c1306b1b02359f3c2bbedc0222cba652\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nRIP: 0010:regcache_cache_bypass drivers/base/regmap/regcache.c:540\nCode: 54 41 89 f4 55 53 48 89 fb 48 83 ec 08 e8 26 94 a8 fe 48 8d bb a0 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 4a 03 00 00 4c 8d ab b0 00 00 00 48 8b ab a0 00\nRSP: 0018:ffffc900010476b8 EFLAGS: 00010207\nRAX: dffffc0000000000 RBX: fffffffffffffff4 RCX: 0000000000000000\nRDX: 0000000000000012 RSI: ffff888002de0000 RDI: 0000000000000094\nRBP: ffff888013c9a000 R08: 0000000000000000 R09: fffffbfff3f9cc6a\nR10: ffffc900010476e8 R11: fffffbfff3f9cc69 R12: 0000000000000001\nR13: 000000000000000a R14: ffff888013c9af54 R15: ffff888013c9ad08\nFS:  00007ffa984ab580(0000) GS:ffff88801fe00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055a6384136c8 CR3: 000000003bbe6003 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n encx24j600_spi_probe drivers/net/ethernet/microchip/encx24j600.c:459\n spi_probe drivers/spi/spi.c:397\n really_probe drivers/base/dd.c:517\n __driver_probe_device drivers/base/dd.c:751\n driver_probe_device drivers/base/dd.c:782\n __device_attach_driver drivers/base/dd.c:899\n bus_for_each_drv drivers/base/bus.c:427\n __device_attach drivers/base/dd.c:971\n bus_probe_device drivers/base/bus.c:487\n device_add drivers/base/core.c:3364\n __spi_add_device drivers/spi/spi.c:599\n spi_add_device drivers/spi/spi.c:641\n spi_new_device drivers/spi/spi.c:717\n new_device_store+0x18c/0x1f1 [spi_stub 4e02719357f1ff33f5a43d00630982840568e85e]\n dev_attr_store drivers/base/core.c:2074\n sysfs_kf_write fs/sysfs/file.c:139\n kernfs_fop_write_iter fs/kernfs/file.c:300\n new_sync_write fs/read_write.c:508 (discriminator 4)\n vfs_write fs/read_write.c:594\n ksys_write fs/read_write.c:648\n do_syscall_64 arch/x86/entry/common.c:50\n entry_SYSCALL_64_after_hwframe arch/x86/entry/entry_64.S:113\r\n\r\nAdd error check in devm_regmap_init_encx24j600 to avoid this situation.(CVE-2021-47440)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncan: peak_pci: peak_pci_remove(): fix UAF\r\n\r\nWhen remove the module peek_pci, referencing 'chan' again after\nreleasing 'dev' will cause UAF.\r\n\r\nFix this by releasing 'dev' later.\r\n\r\nThe following log reveals it:\r\n\r\n[   35.961814 ] BUG: KASAN: use-after-free in peak_pci_remove+0x16f/0x270 [peak_pci]\n[   35.963414 ] Read of size 8 at addr ffff888136998ee8 by task modprobe/5537\n[   35.965513 ] Call Trace:\n[   35.965718 ]  dump_stack_lvl+0xa8/0xd1\n[   35.966028 ]  print_address_description+0x87/0x3b0\n[   35.966420 ]  kasan_report+0x172/0x1c0\n[   35.966725 ]  ? peak_pci_remove+0x16f/0x270 [peak_pci]\n[   35.967137 ]  ? trace_irq_enable_rcuidle+0x10/0x170\n[   35.967529 ]  ? peak_pci_remove+0x16f/0x270 [peak_pci]\n[   35.967945 ]  __asan_report_load8_noabort+0x14/0x20\n[   35.968346 ]  peak_pci_remove+0x16f/0x270 [peak_pci]\n[   35.968752 ]  pci_device_remove+0xa9/0x250(CVE-2021-47456)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nisdn: mISDN: Fix sleeping function called from invalid context\r\n\r\nThe driver can call card->isac.release() function from an atomic\ncontext.\r\n\r\nFix this by calling this function after releasing the lock.\r\n\r\nThe following log reveals it:\r\n\r\n[   44.168226 ] BUG: sleeping function called from invalid context at kernel/workqueue.c:3018\n[   44.168941 ] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 5475, name: modprobe\n[   44.169574 ] INFO: lockdep is turned off.\n[   44.169899 ] irq event stamp: 0\n[   44.170160 ] hardirqs last  enabled at (0): [<0000000000000000>] 0x0\n[   44.170627 ] hardirqs last disabled at (0): [<ffffffff814209ed>] copy_process+0x132d/0x3e00\n[   44.171240 ] softirqs last  enabled at (0): [<ffffffff81420a1a>] copy_process+0x135a/0x3e00\n[   44.171852 ] softirqs last disabled at (0): [<0000000000000000>] 0x0\n[   44.172318 ] Preemption disabled at:\n[   44.172320 ] [<ffffffffa009b0a9>] nj_release+0x69/0x500 [netjet]\n[   44.174441 ] Call Trace:\n[   44.174630 ]  dump_stack_lvl+0xa8/0xd1\n[   44.174912 ]  dump_stack+0x15/0x17\n[   44.175166 ]  ___might_sleep+0x3a2/0x510\n[   44.175459 ]  ? nj_release+0x69/0x500 [netjet]\n[   44.175791 ]  __might_sleep+0x82/0xe0\n[   44.176063 ]  ? start_flush_work+0x20/0x7b0\n[   44.176375 ]  start_flush_work+0x33/0x7b0\n[   44.176672 ]  ? trace_irq_enable_rcuidle+0x85/0x170\n[   44.177034 ]  ? kasan_quarantine_put+0xaa/0x1f0\n[   44.177372 ]  ? kasan_quarantine_put+0xaa/0x1f0\n[   44.177711 ]  __flush_work+0x11a/0x1a0\n[   44.177991 ]  ? flush_work+0x20/0x20\n[   44.178257 ]  ? lock_release+0x13c/0x8f0\n[   44.178550 ]  ? __kasan_check_write+0x14/0x20\n[   44.178872 ]  ? do_raw_spin_lock+0x148/0x360\n[   44.179187 ]  ? read_lock_is_recursive+0x20/0x20\n[   44.179530 ]  ? __kasan_check_read+0x11/0x20\n[   44.179846 ]  ? do_raw_spin_unlock+0x55/0x900\n[   44.180168 ]  ? ____kasan_slab_free+0x116/0x140\n[   44.180505 ]  ? _raw_spin_unlock_irqrestore+0x41/0x60\n[   44.180878 ]  ? skb_queue_purge+0x1a3/0x1c0\n[   44.181189 ]  ? kfree+0x13e/0x290\n[   44.181438 ]  flush_work+0x17/0x20\n[   44.181695 ]  mISDN_freedchannel+0xe8/0x100\n[   44.182006 ]  isac_release+0x210/0x260 [mISDNipac]\n[   44.182366 ]  nj_release+0xf6/0x500 [netjet]\n[   44.182685 ]  nj_remove+0x48/0x70 [netjet]\n[   44.182989 ]  pci_device_remove+0xa9/0x250(CVE-2021-47468)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncomedi: vmk80xx: fix bulk-buffer overflow\r\n\r\nThe driver is using endpoint-sized buffers but must not assume that the\ntx and rx buffers are of equal size or a malicious device could overflow\nthe slab-allocated receive buffer when doing bulk transfers.(CVE-2021-47474)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: batman-adv: fix error handling\r\n\r\nSyzbot reported ODEBUG warning in batadv_nc_mesh_free(). The problem was\nin wrong error handling in batadv_mesh_init().\r\n\r\nBefore this patch batadv_mesh_init() was calling batadv_mesh_free() in case\nof any batadv_*_init() calls failure. This approach may work well, when\nthere is some kind of indicator, which can tell which parts of batadv are\ninitialized; but there isn't any.\r\n\r\nAll written above lead to cleaning up uninitialized fields. Even if we hide\nODEBUG warning by initializing bat_priv->nc.work, syzbot was able to hit\nGPF in batadv_nc_purge_paths(), because hash pointer in still NULL. [1]\r\n\r\nTo fix these bugs we can unwind batadv_*_init() calls one by one.\nIt is good approach for 2 reasons: 1) It fixes bugs on error handling\npath 2) It improves the performance, since we won't call unneeded\nbatadv_*_free() functions.\r\n\r\nSo, this patch makes all batadv_*_init() clean up all allocated memory\nbefore returning with an error to no call correspoing batadv_*_free()\nand open-codes batadv_mesh_free() with proper order to avoid touching\nuninitialized fields.(CVE-2021-47482)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nregmap: Fix possible double-free in regcache_rbtree_exit()\r\n\r\nIn regcache_rbtree_insert_to_block(), when 'present' realloc failed,\nthe 'blk' which is supposed to assign to 'rbnode->block' will be freed,\nso 'rbnode->block' points a freed memory, in the error handling path of\nregcache_rbtree_init(), 'rbnode->block' will be freed again in\nregcache_rbtree_exit(), KASAN will report double-free as follows:\r\n\r\nBUG: KASAN: double-free or invalid-free in kfree+0xce/0x390\nCall Trace:\n slab_free_freelist_hook+0x10d/0x240\n kfree+0xce/0x390\n regcache_rbtree_exit+0x15d/0x1a0\n regcache_rbtree_init+0x224/0x2c0\n regcache_init+0x88d/0x1310\n __regmap_init+0x3151/0x4a80\n __devm_regmap_init+0x7d/0x100\n madera_spi_probe+0x10f/0x333 [madera_spi]\n spi_probe+0x183/0x210\n really_probe+0x285/0xc30\r\n\r\nTo fix this, moving up the assignment of rbnode->block to immediately after\nthe reallocation has succeeded so that the data structure stays valid even\nif the second reallocation fails.(CVE-2021-47483)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nIB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields\r\n\r\nOverflowing either addrlimit or bytes_togo can allow userspace to trigger\na buffer overflow of kernel memory. Check for overflows in all the places\ndoing math on user controlled buffers.(CVE-2021-47485)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/tls: Fix flipped sign in tls_err_abort() calls\r\n\r\nsk->sk_err appears to expect a positive value, a convention that ktls\ndoesn't always follow and that leads to memory corruption in other code.\nFor instance,\r\n\r\n    [kworker]\n    tls_encrypt_done(..., err=<negative error from crypto request>)\n      tls_err_abort(.., err)\n        sk->sk_err = err;\r\n\r\n    [task]\n    splice_from_pipe_feed\n      ...\n        tls_sw_do_sendpage\n          if (sk->sk_err) {\n            ret = -sk->sk_err;  // ret is positive\r\n\r\n    splice_from_pipe_feed (continued)\n      ret = actor(...)  // ret is still positive and interpreted as bytes\n                        // written, resulting in underflow of buf->len and\n                        // sd->len, leading to huge buf->offset and bogus\n                        // addresses computed in later calls to actor()\r\n\r\nFix all tls_err_abort() callers to pass a negative error code\nconsistently and centralize the error-prone sign flip there, throwing in\na warning to catch future misuse and uninlining the function so it\nreally does only warn once.(CVE-2021-47496)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: pcm: oss: Limit the period size to 16MB\r\n\r\nSet the practical limit to the period size (the fragment shift in OSS)\ninstead of a full 31bit; a too large value could lead to the exhaust\nof memory as we allocate temporary buffers of the period size, too.\r\n\r\nAs of this patch, we set to 16MB limit, which should cover all use\ncases.(CVE-2021-47509)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfp: Fix memory leak in nfp_cpp_area_cache_add()\r\n\r\nIn line 800 (#1), nfp_cpp_area_alloc() allocates and initializes a\nCPP area structure. But in line 807 (#2), when the cache is allocated\nfailed, this CPP area structure is not freed, which will result in\nmemory leak.\r\n\r\nWe can fix it by freeing the CPP area when the cache is allocated\nfailed (#2).\r\n\r\n792 int nfp_cpp_area_cache_add(struct nfp_cpp *cpp, size_t size)\n793 {\n794 \tstruct nfp_cpp_area_cache *cache;\n795 \tstruct nfp_cpp_area *area;\r\n\r\n800\tarea = nfp_cpp_area_alloc(cpp, NFP_CPP_ID(7, NFP_CPP_ACTION_RW, 0),\n801 \t\t\t\t  0, size);\n\t// #1: allocates and initializes\r\n\r\n802 \tif (!area)\n803 \t\treturn -ENOMEM;\r\n\r\n805 \tcache = kzalloc(sizeof(*cache), GFP_KERNEL);\n806 \tif (!cache)\n807 \t\treturn -ENOMEM; // #2: missing free\r\n\r\n817\treturn 0;\n818 }(CVE-2021-47516)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nstaging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect()\r\n\r\nThe free_rtllib() function frees the \"dev\" pointer so there is use\nafter free on the next line.  Re-arrange things to avoid that.(CVE-2021-47571)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsoc: brcmstb: pm-arm: Fix refcount leak and __iomem leak bugs\r\n\r\nIn brcmstb_pm_probe(), there are two kinds of leak bugs:\r\n\r\n(1) we need to add of_node_put() when for_each__matching_node() breaks\n(2) we need to add iounmap() for each iomap in fail path(CVE-2022-48693)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmmc: mmc_spi: fix error handling in mmc_spi_probe()\r\n\r\nIf mmc_add_host() fails, it doesn't need to call mmc_remove_host(),\nor it will cause null-ptr-deref, because of deleting a not added\ndevice in mmc_remove_host().\r\n\r\nTo fix this, goto label 'fail_glue_init', if mmc_add_host() fails,\nand change the label 'fail_add_host' to 'fail_gpiod_request'.(CVE-2023-52708)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: USB: Fix wrong-direction WARNING in plusb.c\r\n\r\nThe syzbot fuzzer detected a bug in the plusb network driver: A\nzero-length control-OUT transfer was treated as a read instead of a\nwrite.  In modern kernels this error provokes a WARNING:\r\n\r\nusb 1-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType c0\nWARNING: CPU: 0 PID: 4645 at drivers/usb/core/urb.c:411\nusb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411\nModules linked in:\nCPU: 1 PID: 4645 Comm: dhcpcd Not tainted\n6.2.0-rc6-syzkaller-00050-g9f266ccaa2f5 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google\n01/12/2023\nRIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411\n...\nCall Trace:\n <TASK>\n usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58\n usb_internal_control_msg drivers/usb/core/message.c:102 [inline]\n usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153\n __usbnet_read_cmd+0xb9/0x390 drivers/net/usb/usbnet.c:2010\n usbnet_read_cmd+0x96/0xf0 drivers/net/usb/usbnet.c:2068\n pl_vendor_req drivers/net/usb/plusb.c:60 [inline]\n pl_set_QuickLink_features drivers/net/usb/plusb.c:75 [inline]\n pl_reset+0x2f/0xf0 drivers/net/usb/plusb.c:85\n usbnet_open+0xcc/0x5d0 drivers/net/usb/usbnet.c:889\n __dev_open+0x297/0x4d0 net/core/dev.c:1417\n __dev_change_flags+0x587/0x750 net/core/dev.c:8530\n dev_change_flags+0x97/0x170 net/core/dev.c:8602\n devinet_ioctl+0x15a2/0x1d70 net/ipv4/devinet.c:1147\n inet_ioctl+0x33f/0x380 net/ipv4/af_inet.c:979\n sock_do_ioctl+0xcc/0x230 net/socket.c:1169\n sock_ioctl+0x1f8/0x680 net/socket.c:1286\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\r\n\r\nThe fix is to call usbnet_write_cmd() instead of usbnet_read_cmd() and\nremove the USB_DIR_IN flag.(CVE-2023-52742)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nIB/hfi1: Restore allocated resources on failed copyout\r\n\r\nFix a resource leak if an error occurs.(CVE-2023-52747)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: gspca: cpia1: shift-out-of-bounds in set_flicker\r\n\r\nSyzkaller reported the following issue:\nUBSAN: shift-out-of-bounds in drivers/media/usb/gspca/cpia1.c:1031:27\nshift exponent 245 is too large for 32-bit type 'int'\r\n\r\nWhen the value of the variable \"sd->params.exposure.gain\" exceeds the\nnumber of bits in an integer, a shift-out-of-bounds error is reported. It\nis triggered because the variable \"currentexp\" cannot be left-shifted by\nmore than the number of bits in an integer. In order to avoid invalid\nrange during left-shift, the conditional expression is added.(CVE-2023-52764)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/jfs: Add check for negative db_l2nbperpage\r\n\r\nl2nbperpage is log2(number of blks per page), and the minimum legal\nvalue should be 0, not negative.\r\n\r\nIn the case of l2nbperpage being negative, an error will occur\nwhen subsequently used as shift exponent.\r\n\r\nSyzbot reported this bug:\r\n\r\nUBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:799:12\nshift exponent -16777216 is negative(CVE-2023-52810)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nlocking/ww_mutex/test: Fix potential workqueue corruption\r\n\r\nIn some cases running with the test-ww_mutex code, I was seeing\nodd behavior where sometimes it seemed flush_workqueue was\nreturning before all the work threads were finished.\r\n\r\nOften this would cause strange crashes as the mutexes would be\nfreed while they were being used.\r\n\r\nLooking at the code, there is a lifetime problem as the\ncontrolling thread that spawns the work allocates the\n\"struct stress\" structures that are passed to the workqueue\nthreads. Then when the workqueue threads are finished,\nthey free the stress struct that was passed to them.\r\n\r\nUnfortunately the workqueue work_struct node is in the stress\nstruct. Which means the work_struct is freed before the work\nthread returns and while flush_workqueue is waiting.\r\n\r\nIt seems like a better idea to have the controlling thread\nboth allocate and free the stress structures, so that we can\nbe sure we don't corrupt the workqueue by freeing the structure\nprematurely.\r\n\r\nSo this patch reworks the test to do so, and with this change\nI no longer see the early flush_workqueue returns.(CVE-2023-52836)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nllc: verify mac len before reading mac header\r\n\r\nLLC reads the mac header with eth_hdr without verifying that the skb\nhas an Ethernet header.\r\n\r\nSyzbot was able to enter llc_rcv on a tun device. Tun can insert\npackets without mac len and with user configurable skb->protocol\n(passing a tun_pi header when not configuring IFF_NO_PI).\r\n\r\n    BUG: KMSAN: uninit-value in llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]\n    BUG: KMSAN: uninit-value in llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111\n    llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]\n    llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111\n    llc_rcv+0xc5d/0x14a0 net/llc/llc_input.c:218\n    __netif_receive_skb_one_core net/core/dev.c:5523 [inline]\n    __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637\n    netif_receive_skb_internal net/core/dev.c:5723 [inline]\n    netif_receive_skb+0x58/0x660 net/core/dev.c:5782\n    tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\n    tun_get_user+0x54c5/0x69c0 drivers/net/tun.c:2002\r\n\r\nAdd a mac_len test before all three eth_hdr(skb) calls under net/llc.\r\n\r\nThere are further uses in include/net/llc_pdu.h. All these are\nprotected by a test skb->protocol == ETH_P_802_2. Which does not\nprotect against this tun scenario.\r\n\r\nBut the mac_len test added in this patch in llc_fixup_skb will\nindirectly protect those too. That is called from llc_rcv before any\nother LLC code.\r\n\r\nIt is tempting to just add a blanket mac_len check in llc_rcv, but\nnot sure whether that could break valid LLC paths that do not assume\nan Ethernet header. 802.2 LLC may be used on top of non-802.3\nprotocols in principle. The below referenced commit shows that used\nto, on top of Token Ring.\r\n\r\nAt least one of the three eth_hdr uses goes back to before the start\nof git history. But the one that syzbot exercises is introduced in\nthis commit. That commit is old enough (2008), that effectively all\nstable kernels should receive this.(CVE-2023-52843)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data\r\n\r\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.(CVE-2023-52875)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc\r\n\r\nAny unprivileged user can attach N_GSM0710 ldisc, but it requires\nCAP_NET_ADMIN to create a GSM network anyway.\r\n\r\nRequire initial namespace CAP_NET_ADMIN to do that.(CVE-2023-52880)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5e: Prevent deadlock while disabling aRFS\r\n\r\nWhen disabling aRFS under the `priv->state_lock`, any scheduled\naRFS works are canceled using the `cancel_work_sync` function,\nwhich waits for the work to end if it has already started.\nHowever, while waiting for the work handler, the handler will\ntry to acquire the `state_lock` which is already acquired.\r\n\r\nThe worker acquires the lock to delete the rules if the state\nis down, which is not the worker's responsibility since\ndisabling aRFS deletes the rules.\r\n\r\nAdd an aRFS state variable, which indicates whether the aRFS is\nenabled and prevent adding rules when the aRFS is disabled.\r\n\r\nKernel log:\r\n\r\n======================================================\nWARNING: possible circular locking dependency detected\n6.7.0-rc4_net_next_mlx5_5483eb2 #1 Tainted: G          I\n------------------------------------------------------\nethtool/386089 is trying to acquire lock:\nffff88810f21ce68 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}, at: __flush_work+0x74/0x4e0\r\n\r\nbut task is already holding lock:\nffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\r\n\r\nwhich lock already depends on the new lock.\r\n\r\nthe existing dependency chain (in reverse order) is:\r\n\r\n-> #1 (&priv->state_lock){+.+.}-{3:3}:\n       __mutex_lock+0x80/0xc90\n       arfs_handle_work+0x4b/0x3b0 [mlx5_core]\n       process_one_work+0x1dc/0x4a0\n       worker_thread+0x1bf/0x3c0\n       kthread+0xd7/0x100\n       ret_from_fork+0x2d/0x50\n       ret_from_fork_asm+0x11/0x20\r\n\r\n-> #0 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}:\n       __lock_acquire+0x17b4/0x2c80\n       lock_acquire+0xd0/0x2b0\n       __flush_work+0x7a/0x4e0\n       __cancel_work_timer+0x131/0x1c0\n       arfs_del_rules+0x143/0x1e0 [mlx5_core]\n       mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n       mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\n       ethnl_set_channels+0x28f/0x3b0\n       ethnl_default_set_doit+0xec/0x240\n       genl_family_rcv_msg_doit+0xd0/0x120\n       genl_rcv_msg+0x188/0x2c0\n       netlink_rcv_skb+0x54/0x100\n       genl_rcv+0x24/0x40\n       netlink_unicast+0x1a1/0x270\n       netlink_sendmsg+0x214/0x460\n       __sock_sendmsg+0x38/0x60\n       __sys_sendto+0x113/0x170\n       __x64_sys_sendto+0x20/0x30\n       do_syscall_64+0x40/0xe0\n       entry_SYSCALL_64_after_hwframe+0x46/0x4e\r\n\r\nother info that might help us debug this:\r\n\r\n Possible unsafe locking scenario:\r\n\r\n       CPU0                    CPU1\n       ----                    ----\n  lock(&priv->state_lock);\n                               lock((work_completion)(&rule->arfs_work));\n                               lock(&priv->state_lock);\n  lock((work_completion)(&rule->arfs_work));\r\n\r\n *** DEADLOCK ***\r\n\r\n3 locks held by ethtool/386089:\n #0: ffffffff82ea7210 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40\n #1: ffffffff82e94c88 (rtnl_mutex){+.+.}-{3:3}, at: ethnl_default_set_doit+0xd3/0x240\n #2: ffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\r\n\r\nstack backtrace:\nCPU: 15 PID: 386089 Comm: ethtool Tainted: G          I        6.7.0-rc4_net_next_mlx5_5483eb2 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x60/0xa0\n check_noncircular+0x144/0x160\n __lock_acquire+0x17b4/0x2c80\n lock_acquire+0xd0/0x2b0\n ? __flush_work+0x74/0x4e0\n ? save_trace+0x3e/0x360\n ? __flush_work+0x74/0x4e0\n __flush_work+0x7a/0x4e0\n ? __flush_work+0x74/0x4e0\n ? __lock_acquire+0xa78/0x2c80\n ? lock_acquire+0xd0/0x2b0\n ? mark_held_locks+0x49/0x70\n __cancel_work_timer+0x131/0x1c0\n ? mark_held_locks+0x49/0x70\n arfs_del_rules+0x143/0x1e0 [mlx5_core]\n mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\n ethnl_set_channels+0x28f/0x3b0\n ethnl_default_set_doit+0xec/0x240\n genl_family_rcv_msg_doit+0xd0/0x120\n genl_rcv_msg+0x188/0x2c0\n ? ethn\n---truncated---(CVE-2024-27014)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()\r\n\r\nnft_unregister_obj() can concurrent with __nft_obj_type_get(),\nand there is not any protection when iterate over nf_tables_objects\nlist in __nft_obj_type_get(). Therefore, there is potential data-race\nof nf_tables_objects list entry.\r\n\r\nUse list_for_each_entry_rcu() to iterate over nf_tables_objects\nlist in __nft_obj_type_get(), and use rcu_read_lock() in the caller\nnft_obj_type_get() to protect the entire type query process.(CVE-2024-27019)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nphonet/pep: fix racy skb_queue_empty() use\r\n\r\nThe receive queues are protected by their respective spin-lock, not\nthe socket lock. This could lead to skb_peek() unexpectedly\nreturning NULL or a pointer to an already dequeued socket buffer.(CVE-2024-27402)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsoc: fsl: qbman: Use raw spinlock for cgr_lock\r\n\r\nsmp_call_function always runs its callback in hard IRQ context, even on\nPREEMPT_RT, where spinlocks can sleep. So we need to use a raw spinlock\nfor cgr_lock to ensure we aren't waiting on a sleeping task.\r\n\r\nAlthough this bug has existed for a while, it was not apparent until\ncommit ef2a8d5478b9 (\"net: dpaa: Adjust queue depth on rate change\")\nwhich invokes smp_call_function_single via qman_update_cgr_safe every\ntime a link goes up or down.(CVE-2024-35819)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nubifs: Set page uptodate in the correct place\r\n\r\nPage cache reads are lockless, so setting the freshly allocated page\nuptodate before we've overwritten it with the data it's supposed to have\nin it will allow a simultaneous reader to see old data.  Move the call\nto SetPageUptodate into ubifs_write_end(), which is after we copied the\nnew data into the page.(CVE-2024-35821)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer()\r\n\r\nIn the for statement of lbs_allocate_cmd_buffer(), if the allocation of\ncmdarray[i].cmdbuf fails, both cmdarray and cmdarray[i].cmdbuf needs to\nbe freed. Otherwise, there will be memleaks in lbs_allocate_cmd_buffer().(CVE-2024-35828)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: properly terminate timers for kernel sockets\r\n\r\nWe had various syzbot reports about tcp timers firing after\nthe corresponding netns has been dismantled.\r\n\r\nFortunately Josef Bacik could trigger the issue more often,\nand could test a patch I wrote two years ago.\r\n\r\nWhen TCP sockets are closed, we call inet_csk_clear_xmit_timers()\nto 'stop' the timers.\r\n\r\ninet_csk_clear_xmit_timers() can be called from any context,\nincluding when socket lock is held.\nThis is the reason it uses sk_stop_timer(), aka del_timer().\nThis means that ongoing timers might finish much later.\r\n\r\nFor user sockets, this is fine because each running timer\nholds a reference on the socket, and the user socket holds\na reference on the netns.\r\n\r\nFor kernel sockets, we risk that the netns is freed before\ntimer can complete, because kernel sockets do not hold\nreference on the netns.\r\n\r\nThis patch adds inet_csk_clear_xmit_timers_sync() function\nthat using sk_stop_timer_sync() to make sure all timers\nare terminated before the kernel socket is released.\nModules using kernel sockets close them in their netns exit()\nhandler.\r\n\r\nAlso add sock_not_owned_by_me() helper to get LOCKDEP\nsupport : inet_csk_clear_xmit_timers_sync() must not be called\nwhile socket lock is held.\r\n\r\nIt is very possible we can revert in the future commit\n3a58f13a881e (\"net: rds: acquire refcount on TCP sockets\")\nwhich attempted to solve the issue in rds only.\n(net/smc/af_smc.c and net/mptcp/subflow.c have similar code)\r\n\r\nWe probably can remove the check_net() tests from\ntcp_out_of_resources() and __tcp_close() in the future.(CVE-2024-35910)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: send: handle path ref underflow in header iterate_inode_ref()\r\n\r\nChange BUG_ON to proper error handling if building the path buffer\nfails. The pointers are not printed so we don't accidentally leak kernel\naddresses.(CVE-2024-35935)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: cfg80211: check A-MSDU format more carefully\r\n\r\nIf it looks like there's another subframe in the A-MSDU\nbut the header isn't fully there, we can end up reading\ndata out of bounds, only to discard later. Make this a\nbit more careful and check if the subframe header can\neven be present.(CVE-2024-35937)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndyndbg: fix old BUG_ON in >control parser\r\n\r\nFix a BUG_ON from 2009.  Even if it looks \"unreachable\" (I didn't\nreally look), lets make sure by removing it, doing pr_err and return\n-EINVAL instead.(CVE-2024-35947)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbatman-adv: Avoid infinite loop trying to resize local TT\r\n\r\nIf the MTU of one of an attached interface becomes too small to transmit\nthe local translation table then it must be resized to fit inside all\nfragments (when enabled) or a single packet.\r\n\r\nBut if the MTU becomes too low to transmit even the header + the VLAN\nspecific part then the resizing of the local TT will never succeed. This\ncan for example happen when the usable space is 110 bytes and 11 VLANs are\non top of batman-adv. In this case, at least 116 byte would be needed.\nThere will just be an endless spam of\r\n\r\n   batman_adv: batadv0: Forced to purge local tt entries to fit new maximum fragment MTU (110)\r\n\r\nin the log but the function will never finish. Problem here is that the\ntimeout will be halved all the time and will then stagnate at 0 and\ntherefore never be able to reduce the table even more.\r\n\r\nThere are other scenarios possible with a similar result. The number of\nBATADV_TT_CLIENT_NOPURGE entries in the local TT can for example be too\nhigh to fit inside a packet. Such a scenario can therefore happen also with\nonly a single VLAN + 7 non-purgable addresses - requiring at least 120\nbytes.\r\n\r\nWhile this should be handled proactively when:\r\n\r\n* interface with too low MTU is added\n* VLAN is added\n* non-purgeable local mac is added\n* MTU of an attached interface is reduced\n* fragmentation setting gets disabled (which most likely requires dropping\n  attached interfaces)\r\n\r\nnot all of these scenarios can be prevented because batman-adv is only\nconsuming events without the the possibility to prevent these actions\n(non-purgable MAC address added, MTU of an attached interface is reduced).\nIt is therefore necessary to also make sure that the code is able to handle\nalso the situations when there were already incompatible system\nconfiguration are present.(CVE-2024-35982)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntty: n_gsm: fix possible out-of-bounds in gsm0_receive()\r\n\r\nAssuming the following:\n- side A configures the n_gsm in basic option mode\n- side B sends the header of a basic option mode frame with data length 1\n- side A switches to advanced option mode\n- side B sends 2 data bytes which exceeds gsm->len\n  Reason: gsm->len is not used in advanced option mode.\n- side A switches to basic option mode\n- side B keeps sending until gsm0_receive() writes past gsm->buf\n  Reason: Neither gsm->state nor gsm->len have been reset after\n  reconfiguration.\r\n\r\nFix this by changing gsm->count to gsm->len comparison from equal to less\nthan. Also add upper limit checks against the constant MAX_MRU in\ngsm0_receive() and gsm1_receive() to harden against memory corruption of\ngsm->len and gsm->mru.\r\n\r\nAll other checks remain as we still need to limit the data according to the\nuser configuration and actual payload size.(CVE-2024-36016)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntipc: fix UAF in error path\r\n\r\nSam Page (sam4k) working with Trend Micro Zero Day Initiative reported\na UAF in the tipc_buf_append() error path:\r\n\r\nBUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0\nlinux/net/core/skbuff.c:1183\nRead of size 8 at addr ffff88804d2a7c80 by task poc/8034\r\n\r\nCPU: 1 PID: 8034 Comm: poc Not tainted 6.8.2 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.0-debian-1.16.0-5 04/01/2014\nCall Trace:\n <IRQ>\n __dump_stack linux/lib/dump_stack.c:88\n dump_stack_lvl+0xd9/0x1b0 linux/lib/dump_stack.c:106\n print_address_description linux/mm/kasan/report.c:377\n print_report+0xc4/0x620 linux/mm/kasan/report.c:488\n kasan_report+0xda/0x110 linux/mm/kasan/report.c:601\n kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183\n skb_release_data+0x5af/0x880 linux/net/core/skbuff.c:1026\n skb_release_all linux/net/core/skbuff.c:1094\n __kfree_skb linux/net/core/skbuff.c:1108\n kfree_skb_reason+0x12d/0x210 linux/net/core/skbuff.c:1144\n kfree_skb linux/./include/linux/skbuff.h:1244\n tipc_buf_append+0x425/0xb50 linux/net/tipc/msg.c:186\n tipc_link_input+0x224/0x7c0 linux/net/tipc/link.c:1324\n tipc_link_rcv+0x76e/0x2d70 linux/net/tipc/link.c:1824\n tipc_rcv+0x45f/0x10f0 linux/net/tipc/node.c:2159\n tipc_udp_recv+0x73b/0x8f0 linux/net/tipc/udp_media.c:390\n udp_queue_rcv_one_skb+0xad2/0x1850 linux/net/ipv4/udp.c:2108\n udp_queue_rcv_skb+0x131/0xb00 linux/net/ipv4/udp.c:2186\n udp_unicast_rcv_skb+0x165/0x3b0 linux/net/ipv4/udp.c:2346\n __udp4_lib_rcv+0x2594/0x3400 linux/net/ipv4/udp.c:2422\n ip_protocol_deliver_rcu+0x30c/0x4e0 linux/net/ipv4/ip_input.c:205\n ip_local_deliver_finish+0x2e4/0x520 linux/net/ipv4/ip_input.c:233\n NF_HOOK linux/./include/linux/netfilter.h:314\n NF_HOOK linux/./include/linux/netfilter.h:308\n ip_local_deliver+0x18e/0x1f0 linux/net/ipv4/ip_input.c:254\n dst_input linux/./include/net/dst.h:461\n ip_rcv_finish linux/net/ipv4/ip_input.c:449\n NF_HOOK linux/./include/linux/netfilter.h:314\n NF_HOOK linux/./include/linux/netfilter.h:308\n ip_rcv+0x2c5/0x5d0 linux/net/ipv4/ip_input.c:569\n __netif_receive_skb_one_core+0x199/0x1e0 linux/net/core/dev.c:5534\n __netif_receive_skb+0x1f/0x1c0 linux/net/core/dev.c:5648\n process_backlog+0x101/0x6b0 linux/net/core/dev.c:5976\n __napi_poll.constprop.0+0xba/0x550 linux/net/core/dev.c:6576\n napi_poll linux/net/core/dev.c:6645\n net_rx_action+0x95a/0xe90 linux/net/core/dev.c:6781\n __do_softirq+0x21f/0x8e7 linux/kernel/softirq.c:553\n do_softirq linux/kernel/softirq.c:454\n do_softirq+0xb2/0xf0 linux/kernel/softirq.c:441\n </IRQ>\n <TASK>\n __local_bh_enable_ip+0x100/0x120 linux/kernel/softirq.c:381\n local_bh_enable linux/./include/linux/bottom_half.h:33\n rcu_read_unlock_bh linux/./include/linux/rcupdate.h:851\n __dev_queue_xmit+0x871/0x3ee0 linux/net/core/dev.c:4378\n dev_queue_xmit linux/./include/linux/netdevice.h:3169\n neigh_hh_output linux/./include/net/neighbour.h:526\n neigh_output linux/./include/net/neighbour.h:540\n ip_finish_output2+0x169f/0x2550 linux/net/ipv4/ip_output.c:235\n __ip_finish_output linux/net/ipv4/ip_output.c:313\n __ip_finish_output+0x49e/0x950 linux/net/ipv4/ip_output.c:295\n ip_finish_output+0x31/0x310 linux/net/ipv4/ip_output.c:323\n NF_HOOK_COND linux/./include/linux/netfilter.h:303\n ip_output+0x13b/0x2a0 linux/net/ipv4/ip_output.c:433\n dst_output linux/./include/net/dst.h:451\n ip_local_out linux/net/ipv4/ip_output.c:129\n ip_send_skb+0x3e5/0x560 linux/net/ipv4/ip_output.c:1492\n udp_send_skb+0x73f/0x1530 linux/net/ipv4/udp.c:963\n udp_sendmsg+0x1a36/0x2b40 linux/net/ipv4/udp.c:1250\n inet_sendmsg+0x105/0x140 linux/net/ipv4/af_inet.c:850\n sock_sendmsg_nosec linux/net/socket.c:730\n __sock_sendmsg linux/net/socket.c:745\n __sys_sendto+0x42c/0x4e0 linux/net/socket.c:2191\n __do_sys_sendto linux/net/socket.c:2203\n __se_sys_sendto linux/net/socket.c:2199\n __x64_sys_sendto+0xe0/0x1c0 linux/net/socket.c:2199\n do_syscall_x64 linux/arch/x86/entry/common.c:52\n do_syscall_\n---truncated---(CVE-2024-36886)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: prevent NULL dereference in ip6_output()\r\n\r\nAccording to syzbot, there is a chance that ip6_dst_idev()\nreturns NULL in ip6_output(). Most places in IPv6 stack\ndeal with a NULL idev just fine, but not here.\r\n\r\nsyzbot reported:\r\n\r\ngeneral protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]\nCPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237\nCode: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff\nRSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202\nRAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000\nRDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48\nRBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad\nR10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0\nR13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000\nFS:  00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358\n  sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248\n  sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653\n  sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783\n  sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline]\n  sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212\n  sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]\n  sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169\n  sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73\n  __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234\n  sctp_connect net/sctp/socket.c:4819 [inline]\n  sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834\n  __sys_connect_file net/socket.c:2048 [inline]\n  __sys_connect+0x2df/0x310 net/socket.c:2065\n  __do_sys_connect net/socket.c:2075 [inline]\n  __se_sys_connect net/socket.c:2072 [inline]\n  __x64_sys_connect+0x7a/0x90 net/socket.c:2072\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f(CVE-2024-36901)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets\r\n\r\nTCP_SYN_RECV state is really special, it is only used by\ncross-syn connections, mostly used by fuzzers.\r\n\r\nIn the following crash [1], syzbot managed to trigger a divide\nby zero in tcp_rcv_space_adjust()\r\n\r\nA socket makes the following state transitions,\nwithout ever calling tcp_init_transfer(),\nmeaning tcp_init_buffer_space() is also not called.\r\n\r\n         TCP_CLOSE\nconnect()\n         TCP_SYN_SENT\n         TCP_SYN_RECV\nshutdown() -> tcp_shutdown(sk, SEND_SHUTDOWN)\n         TCP_FIN_WAIT1\r\n\r\nTo fix this issue, change tcp_shutdown() to not\nperform a TCP_SYN_RECV -> TCP_FIN_WAIT1 transition,\nwhich makes no sense anyway.\r\n\r\nWhen tcp_rcv_state_process() later changes socket state\nfrom TCP_SYN_RECV to TCP_ESTABLISH, then look at\nsk->sk_shutdown to finally enter TCP_FIN_WAIT1 state,\nand send a FIN packet from a sane socket state.\r\n\r\nThis means tcp_send_fin() can now be called from BH\ncontext, and must use GFP_ATOMIC allocations.\r\n\r\n[1]\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767\nCode: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 <48> f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48\nRSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246\nRAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7\nR10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30\nR13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da\nFS:  00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0\nCall Trace:\n <TASK>\n  tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513\n  tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578\n  inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680\n  sock_recvmsg_nosec net/socket.c:1046 [inline]\n  sock_recvmsg+0x109/0x280 net/socket.c:1068\n  ____sys_recvmsg+0x1db/0x470 net/socket.c:2803\n  ___sys_recvmsg net/socket.c:2845 [inline]\n  do_recvmmsg+0x474/0xae0 net/socket.c:2939\n  __sys_recvmmsg net/socket.c:3018 [inline]\n  __do_sys_recvmmsg net/socket.c:3041 [inline]\n  __se_sys_recvmmsg net/socket.c:3034 [inline]\n  __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7faeb6363db9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9\nRDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005\nRBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c\nR10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001(CVE-2024-36905)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload\r\n\r\nThe session resources are used by FW and driver when session is offloaded,\nonce session is uploaded these resources are not used. The lock is not\nrequired as these fields won't be used any longer. The offload and upload\ncalls are sequential, hence lock is not required.\r\n\r\nThis will suppress following BUG_ON():\r\n\r\n[  449.843143] ------------[ cut here ]------------\n[  449.848302] kernel BUG at mm/vmalloc.c:2727!\n[  449.853072] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n[  449.858712] CPU: 5 PID: 1996 Comm: kworker/u24:2 Not tainted 5.14.0-118.el9.x86_64 #1\nRebooting.\n[  449.867454] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.3.4 11/08/2016\n[  449.876966] Workqueue: fc_rport_eq fc_rport_work [libfc]\n[  449.882910] RIP: 0010:vunmap+0x2e/0x30\n[  449.887098] Code: 00 65 8b 05 14 a2 f0 4a a9 00 ff ff 00 75 1b 55 48 89 fd e8 34 36 79 00 48 85 ed 74 0b 48 89 ef 31 f6 5d e9 14 fc ff ff 5d c3 <0f> 0b 0f 1f 44 00 00 41 57 41 56 49 89 ce 41 55 49 89 fd 41 54 41\n[  449.908054] RSP: 0018:ffffb83d878b3d68 EFLAGS: 00010206\n[  449.913887] RAX: 0000000080000201 RBX: ffff8f4355133550 RCX: 000000000d400005\n[  449.921843] RDX: 0000000000000001 RSI: 0000000000001000 RDI: ffffb83da53f5000\n[  449.929808] RBP: ffff8f4ac6675800 R08: ffffb83d878b3d30 R09: 00000000000efbdf\n[  449.937774] R10: 0000000000000003 R11: ffff8f434573e000 R12: 0000000000001000\n[  449.945736] R13: 0000000000001000 R14: ffffb83da53f5000 R15: ffff8f43d4ea3ae0\n[  449.953701] FS:  0000000000000000(0000) GS:ffff8f529fc80000(0000) knlGS:0000000000000000\n[  449.962732] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  449.969138] CR2: 00007f8cf993e150 CR3: 0000000efbe10003 CR4: 00000000003706e0\n[  449.977102] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  449.985065] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  449.993028] Call Trace:\n[  449.995756]  __iommu_dma_free+0x96/0x100\n[  450.000139]  bnx2fc_free_session_resc+0x67/0x240 [bnx2fc]\n[  450.006171]  bnx2fc_upload_session+0xce/0x100 [bnx2fc]\n[  450.011910]  bnx2fc_rport_event_handler+0x9f/0x240 [bnx2fc]\n[  450.018136]  fc_rport_work+0x103/0x5b0 [libfc]\n[  450.023103]  process_one_work+0x1e8/0x3c0\n[  450.027581]  worker_thread+0x50/0x3b0\n[  450.031669]  ? rescuer_thread+0x370/0x370\n[  450.036143]  kthread+0x149/0x170\n[  450.039744]  ? set_kthread_struct+0x40/0x40\n[  450.044411]  ret_from_fork+0x22/0x30\n[  450.048404] Modules linked in: vfat msdos fat xfs nfs_layout_nfsv41_files rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver dm_service_time qedf qed crc8 bnx2fc libfcoe libfc scsi_transport_fc intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp dcdbas rapl intel_cstate intel_uncore mei_me pcspkr mei ipmi_ssif lpc_ich ipmi_si fuse zram ext4 mbcache jbd2 loop nfsv3 nfs_acl nfs lockd grace fscache netfs irdma ice sd_mod t10_pi sg ib_uverbs ib_core 8021q garp mrp stp llc mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi fb_sys_fops cec crct10dif_pclmul ahci crc32_pclmul bnx2x drm ghash_clmulni_intel libahci rfkill i40e libata megaraid_sas mdio wmi sunrpc lrw dm_crypt dm_round_robin dm_multipath dm_snapshot dm_bufio dm_mirror dm_region_hash dm_log dm_zero dm_mod linear raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid6_pq libcrc32c crc32c_intel raid1 raid0 iscsi_ibft squashfs be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls\n[  450.048497]  libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi edd ipmi_devintf ipmi_msghandler\n[  450.159753] ---[ end trace 712de2c57c64abc8 ]---(CVE-2024-36919)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbna: ensure the copied buf is NUL terminated\r\n\r\nCurrently, we allocate a nbytes-sized kernel buffer and copy nbytes from\nuserspace to that buffer. Later, we use sscanf on this buffer but we don't\nensure that the string is terminated inside the buffer, this can lead to\nOOB read when using sscanf. Fix this issue by using memdup_user_nul\ninstead of memdup_user.(CVE-2024-36934)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: lpfc: Move NPIV's transport unregistration to after resource clean up\r\n\r\nThere are cases after NPIV deletion where the fabric switch still believes\nthe NPIV is logged into the fabric.  This occurs when a vport is\nunregistered before the Remove All DA_ID CT and LOGO ELS are sent to the\nfabric.\r\n\r\nCurrently fc_remove_host(), which calls dev_loss_tmo for all D_IDs including\nthe fabric D_ID, removes the last ndlp reference and frees the ndlp rport\nobject.  This sometimes causes the race condition where the final DA_ID and\nLOGO are skipped from being sent to the fabric switch.\r\n\r\nFix by moving the fc_remove_host() and scsi_remove_host() calls after DA_ID\nand LOGO are sent.(CVE-2024-36952)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/vmwgfx: Fix invalid reads in fence signaled events\r\n\r\nCorrectly set the length of the drm_event to the size of the structure\nthat's actually used.\r\n\r\nThe length of the drm_event was set to the parent structure instead of\nto the drm_vmw_event_fence which is supposed to be read. drm_read\nuses the length parameter to copy the event to the user space thus\nresuling in oob reads.(CVE-2024-36960)",
+    "cves": [
+      {
+        "id": "CVE-2021-47229",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47229",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2021-47234",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47234",
+        "severity": "Low"
+      },
+      {
+        "id": "CVE-2021-47372",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47372",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2023-52742",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52742",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2024-36960",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36960",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1895": {
+    "id": "openEuler-SA-2022-1895",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1895",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the kernels implementation of proxied virtualized TPM devices.  On a system where virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after-free and create a situation where it may be possible to escalate privileges on the system.\r\n\r\nReferences:\nhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9d8e7007dc7c4d7c8366739bbcd3f5e51dcd470f(CVE-2022-2977)\r\n\r\nThe linux kernels driver for the \"ASIX AX88179_178A based USB 2.0/3.0 Gigabit Ethernet Devices\" contains multiple out-of-bounds reads and possible writes in the ax88179_rx_fixup() function. \r\n\r\n\nReferences:\r\n\r\nhttps://www.spinics.net/lists/stable/msg536418.html\r\n\r\nUpstream commit:\nhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=57bc3d3ae8c14df3ceb4e17d26ddf9eeab304581(CVE-2022-2964)\r\n\r\nA race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket.(CVE-2022-3028)",
+    "cves": [
+      {
+        "id": "CVE-2022-3028",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3028",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2011": {
+    "id": "openEuler-SA-2022-2011",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2011",
+    "title": "An update for protobuf is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nA parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.(CVE-2022-1941)\n\nA parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.(CVE-2022-3171)",
+    "cves": [
+      {
+        "id": "CVE-2022-3171",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3171",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1631": {
+    "id": "openEuler-SA-2023-1631",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1631",
+    "title": "An update for open-vm-tools is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The  project is an open source implementation of VMware Tools. It is a suite of open source virtualization utilities and drivers to improve the functionality, user experience and administration of VMware virtual machines. This package contains only the core user-space programs and libraries of .\r\n\r\nSecurity Fix(es):\r\n\r\nA fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine.(CVE-2023-20867)\r\n\r\nA malicious actor that has been granted  Guest Operation Privileges https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html  in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged  Guest Alias https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html .(CVE-2023-20900)",
+    "cves": [
+      {
+        "id": "CVE-2023-20900",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20900",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1629": {
+    "id": "openEuler-SA-2023-1629",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1629",
+    "title": "An update for open-vm-tools is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The  project is an open source implementation of VMware Tools. It is a suite of open source virtualization utilities and drivers to improve the functionality, user experience and administration of VMware virtual machines. This package contains only the core user-space programs and libraries of .\r\n\r\nSecurity Fix(es):\r\n\r\nA fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine.(CVE-2023-20867)\r\n\r\nA malicious actor that has been granted  Guest Operation Privileges https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html  in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged  Guest Alias https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html .(CVE-2023-20900)",
+    "cves": [
+      {
+        "id": "CVE-2023-20900",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20900",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1002": {
+    "id": "openEuler-SA-2021-1002",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1002",
+    "title": "An update for sudo is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "A flaw was found in sudo. A heap-based buffer overflow was found in the way sudo parses command line arguments. This flaw is exploitable by any local user (normal users and system users, sudoers and non-sudoers), without authentication (i.e., the attacker does not need to know the user's password). Successful exploitation of this flaw could lead to privilege escalation. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2021-3156)\\r\\n\\r\\n\nThe sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path.(CVE-2021-23239)\\r\\n\\r\\n\nselinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows a local unprivileged user to gain file ownership and escalate privileges by replacing a temporary file with a symlink to an arbitrary file target. This affects SELinux RBAC support in permissive mode. Machines without SELinux are not vulnerable.(CVE-2021-23240)\\r\\n\\r\\n\n",
+    "cves": [
+      {
+        "id": "CVE-2021-23240",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23240",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1350": {
+    "id": "openEuler-SA-2023-1350",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1350",
+    "title": "An update for ImageMagick is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\n\nSecurity Fix(es):\n\nA vulnerability was found in ImageMagick. This security flaw ouccers as an undefined behaviors of casting double to size_t in svg, mvg and other coders (recurring bugs of CVE-2022-32546).(CVE-2023-34151)\n\nA vulnerability was found in ImageMagick. This security flaw causes a shell command injection vulnerability via video:vsync or video:pixel-format options in VIDEO encoding/decoding.(CVE-2023-34153)",
+    "cves": [
+      {
+        "id": "CVE-2023-34153",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34153",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1753": {
+    "id": "openEuler-SA-2024-1753",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1753",
+    "title": "An update for microcode_ctl is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "This is a tool to transform and deploy microcode update for x86 CPUs.\r\n\r\nSecurity Fix(es):\r\n\r\nHardware logic contains race conditions in some Intel(R) Processors may allow an authenticated user to potentially enable partial information disclosure via local access.(CVE-2023-45733)\r\n\r\nImproper input validation in some Intel(R) TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable escalation of privilege via local access.(CVE-2023-45745)\r\n\r\nSequence of processor instructions leads to unexpected behavior in Intel(R) Core(TM) Ultra Processors may allow an authenticated user to potentially enable denial of service via local access.(CVE-2023-46103)\r\n\r\nImproper input validation in some Intel(R) TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable escalation of privilege via local access.(CVE-2023-47855)",
+    "cves": [
+      {
+        "id": "CVE-2023-47855",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47855",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1125": {
+    "id": "openEuler-SA-2024-1125",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1125",
+    "title": "An update for ncurses is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Low",
+    "description": "The ncurses (new curses) library is a free software emulation of  curses in System V Release 4.0 (SVr4), and more. It uses terminfo  format, supports pads and color and multiple highlights and forms  characters and function-key mapping, and has all the other SVr4-curses  enhancements over BSD curses. SVr4 curses became the basis of X/Open Curses.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in GNU ncurses 6.4-20230610. It has been rated as problematic. This issue affects the function tgetstr. There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.(CVE-2023-45918)",
+    "cves": [
+      {
+        "id": "CVE-2023-45918",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45918",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1044": {
+    "id": "openEuler-SA-2024-1044",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1044",
+    "title": "An update for libssh is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote programs. With its Secure FTP implementation, you can play with remote files easily, without third-party programs others than libcrypto (from openssl).\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in libssh. By utilizing the ProxyCommand or ProxyJump feature, users can exploit unchecked hostname syntax on the client. This issue may allow an attacker to inject malicious code into the command of the features mentioned through the hostname parameter.(CVE-2023-6004)\r\n\r\nA flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. The return values from these were not properly checked, which could cause low-memory situations failures, NULL dereferences, crashes, or usage of the uninitialized memory as an input for the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection.(CVE-2023-6918)",
+    "cves": [
+      {
+        "id": "CVE-2023-6918",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6918",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1545": {
+    "id": "openEuler-SA-2024-1545",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1545",
+    "title": "An update for ruby is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Low",
+    "description": "Ruby is a fast and easy interpreted scripting language for object-oriented programming. It has many functions for processing text Files and perform system management tasks (such as Perl).\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1.(CVE-2024-27282)",
+    "cves": [
+      {
+        "id": "CVE-2024-27282",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27282",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1651": {
+    "id": "openEuler-SA-2023-1651",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1651",
+    "title": "An update for batik is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Batik is an inline templating engine for CoffeeScript, inspired by CoffeeKup,  that lets you write your template directly as a CoffeeScript function.\r\n\r\nSecurity Fix(es):\r\n\r\nServer-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14.(CVE-2022-38398)\r\n\r\nServer-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.(CVE-2022-38648)\r\n\r\nServer-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.(CVE-2022-40146)\r\n\r\nServer-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.\r\n\r\nOn version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.\r\n\r\n(CVE-2022-44729)\r\n\r\nServer-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.\r\n\r\nA malicious SVG can probe user profile / data and send it directly as parameter to a URL.\r\n\r\n(CVE-2022-44730)",
+    "cves": [
+      {
+        "id": "CVE-2022-44730",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44730",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1451": {
+    "id": "openEuler-SA-2021-1451",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1451",
+    "title": "An update for exiv2 is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Exiv2 is a Cross-platform C++ library and a command line utility to manage image metadata. It provides fast and easy read and write access to the Exif, IPTC and XMP metadata and the ICC Profile embedded within digital images in various formats.\r\n\r\nSecurity Fix(es):\r\n\r\nAn integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted PNG image file, because PngImage::readMetadata mishandles a zero value for iccOffset.(CVE-2019-13108)\r\n\r\nThere is an out-of-bounds read in Exiv2::MrwImage::readMetadata in mrwimage.cpp in Exiv2 through 0.27.2.(CVE-2019-13504)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A null pointer dereference was found in Exiv2 versions v0.27.4 and earlier. The null pointer dereference is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the interpreted (translated) data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p t` or `-P t`). The bug is fixed in version v0.27.5.(CVE-2021-37616)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A null pointer dereference was found in Exiv2 versions v0.27.4 and earlier. The null pointer dereference is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the interpreted (translated) data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p t` or `-P t`). The bug is fixed in version v0.27.5.(CVE-2021-37615)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The assertion failure is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when modifying the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `fi`. ### Patches The bug is fixed in version v0.27.5. ### References Regression test and bug fix: #1739 ### For more information Please see our [security policy](https://github.com/Exiv2/exiv2/security/policy) for information about Exiv2 security.(CVE-2021-32815)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was found in Exiv2 versions v0.27.4 and earlier. The infinite loop is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when deleting the IPTC data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-d I rm`). The bug is fixed in version v0.27.5.(CVE-2021-37623)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was found in Exiv2 versions v0.27.4 and earlier. The infinite loop is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when deleting the IPTC data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-d I rm`). The bug is fixed in version v0.27.5.(CVE-2021-37622)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. The bug is fixed in version v0.27.5.(CVE-2021-34334)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.4 and earlier. The out-of-bounds read is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. The bug is fixed in version v0.27.5.(CVE-2021-37620)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was found in Exiv2 versions v0.27.4 and earlier. The infinite loop is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the image ICC profile, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p C`). The bug is fixed in version v0.27.5.(CVE-2021-37621)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A floating point exception (FPE) due to an integer divide by zero was found in Exiv2 versions v0.27.4 and earlier. The FPE is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the interpreted (translated) data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p t` or `-P t`). The bug is fixed in version v0.27.5.(CVE-2021-34335)\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.4 and earlier. The out-of-bounds read is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the image ICC profile, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p C`). The bug is fixed in version v0.27.5.(CVE-2021-37618)\r\n\r\nA flaw was found in exiv2. A integer wraparound in the CrwMap:encode0x1810 function leads to memcpy call with a very large size allowing an attacker, who can provide a malicious image, to crash an application which uses the exiv2 library. The highest threat from this vulnerability is to service availability.(CVE-2021-31292)\n\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.4 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as insert. The bug is fixed in version v0.27.5.(CVE-2021-37619)",
+    "cves": [
+      {
+        "id": "CVE-2021-37619",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37619",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1326": {
+    "id": "openEuler-SA-2021-1326",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1326",
+    "title": "An update for lynx is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Lynx is a fully-featured World Wide Web (WWW) client for users running cursor-addressable, character-cell display devices such as vt100 terminals, vt100 emulators running on Windows 95/NT or Macintoshes, or any other character-cell display.  It will display Hypertext Markup Language (HTML) documents containing links to files on the local system, as well as files on remote systems running http, gopher, ftp, wais, nntp, finger, or cso/ph/qi servers, and services accessible via logins to telnet, tn3270 or rlogin accounts.  Current versions of Lynx run on Unix, VMS, Windows95 through Windows 8, 386DOS and OS/2 EMX.\r\n\r\nSecurity Fix(es):\r\n\r\nLynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because they may appear in SNI data.(CVE-2021-38165)",
+    "cves": [
+      {
+        "id": "CVE-2021-38165",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38165",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1769": {
+    "id": "openEuler-SA-2023-1769",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1769",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in drivers/usb/storage/ene_ub6250.c for the ENE UB6250 reader driver in the Linux kernel before 6.2.5. An object could potentially extend beyond the end of an allocation.(CVE-2023-45862)",
+    "cves": [
+      {
+        "id": "CVE-2023-45862",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45862",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1334": {
+    "id": "openEuler-SA-2023-1334",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1334",
+    "title": "An update for openldap is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. LDAP is a set of protocols for accessing directory services (usually phone book style information, but other information is possible) over the Internet, similar to the way DNS (Domain Name System) information is propagated over the Internet. The openldap package contains configuration files, libraries, and documentation for OpenLDAP.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function.(CVE-2023-2953)",
+    "cves": [
+      {
+        "id": "CVE-2023-2953",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2953",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1815": {
+    "id": "openEuler-SA-2022-1815",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1815",
+    "title": "An update for openjdk-11 is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The OpenJDK runtime environment.\n\nSecurity Fix(es):\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2021-35603)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2021-35578)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21426)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2021-35556)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2022-21476)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2021-35559)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via Kerberos to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).(CVE-2021-35567)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Keytool). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2021-35564)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Utility). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2021-35561)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21496)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21443)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21434)",
+    "cves": [
+      {
+        "id": "CVE-2022-21434",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21434",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1166": {
+    "id": "openEuler-SA-2021-1166",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1166",
+    "title": "An update for jetty is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "%global desc \\ Jetty is a 100% Java HTTP Server and Servlet Container. This means that you\\ do not need to configure and run a separate web server (like Apache) in order\\ to use Java, servlets and JSPs to generate dynamic content. Jetty is a fully\\ featured web server for static and dynamic content. Unlike separate\\ server/container solutions, this means that your web server and web\\ application run in the same process, without interconnection overheads\\ and complications. Furthermore, as a pure java component, Jetty can be simply\\ included in your application for demonstration, distribution or deployment.\\ Jetty is available on all Java supported platforms. %{desc} %global extdesc %{desc}\\ \\ This package contains\r\n\r\nSecurity Fix(es):\r\n\r\nIn Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.(CVE-2020-27223)\r\n\r\nIn Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.(CVE-2021-28165)",
+    "cves": [
+      {
+        "id": "CVE-2021-28165",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28165",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1878": {
+    "id": "openEuler-SA-2024-1878",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1878",
+    "title": "An update for freeradius is now available for openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service.\r\n\r\nSecurity Fix(es):\r\n\r\nRADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.(CVE-2024-3596)",
+    "cves": [
+      {
+        "id": "CVE-2024-3596",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3596",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2099": {
+    "id": "openEuler-SA-2022-2099",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2099",
+    "title": "An update for systemd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "systemd is a system and service manager that runs as PID 1 and starts the rest of the system. \r\n\r\nSecurity Fix(es):\r\n\r\nAn off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service.(CVE-2022-3821)",
+    "cves": [
+      {
+        "id": "CVE-2022-3821",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3821",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1223": {
+    "id": "openEuler-SA-2024-1223",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1223",
+    "title": "An update for shim is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Initial UEFI bootloader that handles chaining to a trusted full \\ bootloader under secure boot environments.\r\n\r\nSecurity Fix(es):\r\n\r\nApplications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\r\n\r\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\r\n\r\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0465)\r\n\r\nIssue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\r\n\r\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\r\n\r\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit.  OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\r\n\r\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime.  The time complexity is O(n^2) with 'n' being the size of the\nsub-identifiers in bytes (*).\r\n\r\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\nidentifiers in string form was introduced.  This includes using OBJECT\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\nalgorithms.\r\n\r\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\ndecrypt, or digest passed data.\r\n\r\nApplications that call OBJ_obj2txt() directly with untrusted data are\naffected, with any version of OpenSSL.  If the use is for the mere purpose\nof display, the severity is considered low.\r\n\r\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\nCMS, CMP/CRMF or TS.  It also impacts anything that processes X.509\ncertificates, including simple things like verifying its signature.\r\n\r\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\n100KiB limit on the peer's certificate chain.  Additionally, this only\nimpacts clients, or servers that have explicitly enabled client\nauthentication.\r\n\r\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\nsuch as X.509 certificates.  This is assumed to not happen in such a way\nthat it would cause a Denial of Service, so these versions are considered\nnot affected by this issue in such a way that it would be cause for concern,\nand the severity is therefore considered low.(CVE-2023-2650)\r\n\r\nIssue summary: Checking excessively long DH keys or parameters may be very slow.\r\n\r\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\r\n\r\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\r\n\r\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\r\n\r\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\r\n\r\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\r\n\r\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\r\n\r\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.(CVE-2023-3446)\r\n\r\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\r\n\r\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\r\n\r\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\r\n\r\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\r\n\r\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\r\n\r\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.(CVE-2024-0727)",
+    "cves": [
+      {
+        "id": "CVE-2024-0727",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1354": {
+    "id": "openEuler-SA-2024-1354",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1354",
+    "title": "An update for telnet is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Telnet is an application protocol used on the Internet or local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. The package includes a remote login client program for telnet and a server daemon.\r\n\r\nSecurity Fix(es):\r\n\r\ntelnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL pointer dereference via 0xff 0xf7 or 0xff 0xf8. In a typical installation, the telnetd application would crash but the telnet service would remain available through inetd. However, if the telnetd application has many crashes within a short time interval, the telnet service would become unavailable after inetd logs a \"telnet/tcp server failing (looping), service terminated\" error. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.(CVE-2022-39028)",
+    "cves": [
+      {
+        "id": "CVE-2022-39028",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39028",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1281": {
+    "id": "openEuler-SA-2024-1281",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1281",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nuio: Fix use-after-free in uio_open\r\n\r\ncore-1\t\t\t\tcore-2\n-------------------------------------------------------\nuio_unregister_device\t\tuio_open\n\t\t\t\tidev = idr_find()\ndevice_unregister(&idev->dev)\nput_device(&idev->dev)\nuio_device_release\n\t\t\t\tget_device(&idev->dev)\nkfree(idev)\nuio_free_minor(minor)\n\t\t\t\tuio_release\n\t\t\t\tput_device(&idev->dev)\n\t\t\t\tkfree(idev)\n-------------------------------------------------------\r\n\r\nIn the core-1 uio_unregister_device(), the device_unregister will kfree\nidev when the idev->dev kobject ref is 1. But after core-1\ndevice_unregister, put_device and before doing kfree, the core-2 may\nget_device. Then:\n1. After core-1 kfree idev, the core-2 will do use-after-free for idev.\n2. When core-2 do uio_release and put_device, the idev will be double\n   freed.\r\n\r\nTo address this issue, we can get idev atomic & inc idev reference with\nminor_lock.(CVE-2023-52439)\r\n\r\nA vulnerability was reported in the Open vSwitch sub-component in the Linux Kernel. The flaw occurs when a recursive operation of code push recursively calls into the code block. The OVS module does not validate the stack depth, pushing too many frames and causing a stack overflow. As a result, this can lead to a crash or other related issues.(CVE-2024-1151)\r\n\r\nNULL Pointer Dereference vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (net, bluetooth modules) allows Overflow Buffers. This vulnerability is associated with program files /net/bluetooth/rfcomm/core.C.\r\n\r\nThis issue affects Linux kernel: v2.6.12-rc2.\r\n\r\n(CVE-2024-22099)",
+    "cves": [
+      {
+        "id": "CVE-2024-22099",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22099",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1182": {
+    "id": "openEuler-SA-2024-1182",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1182",
+    "title": "An update for runc is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "runc is a CLI tool for spawning and running containers according to the OCI specification.\r\n\r\nSecurity Fix(es):\r\n\r\nrunc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem (\"attack 2\"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run (\"attack 1\"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes (\"attack 3a\" and \"attack 3b\"). runc 1.1.12 includes patches for this issue.(CVE-2024-21626)",
+    "cves": [
+      {
+        "id": "CVE-2024-21626",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21626",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1133": {
+    "id": "openEuler-SA-2024-1133",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1133",
+    "title": "An update for zeromq is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "ZeroMQ (also spelled ØMQ, 0MQ or ZMQ) is a high-performance asynchronous messaging library, aimed at use in distributed or concurrent applications. It provides a message queue, but unlike message-oriented middleware, a ZeroMQ system can run without a dedicated message broker. The library's API is designed to resemble Berkeley sockets.\r\n\r\nSecurity Fix(es):\r\n\r\nIn ZeroMQ before version 4.3.3, there is a denial-of-service vulnerability. Users with TCP transport public endpoints, even with CURVE/ZAP enabled, are impacted. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them. This is patched in version 4.3.3.(CVE-2020-15166)",
+    "cves": [
+      {
+        "id": "CVE-2020-15166",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15166",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1590": {
+    "id": "openEuler-SA-2024-1590",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1590",
+    "title": "An update for sane-backends is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Low",
+    "description": "SANE (Scanner Access Now Easy) is a sane and simple interface to both local and networked scanners and other image acquisition devices like digital still and video cameras.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue in Sane 1.2.1 allows a local attacker to execute arbitrary code via a crafted file to the sanei_configure_attach() function. NOTE: this is disputed because there is no expectation that the product should be starting with an attacker-controlled configuration file.(CVE-2023-46047)\r\n\r\nSane 1.2.1 heap bounds overwrite in init_options() from backend/test.c via a long init_mode string in a configuration file. NOTE: this is disputed because there is no expectation that test.c code should be executed with an attacker-controlled configuration file.(CVE-2023-46052)",
+    "cves": [
+      {
+        "id": "CVE-2023-46052",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46052",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1853": {
+    "id": "openEuler-SA-2024-1853",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1853",
+    "title": "An update for httpd is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\r\n\r\nSecurity Fix(es):\r\n\r\nSubstitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in\ndirectories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI.\r\n\r\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue.\r\n\r\nSome RewriteRules that capture and substitute unsafely will now fail unless rewrite flag \"UnsafeAllow3F\" is specified.(CVE-2024-38474)\r\n\r\nnull pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request.\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue.(CVE-2024-38477)",
+    "cves": [
+      {
+        "id": "CVE-2024-38477",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38477",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1674": {
+    "id": "openEuler-SA-2024-1674",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1674",
+    "title": "An update for openjdk-1.8.0 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Low",
+    "description": "The OpenJDK runtime environment 8.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22;   Oracle GraalVM Enterprise Edition: 20.3.13 and  21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2024-21011)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2 and  22; Oracle GraalVM Enterprise Edition: 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2024-21068)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Concurrency).  Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22; Oracle GraalVM Enterprise Edition: 20.3.13 and  21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2024-21085)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and  21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2024-21094)",
+    "cves": [
+      {
+        "id": "CVE-2024-21094",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21094",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1008": {
+    "id": "openEuler-SA-2024-1008",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1008",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel through 6.3.8. A use-after-free was found in ravb_remove in drivers/net/ethernet/renesas/ravb_main.c.(CVE-2023-35827)\r\n\r\nAn out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.(CVE-2023-6606)\r\n\r\nAn out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.(CVE-2023-6610)",
+    "cves": [
+      {
+        "id": "CVE-2023-6610",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6610",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1627": {
+    "id": "openEuler-SA-2024-1627",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1627",
+    "title": "An update for uriparser is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The package is a strictly RFC 3986 compliant URI parsing library written in C89(\"ANSI C\"). uriparser is cross-platform, fast, supports Unicode and is licensed under the New BSD license. There are a number of applications, libraries and hardware using uriparser, as well as bindings and 3rd-party wrappers. uriparser is packaged in major distributions.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in uriparser through 0.9.7. ComposeQueryMallocExMm in UriQuery.c has an integer overflow via a long string.(CVE-2024-34403)",
+    "cves": [
+      {
+        "id": "CVE-2024-34403",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34403",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1080": {
+    "id": "openEuler-SA-2023-1080",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1080",
+    "title": "An update for golang is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Go Programming Language\r\n\r\nSecurity Fix(es):\r\n\r\nAn attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.(CVE-2022-41717)",
+    "cves": [
+      {
+        "id": "CVE-2022-41717",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1072": {
+    "id": "openEuler-SA-2024-1072",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1072",
+    "title": "An update for testng is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "TestNG is a testing framework inspired from JUnit and NUnit but introducing some new functionality that make it more powerful and easier to use, such as:   * Annotations.   * Run your tests in arbitrarily big thread pools with various policies     available (all methods in their own thread, one thread per test class, etc...).   * Test that your code is multithread safe.   * Flexible test configuration.   * Support for data-driven testing (with @DataProvider).   * Support for parameters.   * Powerful execution model (no more TestSuite).   * Supported by a variety of tools and plug-ins (Eclipse, IDEA, Maven, etc...).   * Embeds BeanShell for further flexibility.   * Default JDK functions for runtime and logging (no dependencies).   * Dependent methods for application server testing.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in cbeust testng 7.5.0/7.6.0/7.6.1/7.7.0. It has been declared as critical. Affected by this vulnerability is the function testngXmlExistsInJar of the file testng-core/src/main/java/org/testng/JarFileUtils.java of the component XML File Parser. The manipulation leads to path traversal. The attack can be launched remotely. Upgrading to version 7.5.1 and 7.7.1 is able to address this issue. The patch is named 9150736cd2c123a6a3b60e6193630859f9f0422b. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-214027.(CVE-2022-4065)",
+    "cves": [
+      {
+        "id": "CVE-2022-4065",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4065",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1496": {
+    "id": "openEuler-SA-2023-1496",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1496",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel before 6.3.8. fs/smb/server/smb2pdu.c in ksmbd has an integer underflow and out-of-bounds read in deassemble_neg_contexts.(CVE-2023-38427)\r\n\r\nAn issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/connection.c in ksmbd has an off-by-one error in memory allocation (because of ksmbd_smb2_check_message) that may lead to out-of-bounds access.(CVE-2023-38429)\r\n\r\nAn issue was discovered in the Linux kernel before 6.3.9. ksmbd does not validate the SMB request protocol ID, leading to an out-of-bounds read.(CVE-2023-38430)\r\n\r\nA use-after-free flaw was found in the Linux kernel's netfilter in the way a user triggers the nft_pipapo_remove function with the element, without a NFT_SET_EXT_KEY_END. This issue could allow a local user to crash the system or potentially escalate their privileges on the system.(CVE-2023-4004)",
+    "cves": [
+      {
+        "id": "CVE-2023-4004",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4004",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1267": {
+    "id": "openEuler-SA-2023-1267",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1267",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free flaw was found in ndlc_remove in drivers/nfc/st-nci/ndlc.c in the Linux Kernel. This flaw could allow an attacker to crash the system due to a race problem.(CVE-2023-1990)\r\n\r\nThe Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/power/supply/da9150-charger.c if a physically proximate attacker unplugs a device.(CVE-2023-30772)\n\nThe Linux kernel allows userspace processes to enable mitigations by calling prctl with PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line.This happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target injection against which STIBP protects.(CVE-2023-1998)",
+    "cves": [
+      {
+        "id": "CVE-2023-1998",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1998",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1802": {
+    "id": "openEuler-SA-2024-1802",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1802",
+    "title": "An update for python-pip is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes. %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-/bash_completion.d}) Name:           python-pip Version:        23.3.1 Release:        1 Summary:        A tool for installing and managing Python packages License:        MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD) URL:            http://www.pip-installer.org Source0:          Source1:        pip.loongarch.conf BuildArch:      noarch Patch1:         remove-existing-dist-only-if-path-conflicts. Patch6000:      dummy-certifi.patch\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the python-idna library. A malicious argument was sent to the idna.encode() function can trigger an uncontrolled resource consumption, resulting in a denial of service.(CVE-2024-3651)",
+    "cves": [
+      {
+        "id": "CVE-2024-3651",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3651",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1641": {
+    "id": "openEuler-SA-2024-1641",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1641",
+    "title": "An update for libxml2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Low",
+    "description": "This library allows to manipulate XML files. It includes support to read, modify and write XML and HTML files. There is DTDs support this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified. The output can be a simple SAX stream or and in-memory DOM like representations. In this case one can use the built-in XPath and XPointer implementation to select sub nodes or ranges. A flexible Input/Output mechanism is available, with existing HTTP and FTP modules and combined to an URI library.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.(CVE-2024-34459)",
+    "cves": [
+      {
+        "id": "CVE-2024-34459",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1611": {
+    "id": "openEuler-SA-2023-1611",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1611",
+    "title": "An update for poppler is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Poppler is a free software utility library for rendering Portable Document Format (PDF) documents. \\ Its development is supported by freedesktop.org. It is commonly used on Linux systems,and is used by \\ the PDF viewers of the open source GNOME and KDE desktop environments.\r\n\r\nSecurity Fix(es):\r\n\r\nUncontrolled Recursion in pdfinfo, and pdftops in poppler 0.89.0 allows remote attackers to cause a denial of service via crafted input.(CVE-2020-23804)\r\n\r\nIn Poppler 22.07.0, PDFDoc::savePageAs in PDFDoc.c callows attackers to cause a denial-of-service (application crashes with SIGABRT) by crafting a PDF file in which the xref data structure is mishandled in getCatalog processing. Note that this vulnerability is caused by the incomplete patch of CVE-2018-20662.(CVE-2022-37050)\r\n\r\nAn issue was discovered in Poppler 22.07.0. There is a reachable abort which leads to denial of service because the main function in pdfunite.cc lacks a stream check before saving an embedded file.(CVE-2022-37051)\r\n\r\nA reachable Object::getString assertion in Poppler 22.07.0 allows attackers to cause a denial of service due to a failure in markObject.(CVE-2022-37052)\r\n\r\nAn issue was discovered in Poppler 22.08.0. There is a reachable assertion in Object.h, will lead to denial of service because PDFDoc::replacePageDict in PDFDoc.cc lacks a stream check before saving an embedded file.(CVE-2022-38349)",
+    "cves": [
+      {
+        "id": "CVE-2022-38349",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38349",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1320": {
+    "id": "openEuler-SA-2023-1320",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1320",
+    "title": "An update for wireshark is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Wireshark allows you to examine protocol data stored in files or as it is captured from wired or wireless (WiFi or Bluetooth) networks, USB devices,and many other sources.  It supports dozens of protocol capture file formats and understands more than a thousand protocols. It has many powerful features including a rich display filter language and the ability to reassemble multiple protocol packets in order to, for example, view a complete TCP stream, save the contents of a file which was transferred over HTTP or CIFS, or play back an RTP audio stream.\r\n\r\nSecurity Fix(es):\r\n\r\nVMS TCPIPtrace file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file(CVE-2023-2856)",
+    "cves": [
+      {
+        "id": "CVE-2023-2856",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2856",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1099": {
+    "id": "openEuler-SA-2021-1099",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1099",
+    "title": "An update for c-ares is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "This is c-ares, an asynchronous resolver library. It is intended for applications which need to perform DNS queries without blocking, or need to perform multiple.\r\n\r\nSecurity Fix(es):\r\n\r\nA Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.(CVE-2020-8277)",
+    "cves": [
+      {
+        "id": "CVE-2020-8277",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8277",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1171": {
+    "id": "openEuler-SA-2021-1171",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1171",
+    "title": "An update for resteasy is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "%global desc \\ RESTEasy contains a JBoss project that provides frameworks to help\\ build RESTful Web Services and RESTful Java applications. It is a fully\\ certified and portable implementation of the JAX-RS specification. %{desc} %global extdesc %{desc}\\ \\ This package contains\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.(CVE-2021-20289)",
+    "cves": [
+      {
+        "id": "CVE-2021-20289",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20289",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2088": {
+    "id": "openEuler-SA-2022-2088",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2088",
+    "title": "An update for usbguard is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "USBGuard helps to protect your computer against rogue USB devices.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in USBGuard before 1.1.0. On systems with the usbguard-dbus daemon running, an unprivileged user could make USBGuard allow all USB devices to be connected in the future.(CVE-2019-25058)",
+    "cves": [
+      {
+        "id": "CVE-2019-25058",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25058",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1621": {
+    "id": "openEuler-SA-2024-1621",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1621",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfirmware: arm_scmi: Harden accesses to the reset domains\r\n\r\nAccessing reset domains descriptors by the index upon the SCMI drivers\nrequests through the SCMI reset operations interface can potentially\nlead to out-of-bound violations if the SCMI driver misbehave.\r\n\r\nAdd an internal consistency check before any such domains descriptors\naccesses.(CVE-2022-48655)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: hub: Guard against accesses to uninitialized BOS descriptors\r\n\r\nMany functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h\naccess fields inside udev->bos without checking if it was allocated and\ninitialized. If usb_get_bos_descriptor() fails for whatever\nreason, udev->bos will be NULL and those accesses will result in a\ncrash:\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000018\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 5 PID: 17818 Comm: kworker/5:1 Tainted: G W 5.15.108-18910-gab0e1cb584e1 #1 <HASH:1f9e 1>\nHardware name: Google Kindred/Kindred, BIOS Google_Kindred.12672.413.0 02/03/2021\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:hub_port_reset+0x193/0x788\nCode: 89 f7 e8 20 f7 15 00 48 8b 43 08 80 b8 96 03 00 00 03 75 36 0f b7 88 92 03 00 00 81 f9 10 03 00 00 72 27 48 8b 80 a8 03 00 00 <48> 83 78 18 00 74 19 48 89 df 48 8b 75 b0 ba 02 00 00 00 4c 89 e9\nRSP: 0018:ffffab740c53fcf8 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffffa1bc5f678000 RCX: 0000000000000310\nRDX: fffffffffffffdff RSI: 0000000000000286 RDI: ffffa1be9655b840\nRBP: ffffab740c53fd70 R08: 00001b7d5edaa20c R09: ffffffffb005e060\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: ffffab740c53fd3e R14: 0000000000000032 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffffa1be96540000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000018 CR3: 000000022e80c005 CR4: 00000000003706e0\nCall Trace:\nhub_event+0x73f/0x156e\n? hub_activate+0x5b7/0x68f\nprocess_one_work+0x1a2/0x487\nworker_thread+0x11a/0x288\nkthread+0x13a/0x152\n? process_one_work+0x487/0x487\n? kthread_associate_blkcg+0x70/0x70\nret_from_fork+0x1f/0x30\r\n\r\nFall back to a default behavior if the BOS descriptor isn't accessible\nand skip all the functionalities that depend on it: LPM support checks,\nSuper Speed capabilitiy checks, U1/U2 states setup.(CVE-2023-52477)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblock/rnbd-srv: Check for unlikely string overflow\r\n\r\nSince \"dev_search_path\" can technically be as large as PATH_MAX,\nthere was a risk of truncation when copying it and a second string\ninto \"full_path\" since it was also PATH_MAX sized. The W=1 builds were\nreporting this warning:\r\n\r\ndrivers/block/rnbd/rnbd-srv.c: In function 'process_msg_open.isra':\ndrivers/block/rnbd/rnbd-srv.c:616:51: warning: '%s' directive output may be truncated writing up to 254 bytes into a region of size between 0 and 4095 [-Wformat-truncation=]\n  616 |                 snprintf(full_path, PATH_MAX, \"%s/%s\",\n      |                                                   ^~\nIn function 'rnbd_srv_get_full_path',\n    inlined from 'process_msg_open.isra' at drivers/block/rnbd/rnbd-srv.c:721:14: drivers/block/rnbd/rnbd-srv.c:616:17: note: 'snprintf' output between 2 and 4351 bytes into a destination of size 4096\n  616 |                 snprintf(full_path, PATH_MAX, \"%s/%s\",\n      |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n  617 |                          dev_search_path, dev_name);\n      |                          ~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\nTo fix this, unconditionally check for truncation (as was already done\nfor the case where \"%SESSNAME%\" was present).(CVE-2023-52618)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: disallow timeout for anonymous sets\r\n\r\nNever used from userspace, disallow these parameters.(CVE-2023-52620)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nftables: exthdr: fix 4-byte stack OOB write\r\n\r\nIf priv->len is a multiple of 4, then dst[len / 4] can write past\nthe destination array which leads to stack corruption.\r\n\r\nThis construct is necessary to clean the remainder of the register\nin case ->len is NOT a multiple of the register size, so make it\nconditional just like nft_payload.c does.\r\n\r\nThe bug was added in 4.1 cycle and then copied/inherited when\ntcp/sctp and ip option support was added.\r\n\r\nBug reported by Zero Day Initiative project (ZDI-CAN-21950,\nZDI-CAN-21951, ZDI-CAN-21961).(CVE-2023-52628)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: rc: bpf attach/detach requires write permission\r\n\r\nNote that bpf attach/detach also requires CAP_NET_ADMIN.(CVE-2023-52642)\r\n\r\nA flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.(CVE-2023-6270)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nft_limit: reject configurations that cause integer overflow\r\n\r\nReject bogus configs where internal token counter wraps around.\nThis only occurs with very very large requests, such as 17gbyte/s.\r\n\r\nIts better to reject this rather than having incorrect ratelimit.(CVE-2024-26668)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: flower: Fix chain template offload\r\n\r\nWhen a qdisc is deleted from a net device the stack instructs the\nunderlying driver to remove its flow offload callback from the\nassociated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack\nthen continues to replay the removal of the filters in the block for\nthis driver by iterating over the chains in the block and invoking the\n'reoffload' operation of the classifier being used. In turn, the\nclassifier in its 'reoffload' operation prepares and emits a\n'FLOW_CLS_DESTROY' command for each filter.\r\n\r\nHowever, the stack does not do the same for chain templates and the\nunderlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when\na qdisc is deleted. This results in a memory leak [1] which can be\nreproduced using [2].\r\n\r\nFix by introducing a 'tmplt_reoffload' operation and have the stack\ninvoke it with the appropriate arguments as part of the replay.\nImplement the operation in the sole classifier that supports chain\ntemplates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}'\ncommand based on whether a flow offload callback is being bound to a\nfilter block or being unbound from one.\r\n\r\nAs far as I can tell, the issue happens since cited commit which\nreordered tcf_block_offload_unbind() before tcf_block_flush_all_chains()\nin __tcf_block_put(). The order cannot be reversed as the filter block\nis expected to be freed after flushing all the chains.\r\n\r\n[1]\nunreferenced object 0xffff888107e28800 (size 2048):\n  comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s)\n  hex dump (first 32 bytes):\n    b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff  ..|......[......\n    01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff  ................\n  backtrace:\n    [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320\n    [<ffffffff81ab374e>] __kmalloc+0x4e/0x90\n    [<ffffffff832aec6d>] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0\n    [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180\n    [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280\n    [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340\n    [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0\n    [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170\n    [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0\n    [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440\n    [<ffffffff83ac6270>] netlink_unicast+0x540/0x820\n    [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0\n    [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80\n    [<ffffffff8379d29a>] ___sys_sendmsg+0x13a/0x1e0\n    [<ffffffff8379d50c>] __sys_sendmsg+0x11c/0x1f0\n    [<ffffffff843b9ce0>] do_syscall_64+0x40/0xe0\nunreferenced object 0xffff88816d2c0400 (size 1024):\n  comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s)\n  hex dump (first 32 bytes):\n    40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00  @.......W.8.....\n    10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff  ..,m......,m....\n  backtrace:\n    [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320\n    [<ffffffff81ab36c1>] __kmalloc_node+0x51/0x90\n    [<ffffffff81a8ed96>] kvmalloc_node+0xa6/0x1f0\n    [<ffffffff82827d03>] bucket_table_alloc.isra.0+0x83/0x460\n    [<ffffffff82828d2b>] rhashtable_init+0x43b/0x7c0\n    [<ffffffff832aed48>] mlxsw_sp_acl_ruleset_get+0x428/0x7a0\n    [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180\n    [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280\n    [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340\n    [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0\n    [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170\n    [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0\n    [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440\n    [<ffffffff83ac6270>] netlink_unicast+0x540/0x820\n    [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0\n    [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80\r\n\r\n[2]\n # tc qdisc add dev swp1 clsact\n # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32\n # tc qdisc del dev\n---truncated---(CVE-2024-26669)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblk-mq: fix IO hang from sbitmap wakeup race\r\n\r\nIn blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered\nwith the following blk_mq_get_driver_tag() in case of getting driver\ntag failure.\r\n\r\nThen in __sbitmap_queue_wake_up(), waitqueue_active() may not observe\nthe added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime\nblk_mq_mark_tag_wait() can't get driver tag successfully.\r\n\r\nThis issue can be reproduced by running the following test in loop, and\nfio hang can be observed in < 30min when running it on my test VM\nin laptop.\r\n\r\n\tmodprobe -r scsi_debug\n\tmodprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4\n\tdev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename`\n\tfio --filename=/dev/\"$dev\" --direct=1 --rw=randrw --bs=4k --iodepth=1 \\\n       \t\t--runtime=100 --numjobs=40 --time_based --name=test \\\n        \t--ioengine=libaio\r\n\r\nFix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which\nis just fine in case of running out of tag.(CVE-2024-26671)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: atlantic: Fix DMA mapping for PTP hwts ring\r\n\r\nFunction aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytes\nfor PTP HWTS ring but then generic aq_ring_free() does not take this\ninto account.\nCreate and use a specific function to free HWTS ring to fix this\nissue.\r\n\r\nTrace:\n[  215.351607] ------------[ cut here ]------------\n[  215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes]\n[  215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 check_unmap+0xa6f/0x2360\n...\n[  215.581176] Call Trace:\n[  215.583632]  <TASK>\n[  215.585745]  ? show_trace_log_lvl+0x1c4/0x2df\n[  215.590114]  ? show_trace_log_lvl+0x1c4/0x2df\n[  215.594497]  ? debug_dma_free_coherent+0x196/0x210\n[  215.599305]  ? check_unmap+0xa6f/0x2360\n[  215.603147]  ? __warn+0xca/0x1d0\n[  215.606391]  ? check_unmap+0xa6f/0x2360\n[  215.610237]  ? report_bug+0x1ef/0x370\n[  215.613921]  ? handle_bug+0x3c/0x70\n[  215.617423]  ? exc_invalid_op+0x14/0x50\n[  215.621269]  ? asm_exc_invalid_op+0x16/0x20\n[  215.625480]  ? check_unmap+0xa6f/0x2360\n[  215.629331]  ? mark_lock.part.0+0xca/0xa40\n[  215.633445]  debug_dma_free_coherent+0x196/0x210\n[  215.638079]  ? __pfx_debug_dma_free_coherent+0x10/0x10\n[  215.643242]  ? slab_free_freelist_hook+0x11d/0x1d0\n[  215.648060]  dma_free_attrs+0x6d/0x130\n[  215.651834]  aq_ring_free+0x193/0x290 [atlantic]\n[  215.656487]  aq_ptp_ring_free+0x67/0x110 [atlantic]\n...\n[  216.127540] ---[ end trace 6467e5964dd2640b ]---\n[  216.132160] DMA-API: Mapped at:\n[  216.132162]  debug_dma_alloc_coherent+0x66/0x2f0\n[  216.132165]  dma_alloc_attrs+0xf5/0x1b0\n[  216.132168]  aq_ring_hwts_rx_alloc+0x150/0x1f0 [atlantic]\n[  216.132193]  aq_ptp_ring_alloc+0x1bb/0x540 [atlantic]\n[  216.132213]  aq_nic_init+0x4a1/0x760 [atlantic](CVE-2024-26680)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super\r\n\r\nWhen configuring a hugetlb filesystem via the fsconfig() syscall, there is\na possible NULL dereference in hugetlbfs_fill_super() caused by assigning\nNULL to ctx->hstate in hugetlbfs_parse_param() when the requested pagesize\nis non valid.\r\n\r\nE.g: Taking the following steps:\r\n\r\n     fd = fsopen(\"hugetlbfs\", FSOPEN_CLOEXEC);\n     fsconfig(fd, FSCONFIG_SET_STRING, \"pagesize\", \"1024\", 0);\n     fsconfig(fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0);\r\n\r\nGiven that the requested \"pagesize\" is invalid, ctxt->hstate will be replaced\nwith NULL, losing its previous value, and we will print an error:\r\n\r\n ...\n ...\n case Opt_pagesize:\n ps = memparse(param->string, &rest);\n ctx->hstate = h;\n if (!ctx->hstate) {\n         pr_err(\"Unsupported page size %lu MB\\n\", ps / SZ_1M);\n         return -EINVAL;\n }\n return 0;\n ...\n ...\r\n\r\nThis is a problem because later on, we will dereference ctxt->hstate in\nhugetlbfs_fill_super()\r\n\r\n ...\n ...\n sb->s_blocksize = huge_page_size(ctx->hstate);\n ...\n ...\r\n\r\nCausing below Oops.\r\n\r\nFix this by replacing cxt->hstate value only when then pagesize is known\nto be valid.\r\n\r\n kernel: hugetlbfs: Unsupported page size 0 MB\n kernel: BUG: kernel NULL pointer dereference, address: 0000000000000028\n kernel: #PF: supervisor read access in kernel mode\n kernel: #PF: error_code(0x0000) - not-present page\n kernel: PGD 800000010f66c067 P4D 800000010f66c067 PUD 1b22f8067 PMD 0\n kernel: Oops: 0000 [#1] PREEMPT SMP PTI\n kernel: CPU: 4 PID: 5659 Comm: syscall Tainted: G            E      6.8.0-rc2-default+ #22 5a47c3fef76212addcc6eb71344aabc35190ae8f\n kernel: Hardware name: Intel Corp. GROVEPORT/GROVEPORT, BIOS GVPRCRB1.86B.0016.D04.1705030402 05/03/2017\n kernel: RIP: 0010:hugetlbfs_fill_super+0xb4/0x1a0\n kernel: Code: 48 8b 3b e8 3e c6 ed ff 48 85 c0 48 89 45 20 0f 84 d6 00 00 00 48 b8 ff ff ff ff ff ff ff 7f 4c 89 e7 49 89 44 24 20 48 8b 03 <8b> 48 28 b8 00 10 00 00 48 d3 e0 49 89 44 24 18 48 8b 03 8b 40 28\n kernel: RSP: 0018:ffffbe9960fcbd48 EFLAGS: 00010246\n kernel: RAX: 0000000000000000 RBX: ffff9af5272ae780 RCX: 0000000000372004\n kernel: RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: ffff9af555e9b000\n kernel: RBP: ffff9af52ee66b00 R08: 0000000000000040 R09: 0000000000370004\n kernel: R10: ffffbe9960fcbd48 R11: 0000000000000040 R12: ffff9af555e9b000\n kernel: R13: ffffffffa66b86c0 R14: ffff9af507d2f400 R15: ffff9af507d2f400\n kernel: FS:  00007ffbc0ba4740(0000) GS:ffff9b0bd7000000(0000) knlGS:0000000000000000\n kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n kernel: CR2: 0000000000000028 CR3: 00000001b1ee0000 CR4: 00000000001506f0\n kernel: Call Trace:\n kernel:  <TASK>\n kernel:  ? __die_body+0x1a/0x60\n kernel:  ? page_fault_oops+0x16f/0x4a0\n kernel:  ? search_bpf_extables+0x65/0x70\n kernel:  ? fixup_exception+0x22/0x310\n kernel:  ? exc_page_fault+0x69/0x150\n kernel:  ? asm_exc_page_fault+0x22/0x30\n kernel:  ? __pfx_hugetlbfs_fill_super+0x10/0x10\n kernel:  ? hugetlbfs_fill_super+0xb4/0x1a0\n kernel:  ? hugetlbfs_fill_super+0x28/0x1a0\n kernel:  ? __pfx_hugetlbfs_fill_super+0x10/0x10\n kernel:  vfs_get_super+0x40/0xa0\n kernel:  ? __pfx_bpf_lsm_capable+0x10/0x10\n kernel:  vfs_get_tree+0x25/0xd0\n kernel:  vfs_cmd_create+0x64/0xe0\n kernel:  __x64_sys_fsconfig+0x395/0x410\n kernel:  do_syscall_64+0x80/0x160\n kernel:  ? syscall_exit_to_user_mode+0x82/0x240\n kernel:  ? do_syscall_64+0x8d/0x160\n kernel:  ? syscall_exit_to_user_mode+0x82/0x240\n kernel:  ? do_syscall_64+0x8d/0x160\n kernel:  ? exc_page_fault+0x69/0x150\n kernel:  entry_SYSCALL_64_after_hwframe+0x6e/0x76\n kernel: RIP: 0033:0x7ffbc0cb87c9\n kernel: Code: 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 96 0d 00 f7 d8 64 89 01 48\n kernel: RSP: 002b:00007ffc29d2f388 EFLAGS: 00000206 ORIG_RAX: 00000000000001af\n kernel: RAX: fffffffffff\n---truncated---(CVE-2024-26688)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nceph: prevent use-after-free in encode_cap_msg()\r\n\r\nIn fs/ceph/caps.c, in encode_cap_msg(), \"use after free\" error was\ncaught by KASAN at this line - 'ceph_buffer_get(arg->xattr_buf);'. This\nimplies before the refcount could be increment here, it was freed.\r\n\r\nIn same file, in \"handle_cap_grant()\" refcount is decremented by this\nline - 'ceph_buffer_put(ci->i_xattrs.blob);'. It appears that a race\noccurred and resource was freed by the latter line before the former\nline could increment it.\r\n\r\nencode_cap_msg() is called by __send_cap() and __send_cap() is called by\nceph_check_caps() after calling __prep_cap(). __prep_cap() is where\narg->xattr_buf is assigned to ci->i_xattrs.blob. This is the spot where\nthe refcount must be increased to prevent \"use after free\" error.(CVE-2024-26689)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: dev-replace: properly validate device names\r\n\r\nThere's a syzbot report that device name buffers passed to device\nreplace are not properly checked for string termination which could lead\nto a read out of bounds in getname_kernel().\r\n\r\nAdd a helper that validates both source and target device name buffers.\nFor devid as the source initialize the buffer to empty string in case\nsomething tries to read it later.\r\n\r\nThis was originally analyzed and fixed in a different way by Edward Adam\nDavis (see links).(CVE-2024-26791)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: fix double free of anonymous device after snapshot creation failure\r\n\r\nWhen creating a snapshot we may do a double free of an anonymous device\nin case there's an error committing the transaction. The second free may\nresult in freeing an anonymous device number that was allocated by some\nother subsystem in the kernel or another btrfs filesystem.\r\n\r\nThe steps that lead to this:\r\n\r\n1) At ioctl.c:create_snapshot() we allocate an anonymous device number\n   and assign it to pending_snapshot->anon_dev;\r\n\r\n2) Then we call btrfs_commit_transaction() and end up at\n   transaction.c:create_pending_snapshot();\r\n\r\n3) There we call btrfs_get_new_fs_root() and pass it the anonymous device\n   number stored in pending_snapshot->anon_dev;\r\n\r\n4) btrfs_get_new_fs_root() frees that anonymous device number because\n   btrfs_lookup_fs_root() returned a root - someone else did a lookup\n   of the new root already, which could some task doing backref walking;\r\n\r\n5) After that some error happens in the transaction commit path, and at\n   ioctl.c:create_snapshot() we jump to the 'fail' label, and after\n   that we free again the same anonymous device number, which in the\n   meanwhile may have been reallocated somewhere else, because\n   pending_snapshot->anon_dev still has the same value as in step 1.\r\n\r\nRecently syzbot ran into this and reported the following trace:\r\n\r\n  ------------[ cut here ]------------\n  ida_free called for id=51 which is not allocated.\n  WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525\n  Modules linked in:\n  CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\n  RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525\n  Code: 10 42 80 3c 28 (...)\n  RSP: 0018:ffffc90015a67300 EFLAGS: 00010246\n  RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000\n  RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000\n  RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4\n  R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246\n  R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246\n  FS:  00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0\n  Call Trace:\n   <TASK>\n   btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346\n   create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837\n   create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931\n   btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404\n   create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848\n   btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998\n   btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044\n   __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306\n   btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393\n   btrfs_ioctl+0xa74/0xd40\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:871 [inline]\n   __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857\n   do_syscall_64+0xfb/0x240\n   entry_SYSCALL_64_after_hwframe+0x6f/0x77\n  RIP: 0033:0x7fca3e67dda9\n  Code: 28 00 00 00 (...)\n  RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9\n  RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003\n  RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658\n   </TASK>\r\n\r\nWhere we get an explicit message where we attempt to free an anonymous\ndevice number that is not currently allocated. It happens in a different\ncode path from the example below, at btrfs_get_root_ref(), so this change\nmay not fix the case triggered by sy\n---truncated---(CVE-2024-26792)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: validate payload size in ipc response\r\n\r\nIf installing malicious ksmbd-tools, ksmbd.mountd can return invalid ipc\nresponse to ksmbd kernel server. ksmbd should validate payload size of\nipc response from ksmbd.mountd to avoid memory overrun or\nslab-out-of-bounds. This patch validate 3 ipc response that has payload.(CVE-2024-26811)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/pci: Create persistent INTx handler\r\n\r\nA vulnerability exists where the eventfd for INTx signaling can be\ndeconfigured, which unregisters the IRQ handler but still allows\neventfds to be signaled with a NULL context through the SET_IRQS ioctl\nor through unmask irqfd if the device interrupt is pending.\r\n\r\nIdeally this could be solved with some additional locking; the igate\nmutex serializes the ioctl and config space accesses, and the interrupt\nhandler is unregistered relative to the trigger, but the irqfd path\nruns asynchronous to those.  The igate mutex cannot be acquired from the\natomic context of the eventfd wake function.  Disabling the irqfd\nrelative to the eventfd registration is potentially incompatible with\nexisting userspace.\r\n\r\nAs a result, the solution implemented here moves configuration of the\nINTx interrupt handler to track the lifetime of the INTx context object\nand irq_type configuration, rather than registration of a particular\ntrigger eventfd.  Synchronization is added between the ioctl path and\neventfd_signal() wrapper such that the eventfd trigger can be\ndynamically updated relative to in-flight interrupts or irqfd callbacks.(CVE-2024-26812)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\namdkfd: use calloc instead of kzalloc to avoid integer overflow\r\n\r\nThis uses calloc instead of doing the multiplication which might\noverflow.(CVE-2024-26817)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncifs: fix underflow in parse_server_interfaces()\r\n\r\nIn this loop, we step through the buffer and after each item we check\nif the size_left is greater than the minimum size we need.  However,\nthe problem is that \"bytes_left\" is type ssize_t while sizeof() is type\nsize_t.  That means that because of type promotion, the comparison is\ndone as an unsigned and if we have negative bytes left the loop\ncontinues instead of ending.(CVE-2024-26828)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nIB/hfi1: Fix a memleak in init_credit_return\r\n\r\nWhen dma_alloc_coherent fails to allocate dd->cr_base[i].va,\ninit_credit_return should deallocate dd->cr_base and\ndd->cr_base[i] that allocated before. Or those resources\nwould be never freed and a memleak is triggered.(CVE-2024-26839)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncachefiles: fix memory leak in cachefiles_add_cache()\r\n\r\nThe following memory leak was reported after unbinding /dev/cachefiles:\r\n\r\n==================================================================\nunreferenced object 0xffff9b674176e3c0 (size 192):\n  comm \"cachefilesd2\", pid 680, jiffies 4294881224\n  hex dump (first 32 bytes):\n    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc ea38a44b):\n    [<ffffffff8eb8a1a5>] kmem_cache_alloc+0x2d5/0x370\n    [<ffffffff8e917f86>] prepare_creds+0x26/0x2e0\n    [<ffffffffc002eeef>] cachefiles_determine_cache_security+0x1f/0x120\n    [<ffffffffc00243ec>] cachefiles_add_cache+0x13c/0x3a0\n    [<ffffffffc0025216>] cachefiles_daemon_write+0x146/0x1c0\n    [<ffffffff8ebc4a3b>] vfs_write+0xcb/0x520\n    [<ffffffff8ebc5069>] ksys_write+0x69/0xf0\n    [<ffffffff8f6d4662>] do_syscall_64+0x72/0x140\n    [<ffffffff8f8000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n==================================================================\r\n\r\nPut the reference count of cache_cred in cachefiles_daemon_unbind() to\nfix the problem. And also put cache_cred in cachefiles_add_cache() error\nbranch to avoid memory leaks.(CVE-2024-26840)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nefi: runtime: Fix potential overflow of soft-reserved region size\r\n\r\nmd_size will have been narrowed if we have >= 4GB worth of pages in a\nsoft-reserved region.(CVE-2024-26843)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()\r\n\r\nThe function ice_bridge_setlink() may encounter a NULL pointer dereference\nif nlmsg_find_attr() returns NULL and br_spec is dereferenced subsequently\nin nla_for_each_nested(). To address this issue, add a check to ensure that\nbr_spec is not NULL before proceeding with the nested attribute iteration.(CVE-2024-26855)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nNFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102\r\n\r\nA call to listxattr() with a buffer size = 0 returns the actual\nsize of the buffer needed for a subsequent call. When size > 0,\nnfs4_listxattr() does not return an error because either\ngeneric_listxattr() or nfs4_listxattr_nfs4_label() consumes\nexactly all the bytes then size is 0 when calling\nnfs4_listxattr_nfs4_user() which then triggers the following\nkernel BUG:\r\n\r\n  [   99.403778] kernel BUG at mm/usercopy.c:102!\n  [   99.404063] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n  [   99.408463] CPU: 0 PID: 3310 Comm: python3 Not tainted 6.6.0-61.fc40.aarch64 #1\n  [   99.415827] Call trace:\n  [   99.415985]  usercopy_abort+0x70/0xa0\n  [   99.416227]  __check_heap_object+0x134/0x158\n  [   99.416505]  check_heap_object+0x150/0x188\n  [   99.416696]  __check_object_size.part.0+0x78/0x168\n  [   99.416886]  __check_object_size+0x28/0x40\n  [   99.417078]  listxattr+0x8c/0x120\n  [   99.417252]  path_listxattr+0x78/0xe0\n  [   99.417476]  __arm64_sys_listxattr+0x28/0x40\n  [   99.417723]  invoke_syscall+0x78/0x100\n  [   99.417929]  el0_svc_common.constprop.0+0x48/0xf0\n  [   99.418186]  do_el0_svc+0x24/0x38\n  [   99.418376]  el0_svc+0x3c/0x110\n  [   99.418554]  el0t_64_sync_handler+0x120/0x130\n  [   99.418788]  el0t_64_sync+0x194/0x198\n  [   99.418994] Code: aa0003e3 d000a3e0 91310000 97f49bdb (d4210000)\r\n\r\nIssue is reproduced when generic_listxattr() returns 'system.nfs4_acl',\nthus calling lisxattr() with size = 16 will trigger the bug.\r\n\r\nAdd check on nfs4_listxattr() to return ERANGE error when it is\ncalled with size > 0 and the return value is greater than size.(CVE-2024-26870)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: pvrusb2: fix uaf in pvr2_context_set_notify\r\n\r\n[Syzbot reported]\nBUG: KASAN: slab-use-after-free in pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35\nRead of size 4 at addr ffff888113aeb0d8 by task kworker/1:1/26\r\n\r\nCPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.8.0-rc1-syzkaller-00046-gf1a27f081c1f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0xc4/0x620 mm/kasan/report.c:488\n kasan_report+0xda/0x110 mm/kasan/report.c:601\n pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35\n pvr2_context_notify drivers/media/usb/pvrusb2/pvrusb2-context.c:95 [inline]\n pvr2_context_disconnect+0x94/0xb0 drivers/media/usb/pvrusb2/pvrusb2-context.c:272\r\n\r\nFreed by task 906:\nkasan_save_stack+0x33/0x50 mm/kasan/common.c:47\nkasan_save_track+0x14/0x30 mm/kasan/common.c:68\nkasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640\npoison_slab_object mm/kasan/common.c:241 [inline]\n__kasan_slab_free+0x106/0x1b0 mm/kasan/common.c:257\nkasan_slab_free include/linux/kasan.h:184 [inline]\nslab_free_hook mm/slub.c:2121 [inline]\nslab_free mm/slub.c:4299 [inline]\nkfree+0x105/0x340 mm/slub.c:4409\npvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:137 [inline]\npvr2_context_thread_func+0x69d/0x960 drivers/media/usb/pvrusb2/pvrusb2-context.c:158\r\n\r\n[Analyze]\nTask A set disconnect_flag = !0, which resulted in Task B's condition being met\nand releasing mp, leading to this issue.\r\n\r\n[Fix]\nPlace the disconnect_flag assignment operation after all code in pvr2_context_disconnect()\nto avoid this issue.(CVE-2024-26875)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nquota: Fix potential NULL pointer dereference\r\n\r\nBelow race may cause NULL pointer dereference\r\n\r\nP1\t\t\t\t\tP2\ndquot_free_inode\t\t\tquota_off\n\t\t\t\t\t  drop_dquot_ref\n\t\t\t\t\t   remove_dquot_ref\n\t\t\t\t\t   dquots = i_dquot(inode)\n  dquots = i_dquot(inode)\n  srcu_read_lock\n  dquots[cnt]) != NULL (1)\n\t\t\t\t\t     dquots[type] = NULL (2)\n  spin_lock(&dquots[cnt]->dq_dqb_lock) (3)\n   ....\r\n\r\nIf dquot_free_inode(or other routines) checks inode's quota pointers (1)\nbefore quota_off sets it to NULL(2) and use it (3) after that, NULL pointer\ndereference will be triggered.\r\n\r\nSo let's fix it by using a temporary pointer to avoid this issue.(CVE-2024-26878)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfirmware: arm_scmi: Fix double free in SMC transport cleanup path\r\n\r\nWhen the generic SCMI code tears down a channel, it calls the chan_free\ncallback function, defined by each transport. Since multiple protocols\nmight share the same transport_info member, chan_free() might want to\nclean up the same member multiple times within the given SCMI transport\nimplementation. In this case, it is SMC transport. This will lead to a NULL\npointer dereference at the second time:\r\n\r\n    | scmi_protocol scmi_dev.1: Enabled polling mode TX channel - prot_id:16\n    | arm-scmi firmware:scmi: SCMI Notifications - Core Enabled.\n    | arm-scmi firmware:scmi: unable to communicate with SCMI\n    | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n    | Mem abort info:\n    |   ESR = 0x0000000096000004\n    |   EC = 0x25: DABT (current EL), IL = 32 bits\n    |   SET = 0, FnV = 0\n    |   EA = 0, S1PTW = 0\n    |   FSC = 0x04: level 0 translation fault\n    | Data abort info:\n    |   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n    |   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n    |   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n    | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881ef8000\n    | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n    | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n    | Modules linked in:\n    | CPU: 4 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc2-00124-g455ef3d016c9-dirty #793\n    | Hardware name: FVP Base RevC (DT)\n    | pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n    | pc : smc_chan_free+0x3c/0x6c\n    | lr : smc_chan_free+0x3c/0x6c\n    | Call trace:\n    |  smc_chan_free+0x3c/0x6c\n    |  idr_for_each+0x68/0xf8\n    |  scmi_cleanup_channels.isra.0+0x2c/0x58\n    |  scmi_probe+0x434/0x734\n    |  platform_probe+0x68/0xd8\n    |  really_probe+0x110/0x27c\n    |  __driver_probe_device+0x78/0x12c\n    |  driver_probe_device+0x3c/0x118\n    |  __driver_attach+0x74/0x128\n    |  bus_for_each_dev+0x78/0xe0\n    |  driver_attach+0x24/0x30\n    |  bus_add_driver+0xe4/0x1e8\n    |  driver_register+0x60/0x128\n    |  __platform_driver_register+0x28/0x34\n    |  scmi_driver_init+0x84/0xc0\n    |  do_one_initcall+0x78/0x33c\n    |  kernel_init_freeable+0x2b8/0x51c\n    |  kernel_init+0x24/0x130\n    |  ret_from_fork+0x10/0x20\n    | Code: f0004701 910a0021 aa1403e5 97b91c70 (b9400280)\n    | ---[ end trace 0000000000000000 ]---\r\n\r\nSimply check for the struct pointer being NULL before trying to access\nits members, to avoid this situation.\r\n\r\nThis was found when a transport doesn't really work (for instance no SMC\nservice), the probe routines then tries to clean up, and triggers a crash.(CVE-2024-26893)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\naoe: fix the potential use-after-free problem in aoecmd_cfg_pkts\r\n\r\nThis patch is against CVE-2023-6270. The description of cve is:\r\n\r\n  A flaw was found in the ATA over Ethernet (AoE) driver in the Linux\n  kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on\n  `struct net_device`, and a use-after-free can be triggered by racing\n  between the free on the struct and the access through the `skbtxq`\n  global queue. This could lead to a denial of service condition or\n  potential code execution.\r\n\r\nIn aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial\ncode is finished. But the net_device ifp will still be used in\nlater tx()->dev_queue_xmit() in kthread. Which means that the\ndev_put(ifp) should NOT be called in the success path of skb\ninitial code in aoecmd_cfg_pkts(). Otherwise tx() may run into\nuse-after-free because the net_device is freed.\r\n\r\nThis patch removed the dev_put(ifp) in the success path in\naoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().(CVE-2024-26898)",
+    "cves": [
+      {
+        "id": "CVE-2024-26811",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26811",
+        "severity": "High"
+      },
+      {
+        "id": "CVE-2024-26898",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26898",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1352": {
+    "id": "openEuler-SA-2021-1352",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1352",
+    "title": "An update for libexif is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "Most digital cameras produce EXIF files, which are JPEG files with extra tags that contain information about the image. The EXIF library allows you to parse an EXIF file and read the data from those tags.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in libexif before 0.6.22. Several buffer over-reads in EXIF MakerNote handling could lead to information disclosure and crashes. This is different from CVE-2020-0093.(CVE-2020-13112)",
+    "cves": [
+      {
+        "id": "CVE-2020-13112",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13112",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1264": {
+    "id": "openEuler-SA-2023-1264",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1264",
+    "title": "An update for dmidecode is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Dmidecode reports information about your system's hardware as described in your system BIOS according to the SMBIOS/DMI standard (see a sample output). This information typically includes system manufacturer, model name, serial number, BIOS version, asset tag as well as a lot of other details of varying level of interest and reliability depending on the manufacturer. This will often include usage status for the CPU sockets, expansion slots (e.g. AGP, PCI, ISA) and memory module slots, and the list of I/O ports (e.g. serial, parallel, USB).DMI data can be used to enable or disable specific portions of kernel code depending on the specific hardware. Thus, one use of dmidecode is for kernel developers to detect system \"signatures\" and add them to the kernel source code when needed.\r\n\r\nSecurity Fix(es):\r\n\r\nDmidecode before 3.5 allows -dump-bin to overwrite a local file. This has security relevance because, for example, execution of Dmidecode via Sudo is plausible.(CVE-2023-30630)",
+    "cves": [
+      {
+        "id": "CVE-2023-30630",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30630",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1807": {
+    "id": "openEuler-SA-2023-1807",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1807",
+    "title": "An update for qt is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Qt (pronounced as \"cute\", not \"cu-tee\") is a cross-platform framework that is usually used as a graphical toolkit, although it is also very helpful in creating CLI applications. It runs on the three major desktop OSes, as well as on mobile OSes, such as Symbian, Nokia Belle, Meego Harmattan, MeeGo or BB10, and on embedded devices. Ports for Android (Necessitas) and iOS are also in development\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.(CVE-2023-34410)",
+    "cves": [
+      {
+        "id": "CVE-2023-34410",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1444": {
+    "id": "openEuler-SA-2021-1444",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1444",
+    "title": "An update for mailman is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Mailman is free software for managing electronic mail discussion and e-newsletter lists. Mailman is integrated with the web, making it easy for users to manage their accounts and for list owners to administer their lists. Mailman supports built-in archiving, automatic bounce processing, content filtering, digest delivery, spam filters, and more.\r\n\r\nSecurity Fix(es):\r\n\r\nIn GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. This could potentially be cracked by a moderator via an offline brute-force attack.(CVE-2021-43332)\r\n\r\nIn GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user options page can execute arbitrary JavaScript for XSS.(CVE-2021-43331)",
+    "cves": [
+      {
+        "id": "CVE-2021-43331",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43331",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1690": {
+    "id": "openEuler-SA-2023-1690",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1690",
+    "title": "An update for exempi is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Exempi is an implementation of XMP. Version 2.x is based on Adobe XMP SDK and released under a BSD-style license like Adobe's.\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Overflow vulnerability in function ID3_Support::ID3v2Frame::getFrameValue in exempi 2.5.0 and earlier allows remote attackers to cause a denial of service via opening of crafted audio file with ID3V2 frame.(CVE-2020-18651)\r\n\r\nBuffer Overflow vulnerability in WEBP_Support.cpp in exempi 2.5.0 and earlier allows remote attackers to cause a denial of service via opening of crafted webp file.(CVE-2020-18652)\r\n\r\nXMP Toolkit version 2020.1 (and earlier) is affected by a null pointer dereference vulnerability that could result in leaking data from certain memory locations and causing a local denial of service in the context of the current user. User interaction is required to exploit this vulnerability in that the victim will need to open a specially crafted MXF file.(CVE-2021-40732)",
+    "cves": [
+      {
+        "id": "CVE-2021-40732",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40732",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1897": {
+    "id": "openEuler-SA-2023-1897",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1897",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.(CVE-2023-1544)",
+    "cves": [
+      {
+        "id": "CVE-2023-1544",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1544",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1415": {
+    "id": "openEuler-SA-2023-1415",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1415",
+    "title": "An update for kubernetes is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Container cluster management.\n\nSecurity Fix(es):\n\nUsers authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API group.(CVE-2022-3162)\n\nUsers may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to to the API server's private network.(CVE-2022-3294)\n\nA security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.(CVE-2023-2431)\n\nUsers may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.\n\n(CVE-2023-2727)\n\nUsers may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.\n\n(CVE-2023-2728)",
+    "cves": [
+      {
+        "id": "CVE-2023-2728",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2728",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1702": {
+    "id": "openEuler-SA-2024-1702",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1702",
+    "title": "An update for nautilus is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "It's easier to manage your files for the GNOME desktop. Ability to browse directories on local and remote systems. preview folders and launch related programs. It is also handle icons on the GNOME desktop.\r\n\r\nSecurity Fix(es):\r\n\r\nGNOME Nautilus 42.2 allows a NULL pointer dereference and get_basename application crash via a pasted ZIP archive.(CVE-2022-37290)",
+    "cves": [
+      {
+        "id": "CVE-2022-37290",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37290",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2048": {
+    "id": "openEuler-SA-2022-2048",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2048",
+    "title": "An update for nodejs-grunt is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Grunt is the JavaScript task runner. Why use a task runner? In one word: automation. The less work you have to do when performing repetitive tasks like minification, compilation, unit testing, linting, etc, the easier your job becomes. After you've configured it, a task runner can do most of that mundane work for you with basically zero effort.\r\n\r\nSecurity Fix(es):\r\n\r\nThe package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.(CVE-2020-7729)",
+    "cves": [
+      {
+        "id": "CVE-2020-7729",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7729",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1688": {
+    "id": "openEuler-SA-2022-1688",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1688",
+    "title": "An update for grafana is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB and OpenTSDB.\r\n\r\nSecurity Fix(es):\r\n\r\nGrafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.(CVE-2022-21703)\r\n\r\nGrafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the specific team ID, `/teams/:search` will allow an authenticated attacker to search for teams and see the total number of available teams, including for those teams that the user does not have access to, and `/teams/:teamId/members` when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.(CVE-2022-21713)",
+    "cves": [
+      {
+        "id": "CVE-2022-21713",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21713",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1648": {
+    "id": "openEuler-SA-2022-1648",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1648",
+    "title": "An update for vte is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "VTE is a terminal emulator widget for use with GTK+ 2.0.\r\n\r\nSecurity Fix(es):\r\n\r\nThe VteTerminal in gnome-terminal (vte) before 0.32.2 allows remote authenticated users to cause a denial of service (long loop and CPU consumption) via an escape sequence with a large repeat count value.(CVE-2012-2738)",
+    "cves": [
+      {
+        "id": "CVE-2012-2738",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2738",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1540": {
+    "id": "openEuler-SA-2024-1540",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1540",
+    "title": "An update for qt5-qtbase is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Low",
+    "description": "This package provides base tools, such as string, xml, and network handling.\r\n\r\nSecurity Fix(es):\r\n\r\nQt 6 through 6.6 was discovered to contain a NULL pointer dereference via the function QXcbConnection::initializeAllAtoms(). NOTE: this is disputed because it is not expected that an X application should continue to run when there is arbitrary anomalous behavior from the X server.(CVE-2023-45935)",
+    "cves": [
+      {
+        "id": "CVE-2023-45935",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45935",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1840": {
+    "id": "openEuler-SA-2022-1840",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1840",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nProduct: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel.(CVE-2022-20368)",
+    "cves": [
+      {
+        "id": "CVE-2022-20368",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20368",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1667": {
+    "id": "openEuler-SA-2024-1667",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1667",
+    "title": "An update for infinispan is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Infinispan is an extremely scalable, highly available data grid platform - 100% open source, and written in Java. The purpose of Infinispan is to expose a data structure that is highly concurrent, designed ground-up to make the most of modern multi-processor/multi-core architectures while at the same time providing distributed cache capabilities.  At its core Infinispan exposes a Cache interface which extends java.util.Map. It is also optionally is backed by a peer-to-peer network architecture to distribute state efficiently around a data grid.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.(CVE-2019-10174)",
+    "cves": [
+      {
+        "id": "CVE-2019-10174",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10174",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1104": {
+    "id": "openEuler-SA-2024-1104",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1104",
+    "title": "An update for libssh is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote programs. With its Secure FTP implementation, you can play with remote files easily, without third-party programs others than libcrypto (from openssl).\r\n\r\nSecurity Fix(es):\r\n\r\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795)",
+    "cves": [
+      {
+        "id": "CVE-2023-48795",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48795",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1832": {
+    "id": "openEuler-SA-2024-1832",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1832",
+    "title": "An update for ffmpeg is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash.\r\n\r\nSecurity Fix(es):\r\n\r\nInteger overflow vulnerability in av_timecode_make_string in libavutil/timecode.c in FFmpeg version 4.3.2, allows local attackers to cause a denial of service (DoS) via crafted .mov file.(CVE-2021-28429)",
+    "cves": [
+      {
+        "id": "CVE-2021-28429",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28429",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1058": {
+    "id": "openEuler-SA-2024-1058",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1058",
+    "title": "An update for firefox is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Mozilla Firefox is a standalone web browser, designed for standards compliance and performance.  Its functionality can be enhanced via a plethora of extensions.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999.(CVE-2023-7104)",
+    "cves": [
+      {
+        "id": "CVE-2023-7104",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7104",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2009": {
+    "id": "openEuler-SA-2022-2009",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2009",
+    "title": "An update for dhcp is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on UDP/IP networks whereby a DHCP server dynamically assigns an IP address and other network configuration parameters to each device on a network so they can communicate with other IP networks.\r\n\r\nSecurity Fix(es):\r\n\r\nIn ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. However, there is not a corresponding call to option_dereference() to decrement the refcount field. The function add_option() is only used in server responses to lease query packets. Each lease query response calls this function for several options, so eventually, the reference counters could overflow and cause the server to abort.(CVE-2022-2928)\r\n\r\nIn ISC DHCP 1.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1 a system with access to a DHCP server, sending DHCP packets crafted to include fqdn labels longer than 63 bytes, could eventually cause the server to run out of memory.(CVE-2022-2929)",
+    "cves": [
+      {
+        "id": "CVE-2022-2929",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2929",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1578": {
+    "id": "openEuler-SA-2024-1578",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1578",
+    "title": "An update for libyaml is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "${summary}.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in yaml libyaml up to 0.2.5 and classified as critical. Affected by this issue is the function yaml_emitter_emit_flow_sequence_item of the file /src/libyaml/src/emitter.c. The manipulation leads to heap-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259052. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.(CVE-2024-3205)",
+    "cves": [
+      {
+        "id": "CVE-2024-3205",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3205",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1193": {
+    "id": "openEuler-SA-2023-1193",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1193",
+    "title": "An update for curl is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nlibcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out from the configuration match checks, making them match too easily. The settings in questions are `CURLOPT_FTP_ACCOUNT`, `CURLOPT_FTP_ALTERNATIVE_TO_USER`, `CURLOPT_FTP_SSL_CCC` and `CURLOPT_USE_SSL` level.(CVE-2023-27535)\r\n\r\nlibcurl would reuse a previously created connection even when an SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, two SSH settings were left out from the configuration match checks, making them match too easily.(CVE-2023-27538)\r\n\r\nlibcurl would reuse a previously created connection even when the GSS delegation (`CURLOPT_GSSAPI_DELEGATION`) option had been changed that could have changed the user's permissions in a second transfer. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, this GSS delegation setting was left out from the configuration match checks, making them match too easily, affecting krb5/kerberos/negotiate/GSSAPI transfers.(CVE-2023-27536)\r\n\r\ncurl supports communicating using the TELNET protocol and as a part of this it offers users to pass on user name and \"telnet options\" for the server\nnegotiation. Due to lack of proper input scrubbing and without it being the documented functionality, curl would pass on user name and telnet options to the server as provided. This could allow users to pass in carefully crafted content that pass on content or do option negotiation without the application intending to do so. In particular if an application for example allows users to provide the data or parts of the data.(CVE-2023-27533)\r\n\r\ncurl supports SFTP transfers. curl's SFTP implementation offers a special feature in the path component of URLs: a tilde (`~`) character as the first\npath element in the path to denotes a path relative to the user's home directory. This is supported because of wording in the [once proposed\nto-become RFC draft](https://datatracker.ietf.org/doc/html/draft-ietf-secsh-scp-sftp-ssh-uri-04) that was to dictate how SFTP URLs work. Due to a bug, the handling of the tilde in SFTP path did however not only replace it when it is used stand-alone as the first path element but also wrongly when used as a mere prefix in the first element. Using a path like `/~2/foo` when accessing a server using the user `dan` (with home directory `/home/dan`) would then quite suprisingly access the file `/home/dan2/foo`. This can be taken advantage of to circumvent filtering or worse.(CVE-2023-27534)",
+    "cves": [
+      {
+        "id": "CVE-2023-27534",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27534",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1008": {
+    "id": "openEuler-SA-2023-1008",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1008",
+    "title": "An update for libtar is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Libtar is a C library for manipulating POSIX tar files. It handles adding and extracting files to/from a tar archive. Requires gcc, make, and zlib.\r\n\r\nSecurity Fix(es):\r\n\r\nAfter tar_close(), libtar.c releases the memory pointed to by pointer t. After tar_close() is called in the list() function, it continues to use pointer t: free_longlink_longname(t->th_buf) . As a result, the released memory is used (use-after-free).(CVE-2021-33640)",
+    "cves": [
+      {
+        "id": "CVE-2021-33640",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33640",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1693": {
+    "id": "openEuler-SA-2023-1693",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1693",
+    "title": "An update for ctags is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Ctags generates an index (or tag) file of language objects found in source files that allows these items to be quickly and easily located by a text editor or other utility. A tag signifies a language object for which an index entry is available (or, alternatively, the index entry created for that object).\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Exuberant Ctags in the way it handles the \"-o\" option. This option specifies the tag filename. A crafted tag filename specified in the command line or in the configuration file results in arbitrary command execution because the externalSortTags() in sort.c calls the system(3) function in an unsafe way.(CVE-2022-4515)",
+    "cves": [
+      {
+        "id": "CVE-2022-4515",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4515",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1932": {
+    "id": "openEuler-SA-2023-1932",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1932",
+    "title": "An update for squid is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Squid is a high-performance proxy caching server. It handles all requests in a single, non-blocking, I/O-driven process and keeps meta data and implements negative caching of failed requests.\r\n\r\nSecurity Fix(es):\r\n\r\nSquid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Buffer Overread bug Squid is vulnerable to a Denial of Service attack against Squid HTTP Message processing. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-49285)\r\n\r\nSquid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to an Incorrect Check of Function Return Value bug Squid is vulnerable to a Denial of Service attack against its Helper process management. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-49286)",
+    "cves": [
+      {
+        "id": "CVE-2023-49286",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49286",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1498": {
+    "id": "openEuler-SA-2023-1498",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1498",
+    "title": "An update for golang is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Go Programming Language\r\n\r\nSecurity Fix(es):\r\n\r\nThe HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.(CVE-2023-29406)",
+    "cves": [
+      {
+        "id": "CVE-2023-29406",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29406",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1400": {
+    "id": "openEuler-SA-2023-1400",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1400",
+    "title": "An update for perl is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Perl 5 is a highly capable, feature-rich programming language with over 30 years of development. Perl 5 runs on over 100 platforms from portables to mainframes and is suitable for both rapid prototyping and large scale development projects.\n\nSecurity Fix(es):\n\nHTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.(CVE-2023-31486)",
+    "cves": [
+      {
+        "id": "CVE-2023-31486",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31486",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1605": {
+    "id": "openEuler-SA-2024-1605",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1605",
+    "title": "An update for python-jinja2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Jinja2 is one of the most used template engines for Python. It is inspired by Django's templating system but extends it with an expressive language that gives template authors a more powerful set of tools. On top of that it adds sandboxed execution and optional automatic escaping for applications where security is important.\r\n\r\nSecurity Fix(es):\r\n\r\nJinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe. This vulnerability is fixed in 3.1.4.(CVE-2024-34064)",
+    "cves": [
+      {
+        "id": "CVE-2024-34064",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34064",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1395": {
+    "id": "openEuler-SA-2023-1395",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1395",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nA known cache speculation vulnerability, known as Branch History Injection (BHI) or Spectre-BHB, becomes actual again for the new hw AmpereOne. Spectre-BHB is similar to Spectre v2, except that malicious code uses the shared branch history (stored in the CPU Branch History Buffer, or BHB) to influence mispredicted branches within the victim's hardware context. Once that occurs, speculation caused by the mispredicted branches can cause cache allocation. This issue leads to obtaining information that should not be accessible.(CVE-2023-3006)\n\nAn issue was discovered in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel 6.2. There is a blocking operation when a task is in !TASK_RUNNING. In dvb_frontend_get_event, wait_event_interruptible is called; the condition is dvb_frontend_test_event(fepriv,events). In dvb_frontend_test_event, down(&fepriv->sem) is called. However, wait_event_interruptible would put the process to sleep, and down(&fepriv->sem) may block the process.(CVE-2023-31084)\n\nA flaw was found in the Framebuffer Console (fbcon) in the Linux Kernel. When providing font->width and font->height greater than 32 to fbcon_set_font, since there are no checks in place, a shift-out-of-bounds occurs leading to undefined behavior and possible denial of service.(CVE-2023-3161)\n\nA NULL pointer dereference issue was found in the gfs2 file system in the Linux kernel. It occurs on corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it has been freed and set to NULL. A privileged local user could use this flaw to cause a kernel panic.(CVE-2023-3212)\n\n** DISPUTED ** An issue was discovered in the Linux kernel before 6.3.3. There is an out-of-bounds read in crc16 in lib/crc16.c when called from fs/ext4/super.c because ext4_group_desc_csum does not properly check an offset. NOTE: this is disputed by third parties because the kernel is not intended to defend against attackers with the stated \"When modifying the block device while it is mounted by the filesystem\" access.(CVE-2023-34256)\n\nAn issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation.(CVE-2023-35788)\n\nAn issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in saa7134_finidev in drivers/media/pci/saa7134/saa7134-core.c.(CVE-2023-35823)\n\nAn issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in drivers/media/pci/dm1105/dm1105.c.(CVE-2023-35824)\n\nAn issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in renesas_usb3_remove in drivers/usb/gadget/udc/renesas_usb3.c.(CVE-2023-35828)",
+    "cves": [
+      {
+        "id": "CVE-2023-35828",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35828",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1411": {
+    "id": "openEuler-SA-2023-1411",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1411",
+    "title": "An update for guava20 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Guava is a set of core libraries that includes new collection types ,immutable collections, a graph library, and utilities for concurrency, I/O, hashing, primitives, strings, and more.\n\nSecurity Fix(es):\n\nUse of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.\n\nEven though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.\n\n(CVE-2023-2976)",
+    "cves": [
+      {
+        "id": "CVE-2023-2976",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2976",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1751": {
+    "id": "openEuler-SA-2024-1751",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1751",
+    "title": "An update for python-lxml is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The lxml XML toolkit is a Pythonic binding for the C libraries libxml2 and libxslt. \\ It is unique in that it combines the speed and XML feature completeness of these libraries with \\ the simplicity of a native Python API, mostly compatible but superior to the well-known ElementTree API. \\ The latest release works with all CPython versions from 2.7 to 3.7.\r\n\r\nSecurity Fix(es):\r\n\r\nAn XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of lxml before v4.9.1 allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted XML input.(CVE-2024-37388)",
+    "cves": [
+      {
+        "id": "CVE-2024-37388",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37388",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1548": {
+    "id": "openEuler-SA-2022-1548",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1548",
+    "title": "An update for unzip is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "A utility for unpacking zip files.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.(CVE-2022-0530)\r\n\r\nA flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.(CVE-2022-0529)",
+    "cves": [
+      {
+        "id": "CVE-2022-0529",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0529",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1101": {
+    "id": "openEuler-SA-2021-1101",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1101",
+    "title": "An update for dbus is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "D-Bus is a message bus system, a simple way for applications to talk to one another. In addition to interprocess communication, D-Bus helps coordinate process lifecycle; it makes it simple and reliable to code a \"single instance\" application or daemon, and to launch applications and daemons on demand when their services are needed.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free flaw was found in D-Bus Development branch <= 1.13.16, dbus-1.12.x stable branch <= 1.12.18, and dbus-1.10.x and older branches <= 1.10.30 when a system has multiple usernames sharing the same UID. When a set of policy rules references these usernames, D-Bus may free some memory in the heap, which is still used by data structures necessary for the other usernames sharing the UID, possibly leading to a crash or other undefined behaviors(CVE-2020-35512)",
+    "cves": [
+      {
+        "id": "CVE-2020-35512",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35512",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1749": {
+    "id": "openEuler-SA-2023-1749",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1749",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nNULL Pointer Dereference in GitHub repository vim/vim prior to 20d161ace307e28690229b68584f2d84556f8960.(CVE-2023-5441)\r\n\r\nUse After Free in GitHub repository vim/vim prior to v9.0.2010.(CVE-2023-5535)",
+    "cves": [
+      {
+        "id": "CVE-2023-5535",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5535",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1298": {
+    "id": "openEuler-SA-2021-1298",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1298",
+    "title": "An update for Thunar is now available for openEuler-20.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "Thunar is a modern file manager for the Unix/Linux desktop, aiming to be easy-to-use and fast.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Thunar before 4.16.7 and 4.17.x before 4.17.2. When called with a regular file as a command-line argument, it delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution.(CVE-2021-32563)",
+    "cves": [
+      {
+        "id": "CVE-2021-32563",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32563",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1167": {
+    "id": "openEuler-SA-2021-1167",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1167",
+    "title": "An update for OpenEXR is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light & Magic for use in computer imaging applications.\r\n\r\nSecurity Fix(es):\r\n\r\nThere's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted input file that is processed by OpenEXR could cause a shift overflow in the FastHufDecoder, potentially leading to problems with application availability.(CVE-2021-3474)\r\n\r\nThere's a flaw in OpenEXR's deep tile sample size calculations in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger an integer overflow, subsequently leading to an out-of-bounds read. The greatest risk of this flaw is to application availability.(CVE-2021-3477)\r\n\r\nThere is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker who can submit a crafted file to be processed by OpenEXR could cause an integer overflow, potentially leading to problems with application availability.(CVE-2021-3475)\r\n\r\nA flaw was found in OpenEXR in versions before 3.0.0-beta. A crafted input file supplied by an attacker, that is processed by the Dwa decompression functionality of OpenEXR's IlmImf library, could cause a NULL pointer dereference. The highest threat from this vulnerability is to system availability.(CVE-2021-20296)\r\n\r\nA flaw was found in OpenEXR's B44 uncompression functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to OpenEXR could trigger shift overflows, potentially affecting application availability.(CVE-2021-3476)\r\n\r\nThere's a flaw in OpenEXR's Scanline API functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger excessive consumption of memory, resulting in an impact to system availability.(CVE-2021-3479)",
+    "cves": [
+      {
+        "id": "CVE-2021-3479",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3479",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1023": {
+    "id": "openEuler-SA-2024-1023",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1023",
+    "title": "An update for metadata-extractor2 is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Metadata Extractor is a straightforward Java library for reading metadata from image files.\r\n\r\nSecurity Fix(es):\r\n\r\nmetadata-extractor up to 2.16.0 can throw various uncaught exceptions while parsing a specially crafted JPEG file, which could result in an application crash. This could be used to mount a denial of service attack against services that use metadata-extractor library.(CVE-2022-24613)\r\n\r\nWhen reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library.(CVE-2022-24614)",
+    "cves": [
+      {
+        "id": "CVE-2022-24614",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24614",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1053": {
+    "id": "openEuler-SA-2021-1053",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1053",
+    "title": "An update for junit is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "JUnit is a simple framework to write repeatable tests. It is an instance of the xUnit architecture for unit testing frameworks.\r\n\r\nSecurity Fix(es):\r\n\r\nIn JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.(CVE-2020-15250)",
+    "cves": [
+      {
+        "id": "CVE-2020-15250",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15250",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1619": {
+    "id": "openEuler-SA-2024-1619",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1619",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfirmware: arm_scmi: Harden accesses to the reset domains\r\n\r\nAccessing reset domains descriptors by the index upon the SCMI drivers\nrequests through the SCMI reset operations interface can potentially\nlead to out-of-bound violations if the SCMI driver misbehave.\r\n\r\nAdd an internal consistency check before any such domains descriptors\naccesses.(CVE-2022-48655)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nftables: exthdr: fix 4-byte stack OOB write\r\n\r\nIf priv->len is a multiple of 4, then dst[len / 4] can write past\nthe destination array which leads to stack corruption.\r\n\r\nThis construct is necessary to clean the remainder of the register\nin case ->len is NOT a multiple of the register size, so make it\nconditional just like nft_payload.c does.\r\n\r\nThe bug was added in 4.1 cycle and then copied/inherited when\ntcp/sctp and ip option support was added.\r\n\r\nBug reported by Zero Day Initiative project (ZDI-CAN-21950,\nZDI-CAN-21951, ZDI-CAN-21961).(CVE-2023-52628)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: rc: bpf attach/detach requires write permission\r\n\r\nNote that bpf attach/detach also requires CAP_NET_ADMIN.(CVE-2023-52642)\r\n\r\nA flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.(CVE-2023-6270)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblk-mq: fix IO hang from sbitmap wakeup race\r\n\r\nIn blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered\nwith the following blk_mq_get_driver_tag() in case of getting driver\ntag failure.\r\n\r\nThen in __sbitmap_queue_wake_up(), waitqueue_active() may not observe\nthe added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime\nblk_mq_mark_tag_wait() can't get driver tag successfully.\r\n\r\nThis issue can be reproduced by running the following test in loop, and\nfio hang can be observed in < 30min when running it on my test VM\nin laptop.\r\n\r\n\tmodprobe -r scsi_debug\n\tmodprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4\n\tdev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename`\n\tfio --filename=/dev/\"$dev\" --direct=1 --rw=randrw --bs=4k --iodepth=1 \\\n       \t\t--runtime=100 --numjobs=40 --time_based --name=test \\\n        \t--ioengine=libaio\r\n\r\nFix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which\nis just fine in case of running out of tag.(CVE-2024-26671)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super\r\n\r\nWhen configuring a hugetlb filesystem via the fsconfig() syscall, there is\na possible NULL dereference in hugetlbfs_fill_super() caused by assigning\nNULL to ctx->hstate in hugetlbfs_parse_param() when the requested pagesize\nis non valid.\r\n\r\nE.g: Taking the following steps:\r\n\r\n     fd = fsopen(\"hugetlbfs\", FSOPEN_CLOEXEC);\n     fsconfig(fd, FSCONFIG_SET_STRING, \"pagesize\", \"1024\", 0);\n     fsconfig(fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0);\r\n\r\nGiven that the requested \"pagesize\" is invalid, ctxt->hstate will be replaced\nwith NULL, losing its previous value, and we will print an error:\r\n\r\n ...\n ...\n case Opt_pagesize:\n ps = memparse(param->string, &rest);\n ctx->hstate = h;\n if (!ctx->hstate) {\n         pr_err(\"Unsupported page size %lu MB\\n\", ps / SZ_1M);\n         return -EINVAL;\n }\n return 0;\n ...\n ...\r\n\r\nThis is a problem because later on, we will dereference ctxt->hstate in\nhugetlbfs_fill_super()\r\n\r\n ...\n ...\n sb->s_blocksize = huge_page_size(ctx->hstate);\n ...\n ...\r\n\r\nCausing below Oops.\r\n\r\nFix this by replacing cxt->hstate value only when then pagesize is known\nto be valid.\r\n\r\n kernel: hugetlbfs: Unsupported page size 0 MB\n kernel: BUG: kernel NULL pointer dereference, address: 0000000000000028\n kernel: #PF: supervisor read access in kernel mode\n kernel: #PF: error_code(0x0000) - not-present page\n kernel: PGD 800000010f66c067 P4D 800000010f66c067 PUD 1b22f8067 PMD 0\n kernel: Oops: 0000 [#1] PREEMPT SMP PTI\n kernel: CPU: 4 PID: 5659 Comm: syscall Tainted: G            E      6.8.0-rc2-default+ #22 5a47c3fef76212addcc6eb71344aabc35190ae8f\n kernel: Hardware name: Intel Corp. GROVEPORT/GROVEPORT, BIOS GVPRCRB1.86B.0016.D04.1705030402 05/03/2017\n kernel: RIP: 0010:hugetlbfs_fill_super+0xb4/0x1a0\n kernel: Code: 48 8b 3b e8 3e c6 ed ff 48 85 c0 48 89 45 20 0f 84 d6 00 00 00 48 b8 ff ff ff ff ff ff ff 7f 4c 89 e7 49 89 44 24 20 48 8b 03 <8b> 48 28 b8 00 10 00 00 48 d3 e0 49 89 44 24 18 48 8b 03 8b 40 28\n kernel: RSP: 0018:ffffbe9960fcbd48 EFLAGS: 00010246\n kernel: RAX: 0000000000000000 RBX: ffff9af5272ae780 RCX: 0000000000372004\n kernel: RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: ffff9af555e9b000\n kernel: RBP: ffff9af52ee66b00 R08: 0000000000000040 R09: 0000000000370004\n kernel: R10: ffffbe9960fcbd48 R11: 0000000000000040 R12: ffff9af555e9b000\n kernel: R13: ffffffffa66b86c0 R14: ffff9af507d2f400 R15: ffff9af507d2f400\n kernel: FS:  00007ffbc0ba4740(0000) GS:ffff9b0bd7000000(0000) knlGS:0000000000000000\n kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n kernel: CR2: 0000000000000028 CR3: 00000001b1ee0000 CR4: 00000000001506f0\n kernel: Call Trace:\n kernel:  <TASK>\n kernel:  ? __die_body+0x1a/0x60\n kernel:  ? page_fault_oops+0x16f/0x4a0\n kernel:  ? search_bpf_extables+0x65/0x70\n kernel:  ? fixup_exception+0x22/0x310\n kernel:  ? exc_page_fault+0x69/0x150\n kernel:  ? asm_exc_page_fault+0x22/0x30\n kernel:  ? __pfx_hugetlbfs_fill_super+0x10/0x10\n kernel:  ? hugetlbfs_fill_super+0xb4/0x1a0\n kernel:  ? hugetlbfs_fill_super+0x28/0x1a0\n kernel:  ? __pfx_hugetlbfs_fill_super+0x10/0x10\n kernel:  vfs_get_super+0x40/0xa0\n kernel:  ? __pfx_bpf_lsm_capable+0x10/0x10\n kernel:  vfs_get_tree+0x25/0xd0\n kernel:  vfs_cmd_create+0x64/0xe0\n kernel:  __x64_sys_fsconfig+0x395/0x410\n kernel:  do_syscall_64+0x80/0x160\n kernel:  ? syscall_exit_to_user_mode+0x82/0x240\n kernel:  ? do_syscall_64+0x8d/0x160\n kernel:  ? syscall_exit_to_user_mode+0x82/0x240\n kernel:  ? do_syscall_64+0x8d/0x160\n kernel:  ? exc_page_fault+0x69/0x150\n kernel:  entry_SYSCALL_64_after_hwframe+0x6e/0x76\n kernel: RIP: 0033:0x7ffbc0cb87c9\n kernel: Code: 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 96 0d 00 f7 d8 64 89 01 48\n kernel: RSP: 002b:00007ffc29d2f388 EFLAGS: 00000206 ORIG_RAX: 00000000000001af\n kernel: RAX: fffffffffff\n---truncated---(CVE-2024-26688)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: fix double free of anonymous device after snapshot creation failure\r\n\r\nWhen creating a snapshot we may do a double free of an anonymous device\nin case there's an error committing the transaction. The second free may\nresult in freeing an anonymous device number that was allocated by some\nother subsystem in the kernel or another btrfs filesystem.\r\n\r\nThe steps that lead to this:\r\n\r\n1) At ioctl.c:create_snapshot() we allocate an anonymous device number\n   and assign it to pending_snapshot->anon_dev;\r\n\r\n2) Then we call btrfs_commit_transaction() and end up at\n   transaction.c:create_pending_snapshot();\r\n\r\n3) There we call btrfs_get_new_fs_root() and pass it the anonymous device\n   number stored in pending_snapshot->anon_dev;\r\n\r\n4) btrfs_get_new_fs_root() frees that anonymous device number because\n   btrfs_lookup_fs_root() returned a root - someone else did a lookup\n   of the new root already, which could some task doing backref walking;\r\n\r\n5) After that some error happens in the transaction commit path, and at\n   ioctl.c:create_snapshot() we jump to the 'fail' label, and after\n   that we free again the same anonymous device number, which in the\n   meanwhile may have been reallocated somewhere else, because\n   pending_snapshot->anon_dev still has the same value as in step 1.\r\n\r\nRecently syzbot ran into this and reported the following trace:\r\n\r\n  ------------[ cut here ]------------\n  ida_free called for id=51 which is not allocated.\n  WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525\n  Modules linked in:\n  CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\n  RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525\n  Code: 10 42 80 3c 28 (...)\n  RSP: 0018:ffffc90015a67300 EFLAGS: 00010246\n  RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000\n  RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000\n  RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4\n  R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246\n  R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246\n  FS:  00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0\n  Call Trace:\n   <TASK>\n   btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346\n   create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837\n   create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931\n   btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404\n   create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848\n   btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998\n   btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044\n   __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306\n   btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393\n   btrfs_ioctl+0xa74/0xd40\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:871 [inline]\n   __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857\n   do_syscall_64+0xfb/0x240\n   entry_SYSCALL_64_after_hwframe+0x6f/0x77\n  RIP: 0033:0x7fca3e67dda9\n  Code: 28 00 00 00 (...)\n  RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9\n  RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003\n  RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658\n   </TASK>\r\n\r\nWhere we get an explicit message where we attempt to free an anonymous\ndevice number that is not currently allocated. It happens in a different\ncode path from the example below, at btrfs_get_root_ref(), so this change\nmay not fix the case triggered by sy\n---truncated---(CVE-2024-26792)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\namdkfd: use calloc instead of kzalloc to avoid integer overflow\r\n\r\nThis uses calloc instead of doing the multiplication which might\noverflow.(CVE-2024-26817)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nIB/hfi1: Fix a memleak in init_credit_return\r\n\r\nWhen dma_alloc_coherent fails to allocate dd->cr_base[i].va,\ninit_credit_return should deallocate dd->cr_base and\ndd->cr_base[i] that allocated before. Or those resources\nwould be never freed and a memleak is triggered.(CVE-2024-26839)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncachefiles: fix memory leak in cachefiles_add_cache()\r\n\r\nThe following memory leak was reported after unbinding /dev/cachefiles:\r\n\r\n==================================================================\nunreferenced object 0xffff9b674176e3c0 (size 192):\n  comm \"cachefilesd2\", pid 680, jiffies 4294881224\n  hex dump (first 32 bytes):\n    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc ea38a44b):\n    [<ffffffff8eb8a1a5>] kmem_cache_alloc+0x2d5/0x370\n    [<ffffffff8e917f86>] prepare_creds+0x26/0x2e0\n    [<ffffffffc002eeef>] cachefiles_determine_cache_security+0x1f/0x120\n    [<ffffffffc00243ec>] cachefiles_add_cache+0x13c/0x3a0\n    [<ffffffffc0025216>] cachefiles_daemon_write+0x146/0x1c0\n    [<ffffffff8ebc4a3b>] vfs_write+0xcb/0x520\n    [<ffffffff8ebc5069>] ksys_write+0x69/0xf0\n    [<ffffffff8f6d4662>] do_syscall_64+0x72/0x140\n    [<ffffffff8f8000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n==================================================================\r\n\r\nPut the reference count of cache_cred in cachefiles_daemon_unbind() to\nfix the problem. And also put cache_cred in cachefiles_add_cache() error\nbranch to avoid memory leaks.(CVE-2024-26840)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nefi: runtime: Fix potential overflow of soft-reserved region size\r\n\r\nmd_size will have been narrowed if we have >= 4GB worth of pages in a\nsoft-reserved region.(CVE-2024-26843)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()\r\n\r\nThe function ice_bridge_setlink() may encounter a NULL pointer dereference\nif nlmsg_find_attr() returns NULL and br_spec is dereferenced subsequently\nin nla_for_each_nested(). To address this issue, add a check to ensure that\nbr_spec is not NULL before proceeding with the nested attribute iteration.(CVE-2024-26855)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: pvrusb2: fix uaf in pvr2_context_set_notify\r\n\r\n[Syzbot reported]\nBUG: KASAN: slab-use-after-free in pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35\nRead of size 4 at addr ffff888113aeb0d8 by task kworker/1:1/26\r\n\r\nCPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.8.0-rc1-syzkaller-00046-gf1a27f081c1f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0xc4/0x620 mm/kasan/report.c:488\n kasan_report+0xda/0x110 mm/kasan/report.c:601\n pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35\n pvr2_context_notify drivers/media/usb/pvrusb2/pvrusb2-context.c:95 [inline]\n pvr2_context_disconnect+0x94/0xb0 drivers/media/usb/pvrusb2/pvrusb2-context.c:272\r\n\r\nFreed by task 906:\nkasan_save_stack+0x33/0x50 mm/kasan/common.c:47\nkasan_save_track+0x14/0x30 mm/kasan/common.c:68\nkasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640\npoison_slab_object mm/kasan/common.c:241 [inline]\n__kasan_slab_free+0x106/0x1b0 mm/kasan/common.c:257\nkasan_slab_free include/linux/kasan.h:184 [inline]\nslab_free_hook mm/slub.c:2121 [inline]\nslab_free mm/slub.c:4299 [inline]\nkfree+0x105/0x340 mm/slub.c:4409\npvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:137 [inline]\npvr2_context_thread_func+0x69d/0x960 drivers/media/usb/pvrusb2/pvrusb2-context.c:158\r\n\r\n[Analyze]\nTask A set disconnect_flag = !0, which resulted in Task B's condition being met\nand releasing mp, leading to this issue.\r\n\r\n[Fix]\nPlace the disconnect_flag assignment operation after all code in pvr2_context_disconnect()\nto avoid this issue.(CVE-2024-26875)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nquota: Fix potential NULL pointer dereference\r\n\r\nBelow race may cause NULL pointer dereference\r\n\r\nP1\t\t\t\t\tP2\ndquot_free_inode\t\t\tquota_off\n\t\t\t\t\t  drop_dquot_ref\n\t\t\t\t\t   remove_dquot_ref\n\t\t\t\t\t   dquots = i_dquot(inode)\n  dquots = i_dquot(inode)\n  srcu_read_lock\n  dquots[cnt]) != NULL (1)\n\t\t\t\t\t     dquots[type] = NULL (2)\n  spin_lock(&dquots[cnt]->dq_dqb_lock) (3)\n   ....\r\n\r\nIf dquot_free_inode(or other routines) checks inode's quota pointers (1)\nbefore quota_off sets it to NULL(2) and use it (3) after that, NULL pointer\ndereference will be triggered.\r\n\r\nSo let's fix it by using a temporary pointer to avoid this issue.(CVE-2024-26878)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfirmware: arm_scmi: Fix double free in SMC transport cleanup path\r\n\r\nWhen the generic SCMI code tears down a channel, it calls the chan_free\ncallback function, defined by each transport. Since multiple protocols\nmight share the same transport_info member, chan_free() might want to\nclean up the same member multiple times within the given SCMI transport\nimplementation. In this case, it is SMC transport. This will lead to a NULL\npointer dereference at the second time:\r\n\r\n    | scmi_protocol scmi_dev.1: Enabled polling mode TX channel - prot_id:16\n    | arm-scmi firmware:scmi: SCMI Notifications - Core Enabled.\n    | arm-scmi firmware:scmi: unable to communicate with SCMI\n    | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n    | Mem abort info:\n    |   ESR = 0x0000000096000004\n    |   EC = 0x25: DABT (current EL), IL = 32 bits\n    |   SET = 0, FnV = 0\n    |   EA = 0, S1PTW = 0\n    |   FSC = 0x04: level 0 translation fault\n    | Data abort info:\n    |   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n    |   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n    |   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n    | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881ef8000\n    | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n    | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n    | Modules linked in:\n    | CPU: 4 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc2-00124-g455ef3d016c9-dirty #793\n    | Hardware name: FVP Base RevC (DT)\n    | pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n    | pc : smc_chan_free+0x3c/0x6c\n    | lr : smc_chan_free+0x3c/0x6c\n    | Call trace:\n    |  smc_chan_free+0x3c/0x6c\n    |  idr_for_each+0x68/0xf8\n    |  scmi_cleanup_channels.isra.0+0x2c/0x58\n    |  scmi_probe+0x434/0x734\n    |  platform_probe+0x68/0xd8\n    |  really_probe+0x110/0x27c\n    |  __driver_probe_device+0x78/0x12c\n    |  driver_probe_device+0x3c/0x118\n    |  __driver_attach+0x74/0x128\n    |  bus_for_each_dev+0x78/0xe0\n    |  driver_attach+0x24/0x30\n    |  bus_add_driver+0xe4/0x1e8\n    |  driver_register+0x60/0x128\n    |  __platform_driver_register+0x28/0x34\n    |  scmi_driver_init+0x84/0xc0\n    |  do_one_initcall+0x78/0x33c\n    |  kernel_init_freeable+0x2b8/0x51c\n    |  kernel_init+0x24/0x130\n    |  ret_from_fork+0x10/0x20\n    | Code: f0004701 910a0021 aa1403e5 97b91c70 (b9400280)\n    | ---[ end trace 0000000000000000 ]---\r\n\r\nSimply check for the struct pointer being NULL before trying to access\nits members, to avoid this situation.\r\n\r\nThis was found when a transport doesn't really work (for instance no SMC\nservice), the probe routines then tries to clean up, and triggers a crash.(CVE-2024-26893)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\naoe: fix the potential use-after-free problem in aoecmd_cfg_pkts\r\n\r\nThis patch is against CVE-2023-6270. The description of cve is:\r\n\r\n  A flaw was found in the ATA over Ethernet (AoE) driver in the Linux\n  kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on\n  `struct net_device`, and a use-after-free can be triggered by racing\n  between the free on the struct and the access through the `skbtxq`\n  global queue. This could lead to a denial of service condition or\n  potential code execution.\r\n\r\nIn aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial\ncode is finished. But the net_device ifp will still be used in\nlater tx()->dev_queue_xmit() in kthread. Which means that the\ndev_put(ifp) should NOT be called in the success path of skb\ninitial code in aoecmd_cfg_pkts(). Otherwise tx() may run into\nuse-after-free because the net_device is freed.\r\n\r\nThis patch removed the dev_put(ifp) in the success path in\naoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().(CVE-2024-26898)",
+    "cves": [
+      {
+        "id": "CVE-2024-26898",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26898",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1500": {
+    "id": "openEuler-SA-2022-1500",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1500",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\nSecurity Fix(es):\n\nvim is vulnerable to Out-of-bounds Read.(CVE-2021-4166)\r\n\r\nvim is vulnerable to Out-of-bounds Read.(CVE-2021-4193)\r\n\r\nvim is vulnerable to Use After Free.(CVE-2021-4192)",
+    "cves": [
+      {
+        "id": "CVE-2021-4192",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4192",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1044": {
+    "id": "openEuler-SA-2021-1044",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1044",
+    "title": "An update for gdm is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The GNOME Display Manager is a system service that is responsible for providing graphical log-ins and managing local and remote displays, and if the session doesn't provide a display server, GDM will start the display server. It also provides initiate functionality for user-switching, so multiple users can be logged in at the same time.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was discovered in gdm before 3.31.4. When timed login is enabled in configuration, an attacker could bypass the lock screen by selecting the timed login user and waiting for the timer to expire, at which time they would gain access to the logged-in user's session.(CVE-2019-3825)",
+    "cves": [
+      {
+        "id": "CVE-2019-3825",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3825",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1273": {
+    "id": "openEuler-SA-2021-1273",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1273",
+    "title": "An update for avahi is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. This enables you to plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to or find files being shared.\r\n\r\nSecurity Fix(es):\r\n\r\nAvahi 0.8 allows a local denial of service (NULL pointer dereference and daemon crash) against avahi-daemon via the D-Bus interface or a \"ping .local\" command.(CVE-2021-36217)",
+    "cves": [
+      {
+        "id": "CVE-2021-36217",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36217",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1121": {
+    "id": "openEuler-SA-2024-1121",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1121",
+    "title": "An update for jruby is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "JRuby is a 100% Java implementation of the Ruby programming language. It is Ruby for the JVM. JRuby provides a complete set of core \"builtin\" classes and syntax for the Ruby language, as well as most of the Ruby Standard Libraries.\r\n\r\nSecurity Fix(es):\r\n\r\nA ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.(CVE-2023-28756)",
+    "cves": [
+      {
+        "id": "CVE-2023-28756",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28756",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1433": {
+    "id": "openEuler-SA-2021-1433",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1433",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and the attacker can send packets with spoofed IP addresses.(CVE-2021-3772)\r\n\r\nIn memzero_explicit of compiler-clang.h, there is a possible bypass of defense in depth due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-171418586References: Upstream kernel(CVE-2021-0938)",
+    "cves": [
+      {
+        "id": "CVE-2021-0938",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0938",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1579": {
+    "id": "openEuler-SA-2024-1579",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1579",
+    "title": "An update for kubernetes is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Low",
+    "description": "Container cluster management.\r\n\r\nSecurity Fix(es):\r\n\r\nA security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.\r\n\r\n(CVE-2024-3177)",
+    "cves": [
+      {
+        "id": "CVE-2024-3177",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3177",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1655": {
+    "id": "openEuler-SA-2024-1655",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1655",
+    "title": "An update for python-idna is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "A library to support the Internationalised Domain Names in Applications (IDNA) protocol as specified in RFC 5891 http://tools.ietf.org/html/rfc5891. This version of the protocol is often referred to as “IDNA2008” and can produce different results from the earlier standard from 2003.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the python-idna library. A malicious argument was sent to the idna.encode() function can trigger an uncontrolled resource consumption, resulting in a denial of service.(CVE-2024-3651)",
+    "cves": [
+      {
+        "id": "CVE-2024-3651",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3651",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1868": {
+    "id": "openEuler-SA-2022-1868",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1868",
+    "title": "An update for OpenEXR is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light & Magic for use in computer imaging applications.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in OpenEXR's hufDecode functionality. This flaw allows an attacker who can pass a crafted file to be processed by OpenEXR, to trigger an undefined right shift error. The highest threat from this vulnerability is to system availability.(CVE-2021-20304)",
+    "cves": [
+      {
+        "id": "CVE-2021-20304",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20304",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1406": {
+    "id": "openEuler-SA-2024-1406",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1406",
+    "title": "An update for cri-o is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Open Container Initiative-based implementation of Kubernetes Container Runtime Interface.\r\n\r\nSecurity Fix(es):\r\n\r\nA maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.(CVE-2022-41723)\r\n\r\nA vulnerability was found in cri-o. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.(CVE-2022-4318)\r\n\r\nA malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.(CVE-2023-39325)\r\n\r\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795)",
+    "cves": [
+      {
+        "id": "CVE-2023-48795",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48795",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1790": {
+    "id": "openEuler-SA-2023-1790",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1790",
+    "title": "An update for httpd is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\r\n\r\nSecurity Fix(es):\r\n\r\nOut-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server: through 2.4.57.\r\n\r\n(CVE-2023-31122)",
+    "cves": [
+      {
+        "id": "CVE-2023-31122",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31122",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1497": {
+    "id": "openEuler-SA-2023-1497",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1497",
+    "title": "An update for iperf3 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Iperf is a tool for active measurements of the maximum achievable bandwidth on IP networks. It supports tuning of various parameters related to timing, protocols, and buffers.\r\n\r\nSecurity Fix(es):\r\n\r\niperf3 before 3.14 allows peers to cause an integer overflow and heap corruption via a crafted length field.(CVE-2023-38403)",
+    "cves": [
+      {
+        "id": "CVE-2023-38403",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38403",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1219": {
+    "id": "openEuler-SA-2023-1219",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1219",
+    "title": "An update for sqlite is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "SQLite is a C-language library that implements a small, fast, self-contained, high-reliability, full-featured, SQL database engine. SQLite is the most used database engine in the world. SQLite is built into all mobile phones and most computers and comes bundled inside countless other applications that people use every day.It also include lemon and sqlite3_analyzer and tcl tools.\r\n\r\nSecurity Fix(es):\r\n\r\nSQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE.(CVE-2022-46908)",
+    "cves": [
+      {
+        "id": "CVE-2022-46908",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46908",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1789": {
+    "id": "openEuler-SA-2023-1789",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1789",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": ".\r\n\r\nSecurity Fix(es):\r\n\r\nThe html/template package does not properly handle HTML-like \"\" comment tokens, nor hashbang \"#!\" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.(CVE-2023-39318)\r\n\r\nThe html/template package does not apply the proper rules for handling occurrences of \"<script\", \"<!--\", and \"</script\" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.(CVE-2023-39319)\r\n\r\nLine directives (\"//line\") can be used to bypass the restrictions on \"//go:cgo_\" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running \"go build\". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.(CVE-2023-39323)\r\n\r\nA malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.(CVE-2023-39325)",
+    "cves": [
+      {
+        "id": "CVE-2023-39325",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39325",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1062": {
+    "id": "openEuler-SA-2021-1062",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1062",
+    "title": "An update for openldap is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. LDAP is a set of protocols for accessing directory services (usually phone book style information, but other information is possible) over the Internet, similar to the way DNS (Domain Name System) information is propagated over the Internet. The openldap package contains configuration files, libraries, and documentation for OpenLDAP.\r\n\r\nSecurity Fix(es):\r\n\r\nAn integer underflow was discovered in OpenLDAP before 2.4.57 leading to a slapd crash in the Certificate List Exact Assertion processing, resulting in denial of service.(CVE-2020-36228)\r\n\r\nA flaw was discovered in OpenLDAP before 2.4.57 leading to an infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.(CVE-2020-36227)\r\n\r\nA flaw was discovered in OpenLDAP before 2.4.57 leading to a memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.(CVE-2020-36226)\r\n\r\nA flaw was discovered in OpenLDAP before 2.4.57 leading in an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.(CVE-2020-36230)\r\n\r\nAn integer underflow was discovered in OpenLDAP before 2.4.57 leading to slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).(CVE-2020-36221)\r\n\r\nA flaw was discovered in OpenLDAP before 2.4.57 leading to an assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.(CVE-2020-36222)\r\n\r\nA flaw was discovered in OpenLDAP before 2.4.57 leading to an invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.(CVE-2020-36224)\r\n\r\nA flaw was discovered in OpenLDAP before 2.4.57 leading to a slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).(CVE-2020-36223)\r\n\r\nA flaw was discovered in OpenLDAP before 2.4.57 leading to a double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.(CVE-2020-36225)\r\n\r\nA flaw was discovered in ldap_X509dn2bv in OpenLDAP before 2.4.57 leading to a slapd crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.(CVE-2020-36229)",
+    "cves": [
+      {
+        "id": "CVE-2020-36229",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36229",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1309": {
+    "id": "openEuler-SA-2021-1309",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1309",
+    "title": "An update for gradle is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Gradle is build automation evolved. Gradle can automate the building, testing, publishing, deployment and more of software packages or other types of projects such as generated static websites, generated documentation or indeed anything else. Gradle combines the power and flexibility of Ant with the dependency management and conventions of Maven into a more effective way to build. Powered by a Groovy DSL and packed with innovation, Gradle provides a declarative way to describe all kinds of builds through sensible defaults. Gradle is quickly becoming the build system of choice for many open source projects, leading edge enterprises and legacy automation challenges.\r\n\r\nSecurity Fix(es):\r\n\r\nThe PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.(CVE-2019-16370)",
+    "cves": [
+      {
+        "id": "CVE-2019-16370",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16370",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1217": {
+    "id": "openEuler-SA-2024-1217",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1217",
+    "title": "An update for OpenEXR is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light & Magic for use in computer imaging applications.\r\n\r\nSecurity Fix(es):\r\n\r\nDue to a failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data, Academy Software Foundation OpenEX image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability. This issue was resolved as of versions v3.2.2 and v3.1.12 of the affected library.\n(CVE-2023-5841)",
+    "cves": [
+      {
+        "id": "CVE-2023-5841",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5841",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1990": {
+    "id": "openEuler-SA-2022-1990",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1990",
+    "title": "An update for python-joblib is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Joblib is a set of tools to provide lightweight pipelining in Python.\r\n\r\nSecurity Fix(es):\r\n\r\nThe package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.(CVE-2022-21797)",
+    "cves": [
+      {
+        "id": "CVE-2022-21797",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21797",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1742": {
+    "id": "openEuler-SA-2024-1742",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1742",
+    "title": "An update for python-pyinstaller is now available for openEuler-24.03-LTS",
+    "severity": "High",
+    "description": "PyInstaller bundles a Python application and all its dependencies into a single package. The user can run the packaged app without installing a Python interpreter or any modules.\r\n\r\nSecurity Fix(es):\r\n\r\nPyInstaller bundles a Python application and all its dependencies into a single package. A PyInstaller built application, elevated as a privileged process, may be tricked by an unprivileged attacker into deleting files the unprivileged user does not otherwise have access to. A user is affected if **all** the following are satisfied: 1. The user runs an application containing either `matplotlib` or `win32com`. 2. The application is ran as administrator (or at least a user with higher privileges than the attacker). 3. The user's temporary directory is not locked to that specific user (most likely due to `TMP`/`TEMP` environment variables pointing to an unprotected, arbitrary, non default location). Either: A. The attacker is able to very carefully time the replacement of a temporary file with a symlink. This switch must occur exactly between `shutil.rmtree()`'s builtin symlink check and the deletion itself B: The application was built with Python 3.7.x or earlier which has no protection against Directory Junctions links. The vulnerability has been addressed in PR #7827 which corresponds to `pyinstaller >= 5.13.1`. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-49797)",
+    "cves": [
+      {
+        "id": "CVE-2023-49797",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49797",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1226": {
+    "id": "openEuler-SA-2021-1226",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1226",
+    "title": "An update for dhcp is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on UDP/IP networks whereby a DHCP server dynamically assigns an IP address and other network configuration parameters to each device on a network so they can communicate with other IP networks.\n\nSecurity Fix(es):\n\nIn ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16, ISC DHCP 4.4.0 -> 4.4.2 (Other branches of ISC DHCP (i.e., releases in the 4.0.x series or lower and releases in the 4.3.x series) are beyond their End-of-Life (EOL) and no longer supported by ISC. From inspection it is clear that the defect is also present in releases from those series, but they have not been officially tested for the vulnerability), The outcome of encountering the defect while reading a lease that will trigger it varies, according to: the component being affected (i.e., dhclient or dhcpd) whether the package was built as a 32-bit or 64-bit binary whether the compiler flag -fstack-protection-strong was used when compiling In dhclient, ISC has not successfully reproduced the error on a 64-bit system. However, on a 32-bit system it is possible to cause dhclient to crash when reading an improper lease, which could cause network connectivity problems for an affected system due to the absence of a running DHCP client process. In dhcpd, when run in DHCPv4 or DHCPv6 mode: if the dhcpd server binary was built for a 32-bit architecture AND the -fstack-protection-strong flag was specified to the compiler, dhcpd may exit while parsing a lease file containing an objectionable lease, resulting in lack of service to clients. Additionally, the offending lease and the lease immediately following it in the lease database may be improperly deleted. if the dhcpd server binary was built for a 64-bit architecture OR if the -fstack-protection-strong compiler flag was NOT specified, the crash will not occur, but it is possible for the offending lease and the lease which immediately followed it to be improperly deleted.(CVE-2021-25217)",
+    "cves": [
+      {
+        "id": "CVE-2021-25217",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25217",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1565": {
+    "id": "openEuler-SA-2023-1565",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1565",
+    "title": "An update for perl is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Perl 5 is a highly capable, feature-rich programming language with over 30 years of development.Perl 5 runs on over 100 platforms from portables to mainframes and is suitable for both rapid prototyping and large scale development projects.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.(CVE-2022-48522)",
+    "cves": [
+      {
+        "id": "CVE-2022-48522",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48522",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1323": {
+    "id": "openEuler-SA-2024-1323",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1323",
+    "title": "An update for bind is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols and provides an openly redistributable reference implementation of the major components of the Domain Name System. This package includes the components to operate a DNS server.\r\n\r\nSecurity Fix(es):\r\n\r\nThe DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers.\nThis issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.(CVE-2023-4408)\r\n\r\nCertain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.(CVE-2023-50387)\r\n\r\nA flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when:\r\n\r\n  - `nxdomain-redirect <domain>;` is configured, and\n  - the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response.\nThis issue affects BIND 9 versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.(CVE-2023-5517)\r\n\r\nA bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these features are enabled.\nThis issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.(CVE-2023-5679)\r\n\r\nTo keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to clean up the database. It uses several methods, including some that are asynchronous: a small chunk of memory pointing to the cache element that can be cleaned up is first allocated and then queued for later processing. It was discovered that if the resolver is continuously processing query patterns triggering this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely manner. This in turn enables the list of queued cleanup events to grow infinitely large over time, allowing the configured `max-cache-size` limit to be significantly exceeded.\nThis issue affects BIND 9 versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1.(CVE-2023-6516)",
+    "cves": [
+      {
+        "id": "CVE-2023-6516",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6516",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1270": {
+    "id": "openEuler-SA-2021-1270",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1270",
+    "title": "An update for dovecot is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Dovecot is an IMAP server for Linux/UNIX-like systemsa wrapper package that will just handle common things for all versioned dovecot packages.\r\n\r\nSecurity Fix(es):\r\n\r\nThe Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension.(CVE-2020-28200)\r\n\r\nThe submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address.(CVE-2021-33515)",
+    "cves": [
+      {
+        "id": "CVE-2021-33515",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33515",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1505": {
+    "id": "openEuler-SA-2024-1505",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1505",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free.(CVE-2023-0330)\r\n\r\nA double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently protects against DMA reentrancy issues. This issue could allow a malicious privileged guest user to crash the QEMU process on the host, resulting in a denial of service or allow arbitrary code execution within the context of the QEMU process on the host.(CVE-2024-3446)\r\n\r\nA heap-based buffer overflow was found in the SDHCI device emulation of QEMU. The bug is triggered when both `s->data_count` and the size of  `s->fifo_buffer` are set to 0x200, leading to an out-of-bound access. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.(CVE-2024-3447)",
+    "cves": [
+      {
+        "id": "CVE-2024-3447",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3447",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1713": {
+    "id": "openEuler-SA-2023-1713",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1713",
+    "title": "An update for firefox is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Mozilla Firefox is a standalone web browser, designed for standards compliance and performance.  Its functionality can be enhanced via a plethora of extensions.\r\n\r\nSecurity Fix(es):\r\n\r\nHeap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)(CVE-2023-4863)",
+    "cves": [
+      {
+        "id": "CVE-2023-4863",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4863",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1542": {
+    "id": "openEuler-SA-2022-1542",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1542",
+    "title": "An update for rubygem-rubyzip is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "A ruby module for reading and writing zip files.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Rubyzip before 1.3.0, a crafted ZIP file can bypass application checks on ZIP entry sizes because data about the uncompressed size can be spoofed. This allows attackers to cause a denial of service (disk consumption).(CVE-2019-16892)",
+    "cves": [
+      {
+        "id": "CVE-2019-16892",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16892",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1512": {
+    "id": "openEuler-SA-2022-1512",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1512",
+    "title": "An update for xstream is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Java XML serialization library.\r\n\r\nSecurity Fix(es):\r\n\r\nXStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.(CVE-2021-43859)",
+    "cves": [
+      {
+        "id": "CVE-2021-43859",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43859",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1196": {
+    "id": "openEuler-SA-2021-1196",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1196",
+    "title": "An update for nodejs-handlebars is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Handlebars.js is an extension to the Mustache templating language created by Chris Wanstrath. Handlebars.js and Mustache are both logicless templating languages that keep the view and the code separated like we all know they should be.\r\n\r\nSecurity Fix(es):\r\n\r\nThe package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.(CVE-2021-23383)",
+    "cves": [
+      {
+        "id": "CVE-2021-23383",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23383",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1365": {
+    "id": "openEuler-SA-2021-1365",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1365",
+    "title": "An update for ntfs-3g is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "NTFS-3G is a stable, open source, GPL licensed, POSIX, read/write NTFS driver for Linux and many other operating systems. It provides safe handling of the Windows XP, Windows Server 2003, Windows 2000, Windows Vista, Windows Server 2008 and Windows 7 NTFS file systems.\r\n\r\nSecurity Fix(es):\r\n\r\nIn NTFS-3G versions < 2021.8.22, when a specially crafted NTFS attribute is supplied to the function ntfs_get_attribute_value, a heap buffer overflow can occur allowing for memory disclosure or denial of service. The vulnerability is caused by an out-of-bound buffer access which can be triggered by mounting a crafted ntfs partition. The root cause is a missing consistency check after reading an MFT record : the \"bytes_in_use\" field should be less than the \"bytes_allocated\" field. When it is not, the parsing of the records proceeds into the wild.(CVE-2021-33285)\r\n\r\nA crafted NTFS image can cause an out-of-bounds read in ntfs_ie_lookup in NTFS-3G < 2021.8.22.(CVE-2021-39252)\r\n\r\nA crafted NTFS image can trigger an out-of-bounds read, caused by an invalid attribute in ntfs_attr_find_in_attrdef, in NTFS-3G < 2021.8.22.(CVE-2021-39255)\r\n\r\nIn NTFS-3G versions < 2021.8.22, when a specially crafted MFT section is supplied in an NTFS image a heap buffer overflow can occur and allow for code execution.(CVE-2021-33289)\r\n\r\nIn NTFS-3G versions < 2021.8.22, when a specially crafted unicode string is supplied in an NTFS image a heap buffer overflow can occur and allow for code execution.(CVE-2021-33286)\r\n\r\nNTFS-3G versions < 2021.8.22, when a specially crafted NTFS attribute from the MFT is setup in the function ntfs_attr_setup_flag, a heap buffer overflow can occur allowing for code execution and escalation of privileges.(CVE-2021-35269)\r\n\r\nA crafted NTFS image can cause a heap-based buffer overflow in ntfs_compressed_pwrite in NTFS-3G < 2021.8.22.(CVE-2021-39261)\r\n\r\nA crafted NTFS image can trigger a heap-based buffer overflow, caused by an unsanitized attribute in ntfs_get_attribute_value, in NTFS-3G < 2021.8.22.(CVE-2021-39263)\r\n\r\nA crafted NTFS image can cause an out-of-bounds access in ntfs_decompress in NTFS-3G < 2021.8.22.(CVE-2021-39262)\r\n\r\nA crafted NTFS image can cause an out-of-bounds access in ntfs_inode_sync_standard_information in NTFS-3G < 2021.8.22.(CVE-2021-39260)\r\n\r\nA crafted NTFS image can trigger an out-of-bounds access, caused by an unsanitized attribute length in ntfs_inode_lookup_by_name, in NTFS-3G < 2021.8.22.(CVE-2021-39259)\r\n\r\nIn NTFS-3G versions < 2021.8.22, when a specially crafted NTFS inode is loaded in the function ntfs_inode_real_open, a heap buffer overflow can occur allowing for code execution and escalation of privileges.(CVE-2021-35268)\r\n\r\nA crafted NTFS image can cause a heap-based buffer overflow in ntfs_inode_lookup_by_name in NTFS-3G < 2021.8.22.(CVE-2021-39256)\r\n\r\nA crafted NTFS image can cause an out-of-bounds read in ntfs_runlists_merge_i in NTFS-3G < 2021.8.22.(CVE-2021-39253)\r\n\r\nIn NTFS-3G versions < 2021.8.22, when a specially crafted NTFS inode pathname is supplied in an NTFS image a heap buffer overflow can occur resulting in memory disclosure, denial of service and even code execution.(CVE-2021-35266)\r\n\r\nA crafted NTFS image can cause out-of-bounds reads in ntfs_attr_find and ntfs_external_attr_find in NTFS-3G < 2021.8.22.(CVE-2021-39258)\r\n\r\nIn NTFS-3G versions < 2021.8.22, when specially crafted NTFS attributes are read in the function ntfs_attr_pread_i, a heap buffer overflow can occur and allow for writing to arbitrary memory or denial of service of the application.(CVE-2021-33287)\r\n\r\nA crafted NTFS image can cause an integer overflow in memmove, leading to a heap-based buffer overflow in the function ntfs_attr_record_resize, in NTFS-3G < 2021.8.22.(CVE-2021-39254)\r\n\r\nNTFS-3G versions < 2021.8.22, a stack buffer overflow can occur when correcting differences in the MFT and MFTMirror allowing for code execution or escalation of privileges when setuid-root.(CVE-2021-35267)\r\n\r\nA crafted NTFS image with an unallocated bitmap can lead to a endless recursive function call chain (starting from ntfs_attr_pwrite), causing stack consumption in NTFS-3G < 2021.8.22.(CVE-2021-39257)\r\n\r\nA crafted NTFS image can cause a NULL pointer dereference in ntfs_extent_inode_open in NTFS-3G < 2021.8.22.(CVE-2021-39251)",
+    "cves": [
+      {
+        "id": "CVE-2021-39251",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39251",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1560": {
+    "id": "openEuler-SA-2024-1560",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1560",
+    "title": "An update for mysql is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The MySQL(TM) software delivers a very fast, multi-threaded, multi-user, and robust SQL (Structured Query Language) database server. MySQL Server is intended for mission-critical, heavy-load production systems as well as for embedding into mass-deployed software. MySQL is a trademark of Oracle and/or its affiliates\r\n\r\nSecurity Fix(es):\r\n\r\nIssue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\r\n\r\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\r\n\r\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\r\n\r\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\r\n\r\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.(CVE-2023-6129)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: RAPID).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20960)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20961)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20962)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20963)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20964)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20965)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20966)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2024-20967)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2024-20969)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20970)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20971)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20972)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20973)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20974)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20976)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20977)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20978)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20981)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20982)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server : Security : Firewall).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20984)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: UDF).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20985)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20993)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20994)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20998)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of MySQL Server accessible data as well as  unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 3.8 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).(CVE-2024-21000)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21008)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21009)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21013)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21047)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21054)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21055)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21057)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Data Dictionary).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21060)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Audit Plug-in).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21061)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21062)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21069)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Client: mysqldump).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of MySQL Server accessible data as well as  unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).(CVE-2024-21096)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21102)",
+    "cves": [
+      {
+        "id": "CVE-2024-21102",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21102",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1784": {
+    "id": "openEuler-SA-2023-1784",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1784",
+    "title": "An update for traceroute is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "Traceroute tracks the route packets taken from an IP network on their way to a given host. It utilizes the IP protocol's time to live (TTL) field and attempts to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to the host.\r\n\r\nSecurity Fix(es):\r\n\r\nIn buc Traceroute 2.0.12 through 2.1.2 before 2.1.3, the wrapper scripts do not properly parse command lines.(CVE-2023-46316)",
+    "cves": [
+      {
+        "id": "CVE-2023-46316",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46316",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1111": {
+    "id": "openEuler-SA-2023-1111",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1111",
+    "title": "An update for harfbuzz is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "HarfBuzz is a text-shaping engine. If you give HarfBuzz a font and a string containing a sequence of Unicode codepoints, HarfBuzz selects and positions the corresponding glyphs from the font, applying all of the necessary layout rules and font features. HarfBuzz then returns the string to you in the form that is correctly arranged for the language and writing system.\r\n\r\nSecurity Fix(es):\r\n\r\nhb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.(CVE-2023-25193)",
+    "cves": [
+      {
+        "id": "CVE-2023-25193",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25193",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1923": {
+    "id": "openEuler-SA-2023-1923",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1923",
+    "title": "An update for python-pillow is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Pillow is the friendly PIL fork by Alex Clark and Contributors. PIL is the Python Imaging \\ Library by Fredrik Lundh and Contributors. As of 2019, Pillow development is supported by Tidelift.\r\n\r\nSecurity Fix(es):\r\n\r\nPillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).(CVE-2022-45198)",
+    "cves": [
+      {
+        "id": "CVE-2022-45198",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45198",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1571": {
+    "id": "openEuler-SA-2023-1571",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1571",
+    "title": "An update for json-c is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "JSON-C implements a reference counting object model that allows you to easily construct JSON objects in C, output them as JSON formatted strings and parse JSON formatted strings back into the C representation of JSON objects.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in json-c through 0.15-20200726. A stack-buffer-overflow exists in the function parseit located in json_parse.c. It allows an attacker to cause code Execution.(CVE-2021-32292)",
+    "cves": [
+      {
+        "id": "CVE-2021-32292",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32292",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1562": {
+    "id": "openEuler-SA-2023-1562",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1562",
+    "title": "An update for flac is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "document files for flac\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Overflow vulnerability in function bitwriter_grow_ in flac before 1.4.0 allows remote attackers to run arbitrary code via crafted input to the encoder.(CVE-2020-22219)",
+    "cves": [
+      {
+        "id": "CVE-2020-22219",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-22219",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1001": {
+    "id": "openEuler-SA-2024-1001",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1001",
+    "title": "An update for ignition is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Ignition is a utility used to manipulate systems during the initramfs. This includes partitioning disks, formatting partitions, writing files (regular files, systemd units, etc.), and configuring users. On first boot, Ignition reads its configuration from a source of truth (remote URL, network metadata service, hypervisor bridge, etc.) and applies the configuration.\r\n\r\nSecurity Fix(es):\r\n\r\nHTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.(CVE-2023-24534)\r\n\r\nMultipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.(CVE-2023-24536)\r\n\r\nCalling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.(CVE-2023-24537)\r\n\r\nTemplates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. \"var a = {{.}}\"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution.(CVE-2023-24538)",
+    "cves": [
+      {
+        "id": "CVE-2023-24538",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24538",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1012": {
+    "id": "openEuler-SA-2023-1012",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1012",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2misc.c has an out-of-bounds read and OOPS for SMB2_TREE_CONNECT.(CVE-2022-47938)\r\n\r\nAn issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2pdu.c omits a kfree call in certain smb2_handle_negotiate error conditions, aka a memory leak.(CVE-2022-47941)\r\n\r\nAn issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2pdu.c has a use-after-free and OOPS for SMB2_TREE_DISCONNECT.(CVE-2022-47939)",
+    "cves": [
+      {
+        "id": "CVE-2022-47939",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47939",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1333": {
+    "id": "openEuler-SA-2024-1333",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1333",
+    "title": "An update for apache-mime4j is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Java stream based MIME message parser.\r\n\r\nSecurity Fix(es):\r\n\r\nImproper input validation allows for header injection in MIME4J library when using MIME4J DOM for composing message.\nThis can be exploited by an attacker to add unintended headers to MIME messages.\n(CVE-2024-21742)",
+    "cves": [
+      {
+        "id": "CVE-2024-21742",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21742",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1147": {
+    "id": "openEuler-SA-2024-1147",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1147",
+    "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\r\n\r\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\r\n\r\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\r\n\r\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\r\n\r\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\r\n\r\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.(CVE-2024-0727)",
+    "cves": [
+      {
+        "id": "CVE-2024-0727",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1215": {
+    "id": "openEuler-SA-2021-1215",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1215",
+    "title": "An update for runc is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "runc is a CLI tool for spawning and running containers according to the OCI specification.\r\n\r\nSecurity Fix(es):\r\n\r\nrunc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. To exploit the vulnerability, an attacker must be able to create multiple containers with a fairly specific mount configuration. The problem occurs via a symlink-exchange attack that relies on a race condition.(CVE-2021-30465)",
+    "cves": [
+      {
+        "id": "CVE-2021-30465",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30465",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2046": {
+    "id": "openEuler-SA-2022-2046",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2046",
+    "title": "An update for nodejs-jison is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "A parser generator with Bison's API.\r\n\r\nSecurity Fix(es):\r\n\r\nInsufficient input validation in npm package `jison` <= 0.4.18 may lead to OS command injection attacks.(CVE-2020-8178)",
+    "cves": [
+      {
+        "id": "CVE-2020-8178",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8178",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1788": {
+    "id": "openEuler-SA-2024-1788",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1788",
+    "title": "An update for glib2 is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Low",
+    "description": "GLib is a bundle of three (formerly five) low-level system libraries written in C and developed mainly by GNOME. GLib's code was separated from GTK, so it can be used by software other than GNOME and has been developed in parallel ever since.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.(CVE-2024-34397)",
+    "cves": [
+      {
+        "id": "CVE-2024-34397",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34397",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1927": {
+    "id": "openEuler-SA-2022-1927",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1927",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel before 5.19. In pxa3xx_gcu_write in drivers/video/fbdev/pxa3xx-gcu.c, the count parameter has a type conflict of size_t versus int, causing an integer overflow and bypassing the size check. After that, because it is used as the third argument to copy_from_user(), a heap overflow may occur.(CVE-2022-39842)\n\nAn issue was discovered in net/netfilter/nf_tables_api.c in the Linux kernel before 5.19.6. A denial of service can occur upon binding to an already bound chain.(CVE-2022-39190)\n\nAn issue was discovered the x86 KVM subsystem in the Linux kernel before 5.18.17. Unprivileged guest users can compromise the guest kernel because TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED situations.(CVE-2022-39189)\n\nFound Linux Kernel flaw in the i740 driver. The Userspace program could pass any values to the driver through ioctl() interface. The driver doesn t check the value of pixclock , so it may cause a divide by zero error.(CVE-2022-3061)\n\nAn issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured.(CVE-2022-2663)",
+    "cves": [
+      {
+        "id": "CVE-2022-2663",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2663",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1821": {
+    "id": "openEuler-SA-2022-1821",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1821",
+    "title": "An update for dnsmasq is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Dnsmasq provides network infrastructure for small networks: DNS, DHCP, router advertisement and network boot. It is designed to be lightweight and have a small footprint, suitable for resource constrained routers and firewalls. It has also been widely used for tethering on smartphones and portable hotspots, and to support virtual networking in virtualisation frameworks.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the default configuration of dnsmasq, as shipped with Fedora versions prior to 31 and in all versions Red Hat Enterprise Linux, where it listens on any interface and accepts queries from addresses outside of its local subnet. In particular, the option local-service is not enabled. Running dnsmasq in this manner may inadvertently make it an open resolver accessible from any address on the internet. This flaw allows an attacker to conduct a Distributed Denial of Service (DDoS) against other systems.(CVE-2020-14312)",
+    "cves": [
+      {
+        "id": "CVE-2020-14312",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14312",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1499": {
+    "id": "openEuler-SA-2022-1499",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1499",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Go Programming Language.\r\n\r\nSecurity Fix(es):\r\n\r\nnet/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.(CVE-2021-44716)",
+    "cves": [
+      {
+        "id": "CVE-2021-44716",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44716",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1809": {
+    "id": "openEuler-SA-2022-1809",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1809",
+    "title": "An update for python-ldap is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "python-ldap provides an object-oriented API for working with LDAP within Python programs.  It allows access to LDAP directory servers by wrapping the OpenLDAP 2.x libraries, and contains modules for other LDAP-related tasks (including processing LDIF, LDAPURLs, LDAPv3 schema, etc.).\r\n\r\nSecurity Fix(es):\r\n\r\npython-ldap before 3.4.0 is vulnerable to a denial of service when ldap.schema is used for untrusted schema definitions, because of a regular expression denial of service (ReDoS) flaw in the LDAP schema parser. By sending crafted regex input, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.(CVE-2021-46823)",
+    "cves": [
+      {
+        "id": "CVE-2021-46823",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46823",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1849": {
+    "id": "openEuler-SA-2024-1849",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1849",
+    "title": "An update for arm-trusted-firmware is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Trusted Firmware-A is a reference implementation of secure world software for Arm A-Profile architectures (Armv8-A and Armv7-A), including an Exception Level 3 (EL3) Secure Monitor.\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. This vulnerability is associated with program files  https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i... https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.C .\r\n\r\n\r\n\r\n\nIn line 313 \"addr_loaded_cnt\" is checked not to be \"CHECK_IMAGE_AREA_CNT\" (5) or larger, this check does not halt the function. Immediately after (line 317) there will be an overflow in the buffer and the value of \"dst\" will be written to the area immediately after the buffer, which is \"addr_loaded_cnt\". This will allow an attacker to freely control the value of \"addr_loaded_cnt\" and thus control the destination of the write immediately after (line 318). The write in line 318 will then be fully controlled by said attacker, with whichever address and whichever value (\"len\") they desire.(CVE-2024-6563)\r\n\r\nBuffer overflow in \"rcar_dev_init\"  due to using due to using untrusted data (rcar_image_number) as a loop counter before verifying it against RCAR_MAX_BL3X_IMAGE. This could lead to a full bypass of secure boot.(CVE-2024-6564)",
+    "cves": [
+      {
+        "id": "CVE-2024-6564",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6564",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1052": {
+    "id": "openEuler-SA-2023-1052",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1052",
+    "title": "An update for httpd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nInconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions.(CVE-2022-36760)\r\n\r\nPrior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.(CVE-2022-37436)\r\n\r\nA carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier.(CVE-2006-20001)",
+    "cves": [
+      {
+        "id": "CVE-2006-20001",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-20001",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1948": {
+    "id": "openEuler-SA-2022-1948",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1948",
+    "title": "An update for redis6 is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Redis is an advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. You can run atomic operations on these types, like appending to a string; incrementing the value in a hash; pushing to a list; computing set intersection, union and difference; or getting the member with highest ranking in a sorted set. In order to achieve its outstanding performance, Redis works with an in-memory dataset. Depending on your use case, you can persist it either by dumping the dataset to disk every once in a while, or by appending each command to a log. Redis also supports trivial-to-setup master-slave replication, with very fast non-blocking first synchronization, auto-reconnection on net split and so forth. Other features include Transactions, Pub/Sub, Lua scripting, Keys with a limited time-to-live, and configuration settings to make Redis behave like a cache. You can use Redis from most programming languages also.\r\n\r\nSecurity Fix(es):\r\n\r\nRedis is an open source, in-memory database that persists on disk. An integer overflow bug affecting all versions of Redis can be exploited to corrupt the heap and potentially be used to leak arbitrary contents of the heap or trigger remote code execution. The vulnerability involves changing the default set-max-intset-entries configuration parameter to a very large value and constructing specially crafted commands to manipulate sets. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the set-max-intset-entries configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.(CVE-2021-32687)\r\n\r\nRedis is an open source, in-memory database that persists on disk. An integer overflow bug in the ziplist data structure used by all versions of Redis can be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves modifying the default ziplist configuration parameters (hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value) to a very large value, and then constructing specially crafted commands to create very large ziplists. The problem is fixed in Redis versions 6.2.6, 6.0.16, 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the above configuration parameters. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.(CVE-2021-32628)\r\n\r\nRedis is an open source, in-memory database that persists on disk. An integer overflow bug in the underlying string library can be used to corrupt the heap and potentially result with denial of service or remote code execution. The vulnerability involves changing the default proto-max-bulk-len configuration parameter to a very large value and constructing specially crafted network payloads or commands. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the proto-max-bulk-len configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.(CVE-2021-41099)\r\n\r\nRedis is an open source, in-memory database that persists on disk. When parsing an incoming Redis Standard Protocol (RESP) request, Redis allocates memory according to user-specified values which determine the number of elements (in the multi-bulk header) and size of each element (in the bulk header). An attacker delivering specially crafted requests over multiple connections can cause the server to allocate significant amount of memory. Because the same parsing mechanism is used to handle authentication requests, this vulnerability can also be exploited by unauthenticated users. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This can be done in different ways: Using network access control tools like firewalls, iptables, security groups, etc. or Enabling TLS and requiring users to authenticate using client side certificates.(CVE-2021-32675)\r\n\r\nRedis is an open source, in-memory database that persists on disk. The redis-cli command line tool and redis-sentinel service may be vulnerable to integer overflow when parsing specially crafted large multi-bulk network replies. This is a result of a vulnerability in the underlying hiredis library which does not perform an overflow check before calling the calloc() heap allocation function. This issue only impacts systems with heap allocators that do not perform their own overflow checks. Most modern systems do and are therefore not likely to be affected. Furthermore, by default redis-sentinel uses the jemalloc allocator which is also not vulnerable. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14.(CVE-2021-32762)\r\n\r\nRedis is an open source, in-memory database that persists on disk. In affected versions an integer overflow bug in Redis can be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves changing the default proto-max-bulk-len and client-query-buffer-limit configuration parameters to very large values and constructing specially crafted very large stream elements. The problem is fixed in Redis 6.2.6, 6.0.16 and 5.0.14. For users unable to upgrade an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the proto-max-bulk-len configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.(CVE-2021-32627)",
+    "cves": [
+      {
+        "id": "CVE-2021-32627",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32627",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1464": {
+    "id": "openEuler-SA-2024-1464",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1464",
+    "title": "An update for docker is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "Docker is an open source project to build, ship and run any application as a lightweight container.\r\n\r\nSecurity Fix(es):\r\n\r\nMoby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be defined. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters and thus behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_. The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and other API clients may specify the `internal` parameter as well.\r\n\r\nWhen containers with networking are created, they are assigned unique network interfaces and IP addresses. The host serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from container IPs.\r\n\r\nContainers on an internal network may communicate between each other, but are precluded from communicating with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus appropriately configured host services) is possible, and the host may communicate with any container IP directly.\r\n\r\nIn addition to configuring the Linux kernel's various networking features to enable container networking, `dockerd` directly provides some services to container networks. Principal among these is serving as a resolver, enabling service discovery, and resolution of names from an upstream resolver.\r\n\r\nWhen a DNS request for a name that does not correspond to a container is received, the request is forwarded to the configured upstream resolver. This request is made from the container's network namespace: the level of access and routing of traffic is the same as if the request was made by the container itself.\r\n\r\nAs a consequence of this design, containers solely attached to an internal network will be unable to resolve names using the upstream resolver, as the container itself is unable to communicate with that nameserver. Only the names of containers also attached to the internal network are able to be resolved.\r\n\r\nMany systems run a local forwarding DNS resolver. As the host and any containers have separate loopback devices, a consequence of the design described above is that containers are unable to resolve names from the host's configured resolver, as they cannot reach these addresses on the host loopback device. To bridge this gap, and to allow containers to properly resolve names even when a local forwarding resolver is used on a loopback address, `dockerd` detects this scenario and instead forward DNS requests from the host namework namespace. The loopback resolver then forwards the requests to its configured upstream resolvers, as expected.\r\n\r\nBecause `dockerd` forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics entirely, internal networks can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers.\r\n\r\nDocker Desktop is not affected, as Docker Desktop always runs an internal resolver on a RFC 1918 address.\r\n\r\nMoby releases 26.0.0, 25.0.4, and 23.0.11 are patched to prevent forwarding any DNS requests from internal networks. As a workaround, run containers intended to be solely attached to internal networks with a custom upstream address, which will force all upstream DNS queries to be resolved from the container's network namespace.(CVE-2024-29018)",
+    "cves": [
+      {
+        "id": "CVE-2024-29018",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29018",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1692": {
+    "id": "openEuler-SA-2023-1692",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1692",
+    "title": "An update for lcr is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nIsula uses the lxc runtime (default) to run malicious images, which can cause DOS.(CVE-2021-33634)",
+    "cves": [
+      {
+        "id": "CVE-2021-33634",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33634",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2144": {
+    "id": "openEuler-SA-2022-2144",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2144",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nGuests can trigger NIC interface reset/abort/crash via netback It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux based network backend by sending certain kinds of packets. It appears to be an (unwritten?) assumption in the rest of the Linux network stack that packet protocol headers are all contained within the linear section of the SKB and some NICs behave badly if this is not the case. This has been reported to occur with Cisco (enic) and Broadcom NetXtrem II BCM5780 (bnx2x) though it may be an issue with other NICs/drivers as well. In case the frontend is sending requests with split headers, netback will forward those violating above mentioned assumption to the networking core, resulting in said misbehavior.(CVE-2022-3643)",
+    "cves": [
+      {
+        "id": "CVE-2022-3643",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3643",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1097": {
+    "id": "openEuler-SA-2024-1097",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1097",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds access vulnerability involving netfilter was reported and fixed as: f1082dd31fe4 (netfilter: nf_tables: Reject tables of unsupported family); While creating a new netfilter table, lack of a safeguard against invalid nf_tables family (pf) values within `nf_tables_newtable` function enables an attacker to achieve out-of-bounds access.(CVE-2023-6040)\r\n\r\nAn out-of-bounds memory read flaw was found in receive_encrypted_standard in fs/smb/client/smb2ops.c in the SMB Client sub-component in the Linux Kernel. This issue occurs due to integer underflow on the memcpy length, leading to a denial of service.(CVE-2024-0565)\r\n\r\nA flaw was found in the Netfilter subsystem in the Linux kernel. The issue is in the nft_byteorder_eval() function, where the code iterates through a loop and writes to the `dst` array. On each iteration, 8 bytes are written, but `dst` is an array of u32, so each element only has space for 4 bytes. That means every iteration overwrites part of the previous element corrupting this array of u32. This flaw allows a local user to cause a denial of service or potentially break NetFilter functionality.(CVE-2024-0607)",
+    "cves": [
+      {
+        "id": "CVE-2024-0607",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0607",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1631": {
+    "id": "openEuler-SA-2024-1631",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1631",
+    "title": "An update for nautilus is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "It's easier to manage your files for the GNOME desktop. Ability to browse directories on local and remote systems. preview folders and launch related programs. It is also handle icons on the GNOME desktop.\r\n\r\nSecurity Fix(es):\r\n\r\nGNOME Nautilus 42.2 allows a NULL pointer dereference and get_basename application crash via a pasted ZIP archive.(CVE-2022-37290)",
+    "cves": [
+      {
+        "id": "CVE-2022-37290",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37290",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1204": {
+    "id": "openEuler-SA-2023-1204",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1204",
+    "title": "An update for runc is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "runc is a CLI tool for spawning and running containers according to the OCI specification.\r\n\r\nSecurity Fix(es):\r\n\r\nrunc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private)`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add `/sys/fs/cgroup` to `maskedPaths`.(CVE-2023-25809)\r\n\r\nrunc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image.(CVE-2023-28642)",
+    "cves": [
+      {
+        "id": "CVE-2023-28642",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28642",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1393": {
+    "id": "openEuler-SA-2023-1393",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1393",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nAn out-of-bounds read vulnerability was found in the SR-IPv6 implementation in the Linux kernel. Quoting ZDI security advisory [1]:\n\n\"This vulnerability allows local attackers to disclose sensitive information on affected installations of the Linux Kernel. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the processing of seg6 attributes. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.\"\n\n[1] https://www.zerodayinitiative.com/advisories/ZDI-CAN-18511/(CVE-2023-2860)\n\nA known cache speculation vulnerability, known as Branch History Injection (BHI) or Spectre-BHB, becomes actual again for the new hw AmpereOne. Spectre-BHB is similar to Spectre v2, except that malicious code uses the shared branch history (stored in the CPU Branch History Buffer, or BHB) to influence mispredicted branches within the victim's hardware context. Once that occurs, speculation caused by the mispredicted branches can cause cache allocation. This issue leads to obtaining information that should not be accessible.(CVE-2023-3006)\n\nA use after free issue was discovered in driver/firewire in outbound_phy_packet_callback in the Linux Kernel. In this flaw a local attacker with special privilege may cause a use after free problem when queue_event() fails.(CVE-2023-3159)\n\nA flaw was found in the Framebuffer Console (fbcon) in the Linux Kernel. When providing font->width and font->height greater than 32 to fbcon_set_font, since there are no checks in place, a shift-out-of-bounds occurs leading to undefined behavior and possible denial of service.(CVE-2023-3161)\n\n** DISPUTED ** An issue was discovered in the Linux kernel before 6.3.3. There is an out-of-bounds read in crc16 in lib/crc16.c when called from fs/ext4/super.c because ext4_group_desc_csum does not properly check an offset. NOTE: this is disputed by third parties because the kernel is not intended to defend against attackers with the stated \"When modifying the block device while it is mounted by the filesystem\" access.(CVE-2023-34256)\n\nAn issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in saa7134_finidev in drivers/media/pci/saa7134/saa7134-core.c.(CVE-2023-35823)\n\nAn issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in renesas_usb3_remove in drivers/usb/gadget/udc/renesas_usb3.c.(CVE-2023-35828)",
+    "cves": [
+      {
+        "id": "CVE-2023-35828",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35828",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1827": {
+    "id": "openEuler-SA-2023-1827",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1827",
+    "title": "An update for gdb is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "GDB, the GNU Project debugger, allows you to see what is going on inside another program while it executes -- or what another program was doing at the moment it crashed.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a heap use after free via the function add_pe_exported_sym() at /gdb/coff-pe-read.c.(CVE-2023-39129)",
+    "cves": [
+      {
+        "id": "CVE-2023-39129",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39129",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1773": {
+    "id": "openEuler-SA-2023-1773",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1773",
+    "title": "An update for mosquitto is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Mosquitto is an open source message broker that implements the MQ Telemetry Transport protocol version 3.1 and 3.1.1 MQTT provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for \"machine to machine\" messaging such as with low power sensors or mobile devices such as phones, embedded computers or micro-controllers like the Arduino.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.\n(CVE-2023-3592)\r\n\r\nIn Eclipse Mosquito before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT event to be added, which results excessive CPU consumption. This could be used by a malicious actor to perform denial of service type attack. This issue is fixed in 2.0.6\r\n\r\n\n(CVE-2023-5632)",
+    "cves": [
+      {
+        "id": "CVE-2023-5632",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5632",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1051": {
+    "id": "openEuler-SA-2024-1051",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1051",
+    "title": "An update for netdata is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "netdata is the fastest way to visualize metrics. It is a resource efficient, highly optimized system for collecting and visualizing any type of realtime time-series data, from CPU usage, disk activity, SQL queries, API calls, web site visitors, etc. netdata tries to visualize the truth of now, in its greatest detail, so that you can get insights of what is happening now and what just happened, on your systems and applications.\r\n\r\nSecurity Fix(es):\r\n\r\nNetdata is an open source option for real-time infrastructure monitoring and troubleshooting. An attacker with the ability to establish a streaming connection can execute arbitrary commands on the targeted Netdata agent. When an alert is triggered, the function `health_alarm_execute` is called. This function performs different checks and then enqueues a command by calling `spawn_enq_cmd`. This command is populated with several arguments that are not sanitized. One of them is the `registry_hostname` of the node for which the alert is raised. By providing a specially crafted `registry_hostname` as part of the health data that is streamed to a Netdata (parent) agent, an attacker can execute arbitrary commands at the remote host as a side-effect of the raised alert. Note that the commands are executed as the user running the Netdata Agent. This user is usually named `netdata`. The ability to run arbitrary commands may allow an attacker to escalate privileges by escalating other vulnerabilities in the system, as that user. The problem has been fixed in: Netdata agent v1.37 (stable) and Netdata agent v1.36.0-409 (nightly). As a workaround, streaming is not enabled by default. If you have previously enabled this, it can be disabled. Limiting access to the port on the recipient Agent to trusted child connections may mitigate the impact of this vulnerability.(CVE-2023-22496)\r\n\r\nNetdata is an open source option for real-time infrastructure monitoring and troubleshooting. Each Netdata Agent has an automatically generated MACHINE GUID. It is generated when the agent first starts and it is saved to disk, so that it will persist across restarts and reboots. Anyone who has access to a Netdata Agent has access to its MACHINE_GUID. Streaming is a feature that allows a Netdata Agent to act as parent for other Netdata Agents (children), offloading children from various functions (increased data retention, ML, health monitoring, etc) that can now be handled by the parent Agent. Configuration is done via `stream.conf`. On the parent side, users configure in `stream.conf` an API key (any random UUID can do) to provide common configuration for all children using this API key and per MACHINE GUID configuration to customize the configuration for each child. The way this was implemented, allowed an attacker to use a valid MACHINE_GUID as an API key. This affects all users who expose their Netdata Agents (children) to non-trusted users and they also expose to the same users Netdata Agent parents that aggregate data from all these children. The problem has been fixed in: Netdata agent v1.37 (stable) and Netdata agent v1.36.0-409 (nightly). As a workaround, do not enable streaming by default. If you have previously enabled this, it can be disabled. Limiting access to the port on the recipient Agent to trusted child connections may mitigate the impact of this vulnerability.(CVE-2023-22497)",
+    "cves": [
+      {
+        "id": "CVE-2023-22497",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22497",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1886": {
+    "id": "openEuler-SA-2022-1886",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1886",
+    "title": "An update for pcs is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "pcs is a corosync and pacemaker configuration tool.  It permits users to easily view, modify and create pacemaker based clusters.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Pacemaker configuration tool (pcs). The pcs daemon was allowing expired accounts, and accounts with expired passwords to login when using PAM authentication. Therefore, unprivileged expired accounts that have been denied access could still login.(CVE-2022-1049)",
+    "cves": [
+      {
+        "id": "CVE-2022-1049",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1049",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1663": {
+    "id": "openEuler-SA-2022-1663",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1663",
+    "title": "An update for google-gson is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Gson is a Java library that can be used to convert a Java object into its JSON representation. It can also be used to convert a JSON string into an equivalent Java object. Gson can work with arbitrary Java objects including pre-existing objects that you do not have source-code of. There are a few open-source projects that can convert Java objects to JSON. However, most of them require that you place Java annotations in your classes; something that you can not do if you do not have access to the source-code. Most also do not fully support the use of Java Generics. Gson considers both of these as very important design goals.\n\nSecurity Fix(es):\n\nThe package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.(CVE-2022-25647)",
+    "cves": [
+      {
+        "id": "CVE-2022-25647",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25647",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1511": {
+    "id": "openEuler-SA-2024-1511",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1511",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free.(CVE-2023-0330)\r\n\r\nA double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently protects against DMA reentrancy issues. This issue could allow a malicious privileged guest user to crash the QEMU process on the host, resulting in a denial of service or allow arbitrary code execution within the context of the QEMU process on the host.(CVE-2024-3446)\r\n\r\nA heap-based buffer overflow was found in the SDHCI device emulation of QEMU. The bug is triggered when both `s->data_count` and the size of  `s->fifo_buffer` are set to 0x200, leading to an out-of-bound access. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.(CVE-2024-3447)",
+    "cves": [
+      {
+        "id": "CVE-2024-3447",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3447",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1941": {
+    "id": "openEuler-SA-2023-1941",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1941",
+    "title": "An update for erlang is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Erlang is a general-purpose programming language and runtime environment. Erlang has built-in support for concurrency, distribution and fault tolerance. Erlang is used in several large telecommunication systems from Ericsson.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.(CVE-2022-37026)",
+    "cves": [
+      {
+        "id": "CVE-2022-37026",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37026",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1374": {
+    "id": "openEuler-SA-2021-1374",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1374",
+    "title": "An update for varnish is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "This is Varnish Cache, a web application accelerator also known as a caching HTTP reverse proxy. You install it in front of any server that speaks HTTP and configure it to cache the contents. Varnish Cache is really, really fast. It typically speeds up delivery with a factor of 300 - 1000x, depending on your architecture.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Varnish. The Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. As a result, this flaw allows the information on the Varnish cache to be poisoned. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-36740)",
+    "cves": [
+      {
+        "id": "CVE-2021-36740",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36740",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1789": {
+    "id": "openEuler-SA-2024-1789",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1789",
+    "title": "An update for glib2 is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Low",
+    "description": "GLib is a bundle of three (formerly five) low-level system libraries written in C and developed mainly by GNOME. GLib's code was separated from GTK, so it can be used by software other than GNOME and has been developed in parallel ever since.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.(CVE-2024-34397)",
+    "cves": [
+      {
+        "id": "CVE-2024-34397",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34397",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1165": {
+    "id": "openEuler-SA-2023-1165",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1165",
+    "title": "An update for snakeyaml is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "SnakeYAML is a YAML parser and emitter for the Java Virtual Machine. YAML is a data serialization format designed for human readability and interaction with scripting languages.\r\n\r\nSecurity Fix(es):\r\n\r\nThe package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.(CVE-2022-25857)\r\n\r\nUsing snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.(CVE-2022-38749)\r\n\r\nUsing snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.(CVE-2022-38750)\r\n\r\nUsing snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.(CVE-2022-38751)\r\n\r\nUsing snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.(CVE-2022-38752)\r\n\r\nThose using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.(CVE-2022-41854)",
+    "cves": [
+      {
+        "id": "CVE-2022-41854",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41854",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1883": {
+    "id": "openEuler-SA-2022-1883",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1883",
+    "title": "An update for redis6 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Redis is an advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. You can run atomic operations on these types, like appending to a string; incrementing the value in a hash; pushing to a list; computing set intersection, union and difference; or getting the member with highest ranking in a sorted set. In order to achieve its outstanding performance, Redis works with an in-memory dataset. Depending on your use case, you can persist it either by dumping the dataset to disk every once in a while, or by appending each command to a log. Redis also supports trivial-to-setup master-slave replication, with very fast non-blocking first synchronization, auto-reconnection on net split and so forth. Other features include Transactions, Pub/Sub, Lua scripting, Keys with a limited time-to-live, and configuration settings to make Redis behave like a cache. You can use Redis from most programming languages also.\r\n\r\nSecurity Fix(es):\r\n\r\nRedis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer could be exploited using the `STRALGO LCS` command to corrupt the heap and potentially result with remote code execution. The problem is fixed in version 6.2.3 and 6.0.13. An additional workaround to mitigate the problem without patching the redis-server executable is to use ACL configuration to prevent clients from using the `STRALGO LCS` command.(CVE-2021-29477)",
+    "cves": [
+      {
+        "id": "CVE-2021-29477",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29477",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2141": {
+    "id": "openEuler-SA-2022-2141",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2141",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw to potentially crash the system causing a denial of service.(CVE-2022-4129)",
+    "cves": [
+      {
+        "id": "CVE-2022-4129",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4129",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1287": {
+    "id": "openEuler-SA-2024-1287",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1287",
+    "title": "An update for iSulad is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "This is a umbrella project for gRPC-services based Lightweight Container Runtime Daemon, written by C.\r\n\r\nSecurity Fix(es):\r\n\r\n在isulad服务初始化阶段，会进行临时文件的正确性检查，如果检查不通过则重新创建文件，在检查与创建之间，存在一个条件竞争问题，攻击者可以通过利用该漏洞进行提权。(CVE-2021-33632)",
+    "cves": [
+      {
+        "id": "CVE-2021-33632",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33632",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1454": {
+    "id": "openEuler-SA-2024-1454",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1454",
+    "title": "An update for gstreamer1-plugins-base is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "GStreamer is a graphics library for built-in media processing components. BasePlug-ins is a the collections used to maintain the GStreamer plugin.\r\n\r\nSecurity Fix(es):\r\n\r\nHeap-based buffer overflow in the subparse subtitle parser when handling certain SRT subtitle files in GStreamer versions before 1.22.4 / 1.20.7. It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation.\r\n\r\nhttps://gstreamer.freedesktop.org/security/sa-2023-0002.html(CVE-2023-37328)",
+    "cves": [
+      {
+        "id": "CVE-2023-37328",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37328",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1327": {
+    "id": "openEuler-SA-2024-1327",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1327",
+    "title": "An update for unixODBC is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The unixODBC Project goals are to develop and promote unixODBC to be the definitive standard for ODBC on non MS Windows platforms. This is to include GUI support for both KDE and GNOME.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds stack write flaw was found in unixODBC on 64-bit architectures where the caller has 4 bytes and callee writes 8 bytes. This issue may go unnoticed on little-endian architectures, while big-endian architectures can be broken.(CVE-2024-1013)",
+    "cves": [
+      {
+        "id": "CVE-2024-1013",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1013",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1284": {
+    "id": "openEuler-SA-2023-1284",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1284",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel. This flaw allows an attacker to unauthorized execution of management commands, compromising the confidentiality, integrity, and availability of Bluetooth communication.(CVE-2023-2002)\r\n\r\nA speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11(CVE-2023-0458)\r\n\r\nIn emac_probe, &adpt->work_thread is bound with emac_work_thread. Then it will be started by timeout handler emac_tx_timeout or a IRQ handler emac_isr. If we remove the driver which will call emac_remove to make cleanup, there may be a unfinished work. This could lead to a use-after-free.\r\n\r\nUpstream fix:\nhttps://github.com/torvalds/linux/commit/6b6bc5b8bd2d(CVE-2023-2483)\r\n\r\nAn issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use-after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order for an attacker to exploit this, the system must have netrom routing configured or the attacker must have the CAP_NET_ADMIN capability.(CVE-2023-32269)\r\n\r\nIn the Linux kernel 6.0.8, there is a use-after-free in run_unpack in fs/ntfs3/run.c, related to a difference between NTFS sector size and media sector size.(CVE-2023-26544)\n\nNo description is available for this CVE(CVE-2023-0459)\n\nA null pointer dereference issue was found in the sctp network protocol in net/sctp/stream_sched.c in Linux Kernel. If stream_in allocation is failed, stream_out is freed which would further be accessed. A local user could use this flaw to crash the system or potentially cause a denial of service.(CVE-2023-2177)\n\nA use-after-free vulnerability was found in the Linux kernel's ext4 filesystem in the way it handled the extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system crash or other undefined behaviors.(CVE-2023-2513)",
+    "cves": [
+      {
+        "id": "CVE-2023-2513",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2513",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1826": {
+    "id": "openEuler-SA-2024-1826",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1826",
+    "title": "An update for vte291 is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Low",
+    "description": "VTE provides a virtual terminal widget for GTK applications.VTE is mainly used in gnome-terminal, but can also be used to embed a console/terminal in games, editors, IDEs, etc.\r\n\r\nSecurity Fix(es):\r\n\r\nGNOME VTE before 0.76.3 allows an attacker to cause a denial of service (memory consumption) via a window resize escape sequence, a related issue to CVE-2000-0476.(CVE-2024-37535)",
+    "cves": [
+      {
+        "id": "CVE-2024-37535",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37535",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1072": {
+    "id": "openEuler-SA-2023-1072",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1072",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nA buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. This issue could allow the leakage of both stack and heap addresses, and potentially allow Local Privilege Escalation to the root user via arbitrary code execution.(CVE-2023-0179)\r\n\r\natm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results).(CVE-2023-23455)\r\n\r\ncbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results).(CVE-2023-23454)",
+    "cves": [
+      {
+        "id": "CVE-2023-23454",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23454",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1349": {
+    "id": "openEuler-SA-2021-1349",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1349",
+    "title": "An update for ansible is now available for openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Ansible is a radically simple model-driven configuration management, multi-node deployment, and remote task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument \"password\" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.(CVE-2020-1739)\r\n\r\nA flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes \"ansible-vault edit\", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.(CVE-2020-1740)\r\n\r\nA flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.(CVE-2020-1738)\r\n\r\nA flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.(CVE-2020-1735)\r\n\r\nA flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This sets the destination files world-readable if the destination file does not exist and if the file exists, the file could be changed to have less restrictive permissions before the move. This could lead to the disclosure of sensitive data. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.(CVE-2020-1736)\r\n\r\nA flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.(CVE-2020-10684)\r\n\r\nA flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the remote host. Ansible Engine 2.7.15, 2.8.7, and 2.9.2 as well as previous versions are affected.(CVE-2019-14904)\r\n\r\nA flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive anywhere in the file system, using a path traversal. This issue is fixed in 2.10.(CVE-2020-1737)\r\n\r\nA flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected.(CVE-2021-20191)\r\n\r\nA flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file. This flaw affects Ansible Engine versions before 2.9.6.(CVE-2020-10729)\r\n\r\nA security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl from the command line, not using an environment variable or an input configuration file. This will disclose passwords and tokens from process list and no_log directive from debug module would not have any effect making these secrets being disclosed on stdout and log files.(CVE-2020-1753)",
+    "cves": [
+      {
+        "id": "CVE-2020-1753",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1753",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2064": {
+    "id": "openEuler-SA-2022-2064",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2064",
+    "title": "An update for tomcat is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project\r\n\r\nSecurity Fix(es):\r\n\r\nThe fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.(CVE-2022-23181)",
+    "cves": [
+      {
+        "id": "CVE-2022-23181",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23181",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1332": {
+    "id": "openEuler-SA-2021-1332",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1332",
+    "title": "An update for hibernate-validator is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "This is the reference implementation of JSR-349 - Bean Validation 1.1. Bean Validation defines a meta-data model and API for JavaBean as well as method validation. The default meta-data source are annotations, with the ability to override and extend the meta-data through the use of XML validation descriptors.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.(CVE-2019-10219)",
+    "cves": [
+      {
+        "id": "CVE-2019-10219",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10219",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1156": {
+    "id": "openEuler-SA-2023-1156",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1156",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel 6.0.8, there is an out-of-bounds read in ntfs_attr_find in fs/ntfs/attrib.c.(CVE-2023-26607)",
+    "cves": [
+      {
+        "id": "CVE-2023-26607",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26607",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1030": {
+    "id": "openEuler-SA-2023-1030",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1030",
+    "title": "An update for jetty is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Jetty is a 100% Java HTTP Server and Servlet Container. This means that you do not need to configure and run a separate web server (like Apache) in order to use Java, servlets and JSPs to generate dynamic content. Jetty is a fully featured web server for static and dynamic content. Unlike separate server/container solutions, this means that your web server and web application run in the same process, without interconnection overheads and complications. Furthermore, as a pure java component, Jetty can be simply included in your application for demonstration, distribution or deployment.Jetty is available on all Java supported platforms.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests.(CVE-2022-2048)\r\n\r\nIn Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.(CVE-2022-2047)",
+    "cves": [
+      {
+        "id": "CVE-2022-2047",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2047",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1576": {
+    "id": "openEuler-SA-2022-1576",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1576",
+    "title": "An update for swtpm is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "TPM emulator built on libtpms providing TPM functionality for QEMU VMs\r\n\r\nSecurity Fix(es):\r\n\r\nswtpm is a libtpms-based TPM emulator with socket, character device, and Linux CUSE interface. Versions prior to 0.5.3, 0.6.2, and 0.7.1 are vulnerable to out-of-bounds read. A specially crafted header of swtpm's state, where the blobheader's hdrsize indicator has an invalid value, may cause an out-of-bounds access when the byte array representing the state of the TPM is accessed. This will likely crash swtpm or prevent it from starting since the state cannot be understood. Users should upgrade to swtpm v0.5.3, v0.6.2, or v0.7.1 to receive a patch. There are currently no known workarounds.(CVE-2022-23645)",
+    "cves": [
+      {
+        "id": "CVE-2022-23645",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23645",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1118": {
+    "id": "openEuler-SA-2023-1118",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1118",
+    "title": "An update for apr is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "The mission of the Apache Portable Runtime (APR) project is to create and maintain software libraries that provide a predictable and consistent interface to underlying platform-specific implementations. The primary goal is to provide an API to which software developers may code and be assured of predictable if not identical behaviour regardless of the platform on which their software is built, relieving them of the need to code special-case conditions to work around or take advantage of platform-specific deficiencies or features.\r\n\r\nSecurity Fix(es):\r\n\r\nInteger Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime (APR) version 1.7.0.(CVE-2022-24963)",
+    "cves": [
+      {
+        "id": "CVE-2022-24963",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24963",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1283": {
+    "id": "openEuler-SA-2021-1283",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1283",
+    "title": "An update for krb5 is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nIn MIT krb5 releases 1.16 and later, an unauthenticated attacker can cause a null dereference in the KDC by sending a request containing a PA-ENCRYPTED-CHALLENGE padata element without using FAST.(CVE-2021-36222)",
+    "cves": [
+      {
+        "id": "CVE-2021-36222",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36222",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2158": {
+    "id": "openEuler-SA-2022-2158",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2158",
+    "title": "An update for libksba is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Libksba is a library to make the tasks of working with X.509 certificates,CMS data and related objects more easy. It provides a highlevel interface to the implemented protocols and presents the data in a consistent way.\r\n\r\nSecurity Fix(es):\r\n\r\nLibksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser.(CVE-2022-47629)",
+    "cves": [
+      {
+        "id": "CVE-2022-47629",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47629",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1627": {
+    "id": "openEuler-SA-2022-1627",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1627",
+    "title": "An update for epiphany is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Epiphany is the web browser for the GNOME desktop. Its goal is to be simple and easy to use. Epiphany ties together many GNOME components in order to let you focus on the Web content, instead of the browser application.\r\n\r\nSecurity Fix(es):\r\n\r\nXSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 via an about: page, as demonstrated by ephy-about:overview when a user visits an XSS payload page often enough to place that page on the Most Visited list.(CVE-2021-45085)\n\nXSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 because a server s suggested_filename is used as the pdf_name value in PDF.js.(CVE-2021-45086)\n\nXSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 when View Source mode or Reader mode is used, as demonstrated by a a page title.(CVE-2021-45087)\n\nXSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 via an error page.(CVE-2021-45088)\n\nIn GNOME Epiphany before 41.4 and 42.x before 42.2, an HTML document can trigger a client buffer overflow (in ephy_string_shorten in the UI process) via a long page title. The issue occurs because the number of bytes for a UTF-8 ellipsis character is not properly considered.(CVE-2022-29536)",
+    "cves": [
+      {
+        "id": "CVE-2022-29536",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29536",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1675": {
+    "id": "openEuler-SA-2022-1675",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1675",
+    "title": "An update for curl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\n\nSecurity Fix(es):\n\nlibcurl would reuse a previously created connection even when a TLS or SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several TLS and SSH settings were left out from the configuration match checks, making them match too easily.(CVE-2022-27782)\n\nA vulnerability was found in curl. This issue occurs due to an erroneous function. A malicious server could make curl within Network Security Services (NSS) get stuck in a never-ending busy loop when trying to retrieve that information. This flaw allows an Infinite Loop, affecting system availability.(CVE-2022-27781)",
+    "cves": [
+      {
+        "id": "CVE-2022-27781",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27781",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1975": {
+    "id": "openEuler-SA-2023-1975",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1975",
+    "title": "An update for openssh is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. \\ It encrypts all traffic to eliminate eavesdropping, connection hijacking, and \\ other attacks. In addition, OpenSSH provides a large suite of secure tunneling \\ capabilities, several authentication methods, and sophisticated configuration options.\r\n\r\nSecurity Fix(es):\r\n\r\nIn ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.(CVE-2023-51385)",
+    "cves": [
+      {
+        "id": "CVE-2023-51385",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51385",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1696": {
+    "id": "openEuler-SA-2022-1696",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1696",
+    "title": "An update for openjdk-11 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2022-21296)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21340)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2022-21282)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21283)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21341)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21365)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21291)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21248)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21299)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21305)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21294)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21293)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21277)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21366)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21360)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2021-35565)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2021-35550)",
+    "cves": [
+      {
+        "id": "CVE-2021-35550",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35550",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1402": {
+    "id": "openEuler-SA-2023-1402",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1402",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "This libtiff provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. The latest version of the TIFF specification is available on-line in several different formats.And contains command-line programs for manipulating TIFF format image files using the libtiff library.\n\nSecurity Fix(es):\n\nlibtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV.(CVE-2023-25433)\n\nlibtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian.(CVE-2023-26966)\n\nA null pointer dereference issue was discovered in Libtiff's tif_dir.c file. This flaw allows an attacker to pass a crafted TIFF image file to the tiffcp utility, which triggers runtime error, causing an undefined behavior, resulting in an application crash, eventually leading to a denial of service.(CVE-2023-2908)",
+    "cves": [
+      {
+        "id": "CVE-2023-2908",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2908",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1158": {
+    "id": "openEuler-SA-2023-1158",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1158",
+    "title": "An update for libksba is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Libksba is a library to make the tasks of working with X.509 certificates,CMS data and related objects more easy. It provides a highlevel interface to the implemented protocols and presents the data in a consistent way.\r\n\r\nSecurity Fix(es):\r\n\r\nLibksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser.(CVE-2022-47629)",
+    "cves": [
+      {
+        "id": "CVE-2022-47629",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47629",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1774": {
+    "id": "openEuler-SA-2024-1774",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1774",
+    "title": "An update for rubygem-actionview is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "Simple, battle-tested conventions and helpers for building web pages.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Rails. rails-ujs may allow an attacker to perform Cross-Site Scripting (XSS), which could lead to stolen information, phishing attacks, and other types of attacks.(CVE-2023-23913)",
+    "cves": [
+      {
+        "id": "CVE-2023-23913",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23913",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1719": {
+    "id": "openEuler-SA-2022-1719",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1719",
+    "title": "An update for e2fsprogs is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The e2fsprogs package consists of a lot of tools for users to create, check, modify, and correct any inconsistencies in second extended file system.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.(CVE-2022-1304)",
+    "cves": [
+      {
+        "id": "CVE-2022-1304",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1304",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1958": {
+    "id": "openEuler-SA-2023-1958",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1958",
+    "title": "An update for curl is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Low",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen saving HSTS data to an excessively long file name, curl could end up\nremoving all contents, making subsequent requests using that file unaware of\nthe HSTS status they should otherwise use.\n(CVE-2023-46219)",
+    "cves": [
+      {
+        "id": "CVE-2023-46219",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46219",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1335": {
+    "id": "openEuler-SA-2023-1335",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1335",
+    "title": "An update for cups is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "CUPS is the standards-based, open source printing system developed by Apple Inc. for UNIX®-like operating systems. CUPS uses the Internet Printing Protocol (IPP) to support printing to local and network printers.\r\n\r\nSecurity Fix(es):\r\n\r\nOpenPrinting CUPS is an open source printing system. In versions 2.4.2 and prior, a heap buffer overflow vulnerability would allow a remote attacker to launch a denial of service (DoS) attack. A buffer overflow vulnerability in the function `format_log_line` could allow remote attackers to cause a DoS on the affected system. Exploitation of the vulnerability can be triggered when the configuration file `cupsd.conf` sets the value of `loglevel `to `DEBUG`. No known patches or workarounds exist at time of publication.(CVE-2023-32324)",
+    "cves": [
+      {
+        "id": "CVE-2023-32324",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32324",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1900": {
+    "id": "openEuler-SA-2023-1900",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1900",
+    "title": "An update for python-aiohttp is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Async http client/server framework (asyncio).\r\n\r\nSecurity Fix(es):\r\n\r\naiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.(CVE-2023-49081)",
+    "cves": [
+      {
+        "id": "CVE-2023-49081",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49081",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1987": {
+    "id": "openEuler-SA-2023-1987",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1987",
+    "title": "An update for hdf5 is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "HDF5 is a data model, library, and file format for storing and managing data. It supports an unlimited variety of datatypes, and is designed for flexible and efficient I/O and for high volume and complex data. HDF5 is portable and is extensible, allowing applications to evolve in their use of HDF5. The HDF5 Technology suite includes tools and applications for managing, manipulating, viewing, and analyzing data in the HDF5 format.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap-based buffer overflow in ReadGifImageDesc() in gifread.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service via a crafted HDF5 file. This issue was triggered while converting a GIF file to an HDF file.(CVE-2018-17433)\r\n\r\nReadCode() in decompress.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service (invalid write access) via a crafted HDF5 file. This issue was triggered while converting a GIF file to an HDF file.(CVE-2018-17436)\r\n\r\nAn issue was discovered in HDF5 through 1.12.0. A heap-based buffer overflow exists in the function Decompress() located in decompress.c. It can be triggered by sending a crafted file to the gif2h5 binary. It allows an attacker to cause Denial of Service.(CVE-2020-10809)",
+    "cves": [
+      {
+        "id": "CVE-2020-10809",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10809",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1004": {
+    "id": "openEuler-SA-2023-1004",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1004",
+    "title": "An update for setuptools is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Setuptools is a collection of enhancements to the Python distutils that allow you to more easily build and distribute Python packages, especially ones that have dependencies on other packages.This package contains a python wheel of setuptools to use with venv.\r\n\r\nSecurity Fix(es):\r\n\r\nPython Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.(CVE-2022-40897)",
+    "cves": [
+      {
+        "id": "CVE-2022-40897",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40897",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1787": {
+    "id": "openEuler-SA-2023-1787",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1787",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. A wrong exit condition may lead to an infinite loop when inflating an attacker controlled zlib buffer in the `inflate_buffer` function. This could allow a remote authenticated client who is able to send a clipboard to the VNC server to trigger a denial of service.(CVE-2023-3255)",
+    "cves": [
+      {
+        "id": "CVE-2023-3255",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3255",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1580": {
+    "id": "openEuler-SA-2022-1580",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1580",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nUse of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4418.(CVE-2022-0685)",
+    "cves": [
+      {
+        "id": "CVE-2022-0685",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0685",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1657": {
+    "id": "openEuler-SA-2023-1657",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1657",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections crosses a certain threshold and if so, cleans up the previous connection. If the previous connection happens to be in the handshake phase and fails, QEMU cleans up the connection again, resulting in a NULL pointer dereference issue. This could allow a remote unauthenticated client to cause a denial of service.(CVE-2023-3354)",
+    "cves": [
+      {
+        "id": "CVE-2023-3354",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3354",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1488": {
+    "id": "openEuler-SA-2022-1488",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1488",
+    "title": "An update for gimp is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "GIMP is a cross-platform image editor available for GNU/Linux, OS X, Windows and more operating systems. It is free software, you can change its source code and distribute your changes. Whether you are a graphic designer, photographer, illustrator, or scientist, GIMP provides you with sophisticated tools to get your job done. You can further enhance your productivity with GIMP thanks to many customization options and 3rd party plugins.\r\n\r\nSecurity Fix(es):\r\n\r\nGEGL before 0.4.34, as used (for example) in GIMP before 2.10.30, allows shell expansion when a pathname in a constructed command line is not escaped or filtered. This is caused by use of the system library function for execution of the ImageMagick convert fallback in magick-load.(CVE-2021-45463)",
+    "cves": [
+      {
+        "id": "CVE-2021-45463",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45463",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1001": {
+    "id": "openEuler-SA-2021-1001",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1001",
+    "title": "An update for dnsmasq is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Dnsmasq provides network infrastructure for small networks: DNS, DHCP, router advertisement and network boot. It is designed to be lightweight and have a small footprint, suitable for resource constrained routers and firewalls. It has also been widely used for tethering on smartphones and portable hotspots, and to support virtual networking in virtualisation frameworks. \\r\\n\\r\\n Security Fix(es):\\r\\n\\r\\n A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25681)\\r\\n\\r\\n\nA flaw was found in dnsmasq. A buffer overflow vulnerability was discovered in the way dnsmasq extract names from DNS packets before validating them with DNSSEC data. An attacker on the network, who can create valid DNS replies, could use this flaw to cause an overflow with arbitrary data in a heap-allocated memory, possibly executing code on the machine. The flaw is in the rfc1035.c:extract_name() function, which writes data to the memory pointed by name assuming MAXDNAME*2 bytes are available in the buffer. However, in some code execution paths, it is possible extract_name() gets passed an offset from the base buffer, thus reducing, in practice, the number of available bytes that can be written in the buffer. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25682)\\r\\n\\r\\n\nA flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25683)\\r\\n\\r\\n\nA flaw was found in dnsmasq. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25684)\\r\\n\\r\\n\nA flaw was found in dnsmasq. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25685) \\r\\n\\r\\n\nA flaw was found in dnsmasq. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the \"Birthday Attacks\" section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.(CVE-2020-25686) A flaw was found in dnsmasq. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-25687)\\r\\n\\r\\n\n",
+    "cves": [
+      {
+        "id": "CVE-2020-25687",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25687",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1145": {
+    "id": "openEuler-SA-2024-1145",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1145",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA Null pointer dereference problem was found in ida_free in lib/idr.c in the Linux Kernel. This issue may allow an attacker using this library to cause a denial of service problem due to a missing check at a function return.(CVE-2023-6915)",
+    "cves": [
+      {
+        "id": "CVE-2023-6915",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6915",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1744": {
+    "id": "openEuler-SA-2024-1744",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1744",
+    "title": "An update for mysql is now available for openEuler-24.03-LTS",
+    "severity": "Medium",
+    "description": "The MySQL(TM) software delivers a very fast, multi-threaded, multi-user, and robust SQL (Structured Query Language) database server. MySQL Server is intended for mission-critical, heavy-load production systems as well as for embedding into mass-deployed software. MySQL is a trademark of Oracle and/or its affiliates\r\n\r\nSecurity Fix(es):\r\n\r\nIssue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\r\n\r\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\r\n\r\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\r\n\r\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\r\n\r\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.(CVE-2023-6129)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: RAPID).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20960)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20961)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20962)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20963)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20964)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20965)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20966)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2024-20967)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2024-20969)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20970)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20971)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20972)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20973)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20974)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20976)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20977)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20978)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20981)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20982)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server : Security : Firewall).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20984)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: UDF).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20985)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20993)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20994)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-20998)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of MySQL Server accessible data as well as  unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 3.8 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).(CVE-2024-21000)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21008)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21009)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21013)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21047)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21054)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21055)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.35 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21057)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Data Dictionary).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21060)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Audit Plug-in).  Supported versions that are affected are 8.0.35 and prior and  8.2.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21061)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21062)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21069)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21087)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Client: mysqldump).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of MySQL Server accessible data as well as  unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).(CVE-2024-21096)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21102)",
+    "cves": [
+      {
+        "id": "CVE-2024-21102",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21102",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1666": {
+    "id": "openEuler-SA-2023-1666",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1666",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel through 6.0.9. drivers/media/usb/ttusb-dec/ttusb_dec.c has a memory leak because of the lack of a dvb_frontend_detach call.(CVE-2022-45887)\r\n\r\n\nA division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality. \r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n(CVE-2023-20588)\r\n\r\nIn multiple functions  of io_uring.c, there is a possible kernel memory corruption due to improper locking. This could lead to local escalation of privilege in the kernel with System execution privileges needed. User interaction is not needed for exploitation.\r\n\r\n(CVE-2023-21400)\r\n\r\n** REJECT ** CVE-2023-4881 was wrongly assigned to a bug that was deemed to be a non-security issue by the Linux kernel security team.(CVE-2023-4881)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.\r\n\r\nWhen the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug and lack of error checking in agg_dequeue().\r\n\r\nWe recommend upgrading past commit 8fc134fee27f2263988ae38920bc03da416b03d8.\r\n\r\n(CVE-2023-4921)",
+    "cves": [
+      {
+        "id": "CVE-2023-4921",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4921",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1668": {
+    "id": "openEuler-SA-2022-1668",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1668",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\n\nSecurity Fix(es):\n\nHeap-based Buffer Overflow in function cmdline_erase_chars in GitHub repository vim/vim prior to 8.2.4899. This vulnerabilities are capable of crashing software, modify memory, and possible remote execution.(CVE-2022-1619)\n\nNULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 in GitHub repository vim/vim prior to 8.2.4901. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 allows attackers to cause a denial of service (application crash) via a crafted input.(CVE-2022-1620)\n\nHeap buffer overflow in vim_strncpy find_word in GitHub repository vim/vim prior to 8.2.4919. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution.(CVE-2022-1621)\n\nBuffer Over-read in function find_next_quote in GitHub repository vim/vim prior to 8.2.4925. This vulnerabilities are capable of crashing software, Modify Memory, and possible remote execution.(CVE-2022-1629)\n\nNULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 in GitHub repository vim/vim prior to 8.2.4938. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 allows attackers to cause a denial of service (application crash) via a crafted input.(CVE-2022-1674)",
+    "cves": [
+      {
+        "id": "CVE-2022-1674",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1674",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1320": {
+    "id": "openEuler-SA-2024-1320",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1320",
+    "title": "An update for python-aiosmtpd is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "This is a server for SMTP and related protocols, similar in utility to the standard library's smtpd.py module, but rewritten to be based on asyncio for Python 3.\r\n\r\nSecurity Fix(es):\r\n\r\naiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. aiosmtpd is vulnerable to inbound SMTP smuggling. SMTP smuggling is a novel vulnerability based on not so novel interpretation differences of the SMTP protocol. By exploiting SMTP smuggling, an attacker may send smuggle/spoof e-mails with fake sender addresses, allowing advanced phishing attacks. This issue is also existed in other SMTP software like Postfix. With the right SMTP server constellation, an attacker can send spoofed e-mails to inbound/receiving aiosmtpd instances. This issue has been addressed in version 1.4.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2024-27305)",
+    "cves": [
+      {
+        "id": "CVE-2024-27305",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27305",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1152": {
+    "id": "openEuler-SA-2024-1152",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1152",
+    "title": "An update for openjdk-11 is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2024-20918)\r\n\r\nDifficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.(CVE-2024-20919)\r\n\r\nDifficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.(CVE-2024-20921)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2024-20926)\r\n\r\nDifficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).(CVE-2024-20945)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2024-20952)",
+    "cves": [
+      {
+        "id": "CVE-2024-20952",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20952",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1506": {
+    "id": "openEuler-SA-2024-1506",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1506",
+    "title": "An update for gnutls is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, and other required structures. The project strives to provide a secure communications back-end, simple to use and integrated with the rest of the base Linux libraries. A back-end designed to work and be secure out of the box, keeping the complexity of TLS and PKI out of application code.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the \"certtool --verify-chain\" command.(CVE-2024-28835)",
+    "cves": [
+      {
+        "id": "CVE-2024-28835",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28835",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1058": {
+    "id": "openEuler-SA-2021-1058",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1058",
+    "title": "An update for nodejs is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.\r\n\r\nSecurity Fix(es):\r\n\r\nNode.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.(CVE-2020-8287)\r\n\r\nNode.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.(CVE-2020-8265)",
+    "cves": [
+      {
+        "id": "CVE-2020-8265",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8265",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1323": {
+    "id": "openEuler-SA-2023-1323",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1323",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel before 6.0.3, drivers/gpu/drm/virtio/virtgpu_object.c misinterprets the drm_gem_shmem_get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer).(CVE-2023-22998)",
+    "cves": [
+      {
+        "id": "CVE-2023-22998",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22998",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2127": {
+    "id": "openEuler-SA-2022-2127",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2127",
+    "title": "An update for proftpd is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "ProFTPD is an enhanced FTP server with a focus toward simplicity, security, and ease of configuration. It features a very Apache-like configuration syntax, and a highly customizable server infrastructure, including support for multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory visibility.\r\n\r\nSecurity Fix(es):\r\n\r\nmod_radius in ProFTPD before 1.3.7c allows memory disclosure to RADIUS servers because it copies blocks of 16 characters.(CVE-2021-46854)",
+    "cves": [
+      {
+        "id": "CVE-2021-46854",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46854",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1032": {
+    "id": "openEuler-SA-2021-1032",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1032",
+    "title": "An update for varnish is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "This is Varnish Cache, a web application accelerator also known as a caching HTTP reverse proxy. You install it in front of any server that speaks HTTP and configure it to cache the contents. Varnish Cache is really, really fast. It typically speeds up delivery with a factor of 300 - 1000x, depending on your architecture.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nAn issue was discovered in Varnish Cache before 6.0.4 LTS, and 6.1.x and 6.2.x before 6.2.1. An HTTP/1 parsing failure allows a remote attacker to trigger an assert by sending crafted HTTP/1 requests. The assert will cause an automatic restart with a clean cache, which makes it a Denial of Service attack.(CVE-2019-15892)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2019-15892",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15892",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1144": {
+    "id": "openEuler-SA-2021-1144",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1144",
+    "title": "An update for rubygem-nokogiri is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Nokogiri parses and searches XML/HTML very quickly, and also has correctly implemented CSS3 selector support as well as XPath support. Nokogiri also features an Hpricot compatibility layer to help ease the change to using correct CSS and XPath.\r\n\r\nSecurity Fix(es):\r\n\r\nNokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.(CVE-2020-26247)",
+    "cves": [
+      {
+        "id": "CVE-2020-26247",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26247",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1385": {
+    "id": "openEuler-SA-2024-1385",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1385",
+    "title": "An update for ignition is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Ignition is a utility used to manipulate systems during the initramfs. This includes partitioning disks, formatting partitions, writing files (regular files, systemd units, etc.), and configuring users. On first boot, Ignition reads its configuration from a source of truth (remote URL, network metadata service, hypervisor bridge, etc.) and applies the configuration.\r\n\r\nSecurity Fix(es):\r\n\r\nA malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.(CVE-2023-39325)",
+    "cves": [
+      {
+        "id": "CVE-2023-39325",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39325",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1091": {
+    "id": "openEuler-SA-2021-1091",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1091",
+    "title": "An update for xterm is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "The xterm program is a terminal emulator for the X Window System. It provides DEC VT102 and Tektronix 4014 compatible terminals.\r\n\r\nSecurity Fix(es):\r\n\r\nxterm before Patch #366 allows remote attackers to execute arbitrary code or cause a denial of service (segmentation fault) via a crafted UTF-8 combining character sequence.(CVE-2021-27135)",
+    "cves": [
+      {
+        "id": "CVE-2021-27135",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27135",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1124": {
+    "id": "openEuler-SA-2021-1124",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1124",
+    "title": "An update for postgresql is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "PostgreSQL is an advanced Object-Relational database management system (DBMS) that supports almost all SQL constructs (including transactions, subselects and user-defined types and functions). The postgresql package includes the client programs and libraries that you'll need to access a PostgreSQL DBMS server.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in PostgreSQL in versions before 13.2, before 12.6, before 11.11, before 10.16, before 9.6.21 and before 9.5.25. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality.(CVE-2021-20229)",
+    "cves": [
+      {
+        "id": "CVE-2021-20229",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20229",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1569": {
+    "id": "openEuler-SA-2024-1569",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1569",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntun: avoid double free in tun_free_netdev\r\n\r\nAvoid double free in tun_free_netdev() by moving the\ndev->tstats and tun->security allocs to a new ndo_init routine\n(tun_net_init()) that will be called by register_netdevice().\nndo_init is paired with the desctructor (tun_free_netdev()),\nso if there's an error in register_netdevice() the destructor\nwill handle the frees.\r\n\r\nBUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605\r\n\r\nCPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1\nHardware name: Red Hat KVM, BIOS\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106\nprint_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247\nkasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372\n____kasan_slab_free mm/kasan/common.c:346 [inline]\n__kasan_slab_free+0x107/0x120 mm/kasan/common.c:374\nkasan_slab_free include/linux/kasan.h:235 [inline]\nslab_free_hook mm/slub.c:1723 [inline]\nslab_free_freelist_hook mm/slub.c:1749 [inline]\nslab_free mm/slub.c:3513 [inline]\nkfree+0xac/0x2d0 mm/slub.c:4561\nselinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605\nsecurity_tun_dev_free_security+0x4f/0x90 security/security.c:2342\ntun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215\nnetdev_run_todo+0x4df/0x840 net/core/dev.c:10627\nrtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112\n__tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302\ntun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311\nvfs_ioctl fs/ioctl.c:51 [inline]\n__do_sys_ioctl fs/ioctl.c:874 [inline]\n__se_sys_ioctl fs/ioctl.c:860 [inline]\n__x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x44/0xae(CVE-2021-47082)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: core: Fix scsi_mode_sense() buffer length handling\r\n\r\nSeveral problems exist with scsi_mode_sense() buffer length handling:\r\n\r\n 1) The allocation length field of the MODE SENSE(10) command is 16-bits,\n    occupying bytes 7 and 8 of the CDB. With this command, access to mode\n    pages larger than 255 bytes is thus possible. However, the CDB\n    allocation length field is set by assigning len to byte 8 only, thus\n    truncating buffer length larger than 255.\r\n\r\n 2) If scsi_mode_sense() is called with len smaller than 8 with\n    sdev->use_10_for_ms set, or smaller than 4 otherwise, the buffer length\n    is increased to 8 and 4 respectively, and the buffer is zero filled\n    with these increased values, thus corrupting the memory following the\n    buffer.\r\n\r\nFix these 2 problems by using put_unaligned_be16() to set the allocation\nlength field of MODE SENSE(10) CDB and by returning an error when len is\ntoo small.\r\n\r\nFurthermore, if len is larger than 255B, always try MODE SENSE(10) first,\neven if the device driver did not set sdev->use_10_for_ms. In case of\ninvalid opcode error for MODE SENSE(10), access to mode pages larger than\n255 bytes are not retried using MODE SENSE(6). To avoid buffer length\noverflows for the MODE_SENSE(10) case, check that len is smaller than 65535\nbytes.\r\n\r\nWhile at it, also fix the folowing:\r\n\r\n * Use get_unaligned_be16() to retrieve the mode data length and block\n   descriptor length fields of the mode sense reply header instead of using\n   an open coded calculation.\r\n\r\n * Fix the kdoc dbd argument explanation: the DBD bit stands for Disable\n   Block Descriptor, which is the opposite of what the dbd argument\n   description was.(CVE-2021-47182)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: usb-audio: fix null pointer dereference on pointer cs_desc\r\n\r\nThe pointer cs_desc return from snd_usb_find_clock_source could\nbe null, so there is a potential null pointer dereference issue.\nFix this by adding a null check before dereference.(CVE-2021-47211)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: hub: Guard against accesses to uninitialized BOS descriptors\r\n\r\nMany functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h\naccess fields inside udev->bos without checking if it was allocated and\ninitialized. If usb_get_bos_descriptor() fails for whatever\nreason, udev->bos will be NULL and those accesses will result in a\ncrash:\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000018\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 5 PID: 17818 Comm: kworker/5:1 Tainted: G W 5.15.108-18910-gab0e1cb584e1 #1 <HASH:1f9e 1>\nHardware name: Google Kindred/Kindred, BIOS Google_Kindred.12672.413.0 02/03/2021\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:hub_port_reset+0x193/0x788\nCode: 89 f7 e8 20 f7 15 00 48 8b 43 08 80 b8 96 03 00 00 03 75 36 0f b7 88 92 03 00 00 81 f9 10 03 00 00 72 27 48 8b 80 a8 03 00 00 <48> 83 78 18 00 74 19 48 89 df 48 8b 75 b0 ba 02 00 00 00 4c 89 e9\nRSP: 0018:ffffab740c53fcf8 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffffa1bc5f678000 RCX: 0000000000000310\nRDX: fffffffffffffdff RSI: 0000000000000286 RDI: ffffa1be9655b840\nRBP: ffffab740c53fd70 R08: 00001b7d5edaa20c R09: ffffffffb005e060\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: ffffab740c53fd3e R14: 0000000000000032 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffffa1be96540000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000018 CR3: 000000022e80c005 CR4: 00000000003706e0\nCall Trace:\nhub_event+0x73f/0x156e\n? hub_activate+0x5b7/0x68f\nprocess_one_work+0x1a2/0x487\nworker_thread+0x11a/0x288\nkthread+0x13a/0x152\n? process_one_work+0x487/0x487\n? kthread_associate_blkcg+0x70/0x70\nret_from_fork+0x1f/0x30\r\n\r\nFall back to a default behavior if the BOS descriptor isn't accessible\nand skip all the functionalities that depend on it: LPM support checks,\nSuper Speed capabilitiy checks, U1/U2 states setup.(CVE-2023-52477)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nl2tp: pass correct message length to ip6_append_data\r\n\r\nl2tp_ip6_sendmsg needs to avoid accounting for the transport header\ntwice when splicing more data into an already partially-occupied skbuff.\r\n\r\nTo manage this, we check whether the skbuff contains data using\nskb_queue_empty when deciding how much data to append using\nip6_append_data.\r\n\r\nHowever, the code which performed the calculation was incorrect:\r\n\r\n     ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;\r\n\r\n...due to C operator precedence, this ends up setting ulen to\ntranshdrlen for messages with a non-zero length, which results in\ncorrupted packets on the wire.\r\n\r\nAdd parentheses to correct the calculation in line with the original\nintent.(CVE-2024-26752)",
+    "cves": [
+      {
+        "id": "CVE-2024-26752",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26752",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2018": {
+    "id": "openEuler-SA-2022-2018",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2018",
+    "title": "An update for freerdp is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "FreeRDP is a client implementation of the Remote Desktop Protocol (RDP) that follows Microsoft's open specifications. This package provides the client applications xfreerdp and wlfreerdp.\r\n\r\nSecurity Fix(es):\r\n\r\nFreeRDP is a free remote desktop protocol library and clients. All FreeRDP based clients when using the `/video` command line switch might read uninitialized data, decode it as audio/video and display the result. FreeRDP based server implementations are not affected. This issue has been patched in version 2.8.1. If you cannot upgrade do not use the `/video` switch.(CVE-2022-39283)\r\n\r\nFreeRDP is a free remote desktop protocol library and clients. FreeRDP based clients on unix systems using `/parallel` command line switch might read uninitialized data and send it to the server the client is currently connected to. FreeRDP based server implementations are not affected. Please upgrade to 2.8.1 where this issue is patched. If unable to upgrade, do not use parallel port redirection (`/parallel` command line switch) as a workaround.(CVE-2022-39282)",
+    "cves": [
+      {
+        "id": "CVE-2022-39282",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39282",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1074": {
+    "id": "openEuler-SA-2024-1074",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1074",
+    "title": "An update for containernetworking-plugins is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "The CNI (Container Network Interface) project consists of a specification and libraries for writing plugins to configure network interfaces in Linux containers, along with a number of supported plugins. CNI concerns itself only with network connectivity of containers and removing allocated resources when the container is deleted.\r\n\r\nSecurity Fix(es):\r\n\r\nHTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.(CVE-2023-24534)\r\n\r\nMultipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.(CVE-2023-24536)\r\n\r\nCalling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.(CVE-2023-24537)\r\n\r\nTemplates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. \"var a = {{.}}\"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution.(CVE-2023-24538)",
+    "cves": [
+      {
+        "id": "CVE-2023-24538",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24538",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1703": {
+    "id": "openEuler-SA-2022-1703",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1703",
+    "title": "An update for dpkg is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Dpkg is a tool to install, build, remove and manageDebian packages. The  primary and more user-friendly front-end for dpkg is aptitude.\r\n\r\nSecurity Fix(es):\r\n\r\nDpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.(CVE-2022-1664)",
+    "cves": [
+      {
+        "id": "CVE-2022-1664",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1664",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1544": {
+    "id": "openEuler-SA-2024-1544",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1544",
+    "title": "An update for glibc is now available for openEuler-20.03-LTS-SP4 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt,  login, exit and more.\r\n\r\nSecurity Fix(es):\r\n\r\nnscd: Stack-based buffer overflow in netgroup cache\r\n\r\nIf the Name Service Cache Daemon's (nscd) fixed size cache is exhausted\nby client requests then a subsequent client request for netgroup data\nmay result in a stack-based buffer overflow.  This flaw was introduced\nin glibc 2.15 when the cache was added to nscd.\r\n\r\nThis vulnerability is only present in the nscd binary.\n(CVE-2024-33599)\r\n\r\nnscd: Null pointer crashes after notfound response\r\n\r\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference.  This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\r\n\r\nThis vulnerability is only present in the nscd binary.\r\n\r\n(CVE-2024-33600)\r\n\r\nnscd: netgroup cache may terminate daemon on memory allocation failure\r\n\r\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients.  The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\r\n\r\nThis vulnerability is only present in the nscd binary.\r\n\r\n(CVE-2024-33601)\r\n\r\nnscd: netgroup cache assumes NSS callback uses in-buffer strings\r\n\r\nThe Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory\nwhen the NSS callback does not store all strings in the provided buffer.\nThe flaw was introduced in glibc 2.15 when the cache was added to nscd.\r\n\r\nThis vulnerability is only present in the nscd binary.\r\n\r\n(CVE-2024-33602)",
+    "cves": [
+      {
+        "id": "CVE-2024-33602",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33602",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1734": {
+    "id": "openEuler-SA-2022-1734",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1734",
+    "title": "An update for grub2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "GNU GRUB is a Multiboot boot loader. It was derived from GRUB, the GRand Unified Bootloader, which was originally designed and implemented by Erich Stefan Boleyn.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in grub2 when handling split HTTP headers. While processing a split HTTP header, grub2 wrongly advances its control pointer to the internal buffer by one position, which can lead to an out-of-bounds write. This flaw allows an attacker to leverage this issue by crafting a malicious set of HTTP packages making grub2 corrupt its internal memory metadata structure. This leads to data integrity and confidentiality issues or forces grub to crash, resulting in a denial of service attack.(CVE-2022-28734)\r\n\r\nA use-after-free vulnerability was found on grub2's chainloader command. This flaw allows an attacker to gain access to restricted data or cause arbitrary code execution if they can establish control from grub's memory allocation pattern.(CVE-2022-28736)\r\n\r\nA flaw was found in grub2 when handling JPEG images. This flaw allows an attacker to craft a malicious JPEG image, which leads to an underflow on a grub2's internal pointer, leading to a heap-based out-of-bounds write. Secure-boot mechanisms circumvention and arbitrary code execution may also be achievable.(CVE-2021-3697)\r\n\r\nA flaw was found in grub2 when handling a PNG image header. When decoding the data contained in the Huffman table at the PNG file header, an out-of-bounds write may happen on grub's heap.(CVE-2021-3696)\r\n\r\nA flaw was found in grub2 when handling IPv4 packets. This flaw allows an attacker to craft a malicious packet, triggering an integer underflow in grub code. Consequently, the memory allocation for handling the packet data may be smaller than the size needed. This issue causes an out-of-bands write during packet handling, compromising data integrity, confidentiality issues, a denial of service, and remote code execution.(CVE-2022-28733)\r\n\r\nA flaw was found in grub 2, where a crafted 16-bit grayscale PNG image may lead to an out-of-bounds write. This flaw allows an attacker to corrupt the data on the heap portion of the grub2's memory, leading to possible code execution and the circumvention of the secure boot mechanism.(CVE-2021-3695)\r\n\r\nA flaw was found in grub2. The shim_lock verifier from grub2 allows non-kernel files to be loaded when secure boot is enabled, giving the possibility of unverified code or modules to be loaded when it should not be allowed.\n(CVE-2022-28735)",
+    "cves": [
+      {
+        "id": "CVE-2022-28735",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28735",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1133": {
+    "id": "openEuler-SA-2023-1133",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1133",
+    "title": "An update for rubygem-activerecord is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Implements the ActiveRecord pattern (Fowler, PoEAA) for ORM. It ties database tables and classes together for business objects, like Customer or Subscription, that can find, save, and destroy themselves without resorting to manual SQL.\r\n\r\nSecurity Fix(es):\r\n\r\nA denial of service vulnerability present in ActiveRecord's PostgreSQL adapter <7.0.4.1 and <6.1.7.1. When a value outside the range for a 64bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan resulting in potential Denial of Service.(CVE-2022-44566)\r\n\r\nA vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the `annotate` query method, the `optimizer_hints` query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database withinsufficient sanitization and be able to inject SQL outside of the comment.(CVE-2023-22794)",
+    "cves": [
+      {
+        "id": "CVE-2023-22794",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22794",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1412": {
+    "id": "openEuler-SA-2021-1412",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1412",
+    "title": "An update for python-psutil is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "psutil (process and system utilities) is a cross-platform library for retrieving information on running processes and system utilization (CPU, memory, disks, network, sensors) in Python. It is useful mainly for system monitoring, profiling and limiting process resources and management of running processes.It implements many functionalities offered by classic UNIX command line tools such as ps, top, iotop, lsof, netstat, ifconfig, free and others.\r\n\r\nSecurity Fix(es):\r\n\r\npsutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.(CVE-2019-18874)",
+    "cves": [
+      {
+        "id": "CVE-2019-18874",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18874",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1783": {
+    "id": "openEuler-SA-2022-1783",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1783",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Go Programming Language\r\n\r\nSecurity Fix(es):\r\n\r\nWhen httputil.ReverseProxy.ServeHTTP was called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy would set the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function set the X-Forwarded-For header value to nil, ReverseProxy would leave the header unmodified as expected.(CVE-2022-32148)\n\nCalling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.(CVE-2022-30635)\n\nInfinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes. (CVE-2022-30634)\n\nCalling Unmarshal on a XML document into a Go struct which has a nested field that uses the any field tag can cause a panic due to stack exhaustion.(CVE-2022-30633)\n\nCalling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.(CVE-2022-30632)\n\nCalling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion.(CVE-2022-30631)\n\nAs required by RFC 8446, section 4.6.1, ticket_age_add now holds arandom 32-bit value. Before this change, this value was always setto 0.(CVE-2022-30629)\n\nCalling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion.(CVE-2022-28131)\n\nCalling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion.(CVE-2022-1962)\n\nThe HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a chunked encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid.(CVE-2022-1705)",
+    "cves": [
+      {
+        "id": "CVE-2022-1705",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1705",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1094": {
+    "id": "openEuler-SA-2023-1094",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1094",
+    "title": "An update for wireshark is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Wireshark is an open source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer.Wireshark, formerly known as Ethereal, can be used to examine the details of traffic at a variety of levels ranging from connection-level information to the bits that make up a single packet. Packet capture can provide a network administrator with information about individual packets such as transmit time, source, destination, protocol type and header data. This information can be useful for evaluating security events and troubleshooting network security device issues.\r\n\r\nSecurity Fix(es):\r\n\r\nCrash in the USB HID protocol dissector in Wireshark 3.6.0 to 3.6.8 allows denial of service via packet injection or crafted capture file on Windows(CVE-2022-3724)\r\n\r\nMemory exhaustion in the Kafka protocol dissector in Wireshark 4.0.0 to 4.0.1 and 3.6.0 to 3.6.9 allows denial of service via packet injection or crafted capture file(CVE-2022-4344)\r\n\r\nInfinite loops in the BPv6, OpenFlow, and Kafka protocol dissectors in Wireshark 4.0.0 to 4.0.1 and 3.6.0 to 3.6.9 allows denial of service via packet injection or crafted capture file(CVE-2022-4345)\r\n\r\nDissection engine bug in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file(CVE-2023-0413)\r\n\r\nMemory leak in the NFS dissector in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file(CVE-2023-0417)\r\n\r\niSCSI dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file(CVE-2023-0415)\r\n\r\nExcessive loops in multiple dissectors in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file(CVE-2023-0411)\r\n\r\nTIPC dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file(CVE-2023-0412)\r\n\r\nGNW dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file(CVE-2023-0416)",
+    "cves": [
+      {
+        "id": "CVE-2023-0416",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0416",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1701": {
+    "id": "openEuler-SA-2024-1701",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1701",
+    "title": "An update for skopeo is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "A command line utility that performs various operations on container images and image repositories\r\n\r\nSecurity Fix(es):\r\n\r\nPackage jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.\n(CVE-2024-28180)",
+    "cves": [
+      {
+        "id": "CVE-2024-28180",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28180",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2142": {
+    "id": "openEuler-SA-2022-2142",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2142",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw to potentially crash the system causing a denial of service.(CVE-2022-4129)",
+    "cves": [
+      {
+        "id": "CVE-2022-4129",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4129",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1384": {
+    "id": "openEuler-SA-2023-1384",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1384",
+    "title": "An update for bind is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server\r\n\r\nSecurity Fix(es):\r\n\r\nEvery `named` instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers. The size limit for that cache database can be configured using the `max-cache-size` statement in the configuration file; it defaults to 90% of the total amount of memory available on the host. When the size of the cache reaches 7/8 of the configured limit, a cache-cleaning algorithm starts to remove expired and/or least-recently used RRsets from the cache, to keep memory use below the configured limit.\r\n\r\nIt has been discovered that the effectiveness of the cache-cleaning algorithm used in `named` can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured `max-cache-size` limit to be significantly exceeded.\nThis issue affects BIND 9 versions 9.11.0 through 9.16.41, 9.18.0 through 9.18.15, 9.19.0 through 9.19.13, 9.11.3-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1.(CVE-2023-2828)",
+    "cves": [
+      {
+        "id": "CVE-2023-2828",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2828",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1485": {
+    "id": "openEuler-SA-2023-1485",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1485",
+    "title": "An update for sqlite is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "SQLite is a C-language library that implements a small, fast, self-contained, high-reliability, full-featured, SQL database engine. SQLite is the most used database engine in the world. SQLite is built into all mobile phones and most computers and comes bundled inside countless other applications that people use every day.It also include lemon and sqlite3_analyzer and tcl tools.\r\n\r\nSecurity Fix(es):\r\n\r\nsqlite3 v3.40.1 was discovered to contain a segmentation violation at /sqlite3_aflpp/shell.c.(CVE-2023-36191)",
+    "cves": [
+      {
+        "id": "CVE-2023-36191",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36191",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1776": {
+    "id": "openEuler-SA-2022-1776",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1776",
+    "title": "An update for virglrenderer is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The virgil3d rendering library is a library used by qemu to implement 3D GPU support for the virtio GPU.\r\n\r\nSecurity Fix(es):\r\n\r\nNo description is available for this CVE.(CVE-2022-0175)",
+    "cves": [
+      {
+        "id": "CVE-2022-0175",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0175",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1529": {
+    "id": "openEuler-SA-2023-1529",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1529",
+    "title": "An update for python-GitPython is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "GitPython is a python library used to interact with git repositories, high-level like git-porcelain, or low-level like git-plumbing.\n\nSecurity Fix(es):\n\nAll versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.(CVE-2022-24439)\n\nGitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.(CVE-2023-40267)",
+    "cves": [
+      {
+        "id": "CVE-2023-40267",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40267",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1705": {
+    "id": "openEuler-SA-2023-1705",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1705",
+    "title": "An update for cups is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "CUPS is the standards-based, open source printing system developed by Apple Inc. for UNIX®-like operating systems. CUPS uses the Internet Printing Protocol (IPP) to support printing to local and network printers..\r\n\r\nSecurity Fix(es):\r\n\r\nDue to failure in validating the length provided by an attacker-crafted PPD PostScript document, CUPS and libppd are susceptible to a heap-based buffer overflow and possibly code execution. This issue has been fixed in CUPS version 2.4.7, released in September of 2023.\n(CVE-2023-4504)",
+    "cves": [
+      {
+        "id": "CVE-2023-4504",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4504",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1275": {
+    "id": "openEuler-SA-2021-1275",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1275",
+    "title": "An update for tomcat is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project\r\n\r\nSecurity Fix(es):\r\n\r\nApache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.(CVE-2021-33037)",
+    "cves": [
+      {
+        "id": "CVE-2021-33037",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33037",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1068": {
+    "id": "openEuler-SA-2024-1068",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1068",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel before 6.6.8. rose_ioctl in net/rose/af_rose.c has a use-after-free because of a rose_accept race condition.(CVE-2023-51782)\r\n\r\nA memory leak problem was found in ctnetlink_create_conntrack in net/netfilter/nf_conntrack_netlink.c in the Linux Kernel. This issue may allow a local attacker with CAP_NET_ADMIN privileges to cause a denial of service (DoS) attack due to a refcount overflow.(CVE-2023-7192)",
+    "cves": [
+      {
+        "id": "CVE-2023-7192",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7192",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1276": {
+    "id": "openEuler-SA-2023-1276",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1276",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nThe specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.(CVE-2023-2007)\r\n\r\nA null pointer dereference issue was found in the sctp network protocol in net/sctp/stream_sched.c in Linux Kernel. If stream_in allocation is failed, stream_out is freed which would further be accessed. A local user could use this flaw to crash the system or potentially cause a denial of service.(CVE-2023-2177)\r\n\r\nA vulnerability was found in compare_netdev_and_ip in drivers/infiniband/core/cma.c in RDMA in the Linux Kernel. The improper cleanup results in out-of-boundary read, where a local user can utilize this problem to crash the system or escalation of privilege.(CVE-2023-2176)\r\n\r\nAn out-of-bounds write vulnerability was found in the Linux kernel's SLIMpro I2C device driver. The userspace \"data->block[0]\" variable was not capped to a number between 0-255 and was used as the size of a memcpy, possibly writing beyond the end of dma_buffer. This flaw could allow a local privileged user to crash the system or potentially achieve code execution.(CVE-2023-2194)\r\n\r\nA denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-component.(CVE-2023-2269)\r\n\r\nqfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.(CVE-2023-31436)",
+    "cves": [
+      {
+        "id": "CVE-2023-31436",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31436",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2001": {
+    "id": "openEuler-SA-2022-2001",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2001",
+    "title": "An update for dbus is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message with certain invalid type signatures.(CVE-2022-42010)\r\n\r\nAn issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message where an array length is inconsistent with the size of the element type.(CVE-2022-42011)\r\n\r\nAn issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash by sending a message with attached file descriptors in an unexpected format.(CVE-2022-42012)",
+    "cves": [
+      {
+        "id": "CVE-2022-42012",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42012",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1893": {
+    "id": "openEuler-SA-2022-1893",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1893",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds read flaw was found in the Linux kernel’s TeleTYpe subsystem. The issue occurs in how a user triggers a race condition using ioctls TIOCSPTLCK and TIOCGPTPEER and TIOCSTI and TCXONC with leakage of memory in the flush_to_ldisc function. This flaw allows a local user to crash the system or read unauthorized random data from memory.(CVE-2022-1462)\r\n\r\nDm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates. We recommend upgrading past commit 4caae58406f8ceb741603eee460d79bacca9b1b5(CVE-2022-2503)\r\n\r\nA race condition was found in the Linux kernel's watch queue due to a missing lock in pipe_resize_ring(). The specific flaw exists within the handling of pipe buffers. The issue results from the lack of proper locking when performing operations on an object. This flaw allows a local user to crash the system or escalate their privileges on the system.(CVE-2022-2959)\r\n\r\nA flaw was found in the kernels implementation of proxied virtualized TPM devices.  On a system where virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after-free and create a situation where it may be possible to escalate privileges on the system.\r\n\r\nReferences:\nhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9d8e7007dc7c4d7c8366739bbcd3f5e51dcd470f(CVE-2022-2977)\r\n\r\nThe linux kernels driver for the \"ASIX AX88179_178A based USB 2.0/3.0 Gigabit Ethernet Devices\" contains multiple out-of-bounds reads and possible writes in the ax88179_rx_fixup() function. \r\n\r\n\nReferences:\r\n\r\nhttps://www.spinics.net/lists/stable/msg536418.html\r\n\r\nUpstream commit:\nhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=57bc3d3ae8c14df3ceb4e17d26ddf9eeab304581(CVE-2022-2964)\r\n\r\nA race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket.(CVE-2022-3028)",
+    "cves": [
+      {
+        "id": "CVE-2022-3028",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3028",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1279": {
+    "id": "openEuler-SA-2023-1279",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1279",
+    "title": "An update for python-sqlparse is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": " sqlparse is a non-validating SQL parser module. It provides support for parsing, splitting and formatting SQL statements.\r\n\r\nSecurity Fix(es):\r\n\r\nsqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS). This issues has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users are advised to upgrade. There are no known workarounds for this issue.\n(CVE-2023-30608)",
+    "cves": [
+      {
+        "id": "CVE-2023-30608",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30608",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2157": {
+    "id": "openEuler-SA-2022-2157",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2157",
+    "title": "An update for libksba is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Libksba is a library to make the tasks of working with X.509 certificates,CMS data and related objects more easy. It provides a highlevel interface to the implemented protocols and presents the data in a consistent way.\r\n\r\nSecurity Fix(es):\r\n\r\nLibksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser.(CVE-2022-47629)",
+    "cves": [
+      {
+        "id": "CVE-2022-47629",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47629",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1399": {
+    "id": "openEuler-SA-2023-1399",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1399",
+    "title": "An update for librabbitmq is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "This is a C-language AMQP client library for use with AMQP servers speaking protocol versions 0-9-1.\n\nSecurity Fix(es):\n\nAn issue was discovered in the C AMQP client library (aka rabbitmq-c) through 0.13.0 for RabbitMQ. Credentials can only be entered on the command line (e.g., for amqp-publish or amqp-consume) and are thus visible to local attackers by listing a process and its arguments.(CVE-2023-35789)",
+    "cves": [
+      {
+        "id": "CVE-2023-35789",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35789",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1503": {
+    "id": "openEuler-SA-2022-1503",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1503",
+    "title": "An update for systemd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "System and Service Manager.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in systemd. An uncontrolled recursion in systemd-tmpfiles may lead to a denial of service at boot time when too many nested directories are created in /tmp.(CVE-2021-3997)",
+    "cves": [
+      {
+        "id": "CVE-2021-3997",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3997",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1120": {
+    "id": "openEuler-SA-2023-1120",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1120",
+    "title": "An update for git is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency.Git is easy to learn and has a tiny footprint with lightning fast performance. It outclasses SCM tools like Subversion, CVS, Perforce,and ClearCase with features like cheap local branching, convenient staging areas, and multiple workflows.\r\n\r\nSecurity Fix(es):\r\n\r\nGit is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source `$GIT_DIR/objects` directory contains symbolic links, the `objects` directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253. A fix has been prepared and will appear in v2.39.2 v2.38.4 v2.37.6 v2.36.5 v2.35.7 v2.34.7 v2.33.7 v2.32.6, v2.31.7 and v2.30.8. If upgrading is impractical, two short-term workarounds are available. Avoid cloning repositories from untrusted sources with `--recurse-submodules`. Instead, consider cloning repositories without recursively cloning their submodules, and instead run `git submodule update` at each layer. Before doing so, inspect each new `.gitmodules` file to ensure that it does not contain suspicious module URLs.(CVE-2023-22490)\r\n\r\nGit, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.(CVE-2023-23946)",
+    "cves": [
+      {
+        "id": "CVE-2023-23946",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23946",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1292": {
+    "id": "openEuler-SA-2023-1292",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1292",
+    "title": "An update for ntp is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "NTP is a protocol designed to synchronize the clocks of computers over a network, NTP version 4, a significant revision of the previous NTP standard, is the current development version. It is formalized by RFCs released by the IETF.\r\n\r\nSecurity Fix(es):\r\n\r\npraecis_parse in ntpd/refclock_palisade.c in NTP 4.2.8p15 has an out-of-bounds write. Any attack method would be complex, e.g., with a manipulated GPS receiver.(CVE-2023-26555)",
+    "cves": [
+      {
+        "id": "CVE-2023-26555",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26555",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1235": {
+    "id": "openEuler-SA-2024-1235",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1235",
+    "title": "An update for xerces-c is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Xerces-C is a validating XML parser written in a portable subset of C++. Xerces-C makes it easy to give your application the ability to read and write XML data. A shared library is provided for parsing, generating, manipulating, and validating XML documents. Xerces-C is faithful to the XML 1.0 recommendation and associated standards ( DOM 1.0, DOM 2.0. SAX 1.0, SAX 2.0, Namespaces).\r\n\r\nSecurity Fix(es):\r\n\r\nThe Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.(CVE-2018-1311)",
+    "cves": [
+      {
+        "id": "CVE-2018-1311",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1311",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2146": {
+    "id": "openEuler-SA-2022-2146",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2146",
+    "title": "An update for sqlite is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nSQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE.(CVE-2022-46908)",
+    "cves": [
+      {
+        "id": "CVE-2022-46908",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46908",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1762": {
+    "id": "openEuler-SA-2024-1762",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1762",
+    "title": "An update for rubygem-activesupport is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.\r\n\r\nSecurity Fix(es):\r\n\r\nAction Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.(CVE-2022-23633)",
+    "cves": [
+      {
+        "id": "CVE-2022-23633",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23633",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1212": {
+    "id": "openEuler-SA-2024-1212",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1212",
+    "title": "An update for firefox is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Mozilla Firefox is a standalone web browser, designed for standards compliance and performance.  Its functionality can be enhanced via a plethora of extensions.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability found in nss. By this security vulnerability, nss client auth crash without a user certificate in the database and this can lead us to a segmentation fault or crash.(CVE-2022-3479)",
+    "cves": [
+      {
+        "id": "CVE-2022-3479",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3479",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1529": {
+    "id": "openEuler-SA-2024-1529",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1529",
+    "title": "An update for ignition is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Ignition is a utility used to manipulate systems during the initramfs. This includes partitioning disks, formatting partitions, writing files (regular files, systemd units, etc.), and configuring users. On first boot, Ignition reads its configuration from a source of truth (remote URL, network metadata service, hypervisor bridge, etc.) and applies the configuration.\r\n\r\nSecurity Fix(es):\r\n\r\nA maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.(CVE-2022-41723)",
+    "cves": [
+      {
+        "id": "CVE-2022-41723",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1504": {
+    "id": "openEuler-SA-2023-1504",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1504",
+    "title": "An update for bouncycastle is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Low",
+    "description": "The package is organised so that it contains a light-weight API suitable for use in any environment (including the newly released J2ME) with the additional infrastructure to conform the algorithms to the JCE framework.\r\n\r\nSecurity Fix(es):\r\n\r\nBouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.(CVE-2023-33201)",
+    "cves": [
+      {
+        "id": "CVE-2023-33201",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33201",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1126": {
+    "id": "openEuler-SA-2021-1126",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1126",
+    "title": "An update for python-httplib2 is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "httplib2 is a comprehensive HTTP client library, httplib2.py supports many features left out of other HTTP libraries.\r\n\r\nSecurity Fix(es):\r\n\r\nhttplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.(CVE-2021-21240)",
+    "cves": [
+      {
+        "id": "CVE-2021-21240",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21240",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1160": {
+    "id": "openEuler-SA-2024-1160",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1160",
+    "title": "An update for xerces-c is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "Xerces-C is a validating XML parser written in a portable subset of C++. Xerces-C makes it easy to give your application the ability to read and write XML data. A shared library is provided for parsing, generating, manipulating, and validating XML documents. Xerces-C is faithful to the XML 1.0 recommendation and associated standards ( DOM 1.0, DOM 2.0. SAX 1.0, SAX 2.0, Namespaces).\r\n\r\nSecurity Fix(es):\r\n\r\nThe Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.(CVE-2018-1311)",
+    "cves": [
+      {
+        "id": "CVE-2018-1311",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1311",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1367": {
+    "id": "openEuler-SA-2021-1367",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1367",
+    "title": "An update for haproxy is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic web sites and powers quite a number of the world's most visited ones.\r\n\r\nSecurity Fix(es):\r\n\r\nAn integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and possibly other ACLs.(CVE-2021-40346)",
+    "cves": [
+      {
+        "id": "CVE-2021-40346",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40346",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1313": {
+    "id": "openEuler-SA-2024-1313",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1313",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.(CVE-2023-3019)\r\n\r\nA flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached before vnc_server_cut_text_caps() was called and had the chance to initialize the clipboard peer, leading to a NULL pointer dereference. This could allow a malicious authenticated VNC client to crash QEMU and trigger a denial of service.(CVE-2023-6683)\r\n\r\nA stack based buffer overflow was found in the virtio-net device of QEMU. This issue occurs when flushing TX in the virtio_net_flush_tx function if guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1 and VIRTIO_NET_F_MRG_RXBUF are enabled. This could allow a malicious user to overwrite local variables allocated on the stack. Specifically, the `out_sg` variable could be used to read a part of process memory and send it to the wire, causing an information leak.(CVE-2023-6693)",
+    "cves": [
+      {
+        "id": "CVE-2023-6693",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6693",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1131": {
+    "id": "openEuler-SA-2024-1131",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1131",
+    "title": "An update for yasm is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Low",
+    "description": "Yasm is a complete rewrite of the NASM assembler under the “new” BSD License.\r\n\r\nSecurity Fix(es):\r\n\r\nyasm v1.3.0 was discovered to contain a memory leak via the function yasm_intnum_copy at /libyasm/intnum.c.(CVE-2023-31975)",
+    "cves": [
+      {
+        "id": "CVE-2023-31975",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31975",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1780": {
+    "id": "openEuler-SA-2023-1780",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1780",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4040_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cm4040_open() and reader_detach().(CVE-2022-44033)\r\n\r\nAn issue was discovered in the Linux kernel through 6.0.10. In drivers/media/dvb-core/dvb_ca_en50221.c, a use-after-free can occur is there is a disconnect after an open, because of the lack of a wait_event.(CVE-2022-45919)\r\n\r\nAn issue was discovered in drivers/bluetooth/hci_ldisc.c in the Linux kernel 6.2. In hci_uart_tty_ioctl, there is a race condition between HCIUARTSETPROTO and HCIUARTGETPROTO. HCI_UART_PROTO_SET is set before hu->proto is set. A NULL pointer dereference may occur.(CVE-2023-31083)\r\n\r\nAn issue was discovered in drivers/mtd/ubi/cdev.c in the Linux kernel 6.2. There is a divide-by-zero error in do_div(sz,mtd->erasesize), used indirectly by ctrl_cdev_ioctl, when mtd->erasesize is 0.(CVE-2023-31085)\r\n\r\nClosing of an event channel in the Linux kernel can result in a deadlock. This happens when the close is being performed in parallel to an unrelated Xen console action and the handling of a Xen console interrupt in an unprivileged guest. The closing of an event channel is e.g. triggered by removal of a paravirtual device on the other side. As this action will cause console messages to be issued on the other side quite often, the chance of triggering the deadlock is not neglectable.\nA (malicious) guest administrator could cause a denial of service (DoS) in a backend domain (other than dom0) by disabling a paravirtualized device. A malicious backend could cause DoS in a guest running a Linux kernel by disabling a paravirtualized device.(CVE-2023-34324)\r\n\r\nA flaw was found in the XFRM subsystem in the Linux kernel. The specific flaw exists within the processing of state filters, which can result in a read past the end of an allocated buffer. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, potentially leading to an information disclosure.(CVE-2023-39194)\r\n\r\nAn issue was discovered in lib/kobject.c in the Linux kernel before 6.2.3. With root access, an attacker can trigger a race condition that results in a fill_kobj_path out-of-bounds write.(CVE-2023-45863)\r\n\r\nA heap out-of-bounds write vulnerability in the Linux kernel's Linux Kernel Performance Events (perf) component can be exploited to achieve local privilege escalation.\r\n\r\nIf perf_read_group() is called while an event's sibling_list is smaller than its child's sibling_list, it can increment or write to memory locations outside of the allocated buffer.\r\n\r\nWe recommend upgrading past commit 32671e3799ca2e4590773fd0e63aaa4229e50c06.\r\n\r\n(CVE-2023-5717)",
+    "cves": [
+      {
+        "id": "CVE-2023-5717",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5717",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1252": {
+    "id": "openEuler-SA-2023-1252",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1252",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).(CVE-2022-36280)\r\n\r\nWhen SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure.(CVE-2022-27672)\r\n\r\nAn issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8. nVMX on x86_64 lacks consistency checks for CR0 and CR4.(CVE-2023-30456)\r\n\r\nA use-after-free flaw was found in btsdio_remove in drivers\\bluetooth\\btsdio.c in the Linux Kernel. In this flaw, a call to btsdio_remove with an unfinished job, may cause a race problem leading to a UAF on hdev devices.(CVE-2023-1989)\r\n\r\nA use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root.\nWe recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28.\r\n\r\n(CVE-2023-1829)",
+    "cves": [
+      {
+        "id": "CVE-2023-1829",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1829",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1744": {
+    "id": "openEuler-SA-2022-1744",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1744",
+    "title": "An update for curl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in curl. This issue occurs because it mishandles message verification failures when curl does FTP transfers secured by krb5. This flaw makes it possible for a Man-in-the-middle attack to go unnoticed and allows data injection into the client.(CVE-2022-32208)\r\n\r\nA vulnerability was found in curl. This issue occurs because the number of acceptable \"links\" in the \"decompression chain\" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps. This flaw leads to a denial of service, either by mistake or by a malicious actor.(CVE-2022-32206)\r\n\r\nA vulnerability was found in curl. This issue occurs because when curl saves cookies, alt-svc, and HSTS data to local files, it makes the operation atomic by finalizing the process with a rename from a temporary name to the final target file name. This flaw leads to unpreserved file permissions, either by mistake or by a malicious actor.(CVE-2022-32207)\r\n\r\nA vulnerability was found in curl. This issue occurs because a malicious server can serve excessive amounts of `Set-Cookie:` headers in an HTTP response to curl, which stores all of them. This flaw leads to a denial of service, either by mistake or by a malicious actor.(CVE-2022-32205)",
+    "cves": [
+      {
+        "id": "CVE-2022-32205",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32205",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1105": {
+    "id": "openEuler-SA-2023-1105",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1105",
+    "title": "An update for apr-util is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "The mission of the Apache Portable Runtime (APR) project is to create and maintain software libraries that provide a predictable and consistent interface to underlying platform-specific implementations. The primary goal is to provide an API to which software developers may code and be assured of predictable if not identical behaviour regardless of the platform on which their software is built, relieving them of the need to code special-case conditions to work around or take advantage of platform-specific deficiencies or features.\r\n\r\nSecurity Fix(es):\r\n\r\nInteger Overflow or Wraparound vulnerability in apr_base64 functions of Apache Portable Runtime Utility (APR-util) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime Utility (APR-util) 1.6.1 and prior versions.(CVE-2022-25147)",
+    "cves": [
+      {
+        "id": "CVE-2022-25147",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25147",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1444": {
+    "id": "openEuler-SA-2024-1444",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1444",
+    "title": "An update for libgsasl is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The library includes support for the SASL framework and at least partial support for the CRAM-MD5, EXTERNAL, GSSAPI, ANONYMOUS, PLAIN, SECURID, DIGEST-MD5, LOGIN, and NTLM mechanisms.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU SASL libgsasl server-side read-out-of-bounds with malicious authenticated GSS-API client(CVE-2022-2469)",
+    "cves": [
+      {
+        "id": "CVE-2022-2469",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2469",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1300": {
+    "id": "openEuler-SA-2024-1300",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1300",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: fix deadlock when cloning inline extents and using qgroups\r\n\r\nThere are a few exceptional cases where cloning an inline extent needs to\ncopy the inline extent data into a page of the destination inode.\r\n\r\nWhen this happens, we end up starting a transaction while having a dirty\npage for the destination inode and while having the range locked in the\ndestination's inode iotree too. Because when reserving metadata space\nfor a transaction we may need to flush existing delalloc in case there is\nnot enough free space, we have a mechanism in place to prevent a deadlock,\nwhich was introduced in commit 3d45f221ce627d (\"btrfs: fix deadlock when\ncloning inline extent and low on free metadata space\").\r\n\r\nHowever when using qgroups, a transaction also reserves metadata qgroup\nspace, which can also result in flushing delalloc in case there is not\nenough available space at the moment. When this happens we deadlock, since\nflushing delalloc requires locking the file range in the inode's iotree\nand the range was already locked at the very beginning of the clone\noperation, before attempting to start the transaction.\r\n\r\nWhen this issue happens, stack traces like the following are reported:\r\n\r\n  [72747.556262] task:kworker/u81:9   state:D stack:    0 pid:  225 ppid:     2 flags:0x00004000\n  [72747.556268] Workqueue: writeback wb_workfn (flush-btrfs-1142)\n  [72747.556271] Call Trace:\n  [72747.556273]  __schedule+0x296/0x760\n  [72747.556277]  schedule+0x3c/0xa0\n  [72747.556279]  io_schedule+0x12/0x40\n  [72747.556284]  __lock_page+0x13c/0x280\n  [72747.556287]  ? generic_file_readonly_mmap+0x70/0x70\n  [72747.556325]  extent_write_cache_pages+0x22a/0x440 [btrfs]\n  [72747.556331]  ? __set_page_dirty_nobuffers+0xe7/0x160\n  [72747.556358]  ? set_extent_buffer_dirty+0x5e/0x80 [btrfs]\n  [72747.556362]  ? update_group_capacity+0x25/0x210\n  [72747.556366]  ? cpumask_next_and+0x1a/0x20\n  [72747.556391]  extent_writepages+0x44/0xa0 [btrfs]\n  [72747.556394]  do_writepages+0x41/0xd0\n  [72747.556398]  __writeback_single_inode+0x39/0x2a0\n  [72747.556403]  writeback_sb_inodes+0x1ea/0x440\n  [72747.556407]  __writeback_inodes_wb+0x5f/0xc0\n  [72747.556410]  wb_writeback+0x235/0x2b0\n  [72747.556414]  ? get_nr_inodes+0x35/0x50\n  [72747.556417]  wb_workfn+0x354/0x490\n  [72747.556420]  ? newidle_balance+0x2c5/0x3e0\n  [72747.556424]  process_one_work+0x1aa/0x340\n  [72747.556426]  worker_thread+0x30/0x390\n  [72747.556429]  ? create_worker+0x1a0/0x1a0\n  [72747.556432]  kthread+0x116/0x130\n  [72747.556435]  ? kthread_park+0x80/0x80\n  [72747.556438]  ret_from_fork+0x1f/0x30\r\n\r\n  [72747.566958] Workqueue: btrfs-flush_delalloc btrfs_work_helper [btrfs]\n  [72747.566961] Call Trace:\n  [72747.566964]  __schedule+0x296/0x760\n  [72747.566968]  ? finish_wait+0x80/0x80\n  [72747.566970]  schedule+0x3c/0xa0\n  [72747.566995]  wait_extent_bit.constprop.68+0x13b/0x1c0 [btrfs]\n  [72747.566999]  ? finish_wait+0x80/0x80\n  [72747.567024]  lock_extent_bits+0x37/0x90 [btrfs]\n  [72747.567047]  btrfs_invalidatepage+0x299/0x2c0 [btrfs]\n  [72747.567051]  ? find_get_pages_range_tag+0x2cd/0x380\n  [72747.567076]  __extent_writepage+0x203/0x320 [btrfs]\n  [72747.567102]  extent_write_cache_pages+0x2bb/0x440 [btrfs]\n  [72747.567106]  ? update_load_avg+0x7e/0x5f0\n  [72747.567109]  ? enqueue_entity+0xf4/0x6f0\n  [72747.567134]  extent_writepages+0x44/0xa0 [btrfs]\n  [72747.567137]  ? enqueue_task_fair+0x93/0x6f0\n  [72747.567140]  do_writepages+0x41/0xd0\n  [72747.567144]  __filemap_fdatawrite_range+0xc7/0x100\n  [72747.567167]  btrfs_run_delalloc_work+0x17/0x40 [btrfs]\n  [72747.567195]  btrfs_work_helper+0xc2/0x300 [btrfs]\n  [72747.567200]  process_one_work+0x1aa/0x340\n  [72747.567202]  worker_thread+0x30/0x390\n  [72747.567205]  ? create_worker+0x1a0/0x1a0\n  [72747.567208]  kthread+0x116/0x130\n  [72747.567211]  ? kthread_park+0x80/0x80\n  [72747.567214]  ret_from_fork+0x1f/0x30\r\n\r\n  [72747.569686] task:fsstress        state:D stack:    \n---truncated---(CVE-2021-46987)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Defer the free of inner map when necessary\r\n\r\nWhen updating or deleting an inner map in map array or map htab, the map\nmay still be accessed by non-sleepable program or sleepable program.\nHowever bpf_map_fd_put_ptr() decreases the ref-counter of the inner map\ndirectly through bpf_map_put(), if the ref-counter is the last one\n(which is true for most cases), the inner map will be freed by\nops->map_free() in a kworker. But for now, most .map_free() callbacks\ndon't use synchronize_rcu() or its variants to wait for the elapse of a\nRCU grace period, so after the invocation of ops->map_free completes,\nthe bpf program which is accessing the inner map may incur\nuse-after-free problem.\r\n\r\nFix the free of inner map by invoking bpf_map_free_deferred() after both\none RCU grace period and one tasks trace RCU grace period if the inner\nmap has been removed from the outer map before. The deferment is\naccomplished by using call_rcu() or call_rcu_tasks_trace() when\nreleasing the last ref-counter of bpf map. The newly-added rcu_head\nfield in bpf_map shares the same storage space with work field to\nreduce the size of bpf_map.(CVE-2023-52447)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump\r\n\r\nSyzkaller has reported a NULL pointer dereference when accessing\nrgd->rd_rgl in gfs2_rgrp_dump().  This can happen when creating\nrgd->rd_gl fails in read_rindex_entry().  Add a NULL pointer check in\ngfs2_rgrp_dump() to prevent that.(CVE-2023-52448)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmtd: Fix gluebi NULL pointer dereference caused by ftl notifier\r\n\r\nIf both ftl.ko and gluebi.ko are loaded, the notifier of ftl\ntriggers NULL pointer dereference when trying to access\n‘gluebi->desc’ in gluebi_read().\r\n\r\nubi_gluebi_init\n  ubi_register_volume_notifier\n    ubi_enumerate_volumes\n      ubi_notify_all\n        gluebi_notify    nb->notifier_call()\n          gluebi_create\n            mtd_device_register\n              mtd_device_parse_register\n                add_mtd_device\n                  blktrans_notify_add   not->add()\n                    ftl_add_mtd         tr->add_mtd()\n                      scan_header\n                        mtd_read\n                          mtd_read_oob\n                            mtd_read_oob_std\n                              gluebi_read   mtd->read()\n                                gluebi->desc - NULL\r\n\r\nDetailed reproduction information available at the Link [1],\r\n\r\nIn the normal case, obtain gluebi->desc in the gluebi_get_device(),\nand access gluebi->desc in the gluebi_read(). However,\ngluebi_get_device() is not executed in advance in the\nftl_add_mtd() process, which leads to NULL pointer dereference.\r\n\r\nThe solution for the gluebi module is to run jffs2 on the UBI\nvolume without considering working with ftl or mtdblock [2].\nTherefore, this problem can be avoided by preventing gluebi from\ncreating the mtdblock device after creating mtd partition of the\ntype MTD_UBIVOLUME.(CVE-2023-52449)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Fix accesses to uninit stack slots\r\n\r\nPrivileged programs are supposed to be able to read uninitialized stack\nmemory (ever since 6715df8d5) but, before this patch, these accesses\nwere permitted inconsistently. In particular, accesses were permitted\nabove state->allocated_stack, but not below it. In other words, if the\nstack was already \"large enough\", the access was permitted, but\notherwise the access was rejected instead of being allowed to \"grow the\nstack\". This undesired rejection was happening in two places:\n- in check_stack_slot_within_bounds()\n- in check_stack_range_initialized()\nThis patch arranges for these accesses to be permitted. A bunch of tests\nthat were relying on the old rejection had to change; all of them were\nchanged to add also run unprivileged, in which case the old behavior\npersists. One tests couldn't be updated - global_func16 - because it\ncan't run unprivileged for other reasons.\r\n\r\nThis patch also fixes the tracking of the stack size for variable-offset\nreads. This second fix is bundled in the same commit as the first one\nbecause they're inter-related. Before this patch, writes to the stack\nusing registers containing a variable offset (as opposed to registers\nwith fixed, known values) were not properly contributing to the\nfunction's needed stack size. As a result, it was possible for a program\nto verify, but then to attempt to read out-of-bounds data at runtime\nbecause a too small stack had been allocated for it.\r\n\r\nEach function tracks the size of the stack it needs in\nbpf_subprog_info.stack_depth, which is maintained by\nupdate_stack_depth(). For regular memory accesses, check_mem_access()\nwas calling update_state_depth() but it was passing in only the fixed\npart of the offset register, ignoring the variable offset. This was\nincorrect; the minimum possible value of that register should be used\ninstead.\r\n\r\nThis tracking is now fixed by centralizing the tracking of stack size in\ngrow_stack_state(), and by lifting the calls to grow_stack_state() to\ncheck_stack_access_within_bounds() as suggested by Andrii. The code is\nnow simpler and more convincingly tracks the correct maximum stack size.\ncheck_stack_range_initialized() can now rely on enough stack having been\nallocated for the access; this helps with the fix for the first issue.\r\n\r\nA few tests were changed to also check the stack depth computation. The\none that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.(CVE-2023-52452)",
+    "cves": [
+      {
+        "id": "CVE-2023-52452",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52452",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1772": {
+    "id": "openEuler-SA-2023-1772",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1772",
+    "title": "An update for mosquitto is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Mosquitto is an open source message broker that implements the MQ Telemetry Transport protocol version 3.1 and 3.1.1 MQTT provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for \"machine to machine\" messaging such as with low power sensors or mobile devices such as phones, embedded computers or micro-controllers like the Arduino.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.\n(CVE-2023-3592)\r\n\r\nIn Eclipse Mosquito before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT event to be added, which results excessive CPU consumption. This could be used by a malicious actor to perform denial of service type attack. This issue is fixed in 2.0.6\r\n\r\n\n(CVE-2023-5632)",
+    "cves": [
+      {
+        "id": "CVE-2023-5632",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5632",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1363": {
+    "id": "openEuler-SA-2021-1363",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1363",
+    "title": "An update for openjpeg2 is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "OpenJPEG is an open-source JPEG 2000 codec written in C language. It has been developed in order to promote the use of JPEG 2000, a still-image compression standard from the Joint Photographic Experts Group (JPEG). Since April 2015, it is officially recognized by ISO/IEC and ITU-T as a JPEG 2000 Reference Software.\r\n\r\nSecurity Fix(es):\r\n\r\nThere is a flaw in the opj2_compress program in openjpeg2. An attacker who is able to submit a large number of image files to be processed in a directory by opj2_compress, could trigger a heap out-of-bounds write due to an integer overflow, which is caused by the large number of image files. The greatest threat posed by this flaw is to confidentiality, integrity, and availability.(CVE-2021-29338)",
+    "cves": [
+      {
+        "id": "CVE-2021-29338",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29338",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1144": {
+    "id": "openEuler-SA-2024-1144",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1144",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel before 6.4.5, drivers/gpu/drm/drm_atomic.c has a use-after-free during a race condition between a nonblocking atomic commit and a driver unload.(CVE-2023-51043)\r\n\r\nA use-after-free flaw was found in the Linux Kernel due to a race problem in the unix garbage collector's deletion of SKB races with unix_stream_read_generic() on the socket that the SKB is queued on.(CVE-2023-6531)\r\n\r\nA Null pointer dereference problem was found in ida_free in lib/idr.c in the Linux Kernel. This issue may allow an attacker using this library to cause a denial of service problem due to a missing check at a function return.(CVE-2023-6915)",
+    "cves": [
+      {
+        "id": "CVE-2023-6915",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6915",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1286": {
+    "id": "openEuler-SA-2024-1286",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1286",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nuio: Fix use-after-free in uio_open\r\n\r\ncore-1\t\t\t\tcore-2\n-------------------------------------------------------\nuio_unregister_device\t\tuio_open\n\t\t\t\tidev = idr_find()\ndevice_unregister(&idev->dev)\nput_device(&idev->dev)\nuio_device_release\n\t\t\t\tget_device(&idev->dev)\nkfree(idev)\nuio_free_minor(minor)\n\t\t\t\tuio_release\n\t\t\t\tput_device(&idev->dev)\n\t\t\t\tkfree(idev)\n-------------------------------------------------------\r\n\r\nIn the core-1 uio_unregister_device(), the device_unregister will kfree\nidev when the idev->dev kobject ref is 1. But after core-1\ndevice_unregister, put_device and before doing kfree, the core-2 may\nget_device. Then:\n1. After core-1 kfree idev, the core-2 will do use-after-free for idev.\n2. When core-2 do uio_release and put_device, the idev will be double\n   freed.\r\n\r\nTo address this issue, we can get idev atomic & inc idev reference with\nminor_lock.(CVE-2023-52439)\r\n\r\nNULL Pointer Dereference vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (net, bluetooth modules) allows Overflow Buffers. This vulnerability is associated with program files /net/bluetooth/rfcomm/core.C.\r\n\r\nThis issue affects Linux kernel: v2.6.12-rc2.\r\n\r\n(CVE-2024-22099)\r\n\r\nIn btrfs_get_root_ref in fs/btrfs/disk-io.c in the Linux kernel through 6.7.1, there can be an assertion failure and crash because a subvolume can be read out too soon after its root item is inserted upon subvolume creation.(CVE-2024-23850)\r\n\r\ncopy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can attempt to allocate more than INT_MAX bytes, and crash, because of a missing param_kernel->data_size check. This is related to ctl_ioctl.(CVE-2024-23851)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntls: fix race between async notify and socket close\r\n\r\nThe submitting thread (one which called recvmsg/sendmsg)\nmay exit as soon as the async crypto handler calls complete()\nso any code past that point risks touching already freed data.\r\n\r\nTry to avoid the locking and extra flags altogether.\nHave the main thread hold an extra reference, this way\nwe can depend solely on the atomic ref counter for\nsynchronization.\r\n\r\nDon't futz with reiniting the completion, either, we are now\ntightly controlling when completion fires.(CVE-2024-26583)",
+    "cves": [
+      {
+        "id": "CVE-2024-26583",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26583",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1097": {
+    "id": "openEuler-SA-2021-1097",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1097",
+    "title": "An update for apr is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds array dereference was found in apr_time_exp_get(). An attacker could abuse an unvalidated usage of this function to cause a denial of service or potentially lead to data leak.(CVE-2017-12613)",
+    "cves": [
+      {
+        "id": "CVE-2017-12613",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12613",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1931": {
+    "id": "openEuler-SA-2023-1931",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1931",
+    "title": "An update for sox is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "SoX is a cross-platform (Windows, Linux, MacOS X, etc.) command line utility that can convert various formats of computer audio files in to other formats. It can also apply various effects to these sound files, and, as an added bonus, SoX can play and record audio files on most platforms.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in SoX, where a heap-buffer-overflow occurs in function lsx_read_w_buf() in formats_i.c file. The vulnerability is exploitable with a crafted file, that could cause an application to crash.(CVE-2021-23159)\r\n\r\nA vulnerability was found in SoX, where a heap-buffer-overflow occurs in function startread() in hcom.c file. The vulnerability is exploitable with a crafted hcomn file, that could cause an application to crash.(CVE-2021-23172)\r\n\r\nA floating point exception (divide-by-zero) issue was discovered in SoX in functon read_samples() of voc.c file. An attacker with a crafted file, could cause an application to crash.(CVE-2021-23210)\r\n\r\nA floating point exception (divide-by-zero) issue was discovered in SoX in functon startread() of wav.c file. An attacker with a crafted wav file, could cause an application to crash.(CVE-2021-33844)\r\n\r\nA floating point exception vulnerability was found in sox, in the lsx_aiffstartwrite function at sox/src/aiff.c:622:58. This flaw can lead to a denial of service.(CVE-2023-26590)\r\n\r\nA floating point exception vulnerability was found in sox, in the read_samples function at sox/src/voc.c:334:18. This flaw can lead to a denial of service.(CVE-2023-32627)\r\n\r\nA heap buffer overflow vulnerability was found in sox, in the startread function at sox/src/hcom.c:160:41. This flaw can lead to a denial of service, code execution, or information disclosure.(CVE-2023-34318)\r\n\r\nA heap buffer overflow vulnerability was found in sox, in the lsx_readbuf function at sox/src/formats_i.c:98:16. This flaw can lead to a denial of service, code execution, or information disclosure.(CVE-2023-34432)",
+    "cves": [
+      {
+        "id": "CVE-2023-34432",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34432",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1133": {
+    "id": "openEuler-SA-2021-1133",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1133",
+    "title": "An update for wpa_supplicant is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "wpa_supplicant is a WPA Supplicant for Linux, BSD, Mac OS X, and Windows with support for WPA and WPA2 (IEEE 802.11i / RSN). It is suitable for both desktop/laptop computers and embedded systems. Supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association of the wlan driver.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range.(CVE-2021-27803)",
+    "cves": [
+      {
+        "id": "CVE-2021-27803",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27803",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1735": {
+    "id": "openEuler-SA-2022-1735",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1735",
+    "title": "An update for samba is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nMaxQueryDuration not honoured in Samba AD DC LDAP(CVE-2021-3670)",
+    "cves": [
+      {
+        "id": "CVE-2021-3670",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3670",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1110": {
+    "id": "openEuler-SA-2021-1110",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1110",
+    "title": "An update for ImageMagick is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in ImageMagick in MagickCore/resize.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.8-68.(CVE-2020-27763)\r\n\r\nA flaw was found in ImageMagick in MagickCore/gem-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned char` or division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.9-0.(CVE-2020-27773)\r\n\r\nThe PALM image coder at coders/palm.c makes an improper call to AcquireQuantumMemory() in routine WritePALMImage() because it needs to be offset by 256. This can cause a out-of-bounds read later on in the routine. The patch adds 256 to bytes_per_row in the call to AcquireQuantumMemory(). This could cause impact to reliability. This flaw affects ImageMagick versions prior to 7.0.8-68.(CVE-2020-25665)\r\n\r\nWriteOnePNGImage() from coders/png.c (the PNG coder) has a for loop with an improper exit condition that can allow an out-of-bounds READ via heap-buffer-overflow. This occurs because it is possible for the colormap to have less than 256 valid values but the loop condition will loop 256 times, attempting to pass invalid colormap data to the event logger. The patch replaces the hardcoded 256 value with a call to MagickMin() to ensure the proper value is used. This could impact application availability when a specially crafted input file is processed by ImageMagick. This flaw affects ImageMagick versions prior to 7.0.8-68.(CVE-2020-25674)\r\n\r\nA flaw was found in ImageMagick in MagickCore/colorspace-private.h and MagickCore/quantum.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned char` and math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.8-68.(CVE-2020-27750)\r\n\r\nA divide-by-zero flaw was found in ImageMagick 6.9.11-57 and 7.0.10-57 in gem.c. This flaw allows an attacker who submits a crafted file that is processed by ImageMagick to trigger undefined behavior through a division by zero. The highest threat from this vulnerability is to system availability.(CVE-2021-20176)\r\n\r\nIn ImageMagick, there is an outside the range of representable values of type 'unsigned int' at MagickCore/quantum-private.h. This flaw affects ImageMagick versions prior to 7.0.9-0.(CVE-2020-27768)\r\n\r\nA flaw was found in ImageMagick in coders/jp2.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.(CVE-2021-20241)\r\n\r\nA flaw was found in ImageMagick in MagickCore/resize.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.(CVE-2021-20243)\r\n\r\nA flaw was found in ImageMagick in MagickCore/visual-effects.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.(CVE-2021-20244)\r\n\r\nA flaw was found in ImageMagick in MagickCore/resample.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.(CVE-2021-20246)",
+    "cves": [
+      {
+        "id": "CVE-2021-20246",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20246",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1406": {
+    "id": "openEuler-SA-2021-1406",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1406",
+    "title": "An update for icu is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Tools and utilities for developing with icu.\r\n\r\nSecurity Fix(es):\r\n\r\nInternational Components for Unicode (ICU-20850) v66.1 was discovered to contain a use after free bug in the pkg_createWithAssemblyCode function in the file tools/pkgdata/pkgdata.cpp.(CVE-2020-21913)",
+    "cves": [
+      {
+        "id": "CVE-2020-21913",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-21913",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1896": {
+    "id": "openEuler-SA-2022-1896",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1896",
+    "title": "An update for ImageMagick is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nIn ImageMagick, a crafted file could trigger an assertion failure when a call to WriteImages was made in MagickWand/operation.c, due to a NULL image list. This could potentially cause a denial of service. This was fixed in upstream ImageMagick version 7.1.0-30.(CVE-2022-2719)",
+    "cves": [
+      {
+        "id": "CVE-2022-2719",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2719",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1661": {
+    "id": "openEuler-SA-2024-1661",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1661",
+    "title": "An update for cockpit is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Cockpit makes GNU/Linux discoverable. See Linux server in a web browser and perform system tasks with a mouse. It’s easy to start containers, administer storage, configure networks, and inspect logs with this package.\r\n\r\nSecurity Fix(es):\r\n\r\nAn SSRF issue was discovered in cockpit-project.org Cockpit 234. NOTE: this is unrelated to the Agentejo Cockpit product. NOTE: the vendor states \"I don't think [it] is a big real-life issue.(CVE-2020-35850)",
+    "cves": [
+      {
+        "id": "CVE-2020-35850",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35850",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1596": {
+    "id": "openEuler-SA-2023-1596",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1596",
+    "title": "An update for binutils is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The GNU Binutils are a collection of binary tools. The main ones are: ld - the GNU linker. as - the GNU assembler. addr2line - Converts addresses into filenames and line numbers. ar - A utility for creating, modifying and extracting from archives. c++filt - Filter to demangle encoded C++ symbols. dlltool - Creates files for building and using DLLs. gold - A new, faster, ELF only linker, still in beta test. gprof - Displays profiling information. nlmconv - Converts object code into an NLM. nm - Lists symbols from object files. objcopy - Copies and translates object files. objdump - Displays information from object files. ranlib - Generates an index to the contents of an archive. readelf - Displays information from any ELF format object file. size - Lists the section sizes of an object or archive file. strings - Lists printable strings from files. trip - Discards symbols. windmc - A Windows compatible message compiler. windres - A compiler for Windows resource files.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.(CVE-2022-48064)",
+    "cves": [
+      {
+        "id": "CVE-2022-48064",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48064",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1891": {
+    "id": "openEuler-SA-2022-1891",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1891",
+    "title": "An update for libvirt is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Libvirt is a C toolkit to interact with the virtualization capabilities of recent versions of Linux (and other OSes). The main package includes the libvirtd server exporting the virtualization support.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free flaw was found in libvirt. The qemuMonitorUnregister() function in qemuProcessHandleMonitorEOF is called using multiple threads without being adequately protected by a monitor lock. This flaw could be triggered by the virConnectGetAllDomainStats API when the guest is shutting down. An unprivileged client with a read-only connection could use this flaw to perform a denial of service attack by causing the libvirt daemon to crash.(CVE-2021-3975)",
+    "cves": [
+      {
+        "id": "CVE-2021-3975",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3975",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2042": {
+    "id": "openEuler-SA-2022-2042",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2042",
+    "title": "An update for multipath-tools is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "This package provides the multipath tool and the multipathd daemon to manage dm-multipath devices. multipath can detect and set up multipath maps. multipathd sets up multipath maps automatically,monitors path devices for failure, removal, or addition, and applies the necessary changes to the multipath maps to ensure continuous availability of the map devices.\r\n\r\nSecurity Fix(es):\r\n\r\nmultipath-tools 0.7.7 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited in conjunction with CVE-2022-41974. Local users able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which could lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root.(CVE-2022-41973)",
+    "cves": [
+      {
+        "id": "CVE-2022-41973",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41973",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1015": {
+    "id": "openEuler-SA-2024-1015",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1015",
+    "title": "An update for python-twisted is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Twisted is an event-based framework for internet applications, supporting Python 2.7 and Python 3.5+. It includes modules for many different purposes, including the following:\r\n\r\nSecurity Fix(es):\r\n\r\nTwisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline. Version 23.10.0rc1 contains a patch for this issue.(CVE-2023-46137)",
+    "cves": [
+      {
+        "id": "CVE-2023-46137",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46137",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1973": {
+    "id": "openEuler-SA-2022-1973",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1973",
+    "title": "An update for deltarpm is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Delta RPM packages contain the difference between an old and a new version of an RPM package. Applying a delta RPM on an old RPM results in the complete new RPM. It is not necessary to have a copy of the old RPM, because a delta RPM can also work with an installed RPM.\r\n\r\nSecurity Fix(es):\r\n\r\nzlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).(CVE-2022-37434)",
+    "cves": [
+      {
+        "id": "CVE-2022-37434",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37434",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1749": {
+    "id": "openEuler-SA-2024-1749",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1749",
+    "title": "An update for python-lxml is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The lxml XML toolkit is a Pythonic binding for the C libraries libxml2 and libxslt. \\ It is unique in that it combines the speed and XML feature completeness of these libraries with \\ the simplicity of a native Python API, mostly compatible but superior to the well-known ElementTree API. \\ The latest release works with all CPython versions from 2.7 to 3.7.\r\n\r\nSecurity Fix(es):\r\n\r\nAn XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of lxml before v4.9.1 allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted XML input.(CVE-2024-37388)",
+    "cves": [
+      {
+        "id": "CVE-2024-37388",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37388",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1286": {
+    "id": "openEuler-SA-2023-1286",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1286",
+    "title": "An update for python-django is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "A high-level Python Web framework that encourages rapid development and clean, pragmatic design.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's \"Uploading multiple files\" documentation suggested otherwise.(CVE-2023-31047)",
+    "cves": [
+      {
+        "id": "CVE-2023-31047",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31047",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1566": {
+    "id": "openEuler-SA-2023-1566",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1566",
+    "title": "An update for php is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts.\r\n\r\nSecurity Fix(es):\r\n\r\nIn PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress \"quines\" gzip files, resulting in an infinite loop.(CVE-2022-31628)",
+    "cves": [
+      {
+        "id": "CVE-2022-31628",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31628",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1657": {
+    "id": "openEuler-SA-2024-1657",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1657",
+    "title": "An update for youker-assistant is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Integrated tool to aid in routine system maintenance tasks Kylin Assistant is a tool designed to help Ubuntu and Ubuntu Kylin desktop users manage and maintain many aspects of their working environment conveniently in a single application, providing a consistent user experience.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability classified as critical was found in KylinSoft youker-assistant on KylinOS. Affected by this vulnerability is the function adjust_cpufreq_scaling_governer. The manipulation leads to os command injection. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.4.13 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-226099.(CVE-2023-2091)",
+    "cves": [
+      {
+        "id": "CVE-2023-2091",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2091",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1588": {
+    "id": "openEuler-SA-2024-1588",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1588",
+    "title": "An update for engrampa is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "Mate File Archiver is an application for creating and viewing archives files, such as zip, xv, bzip2, cab, rar and other compress formats.\r\n\r\nSecurity Fix(es):\r\n\r\nEngrampa is an archive manager for the MATE environment. Engrampa is found to be vulnerable to a Path Traversal vulnerability that can be leveraged to achieve full Remote Command Execution (RCE) on the target. While handling CPIO archives, the Engrampa Archive manager follows symlink, cpio by default will follow stored symlinks while extracting and the Archiver will not check the symlink location, which leads to arbitrary file writes to unintended locations. When the victim extracts the archive, the attacker can craft a malicious cpio or ISO archive to achieve RCE on the target system. This vulnerability was fixed in commit 63d5dfa.\n(CVE-2023-52138)",
+    "cves": [
+      {
+        "id": "CVE-2023-52138",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52138",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1450": {
+    "id": "openEuler-SA-2024-1450",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1450",
+    "title": "An update for LibRaw is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "LibRaw is a library for reading RAW files from digital photo cameras (CRW/CR2, NEF, RAF, etc, virtually all RAW formats are supported).It pays special attention to correct retrieval of data required for subsequent RAW conversion.The library is intended for embedding in RAW converters, data analyzers, and other programs using RAW files as the initial data.\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Overflow vulnerability in LibRaw linux/unix v0.20.0 allows attacker to escalate privileges via the LibRaw_buffer_datastream::gets(char*, int) in /src/libraw/src/libraw_datastream.cpp.(CVE-2021-32142)",
+    "cves": [
+      {
+        "id": "CVE-2021-32142",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32142",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1258": {
+    "id": "openEuler-SA-2023-1258",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1258",
+    "title": "An update for shadow is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Low",
+    "description": "This package includes the necessary programs for converting plain password files to the shadow password format and to manage user and group accounts.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that \"cat /etc/passwd\" shows a rogue user account.(CVE-2023-29383)",
+    "cves": [
+      {
+        "id": "CVE-2023-29383",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29383",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1290": {
+    "id": "openEuler-SA-2021-1290",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1290",
+    "title": "An update for aspell is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "GNU Aspell is a spell checker intended to replace Ispell. It can be used as a library and spell checker. Its main feature is that it provides much better suggestions than other inspectors, including Ispell and Microsoft Word. It also has many other technical enhancements to Ispell, such as the use of shared memory to store dictionaries, and intelligent processing of personal dictionaries when multiple Aspell processes are opened at one time.\r\n\r\nSecurity Fix(es):\r\n\r\nlibaspell.a in GNU Aspell before 0.60.8 has a stack-based buffer over-read in acommon::unescape in common/getdata.cpp via an isolated \\ character.(CVE-2019-17544)",
+    "cves": [
+      {
+        "id": "CVE-2019-17544",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17544",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1971": {
+    "id": "openEuler-SA-2022-1971",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1971",
+    "title": "An update for python-oauthlib is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nOAuthLib is an implementation of the OAuth request-signing logic for Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker providing malicious redirect uri can cause denial of service. An attacker can also leverage usage of `uri_validate` functions depending where it is used. OAuthLib applications using OAuth2.0 provider support or use directly `uri_validate` are affected by this issue. Version 3.2.1 contains a patch. There are no known workarounds.(CVE-2022-36087)",
+    "cves": [
+      {
+        "id": "CVE-2022-36087",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36087",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2119": {
+    "id": "openEuler-SA-2022-2119",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2119",
+    "title": "An update for apache-sshd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Apache SSHD is a 100% pure java library to support the SSH protocols on both the client and server side.\r\n\r\nSecurity Fix(es):\r\n\r\nClass org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.(CVE-2022-45047)",
+    "cves": [
+      {
+        "id": "CVE-2022-45047",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1728": {
+    "id": "openEuler-SA-2022-1728",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1728",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "This  provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. The latest version of the TIFF specification is available on-line in several different formats.And contains command-line programs for manipulating TIFF format image files using the libtiff library.\r\n\r\nSecurity Fix(es):\r\n\r\nLibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:624, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit b4e79bfa.(CVE-2022-1623)\r\n\r\nLibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:619, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit b4e79bfa.(CVE-2022-1622)",
+    "cves": [
+      {
+        "id": "CVE-2022-1622",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1622",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1664": {
+    "id": "openEuler-SA-2024-1664",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1664",
+    "title": "An update for giflib is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "giflib is a library of gif images and provides utilities for processing images.\r\n\r\nSecurity Fix(es):\r\n\r\nA memory leak (out-of-memory) in gif2rgb in util/gif2rgb.c in giflib 5.1.4 allows remote attackers trigger an out of memory exception or denial of service via a gif format file.(CVE-2021-40633)",
+    "cves": [
+      {
+        "id": "CVE-2021-40633",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40633",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1992": {
+    "id": "openEuler-SA-2023-1992",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1992",
+    "title": "An update for tar is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Low",
+    "description": "GNU Tar provides the ability to create tar archives, as well as various other kinds of manipulation. For example, you can use Tar on previously created archives to extract files, to store additional files, or to update or list files which were already stored.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in tar. This issue occurs when extended attributes are processed in PAX archives, and could allow an attacker to cause an application crash, resulting in a denial of service.(CVE-2023-39804)",
+    "cves": [
+      {
+        "id": "CVE-2023-39804",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39804",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1931": {
+    "id": "openEuler-SA-2022-1931",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1931",
+    "title": "An update for mailman is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Mailman is free software for managing electronic mail discussion and e-newsletter lists. Mailman is integrated with the web, making it easy for users to manage their accounts and for list owners to administer their lists. Mailman supports built-in archiving, automatic bounce processing, content filtering, digest delivery, spam filters, and more.\r\n\r\nSecurity Fix(es):\r\n\r\nIn GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. This could potentially be cracked by a moderator via an offline brute-force attack.(CVE-2021-43332)\r\n\r\nIn GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user options page can execute arbitrary JavaScript for XSS.(CVE-2021-43331)\r\n\r\nIn GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes.(CVE-2021-44227)",
+    "cves": [
+      {
+        "id": "CVE-2021-44227",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44227",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1816": {
+    "id": "openEuler-SA-2023-1816",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1816",
+    "title": "An update for zziplib is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The zziplib is a lightweight library to easily extract data from zip files. Applications can bundle files into a single zip archive and access them. The implementation is based only on the (free) subset of compression with the zlib algorithm which is actually used by the zip/unzip tools.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in function zzip_disk_entry_to_file_header in mmapped.c in zziplib 0.13.69, which will lead to a denial-of-service.(CVE-2020-18770)",
+    "cves": [
+      {
+        "id": "CVE-2020-18770",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-18770",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1763": {
+    "id": "openEuler-SA-2023-1763",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1763",
+    "title": "An update for freerdp is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "FreeRDP is a client implementation of the Remote Desktop Protocol (RDP) that follows Microsoft's open specifications. This package provides the client applications xfreerdp and wlfreerdp.\r\n\r\nSecurity Fix(es):\r\n\r\nIn FreeRDP before version 2.1.2, there is an out of bounds read in TrioParse. Logging might bypass string length checks due to an integer overflow. This is fixed in version 2.1.2.(CVE-2020-4030)",
+    "cves": [
+      {
+        "id": "CVE-2020-4030",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4030",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1951": {
+    "id": "openEuler-SA-2023-1951",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1951",
+    "title": "An update for xorg-x11-server is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "X.Org X11 X server\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in xorg-server. Querying or changing XKB button actions such as moving from a touchpad to a mouse can result in out-of-bounds memory reads and writes. This may allow local privilege escalation or possible remote code execution in cases where X11 forwarding is involved.(CVE-2023-6377)\r\n\r\nA flaw was found in xorg-server. A specially crafted request to RRChangeProviderProperty or RRChangeOutputProperty can trigger an integer overflow which may lead to a disclosure of sensitive information.(CVE-2023-6478)",
+    "cves": [
+      {
+        "id": "CVE-2023-6478",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6478",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2163": {
+    "id": "openEuler-SA-2022-2163",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2163",
+    "title": "An update for xorg-x11-server is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Xephyr is an X server which has been implemented as an ordinary X application.  It runs in a window just like other X applications,but it is an X server itself in which you can run other software.  It is a very useful tool for developers who wish to test their applications without running them on their real X server.  Unlike Xnest, Xephyr renders to an X image rather than relaying the X protocol, and therefore supports the newer X extensions like Render and Composite.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in X.Org. This security flaw occurs because the handler for the XvdiSelectVideoNotify request may write to memory after it has been freed. This issue can lead to local privileges elevation on systems where the X se(CVE-2022-46342)\r\n\r\nA vulnerability was found in X.Org. This security flaw occurs because the handler for the XIChangeProperty request has a length-validation issues, resulting in out-of-bounds memory reads and potential information disclosure. This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions.(CVE-2022-46344)\r\n\r\nA vulnerability was found in X.Org. This security flaw occurs becuase the swap handler for the XTestFakeInput request of the XTest extension may corrupt the stack if GenericEvents with lengths larger than 32 bytes are sent through a the XTestFakeInput request. This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions. This issue does not affect systems where client and server use the same byte order.(CVE-2022-46340)\r\n\r\nA vulnerability was found in X.Org. This security flaw occurs because the handler for the XIPassiveUngrab request accesses out-of-bounds memory when invoked with a high keycode or button code. This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions.(CVE-2022-46341)\r\n\r\nA vulnerability was found in X.Org. This security flaw occurs because the handler for the ScreenSaverSetAttributes request may write to memory after it has been freed. This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions.(CVE-2022-46343)\r\n\r\nA vulnerability was found in X.Org. This security flaw occurs because the XkbCopyNames function left a dangling pointer to freed memory, resulting in out-of-bounds memory access on subsequent XkbGetKbdByName requests.. This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions.(CVE-2022-4283)",
+    "cves": [
+      {
+        "id": "CVE-2022-4283",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4283",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1212": {
+    "id": "openEuler-SA-2021-1212",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1212",
+    "title": "An update for cups is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Low",
+    "description": "CUPS is the standards-based, open source printing system developed by Apple Inc. for UNIX®-like operating systems. CUPS uses the Internet PrintingProtocol (IPP) to support printing to local and network printers..\r\n\r\nSecurity Fix(es):\r\n\r\nA Incorrect Default Permissions vulnerability in the packaging of cups of SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Manager Server 4.0, SUSE OpenStack Cloud Crowbar 9; openSUSE Leap 15.2, Factory allows local attackers with control of the lp users to create files as root with 0644 permissions without the ability to set the content. This issue affects: SUSE Linux Enterprise Server 11-SP4-LTSS cups versions prior to 1.3.9. SUSE Manager Server 4.0 cups versions prior to 2.2.7. SUSE OpenStack Cloud Crowbar 9 cups versions prior to 1.7.5. openSUSE Leap 15.2 cups versions prior to 2.2.7. openSUSE Factory cups version 2.3.3op2-2.1 and prior versions.(CVE-2021-25317)",
+    "cves": [
+      {
+        "id": "CVE-2021-25317",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25317",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1344": {
+    "id": "openEuler-SA-2023-1344",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1344",
+    "title": "An update for libcap is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "This is a library for getting and setting POSIX.1e (formerly POSIX 6) draft 15 capabilities.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB.(CVE-2023-2603)",
+    "cves": [
+      {
+        "id": "CVE-2023-2603",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2603",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1795": {
+    "id": "openEuler-SA-2023-1795",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1795",
+    "title": "An update for xorg-x11-server is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "X.Org X11 X server\r\n\r\nSecurity Fix(es):\r\n\r\nA out-of-bounds write flaw was found in the xorg-x11-server. This issue occurs due to an incorrect calculation of a buffer offset when copying data stored in the heap in the XIChangeDeviceProperty function in Xi/xiproperty.c and in RRChangeOutputProperty function in randr/rrproperty.c, allowing for possible escalation of privileges or denial of service.(CVE-2023-5367)\r\n\r\nA use-after-free flaw was found in the xorg-x11-server. An X server crash may occur in a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode) if the pointer is warped from within a window on one screen to the root window of the other screen and if the original window is destroyed followed by another window being destroyed.(CVE-2023-5380)",
+    "cves": [
+      {
+        "id": "CVE-2023-5380",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5380",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1800": {
+    "id": "openEuler-SA-2024-1800",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1800",
+    "title": "An update for rubygem-activesupport is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.\r\n\r\nSecurity Fix(es):\r\n\r\nA Cross-Site-Scripting vulnerability was found in rubygem ActiveSupport. If the new bytesplice method is called on a SafeBuffer with untrusted user input, malicious code could be executed.(CVE-2023-28120)",
+    "cves": [
+      {
+        "id": "CVE-2023-28120",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28120",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1395": {
+    "id": "openEuler-SA-2024-1395",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1395",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: hda: intel-sdw-acpi: harden detection of controller\r\n\r\nThe existing code currently sets a pointer to an ACPI handle before\nchecking that it's actually a SoundWire controller. This can lead to\nissues where the graph walk continues and eventually fails, but the\npointer was set already.\r\n\r\nThis patch changes the logic so that the information provided to\nthe caller is set when a controller is found.(CVE-2021-46926)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nASoC: q6afe-clocks: fix reprobing of the driver\r\n\r\nQ6afe-clocks driver can get reprobed. For example if the APR services\nare restarted after the firmware crash. However currently Q6afe-clocks\ndriver will oops because hw.init will get cleared during first _probe\ncall. Rewrite the driver to fill the clock data at runtime rather than\nusing big static array of clocks.(CVE-2021-47037)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\napparmor: avoid crash when parsed profile name is empty\r\n\r\nWhen processing a packed profile in unpack_profile() described like\r\n\r\n \"profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}\"\r\n\r\na string \":samba-dcerpcd\" is unpacked as a fully-qualified name and then\npassed to aa_splitn_fqname().\r\n\r\naa_splitn_fqname() treats \":samba-dcerpcd\" as only containing a namespace.\nThus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later\naa_alloc_profile() crashes as the new profile name is NULL now.\r\n\r\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\nRIP: 0010:strlen+0x1e/0xa0\nCall Trace:\n <TASK>\n ? strlen+0x1e/0xa0\n aa_policy_init+0x1bb/0x230\n aa_alloc_profile+0xb1/0x480\n unpack_profile+0x3bc/0x4960\n aa_unpack+0x309/0x15e0\n aa_replace_profiles+0x213/0x33c0\n policy_update+0x261/0x370\n profile_replace+0x20e/0x2a0\n vfs_write+0x2af/0xe00\n ksys_write+0x126/0x250\n do_syscall_64+0x46/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n </TASK>\n---[ end trace 0000000000000000 ]---\nRIP: 0010:strlen+0x1e/0xa0\r\n\r\nIt seems such behaviour of aa_splitn_fqname() is expected and checked in\nother places where it is called (e.g. aa_remove_profiles). Well, there\nis an explicit comment \"a ns name without a following profile is allowed\"\ninside.\r\n\r\nAFAICS, nothing can prevent unpacked \"name\" to be in form like\n\":samba-dcerpcd\" - it is passed from userspace.\r\n\r\nDeny the whole profile set replacement in such case and inform user with\nEPROTO and an explaining message.\r\n\r\nFound by Linux Verification Center (linuxtesting.org).(CVE-2023-52443)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length\r\n\r\nIf the host sends an H2CData command with an invalid DATAL,\nthe kernel may crash in nvmet_tcp_build_pdu_iovec().\r\n\r\nUnable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000000\nlr : nvmet_tcp_io_work+0x6ac/0x718 [nvmet_tcp]\nCall trace:\n  process_one_work+0x174/0x3c8\n  worker_thread+0x2d0/0x3e8\n  kthread+0x104/0x110\r\n\r\nFix the bug by raising a fatal error if DATAL isn't coherent\nwith the packet size.\nAlso, the PDU length should never exceed the MAXH2CDATA parameter which\nhas been communicated to the host in nvmet_tcp_handle_icreq().(CVE-2023-52454)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nserial: imx: fix tx statemachine deadlock\r\n\r\nWhen using the serial port as RS485 port, the tx statemachine is used to\ncontrol the RTS pin to drive the RS485 transceiver TX_EN pin. When the\nTTY port is closed in the middle of a transmission (for instance during\nuserland application crash), imx_uart_shutdown disables the interface\nand disables the Transmission Complete interrupt. afer that,\nimx_uart_stop_tx bails on an incomplete transmission, to be retriggered\nby the TC interrupt. This interrupt is disabled and therefore the tx\nstatemachine never transitions out of SEND. The statemachine is in\ndeadlock now, and the TX_EN remains low, making the interface useless.\r\n\r\nimx_uart_stop_tx now checks for incomplete transmission AND whether TC\ninterrupts are enabled before bailing to be retriggered. This makes sure\nthe state machine handling is reached, and is properly set to\nWAIT_AFTER_SEND.(CVE-2023-52456)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmfd: syscon: Fix null pointer dereference in of_syscon_register()\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.(CVE-2023-52467)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrivers/amd/pm: fix a use-after-free in kv_parse_power_table\r\n\r\nWhen ps allocated by kzalloc equals to NULL, kv_parse_power_table\nfrees adev->pm.dpm.ps that allocated before. However, after the control\nflow goes through the following call chains:\r\n\r\nkv_parse_power_table\n  |-> kv_dpm_init\n        |-> kv_dpm_sw_init\n\t      |-> kv_dpm_fini\r\n\r\nThe adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its\nfirst free in kv_parse_power_table and causes a use-after-free bug.(CVE-2023-52469)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nperf/x86/lbr: Filter vsyscall addresses\r\n\r\nWe found that a panic can occur when a vsyscall is made while LBR sampling\nis active. If the vsyscall is interrupted (NMI) for perf sampling, this\ncall sequence can occur (most recent at top):\r\n\r\n    __insn_get_emulate_prefix()\n    insn_get_emulate_prefix()\n    insn_get_prefixes()\n    insn_get_opcode()\n    decode_branch_type()\n    get_branch_type()\n    intel_pmu_lbr_filter()\n    intel_pmu_handle_irq()\n    perf_event_nmi_handler()\r\n\r\nWithin __insn_get_emulate_prefix() at frame 0, a macro is called:\r\n\r\n    peek_nbyte_next(insn_byte_t, insn, i)\r\n\r\nWithin this macro, this dereference occurs:\r\n\r\n    (insn)->next_byte\r\n\r\nInspecting registers at this point, the value of the next_byte field is the\naddress of the vsyscall made, for example the location of the vsyscall\nversion of gettimeofday() at 0xffffffffff600000. The access to an address\nin the vsyscall region will trigger an oops due to an unhandled page fault.\r\n\r\nTo fix the bug, filtering for vsyscalls can be done when\ndetermining the branch type. This patch will return\na \"none\" branch if a kernel address if found to lie in the\nvsyscall region.(CVE-2023-52476)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: fix uaf in smb20_oplock_break_ack\r\n\r\ndrop reference after use opinfo.(CVE-2023-52479)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\niommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range\r\n\r\nWhen running an SVA case, the following soft lockup is triggered:\n--------------------------------------------------------------------\nwatchdog: BUG: soft lockup - CPU#244 stuck for 26s!\npstate: 83400009 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\npc : arm_smmu_cmdq_issue_cmdlist+0x178/0xa50\nlr : arm_smmu_cmdq_issue_cmdlist+0x150/0xa50\nsp : ffff8000d83ef290\nx29: ffff8000d83ef290 x28: 000000003b9aca00 x27: 0000000000000000\nx26: ffff8000d83ef3c0 x25: da86c0812194a0e8 x24: 0000000000000000\nx23: 0000000000000040 x22: ffff8000d83ef340 x21: ffff0000c63980c0\nx20: 0000000000000001 x19: ffff0000c6398080 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: ffff3000b4a3bbb0\nx14: ffff3000b4a30888 x13: ffff3000b4a3cf60 x12: 0000000000000000\nx11: 0000000000000000 x10: 0000000000000000 x9 : ffffc08120e4d6bc\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000048cfa\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : 000000000000000a\nx2 : 0000000080000000 x1 : 0000000000000000 x0 : 0000000000000001\nCall trace:\n arm_smmu_cmdq_issue_cmdlist+0x178/0xa50\n __arm_smmu_tlb_inv_range+0x118/0x254\n arm_smmu_tlb_inv_range_asid+0x6c/0x130\n arm_smmu_mm_invalidate_range+0xa0/0xa4\n __mmu_notifier_invalidate_range_end+0x88/0x120\n unmap_vmas+0x194/0x1e0\n unmap_region+0xb4/0x144\n do_mas_align_munmap+0x290/0x490\n do_mas_munmap+0xbc/0x124\n __vm_munmap+0xa8/0x19c\n __arm64_sys_munmap+0x28/0x50\n invoke_syscall+0x78/0x11c\n el0_svc_common.constprop.0+0x58/0x1c0\n do_el0_svc+0x34/0x60\n el0_svc+0x2c/0xd4\n el0t_64_sync_handler+0x114/0x140\n el0t_64_sync+0x1a4/0x1a8\n--------------------------------------------------------------------\r\n\r\nNote that since 6.6-rc1 the arm_smmu_mm_invalidate_range above is renamed\nto \"arm_smmu_mm_arch_invalidate_secondary_tlbs\", yet the problem remains.\r\n\r\nThe commit 06ff87bae8d3 (\"arm64: mm: remove unused functions and variable\nprotoypes\") fixed a similar lockup on the CPU MMU side. Yet, it can occur\nto SMMU too, since arm_smmu_mm_arch_invalidate_secondary_tlbs() is called\ntypically next to MMU tlb flush function, e.g.\n\ttlb_flush_mmu_tlbonly {\n\t\ttlb_flush {\n\t\t\t__flush_tlb_range {\n\t\t\t\t// check MAX_TLBI_OPS\n\t\t\t}\n\t\t}\n\t\tmmu_notifier_arch_invalidate_secondary_tlbs {\n\t\t\tarm_smmu_mm_arch_invalidate_secondary_tlbs {\n\t\t\t\t// does not check MAX_TLBI_OPS\n\t\t\t}\n\t\t}\n\t}\r\n\r\nClone a CMDQ_MAX_TLBI_OPS from the MAX_TLBI_OPS in tlbflush.h, since in an\nSVA case SMMU uses the CPU page table, so it makes sense to align with the\ntlbflush code. Then, replace per-page TLBI commands with a single per-asid\nTLBI command, if the request size hits this threshold.(CVE-2023-52484)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntls: fix race between tx work scheduling and socket close\r\n\r\nSimilarly to previous commit, the submitting thread (recvmsg/sendmsg)\nmay exit as soon as the async crypto handler calls complete().\nReorder scheduling the work before calling complete().\nThis seems more logical in the first place, as it's\nthe inverse order of what the submitting thread will do.(CVE-2024-26585)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Reject variable offset alu on PTR_TO_FLOW_KEYS\r\n\r\nFor PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off\nfor validation. However, variable offset ptr alu is not prohibited\nfor this ptr kind. So the variable offset is not checked.\r\n\r\nThe following prog is accepted:\r\n\r\n  func#0 @0\n  0: R1=ctx() R10=fp0\n  0: (bf) r6 = r1                       ; R1=ctx() R6_w=ctx()\n  1: (79) r7 = *(u64 *)(r6 +144)        ; R6_w=ctx() R7_w=flow_keys()\n  2: (b7) r8 = 1024                     ; R8_w=1024\n  3: (37) r8 /= 1                       ; R8_w=scalar()\n  4: (57) r8 &= 1024                    ; R8_w=scalar(smin=smin32=0,\n  smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400))\n  5: (0f) r7 += r8\n  mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1\n  mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024\n  mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1\n  mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024\n  6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off\n  =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024,\n  var_off=(0x0; 0x400))\n  6: (79) r0 = *(u64 *)(r7 +0)          ; R0_w=scalar()\n  7: (95) exit\r\n\r\nThis prog loads flow_keys to r7, and adds the variable offset r8\nto r7, and finally causes out-of-bounds access:\r\n\r\n  BUG: unable to handle page fault for address: ffffc90014c80038\n  [...]\n  Call Trace:\n   <TASK>\n   bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]\n   __bpf_prog_run include/linux/filter.h:651 [inline]\n   bpf_prog_run include/linux/filter.h:658 [inline]\n   bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline]\n   bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991\n   bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359\n   bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]\n   __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475\n   __do_sys_bpf kernel/bpf/syscall.c:5561 [inline]\n   __se_sys_bpf kernel/bpf/syscall.c:5559 [inline]\n   __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nFix this by rejecting ptr alu with variable offset on flow_keys.\nApplying the patch rejects the program with \"R7 pointer arithmetic\non flow_keys prohibited\".(CVE-2024-26589)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni2c: i801: Fix block process call transactions\r\n\r\nAccording to the Intel datasheets, software must reset the block\nbuffer index twice for block process call transactions: once before\nwriting the outgoing data to the buffer, and once again before\nreading the incoming data from the buffer.\r\n\r\nThe driver is currently missing the second reset, causing the wrong\nportion of the block buffer to be read.(CVE-2024-26593)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: qualcomm: rmnet: fix global oob in rmnet_policy\r\n\r\nThe variable rmnet_link_ops assign a *bigger* maxtype which leads to a\nglobal out-of-bounds read when parsing the netlink attributes. See bug\ntrace below:\r\n\r\n==================================================================\nBUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline]\nBUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\nRead of size 1 at addr ffffffff92c438d0 by task syz-executor.6/84207\r\n\r\nCPU: 0 PID: 84207 Comm: syz-executor.6 Tainted: G                 N 6.1.0 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x172/0x475 mm/kasan/report.c:395\n kasan_report+0xbb/0x1c0 mm/kasan/report.c:495\n validate_nla lib/nlattr.c:386 [inline]\n __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\n __nla_parse+0x3e/0x50 lib/nlattr.c:697\n nla_parse_nested_deprecated include/net/netlink.h:1248 [inline]\n __rtnl_newlink+0x50a/0x1880 net/core/rtnetlink.c:3485\n rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3594\n rtnetlink_rcv_msg+0x43c/0xd70 net/core/rtnetlink.c:6091\n netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg+0x154/0x190 net/socket.c:734\n ____sys_sendmsg+0x6df/0x840 net/socket.c:2482\n ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536\n __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fdcf2072359\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fdcf13e3168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007fdcf219ff80 RCX: 00007fdcf2072359\nRDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003\nRBP: 00007fdcf20bd493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fffbb8d7bdf R14: 00007fdcf13e3300 R15: 0000000000022000\n </TASK>\r\n\r\nThe buggy address belongs to the variable:\n rmnet_policy+0x30/0xe0\r\n\r\nThe buggy address belongs to the physical page:\npage:0000000065bdeb3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x155243\nflags: 0x200000000001000(reserved|node=0|zone=2)\nraw: 0200000000001000 ffffea00055490c8 ffffea00055490c8 0000000000000000\nraw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\r\n\r\nMemory state around the buggy address:\n ffffffff92c43780: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 07\n ffffffff92c43800: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 06 f9 f9 f9\n>ffffffff92c43880: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9\n                                                 ^\n ffffffff92c43900: 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9\n ffffffff92c43980: 00 00 00 07 f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9\r\n\r\nAccording to the comment of `nla_parse_nested_deprecated`, the maxtype\nshould be len(destination array) - 1. Hence use `IFLA_RMNET_MAX` here.(CVE-2024-26597)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nphy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP\r\n\r\nIf the external phy working together with phy-omap-usb2 does not implement\nsend_srp(), we may still attempt to call it. This can happen on an idle\nEthernet gadget triggering a wakeup for example:\r\n\r\nconfigfs-gadget.g1 gadget.0: ECM Suspend\nconfigfs-gadget.g1 gadget.0: Port suspended. Triggering wakeup\n...\nUnable to handle kernel NULL pointer dereference at virtual address\n00000000 when execute\n...\nPC is at 0x0\nLR is at musb_gadget_wakeup+0x1d4/0x254 [musb_hdrc]\n...\nmusb_gadget_wakeup [musb_hdrc] from usb_gadget_wakeup+0x1c/0x3c [udc_core]\nusb_gadget_wakeup [udc_core] from eth_start_xmit+0x3b0/0x3d4 [u_ether]\neth_start_xmit [u_ether] from dev_hard_start_xmit+0x94/0x24c\ndev_hard_start_xmit from sch_direct_xmit+0x104/0x2e4\nsch_direct_xmit from __dev_queue_xmit+0x334/0xd88\n__dev_queue_xmit from arp_solicit+0xf0/0x268\narp_solicit from neigh_probe+0x54/0x7c\nneigh_probe from __neigh_event_send+0x22c/0x47c\n__neigh_event_send from neigh_resolve_output+0x14c/0x1c0\nneigh_resolve_output from ip_finish_output2+0x1c8/0x628\nip_finish_output2 from ip_send_skb+0x40/0xd8\nip_send_skb from udp_send_skb+0x124/0x340\nudp_send_skb from udp_sendmsg+0x780/0x984\nudp_sendmsg from __sys_sendto+0xd8/0x158\n__sys_sendto from ret_fast_syscall+0x0/0x58\r\n\r\nLet's fix the issue by checking for send_srp() and set_vbus() before\ncalling them. For USB peripheral only cases these both could be NULL.(CVE-2024-26600)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nx86/fpu: Stop relying on userspace for info to fault in xsave buffer\r\n\r\nBefore this change, the expected size of the user space buffer was\ntaken from fx_sw->xstate_size. fx_sw->xstate_size can be changed\nfrom user-space, so it is possible construct a sigreturn frame where:\r\n\r\n * fx_sw->xstate_size is smaller than the size required by valid bits in\n   fx_sw->xfeatures.\n * user-space unmaps parts of the sigrame fpu buffer so that not all of\n   the buffer required by xrstor is accessible.\r\n\r\nIn this case, xrstor tries to restore and accesses the unmapped area\nwhich results in a fault. But fault_in_readable succeeds because buf +\nfx_sw->xstate_size is within the still mapped area, so it goes back and\ntries xrstor again. It will spin in this loop forever.\r\n\r\nInstead, fault in the maximum size which can be touched by XRSTOR (taken\nfrom fpstate->user_size).\r\n\r\n[ dhansen: tweak subject / changelog ](CVE-2024-26603)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbinder: signal epoll threads of self-work\r\n\r\nIn (e)poll mode, threads often depend on I/O events to determine when\ndata is ready for consumption. Within binder, a thread may initiate a\ncommand via BINDER_WRITE_READ without a read buffer and then make use\nof epoll_wait() or similar to consume any responses afterwards.\r\n\r\nIt is then crucial that epoll threads are signaled via wakeup when they\nqueue their own work. Otherwise, they risk waiting indefinitely for an\nevent leaving their work unhandled. What is worse, subsequent commands\nwon't trigger a wakeup either as the thread has pending work.(CVE-2024-26606)",
+    "cves": [
+      {
+        "id": "CVE-2024-26606",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26606",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1419": {
+    "id": "openEuler-SA-2024-1419",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1419",
+    "title": "An update for libdwarf is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "Libdwarf is a library of functions to provide read/write DWARF debugging records.\r\n\r\nSecurity Fix(es):\r\n\r\nA double-free vulnerability was found in libdwarf. In a multiply-corrupted DWARF object, libdwarf may try to dealloc(free) an allocation twice, potentially causing unpredictable and various results.(CVE-2024-2002)",
+    "cves": [
+      {
+        "id": "CVE-2024-2002",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2002",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2118": {
+    "id": "openEuler-SA-2022-2118",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2118",
+    "title": "An update for grub2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "GNU GRUB is a Multiboot boot loader. It was derived from GRUB, the GRand Unified Bootloader, which was originally designed and implemented by Erich Stefan Boleyn.Briefly, a boot loader is the first software program that runs when a computer starts. It is responsible for loading and transferring control to the operating system kernel software (such as the Hurd or Linux). The kernel, in turn, initializes the rest of the operating system (e.g. GNU).\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found where a maliciously crafted pf2 font could lead to an out-of-bounds write in grub2. A successful attack can lead to memory corruption and secure boot circumvention.(CVE-2022-2601)\r\n\r\nA flaw was found in the grub2 font code. When rendering certain unicode sequences, it fails to properly validate the font width and height. These values are further used to access the font buffer, causing possible out-of-bounds writes. A malicious actor may craft a font capable of triggering this issue, allowing modifications in unauthorized memory segments, causing data integrity problems or leading to denial of service.(CVE-2022-3775)",
+    "cves": [
+      {
+        "id": "CVE-2022-3775",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3775",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2075": {
+    "id": "openEuler-SA-2022-2075",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2075",
+    "title": "An update for freetds is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "FreeTDS is an open source implementation of the TDS (Tabular Data Stream) protocol used by these databases for their own clients. It supports many different flavors of the protocol and three APIs to access it. FreeTDS includes call level interfaces for DB-Lib, CT-Lib, and ODBC.\r\n\r\nSecurity Fix(es):\r\n\r\nFreeTDS through 1.1.11 has a Buffer Overflow.(CVE-2019-13508)",
+    "cves": [
+      {
+        "id": "CVE-2019-13508",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13508",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2058": {
+    "id": "openEuler-SA-2022-2058",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2058",
+    "title": "An update for pixman is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Pixman is a low-level software library for pixel manipulation, providing features such\\ \\as image compositing and trapezoid rasterization.\\\r\n\r\nSecurity Fix(es):\r\n\r\nIn libpixman in Pixman before 0.42.2, there is an out-of-bounds write (aka heap-based buffer overflow) in rasterize_edges_8 due to an integer overflow in pixman_sample_floor_y.(CVE-2022-44638)",
+    "cves": [
+      {
+        "id": "CVE-2022-44638",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44638",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1605": {
+    "id": "openEuler-SA-2022-1605",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1605",
+    "title": "An update for OpenEXR is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light & Magic for use in computer imaging applications.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in OpenEXR's Multipart input file functionality. A crafted multi-part input file with no actual parts can trigger a NULL pointer dereference. The highest threat from this vulnerability is to system availability.(CVE-2021-20299)",
+    "cves": [
+      {
+        "id": "CVE-2021-20299",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20299",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1851": {
+    "id": "openEuler-SA-2023-1851",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1851",
+    "title": "An update for shadow is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Tools for managing accounts and shadow password files.\r\n\r\nSecurity Fix(es):\r\n\r\nshadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees(CVE-2013-4235)",
+    "cves": [
+      {
+        "id": "CVE-2013-4235",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4235",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1331": {
+    "id": "openEuler-SA-2024-1331",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1331",
+    "title": "An update for python-yaql is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "YAQL (Yet Another Query Language) is an embeddable and extensible query language, that allows performing complex queries against arbitrary objects. It has a vast and comprehensive standard library of frequently used querying functions and can be extend even further with user-specified functions. YAQL is written in python and is distributed via PyPI.\r\n\r\nSecurity Fix(es):\r\n\r\nIn OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information.(CVE-2024-29156)",
+    "cves": [
+      {
+        "id": "CVE-2024-29156",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29156",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1661": {
+    "id": "openEuler-SA-2023-1661",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1661",
+    "title": "An update for python-django is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.\r\n\r\nSecurity Fix(es):\r\n\r\nAn uncontrolled resource consumption vulnerability was found in Django. Feeding certain inputs with a very large number of Unicode characters to the URI to IRI encoder function can lead to a denial of service.(CVE-2023-41164)",
+    "cves": [
+      {
+        "id": "CVE-2023-41164",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41164",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1134": {
+    "id": "openEuler-SA-2023-1134",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1134",
+    "title": "An update for leptonica is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The library supports many operations that are useful on\n\t\t* Document images\n\t\t* Natural images\n\t\tFundamental image processing and image analysis operations\n\t\t* Rasterop (aka bitblt)\n\t\t* Affine transforms (scaling, translation, rotation, shear)on images of arbitrary pixel depth\n\t\t* Projective and bi-linear transforms\n\t\t* Binary and gray scale morphology, rank order filters, and convolution\n\t\t* Seed-fill and connected components\n\t\t* Image transformations with changes in pixel depth, both at the same scale and with scale change\n\t\t* Pixelwise masking, blending, enhancement, arithmetic ops,etc.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue in the Leptonica linked library (v1.79.0) allows attackers to cause an arithmetic exception leading to a Denial of Service (DoS) via a crafted JPEG file.(CVE-2022-38266)",
+    "cves": [
+      {
+        "id": "CVE-2022-38266",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38266",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1013": {
+    "id": "openEuler-SA-2023-1013",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1013",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there is a use-after-free caused by refcount races, affecting dvb_demux_open and dvb_dmxdev_release.(CVE-2022-41218)\r\n\r\nGuests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329).(CVE-2022-42329)\n\nAn issue was discovered in the Linux kernel through 5.16-rc6. malidp_crtc_reset in drivers/gpu/drm/arm/malidp_crtc.c lacks check of the return value of kzalloc() and will cause the null pointer dereference.(CVE-2022-3115)",
+    "cves": [
+      {
+        "id": "CVE-2022-3115",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3115",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1367": {
+    "id": "openEuler-SA-2023-1367",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1367",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nAn issue was discovered in the Linux kernel before 6.2.9. A use-after-free was found in bq24190_remove in drivers/power/supply/bq24190_charger.c. It could allow a local attacker to crash the system due to a race condition.(CVE-2023-33288)\n\nAn issue was discovered in the Linux kernel before 6.2. The ntfs3 subsystem does not properly check for correctness during disk reads, leading to an out-of-bounds read in ntfs_set_ea in fs/ntfs3/xattr.c.(CVE-2022-48502)",
+    "cves": [
+      {
+        "id": "CVE-2022-48502",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48502",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1748": {
+    "id": "openEuler-SA-2024-1748",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1748",
+    "title": "An update for mozjs78 is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "SpiderMonkey is the code-name for Mozilla Firefox's C++ implementation of JavaScript. It is intended to be embedded in other applications that provide host environments for JavaScript.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nIn the <code>nsTArray_Impl::ReplaceElementsAt()</code> function, an integer overflow could have occurred when the number of elements to replace was too large for the container. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.(CVE-2022-34481)\r\n\r\nA local attacker can trick the Mozilla Maintenance Service into applying an unsigned update file by pointing the service at an update file on a malicious SMB server. The update file can be replaced after the signature check, before the use, because the write-lock requested by the service does not work on a SMB server.\r\n\r\n*Note: This attack requires local system access and only affects Windows. Other operating systems are not affected.* This vulnerability affects Firefox < 112, Firefox ESR < 102.10, and Thunderbird < 102.10.\r\n\r\n(CVE-2023-29532)",
+    "cves": [
+      {
+        "id": "CVE-2023-29532",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29532",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1546": {
+    "id": "openEuler-SA-2024-1546",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1546",
+    "title": "An update for sssd is now available for openEuler-20.03-LTS-SP1,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "SSSD provides a set of daemons to manage access to remote directories and authentication mechanisms such as LDAP, Kerberos or FreeIPA. It provides an NSS and PAM interface toward the system and a pluggable backend system to connect to multiple different account sources.\r\n\r\nSecurity Fix(es):\r\n\r\nA race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately.(CVE-2023-3758)",
+    "cves": [
+      {
+        "id": "CVE-2023-3758",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3758",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1833": {
+    "id": "openEuler-SA-2022-1833",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1833",
+    "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nAES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn t written. In the special case of in place encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).(CVE-2022-2097)",
+    "cves": [
+      {
+        "id": "CVE-2022-2097",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2097",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1492": {
+    "id": "openEuler-SA-2023-1492",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1492",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel before 6.3.8. fs/smb/server/smb2pdu.c in ksmbd has an integer underflow and out-of-bounds read in deassemble_neg_contexts.(CVE-2023-38427)\r\n\r\nAn issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/connection.c in ksmbd has an off-by-one error in memory allocation (because of ksmbd_smb2_check_message) that may lead to out-of-bounds access.(CVE-2023-38429)\r\n\r\nAn issue was discovered in the Linux kernel before 6.3.9. ksmbd does not validate the SMB request protocol ID, leading to an out-of-bounds read.(CVE-2023-38430)\r\n\r\nA use-after-free flaw was found in the Linux kernel's netfilter in the way a user triggers the nft_pipapo_remove function with the element, without a NFT_SET_EXT_KEY_END. This issue could allow a local user to crash the system or potentially escalate their privileges on the system.(CVE-2023-4004)",
+    "cves": [
+      {
+        "id": "CVE-2023-4004",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4004",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1780": {
+    "id": "openEuler-SA-2024-1780",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1780",
+    "title": "An update for ruby is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Ruby is a fast and easy interpreted scripting language for object-oriented programming. It has many functions for processing text Files and perform system management tasks (such as Perl).\r\n\r\nSecurity Fix(es):\r\n\r\nRubygems.org is the Ruby community's gem hosting service. A Gem publisher can cause a Remote DoS when publishing a Gem. This is due to how Ruby reads the Manifest of Gem files when using Gem::Specification.from_yaml. from_yaml makes use of SafeYAML.load which allows YAML aliases inside the YAML-based metadata of a gem. YAML aliases allow for Denial of Service attacks with so-called `YAML-bombs` (comparable to Billion laughs attacks). This was patched. There is is no action required by users. This issue is also tracked as GHSL-2024-001 and was discovered by the GitHub security lab.(CVE-2024-35221)",
+    "cves": [
+      {
+        "id": "CVE-2024-35221",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35221",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1272": {
+    "id": "openEuler-SA-2021-1272",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1272",
+    "title": "An update for gupnp is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "GUPnP is an elegant, object-oriented open source framework for creating UPnP devices and control points, written in C using GObject and libsoup. The GUPnP API is intended to be easy to use, efficient and flexible. It provides the same set of features as libupnp,but shields the developer from most of UPnP's internals.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2.x before 1.2.5. It allows DNS rebinding. A remote web server can exploit this vulnerability to trick a victim's browser into triggering actions against local UPnP services implemented using this library. Depending on the affected service, this could be used for data exfiltration, data tempering, etc.(CVE-2021-33516)",
+    "cves": [
+      {
+        "id": "CVE-2021-33516",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33516",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1526": {
+    "id": "openEuler-SA-2022-1526",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1526",
+    "title": "An update for python-pillow is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "Python image processing library.\r\n\r\nSecurity Fix(es):\r\n\r\npath_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.(CVE-2022-22816)\r\n\r\nPIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method.(CVE-2022-22817)\r\n\r\npath_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.(CVE-2022-22815)",
+    "cves": [
+      {
+        "id": "CVE-2022-22815",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22815",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1959": {
+    "id": "openEuler-SA-2023-1959",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1959",
+    "title": "An update for curl is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Low",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen saving HSTS data to an excessively long file name, curl could end up\nremoving all contents, making subsequent requests using that file unaware of\nthe HSTS status they should otherwise use.\n(CVE-2023-46219)",
+    "cves": [
+      {
+        "id": "CVE-2023-46219",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46219",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1480": {
+    "id": "openEuler-SA-2024-1480",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1480",
+    "title": "An update for curl is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory.  Further, this error condition fails silently and is therefore not easily detected by an application.(CVE-2024-2398)",
+    "cves": [
+      {
+        "id": "CVE-2024-2398",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2398",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1802": {
+    "id": "openEuler-SA-2023-1802",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1802",
+    "title": "An update for httpd is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\r\n\r\nSecurity Fix(es):\r\n\r\nOut-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server: through 2.4.57.\r\n\r\n(CVE-2023-31122)\r\n\r\nWhen a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that.\r\n\r\nThis was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During \"normal\" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out.\r\n\r\nUsers are recommended to upgrade to version 2.4.58, which fixes the issue.\n(CVE-2023-45802)",
+    "cves": [
+      {
+        "id": "CVE-2023-45802",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45802",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1348": {
+    "id": "openEuler-SA-2023-1348",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1348",
+    "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\n\nSecurity Fix(es):\n\nA vulnerability was found in ImageMagick. This security flaw ouccers as an undefined behaviors of casting double to size_t in svg, mvg and other coders (recurring bugs of CVE-2022-32546).(CVE-2023-34151)",
+    "cves": [
+      {
+        "id": "CVE-2023-34151",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34151",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1581": {
+    "id": "openEuler-SA-2023-1581",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1581",
+    "title": "An update for libreswan is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Libreswan is an implementation of IKEv1 and IKEv2 for IPsec. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. \r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Libreswan before 4.12. When an IKEv2 Child SA REKEY packet contains an invalid IPsec protocol ID number of 0 or 1, an error notify INVALID_SPI is sent back. The notify payload's protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an assertion that the protocol ID must be ESP (2) or AH(3) and causes the pluto daemon to crash and restart. NOTE: the earliest affected version is 3.20.(CVE-2023-38710)\r\n\r\nAn issue was discovered in Libreswan before 4.12. When an IKEv1 Quick Mode connection configured with ID_IPV4_ADDR or ID_IPV6_ADDR receives an IDcr payload with ID_FQDN, a NULL pointer dereference causes a crash and restart of the pluto daemon. NOTE: the earliest affected version is 4.6.(CVE-2023-38711)\r\n\r\nAn issue was discovered in Libreswan 3.x and 4.x before 4.12. When an IKEv1 ISAKMP SA Informational Exchange packet contains a Delete/Notify payload followed by further Notifies that act on the ISAKMP SA, such as a duplicated Delete/Notify message, a NULL pointer dereference on the deleted state causes the pluto daemon to crash and restart.(CVE-2023-38712)",
+    "cves": [
+      {
+        "id": "CVE-2023-38712",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38712",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1337": {
+    "id": "openEuler-SA-2021-1337",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1337",
+    "title": "An update for xstream is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design, making it suitable for large object graphs or systems with high message throughput. No information is duplicated that can be obtained via reflection. This results in XML that is easier to read for humans and more compact than native Java serialization. XStream serializes internal fields, including private and final. Supports non-public and inner classes. Classes are not required to have default constructor. Duplicate references encountered in the object-model will be maintained. Supports circular references. By implementing an interface, XStream can serialize directly to/from any tree structure (not just XML). Strategies can be registered allowing customization of how particular types are represented as XML. When an exception occurs due to malformed XML, detailed diagnostics are provided to help isolate and fix the problem.\r\n\r\nSecurity Fix(es):\r\n\r\nXStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.(CVE-2021-39139)\r\n\r\nXStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.(CVE-2021-39141)\r\n\r\nXStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.(CVE-2021-39146)\r\n\r\nXStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.(CVE-2021-39144)\r\n\r\nXStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.(CVE-2021-39145)\r\n\r\nXStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.(CVE-2021-39153)\r\n\r\nXStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.(CVE-2021-39148)\r\n\r\nXStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.(CVE-2021-39150)\r\n\r\nXStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.(CVE-2021-39152)\r\n\r\nXStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.(CVE-2021-39147)\r\n\r\nXStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.(CVE-2021-39140)\r\n\r\nXStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.(CVE-2021-39154)\r\n\r\nXStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.(CVE-2021-39149)\r\n\r\nXStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.(CVE-2021-39151)",
+    "cves": [
+      {
+        "id": "CVE-2021-39151",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39151",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1140": {
+    "id": "openEuler-SA-2024-1140",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1140",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel before 6.4.5, drivers/gpu/drm/drm_atomic.c has a use-after-free during a race condition between a nonblocking atomic commit and a driver unload.(CVE-2023-51043)\r\n\r\nA use-after-free flaw was found in the Linux Kernel due to a race problem in the unix garbage collector's deletion of SKB races with unix_stream_read_generic() on the socket that the SKB is queued on.(CVE-2023-6531)",
+    "cves": [
+      {
+        "id": "CVE-2023-6531",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6531",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1591": {
+    "id": "openEuler-SA-2022-1591",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1591",
+    "title": "An update for spark is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Apache Spark achieves high performance for both batch and streaming data, using a state-of-the-art DAG scheduler, a query optimizer, and a physical execution engine.\r\n\r\nSecurity Fix(es):\r\n\r\nApache Spark supports end-to-end encryption of RPC connections via \"spark.authenticate\" and \"spark.network.crypto.enabled\". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by \"spark.authenticate.enableSaslEncryption\", \"spark.io.encryption.enabled\", \"spark.ssl\", \"spark.ui.strictTransportSecurity\". Update to Apache Spark 3.1.3 or later(CVE-2021-38296)",
+    "cves": [
+      {
+        "id": "CVE-2021-38296",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38296",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1660": {
+    "id": "openEuler-SA-2022-1660",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1660",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nInsufficient control flow management for the Intel(R) 82599 Ethernet Controllers and Adapters may allow an authenticated user to potentially enable denial of service via local access.(CVE-2021-33061)",
+    "cves": [
+      {
+        "id": "CVE-2021-33061",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33061",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1876": {
+    "id": "openEuler-SA-2024-1876",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1876",
+    "title": "An update for ffmpeg is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash.\r\n\r\nSecurity Fix(es):\r\n\r\nAn integer overflow vulnerability was found in FFmpeg versions before 4.4.2 and before 5.0.1 in g729_parse() in llibavcodec/g729_parser.c when processing a specially crafted file.(CVE-2022-1475)\r\n\r\nlibavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and other products, leaves stale hwaccel state in worker threads, which allows attackers to trigger a use-after-free and execute arbitrary code in some circumstances (e.g., hardware re-initialization upon a mid-video SPS change when Direct3D11 is used).(CVE-2022-48434)\r\n\r\nFFmpeg 7.0 is vulnerable to Buffer Overflow. There is a negative-size-param bug at libavcodec/mpegvideo_enc.c:1216:21 in load_input_picture in FFmpeg7.0(CVE-2024-32230)",
+    "cves": [
+      {
+        "id": "CVE-2024-32230",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32230",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1336": {
+    "id": "openEuler-SA-2024-1336",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1336",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.(CVE-2023-3019)",
+    "cves": [
+      {
+        "id": "CVE-2023-3019",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3019",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1236": {
+    "id": "openEuler-SA-2024-1236",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1236",
+    "title": "An update for xerces-c is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Xerces-C is a validating XML parser written in a portable subset of C++. Xerces-C makes it easy to give your application the ability to read and write XML data. A shared library is provided for parsing, generating, manipulating, and validating XML documents. Xerces-C is faithful to the XML 1.0 recommendation and associated standards ( DOM 1.0, DOM 2.0. SAX 1.0, SAX 2.0, Namespaces).\r\n\r\nSecurity Fix(es):\r\n\r\nThe Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.(CVE-2018-1311)",
+    "cves": [
+      {
+        "id": "CVE-2018-1311",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1311",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1594": {
+    "id": "openEuler-SA-2022-1594",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1594",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "This libtiff provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. The latest version of the TIFF specification is available on-line in several different formats.And contains command-line programs for manipulating TIFF format image files using the libtiff library.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap buffer overflow in ExtractImageSection function in tiffcrop.c in libtiff library Version 4.3.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact(CVE-2022-0891)",
+    "cves": [
+      {
+        "id": "CVE-2022-0891",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0891",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1185": {
+    "id": "openEuler-SA-2024-1185",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1185",
+    "title": "An update for shim is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Initial UEFI bootloader that handles chaining to a trusted full \\ bootloader under secure boot environments.\r\n\r\nSecurity Fix(es):\r\n\r\nA security vulnerability has been identified in all supported versions\r\n\r\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints.  Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\r\n\r\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0464)",
+    "cves": [
+      {
+        "id": "CVE-2023-0464",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0464",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1002": {
+    "id": "openEuler-SA-2024-1002",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1002",
+    "title": "An update for rubygem-puma is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "A simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications.\r\n\r\nSecurity Fix(es):\r\n\r\nPuma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.(CVE-2022-23634)",
+    "cves": [
+      {
+        "id": "CVE-2022-23634",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23634",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1893": {
+    "id": "openEuler-SA-2023-1893",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1893",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "This  provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. The latest version of the TIFF specification is available on-line in several different formats.And contains command-line programs for manipulating TIFF format image files using the libtiff library.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-memory flaw was found in libtiff. Passing a crafted tiff file to TIFFOpen() API may allow a remote attacker to cause a denial of service via a craft input with size smaller than 379 KB.(CVE-2023-6277)",
+    "cves": [
+      {
+        "id": "CVE-2023-6277",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6277",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1773": {
+    "id": "openEuler-SA-2024-1773",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1773",
+    "title": "An update for poppler is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3 and openEuler-24.03-LTS",
+    "severity": "High",
+    "description": "Poppler is a free software utility library for rendering Portable Document Format (PDF) documents. \\ Its development is supported by freedesktop.org. It is commonly used on Linux systems,and is used by \\ the PDF viewers of the open source GNOME and KDE desktop environments.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Poppler's Pdfinfo utility. This issue occurs when using -dests parameter with pdfinfo utility. By using certain malformed input files, an attacker could cause the utility to crash, leading to a denial of service.(CVE-2024-6239)",
+    "cves": [
+      {
+        "id": "CVE-2024-6239",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6239",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1747": {
+    "id": "openEuler-SA-2022-1747",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1747",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nNo description is available for this CVE.(CVE-2022-1354)",
+    "cves": [
+      {
+        "id": "CVE-2022-1354",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1354",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1942": {
+    "id": "openEuler-SA-2022-1942",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1942",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nNon-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.(CVE-2022-26373)\r\n\r\nA heap-based buffer overflow was found in the Linux kernel's LightNVM subsystem. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. This vulnerability allows a local attacker to escalate privileges and execute arbitrary code in the context of the kernel. The attacker must first obtain the ability to execute high-privileged code on the target system to exploit this vulnerability.(CVE-2022-2991)\r\n\r\nAn out-of-bounds memory read flaw was found in the Linux kernel's BPF subsystem in how a user calls the bpf_tail_call function with a key larger than the max_entries of the map. This flaw allows a local user to gain unauthorized access to data.(CVE-2022-2905)\r\n\r\nAn issue was discovered in the Linux kernel through 5.16-rc6. There is a lack of check after calling vzalloc() and lack of free after allocation in drivers/media/test-drivers/vidtv/vidtv_s302m.c.(CVE-2022-3078)\r\n\r\nAn issue was discovered in the Linux kernel through 5.19.8. drivers/firmware/efi/capsule-loader.c has a race condition with a resultant use-after-free.(CVE-2022-40307)",
+    "cves": [
+      {
+        "id": "CVE-2022-40307",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40307",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2097": {
+    "id": "openEuler-SA-2022-2097",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2097",
+    "title": "An update for python3 is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces. This package Provides python version 3.\r\n\r\nSecurity Fix(es):\r\n\r\nPython 3.9.x and 3.10.x through 3.10.8 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.4, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.(CVE-2022-42919)",
+    "cves": [
+      {
+        "id": "CVE-2022-42919",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42919",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1305": {
+    "id": "openEuler-SA-2023-1305",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1305",
+    "title": "An update for libssh is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote programs. With its Secure FTP implementation, you can play with remote files easily, without third-party programs others than libcrypto (from openssl).\r\n\r\nSecurity Fix(es):\r\n\r\nA NULL pointer dereference was found In libssh during re-keying with algorithm guessing. This issue may allow an authenticated client to cause a denial of service.(CVE-2023-1667)\r\n\r\nA vulnerability was found in libssh, where the authentication check of the connecting client can be bypassed in the`pki_verify_data_signature` function in memory allocation problems. This issue may happen if there is insufficient memory or the memory usage is limited. The problem is caused by the return value `rc,` which is initialized to SSH_ERROR and later rewritten to save the return value of the function call `pki_key_check_hash_compatible.` The value of the variable is not changed between this point and the cryptographic verification. Therefore any error between them calls `goto error` returning SSH_OK.(CVE-2023-2283)",
+    "cves": [
+      {
+        "id": "CVE-2023-2283",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2283",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1788": {
+    "id": "openEuler-SA-2023-1788",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1788",
+    "title": "An update for tomcat is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project\r\n\r\nSecurity Fix(es):\r\n\r\nImproper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially \ncrafted, invalid trailer header could cause Tomcat to treat a single \nrequest as multiple requests leading to the possibility of request \nsmuggling when behind a reverse proxy.\r\n\r\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.\r\n\r\n(CVE-2023-45648)",
+    "cves": [
+      {
+        "id": "CVE-2023-45648",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45648",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1589": {
+    "id": "openEuler-SA-2022-1589",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1589",
+    "title": "An update for festival is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Festival offers a general framework for building speech synthesis systems as well as including examples of various modules. As a whole it offers full text to speech through a number APIs: from shell level, though a Scheme command interpreter, as a C++ library, from Java, and an Emacs interface.\r\n\r\nSecurity Fix(es):\r\n\r\nfestival_server in Centre for Speech Technology Research (CSTR) Festival, probably 2.0.95-beta and earlier, places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory.(CVE-2010-3996)",
+    "cves": [
+      {
+        "id": "CVE-2010-3996",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3996",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1508": {
+    "id": "openEuler-SA-2022-1508",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1508",
+    "title": "An update for clamav is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "End-user tools for the Clam Antivirus scanner.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability in the OOXML parsing module in Clam AntiVirus (ClamAV) Software version 0.104.1 and LTS version 0.103.4 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to improper checks that may result in an invalid pointer read. An attacker could exploit this vulnerability by sending a crafted OOXML file to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to crash, resulting in a denial of service condition.(CVE-2022-20698)",
+    "cves": [
+      {
+        "id": "CVE-2022-20698",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20698",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1434": {
+    "id": "openEuler-SA-2024-1434",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1434",
+    "title": "An update for libdwarf is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Libdwarf is a library of functions to provide read/write DWARF debugging records.\r\n\r\nSecurity Fix(es):\r\n\r\nA double-free vulnerability was found in libdwarf. In a multiply-corrupted DWARF object, libdwarf may try to dealloc(free) an allocation twice, potentially causing unpredictable and various results.(CVE-2024-2002)",
+    "cves": [
+      {
+        "id": "CVE-2024-2002",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2002",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1234": {
+    "id": "openEuler-SA-2021-1234",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1234",
+    "title": "An update for openjpeg2 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "OpenJPEG is an open-source JPEG 2000 codec written in C language. It has been developed in order to promote the use of JPEG 2000, a still-image compression standard from the Joint Photographic Experts Group (JPEG). Since April 2015, it is officially recognized by ISO/IEC and ITU-T as a JPEG 2000 Reference Software.\n\nSecurity Fix(es):\n\nA flaw was found in OpenJPEG’s encoder. This flaw allows an attacker to pass specially crafted x,y offset input to OpenJPEG to use during encoding. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-27823)\n\nA flaw was found in OpenJPEG’s encoder in the opj_dwt_calc_explicit_stepsizes() function. This flaw allows an attacker who can supply crafted input to decomposition levels to cause a buffer overflow. The highest threat from this vulnerability is to system availability.(CVE-2020-27824)\n\nopj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through 2020-01-28 has a heap-based buffer overflow in the qmfbid==1 case, a different issue than CVE-2020-6851.(CVE-2020-8112)\n\nAOpenJPEG through 2.3.1 has a heap-based buffer overflow in opj_t1_clbl_decode_processor in openjp2/t1.c because of lack of opj_j2k_update_image_dimensions validation.(CVE-2020-6851)",
+    "cves": [
+      {
+        "id": "CVE-2020-6851",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6851",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1836": {
+    "id": "openEuler-SA-2024-1836",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1836",
+    "title": "An update for kernel is now available for openEuler-24.03-LTS",
+    "severity": "Critical",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: lgdt3306a: Add a check against null-pointer-def\r\n\r\nThe driver should check whether the client provides the platform_data.\r\n\r\nThe following log reveals it:\r\n\r\n[   29.610324] BUG: KASAN: null-ptr-deref in kmemdup+0x30/0x40\n[   29.610730] Read of size 40 at addr 0000000000000000 by task bash/414\n[   29.612820] Call Trace:\n[   29.613030]  <TASK>\n[   29.613201]  dump_stack_lvl+0x56/0x6f\n[   29.613496]  ? kmemdup+0x30/0x40\n[   29.613754]  print_report.cold+0x494/0x6b7\n[   29.614082]  ? kmemdup+0x30/0x40\n[   29.614340]  kasan_report+0x8a/0x190\n[   29.614628]  ? kmemdup+0x30/0x40\n[   29.614888]  kasan_check_range+0x14d/0x1d0\n[   29.615213]  memcpy+0x20/0x60\n[   29.615454]  kmemdup+0x30/0x40\n[   29.615700]  lgdt3306a_probe+0x52/0x310\n[   29.616339]  i2c_device_probe+0x951/0xa90(CVE-2022-48772)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngenirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline\r\n\r\nThe absence of IRQD_MOVE_PCNTXT prevents immediate effectiveness of\ninterrupt affinity reconfiguration via procfs. Instead, the change is\ndeferred until the next instance of the interrupt being triggered on the\noriginal CPU.\r\n\r\nWhen the interrupt next triggers on the original CPU, the new affinity is\nenforced within __irq_move_irq(). A vector is allocated from the new CPU,\nbut the old vector on the original CPU remains and is not immediately\nreclaimed. Instead, apicd->move_in_progress is flagged, and the reclaiming\nprocess is delayed until the next trigger of the interrupt on the new CPU.\r\n\r\nUpon the subsequent triggering of the interrupt on the new CPU,\nirq_complete_move() adds a task to the old CPU's vector_cleanup list if it\nremains online. Subsequently, the timer on the old CPU iterates over its\nvector_cleanup list, reclaiming old vectors.\r\n\r\nHowever, a rare scenario arises if the old CPU is outgoing before the\ninterrupt triggers again on the new CPU.\r\n\r\nIn that case irq_force_complete_move() is not invoked on the outgoing CPU\nto reclaim the old apicd->prev_vector because the interrupt isn't currently\naffine to the outgoing CPU, and irq_needs_fixup() returns false. Even\nthough __vector_schedule_cleanup() is later called on the new CPU, it\ndoesn't reclaim apicd->prev_vector; instead, it simply resets both\napicd->move_in_progress and apicd->prev_vector to 0.\r\n\r\nAs a result, the vector remains unreclaimed in vector_matrix, leading to a\nCPU vector leak.\r\n\r\nTo address this issue, move the invocation of irq_force_complete_move()\nbefore the irq_needs_fixup() call to reclaim apicd->prev_vector, if the\ninterrupt is currently or used to be affine to the outgoing CPU.\r\n\r\nAdditionally, reclaim the vector in __vector_schedule_cleanup() as well,\nfollowing a warning message, although theoretically it should never see\napicd->move_in_progress with apicd->prev_cpu pointing to an offline CPU.(CVE-2024-31076)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntls: fix missing memory barrier in tls_init\r\n\r\nIn tls_init(), a write memory barrier is missing, and store-store\nreordering may cause NULL dereference in tls_{setsockopt,getsockopt}.\r\n\r\nCPU0                               CPU1\n-----                              -----\n// In tls_init()\n// In tls_ctx_create()\nctx = kzalloc()\nctx->sk_proto = READ_ONCE(sk->sk_prot) -(1)\r\n\r\n// In update_sk_prot()\nWRITE_ONCE(sk->sk_prot, tls_prots)     -(2)\r\n\r\n                                   // In sock_common_setsockopt()\n                                   READ_ONCE(sk->sk_prot)->setsockopt()\r\n\r\n                                   // In tls_{setsockopt,getsockopt}()\n                                   ctx->sk_proto->setsockopt()    -(3)\r\n\r\nIn the above scenario, when (1) and (2) are reordered, (3) can observe\nthe NULL value of ctx->sk_proto, causing NULL dereference.\r\n\r\nTo fix it, we rely on rcu_assign_pointer() which implies the release\nbarrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is\ninitialized, we can ensure that ctx->sk_proto are visible when\nchanging sk->sk_prot.(CVE-2024-36489)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\namd/amdkfd: sync all devices to wait all processes being evicted\r\n\r\nIf there are more than one device doing reset in parallel, the first\ndevice will call kfd_suspend_all_processes() to evict all processes\non all devices, this call takes time to finish. other device will\nstart reset and recover without waiting. if the process has not been\nevicted before doing recover, it will be restored, then caused page\nfault.(CVE-2024-36949)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: lpfc: Move NPIV's transport unregistration to after resource clean up\r\n\r\nThere are cases after NPIV deletion where the fabric switch still believes\nthe NPIV is logged into the fabric.  This occurs when a vport is\nunregistered before the Remove All DA_ID CT and LOGO ELS are sent to the\nfabric.\r\n\r\nCurrently fc_remove_host(), which calls dev_loss_tmo for all D_IDs including\nthe fabric D_ID, removes the last ndlp reference and frees the ndlp rport\nobject.  This sometimes causes the race condition where the final DA_ID and\nLOGO are skipped from being sent to the fabric switch.\r\n\r\nFix by moving the fc_remove_host() and scsi_remove_host() calls after DA_ID\nand LOGO are sent.(CVE-2024-36952)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: ks8851: Queue RX packets in IRQ handler instead of disabling BHs\r\n\r\nCurrently the driver uses local_bh_disable()/local_bh_enable() in its\nIRQ handler to avoid triggering net_rx_action() softirq on exit from\nnetif_rx(). The net_rx_action() could trigger this driver .start_xmit\ncallback, which is protected by the same lock as the IRQ handler, so\ncalling the .start_xmit from netif_rx() from the IRQ handler critical\nsection protected by the lock could lead to an attempt to claim the\nalready claimed lock, and a hang.\r\n\r\nThe local_bh_disable()/local_bh_enable() approach works only in case\nthe IRQ handler is protected by a spinlock, but does not work if the\nIRQ handler is protected by mutex, i.e. this works for KS8851 with\nParallel bus interface, but not for KS8851 with SPI bus interface.\r\n\r\nRemove the BH manipulation and instead of calling netif_rx() inside\nthe IRQ handler code protected by the lock, queue all the received\nSKBs in the IRQ handler into a queue first, and once the IRQ handler\nexits the critical section protected by the lock, dequeue all the\nqueued SKBs and push them all into netif_rx(). At this point, it is\nsafe to trigger the net_rx_action() softirq, since the netif_rx()\ncall is outside of the lock that protects the IRQ handler.(CVE-2024-36962)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nremoteproc: mediatek: Make sure IPI buffer fits in L2TCM\r\n\r\nThe IPI buffer location is read from the firmware that we load to the\nSystem Companion Processor, and it's not granted that both the SRAM\n(L2TCM) size that is defined in the devicetree node is large enough\nfor that, and while this is especially true for multi-core SCP, it's\nstill useful to check on single-core variants as well.\r\n\r\nFailing to perform this check may make this driver perform R/W\noperations out of the L2TCM boundary, resulting (at best) in a\nkernel panic.\r\n\r\nTo fix that, check that the IPI buffer fits, otherwise return a\nfailure and refuse to boot the relevant SCP core (or the SCP at\nall, if this is single core).(CVE-2024-36965)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvirtio: delete vq in vp_find_vqs_msix() when request_irq() fails\r\n\r\nWhen request_irq() fails, error path calls vp_del_vqs(). There, as vq is\npresent in the list, free_irq() is called for the same vector. That\ncauses following splat:\r\n\r\n[    0.414355] Trying to free already-free IRQ 27\n[    0.414403] WARNING: CPU: 1 PID: 1 at kernel/irq/manage.c:1899 free_irq+0x1a1/0x2d0\n[    0.414510] Modules linked in:\n[    0.414540] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.9.0-rc4+ #27\n[    0.414540] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014\n[    0.414540] RIP: 0010:free_irq+0x1a1/0x2d0\n[    0.414540] Code: 1e 00 48 83 c4 08 48 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 90 8b 74 24 04 48 c7 c7 98 80 6c b1 e8 00 c9 f7 ff 90 <0f> 0b 90 90 48 89 ee 4c 89 ef e8 e0 20 b8 00 49 8b 47 40 48 8b 40\n[    0.414540] RSP: 0000:ffffb71480013ae0 EFLAGS: 00010086\n[    0.414540] RAX: 0000000000000000 RBX: ffffa099c2722000 RCX: 0000000000000000\n[    0.414540] RDX: 0000000000000000 RSI: ffffb71480013998 RDI: 0000000000000001\n[    0.414540] RBP: 0000000000000246 R08: 00000000ffffdfff R09: 0000000000000001\n[    0.414540] R10: 00000000ffffdfff R11: ffffffffb18729c0 R12: ffffa099c1c91760\n[    0.414540] R13: ffffa099c1c916a4 R14: ffffa099c1d2f200 R15: ffffa099c1c91600\n[    0.414540] FS:  0000000000000000(0000) GS:ffffa099fec40000(0000) knlGS:0000000000000000\n[    0.414540] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    0.414540] CR2: 0000000000000000 CR3: 0000000008e3e001 CR4: 0000000000370ef0\n[    0.414540] Call Trace:\n[    0.414540]  <TASK>\n[    0.414540]  ? __warn+0x80/0x120\n[    0.414540]  ? free_irq+0x1a1/0x2d0\n[    0.414540]  ? report_bug+0x164/0x190\n[    0.414540]  ? handle_bug+0x3b/0x70\n[    0.414540]  ? exc_invalid_op+0x17/0x70\n[    0.414540]  ? asm_exc_invalid_op+0x1a/0x20\n[    0.414540]  ? free_irq+0x1a1/0x2d0\n[    0.414540]  vp_del_vqs+0xc1/0x220\n[    0.414540]  vp_find_vqs_msix+0x305/0x470\n[    0.414540]  vp_find_vqs+0x3e/0x1a0\n[    0.414540]  vp_modern_find_vqs+0x1b/0x70\n[    0.414540]  init_vqs+0x387/0x600\n[    0.414540]  virtnet_probe+0x50a/0xc80\n[    0.414540]  virtio_dev_probe+0x1e0/0x2b0\n[    0.414540]  really_probe+0xc0/0x2c0\n[    0.414540]  ? __pfx___driver_attach+0x10/0x10\n[    0.414540]  __driver_probe_device+0x73/0x120\n[    0.414540]  driver_probe_device+0x1f/0xe0\n[    0.414540]  __driver_attach+0x88/0x180\n[    0.414540]  bus_for_each_dev+0x85/0xd0\n[    0.414540]  bus_add_driver+0xec/0x1f0\n[    0.414540]  driver_register+0x59/0x100\n[    0.414540]  ? __pfx_virtio_net_driver_init+0x10/0x10\n[    0.414540]  virtio_net_driver_init+0x90/0xb0\n[    0.414540]  do_one_initcall+0x58/0x230\n[    0.414540]  kernel_init_freeable+0x1a3/0x2d0\n[    0.414540]  ? __pfx_kernel_init+0x10/0x10\n[    0.414540]  kernel_init+0x1a/0x1c0\n[    0.414540]  ret_from_fork+0x31/0x50\n[    0.414540]  ? __pfx_kernel_init+0x10/0x10\n[    0.414540]  ret_from_fork_asm+0x1a/0x30\n[    0.414540]  </TASK>\r\n\r\nFix this by calling deleting the current vq when request_irq() fails.(CVE-2024-37353)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: fix crash on racing fsync and size-extending write into prealloc\r\n\r\nWe have been seeing crashes on duplicate keys in\nbtrfs_set_item_key_safe():\r\n\r\n  BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192)\n  ------------[ cut here ]------------\n  kernel BUG at fs/btrfs/ctree.c:2620!\n  invalid opcode: 0000 [#1] PREEMPT SMP PTI\n  CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\n  RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs]\r\n\r\nWith the following stack trace:\r\n\r\n  #0  btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4)\n  #1  btrfs_drop_extents (fs/btrfs/file.c:411:4)\n  #2  log_one_extent (fs/btrfs/tree-log.c:4732:9)\n  #3  btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9)\n  #4  btrfs_log_inode (fs/btrfs/tree-log.c:6626:9)\n  #5  btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8)\n  #6  btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8)\n  #7  btrfs_sync_file (fs/btrfs/file.c:1933:8)\n  #8  vfs_fsync_range (fs/sync.c:188:9)\n  #9  vfs_fsync (fs/sync.c:202:9)\n  #10 do_fsync (fs/sync.c:212:9)\n  #11 __do_sys_fdatasync (fs/sync.c:225:9)\n  #12 __se_sys_fdatasync (fs/sync.c:223:1)\n  #13 __x64_sys_fdatasync (fs/sync.c:223:1)\n  #14 do_syscall_x64 (arch/x86/entry/common.c:52:14)\n  #15 do_syscall_64 (arch/x86/entry/common.c:83:7)\n  #16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121)\r\n\r\nSo we're logging a changed extent from fsync, which is splitting an\nextent in the log tree. But this split part already exists in the tree,\ntriggering the BUG().\r\n\r\nThis is the state of the log tree at the time of the crash, dumped with\ndrgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py)\nto get more details than btrfs_print_leaf() gives us:\r\n\r\n  >>> print_extent_buffer(prog.crashed_thread().stack_trace()[0][\"eb\"])\n  leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610\n  leaf 33439744 flags 0x100000000000000\n  fs uuid e5bd3946-400c-4223-8923-190ef1f18677\n  chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da\n          item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160\n                  generation 7 transid 9 size 8192 nbytes 8473563889606862198\n                  block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0\n                  sequence 204 flags 0x10(PREALLOC)\n                  atime 1716417703.220000000 (2024-05-22 15:41:43)\n                  ctime 1716417704.983333333 (2024-05-22 15:41:44)\n                  mtime 1716417704.983333333 (2024-05-22 15:41:44)\n                  otime 17592186044416.000000000 (559444-03-08 01:40:16)\n          item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13\n                  index 195 namelen 3 name: 193\n          item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37\n                  location key (0 UNKNOWN.0 0) type XATTR\n                  transid 7 data_len 1 name_len 6\n                  name: user.a\n                  data a\n          item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53\n                  generation 9 type 1 (regular)\n                  extent data disk byte 303144960 nr 12288\n                  extent data offset 0 nr 4096 ram 12288\n                  extent compression 0 (none)\n          item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53\n                  generation 9 type 2 (prealloc)\n                  prealloc data disk byte 303144960 nr 12288\n                  prealloc data offset 4096 nr 8192\n          item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53\n                  generation 9 type 2 (prealloc)\n                  prealloc data disk byte 303144960 nr 12288\n                  prealloc data offset 8192 nr 4096\n  ...\r\n\r\nSo the real problem happened earlier: notice that items 4 (4k-12k) and 5\n(8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size and\nitem 5 starts at i_size.\r\n\r\nHere is the state of \n---truncated---(CVE-2024-37354)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: Fix shift-out-of-bounds in dctcp_update_alpha().\r\n\r\nIn dctcp_update_alpha(), we use a module parameter dctcp_shift_g\nas follows:\r\n\r\n  alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g);\n  ...\n  delivered_ce <<= (10 - dctcp_shift_g);\r\n\r\nIt seems syzkaller started fuzzing module parameters and triggered\nshift-out-of-bounds [0] by setting 100 to dctcp_shift_g:\r\n\r\n  memcpy((void*)0x20000080,\n         \"/sys/module/tcp_dctcp/parameters/dctcp_shift_g\\000\", 47);\n  res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul,\n                /*flags=*/2ul, /*mode=*/0ul);\n  memcpy((void*)0x20000000, \"100\\000\", 4);\n  syscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000000ul, /*len=*/4ul);\r\n\r\nLet's limit the max value of dctcp_shift_g by param_set_uint_minmax().\r\n\r\nWith this patch:\r\n\r\n  # echo 10 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n  # cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n  10\n  # echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n  -bash: echo: write error: Invalid argument\r\n\r\n[0]:\nUBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12\nshift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int')\nCPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468\n dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143\n tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline]\n tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948\n tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711\n tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937\n sk_backlog_rcv include/net/sock.h:1106 [inline]\n __release_sock+0x20f/0x350 net/core/sock.c:2983\n release_sock+0x61/0x1f0 net/core/sock.c:3549\n mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907\n mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976\n __mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072\n mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127\n inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437\n __sock_release net/socket.c:659 [inline]\n sock_close+0xc0/0x240 net/socket.c:1421\n __fput+0x41b/0x890 fs/file_table.c:422\n task_work_run+0x23b/0x300 kernel/task_work.c:180\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0x9c8/0x2540 kernel/exit.c:878\n do_group_exit+0x201/0x2b0 kernel/exit.c:1027\n __do_sys_exit_group kernel/exit.c:1038 [inline]\n __se_sys_exit_group kernel/exit.c:1036 [inline]\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\nRIP: 0033:0x7f6c2b5005b6\nCode: Unable to access opcode bytes at 0x7f6c2b50058c.\nRSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6\nRDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001\nRBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0\nR10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0\nR13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n </TASK>(CVE-2024-37356)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nASoC: mediatek: Assign dummy when codec not specified for a DAI link\r\n\r\nMediaTek sound card drivers are checking whether a DAI link is present\nand used on a board to assign the correct parameters and this is done\nby checking the codec DAI names at probe time.\r\n\r\nIf no real codec is present, assign the dummy codec to the DAI link\nto avoid NULL pointer during string comparison.(CVE-2024-38551)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Fix potential index out of bounds in color transformation function\r\n\r\nFixes index out of bounds issue in the color transformation function.\nThe issue could occur when the index 'i' exceeds the number of transfer\nfunction points (TRANSFER_FUNC_POINTS).\r\n\r\nThe fix adds a check to ensure 'i' is within bounds before accessing the\ntransfer function points. If 'i' is out of bounds, an error message is\nlogged and the function returns false to indicate an error.\r\n\r\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:405 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:406 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:407 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max(CVE-2024-38552)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nax25: Fix reference count leak issue of net_device\r\n\r\nThere is a reference count leak issue of the object \"net_device\" in\nax25_dev_device_down(). When the ax25 device is shutting down, the\nax25_dev_device_down() drops the reference count of net_device one\nor zero times depending on if we goto unlock_put or not, which will\ncause memory leak.\r\n\r\nIn order to solve the above issue, decrease the reference count of\nnet_device after dev->ax25_ptr is set to null.(CVE-2024-38554)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5: Discard command completions in internal error\r\n\r\nFix use after free when FW completion arrives while device is in\ninternal error state. Avoid calling completion handler in this case,\nsince the device will flush the command interface and trigger all\ncompletions manually.\r\n\r\nKernel log:\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\n...\nRIP: 0010:refcount_warn_saturate+0xd8/0xe0\n...\nCall Trace:\n<IRQ>\n? __warn+0x79/0x120\n? refcount_warn_saturate+0xd8/0xe0\n? report_bug+0x17c/0x190\n? handle_bug+0x3c/0x60\n? exc_invalid_op+0x14/0x70\n? asm_exc_invalid_op+0x16/0x20\n? refcount_warn_saturate+0xd8/0xe0\ncmd_ent_put+0x13b/0x160 [mlx5_core]\nmlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core]\ncmd_comp_notifier+0x1f/0x30 [mlx5_core]\nnotifier_call_chain+0x35/0xb0\natomic_notifier_call_chain+0x16/0x20\nmlx5_eq_async_int+0xf6/0x290 [mlx5_core]\nnotifier_call_chain+0x35/0xb0\natomic_notifier_call_chain+0x16/0x20\nirq_int_handler+0x19/0x30 [mlx5_core]\n__handle_irq_event_percpu+0x4b/0x160\nhandle_irq_event+0x2e/0x80\nhandle_edge_irq+0x98/0x230\n__common_interrupt+0x3b/0xa0\ncommon_interrupt+0x7b/0xa0\n</IRQ>\n<TASK>\nasm_common_interrupt+0x22/0x40(CVE-2024-38555)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: nl80211: Avoid address calculations via out of bounds array indexing\r\n\r\nBefore request->channels[] can be used, request->n_channels must be set.\nAdditionally, address calculations for memory after the \"channels\" array\nneed to be calculated from the allocation base (\"request\") rather than\nvia the first \"out of bounds\" index of \"channels\", otherwise run-time\nbounds checking will throw a warning.(CVE-2024-38562)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE\r\n\r\nbpf_prog_attach uses attach_type_to_prog_type to enforce proper\nattach type for BPF_PROG_TYPE_CGROUP_SKB. link_create uses\nbpf_prog_get and relies on bpf_prog_attach_check_attach_type\nto properly verify prog_type <> attach_type association.\r\n\r\nAdd missing attach_type enforcement for the link_create case.\nOtherwise, it's currently possible to attach cgroup_skb prog\ntypes to other cgroup hooks.(CVE-2024-38564)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nrcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow\r\n\r\nThere is a possibility of buffer overflow in\nshow_rcu_tasks_trace_gp_kthread() if counters, passed\nto sprintf() are huge. Counter numbers, needed for this\nare unrealistically high, but buffer overflow is still\npossible.\r\n\r\nUse snprintf() with buffer size instead of sprintf().\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-38577)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: bcm - Fix pointer arithmetic\r\n\r\nIn spu2_dump_omd() value of ptr is increased by ciph_key_len\ninstead of hash_iv_len which could lead to going beyond the\nbuffer boundaries.\nFix this bug by changing ciph_key_len to hash_iv_len.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-38579)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix potential hang in nilfs_detach_log_writer()\r\n\r\nSyzbot has reported a potential hang in nilfs_detach_log_writer() called\nduring nilfs2 unmount.\r\n\r\nAnalysis revealed that this is because nilfs_segctor_sync(), which\nsynchronizes with the log writer thread, can be called after\nnilfs_segctor_destroy() terminates that thread, as shown in the call trace\nbelow:\r\n\r\nnilfs_detach_log_writer\n  nilfs_segctor_destroy\n    nilfs_segctor_kill_thread  --> Shut down log writer thread\n    flush_work\n      nilfs_iput_work_func\n        nilfs_dispose_list\n          iput\n            nilfs_evict_inode\n              nilfs_transaction_commit\n                nilfs_construct_segment (if inode needs sync)\n                  nilfs_segctor_sync  --> Attempt to synchronize with\n                                          log writer thread\n                           *** DEADLOCK ***\r\n\r\nFix this issue by changing nilfs_segctor_sync() so that the log writer\nthread returns normally without synchronizing after it terminates, and by\nforcing tasks that are already waiting to complete once after the thread\nterminates.\r\n\r\nThe skipped inode metadata flushout will then be processed together in the\nsubsequent cleanup work in nilfs_segctor_destroy().(CVE-2024-38582)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nftrace: Fix possible use-after-free issue in ftrace_location()\r\n\r\nKASAN reports a bug:\r\n\r\n  BUG: KASAN: use-after-free in ftrace_location+0x90/0x120\n  Read of size 8 at addr ffff888141d40010 by task insmod/424\n  CPU: 8 PID: 424 Comm: insmod Tainted: G        W          6.9.0-rc2+\n  [...]\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x68/0xa0\n   print_report+0xcf/0x610\n   kasan_report+0xb5/0xe0\n   ftrace_location+0x90/0x120\n   register_kprobe+0x14b/0xa40\n   kprobe_init+0x2d/0xff0 [kprobe_example]\n   do_one_initcall+0x8f/0x2d0\n   do_init_module+0x13a/0x3c0\n   load_module+0x3082/0x33d0\n   init_module_from_file+0xd2/0x130\n   __x64_sys_finit_module+0x306/0x440\n   do_syscall_64+0x68/0x140\n   entry_SYSCALL_64_after_hwframe+0x71/0x79\r\n\r\nThe root cause is that, in lookup_rec(), ftrace record of some address\nis being searched in ftrace pages of some module, but those ftrace pages\nat the same time is being freed in ftrace_release_mod() as the\ncorresponding module is being deleted:\r\n\r\n           CPU1                       |      CPU2\n  register_kprobes() {                | delete_module() {\n    check_kprobe_address_safe() {     |\n      arch_check_ftrace_location() {  |\n        ftrace_location() {           |\n          lookup_rec() // USE!        |   ftrace_release_mod() // Free!\r\n\r\nTo fix this issue:\n  1. Hold rcu lock as accessing ftrace pages in ftrace_location_range();\n  2. Use ftrace_location_range() instead of lookup_rec() in\n     ftrace_location();\n  3. Call synchronize_rcu() before freeing any ftrace pages both in\n     ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem().(CVE-2024-38588)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmd: fix resync softlockup when bitmap size is less than array size\r\n\r\nIs is reported that for dm-raid10, lvextend + lvchange --syncaction will\ntrigger following softlockup:\r\n\r\nkernel:watchdog: BUG: soft lockup - CPU#3 stuck for 26s! [mdX_resync:6976]\nCPU: 7 PID: 3588 Comm: mdX_resync Kdump: loaded Not tainted 6.9.0-rc4-next-20240419 #1\nRIP: 0010:_raw_spin_unlock_irq+0x13/0x30\nCall Trace:\n <TASK>\n md_bitmap_start_sync+0x6b/0xf0\n raid10_sync_request+0x25c/0x1b40 [raid10]\n md_do_sync+0x64b/0x1020\n md_thread+0xa7/0x170\n kthread+0xcf/0x100\n ret_from_fork+0x30/0x50\n ret_from_fork_asm+0x1a/0x30\r\n\r\nAnd the detailed process is as follows:\r\n\r\nmd_do_sync\n j = mddev->resync_min\n while (j < max_sectors)\n  sectors = raid10_sync_request(mddev, j, &skipped)\n   if (!md_bitmap_start_sync(..., &sync_blocks))\n    // md_bitmap_start_sync set sync_blocks to 0\n    return sync_blocks + sectors_skippe;\n  // sectors = 0;\n  j += sectors;\n  // j never change\r\n\r\nRoot cause is that commit 301867b1c168 (\"md/raid10: check\nslab-out-of-bounds in md_bitmap_get_counter\") return early from\nmd_bitmap_get_counter(), without setting returned blocks.\r\n\r\nFix this problem by always set returned blocks from\nmd_bitmap_get_counter\"(), as it used to be.\r\n\r\nNoted that this patch just fix the softlockup problem in kernel, the\ncase that bitmap size doesn't match array size still need to be fixed.(CVE-2024-38598)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njffs2: prevent xattr node from overflowing the eraseblock\r\n\r\nAdd a check to make sure that the requested xattr node size is no larger\nthan the eraseblock minus the cleanmarker.\r\n\r\nUnlike the usual inode nodes, the xattr nodes aren't split into parts\nand spread across multiple eraseblocks, which means that a xattr node\nmust not occupy more than one eraseblock. If the requested xattr value is\ntoo large, the xattr node can spill onto the next eraseblock, overwriting\nthe nodes and causing errors such as:\r\n\r\njffs2: argh. node added in wrong place at 0x0000b050(2)\njffs2: nextblock 0x0000a000, expected at 0000b00c\njffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050,\nread=0xfc892c93, calc=0x000000\njffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed\nat 0x01e00c. {848f,2fc4,0fef511f,59a3d171}\njffs2: Node at 0x0000000c with length 0x00001044 would run over the\nend of the erase block\njffs2: Perhaps the file system was created with the wrong erase size?\njffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found\nat 0x00000010: 0x1044 instead\r\n\r\nThis breaks the filesystem and can lead to KASAN crashes such as:\r\n\r\nBUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0\nRead of size 4 at addr ffff88802c31e914 by task repro/830\nCPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS Arch Linux 1.16.3-1-1 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0xc6/0x120\n print_report+0xc4/0x620\n ? __virt_addr_valid+0x308/0x5b0\n kasan_report+0xc1/0xf0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_flash_direct_writev+0xa8/0xd0\n jffs2_flash_writev+0x9c9/0xef0\n ? __x64_sys_setxattr+0xc4/0x160\n ? do_syscall_64+0x69/0x140\n ? entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.(CVE-2024-38599)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nax25: Fix reference count leak issues of ax25_dev\r\n\r\nThe ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference\ncount leak issue of the object \"ax25_dev\".\r\n\r\nMemory leak issue in ax25_addr_ax25dev():\r\n\r\nThe reference count of the object \"ax25_dev\" can be increased multiple\ntimes in ax25_addr_ax25dev(). This will cause a memory leak.\r\n\r\nMemory leak issues in ax25_dev_device_down():\r\n\r\nThe reference count of ax25_dev is set to 1 in ax25_dev_device_up() and\nthen increase the reference count when ax25_dev is added to ax25_dev_list.\nAs a result, the reference count of ax25_dev is 2. But when the device is\nshutting down. The ax25_dev_device_down() drops the reference count once\nor twice depending on if we goto unlock_put or not, which will cause\nmemory leak.\r\n\r\nAs for the issue of ax25_addr_ax25dev(), it is impossible for one pointer\nto be on a list twice. So add a break in ax25_addr_ax25dev(). As for the\nissue of ax25_dev_device_down(), increase the reference count of ax25_dev\nonce in ax25_dev_device_up() and decrease the reference count of ax25_dev\nafter it is removed from the ax25_dev_list.(CVE-2024-38602)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblock: refine the EOF check in blkdev_iomap_begin\r\n\r\nblkdev_iomap_begin rounds down the offset to the logical block size\nbefore stashing it in iomap->offset and checking that it still is\ninside the inode size.\r\n\r\nCheck the i_size check to the raw pos value so that we don't try a\nzero size write if iter->pos is unaligned.(CVE-2024-38604)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()\r\n\r\nPatch series \"mm: follow_pte() improvements and acrn follow_pte() fixes\".\r\n\r\nPatch #1 fixes a bunch of issues I spotted in the acrn driver.  It\ncompiles, that's all I know.  I'll appreciate some review and testing from\nacrn folks.\r\n\r\nPatch #2+#3 improve follow_pte(), passing a VMA instead of the MM, adding\nmore sanity checks, and improving the documentation.  Gave it a quick test\non x86-64 using VM_PAT that ends up using follow_pte().\r\n\r\n\nThis patch (of 3):\r\n\r\nWe currently miss handling various cases, resulting in a dangerous\nfollow_pte() (previously follow_pfn()) usage.\r\n\r\n(1) We're not checking PTE write permissions.\r\n\r\nMaybe we should simply always require pte_write() like we do for\npin_user_pages_fast(FOLL_WRITE)? Hard to tell, so let's check for\nACRN_MEM_ACCESS_WRITE for now.\r\n\r\n(2) We're not rejecting refcounted pages.\r\n\r\nAs we are not using MMU notifiers, messing with refcounted pages is\ndangerous and can result in use-after-free. Let's make sure to reject them.\r\n\r\n(3) We are only looking at the first PTE of a bigger range.\r\n\r\nWe only lookup a single PTE, but memmap->len may span a larger area.\nLet's loop over all involved PTEs and make sure the PFN range is\nactually contiguous. Reject everything else: it couldn't have worked\neither way, and rather made use access PFNs we shouldn't be accessing.(CVE-2024-38610)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/msm/dpu: Add callback function pointer check before its call\r\n\r\nIn dpu_core_irq_callback_handler() callback function pointer is compared to NULL,\nbut then callback function is unconditionally called by this pointer.\nFix this bug by adding conditional return.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\r\n\r\nPatchwork: https://patchwork.freedesktop.org/patch/588237/(CVE-2024-38622)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/ntfs3: Use variable length array instead of fixed size\r\n\r\nShould fix smatch warning:\n\tntfs_set_label() error: __builtin_memcpy() 'uni->name' too small (20 vs 256)(CVE-2024-38623)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/ntfs3: Use 64 bit variable to avoid 32 bit overflow\r\n\r\nFor example, in the expression:\n\tvbo = 2 * vbo + skip(CVE-2024-38624)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/ntfs3: Check 'folio' pointer for NULL\r\n\r\nIt can be NULL if bmap is called.(CVE-2024-38625)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: gadget: u_audio: Fix race condition use of controls after free during gadget unbind.\r\n\r\nHang on to the control IDs instead of pointers since those are correctly\nhandled with locks.(CVE-2024-38628)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: idxd: Avoid unnecessary destruction of file_ida\r\n\r\nfile_ida is allocated during cdev open and is freed accordingly\nduring cdev release. This sequence is guaranteed by driver file\noperations. Therefore, there is no need to destroy an already empty\nfile_ida when the WQ cdev is removed.\r\n\r\nWorse, ida_free() in cdev release may happen after destruction of\nfile_ida per WQ cdev. This can lead to accessing an id in file_ida\nafter it has been destroyed, resulting in a kernel panic.\r\n\r\nRemove ida_destroy(&file_ida) to address these issues.(CVE-2024-38629)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwatchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger\r\n\r\nWhen the cpu5wdt module is removing, the origin code uses del_timer() to\nde-activate the timer. If the timer handler is running, del_timer() could\nnot stop it and will return directly. If the port region is released by\nrelease_region() and then the timer handler cpu5wdt_trigger() calls outb()\nto write into the region that is released, the use-after-free bug will\nhappen.\r\n\r\nChange del_timer() to timer_shutdown_sync() in order that the timer handler\ncould be finished before the port region is released.(CVE-2024-38630)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nserial: max3100: Lock port->lock when calling uart_handle_cts_change()\r\n\r\nuart_handle_cts_change() has to be called with port lock taken,\nSince we run it in a separate work, the lock may not be taken at\nthe time of running. Make sure that it's taken by explicitly doing\nthat. Without it we got a splat:\r\n\r\n  WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0\n  ...\n  Workqueue: max3100-0 max3100_work [max3100]\n  RIP: 0010:uart_handle_cts_change+0xa6/0xb0\n  ...\n   max3100_handlerx+0xc5/0x110 [max3100]\n   max3100_work+0x12a/0x340 [max3100](CVE-2024-38634)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngreybus: lights: check return of get_channel_from_mode\r\n\r\nIf channel for the given node is not found we return null from\nget_channel_from_mode. Make sure we validate the return pointer\nbefore using it in two of the missing places.\r\n\r\nThis was originally reported in [0]:\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\r\n\r\n[0] https://lore.kernel.org/all/20240301190425.120605-1-m.lobanov@rosalinux.ru(CVE-2024-38637)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Allow delete from sockmap/sockhash only if update is allowed\r\n\r\nWe have seen an influx of syzkaller reports where a BPF program attached to\na tracepoint triggers a locking rule violation by performing a map_delete\non a sockmap/sockhash.\r\n\r\nWe don't intend to support this artificial use scenario. Extend the\nexisting verifier allowed-program-type check for updating sockmap/sockhash\nto also cover deleting from a map.\r\n\r\nFrom now on only BPF programs which were previously allowed to update\nsockmap/sockhash can delete from these map types.(CVE-2024-38662)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm: zynqmp_dpsub: Always register bridge\r\n\r\nWe must always register the DRM bridge, since zynqmp_dp_hpd_work_func\ncalls drm_bridge_hpd_notify, which in turn expects hpd_mutex to be\ninitialized. We do this before zynqmp_dpsub_drm_init since that calls\ndrm_bridge_attach. This fixes the following lockdep warning:\r\n\r\n[   19.217084] ------------[ cut here ]------------\n[   19.227530] DEBUG_LOCKS_WARN_ON(lock->magic != lock)\n[   19.227768] WARNING: CPU: 0 PID: 140 at kernel/locking/mutex.c:582 __mutex_lock+0x4bc/0x550\n[   19.241696] Modules linked in:\n[   19.244937] CPU: 0 PID: 140 Comm: kworker/0:4 Not tainted 6.6.20+ #96\n[   19.252046] Hardware name: xlnx,zynqmp (DT)\n[   19.256421] Workqueue: events zynqmp_dp_hpd_work_func\n[   19.261795] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   19.269104] pc : __mutex_lock+0x4bc/0x550\n[   19.273364] lr : __mutex_lock+0x4bc/0x550\n[   19.277592] sp : ffffffc085c5bbe0\n[   19.281066] x29: ffffffc085c5bbe0 x28: 0000000000000000 x27: ffffff88009417f8\n[   19.288624] x26: ffffff8800941788 x25: ffffff8800020008 x24: ffffffc082aa3000\n[   19.296227] x23: ffffffc080d90e3c x22: 0000000000000002 x21: 0000000000000000\n[   19.303744] x20: 0000000000000000 x19: ffffff88002f5210 x18: 0000000000000000\n[   19.311295] x17: 6c707369642e3030 x16: 3030613464662072 x15: 0720072007200720\n[   19.318922] x14: 0000000000000000 x13: 284e4f5f4e524157 x12: 0000000000000001\n[   19.326442] x11: 0001ffc085c5b940 x10: 0001ff88003f388b x9 : 0001ff88003f3888\n[   19.334003] x8 : 0001ff88003f3888 x7 : 0000000000000000 x6 : 0000000000000000\n[   19.341537] x5 : 0000000000000000 x4 : 0000000000001668 x3 : 0000000000000000\n[   19.349054] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffffff88003f3880\n[   19.356581] Call trace:\n[   19.359160]  __mutex_lock+0x4bc/0x550\n[   19.363032]  mutex_lock_nested+0x24/0x30\n[   19.367187]  drm_bridge_hpd_notify+0x2c/0x6c\n[   19.371698]  zynqmp_dp_hpd_work_func+0x44/0x54\n[   19.376364]  process_one_work+0x3ac/0x988\n[   19.380660]  worker_thread+0x398/0x694\n[   19.384736]  kthread+0x1bc/0x1c0\n[   19.388241]  ret_from_fork+0x10/0x20\n[   19.392031] irq event stamp: 183\n[   19.395450] hardirqs last  enabled at (183): [<ffffffc0800b9278>] finish_task_switch.isra.0+0xa8/0x2d4\n[   19.405140] hardirqs last disabled at (182): [<ffffffc081ad3754>] __schedule+0x714/0xd04\n[   19.413612] softirqs last  enabled at (114): [<ffffffc080133de8>] srcu_invoke_callbacks+0x158/0x23c\n[   19.423128] softirqs last disabled at (110): [<ffffffc080133de8>] srcu_invoke_callbacks+0x158/0x23c\n[   19.432614] ---[ end trace 0000000000000000 ]---\r\n\r\n(cherry picked from commit 61ba791c4a7a09a370c45b70a81b8c7d4cf6b2ae)(CVE-2024-38664)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndma-buf/sw-sync: don't enable IRQ from sync_print_obj()\r\n\r\nSince commit a6aa8fca4d79 (\"dma-buf/sw-sync: Reduce irqsave/irqrestore from\nknown context\") by error replaced spin_unlock_irqrestore() with\nspin_unlock_irq() for both sync_debugfs_show() and sync_print_obj() despite\nsync_print_obj() is called from sync_debugfs_show(), lockdep complains\ninconsistent lock state warning.\r\n\r\nUse plain spin_{lock,unlock}() for sync_print_obj(), for\nsync_debugfs_show() is already using spin_{lock,unlock}_irq().(CVE-2024-38780)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbonding: fix oops during rmmod\r\n\r\n\"rmmod bonding\" causes an oops ever since commit cc317ea3d927 (\"bonding:\nremove redundant NULL check in debugfs function\").  Here are the relevant\nfunctions being called:\r\n\r\nbonding_exit()\n  bond_destroy_debugfs()\n    debugfs_remove_recursive(bonding_debug_root);\n    bonding_debug_root = NULL; <--------- SET TO NULL HERE\n  bond_netlink_fini()\n    rtnl_link_unregister()\n      __rtnl_link_unregister()\n        unregister_netdevice_many_notify()\n          bond_uninit()\n            bond_debug_unregister()\n              (commit removed check for bonding_debug_root == NULL)\n              debugfs_remove()\n              simple_recursive_removal()\n                down_write() -> OOPS\r\n\r\nHowever, reverting the bad commit does not solve the problem completely\nbecause the original code contains a race that could cause the same\noops, although it was much less likely to be triggered unintentionally:\r\n\r\nCPU1\n  rmmod bonding\n    bonding_exit()\n      bond_destroy_debugfs()\n        debugfs_remove_recursive(bonding_debug_root);\r\n\r\nCPU2\n  echo -bond0 > /sys/class/net/bonding_masters\n    bond_uninit()\n      bond_debug_unregister()\n        if (!bonding_debug_root)\r\n\r\nCPU1\n        bonding_debug_root = NULL;\r\n\r\nSo do NOT revert the bad commit (since the removed checks were racy\nanyway), and instead change the order of actions taken during module\nremoval.  The same oops can also happen if there is an error during\nmodule init, so apply the same fix there.(CVE-2024-39296)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/9p: fix uninit-value in p9_client_rpc()\r\n\r\nSyzbot with the help of KMSAN reported the following error:\r\n\r\nBUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline]\nBUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n trace_9p_client_res include/trace/events/9p.h:146 [inline]\n p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nUninit was created at:\n __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598\n __alloc_pages_node include/linux/gfp.h:238 [inline]\n alloc_pages_node include/linux/gfp.h:261 [inline]\n alloc_slab_page mm/slub.c:2175 [inline]\n allocate_slab mm/slub.c:2338 [inline]\n new_slab+0x2de/0x1400 mm/slub.c:2391\n ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525\n __slab_alloc mm/slub.c:3610 [inline]\n __slab_alloc_node mm/slub.c:3663 [inline]\n slab_alloc_node mm/slub.c:3835 [inline]\n kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852\n p9_tag_alloc net/9p/client.c:278 [inline]\n p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641\n p9_client_rpc+0x27e/0x1340 net/9p/client.c:688\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nIf p9_check_errors() fails early in p9_client_rpc(), req->rc.tag\nwill not be properly initialized. However, trace_9p_client_res()\nends up trying to print it out anyway before p9_client_rpc()\nfinishes.\r\n\r\nFix this issue by assigning default values to p9_fcall fields\nsuch as 'tag' and (just in case KMSAN unearths something new) 'id'\nduring the tag allocation stage.(CVE-2024-39301)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2024-39362)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nio_uring: check for non-NULL file pointer in io_file_can_poll()\r\n\r\nIn earlier kernels, it was possible to trigger a NULL pointer\ndereference off the forced async preparation path, if no file had\nbeen assigned. The trace leading to that looks as follows:\r\n\r\nBUG: kernel NULL pointer dereference, address: 00000000000000b0\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP\nCPU: 67 PID: 1633 Comm: buf-ring-invali Not tainted 6.8.0-rc3+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 2/2/2022\nRIP: 0010:io_buffer_select+0xc3/0x210\nCode: 00 00 48 39 d1 0f 82 ae 00 00 00 48 81 4b 48 00 00 01 00 48 89 73 70 0f b7 50 0c 66 89 53 42 85 ed 0f 85 d2 00 00 00 48 8b 13 <48> 8b 92 b0 00 00 00 48 83 7a 40 00 0f 84 21 01 00 00 4c 8b 20 5b\nRSP: 0018:ffffb7bec38c7d88 EFLAGS: 00010246\nRAX: ffff97af2be61000 RBX: ffff97af234f1700 RCX: 0000000000000040\nRDX: 0000000000000000 RSI: ffff97aecfb04820 RDI: ffff97af234f1700\nRBP: 0000000000000000 R08: 0000000000200030 R09: 0000000000000020\nR10: ffffb7bec38c7dc8 R11: 000000000000c000 R12: ffffb7bec38c7db8\nR13: ffff97aecfb05800 R14: ffff97aecfb05800 R15: ffff97af2be5e000\nFS:  00007f852f74b740(0000) GS:ffff97b1eeec0000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000000000b0 CR3: 000000016deab005 CR4: 0000000000370ef0\nCall Trace:\n <TASK>\n ? __die+0x1f/0x60\n ? page_fault_oops+0x14d/0x420\n ? do_user_addr_fault+0x61/0x6a0\n ? exc_page_fault+0x6c/0x150\n ? asm_exc_page_fault+0x22/0x30\n ? io_buffer_select+0xc3/0x210\n __io_import_iovec+0xb5/0x120\n io_readv_prep_async+0x36/0x70\n io_queue_sqe_fallback+0x20/0x260\n io_submit_sqes+0x314/0x630\n __do_sys_io_uring_enter+0x339/0xbc0\n ? __do_sys_io_uring_register+0x11b/0xc50\n ? vm_mmap_pgoff+0xce/0x160\n do_syscall_64+0x5f/0x180\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\nRIP: 0033:0x55e0a110a67e\nCode: ba cc 00 00 00 45 31 c0 44 0f b6 92 d0 00 00 00 31 d2 41 b9 08 00 00 00 41 83 e2 01 41 c1 e2 04 41 09 c2 b8 aa 01 00 00 0f 05 <c3> 90 89 30 eb a9 0f 1f 40 00 48 8b 42 20 8b 00 a8 06 75 af 85 f6\r\n\r\nbecause the request is marked forced ASYNC and has a bad file fd, and\nhence takes the forced async prep path.\r\n\r\nCurrent kernels with the request async prep cleaned up can no longer hit\nthis issue, but for ease of backporting, let's add this safety check in\nhere too as it really doesn't hurt. For both cases, this will inevitably\nend with a CQE posted with -EBADF.(CVE-2024-39371)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: bcm: rpi: Assign ->num before accessing ->hws\r\n\r\nCommit f316cdff8d67 (\"clk: Annotate struct clk_hw_onecell_data with\n__counted_by\") annotated the hws member of 'struct clk_hw_onecell_data'\nwith __counted_by, which informs the bounds sanitizer about the number\nof elements in hws, so that it can warn when hws is accessed out of\nbounds. As noted in that change, the __counted_by member must be\ninitialized with the number of elements before the first array access\nhappens, otherwise there will be a warning from each access prior to the\ninitialization because the number of elements is zero. This occurs in\nraspberrypi_discover_clocks() due to ->num being assigned after ->hws\nhas been accessed:\r\n\r\n  UBSAN: array-index-out-of-bounds in drivers/clk/bcm/clk-raspberrypi.c:374:4\n  index 3 is out of range for type 'struct clk_hw *[] __counted_by(num)' (aka 'struct clk_hw *[]')\r\n\r\nMove the ->num initialization to before the first access of ->hws, which\nclears up the warning.(CVE-2024-39461)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nthermal/drivers/qcom/lmh: Check for SCM availability at probe\r\n\r\nUp until now, the necessary scm availability check has not been\nperformed, leading to possible null pointer dereferences (which did\nhappen for me on RB1).\r\n\r\nFix that.(CVE-2024-39466)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()\r\n\r\nsyzbot reports a kernel bug as below:\r\n\r\nF2FS-fs (loop0): Mounted with checkpoint version = 48b305e4\n==================================================================\nBUG: KASAN: slab-out-of-bounds in f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\nBUG: KASAN: slab-out-of-bounds in current_nat_addr fs/f2fs/node.h:213 [inline]\nBUG: KASAN: slab-out-of-bounds in f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\nRead of size 1 at addr ffff88807a58c76c by task syz-executor280/5076\r\n\r\nCPU: 1 PID: 5076 Comm: syz-executor280 Not tainted 6.9.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\n current_nat_addr fs/f2fs/node.h:213 [inline]\n f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\n f2fs_xattr_fiemap fs/f2fs/data.c:1848 [inline]\n f2fs_fiemap+0x55d/0x1ee0 fs/f2fs/data.c:1925\n ioctl_fiemap fs/ioctl.c:220 [inline]\n do_vfs_ioctl+0x1c07/0x2e50 fs/ioctl.c:838\n __do_sys_ioctl fs/ioctl.c:902 [inline]\n __se_sys_ioctl+0x81/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\nThe root cause is we missed to do sanity check on i_xattr_nid during\nf2fs_iget(), so that in fiemap() path, current_nat_addr() will access\nnat_bitmap w/ offset from invalid i_xattr_nid, result in triggering\nkasan bug report, fix it.(CVE-2024-39467)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsmb: client: fix deadlock in smb2_find_smb_tcon()\r\n\r\nUnlock cifs_tcp_ses_lock before calling cifs_put_smb_ses() to avoid such\ndeadlock.(CVE-2024-39468)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\neventfs: Fix a possible null pointer dereference in eventfs_find_events()\r\n\r\nIn function eventfs_find_events,there is a potential null pointer\nthat may be caused by calling update_events_attr which will perform\nsome operations on the members of the ei struct when ei is NULL.\r\n\r\nHence,When ei->is_freed is set,return NULL directly.(CVE-2024-39470)",
+    "cves": [
+      {
+        "id": "CVE-2024-39470",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39470",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1603": {
+    "id": "openEuler-SA-2022-1603",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1603",
+    "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Cryptography and SSL/TLS Toolkit.\r\n\r\nSecurity Fix(es):\r\n\r\nThe BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the openssl 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects openssl versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in openssl 3.0.2 (Affected 3.0.0,3.0.1). Fixed in openssl 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in openssl 1.0.2zd (Affected 1.0.2-1.0.2zc).(CVE-2022-0778)",
+    "cves": [
+      {
+        "id": "CVE-2022-0778",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0778",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1401": {
+    "id": "openEuler-SA-2023-1401",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1401",
+    "title": "An update for perl is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Perl 5 is a highly capable, feature-rich programming language with over 30 years of development. Perl 5 runs on over 100 platforms from portables to mainframes and is suitable for both rapid prototyping and large scale development projects.\n\nSecurity Fix(es):\n\nHTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.(CVE-2023-31486)",
+    "cves": [
+      {
+        "id": "CVE-2023-31486",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31486",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1467": {
+    "id": "openEuler-SA-2021-1467",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1467",
+    "title": "An update for log4j is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "Log4j is a tool to help the programmer output log statements to a variety of output targets.\r\n\r\nSecurity Fix(es):\r\n\r\nIt was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.(CVE-2021-45046)",
+    "cves": [
+      {
+        "id": "CVE-2021-45046",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2113": {
+    "id": "openEuler-SA-2022-2113",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2113",
+    "title": "An update for python-pillow is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Pillow is the friendly PIL fork by Alex Clark and Contributors. PIL is the Python Imaging Library by Fredrik Lundh and Contributors. As of 2019, Pillow development is supported by Tidelift.\r\n\r\nSecurity Fix(es):\r\n\r\nPillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL.(CVE-2022-45199)",
+    "cves": [
+      {
+        "id": "CVE-2022-45199",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45199",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1770": {
+    "id": "openEuler-SA-2024-1770",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1770",
+    "title": "An update for golang is now available for openEuler-24.03-LTS",
+    "severity": "Critical",
+    "description": "The Go Programming Language.\r\n\r\nSecurity Fix(es):\r\n\r\nThe various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.(CVE-2024-24790)",
+    "cves": [
+      {
+        "id": "CVE-2024-24790",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24790",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1230": {
+    "id": "openEuler-SA-2023-1230",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1230",
+    "title": "An update for httpd is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\r\n\r\nSecurity Fix(es):\r\n\r\nApache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.(CVE-2019-17567)",
+    "cves": [
+      {
+        "id": "CVE-2019-17567",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17567",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1845": {
+    "id": "openEuler-SA-2023-1845",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1845",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvbdev.c has a use-after-free, related to dvb_register_device dynamically allocating fops.(CVE-2022-45884)\r\n\r\nRejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-35823. Reason: This candidate is a reservation duplicate of CVE-2023-35823. Notes: All CVE users should reference CVE-2023-35823 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.(CVE-2023-3327)\r\n\r\nA race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one holding a reference to it. This flaw allows an attacker to guess the returned handle value and trigger a use-after-free issue, potentially leading to a denial of service or privilege escalation.(CVE-2023-39198)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation.\r\n\r\nIf a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free.\r\n\r\nWe recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f.\r\n\r\n(CVE-2023-4623)\r\n\r\nA use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\r\n\r\nAddition and removal of rules from chain bindings within the same transaction causes leads to use-after-free.\r\n\r\nWe recommend upgrading past commit f15f29fd4779be8a418b66e9d52979bb6d6c2325.\r\n\r\n(CVE-2023-5197)",
+    "cves": [
+      {
+        "id": "CVE-2023-5197",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5197",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1020": {
+    "id": "openEuler-SA-2024-1020",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1020",
+    "title": "An update for systemd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "systemd is a system and service manager that runs as PID 1 and starts the rest of the system.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.(CVE-2023-7008)",
+    "cves": [
+      {
+        "id": "CVE-2023-7008",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7008",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1592": {
+    "id": "openEuler-SA-2024-1592",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1592",
+    "title": "An update for php is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server.\r\n\r\nSecurity Fix(es):\r\n\r\nIn PHP  version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\\x00), testing a blank string as the password via password_verify() will incorrectly return true.\r\n\r\n(CVE-2024-3096)",
+    "cves": [
+      {
+        "id": "CVE-2024-3096",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3096",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1455": {
+    "id": "openEuler-SA-2024-1455",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1455",
+    "title": "An update for gstreamer1-plugins-base is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "GStreamer is a graphics library for built-in media processing components. BasePlug-ins is a the collections used to maintain the GStreamer plugin.\r\n\r\nSecurity Fix(es):\r\n\r\nHeap-based buffer overflow in the subparse subtitle parser when handling certain SRT subtitle files in GStreamer versions before 1.22.4 / 1.20.7. It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation.\r\n\r\nhttps://gstreamer.freedesktop.org/security/sa-2023-0002.html(CVE-2023-37328)",
+    "cves": [
+      {
+        "id": "CVE-2023-37328",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37328",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1614": {
+    "id": "openEuler-SA-2022-1614",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1614",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel before 5.16.12. drivers/net/usb/sr9700.c allows attackers to obtain sensitive information from heap memory via crafted frame lengths from a device.(CVE-2022-26966)\r\n\r\nIn drivers/usb/gadget/udc/udc-xilinx.c in the Linux kernel before 5.16.12, the endpoint index is not validated and might be manipulated by the host for out-of-array access.(CVE-2022-27223)",
+    "cves": [
+      {
+        "id": "CVE-2022-27223",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27223",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1583": {
+    "id": "openEuler-SA-2022-1583",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1583",
+    "title": "An update for OpenEXR is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light & Magic for use in computer imaging applications.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw found in function dataWindowForTile() of IlmImf/ImfTiledMisc.cpp. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger an integer overflow, leading to an out-of-bounds write on the heap. The greatest impact of this flaw is to application availability, with some potential impact to data integrity as well.(CVE-2021-20303)",
+    "cves": [
+      {
+        "id": "CVE-2021-20303",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20303",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1236": {
+    "id": "openEuler-SA-2023-1236",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1236",
+    "title": "An update for mod_auth_openidc is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party(RP) to an OpenID Connect Provider(OP).\r\n\r\nSecurity Fix(es):\r\n\r\nmod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() does not properly check for URLs that start with /\\t, leading to an open redirect. This issue has been patched in version 2.4.12.2. Users unable to upgrade can mitigate the issue by configuring mod_auth_openidc to only allow redirection when the destination matches a given regular expression with OIDCRedirectURLsAllowed.(CVE-2022-23527)\r\n\r\nmod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when `OIDCStripCookies` is set and a crafted cookie supplied, a NULL pointer dereference would occur, resulting in a segmentation fault. This could be used in a Denial-of-Service attack and thus presents an availability risk. Version 2.4.13.2 contains a patch for this issue. As a workaround, avoid using `OIDCStripCookies`.(CVE-2023-28625)",
+    "cves": [
+      {
+        "id": "CVE-2023-28625",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28625",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2047": {
+    "id": "openEuler-SA-2022-2047",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2047",
+    "title": "An update for bluez is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "This package provides all utilities for use in Bluetooth applications. The BLUETOOTH trademarks are owned by Bluetooth SIG, Inc., U.S.A.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in gatt-database.c in BlueZ 5.61. A use-after-free can occur when a client disconnects during D-Bus processing of a WriteValue call.(CVE-2021-43400)\r\n\r\nImproper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access.(CVE-2021-0129)",
+    "cves": [
+      {
+        "id": "CVE-2021-0129",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0129",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1717": {
+    "id": "openEuler-SA-2024-1717",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1717",
+    "title": "An update for mozjs78 is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "SpiderMonkey JavaScript library\r\n\r\nSecurity Fix(es):\r\n\r\nIn the <code>nsTArray_Impl::ReplaceElementsAt()</code> function, an integer overflow could have occurred when the number of elements to replace was too large for the container. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.(CVE-2022-34481)",
+    "cves": [
+      {
+        "id": "CVE-2022-34481",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34481",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1301": {
+    "id": "openEuler-SA-2023-1301",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1301",
+    "title": "An update for sysstat is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The sysstat package contains various utilities, common to many commercial Unixes, to monitor system performance and usage activity:iostat: reports CPU statistics and input/output statistics for block devices and partitions.mpstat: reports individual or combined processor related statistics.pidstat: reports statistics for Linux tasks (processes) : I/O, CPU, memory, etc.tapestat: reports statistics for tape drives connected to the system.cifsiostat: reports CIFS statistics.Sysstat also contains tools you can schedule via cron or systemd to collect and historize performance and activity data:sar： collects, reports and saves system activity information (see below a list of metrics collected by sar).sadc： is the system activity data collector, used as a backend for sar.sa1： collects and stores binary data in the system activity daily data file. It is a front end to sadc designed to be run from cron or systemd.sa2： writes a summarized daily activity report. It is a front end to sar designed to be run from cron or systemd.sadf： displays data collected by sar in multiple formats (CSV, XML, JSON, etc.) and can be used for data exchange with other programs. This command can also be used to draw graphs for the various activities collected by sar using SVG (Scalable Vector Graphics) format.\r\n\r\nSecurity Fix(es):\r\n\r\nsysstat through 12.7.2 allows a multiplication integer overflow in check_overflow in common.c. NOTE: this issue exists because of an incomplete fix for CVE-2022-39377.(CVE-2023-33204)",
+    "cves": [
+      {
+        "id": "CVE-2023-33204",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33204",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1331": {
+    "id": "openEuler-SA-2023-1331",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1331",
+    "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap-based buffer overflow vulnerability was found in the ImageMagick package that can lead to the application crashing.(CVE-2023-2157)",
+    "cves": [
+      {
+        "id": "CVE-2023-2157",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2157",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1231": {
+    "id": "openEuler-SA-2021-1231",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1231",
+    "title": "An update for resteasy is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "%global desc \\ RESTEasy contains a JBoss project that provides frameworks to help\\ build RESTful Web Services and RESTful Java applications. It is a fully\\ certified and portable implementation of the JAX-RS specification. \\ %global extdesc \\\\ \\ This package contains\n\nSecurity Fix(es):\n\nA cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack.(CVE-2020-10688)",
+    "cves": [
+      {
+        "id": "CVE-2020-10688",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10688",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1689": {
+    "id": "openEuler-SA-2022-1689",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1689",
+    "title": "An update for fish is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "fish is a fully-equipped command line shell (like bash or zsh) that is smart and user-friendly. fish supports powerful features like syntax highlighting, autosuggestions, and tab completions that just work, with nothing to learn or configure.\r\n\r\nSecurity Fix(es):\r\n\r\nfish is a command line shell. fish version 3.1.0 through version 3.3.1 is vulnerable to arbitrary code execution. git repositories can contain per-repository configuration that change the behavior of git, including running arbitrary commands. When using the default configuration of fish, changing to a directory automatically runs `git` commands in order to display information about the current repository in the prompt. If an attacker can convince a user to change their current directory into one controlled by the attacker, such as on a shared file system or extracted archive, fish will run arbitrary commands under the attacker's control. This problem has been fixed in fish 3.4.0. Note that running git in these directories, including using the git tab completion, remains a potential trigger for this issue. As a workaround, remove the `fish_git_prompt` function from the prompt.(CVE-2022-20001)",
+    "cves": [
+      {
+        "id": "CVE-2022-20001",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20001",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1818": {
+    "id": "openEuler-SA-2024-1818",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1818",
+    "title": "An update for xorg-x11-server-xwayland is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Xwayland is an X server for running X clients under Wayland.   %package devel Summary: Development package Requires: pkgconfig   %description devel The development package provides the developmental files which are necessary for developing Wayland compositors using Xwayland.   %prep %autosetup -n xwayland-   %build %meson \\         -Dxwayland_eglstream=true \\         -Ddefault_font_path=\"catalogue:/etc/X11/fontpath.d,built-ins\" \\         -Dbuilder_string=\"Build ID:  -\" \\         -Dxkb_output_dir=/lib/xkb \\         -Dxcsecurity=true \\         -Dglamor=true \\         -Ddri3=true   %meson_build\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Xorg-x11-server. The specific flaw exists within the handling of ProcXkbSetDeviceInfo requests. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. This flaw allows an attacker to escalate privileges and execute arbitrary code in the context of root.(CVE-2022-2320)",
+    "cves": [
+      {
+        "id": "CVE-2022-2320",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2320",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1306": {
+    "id": "openEuler-SA-2024-1306",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1306",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": " The Go Programming Language.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as \"Authorization\" or \"Cookie\". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.(CVE-2023-45289)\r\n\r\nWhen parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.(CVE-2023-45290)\r\n\r\nVerifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.(CVE-2024-24783)\r\n\r\nIf errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.(CVE-2024-24785)",
+    "cves": [
+      {
+        "id": "CVE-2024-24785",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24785",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1022": {
+    "id": "openEuler-SA-2024-1022",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1022",
+    "title": "An update for mosquitto is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "Mosquitto is an open source message broker that implements the MQ Telemetry Transport protocol version 3.1 and 3.1.1 MQTT provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for \"machine to machine\" messaging such as with low power sensors or mobile devices such as phones, embedded computers or micro-controllers like the Arduino.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.\n(CVE-2023-3592)",
+    "cves": [
+      {
+        "id": "CVE-2023-3592",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3592",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1584": {
+    "id": "openEuler-SA-2023-1584",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1584",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel’s IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%.(CVE-2023-1206)\r\n\r\nA buffer overrun vulnerability was found in the netback driver in Xen due to an unusual split packet. This flaw allows an unprivileged guest to cause a denial of service (DoS) of the host by sending network packets to the backend, causing the backend to crash.(CVE-2023-34319)\r\n\r\nAn issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10. There is a use-after-free because the children of an sk are mishandled.(CVE-2023-40283)\r\n\r\nA flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to bypass network filters and gain unauthorized access to some resources. The original patches fixing CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits - a096ccca6e50 (\"tun: tun_chr_open(): correctly initialize socket uid\"), - 66b2c338adce (\"tap: tap_open(): correctly initialize socket uid\"), pass \"inode->i_uid\" to sock_init_data_uid() as the last parameter and that turns out to not be accurate.(CVE-2023-4194)\r\n\r\nA NULL pointer dereference flaw was found in dbFree in fs/jfs/jfs_dmap.c in the journaling file system (JFS) in the Linux Kernel. This issue may allow a local attacker to crash the system due to a missing sanity check.(CVE-2023-4385)\r\n\r\nA NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in drivers/net/vmxnet3/vmxnet3_drv.c in the networking sub-component in vmxnet3 in the Linux Kernel. This issue may allow a local attacker with normal user privilege to cause a denial of service due to a missing sanity check during cleanup.(CVE-2023-4459)",
+    "cves": [
+      {
+        "id": "CVE-2023-4459",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4459",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1309": {
+    "id": "openEuler-SA-2024-1309",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1309",
+    "title": "An update for glade is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "Glade is a RAD tool to enable quick and easy development of user interfaces for the GTK+ toolkit and the GNOME desktop environment.\r\n\r\nSecurity Fix(es):\r\n\r\nplugins/gtk+/glade-gtk-box.c in GNOME Glade before 3.38.1 and 3.39.x before 3.40.0 mishandles widget rebuilding for GladeGtkBox, leading to a denial of service (application crash).(CVE-2020-36774)",
+    "cves": [
+      {
+        "id": "CVE-2020-36774",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36774",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1007": {
+    "id": "openEuler-SA-2024-1007",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1007",
+    "title": "An update for rubygem-puma is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "A simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications.\r\n\r\nSecurity Fix(es):\r\n\r\nPuma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.(CVE-2022-23634)",
+    "cves": [
+      {
+        "id": "CVE-2022-23634",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23634",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1373": {
+    "id": "openEuler-SA-2021-1373",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1373",
+    "title": "An update for kubernetes is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Container cluster management.\r\n\r\nSecurity Fix(es):\r\n\r\nA security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.(CVE-2021-25737)\r\n\r\nA security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.(CVE-2021-25735)",
+    "cves": [
+      {
+        "id": "CVE-2021-25735",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25735",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1179": {
+    "id": "openEuler-SA-2021-1179",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1179",
+    "title": "An update for openvswitch is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Open vSwitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in openvswitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet causing the resulting megaflow in the kernel to be too wide, potentially causing a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-35498)\r\n\r\nA flaw was found in multiple versions of OpenvSwitch. Specially crafted LLDP packets can cause memory to be lost when allocating data to handle specific optional TLVs, potentially causing a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-27827)\r\n\r\nBuffer overflow in the lldp_decode function in daemon/protocols/lldp.c in lldpd before 0.8.0 allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via vectors involving large management addresses and TLV boundaries.(CVE-2015-8011)",
+    "cves": [
+      {
+        "id": "CVE-2015-8011",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8011",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1699": {
+    "id": "openEuler-SA-2022-1699",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1699",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\n\nSecurity Fix(es):\n\nUse After Free in GitHub repository vim/vim prior to 8.2.4979.(CVE-2022-1796)\n\nOut-of-bounds Write in GitHub repository vim/vim prior to 8.2.4977.(CVE-2022-1785)",
+    "cves": [
+      {
+        "id": "CVE-2022-1785",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1785",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1321": {
+    "id": "openEuler-SA-2021-1321",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1321",
+    "title": "An update for curl is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\ncurl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.(CVE-2021-22925)\r\n\r\nlibcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the `CURLOPT_SSLCERT` option (`--cert` with the command line tool).When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certificate by name or with a file name - using the same option. If the name exists as a file, it will be used instead of by name.If the appliction runs with a current working directory that is writable by other users (like `/tmp`), a malicious user can create a file name with the same name as the app wants to use by name, and thereby trick the application to use the file based cert instead of the one referred to by name making libcurl send the wrong client certificate in the TLS connection handshake.(CVE-2021-22926)",
+    "cves": [
+      {
+        "id": "CVE-2021-22926",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22926",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1450": {
+    "id": "openEuler-SA-2023-1450",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1450",
+    "title": "An update for samba is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\n\nSecurity Fix(es):\n\nAn out-of-bounds read vulnerability was found in Samba due to insufficient length checks in winbindd_pam_auth_crap.c. When performing NTLM authentication, the client replies to cryptographic challenges back to the server. These replies have variable lengths, and Winbind fails to check the lan manager response length. When Winbind is used for NTLM authentication, a maliciously crafted request can trigger an out-of-bounds read in Winbind, possibly resulting in a crash.(CVE-2022-2127)\n\nAn infinite loop vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in an endless loop consuming 100% CPU. This flaw allows an attacker to issue a malformed RPC request, triggering an infinite loop, resulting in a denial of service condition.(CVE-2023-34966)\n\nA Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed-in pointer is not a valid talloc pointer. With an RPC worker process shared among multiple client connections, a malicious client or attacker can trigger a process crash in a shared RPC mdssvc worker process, affecting all other clients this worker serves.(CVE-2023-34967)",
+    "cves": [
+      {
+        "id": "CVE-2023-34967",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34967",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1139": {
+    "id": "openEuler-SA-2023-1139",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1139",
+    "title": "An update for epiphany is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Epiphany is the web browser for the GNOME desktop. Its goal is to be simple and easy to use. Epiphany ties together many GNOME components in order to let you focus on the Web content, instead of the browser application.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Epiphany (aka GNOME Web) through 43.0, untrusted web content can trick users into exfiltrating passwords, because autofill occurs in sandboxed contexts.(CVE-2023-26081)",
+    "cves": [
+      {
+        "id": "CVE-2023-26081",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26081",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1519": {
+    "id": "openEuler-SA-2022-1519",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1519",
+    "title": "An update for mysql is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "MySQL client programs and shared libraries.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21245)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21264)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21302)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21285)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21288)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21290)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21254)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2022-21301)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21287)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Federated). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21270)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21286)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21284)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 3.8 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L).(CVE-2022-21265)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21289)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21304)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21256)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21249)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21253)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21303)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21315)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21316)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21314)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).(CVE-2022-21312)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).(CVE-2022-21311)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).(CVE-2022-21313)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).(CVE-2022-21317)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21320)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21318)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).(CVE-2022-21325)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).(CVE-2022-21319)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21308)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21326)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).(CVE-2022-21324)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).(CVE-2022-21355)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21344)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21342)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 4.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).(CVE-2022-21368)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21335)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21328)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21374)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).(CVE-2022-21333)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21339)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2022-21378)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21329)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21356)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21372)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21332)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21330)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21336)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Compiling). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2022-21367)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21327)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21334)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21380)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).(CVE-2022-21357)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21348)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21362)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21307)\r\n\r\nVulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).(CVE-2022-21363)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21280)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21309)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).(CVE-2022-21351)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21358)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21279)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21337)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21370)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).(CVE-2022-21331)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21310)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).(CVE-2022-21321)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21379)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).(CVE-2022-21323)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2022-21322)",
+    "cves": [
+      {
+        "id": "CVE-2022-21322",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21322",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1797": {
+    "id": "openEuler-SA-2024-1797",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1797",
+    "title": "An update for rubygem-activesupport is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.\r\n\r\nSecurity Fix(es):\r\n\r\nA Cross-Site-Scripting vulnerability was found in rubygem ActiveSupport. If the new bytesplice method is called on a SafeBuffer with untrusted user input, malicious code could be executed.(CVE-2023-28120)",
+    "cves": [
+      {
+        "id": "CVE-2023-28120",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28120",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1280": {
+    "id": "openEuler-SA-2023-1280",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1280",
+    "title": "An update for LibRaw is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Low",
+    "description": "LibRaw is a library for reading RAW files from digital photo cameras (CRW/CR2, NEF, RAF, etc, virtually all RAW formats are supported).It pays special attention to correct retrieval of data required for subsequent RAW conversion.The library is intended for embedding in RAW converters, data analyzers, and other programs using RAW files as the initial data.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in LibRaw. A heap-buffer-overflow in raw2image_ex() caused by a maliciously crafted file may lead to an application crash.(CVE-2023-1729)",
+    "cves": [
+      {
+        "id": "CVE-2023-1729",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1729",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1966": {
+    "id": "openEuler-SA-2022-1966",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1966",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel through 5.19.8. drivers/firmware/efi/capsule-loader.c has a race condition with a resultant use-after-free.(CVE-2022-40307)\n\nA flaw use after free in the Linux kernel video4linux driver was found in the way user triggers em28xx_usb_probe() for the Empia 28xx based TV cards. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.(CVE-2022-3239)",
+    "cves": [
+      {
+        "id": "CVE-2022-3239",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3239",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1652": {
+    "id": "openEuler-SA-2022-1652",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1652",
+    "title": "An update for zlog is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "zlog is a reliable, high-performance, thread safe, flexible, clear-model, pure C logging library.\r\n\r\nSecurity Fix(es):\r\n\r\nA Buffer Overflow vulnerability exists in zlog 1.2.15 via zlog_conf_build_with_file in src/zlog/src/conf.c.(CVE-2021-43521)",
+    "cves": [
+      {
+        "id": "CVE-2021-43521",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43521",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1606": {
+    "id": "openEuler-SA-2024-1606",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1606",
+    "title": "An update for python-idna is now available for openEuler-20.03-LTS-SP1,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "A library to support the Internationalised Domain Names in Applications (IDNA) protocol as specified in RFC 5891 http://tools.ietf.org/html/rfc5891. This version of the protocol is often referred to as “IDNA2008” and can produce different results from the earlier standard from 2003.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the python-idna library. A malicious argument was sent to the idna.encode() function can trigger an uncontrolled resource consumption, resulting in a denial of service.(CVE-2024-3651)",
+    "cves": [
+      {
+        "id": "CVE-2024-3651",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3651",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1699": {
+    "id": "openEuler-SA-2024-1699",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1699",
+    "title": "An update for grub2 is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "GNU GRUB is a Multiboot boot loader. It was derived from GRUB, the GRand Unified Bootloader, which was originally designed and implemented by Erich Stefan Boleyn.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.(CVE-2021-46848)",
+    "cves": [
+      {
+        "id": "CVE-2021-46848",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46848",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1797": {
+    "id": "openEuler-SA-2023-1797",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1797",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the USB subsystem in the Linux kernel through 6.4.2. There is an out-of-bounds and crash in read_descriptors in drivers/usb/core/sysfs.c.(CVE-2023-37453)\r\n\r\nAn issue was discovered in the Linux kernel before 6.5.9, exploitable by local users with userspace access to MMIO registers. Incorrect access checking in the #VC handler and instruction emulation of the SEV-ES emulation of MMIO accesses could lead to arbitrary write access to kernel memory (and thus privilege escalation). This depends on a race condition through which userspace can replace an instruction before the #VC handler reads it.(CVE-2023-46813)\r\n\r\nAn issue was discovered in the Linux kernel through 6.5.9. During a race with SQ thread exit, an io_uring/fdinfo.c io_uring_show_fdinfo NULL pointer dereference can occur.(CVE-2023-46862)\r\n\r\nA use-after-free vulnerability was found in drivers/nvme/target/tcp.c` in `nvmet_tcp_free_crypto` due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel. This issue may allow a malicious user to cause a use-after-free and double-free problem, which may permit remote code execution or lead to local privilege escalation in case that the attacker already has local privileges.(CVE-2023-5178)",
+    "cves": [
+      {
+        "id": "CVE-2023-5178",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5178",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1658": {
+    "id": "openEuler-SA-2022-1658",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1658",
+    "title": "An update for libxml2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "This library allows to manipulate XML files. It includes support to read, modify and write XML and HTML files. There is DTDs support this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified. The output can be a simple SAX stream or and in-memory DOM like representations.In this case one can use the built-in XPath and XPointer implementation to select sub nodes or ranges. A flexible Input/Output mechanism is available, with existing HTTP and FTP modules and combined to an URI library.\n\nSecurity Fix(es):\n\nIn libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.(CVE-2022-29824)",
+    "cves": [
+      {
+        "id": "CVE-2022-29824",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29824",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2007": {
+    "id": "openEuler-SA-2022-2007",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2007",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "This  provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. The latest version of the TIFF specification is available on-line in several different formats.And contains command-line programs for manipulating TIFF format image files using the libtiff library.\r\n\r\nSecurity Fix(es):\r\n\r\nDivide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.(CVE-2022-2056)\r\n\r\nDivide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.(CVE-2022-2058)",
+    "cves": [
+      {
+        "id": "CVE-2022-2058",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2058",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1813": {
+    "id": "openEuler-SA-2023-1813",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1813",
+    "title": "An update for openjdk-1.8.0 is now available for openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The OpenJDK runtime environment 8.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: CORBA).  Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf; Oracle GraalVM Enterprise Edition: 20.3.11 and  21.3.7. Easily exploitable vulnerability allows unauthenticated attacker with network access via CORBA to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-22067)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf, 11.0.20, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 20.3.11, 21.3.7 and  22.3.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-22081)",
+    "cves": [
+      {
+        "id": "CVE-2023-22081",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22081",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1593": {
+    "id": "openEuler-SA-2023-1593",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1593",
+    "title": "An update for binutils is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The GNU Binutils are a collection of binary tools. The main ones are: ld - the GNU linker. as - the GNU assembler. addr2line - Converts addresses into filenames and line numbers. ar - A utility for creating, modifying and extracting from archives. c++filt - Filter to demangle encoded C++ symbols. dlltool - Creates files for building and using DLLs. gold - A new, faster, ELF only linker, still in beta test. gprof - Displays profiling information. nlmconv - Converts object code into an NLM. nm - Lists symbols from object files. objcopy - Copies and translates object files. objdump - Displays information from object files. ranlib - Generates an index to the contents of an archive. readelf - Displays information from any ELF format object file. size - Lists the section sizes of an object or archive file. strings - Lists printable strings from files. trip - Discards symbols. windmc - A Windows compatible message compiler. windres - A compiler for Windows resource files.\r\n\r\nSecurity Fix(es):\r\n\r\nAn illegal memory access flaw was found in the binutils package. Parsing an ELF file containing corrupt symbol version information may result in a denial of service. This issue is the result of an incomplete fix for CVE-2020-16599.(CVE-2022-4285)\r\n\r\nGNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.(CVE-2022-48064)\r\n\r\nA potential heap based buffer overflow was found in _bfd_elf_slurp_version_tables() in bfd/elf.c. This may lead to loss of availability.(CVE-2023-1972)",
+    "cves": [
+      {
+        "id": "CVE-2023-1972",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1972",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1056": {
+    "id": "openEuler-SA-2023-1056",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1056",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nIn binder_vma_close of binder.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-254837884References: Upstream kernel(CVE-2023-20928)\r\n\r\nA heap overflow bug in ksmbd_decode_ntlmssp_auth_blob in which nt_len can be less than CIFS_ENCPWD_SIZE. This results in a negative blen argument for ksmbd_auth_ntlmv2, where it calls memcpy using blen on memory allocated by kmalloc(blen + CIFS_CRYPTO_KEY_SIZE). Note that CIFS_ENCPWD_SIZE is 16 and CIFS_CRYPTO_KEY_SIZE is 8. We believe this bug can only result in a remote DOS and not privilege escalation nor RCE, as the heap overflow occurs when blen is in range (-8, -1].”\r\n\r\nReference:\nhttps://securityonline.info/cve-2023-0210-flaw-in-linux-kernel-allows-unauthenticated-remote-dos-attacks/\nhttps://www.spinics.net/lists/stable-commits/msg282893.html(CVE-2023-0210)\r\n\r\nIn rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition.(CVE-2023-23559)\r\n\r\nThere exists a use-after-free vulnerability in the Linux kernel through io_uring and the IORING_OP_SPLICE operation. If IORING_OP_SPLICE is missing the IO_WQ_WORK_FILES flag, which signals that the operation won't use current->nsproxy, so its reference counter is not increased. This assumption is not always true as calling io_splice on specific files will call the get_uts function which will use current->nsproxy leading to invalidly decreasing its reference counter later causing the use-after-free vulnerability. We recommend upgrading to version 5.10.160 or above(CVE-2022-4696)",
+    "cves": [
+      {
+        "id": "CVE-2022-4696",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4696",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1476": {
+    "id": "openEuler-SA-2021-1476",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1476",
+    "title": "An update for logback is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Logback is intended as a successor to the popular log4j project.\r\n\r\nSecurity Fix(es):\r\n\r\nIn logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.(CVE-2021-42550)",
+    "cves": [
+      {
+        "id": "CVE-2021-42550",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42550",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1139": {
+    "id": "openEuler-SA-2021-1139",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1139",
+    "title": "An update for infinispan is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Infinispan is an extremely scalable, highly available data grid platform - 100% open source, and written in Java. The purpose of Infinispan is to expose a data structure that is highly concurrent, designed ground-up to make the most of modern multi-processor/multi-core architectures while at the same time providing distributed cache capabilities.  At its core Infinispan exposes a Cache interface which extends java.util.Map. It is also optionally is backed by a peer-to-peer network architecture to distribute state efficiently around a data grid.\r\n\r\nSecurity Fix(es):\r\n\r\nIt was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks.(CVE-2017-15089)\r\n\r\nThe hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks.(CVE-2016-0750)",
+    "cves": [
+      {
+        "id": "CVE-2016-0750",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0750",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1085": {
+    "id": "openEuler-SA-2024-1085",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1085",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Bluetooth subsystem of the Linux kernel. A race condition between the bt_sock_recvmsg() and bt_sock_ioctl() functions could lead to a use-after-free on a socket buffer (\"skb\"). This flaw allows a local user to cause a denial of service condition or potential code execution.(CVE-2023-51779)\r\n\r\nAn issue was discovered in the Linux kernel before 6.6.8. do_vcc_ioctl in net/atm/ioctl.c has a use-after-free because of a vcc_recvmsg race condition.(CVE-2023-51780)\r\n\r\nAn issue was discovered in the Linux kernel before 6.6.8. atalk_ioctl in net/appletalk/ddp.c has a use-after-free because of an atalk_recvmsg race condition.(CVE-2023-51781)\r\n\r\nAn issue was discovered in the Linux kernel before 6.6.8. rose_ioctl in net/rose/af_rose.c has a use-after-free because of a rose_accept race condition.(CVE-2023-51782)\r\n\r\nAn out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This issue may allow a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data being printed and potentially leaked to the kernel ring buffer (dmesg).(CVE-2023-6121)",
+    "cves": [
+      {
+        "id": "CVE-2023-6121",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6121",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2074": {
+    "id": "openEuler-SA-2022-2074",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2074",
+    "title": "An update for gnome-font-viewer is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The Font Viewer application has been rewritten to match the new design used for GNOME 3 applications.It can now show an overview of all installed fonts and optimizes screen space usage when the application is maximized.\r\n\r\nSecurity Fix(es):\r\n\r\nIn text_to_glyphs in sushi-font-widget.c in gnome-font-viewer 3.34.0, there is a NULL pointer dereference while parsing a TTF font file that lacks a name section (due to a g_strconcat call that returns NULL).(CVE-2019-19308)",
+    "cves": [
+      {
+        "id": "CVE-2019-19308",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19308",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1264": {
+    "id": "openEuler-SA-2024-1264",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1264",
+    "title": "An update for arm-trusted-firmware is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Trusted Firmware-A is a reference implementation of secure world software for Arm A-Profile architectures (Armv8-A and Armv7-A), including an Exception Level 3 (EL3) Secure Monitor.\r\n\r\nSecurity Fix(es):\r\n\r\nTrusted Firmware-A (TF-A) before 2.10 has a potential read out-of-bounds in the SDEI service. The input parameter passed in register x1 is not validated well enough in the function sdei_interrupt_bind. The parameter is passed to a call to plat_ic_get_interrupt_type. It can be any arbitrary value passing checks in the function plat_ic_is_sgi. A compromised Normal World (Linux kernel) can enable a root-privileged attacker to issue arbitrary SMC calls. Using this primitive, he can control the content of registers x0 through x6, which are used to send parameters to TF-A. Out-of-bounds addresses can be read in the context of TF-A (EL3). Because the read value is never returned to non-secure memory or in registers, no leak is possible. An attacker can still crash TF-A, however.(CVE-2023-49100)",
+    "cves": [
+      {
+        "id": "CVE-2023-49100",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49100",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1740": {
+    "id": "openEuler-SA-2023-1740",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1740",
+    "title": "An update for libvpx is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "libvpx provides the VP8/VP9 SDK, which allows you to integrate your applications with the VP8 and VP9 video codecs, high quality, royalty free, open source codecs deployed on millions of computers and devices worldwide.\r\n\r\nSecurity Fix(es):\r\n\r\nVP9 in libvpx before 1.13.1 mishandles widths, leading to a crash related to encoding.(CVE-2023-44488)\r\n\r\nHeap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)(CVE-2023-5217)",
+    "cves": [
+      {
+        "id": "CVE-2023-5217",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5217",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1262": {
+    "id": "openEuler-SA-2023-1262",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1262",
+    "title": "An update for libxml2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "This library allows to manipulate XML files. It includes support to read, modify and write XML and HTML files. There is DTDs support this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified. The output can be a simple SAX stream or and in-memory DOM like representations. In this case one can use the built-in XPath and XPointer implementation to select sub nodes or ranges. A flexible Input/Output mechanism is available, with existing HTTP and FTP modules and combined to an URI library.\r\n\r\nSecurity Fix(es):\r\n\r\nIn libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.(CVE-2023-28484)\r\n\r\nAn issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\\0' value).(CVE-2023-29469)",
+    "cves": [
+      {
+        "id": "CVE-2023-29469",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29469",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1315": {
+    "id": "openEuler-SA-2021-1315",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1315",
+    "title": "An update for gd is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nread_header_tga in gd_tga.c in the GD Graphics Library (aka LibGD) through 2.3.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TGA file.(CVE-2021-38115)",
+    "cves": [
+      {
+        "id": "CVE-2021-38115",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38115",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1262": {
+    "id": "openEuler-SA-2021-1262",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1262",
+    "title": "An update for nodejs-path-parse is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Node.js path.parse() ponyfill\r\n\r\nSecurity Fix(es):\r\n\r\nAll versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.(CVE-2021-23343)",
+    "cves": [
+      {
+        "id": "CVE-2021-23343",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23343",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1113": {
+    "id": "openEuler-SA-2023-1113",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1113",
+    "title": "An update for python-cryptography is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.\r\n\r\nSecurity Fix(es):\r\n\r\ncryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.(CVE-2023-23931)",
+    "cves": [
+      {
+        "id": "CVE-2023-23931",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23931",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1335": {
+    "id": "openEuler-SA-2021-1335",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1335",
+    "title": "An update for jsoup is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "jsoup is a Java library for working with real-world HTML. It provides a very convenient API for extracting and manipulating data, using the best of DOM, CSS, and jquery-like methods.\r\n\r\nSecurity Fix(es):\r\n\r\njsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.(CVE-2021-37714)",
+    "cves": [
+      {
+        "id": "CVE-2021-37714",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37714",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1287": {
+    "id": "openEuler-SA-2021-1287",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1287",
+    "title": "An update for libmaxminddb is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The libmaxminddb library provides a C library for reading MaxMind DB files, including the GeoIP2 databases from MaxMind. This is a custom binary format designed to facilitate fast lookups of IP addresses while allowing for great flexibility in the type of data associated with an address.\r\n\r\nSecurity Fix(es):\r\n\r\nlibmaxminddb before 1.4.3 has a heap-based buffer over-read in dump_entry_data_list in maxminddb.c.(CVE-2020-28241)",
+    "cves": [
+      {
+        "id": "CVE-2020-28241",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28241",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1803": {
+    "id": "openEuler-SA-2023-1803",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1803",
+    "title": "An update for httpd is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that.\r\n\r\nThis was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During \"normal\" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out.\r\n\r\nUsers are recommended to upgrade to version 2.4.58, which fixes the issue.\n(CVE-2023-45802)",
+    "cves": [
+      {
+        "id": "CVE-2023-45802",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45802",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2135": {
+    "id": "openEuler-SA-2022-2135",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2135",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing.It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nHeap based buffer overflow in vim/vim 9.0.0946 and below by allowing an attacker to CTRL-W gf in the expression used in the RHS of the substitute command.(CVE-2022-4141)\r\n\r\nUse After Free in GitHub repository vim/vim prior to 9.0.0789.(CVE-2022-3591)\r\n\r\nHeap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0765.(CVE-2022-3520)\r\n\r\nHeap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0742.(CVE-2022-3491)",
+    "cves": [
+      {
+        "id": "CVE-2022-3491",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3491",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1938": {
+    "id": "openEuler-SA-2022-1938",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1938",
+    "title": "An update for shim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Initial UEFI bootloader that handles chaining to a trusted full \\ bootloader under secure boot environments.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nThe X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the \"-crl_download\" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).(CVE-2020-1971)\r\n\r\nCalls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).(CVE-2021-23840)\r\n\r\nWhile parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.(CVE-2017-3735)\r\n\r\nDuring key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o).(CVE-2018-0732)\r\n\r\nASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).(CVE-2021-3712)\r\n\r\nThe BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).(CVE-2022-0778)",
+    "cves": [
+      {
+        "id": "CVE-2022-0778",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0778",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1209": {
+    "id": "openEuler-SA-2024-1209",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1209",
+    "title": "An update for graphviz is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Low",
+    "description": "Graphviz is open source graph visualization software. Graph visualization is a way of representing structural  information as diagrams of abstract graphs and networks. It has important applications in networking, bioinformatics,  software engineering, database and web design, machine learning, and in visual interfaces for other technical domains.\r\n\r\nSecurity Fix(es):\r\n\r\nGraphviz 2.36 before 10.0.0 has an out-of-bounds read via a crafted config6a file. NOTE: exploitability may be uncommon because this file is typically owned by root.(CVE-2023-46045)",
+    "cves": [
+      {
+        "id": "CVE-2023-46045",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46045",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1474": {
+    "id": "openEuler-SA-2024-1474",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1474",
+    "title": "An update for cri-o is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Open Container Initiative-based implementation of Kubernetes Container Runtime Interface.\r\n\r\nSecurity Fix(es):\r\n\r\nPackage jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.\n(CVE-2024-28180)",
+    "cves": [
+      {
+        "id": "CVE-2024-28180",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28180",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1067": {
+    "id": "openEuler-SA-2024-1067",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1067",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel before 6.6.8. rose_ioctl in net/rose/af_rose.c has a use-after-free because of a rose_accept race condition.(CVE-2023-51782)",
+    "cves": [
+      {
+        "id": "CVE-2023-51782",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51782",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2149": {
+    "id": "openEuler-SA-2022-2149",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2149",
+    "title": "An update for jetty is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "%global desc \\ Jetty is a 100% Java HTTP Server and Servlet Container. This means that you\\ do not need to configure and run a separate web server (like Apache) in order\\ to use Java, servlets and JSPs to generate dynamic content. Jetty is a fully\\ featured web server for static and dynamic content. Unlike separate\\ server/container solutions, this means that your web server and web\\ application run in the same process, without interconnection overheads\\ and complications. Furthermore, as a pure java component, Jetty can be simply\\ included in your application for demonstration, distribution or deployment.\\ Jetty is available on all Java supported platforms. \\ %global extdesc \\\\ \\ This package contains\r\n\r\nSecurity Fix(es):\r\n\r\nIn Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.(CVE-2019-10241)",
+    "cves": [
+      {
+        "id": "CVE-2019-10241",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10241",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1507": {
+    "id": "openEuler-SA-2023-1507",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1507",
+    "title": "An update for amanda is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "AMANDA, the Advanced Maryland Automatic Network Disk Archiver, is a backup system that allows the administrator of a LAN to set up a single master backup server to back up multiple hosts to a single large capacity tape or disk drive. Amanda uses native tools (such as GNUtar, dump) for backup and can back up a large number of workstations running multiple versions of Unix/Mac OS X/Linux/Windows.\n\nSecurity Fix(es):\n\nAMANDA (Advanced Maryland Automatic Network Disk Archiver) before tag-community-3.5.4 mishandles argument checking for runtar.c, a different vulnerability than CVE-2022-37705.(CVE-2023-30577)",
+    "cves": [
+      {
+        "id": "CVE-2023-30577",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30577",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1745": {
+    "id": "openEuler-SA-2024-1745",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1745",
+    "title": "An update for python-scikit-learn is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3 and openEuler-24.03-LTS",
+    "severity": "Medium",
+    "description": "A Python module for machine learning built on top of SciPy\r\n\r\nSecurity Fix(es):\r\n\r\nA sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data within the `stop_words_` attribute, rather than only storing the subset of tokens required for the TF-IDF technique to function. This behavior leads to the potential leakage of sensitive information, as the `stop_words_` attribute could contain tokens that were meant to be discarded and not stored, such as passwords or keys. The impact of this vulnerability varies based on the nature of the data being processed by the vectorizer.(CVE-2024-5206)",
+    "cves": [
+      {
+        "id": "CVE-2024-5206",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5206",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1968": {
+    "id": "openEuler-SA-2023-1968",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1968",
+    "title": "An update for jettison is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Jettison is a collection of Java APIs (like STaX and DOM) which read and write JSON. This allows nearly transparent enablement of JSON based web services in services frameworks like CXF or XML serialization frameworks like XStream.\r\n\r\nSecurity Fix(es):\r\n\r\nAn infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.\r\n\r\n(CVE-2023-1436)",
+    "cves": [
+      {
+        "id": "CVE-2023-1436",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1436",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1095": {
+    "id": "openEuler-SA-2024-1095",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1095",
+    "title": "An update for gnutls is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, and other required structures. The project strives to provide a secure communications back-end, simple to use and integrated with the rest of the base Linux libraries. A back-end designed to work and be secure out of the box, keeping the complexity of TLS and PKI out of application code.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.(CVE-2024-0553)\r\n\r\nA vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.(CVE-2024-0567)",
+    "cves": [
+      {
+        "id": "CVE-2024-0567",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0567",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1461": {
+    "id": "openEuler-SA-2021-1461",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1461",
+    "title": "An update for samba is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was discovered in the way samba implements SMB1 authentication. Even if Kerberos authentication is required, an attacker can use this flaw to retrieve the clear text password sent over the wire.(CVE-2016-2124)\r\n\r\nSeveral flaws were found in the way that samba AD DC implements storage data access and consistency checking. Attackers can use this flaw to cause damage to the entire domain.(CVE-2020-25722)\r\n\r\nA use-after-free issue was found in the Samba AD DC RPC server, which may allow handles to point to different user states, leading to more privileged access.(CVE-2021-3738)\r\n\r\nA flaw was found in the way that samba as an AD domain controller can support RODC. This will allow RODC to print administrator credentials.(CVE-2020-25718)\r\n\r\nA flaw was discovered in the way that Samba, as an AD domain controller, implements Kerberos name-based authentication. If Samba AD DC does not strictly require Kerberos PAC and always uses the SID found in it, it may not be able to distinguish the user represented by the credential.(CVE-2020-25719)\r\n\r\nThe AD Kerberos acceptance service in Samba cannot perform authorization by accessing the user's unique and long-term stable identifier.(CVE-2020-25721)",
+    "cves": [
+      {
+        "id": "CVE-2020-25721",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25721",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1826": {
+    "id": "openEuler-SA-2022-1826",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1826",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Low",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nNULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.495.(CVE-2022-1725)",
+    "cves": [
+      {
+        "id": "CVE-2022-1725",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1725",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1685": {
+    "id": "openEuler-SA-2024-1685",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1685",
+    "title": "An update for openjdk-17 is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2024-20918)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 17.0.9; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 21.3.8 and  22.3.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).(CVE-2024-20932)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and  21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2024-21012)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2 and  22; Oracle GraalVM Enterprise Edition: 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2024-21068)",
+    "cves": [
+      {
+        "id": "CVE-2024-21068",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21068",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1661": {
+    "id": "openEuler-SA-2022-1661",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1661",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Go Programming Language.\r\n\r\nSecurity Fix(es):\n\r\nGo before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion.(CVE-2021-44717)\n\nencoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.(CVE-2022-24675)\n\r\nThe generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input.(CVE-2022-28327)",
+    "cves": [
+      {
+        "id": "CVE-2022-28327",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28327",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1391": {
+    "id": "openEuler-SA-2023-1391",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1391",
+    "title": "An update for bouncycastle is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Low",
+    "description": "A Java implementation of cryptographic algorithms.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Bouncy Castle 1.73. This issue targets the fix of LDAP wild cards. Before the fix there was no validation for the X.500 name of any certificate, subject, or issuer, so the presence of a wild card may lead to information disclosure. This could allow a malicious user to obtain unauthorized information via blind LDAP Injection, exploring the environment and enumerating data. The exploit depends on the structure of the target LDAP directory as well as what kind of errors are exposed to the user.(CVE-2023-33201)",
+    "cves": [
+      {
+        "id": "CVE-2023-33201",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33201",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1973": {
+    "id": "openEuler-SA-2023-1973",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1973",
+    "title": "An update for trafficserver is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Apache Traffic Server is an OpenSource HTTP / HTTPS / HTTP/2 / QUIC reverse, forward and transparent proxy and cache.\r\n\r\nSecurity Fix(es):\r\n\r\nExposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server.This issue affects Apache Traffic Server: 8.0.0 to 9.2.0.\r\n\r\n(CVE-2022-47184)\r\n\r\nExposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server.This issue affects Apache Traffic Server: from 8.0.0 through 9.2.0.\r\n\r\n8.x users should upgrade to 8.1.7 or later versions\n9.x users should upgrade to 9.2.1 or later versions\r\n\r\n\n(CVE-2023-33933)",
+    "cves": [
+      {
+        "id": "CVE-2023-33933",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33933",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1553": {
+    "id": "openEuler-SA-2023-1553",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1553",
+    "title": "An update for microcode_ctl is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "This is a tool to transform and deploy microcode update for x86 CPUs.\r\n\r\nSecurity Fix(es):\r\n\r\nIncorrect default permissions in some memory controller configurations for some Intel(R) Xeon(R) Processors when using Intel(R) Software Guard Extensions which may allow a privileged user to potentially enable escalation of privilege via local access.(CVE-2022-33196)\r\n\r\nImproper isolation of shared resources in some Intel(R) Processors when using Intel(R) Software Guard Extensions may allow a privileged user to potentially enable information disclosure via local access.(CVE-2022-38090)\r\n\r\nInformation exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.(CVE-2022-40982)",
+    "cves": [
+      {
+        "id": "CVE-2022-40982",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40982",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1818": {
+    "id": "openEuler-SA-2022-1818",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1818",
+    "title": "An update for libdwarf is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Libdwarf is a library of functions to provide read/write DWARF debugging records.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in libdwarf. A possible null pointer dereference vulnerability allows an attacker to input a specially crafted file, leading to a crash. The highest threat from this vulnerability is to system availability.(CVE-2020-28163)",
+    "cves": [
+      {
+        "id": "CVE-2020-28163",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28163",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1176": {
+    "id": "openEuler-SA-2021-1176",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1176",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\n\r\n\r\nSecurity Fix(es):\n\nAn issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects pointer types that do not define a ptr_limit.(CVE-2020-27170)\n\nAn issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d.(CVE-2020-27171)\n\nrtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the Linux kernel through 5.11.6 allows writing beyond the end of the ->ssid[] array. NOTE: from the perspective of kernel.org releases, CVE IDs are not normally used for drivers/staging/* (unfinished work); however, system integrators may have situations in which a drivers/staging issue is relevant to their own customer base.(CVE-2021-28660)\n\nA race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer before a cloning operation, aka CID-dbcc7d57bffc.(CVE-2021-28964)\n\nIn drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux kernel through 5.11.8, the RPA PCI Hotplug driver has a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name '\\0' termination, aka CID-cc7a0bb058b8.(CVE-2021-28972)\n\nIn intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS status in a PEBS record is mishandled, aka CID-d88d05a9e0b6.(CVE-2021-28971)\n\nAn out-of-bounds (OOB) memory access flaw was found in x25_bind in net/x25/af_x25.c in the Linux kernel. A bounds check failure allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-35519)\n\nThere is a flaw reported in drivers/gpu/drm/nouveau/nouveau_sgdma.c in nouveau_sgdma_create_ttm  in Nouveau DRM subsystem. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker with a local account with a root privilege, can leverage this vulnerability to escalate privileges and execute code in the context of the kernel.(CVE-2021-20292)\r\n\r\nThe bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in the upstream kernel in commit 9b00f1b78809 (\"bpf: Fix truncation handling for mod32 dst reg wrt zero\") and in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101.(CVE-2021-3444)\r\n\r\nAn issue was discovered in the Linux kernel before 5.11.7. usbip_sockfd_store in drivers/usb/usbip/stub_dev.c allows attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status, aka CID-9380afd6df70.(CVE-2021-29265)\r\n\r\nAn issue was discovered in the Linux kernel through 5.11.10. drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver allows attackers to cause a system crash because a negative fragment size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is enabled, aka CID-d8861bab48b6.(CVE-2021-29264)\r\n\r\nAn issue was discovered in the Linux kernel before 5.11.11. qrtr_recvmsg in net/qrtr/qrtr.c allows attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure, aka CID-50535249f624.(CVE-2021-29647)\r\n\r\nAn issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.(CVE-2021-29650)\r\n\r\nThe fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains. All Linux versions having the fix for XSA-365 applied are vulnerable. XSA-365 was classified to affect versions back to at least 3.11.(CVE-2021-28688)\r\n\r\nBPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c.(CVE-2021-29154)\r\n\r\nAn issue was discovered in the Linux kernel before 5.8.10. virt/kvm/kvm_main.c has a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure, aka CID-f65886606c2d.(CVE-2020-36312)\r\n\r\nAn issue was discovered in the Linux kernel before 5.9. arch/x86/kvm/svm/sev.c allows attackers to cause a denial of service (soft lockup) by triggering destruction of a large SEV VM (which requires unregistering many encrypted regions), aka CID-7be74942f184.(CVE-2020-36311)\r\n\r\nAn issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950.(CVE-2020-36322)\r\n\r\nAn issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations.(CVE-2021-29155)\r\n\r\nA race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket.(CVE-2021-23133)\r\n\r\nAn out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.(CVE-2021-3506)\r\n\r\nAn issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists. video_usercopy in drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak for large arguments, aka CID-fb18802a338b.(CVE-2021-30002)\r\n\r\nA flaw was found in the Nosy driver in the Linux kernel. This issue allows a device to be inserted twice into a doubly-linked list, leading to a use-after-free when one of these devices is removed. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. Versions before kernel 5.12-rc6 are affected(CVE-2021-3483)\r\n\r\nAn out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.(CVE-2021-31916)\r\n\r\nkernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel.(CVE-2021-31829)\r\n\r\nnet/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller.(CVE-2021-32399)\r\n\r\nUse After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability.(CVE-2021-23134)\r\n\r\nIn the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.(CVE-2021-33034)\r\n\r\nThe Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.(CVE-2021-33033)\r\n\r\nkernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.(CVE-2021-33200)\r\n\r\nA flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the system. This flaw affects all the Linux kernel versions starting from 3.13.(CVE-2021-3564)\r\n\r\nAn issue was discovered in the Linux kernel before 5.8.1. net/bluetooth/hci_event.c has a slab out-of-bounds read in hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf.(CVE-2020-36386)",
+    "cves": [
+      {
+        "id": "CVE-2020-36386",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36386",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2000": {
+    "id": "openEuler-SA-2022-2000",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2000",
+    "title": "An update for dbus is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message with certain invalid type signatures.(CVE-2022-42010)\r\n\r\nAn issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message where an array length is inconsistent with the size of the element type.(CVE-2022-42011)\r\n\r\nAn issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash by sending a message with attached file descriptors in an unexpected format.(CVE-2022-42012)",
+    "cves": [
+      {
+        "id": "CVE-2022-42012",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42012",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1379": {
+    "id": "openEuler-SA-2023-1379",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1379",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free flaw was found in r592_remove in drivers/memstick/host/r592.c in media access in the Linux Kernel. This flaw allows a local attacker to crash the system at device disconnect, possibly leading to a kernel information leak.(CVE-2023-3141)\r\n\r\nAn out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information.(CVE-2023-3268)\r\n\r\nAn issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation.(CVE-2023-35788)\r\n\r\nAn issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in drivers/media/pci/dm1105/dm1105.c.(CVE-2023-35824)",
+    "cves": [
+      {
+        "id": "CVE-2023-35824",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35824",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1530": {
+    "id": "openEuler-SA-2024-1530",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1530",
+    "title": "An update for ignition is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Ignition is a utility used to manipulate systems during the initramfs. This includes partitioning disks, formatting partitions, writing files (regular files, systemd units, etc.), and configuring users. On first boot, Ignition reads its configuration from a source of truth (remote URL, network metadata service, hypervisor bridge, etc.) and applies the configuration.\r\n\r\nSecurity Fix(es):\r\n\r\nA maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.(CVE-2022-41723)",
+    "cves": [
+      {
+        "id": "CVE-2022-41723",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1103": {
+    "id": "openEuler-SA-2024-1103",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1103",
+    "title": "An update for mysql-connector-java is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Official JDBC driver for MySQL.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H).(CVE-2021-2471)\r\n\r\nVulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).(CVE-2022-21363)",
+    "cves": [
+      {
+        "id": "CVE-2022-21363",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21363",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1878": {
+    "id": "openEuler-SA-2022-1878",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1878",
+    "title": "An update for samba is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nCVE-2022-32743 samba: Validated dnsHostname write right needs to be implemented\nhttps://bugzilla.samba.org/show_bug.cgi?id=14833(CVE-2022-32743)",
+    "cves": [
+      {
+        "id": "CVE-2022-32743",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32743",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1024": {
+    "id": "openEuler-SA-2021-1024",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1024",
+    "title": "An update for p11-kit is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Provides a way to load and enumerate PKCS#11 modules. Provides a standard configuration setup for installing PKCS#11 modules in such a way that they're discoverable. Also solves problems with coordinating the use of PKCS#11 by different components or libraries living in the same process.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nAn issue was discovered in p11-kit 0.21.1 through 0.23.21. Multiple integer overflows have been discovered in the array allocations in the p11-kit library and the p11-kit list command, where overflow checks are missing before calling realloc or calloc.(CVE-2020-29361)\\r\\n\\r\\n\nAn issue was discovered in p11-kit 0.21.1 through 0.23.21. A heap-based buffer over-read has been discovered in the RPC protocol used by thep11-kit server/remote commands and the client library. When the remote entity supplies a byte array through a serialized PKCS#11 function call, the receiving entity may allow the reading of up to 4 bytes of memory past the heap allocation.(CVE-2020-29362)\\r\\n\\r\\n\nAn issue was discovered in p11-kit 0.23.6 through 0.23.21. A heap-based buffer overflow has been discovered in the RPC protocol used by p11-kit server/remote commands and the client library. When the remote entity supplies a serialized byte array in a CK_ATTRIBUTE, the receiving entity may not allocate sufficient length for the buffer to store the deserialized value.(CVE-2020-29363)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2020-29363",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29363",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1755": {
+    "id": "openEuler-SA-2024-1755",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1755",
+    "title": "An update for aspell is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "GNU Aspell is a spell checker intended to replace Ispell. It can be used as a library and spell checker. Its main feature is that it provides much better suggestions than other inspectors, including Ispell and Microsoft Word. It also has many other technical enhancements to Ispell, such as the use of shared memory to store dictionaries, and intelligent processing of personal dictionaries when multiple Aspell processes are opened at one time.\r\n\r\nSecurity Fix(es):\r\n\r\nobjstack in GNU Aspell 0.60.8 has a heap-based buffer overflow in acommon::ObjStack::dup_top (called from acommon::StringMap::add and acommon::Config::lookup_list).(CVE-2019-25051)",
+    "cves": [
+      {
+        "id": "CVE-2019-25051",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25051",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1903": {
+    "id": "openEuler-SA-2022-1903",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1903",
+    "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort,shear and transform images, adjust image colors, apply various special effects,or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap-buffer-overflow flaw was found in ImageMagick’s PushShortPixel() function of quantum-private.h file. This vulnerability is triggered when an attacker passes a specially crafted TIFF image file to ImageMagick for conversion, potentially leading to a denial of service.(CVE-2022-1115)",
+    "cves": [
+      {
+        "id": "CVE-2022-1115",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1115",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1457": {
+    "id": "openEuler-SA-2023-1457",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1457",
+    "title": "An update for python-certifi is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Certifi provides Mozilla carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. It has been extracted from the Requests project\r\n\r\nSecurity Fix(es):\r\n\r\nCertifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from \"TrustCor\" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.(CVE-2022-23491)\r\n\r\nCertifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes \"e-Tugra\" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from \"e-Tugra\" from the root store.(CVE-2023-37920)",
+    "cves": [
+      {
+        "id": "CVE-2023-37920",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37920",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1036": {
+    "id": "openEuler-SA-2024-1036",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1036",
+    "title": "An update for jersey is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Jersey is the open source JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services. %if\r\n\r\nSecurity Fix(es):\r\n\r\nEclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.(CVE-2021-28168)",
+    "cves": [
+      {
+        "id": "CVE-2021-28168",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28168",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1025": {
+    "id": "openEuler-SA-2021-1025",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1025",
+    "title": "An update for luajit is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "LuaJIT is a Just-In-Time Compiler (JIT) for the Lua programming language. Lua is a powerful, dynamic and light-weight programming language. It may be embedded or used as a general-purpose, stand-alone language.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nLuaJit through 2.1.0-beta3 has an out-of-bounds read because __gc handler frame traversal is mishandled.(CVE-2020-15890)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2020-15890",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15890",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2090": {
+    "id": "openEuler-SA-2022-2090",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2090",
+    "title": "An update for libvncserver is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "libvncserver is a set of programs using the RFB (Remote Frame Buffer) protocol. They are designed to \"export\" a frame buffer via net: you set up a server and can connect to it via VNC viewers. If the server supports WebSockets (which LibVNCServer does), you can also connect using an in-browser VNC viewer like noVNC. It is already in wide use for administration, but it is not that easy to program a server yourself.\r\n\r\nSecurity Fix(es):\r\n\r\nlibvncclient v0.9.13 was discovered to contain a memory leak via the function rfbClientCleanup().(CVE-2020-29260)",
+    "cves": [
+      {
+        "id": "CVE-2020-29260",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29260",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1492": {
+    "id": "openEuler-SA-2022-1492",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1492",
+    "title": "An update for nss is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "Network Security Services.\r\n\r\nSecurity Fix(es):\r\n\r\nNSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS \\#7, or PKCS \\#12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. *Note: This vulnerability does NOT impact Mozilla Firefox.* However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted. This vulnerability affects NSS < 3.73 and NSS < 3.68.1.(CVE-2021-43527)",
+    "cves": [
+      {
+        "id": "CVE-2021-43527",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43527",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1677": {
+    "id": "openEuler-SA-2023-1677",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1677",
+    "title": "An update for python3 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)(CVE-2023-40217)",
+    "cves": [
+      {
+        "id": "CVE-2023-40217",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40217",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1844": {
+    "id": "openEuler-SA-2024-1844",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1844",
+    "title": "An update for glibc is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt,  login, exit and more.\r\n\r\nSecurity Fix(es):\r\n\r\nThe iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.\n(CVE-2024-2961)",
+    "cves": [
+      {
+        "id": "CVE-2024-2961",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2961",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1830": {
+    "id": "openEuler-SA-2024-1830",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1830",
+    "title": "An update for httpd is now available for openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-24.03-LTS,openEuler-22.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\r\n\r\nSecurity Fix(es):\r\n\r\nImproper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. \r\n\r\nSubstitutions in server context that use a backreferences or variables as the first segment of the substitution are affected.  Some unsafe RewiteRules will be broken by this change and the rewrite flag \"UnsafePrefixStat\" can be used to opt back in once ensuring the substitution is appropriately constrained.(CVE-2024-38475)\r\n\r\nPotential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy.\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue.(CVE-2024-39573)",
+    "cves": [
+      {
+        "id": "CVE-2024-39573",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39573",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1266": {
+    "id": "openEuler-SA-2023-1266",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1266",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free flaw was found in ndlc_remove in drivers/nfc/st-nci/ndlc.c in the Linux Kernel. This flaw could allow an attacker to crash the system due to a race problem.(CVE-2023-1990)\r\n\r\nThe Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/power/supply/da9150-charger.c if a physically proximate attacker unplugs a device.(CVE-2023-30772)\n\nThe Linux kernel allows userspace processes to enable mitigations by calling prctl with PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line.This happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target injection against which STIBP protects.(CVE-2023-1998)",
+    "cves": [
+      {
+        "id": "CVE-2023-1998",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1998",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1356": {
+    "id": "openEuler-SA-2021-1356",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1356",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nvim is vulnerable to Heap-based Buffer Overflow(CVE-2021-3778)\r\n\r\nvim is vulnerable to Use After Free(CVE-2021-3796)",
+    "cves": [
+      {
+        "id": "CVE-2021-3796",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3796",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1779": {
+    "id": "openEuler-SA-2023-1779",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1779",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4040_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cm4040_open() and reader_detach().(CVE-2022-44033)\r\n\r\nAn issue was discovered in the Linux kernel through 6.0.10. In drivers/media/dvb-core/dvb_ca_en50221.c, a use-after-free can occur is there is a disconnect after an open, because of the lack of a wait_event.(CVE-2022-45919)\r\n\r\nAn issue was discovered in drivers/bluetooth/hci_ldisc.c in the Linux kernel 6.2. In hci_uart_tty_ioctl, there is a race condition between HCIUARTSETPROTO and HCIUARTGETPROTO. HCI_UART_PROTO_SET is set before hu->proto is set. A NULL pointer dereference may occur.(CVE-2023-31083)\r\n\r\nAn issue was discovered in drivers/mtd/ubi/cdev.c in the Linux kernel 6.2. There is a divide-by-zero error in do_div(sz,mtd->erasesize), used indirectly by ctrl_cdev_ioctl, when mtd->erasesize is 0.(CVE-2023-31085)\r\n\r\nClosing of an event channel in the Linux kernel can result in a deadlock. This happens when the close is being performed in parallel to an unrelated Xen console action and the handling of a Xen console interrupt in an unprivileged guest. The closing of an event channel is e.g. triggered by removal of a paravirtual device on the other side. As this action will cause console messages to be issued on the other side quite often, the chance of triggering the deadlock is not neglectable.\nA (malicious) guest administrator could cause a denial of service (DoS) in a backend domain (other than dom0) by disabling a paravirtualized device. A malicious backend could cause DoS in a guest running a Linux kernel by disabling a paravirtualized device.(CVE-2023-34324)\r\n\r\nA flaw was found in the XFRM subsystem in the Linux kernel. The specific flaw exists within the processing of state filters, which can result in a read past the end of an allocated buffer. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, potentially leading to an information disclosure.(CVE-2023-39194)\r\n\r\nAn issue was discovered in lib/kobject.c in the Linux kernel before 6.2.3. With root access, an attacker can trigger a race condition that results in a fill_kobj_path out-of-bounds write.(CVE-2023-45863)\r\n\r\nA heap out-of-bounds write vulnerability in the Linux kernel's Linux Kernel Performance Events (perf) component can be exploited to achieve local privilege escalation.\r\n\r\nIf perf_read_group() is called while an event's sibling_list is smaller than its child's sibling_list, it can increment or write to memory locations outside of the allocated buffer.\r\n\r\nWe recommend upgrading past commit 32671e3799ca2e4590773fd0e63aaa4229e50c06.\r\n\r\n(CVE-2023-5717)",
+    "cves": [
+      {
+        "id": "CVE-2023-5717",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5717",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1888": {
+    "id": "openEuler-SA-2023-1888",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1888",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free flaw was found in setup_async_work in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. This issue could allow an attacker to crash the system by accessing freed work.(CVE-2023-1193)",
+    "cves": [
+      {
+        "id": "CVE-2023-1193",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1193",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1689": {
+    "id": "openEuler-SA-2023-1689",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1689",
+    "title": "An update for bind is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols and provides an openly redistributable reference implementation of the major components of the Domain Name System. This package includes the components to operate a DNS server.\r\n\r\nSecurity Fix(es):\r\n\r\nThe code that processes control channel messages sent to `named` calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing `named` to terminate unexpectedly. Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key; only network access to the control channel's configured TCP port is necessary.\nThis issue affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1.(CVE-2023-3341)",
+    "cves": [
+      {
+        "id": "CVE-2023-3341",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3341",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1057": {
+    "id": "openEuler-SA-2021-1057",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1057",
+    "title": "An update for luajit is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "LuaJIT is a Just-In-Time Compiler (JIT) for the Lua programming language. Lua is a powerful, dynamic and light-weight programming language. It may be embedded or used as a general-purpose, stand-alone language.\r\n\r\nSecurity Fix(es):\r\n\r\nLuaJIT through 2.1.0-beta3 has an out-of-bounds read in lj_err_run in lj_err.c.(CVE-2020-24372)",
+    "cves": [
+      {
+        "id": "CVE-2020-24372",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24372",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1286": {
+    "id": "openEuler-SA-2021-1286",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1286",
+    "title": "An update for libexif is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Most digital cameras produce EXIF files, which are JPEG files with extra tags that contain information about the image. The EXIF library allows you to parse an EXIF file and read the data from those tags.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in libexif before 0.6.22. Use of uninitialized memory in EXIF Makernote handling could lead to crashes and potential use-after-free conditions.(CVE-2020-13113)\r\n\r\nAn issue was discovered in libexif before 0.6.22. An unrestricted size in handling Canon EXIF MakerNote data could lead to consumption of large amounts of compute time for decoding EXIF data.(CVE-2020-13114)",
+    "cves": [
+      {
+        "id": "CVE-2020-13114",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13114",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1866": {
+    "id": "openEuler-SA-2024-1866",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1866",
+    "title": "An update for python-pip is now available for openEuler-22.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes. %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-/bash_completion.d}) Name:           python-pip Version:        20.2.2 Release:        4 Summary:        A tool for installing and managing Python packages License:        MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD) URL:            http://www.pip-installer.org Source0:        https://files.pythonhosted.org/packages/source/p/pip/pip-.tar.gz BuildArch:      noarch Patch1:         allow-stripping-given-prefix-from-wheel-RECORD-files. Patch2:         emit-a-warning-when-running-with-root-privileges.patch Patch3:         remove-existing-dist-only-if-path-conflicts.patch Patch6000:      dummy-certifi.patch Patch6001:      backport-CVE-2021-3572.patch\r\n\r\nSecurity Fix(es):\r\n\r\nurllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.\n(CVE-2023-45803)\r\n\r\n urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations.(CVE-2024-37891)",
+    "cves": [
+      {
+        "id": "CVE-2024-37891",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2115": {
+    "id": "openEuler-SA-2022-2115",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2115",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Go Programming Language.\r\n\r\nSecurity Fix(es):\r\n\r\nDue to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string \"A=B\\x00C=D\" sets the variables \"A=B\" and \"C=D\".(CVE-2022-41716)",
+    "cves": [
+      {
+        "id": "CVE-2022-41716",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41716",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1479": {
+    "id": "openEuler-SA-2024-1479",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1479",
+    "title": "An update for apache-mime4j is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "Java stream based MIME message parser.\r\n\r\nSecurity Fix(es):\r\n\r\nImproper input validation allows for header injection in MIME4J library when using MIME4J DOM for composing message.\nThis can be exploited by an attacker to add unintended headers to MIME messages.\n(CVE-2024-21742)",
+    "cves": [
+      {
+        "id": "CVE-2024-21742",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21742",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1317": {
+    "id": "openEuler-SA-2021-1317",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1317",
+    "title": "An update for ceph is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Ceph is a massively scalable, open-source, distributed storage system that runs on commodity hardware and delivers object, block and file system storage.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway) in versions before 14.2.21. The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. In addition, the prior bug fix for CVE-2020-10753 did not account for the use of \\r as a header separator, thus a new flaw has been created.(CVE-2021-3524)\r\n\r\nA flaw was found in the Ceph Object Gateway, where it supports request sent by an anonymous user in Amazon S3. This flaw could lead to potential XSS attacks due to the lack of proper neutralization of untrusted input.(CVE-2020-1760)\r\n\r\nA flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. Ceph versions 3.x and 4.x are vulnerable to this issue.(CVE-2020-10753)\n\nUser credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila, resulting in potential privilege escalation. An Open Stack Manila user can request access to a share to an arbitrary cephx user, including existing users. The access key is retrieved via the interface drivers. Then, all users of the requesting OpenStack project can view the access key. This enables the attacker to target any resource that the user has access to. This can be done to even admin users, compromising the ceph administrator. This flaw affects Ceph versions prior to 14.2.16, 15.x prior to 15.2.8, and 16.x prior to 16.2.0.(CVE-2020-27781)",
+    "cves": [
+      {
+        "id": "CVE-2020-27781",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27781",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1694": {
+    "id": "openEuler-SA-2022-1694",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1694",
+    "title": "An update for protobuf is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Protocol Buffers (a.k.a., protobuf) are Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data. You can find protobuf's documentation on the Google Developers site.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.(CVE-2021-22569)",
+    "cves": [
+      {
+        "id": "CVE-2021-22569",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22569",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1467": {
+    "id": "openEuler-SA-2023-1467",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1467",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn multiple functions of binder.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.\r\n\r\n(CVE-2023-21255)\r\n\r\n(CVE-2023-2163)\r\n\r\nA flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_TREE_CONNECT and SMB2_QUERY_INFO commands. The issue results from the lack of proper validation of a pointer prior to accessing it. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.(CVE-2023-32248)\r\n\r\nVUL-0: CVE-2023-32255: kernel: Linux Kernel ksmbd Session Setup Memory Leak Denial-of-Service Vulnerability(CVE-2023-32255)\r\n\r\nA use-after-free flaw was found in vcs_read in drivers/tty/vt/vc_screen.c in vc_screen in the Linux Kernel. This flaw allows an attacker with local user access to cause a system crash or leak internal kernel information.(CVE-2023-3567)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.\r\n\r\nIf tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.\r\n\r\nWe recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.\r\n\r\n(CVE-2023-3609)\r\n\r\nA use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\r\n\r\nFlaw in the error handling of bound chains causes a use-after-free in the abort path of NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered.\r\n\r\nWe recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.\r\n\r\n(CVE-2023-3610)\r\n\r\nAn out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.\r\n\r\nThe qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks.\r\n\r\nWe recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.\r\n\r\n(CVE-2023-3611)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.\r\n\r\nIf tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.\r\n\r\nWe recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.\r\n\r\n(CVE-2023-3776)\r\n\r\nAn issue was discovered in the Linux kernel before 6.3.4. ksmbd has an out-of-bounds read in smb2_find_context_vals when create_context's name_len is larger than the tag length.(CVE-2023-38426)\r\n\r\nAn issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/smb2pdu.c in ksmbd does not properly check the UserName value because it does not consider the address of security buffer, leading to an out-of-bounds read.(CVE-2023-38428)",
+    "cves": [
+      {
+        "id": "CVE-2023-38428",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38428",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2128": {
+    "id": "openEuler-SA-2022-2128",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2128",
+    "title": "An update for proftpd is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "ProFTPD is an enhanced FTP server with a focus toward simplicity, security, and ease of configuration. It features a very Apache-like configuration syntax, and a highly customizable server infrastructure, including support for multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory visibility.\r\n\r\nSecurity Fix(es):\r\n\r\nmod_radius in ProFTPD before 1.3.7c allows memory disclosure to RADIUS servers because it copies blocks of 16 characters.(CVE-2021-46854)",
+    "cves": [
+      {
+        "id": "CVE-2021-46854",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46854",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1284": {
+    "id": "openEuler-SA-2024-1284",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1284",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: explicitly null-terminate the xattr list\r\n\r\nWhen setting an xattr, explicitly null-terminate the xattr list.  This\neliminates the fragile assumption that the unused xattr space is always\nzeroed.(CVE-2023-52436)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbinder: fix use-after-free in shinker's callback\r\n\r\nThe mmap read lock is used during the shrinker's callback, which means\nthat using alloc->vma pointer isn't safe as it can race with munmap().\nAs of commit dd2283f2605e (\"mm: mmap: zap pages with read mmap_sem in\nmunmap\") the mmap lock is downgraded after the vma has been isolated.\r\n\r\nI was able to reproduce this issue by manually adding some delays and\ntriggering page reclaiming through the shrinker's debug sysfs. The\nfollowing KASAN report confirms the UAF:\r\n\r\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8\n  Read of size 8 at addr ffff356ed50e50f0 by task bash/478\r\n\r\n  CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70\n  Hardware name: linux,dummy-virt (DT)\n  Call trace:\n   zap_page_range_single+0x470/0x4b8\n   binder_alloc_free_page+0x608/0xadc\n   __list_lru_walk_one+0x130/0x3b0\n   list_lru_walk_node+0xc4/0x22c\n   binder_shrink_scan+0x108/0x1dc\n   shrinker_debugfs_scan_write+0x2b4/0x500\n   full_proxy_write+0xd4/0x140\n   vfs_write+0x1ac/0x758\n   ksys_write+0xf0/0x1dc\n   __arm64_sys_write+0x6c/0x9c\r\n\r\n  Allocated by task 492:\n   kmem_cache_alloc+0x130/0x368\n   vm_area_alloc+0x2c/0x190\n   mmap_region+0x258/0x18bc\n   do_mmap+0x694/0xa60\n   vm_mmap_pgoff+0x170/0x29c\n   ksys_mmap_pgoff+0x290/0x3a0\n   __arm64_sys_mmap+0xcc/0x144\r\n\r\n  Freed by task 491:\n   kmem_cache_free+0x17c/0x3c8\n   vm_area_free_rcu_cb+0x74/0x98\n   rcu_core+0xa38/0x26d4\n   rcu_core_si+0x10/0x1c\n   __do_softirq+0x2fc/0xd24\r\n\r\n  Last potentially related work creation:\n   __call_rcu_common.constprop.0+0x6c/0xba0\n   call_rcu+0x10/0x1c\n   vm_area_free+0x18/0x24\n   remove_vma+0xe4/0x118\n   do_vmi_align_munmap.isra.0+0x718/0xb5c\n   do_vmi_munmap+0xdc/0x1fc\n   __vm_munmap+0x10c/0x278\n   __arm64_sys_munmap+0x58/0x7c\r\n\r\nFix this issue by performing instead a vma_lookup() which will fail to\nfind the vma that was isolated before the mmap lock downgrade. Note that\nthis option has better performance than upgrading to a mmap write lock\nwhich would increase contention. Plus, mmap_write_trylock() has been\nrecently removed anyway.(CVE-2023-52438)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nuio: Fix use-after-free in uio_open\r\n\r\ncore-1\t\t\t\tcore-2\n-------------------------------------------------------\nuio_unregister_device\t\tuio_open\n\t\t\t\tidev = idr_find()\ndevice_unregister(&idev->dev)\nput_device(&idev->dev)\nuio_device_release\n\t\t\t\tget_device(&idev->dev)\nkfree(idev)\nuio_free_minor(minor)\n\t\t\t\tuio_release\n\t\t\t\tput_device(&idev->dev)\n\t\t\t\tkfree(idev)\n-------------------------------------------------------\r\n\r\nIn the core-1 uio_unregister_device(), the device_unregister will kfree\nidev when the idev->dev kobject ref is 1. But after core-1\ndevice_unregister, put_device and before doing kfree, the core-2 may\nget_device. Then:\n1. After core-1 kfree idev, the core-2 will do use-after-free for idev.\n2. When core-2 do uio_release and put_device, the idev will be double\n   freed.\r\n\r\nTo address this issue, we can get idev atomic & inc idev reference with\nminor_lock.(CVE-2023-52439)\r\n\r\nNULL Pointer Dereference vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (net, bluetooth modules) allows Overflow Buffers. This vulnerability is associated with program files /net/bluetooth/rfcomm/core.C.\r\n\r\nThis issue affects Linux kernel: v2.6.12-rc2.\r\n\r\n(CVE-2024-22099)\r\n\r\nIn btrfs_get_root_ref in fs/btrfs/disk-io.c in the Linux kernel through 6.7.1, there can be an assertion failure and crash because a subvolume can be read out too soon after its root item is inserted upon subvolume creation.(CVE-2024-23850)\r\n\r\ncopy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can attempt to allocate more than INT_MAX bytes, and crash, because of a missing param_kernel->data_size check. This is related to ctl_ioctl.(CVE-2024-23851)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntls: fix race between async notify and socket close\r\n\r\nThe submitting thread (one which called recvmsg/sendmsg)\nmay exit as soon as the async crypto handler calls complete()\nso any code past that point risks touching already freed data.\r\n\r\nTry to avoid the locking and extra flags altogether.\nHave the main thread hold an extra reference, this way\nwe can depend solely on the atomic ref counter for\nsynchronization.\r\n\r\nDon't futz with reiniting the completion, either, we are now\ntightly controlling when completion fires.(CVE-2024-26583)",
+    "cves": [
+      {
+        "id": "CVE-2024-26583",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26583",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1793": {
+    "id": "openEuler-SA-2023-1793",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1793",
+    "title": "An update for avahi is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. This enables you to plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to or find files being shared.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in Avahi. A reachable assertion exists in the dbus_set_host_name function.(CVE-2023-38471)\r\n\r\nA vulnerability was found in Avahi. A reachable assertion exists in the avahi_rdata_parse() function.(CVE-2023-38472)\r\n\r\nA vulnerability was found in Avahi. A reachable assertion exists in the avahi_alternative_host_name() function.(CVE-2023-38473)",
+    "cves": [
+      {
+        "id": "CVE-2023-38473",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38473",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1523": {
+    "id": "openEuler-SA-2023-1523",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1523",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed. QEMU has two operating modes: Full system emulation. In this mode, QEMU emulates a full system (for example a PC), including one or several processors and various peripherals. It can be used to launch different Operating Systems without rebooting the PC or to debug system code. User mode emulation. In this mode, QEMU can launch processes compiled for one CPU on another CPU. It can be used to launch the Wine Windows API emulator (https://www.winehq.org) or to ease cross-compilation and cross-debugging. You can refer to https://www.qemu.org for more infortmation.\n\nSecurity Fix(es):\n\nA flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in virtio_crypto_handle_sym_req. There is no check for the value of `src_len` and `dst_len` in virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow when the two values differ.(CVE-2023-3180)\n\nThe async nature of the hot-unplug enables an easy to reproduce race scenario where the net device backend is cleared before the virtio-net pci frontend has been unplugged (or the ACPI unplug has been acked by the guest?). The guest can use this time window to, at least, trigger an assertion.(CVE-2023-3301)",
+    "cves": [
+      {
+        "id": "CVE-2023-3301",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3301",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1983": {
+    "id": "openEuler-SA-2023-1983",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1983",
+    "title": "An update for rubygem-puma is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Low",
+    "description": "A simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications.\r\n\r\nSecurity Fix(es):\r\n\r\nPuma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This vulnerability was patched in Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server with `puma`.(CVE-2021-41136)",
+    "cves": [
+      {
+        "id": "CVE-2021-41136",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41136",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1257": {
+    "id": "openEuler-SA-2024-1257",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1257",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was reported in the Open vSwitch sub-component in the Linux Kernel. The flaw occurs when a recursive operation of code push recursively calls into the code block. The OVS module does not validate the stack depth, pushing too many frames and causing a stack overflow. As a result, this can lead to a crash or other related issues.(CVE-2024-1151)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path\r\n\r\nWhen calling mlxsw_sp_acl_tcam_region_destroy() from an error path after\nfailing to attach the region to an ACL group, we hit a NULL pointer\ndereference upon 'region->group->tcam' [1].\r\n\r\nFix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam().\r\n\r\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nRIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0\n[...]\nCall Trace:\n mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\n mlxsw_sp_acl_rule_add+0x47/0x240\n mlxsw_sp_flower_replace+0x1a9/0x1d0\n tc_setup_cb_add+0xdc/0x1c0\n fl_hw_replace_filter+0x146/0x1f0\n fl_change+0xc17/0x1360\n tc_new_tfilter+0x472/0xb90\n rtnetlink_rcv_msg+0x313/0x3b0\n netlink_rcv_skb+0x58/0x100\n netlink_unicast+0x244/0x390\n netlink_sendmsg+0x1e4/0x440\n ____sys_sendmsg+0x164/0x260\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xc0\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b(CVE-2024-26595)",
+    "cves": [
+      {
+        "id": "CVE-2024-26595",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26595",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1757": {
+    "id": "openEuler-SA-2022-1757",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1757",
+    "title": "An update for open-iscsi is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Open-iSCSI project is a high-performance, transport independent, multi-platform implementation of RFC3720 iSCSI.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in uIP 1.0, as used in Contiki 3.0 and other products. When the Urgent flag is set in a TCP packet, and the stack is configured to ignore the urgent data, the stack attempts to use the value of the Urgent pointer bytes to separate the Urgent data from the normal data, by calculating the offset at which the normal data should be present in the global buffer. However, the length of this offset is not checked; therefore, for large values of the Urgent pointer bytes, the data pointer can point to memory that is way beyond the data buffer in uip_process in uip.c.(CVE-2020-17437)",
+    "cves": [
+      {
+        "id": "CVE-2020-17437",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17437",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1558": {
+    "id": "openEuler-SA-2022-1558",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1558",
+    "title": "An update for gnulib is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Gnulib is a central location for common GNU code, intended to be shared among GNU packages. It can be used to improve portability and other functionality in your programs.\r\n\r\nSecurity Fix(es):\r\n\r\nThe convert_to_decimal function in vasnprintf.c in Gnulib before 2018-09-23 has a heap-based buffer overflow because memory is not allocated for a trailing '\\0' character during %f processing.(CVE-2018-17942)",
+    "cves": [
+      {
+        "id": "CVE-2018-17942",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17942",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1065": {
+    "id": "openEuler-SA-2024-1065",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1065",
+    "title": "An update for openssh is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. \\ It encrypts all traffic to eliminate eavesdropping, connection hijacking, and \\ other attacks. In addition, OpenSSH provides a large suite of secure tunneling \\ capabilities, several authentication methods, and sophisticated configuration options.\r\n\r\nSecurity Fix(es):\r\n\r\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795)",
+    "cves": [
+      {
+        "id": "CVE-2023-48795",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48795",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1082": {
+    "id": "openEuler-SA-2024-1082",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1082",
+    "title": "An update for python-paramiko is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "This is a library for making SSH2 connections (client or server). Emphasis is on using SSH2 as an alternative to SSL for making secure connections between python scripts.  All major ciphers and hash methods are supported.  SFTP client and server mode are both supported too.\r\n\r\nSecurity Fix(es):\r\n\r\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795)",
+    "cves": [
+      {
+        "id": "CVE-2023-48795",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48795",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1338": {
+    "id": "openEuler-SA-2024-1338",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1338",
+    "title": "An update for nodejs-qs is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "This is a query string parser for node and the browser supporting nesting, as it was removed from 0.3.x, so this library provides the previous and commonly desired behavior (and twice as fast). Used by express, connect and others.\r\n\r\nSecurity Fix(es):\r\n\r\nqs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).(CVE-2022-24999)",
+    "cves": [
+      {
+        "id": "CVE-2022-24999",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1146": {
+    "id": "openEuler-SA-2021-1146",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1146",
+    "title": "An update for python-pillow is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Pillow is the friendly PIL fork by Alex Clark and Contributors. PIL is the Python Imaging Library by Fredrik Lundh and Contributors. As of 2019, Pillow development is supported by Tidelift.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.(CVE-2020-35655)\r\n\r\nPillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.(CVE-2021-27921)\r\n\r\nPillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.(CVE-2021-27922)\r\n\r\nPillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.(CVE-2021-27923)",
+    "cves": [
+      {
+        "id": "CVE-2021-27923",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27923",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1432": {
+    "id": "openEuler-SA-2024-1432",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1432",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Go Programming Language.\r\n\r\nSecurity Fix(es):\r\n\r\nThe ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.(CVE-2024-24784)",
+    "cves": [
+      {
+        "id": "CVE-2024-24784",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24784",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1956": {
+    "id": "openEuler-SA-2022-1956",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1956",
+    "title": "An update for log4j is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Log4j is a tool to help the programmer output log statements to a variety of output targets.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nApache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.(CVE-2021-45105)\r\n\r\nApache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.(CVE-2021-44832)",
+    "cves": [
+      {
+        "id": "CVE-2021-44832",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1549": {
+    "id": "openEuler-SA-2022-1549",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1549",
+    "title": "An update for perl-Encode is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Character encodings in Perl.\r\n\r\nSecurity Fix(es):\r\n\r\nEncode.pm, as distributed in Perl through 5.34.0, allows local users to gain privileges via a Trojan horse Encode::ConfigLocal library (in the current working directory) that preempts dynamic module loading. Exploitation requires an unusual configuration, and certain 2021 versions of Encode.pm (3.05 through 3.11). This issue occurs because the || operator evaluates @INC in a scalar context, and thus @INC has only an integer value.(CVE-2021-36770)",
+    "cves": [
+      {
+        "id": "CVE-2021-36770",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36770",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1038": {
+    "id": "openEuler-SA-2023-1038",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1038",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free flaw was found in the Linux kernel?s SGI GRU driver in the way the first gru_file_unlocked_ioctl function is called by the user, where a fail pass occurs in the gru_check_chiplet_assignment function. This flaw allows a local user to crash or potentially escalate their privileges on the system.(CVE-2022-3424)\r\n\r\nA flaw incorrect access control in the Linux kernel USB core subsystem was found in the way user attaches usb device. A local user could use this flaw to crash the system.(CVE-2022-4662)\r\n\r\nAn issue was discovered in the Linux kernel 5.10.x before 5.10.155. A use-after-free in io_sqpoll_wait_sq in fs/io_uring.c allows an attacker to crash the kernel, resulting in denial of service. finish_wait can be skipped. An attack can occur in some situations by forking a process and then quickly terminating it. NOTE: later kernel versions, such as the 5.15 longterm series, substantially changed the implementation of io_sqpoll_wait_sq.(CVE-2022-47946)\n\nA flaw NULL Pointer Dereference in the Linux kernel NTFS3 driver function attr_punch_hole() was found. A local user could use this flaw to crash the system.(CVE-2022-4842)",
+    "cves": [
+      {
+        "id": "CVE-2022-4842",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4842",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1836": {
+    "id": "openEuler-SA-2023-1836",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1836",
+    "title": "An update for mysql is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "The MySQL(TM) software delivers a very fast, multi-threaded, multi-user, and robust SQL (Structured Query Language) database server. MySQL Server is intended for mission-critical, heavy-load production systems as well as for embedding into mass-deployed software. MySQL is a trademark of Oracle and/or its affiliates\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2022-21509)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Options). Supported versions that are affected are 5.7.38 and prior and 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21515)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21517)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.29 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21522)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21525)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21526)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2022-21527)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2022-21528)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21529)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21530)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21531)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21534)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21537)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 8.0.29 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21538)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.29 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L).(CVE-2022-21539)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Federated). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21547)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21553)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21569)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 5.7.39 and prior and 8.0.29 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).(CVE-2022-21592)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21594)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21599)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21604)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.39 and prior and 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21608)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.30 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.1 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21611)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Connection Handling). Supported versions that are affected are 5.7.39 and prior and 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21617)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.30 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21625)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21632)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21633)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H).(CVE-2022-21635)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21637)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21638)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21640)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21641)\r\n\r\nWhen doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.(CVE-2022-32221)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-39400)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-39408)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-39410)\r\n\r\nA vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.(CVE-2022-43551)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21836)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21863)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21864)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21865)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21867)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21868)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2023-21869)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21870)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21871)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2023-21872)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21873)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling).  Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-21874)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption).  Supported versions that are affected are 8.0.31 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.9 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H).(CVE-2023-21875)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21876)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2023-21877)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21878)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21879)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2023-21880)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21881)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21882)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21883)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: GIS).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21887)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21911)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges).  Supported versions that are affected are 5.7.41 and prior and  8.0.30 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 7.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21912)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21913)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21917)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21919)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21920)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2023-21929)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21933)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21935)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services).  Supported versions that are affected are 8.0.32 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21940)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21945)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21946)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services).  Supported versions that are affected are 8.0.32 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21947)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Partition).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21953)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Partition).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21955)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21962)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Connection Handling).  Supported versions that are affected are 5.7.40 and prior and  8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-21963)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: JSON).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21966)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21972)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21976)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21977)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Client programs).  Supported versions that are affected are 5.7.41 and prior and  8.0.32 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.1 Base Score 7.1 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).(CVE-2023-21980)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21982)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication).  Supported versions that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22005)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication).  Supported versions that are affected are 5.7.41 and prior and  8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22007)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22008)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 5.7.42 and prior and  8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22015)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 5.7.42 and prior and  8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22026)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 5.7.43 and prior and  8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22028)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22032)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22033)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-22038)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22046)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Pluggable Auth).  Supported versions that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 3.1 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N).(CVE-2023-22048)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Client programs).  Supported versions that are affected are 5.7.42 and prior and  8.0.33 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server and  unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H).(CVE-2023-22053)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22054)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22056)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22057)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22058)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22059)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22064)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22065)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22066)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22068)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22070)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22078)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22079)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 5.7.43 and prior, 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22084)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22092)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22097)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22103)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22104)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22110)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: UDF).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22111)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).  Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22112)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).(CVE-2023-22113)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22114)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML).  Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22115)",
+    "cves": [
+      {
+        "id": "CVE-2023-22115",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22115",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1216": {
+    "id": "openEuler-SA-2023-1216",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1216",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel.This flaw allows an attacker to crash the system and possibly cause a kernel information lea(CVE-2023-1611)\r\n\r\nA flaw use after free in the Linux kernel Xircom 16-bit PCMCIA (PC-card) Ethernet driver was found.A local user could use this flaw to crash the system or potentially escalate their privileges on the system.(CVE-2023-1670)\r\n\r\nA use-after-free flaw was found in xen_9pfs_front_removet in net/9p/trans_xen.c in Xen transport for 9pfs in the Linux Kernel. This flaw could allow a local attacker to crash the system due to a race problem, possibly leading to a kernel information leak.(CVE-2023-1859)",
+    "cves": [
+      {
+        "id": "CVE-2023-1859",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1859",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1172": {
+    "id": "openEuler-SA-2024-1172",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1172",
+    "title": "An update for nodejs is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Node.js is an open-source, cross-platform, JavaScript runtime environment, it executes JavaScript code outside of a browser.\r\n\r\nSecurity Fix(es):\r\n\r\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.(CVE-2023-44487)",
+    "cves": [
+      {
+        "id": "CVE-2023-44487",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1711": {
+    "id": "openEuler-SA-2022-1711",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1711",
+    "title": "An update for grafana is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.\r\n\r\nSecurity Fix(es):\r\n\r\nGrafana is an open-source platform for monitoring and observability. In Grafana Enterprise, the Request security feature allows list allows to configure Grafana in a way so that the instance doesn’t call or only calls specific hosts. The vulnerability present starting with version 7.4.0-beta1 and prior to versions 7.5.16 and 8.5.3 allows someone to bypass these security configurations if a malicious datasource (running on an allowed host) returns an HTTP redirect to a forbidden host. The vulnerability only impacts Grafana Enterprise when the Request security allow list is used and there is a possibility to add a custom datasource to Grafana which returns HTTP redirects. In this scenario, Grafana would blindly follow the redirects and potentially give secure information to the clients. Grafana Cloud is not impacted by this vulnerability. Versions 7.5.16 and 8.5.3 contain a patch for this issue. There are currently no known workarounds.(CVE-2022-29170)",
+    "cves": [
+      {
+        "id": "CVE-2022-29170",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29170",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1254": {
+    "id": "openEuler-SA-2024-1254",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1254",
+    "title": "An update for python-django is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.\r\n\r\nSecurity Fix(es):\r\n\r\nAn inefficient regular expression complexity flaw was found in the Truncator.words function and truncatewords_html filter of Django. This issue may allow an attacker to use a suitably crafted string to cause a denial of service.(CVE-2024-27351)",
+    "cves": [
+      {
+        "id": "CVE-2024-27351",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27351",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1913": {
+    "id": "openEuler-SA-2022-1913",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1913",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX\nsystems\r\n\r\nSecurity Fix(es):\r\n\r\nUse After Free in GitHub repository vim/vim prior to 9.0.0360.(CVE-2022-3099)",
+    "cves": [
+      {
+        "id": "CVE-2022-3099",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3099",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1536": {
+    "id": "openEuler-SA-2024-1536",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1536",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\ncreate_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.(CVE-2024-25739)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/bridge: sii902x: Fix probing race issue\r\n\r\nA null pointer dereference crash has been observed rarely on TI\nplatforms using sii9022 bridge:\r\n\r\n[   53.271356]  sii902x_get_edid+0x34/0x70 [sii902x]\n[   53.276066]  sii902x_bridge_get_edid+0x14/0x20 [sii902x]\n[   53.281381]  drm_bridge_get_edid+0x20/0x34 [drm]\n[   53.286305]  drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper]\n[   53.292955]  drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper]\n[   53.300510]  drm_client_modeset_probe+0x1f0/0xbd4 [drm]\n[   53.305958]  __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper]\n[   53.313611]  drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper]\n[   53.320039]  drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper]\n[   53.326401]  drm_client_register+0x5c/0xa0 [drm]\n[   53.331216]  drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper]\n[   53.336881]  tidss_probe+0x128/0x264 [tidss]\n[   53.341174]  platform_probe+0x68/0xc4\n[   53.344841]  really_probe+0x188/0x3c4\n[   53.348501]  __driver_probe_device+0x7c/0x16c\n[   53.352854]  driver_probe_device+0x3c/0x10c\n[   53.357033]  __device_attach_driver+0xbc/0x158\n[   53.361472]  bus_for_each_drv+0x88/0xe8\n[   53.365303]  __device_attach+0xa0/0x1b4\n[   53.369135]  device_initial_probe+0x14/0x20\n[   53.373314]  bus_probe_device+0xb0/0xb4\n[   53.377145]  deferred_probe_work_func+0xcc/0x124\n[   53.381757]  process_one_work+0x1f0/0x518\n[   53.385770]  worker_thread+0x1e8/0x3dc\n[   53.389519]  kthread+0x11c/0x120\n[   53.392750]  ret_from_fork+0x10/0x20\r\n\r\nThe issue here is as follows:\r\n\r\n- tidss probes, but is deferred as sii902x is still missing.\n- sii902x starts probing and enters sii902x_init().\n- sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from\n  DRM's perspective.\n- sii902x calls sii902x_audio_codec_init() and\n  platform_device_register_data()\n- The registration of the audio platform device causes probing of the\n  deferred devices.\n- tidss probes, which eventually causes sii902x_bridge_get_edid() to be\n  called.\n- sii902x_bridge_get_edid() tries to use the i2c to read the edid.\n  However, the sii902x driver has not set up the i2c part yet, leading\n  to the crash.\r\n\r\nFix this by moving the drm_bridge_add() to the end of the\nsii902x_init(), which is also at the very end of sii902x_probe().(CVE-2024-26607)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: make sure init the accept_queue's spinlocks once\r\n\r\nWhen I run syz's reproduction C program locally, it causes the following\nissue:\npvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0!\nWARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508)\nHardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\nRIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508)\nCode: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7\n30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90\nRSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908\nRDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900\nRBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff\nR10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000\nR13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000\nFS:  00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0\nCall Trace:\n<IRQ>\n  _raw_spin_unlock (kernel/locking/spinlock.c:186)\n  inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321)\n  inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358)\n  tcp_check_req (net/ipv4/tcp_minisocks.c:868)\n  tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260)\n  ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205)\n  ip_local_deliver_finish (net/ipv4/ip_input.c:234)\n  __netif_receive_skb_one_core (net/core/dev.c:5529)\n  process_backlog (./include/linux/rcupdate.h:779)\n  __napi_poll (net/core/dev.c:6533)\n  net_rx_action (net/core/dev.c:6604)\n  __do_softirq (./arch/x86/include/asm/jump_label.h:27)\n  do_softirq (kernel/softirq.c:454 kernel/softirq.c:441)\n</IRQ>\n<TASK>\n  __local_bh_enable_ip (kernel/softirq.c:381)\n  __dev_queue_xmit (net/core/dev.c:4374)\n  ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235)\n  __ip_queue_xmit (net/ipv4/ip_output.c:535)\n  __tcp_transmit_skb (net/ipv4/tcp_output.c:1462)\n  tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469)\n  tcp_rcv_state_process (net/ipv4/tcp_input.c:6657)\n  tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929)\n  __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968)\n  release_sock (net/core/sock.c:3536)\n  inet_wait_for_connect (net/ipv4/af_inet.c:609)\n  __inet_stream_connect (net/ipv4/af_inet.c:702)\n  inet_stream_connect (net/ipv4/af_inet.c:748)\n  __sys_connect (./include/linux/file.h:45 net/socket.c:2064)\n  __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070)\n  do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82)\n  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)\n  RIP: 0033:0x7fa10ff05a3d\n  Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89\n  c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48\n  RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a\n  RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d\n  RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003\n  RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640\n  R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20\n</TASK>\r\n\r\nThe issue triggering process is analyzed as follows:\nThread A                                       Thread B\ntcp_v4_rcv\t//receive ack TCP packet       inet_shutdown\n  tcp_check_req                                  tcp_disconnect //disconnect sock\n  ...                                              tcp_set_state(sk, TCP_CLOSE)\n    inet_csk_complete_hashdance                ...\n      inet_csk_reqsk_queue_add         \n---truncated---(CVE-2024-26614)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: don't abort filesystem when attempting to snapshot deleted subvolume\r\n\r\nIf the source file descriptor to the snapshot ioctl refers to a deleted\nsubvolume, we get the following abort:\r\n\r\n  BTRFS: Transaction aborted (error -2)\n  WARNING: CPU: 0 PID: 833 at fs/btrfs/transaction.c:1875 create_pending_snapshot+0x1040/0x1190 [btrfs]\n  Modules linked in: pata_acpi btrfs ata_piix libata scsi_mod virtio_net blake2b_generic xor net_failover virtio_rng failover scsi_common rng_core raid6_pq libcrc32c\n  CPU: 0 PID: 833 Comm: t_snapshot_dele Not tainted 6.7.0-rc6 #2\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014\n  RIP: 0010:create_pending_snapshot+0x1040/0x1190 [btrfs]\n  RSP: 0018:ffffa09c01337af8 EFLAGS: 00010282\n  RAX: 0000000000000000 RBX: ffff9982053e7c78 RCX: 0000000000000027\n  RDX: ffff99827dc20848 RSI: 0000000000000001 RDI: ffff99827dc20840\n  RBP: ffffa09c01337c00 R08: 0000000000000000 R09: ffffa09c01337998\n  R10: 0000000000000003 R11: ffffffffb96da248 R12: fffffffffffffffe\n  R13: ffff99820535bb28 R14: ffff99820b7bd000 R15: ffff99820381ea80\n  FS:  00007fe20aadabc0(0000) GS:ffff99827dc00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000559a120b502f CR3: 00000000055b6000 CR4: 00000000000006f0\n  Call Trace:\n   <TASK>\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   ? __warn+0x81/0x130\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   ? report_bug+0x171/0x1a0\n   ? handle_bug+0x3a/0x70\n   ? exc_invalid_op+0x17/0x70\n   ? asm_exc_invalid_op+0x1a/0x20\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   create_pending_snapshots+0x92/0xc0 [btrfs]\n   btrfs_commit_transaction+0x66b/0xf40 [btrfs]\n   btrfs_mksubvol+0x301/0x4d0 [btrfs]\n   btrfs_mksnapshot+0x80/0xb0 [btrfs]\n   __btrfs_ioctl_snap_create+0x1c2/0x1d0 [btrfs]\n   btrfs_ioctl_snap_create_v2+0xc4/0x150 [btrfs]\n   btrfs_ioctl+0x8a6/0x2650 [btrfs]\n   ? kmem_cache_free+0x22/0x340\n   ? do_sys_openat2+0x97/0xe0\n   __x64_sys_ioctl+0x97/0xd0\n   do_syscall_64+0x46/0xf0\n   entry_SYSCALL_64_after_hwframe+0x6e/0x76\n  RIP: 0033:0x7fe20abe83af\n  RSP: 002b:00007ffe6eff1360 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe20abe83af\n  RDX: 00007ffe6eff23c0 RSI: 0000000050009417 RDI: 0000000000000003\n  RBP: 0000000000000003 R08: 0000000000000000 R09: 00007fe20ad16cd0\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 00007ffe6eff13c0 R14: 00007fe20ad45000 R15: 0000559a120b6d58\n   </TASK>\n  ---[ end trace 0000000000000000 ]---\n  BTRFS: error (device vdc: state A) in create_pending_snapshot:1875: errno=-2 No such entry\n  BTRFS info (device vdc: state EA): forced readonly\n  BTRFS warning (device vdc: state EA): Skipping commit of aborted transaction.\n  BTRFS: error (device vdc: state EA) in cleanup_transaction:2055: errno=-2 No such entry\r\n\r\nThis happens because create_pending_snapshot() initializes the new root\nitem as a copy of the source root item. This includes the refs field,\nwhich is 0 for a deleted subvolume. The call to btrfs_insert_root()\ntherefore inserts a root with refs == 0. btrfs_get_new_fs_root() then\nfinds the root and returns -ENOENT if refs == 0, which causes\ncreate_pending_snapshot() to abort.\r\n\r\nFix it by checking the source root's refs before attempting the\nsnapshot, but after locking subvol_sem to avoid racing with deletion.(CVE-2024-26644)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhv_netvsc: Fix race condition between netvsc_probe and netvsc_remove\r\n\r\nIn commit ac5047671758 (\"hv_netvsc: Disable NAPI before closing the\nVMBus channel\"), napi_disable was getting called for all channels,\nincluding all subchannels without confirming if they are enabled or not.\r\n\r\nThis caused hv_netvsc getting hung at napi_disable, when netvsc_probe()\nhas finished running but nvdev->subchan_work has not started yet.\nnetvsc_subchan_work() -> rndis_set_subchannel() has not created the\nsub-channels and because of that netvsc_sc_open() is not running.\nnetvsc_remove() calls cancel_work_sync(&nvdev->subchan_work), for which\nnetvsc_subchan_work did not run.\r\n\r\nnetif_napi_add() sets the bit NAPI_STATE_SCHED because it ensures NAPI\ncannot be scheduled. Then netvsc_sc_open() -> napi_enable will clear the\nNAPIF_STATE_SCHED bit, so it can be scheduled. napi_disable() does the\nopposite.\r\n\r\nNow during netvsc_device_remove(), when napi_disable is called for those\nsubchannels, napi_disable gets stuck on infinite msleep.\r\n\r\nThis fix addresses this problem by ensuring that napi_disable() is not\ngetting called for non-enabled NAPI struct.\nBut netif_napi_del() is still necessary for these non-enabled NAPI struct\nfor cleanup purpose.\r\n\r\nCall trace:\n[  654.559417] task:modprobe        state:D stack:    0 pid: 2321 ppid:  1091 flags:0x00004002\n[  654.568030] Call Trace:\n[  654.571221]  <TASK>\n[  654.573790]  __schedule+0x2d6/0x960\n[  654.577733]  schedule+0x69/0xf0\n[  654.581214]  schedule_timeout+0x87/0x140\n[  654.585463]  ? __bpf_trace_tick_stop+0x20/0x20\n[  654.590291]  msleep+0x2d/0x40\n[  654.593625]  napi_disable+0x2b/0x80\n[  654.597437]  netvsc_device_remove+0x8a/0x1f0 [hv_netvsc]\n[  654.603935]  rndis_filter_device_remove+0x194/0x1c0 [hv_netvsc]\n[  654.611101]  ? do_wait_intr+0xb0/0xb0\n[  654.615753]  netvsc_remove+0x7c/0x120 [hv_netvsc]\n[  654.621675]  vmbus_remove+0x27/0x40 [hv_vmbus](CVE-2024-26698)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nafs: Increase buffer size in afs_update_volume_status()\r\n\r\nThe max length of volume->vid value is 20 characters.\nSo increase idbuf[] size up to 24 to avoid overflow.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\r\n\r\n[DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()](CVE-2024-26736)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nARM: ep93xx: Add terminator to gpiod_lookup_table\r\n\r\nWithout the terminator, if a con_id is passed to gpio_find() that\ndoes not exist in the lookup table the function will not stop looping\ncorrectly, and eventually cause an oops.(CVE-2024-26751)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio\r\n\r\nIf kiocb_set_cancel_fn() is called for I/O submitted via io_uring, the\nfollowing kernel warning appears:\r\n\r\nWARNING: CPU: 3 PID: 368 at fs/aio.c:598 kiocb_set_cancel_fn+0x9c/0xa8\nCall trace:\n kiocb_set_cancel_fn+0x9c/0xa8\n ffs_epfile_read_iter+0x144/0x1d0\n io_read+0x19c/0x498\n io_issue_sqe+0x118/0x27c\n io_submit_sqes+0x25c/0x5fc\n __arm64_sys_io_uring_enter+0x104/0xab0\n invoke_syscall+0x58/0x11c\n el0_svc_common+0xb4/0xf4\n do_el0_svc+0x2c/0xb0\n el0_svc+0x2c/0xa4\n el0t_64_sync_handler+0x68/0xb4\n el0t_64_sync+0x1a4/0x1a8\r\n\r\nFix this by setting the IOCB_AIO_RW flag for read and write I/O that is\nsubmitted by libaio.(CVE-2024-26764)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\next4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()\r\n\r\nPlaces the logic for checking if the group's block bitmap is corrupt under\nthe protection of the group lock to avoid allocating blocks from the group\nwith a corrupted block bitmap.(CVE-2024-26772)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\next4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()\r\n\r\nDetermine if the group block bitmap is corrupted before using ac_b_ex in\next4_mb_try_best_found() to avoid allocating blocks from a group with a\ncorrupted block bitmap in the following concurrency and making the\nsituation worse.\r\n\r\next4_mb_regular_allocator\n  ext4_lock_group(sb, group)\n  ext4_mb_good_group\n   // check if the group bbitmap is corrupted\n  ext4_mb_complex_scan_group\n   // Scan group gets ac_b_ex but doesn't use it\n  ext4_unlock_group(sb, group)\n                           ext4_mark_group_bitmap_corrupted(group)\n                           // The block bitmap was corrupted during\n                           // the group unlock gap.\n  ext4_mb_try_best_found\n    ext4_lock_group(ac->ac_sb, group)\n    ext4_mb_use_best_found\n      mb_mark_used\n      // Allocating blocks in block bitmap corrupted group(CVE-2024-26773)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfbdev: sis: Error out if pixclock equals zero\r\n\r\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn't check the value of pixclock,\nit may cause divide-by-zero error.\r\n\r\nIn sisfb_check_var(), var->pixclock is used as a divisor to caculate\ndrate before it is checked against zero. Fix this by checking it\nat the beginning.\r\n\r\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8.(CVE-2024-26777)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfbdev: savage: Error out if pixclock equals zero\r\n\r\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn't check the value of pixclock,\nit may cause divide-by-zero error.\r\n\r\nAlthough pixclock is checked in savagefb_decode_var(), but it is not\nchecked properly in savagefb_probe(). Fix this by checking whether\npixclock is zero in the function savagefb_check_var() before\ninfo->var.pixclock is used as the divisor.\r\n\r\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8.(CVE-2024-26778)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: fsl-qdma: init irq after reg initialization\r\n\r\nInitialize the qDMA irqs after the registers are configured so that\ninterrupts that may have been pending from a primary kernel don't get\nprocessed by the irq handler before it is ready to and cause panic with\nthe following trace:\r\n\r\n  Call trace:\n   fsl_qdma_queue_handler+0xf8/0x3e8\n   __handle_irq_event_percpu+0x78/0x2b0\n   handle_irq_event_percpu+0x1c/0x68\n   handle_irq_event+0x44/0x78\n   handle_fasteoi_irq+0xc8/0x178\n   generic_handle_irq+0x24/0x38\n   __handle_domain_irq+0x90/0x100\n   gic_handle_irq+0x5c/0xb8\n   el1_irq+0xb8/0x180\n   _raw_spin_unlock_irqrestore+0x14/0x40\n   __setup_irq+0x4bc/0x798\n   request_threaded_irq+0xd8/0x190\n   devm_request_threaded_irq+0x74/0xe8\n   fsl_qdma_probe+0x4d4/0xca8\n   platform_drv_probe+0x50/0xa0\n   really_probe+0xe0/0x3f8\n   driver_probe_device+0x64/0x130\n   device_driver_attach+0x6c/0x78\n   __driver_attach+0xbc/0x158\n   bus_for_each_dev+0x5c/0x98\n   driver_attach+0x20/0x28\n   bus_add_driver+0x158/0x220\n   driver_register+0x60/0x110\n   __platform_driver_register+0x44/0x50\n   fsl_qdma_driver_init+0x18/0x20\n   do_one_initcall+0x48/0x258\n   kernel_init_freeable+0x1a4/0x23c\n   kernel_init+0x10/0xf8\n   ret_from_fork+0x10/0x18(CVE-2024-26788)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/pci: Lock external INTx masking ops\r\n\r\nMask operations through config space changes to DisINTx may race INTx\nconfiguration changes via ioctl.  Create wrappers that add locking for\npaths outside of the core interrupt code.\r\n\r\nIn particular, irq_type is updated holding igate, therefore testing\nis_intx() requires holding igate.  For example clearing DisINTx from\nconfig space can otherwise race changes of the interrupt configuration.\r\n\r\nThis aligns interfaces which may trigger the INTx eventfd into two\ncamps, one side serialized by igate and the other only enabled while\nINTx is configured.  A subsequent patch introduces synchronization for\nthe latter flows.(CVE-2024-26810)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Fix stackmap overflow check on 32-bit arches\r\n\r\nThe stackmap code relies on roundup_pow_of_two() to compute the number\nof hash buckets, and contains an overflow check by checking if the\nresulting value is 0. However, on 32-bit arches, the roundup code itself\ncan overflow by doing a 32-bit left-shift of an unsigned long value,\nwhich is undefined behaviour, so it is not guaranteed to truncate\nneatly. This was triggered by syzbot on the DEVMAP_HASH type, which\ncontains the same check, copied from the hashtab code.\r\n\r\nThe commit in the fixes tag actually attempted to fix this, but the fix\ndid not account for the UB, so the fix only works on CPUs where an\noverflow does result in a neat truncation to zero, which is not\nguaranteed. Checking the value before rounding does not have this\nproblem.(CVE-2024-26883)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Fix hashtab overflow check on 32-bit arches\r\n\r\nThe hashtab code relies on roundup_pow_of_two() to compute the number of\nhash buckets, and contains an overflow check by checking if the\nresulting value is 0. However, on 32-bit arches, the roundup code itself\ncan overflow by doing a 32-bit left-shift of an unsigned long value,\nwhich is undefined behaviour, so it is not guaranteed to truncate\nneatly. This was triggered by syzbot on the DEVMAP_HASH type, which\ncontains the same check, copied from the hashtab code. So apply the same\nfix to hashtab, by moving the overflow check to before the roundup.(CVE-2024-26884)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Fix DEVMAP_HASH overflow check on 32-bit arches\r\n\r\nThe devmap code allocates a number hash buckets equal to the next power\nof two of the max_entries value provided when creating the map. When\nrounding up to the next power of two, the 32-bit variable storing the\nnumber of buckets can overflow, and the code checks for overflow by\nchecking if the truncated 32-bit value is equal to 0. However, on 32-bit\narches the rounding up itself can overflow mid-way through, because it\nends up doing a left-shift of 32 bits on an unsigned long value. If the\nsize of an unsigned long is four bytes, this is undefined behaviour, so\nthere is no guarantee that we'll end up with a nice and tidy 0-value at\nthe end.\r\n\r\nSyzbot managed to turn this into a crash on arm32 by creating a\nDEVMAP_HASH with max_entries > 0x80000000 and then trying to update it.\nFix this by moving the overflow check to before the rounding up\noperation.(CVE-2024-26885)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/pci: Disable auto-enable of exclusive INTx IRQ\r\n\r\nCurrently for devices requiring masking at the irqchip for INTx, ie.\ndevices without DisINTx support, the IRQ is enabled in request_irq()\nand subsequently disabled as necessary to align with the masked status\nflag.  This presents a window where the interrupt could fire between\nthese events, resulting in the IRQ incrementing the disable depth twice.\nThis would be unrecoverable for a user since the masked flag prevents\nnested enables through vfio.\r\n\r\nInstead, invert the logic using IRQF_NO_AUTOEN such that exclusive INTx\nis never auto-enabled, then unmask as required.(CVE-2024-27437)",
+    "cves": [
+      {
+        "id": "CVE-2024-27437",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27437",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1708": {
+    "id": "openEuler-SA-2023-1708",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1708",
+    "title": "An update for libX11 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Core X11 protocol client library.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in libX11 due to a boundary condition within the _XkbReadKeySyms() function. This flaw allows a local user to trigger an out-of-bounds read error and read the contents of memory on the system.(CVE-2023-43785)\r\n\r\nA vulnerability was found in libX11 due to an infinite loop within the PutSubImage() function. This flaw allows a local user to consume all available system resources and cause a denial of service condition.(CVE-2023-43786)\r\n\r\nA vulnerability was found in libX11 due to an integer overflow within the XCreateImage() function. This flaw allows a local user to trigger an integer overflow and execute arbitrary code with elevated privileges.(CVE-2023-43787)",
+    "cves": [
+      {
+        "id": "CVE-2023-43787",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43787",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1842": {
+    "id": "openEuler-SA-2022-1842",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1842",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice.(CVE-2022-36879)",
+    "cves": [
+      {
+        "id": "CVE-2022-36879",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36879",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1191": {
+    "id": "openEuler-SA-2021-1191",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1191",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nA potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host resulting in DoS scenario.(CVE-2021-3416)\r\n\r\nThe patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or potential code execution. QEMU up to (including) 5.2.0 is affected by this.(CVE-2021-3409)\r\n\r\nA use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req' from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected.(CVE-2021-3392)\r\n\r\nQEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c mishandles a write operation in the SDHC_BLKSIZE case.(CVE-2020-25085)",
+    "cves": [
+      {
+        "id": "CVE-2020-25085",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25085",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1925": {
+    "id": "openEuler-SA-2022-1925",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1925",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap-based buffer overflow was found in the Linux kernel s LightNVM subsystem. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. This vulnerability allows a local attacker to escalate privileges and execute arbitrary code in the context of the kernel. The attacker must first obtain the ability to execute high-privileged code on the target system to exploit this vulnerability.(CVE-2022-2991)\n\nA vulnerability was found in the Linux kernel, where accessing a deallocated instance in printer_ioctl() printer_ioctl() tries to access of a printer_dev instance. However, use-after-free arises because it had been freed by gprinter_free().(CVE-2020-27784)\n\nAn issue was discovered the x86 KVM subsystem in the Linux kernel before 5.18.17. Unprivileged guest users can compromise the guest kernel because TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED situations.(CVE-2022-39189)\n\nFound Linux Kernel flaw in the i740 driver. The Userspace program could pass any values to the driver through ioctl() interface. The driver doesn t check the value of pixclock , so it may cause a divide by zero error.(CVE-2022-3061)\n\nAn issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured.(CVE-2022-2663)\n\nAn issue was discovered in the Linux kernel before 5.19. In pxa3xx_gcu_write in drivers/video/fbdev/pxa3xx-gcu.c, the count parameter has a type conflict of size_t versus int, causing an integer overflow and bypassing the size check. After that, because it is used as the third argument to copy_from_user(), a heap overflow may occur.(CVE-2022-39842)\n\nAn issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs.(CVE-2022-39188)",
+    "cves": [
+      {
+        "id": "CVE-2022-39188",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39188",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1224": {
+    "id": "openEuler-SA-2023-1224",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1224",
+    "title": "An update for json-smart is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Json-smart is a performance focused, JSON processor lib.\r\n\r\nSecurity Fix(es):\r\n\r\n[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.(CVE-2023-1370)",
+    "cves": [
+      {
+        "id": "CVE-2023-1370",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1370",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1945": {
+    "id": "openEuler-SA-2023-1945",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1945",
+    "title": "An update for strongswan is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "The strongSwan IPsec implementation supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel.\r\n\r\nSecurity Fix(es):\r\n\r\nstrongSwan before 5.9.12 has a buffer overflow and possible unauthenticated remote code execution via a DH public value that exceeds the internal buffer in charon-tkm's DH proxy. The earliest affected version is 5.3.0. An attack can occur via a crafted IKE_SA_INIT message.(CVE-2023-41913)",
+    "cves": [
+      {
+        "id": "CVE-2023-41913",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41913",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1633": {
+    "id": "openEuler-SA-2023-1633",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1633",
+    "title": "An update for rubygem-activesupport is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Low",
+    "description": "A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.\r\n\r\nSecurity Fix(es):\r\n\r\nAn insecure temporary file vulnerability was found in activesupport rubygem. Contents that will be encrypted are written to a temporary file that has the user’s current umask settings, possibly leading to information disclosure by other users on the same system.(CVE-2023-38037)",
+    "cves": [
+      {
+        "id": "CVE-2023-38037",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38037",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1675": {
+    "id": "openEuler-SA-2023-1675",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1675",
+    "title": "An update for giflib is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "giflib is a library of gif images and provides utilities for processing images.\r\n\r\nSecurity Fix(es):\r\n\r\ngiflib v5.2.1 was discovered to contain a segmentation fault via the component getarg.c.(CVE-2023-39742)",
+    "cves": [
+      {
+        "id": "CVE-2023-39742",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39742",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1381": {
+    "id": "openEuler-SA-2021-1381",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1381",
+    "title": "An update for PackageKit is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Low",
+    "description": "PackageKit is a D-Bus abstraction layer that allows the session user to manage packages in a secure way using a cross-distro, cross-architecture API.\r\n\r\nSecurity Fix(es):\r\n\r\nPackageKit provided detailed error messages to unprivileged callers that exposed information about file presence and mimetype of files that the user would be unable to determine on its own.(CVE-2020-16121)",
+    "cves": [
+      {
+        "id": "CVE-2020-16121",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16121",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1284": {
+    "id": "openEuler-SA-2021-1284",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1284",
+    "title": "An update for python-pip is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity.(CVE-2021-3572)",
+    "cves": [
+      {
+        "id": "CVE-2021-3572",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3572",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1708": {
+    "id": "openEuler-SA-2024-1708",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1708",
+    "title": "An update for rubygem-actionpack is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Eases web-request routing, handling, and response as a half-way front, half-way page controller. Implemented with specific emphasis on enabling easy unit/integration testing that doesn't require a browser.\r\n\r\nSecurity Fix(es):\r\n\r\nAction Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in  6.1.7.8, 7.0.8.2, and 7.1.3.3.(CVE-2024-28103)",
+    "cves": [
+      {
+        "id": "CVE-2024-28103",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28103",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1203": {
+    "id": "openEuler-SA-2024-1203",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1203",
+    "title": "An update for rust is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "Rust is a systems programming language focused on three goals:safety, speed,and concurrency.It maintains these goals without having a garbage collector, making it a useful language for a number of use cases other languages are not good at: embedding in other languages, programs with specific space and time requirements,and writing low-level code, like device drivers and operating systems. It improves on current languages targeting this space by having a number of compile-time safety checks that produce no runtime overhead,while eliminating all data races.\r\n\r\nSecurity Fix(es):\r\n\r\nlibgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_revparse_single` can cause the function to enter an infinite loop, potentially causing a Denial of Service attack in the calling application. The revparse function in `src/libgit2/revparse.c` uses a loop to parse the user-provided spec string. There is an edge-case during parsing that allows a bad actor to force the loop conditions to access arbitrary memory. Potentially, this could also leak memory if the extracted rev spec is reflected back to the attacker. As such, libgit2 versions before 1.4.0 are not affected. Users should upgrade to version 1.6.5 or 1.7.2.(CVE-2024-24575)\r\n\r\nlibgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2.(CVE-2024-24577)",
+    "cves": [
+      {
+        "id": "CVE-2024-24577",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24577",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1350": {
+    "id": "openEuler-SA-2021-1350",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1350",
+    "title": "An update for microcode_ctl is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "This is a tool to transform and deploy microcode update for x86 CPUs.\r\n\r\nSecurity Fix(es):\r\n\r\nImproper isolation of shared resources in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.(CVE-2020-24511)\r\n\r\nObservable timing discrepancy in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.(CVE-2020-24512)",
+    "cves": [
+      {
+        "id": "CVE-2020-24512",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24512",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1894": {
+    "id": "openEuler-SA-2022-1894",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1894",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the kernels implementation of proxied virtualized TPM devices.  On a system where virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after-free and create a situation where it may be possible to escalate privileges on the system.\r\n\r\nReferences:\nhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9d8e7007dc7c4d7c8366739bbcd3f5e51dcd470f(CVE-2022-2977)\r\n\r\nThe linux kernels driver for the \"ASIX AX88179_178A based USB 2.0/3.0 Gigabit Ethernet Devices\" contains multiple out-of-bounds reads and possible writes in the ax88179_rx_fixup() function. \r\n\r\n\nReferences:\r\n\r\nhttps://www.spinics.net/lists/stable/msg536418.html\r\n\r\nUpstream commit:\nhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=57bc3d3ae8c14df3ceb4e17d26ddf9eeab304581(CVE-2022-2964)\r\n\r\nA race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket.(CVE-2022-3028)",
+    "cves": [
+      {
+        "id": "CVE-2022-3028",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3028",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1401": {
+    "id": "openEuler-SA-2021-1401",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1401",
+    "title": "An update for python3 is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.(CVE-2021-3737)\n\nThere s a flaw in urllib s AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.(CVE-2021-3733)",
+    "cves": [
+      {
+        "id": "CVE-2021-3733",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3733",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2065": {
+    "id": "openEuler-SA-2022-2065",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2065",
+    "title": "An update for log4j12 is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "With log4j it is possible to enable logging at runtime without modifying the application binary.\r\n\r\nSecurity Fix(es):\r\n\r\nJMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.(CVE-2021-4104)\r\n\r\nCVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.(CVE-2022-23307)\r\n\r\nJMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.(CVE-2022-23302)",
+    "cves": [
+      {
+        "id": "CVE-2022-23302",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1041": {
+    "id": "openEuler-SA-2023-1041",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1041",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw incorrect access control in the Linux kernel USB core subsystem was found in the way user attaches usb device. A local user could use this flaw to crash the system.(CVE-2022-4662)",
+    "cves": [
+      {
+        "id": "CVE-2022-4662",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4662",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1141": {
+    "id": "openEuler-SA-2021-1141",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1141",
+    "title": "An update for libqb is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "libqb provides high-performance, reusable features for client-server architecture, such as logging, tracing, inter-process communication (IPC), and polling.\r\n\r\nSecurity Fix(es):\r\n\r\nlibqb before 1.0.5 allows local users to overwrite arbitrary files via a symlink attack, because it uses predictable filenames (under /dev/shm and /tmp) without O_EXCL.(CVE-2019-12779)",
+    "cves": [
+      {
+        "id": "CVE-2019-12779",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12779",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1409": {
+    "id": "openEuler-SA-2024-1409",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1409",
+    "title": "An update for libreswan is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Low",
+    "description": "Libreswan is an implementation of IKEv1 and IKEv2 for IPsec. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services.  These services allow you to build secure tunnels through untrusted networks.  Everything passing through the untrusted net is encrypted by the ipsec gateway machine and decrypted by the gateway at the other end of the tunnel.  The resulting tunnel is a virtual private network or VPN.\r\n\r\nSecurity Fix(es):\r\n\r\nThe Libreswan Project was notified of an issue causing libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret) and the connection cannot find a matching configured secret. When such a connection is automatically added on startup using the auto= keyword, it can cause repeated crashes leading to a Denial of Service.(CVE-2024-2357)",
+    "cves": [
+      {
+        "id": "CVE-2024-2357",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2357",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1932": {
+    "id": "openEuler-SA-2022-1932",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1932",
+    "title": "An update for expat is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nlibexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.(CVE-2022-40674)",
+    "cves": [
+      {
+        "id": "CVE-2022-40674",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40674",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1609": {
+    "id": "openEuler-SA-2024-1609",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1609",
+    "title": "An update for ruby is now available for openEuler-22.03-LTS",
+    "severity": "Low",
+    "description": "Ruby is a fast and easy interpreted scripting language for object-oriented programming. It has many functions for processing text Files and perform system management tasks (such as Perl).\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1.(CVE-2024-27282)",
+    "cves": [
+      {
+        "id": "CVE-2024-27282",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27282",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1525": {
+    "id": "openEuler-SA-2022-1525",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1525",
+    "title": "An update for strongswan is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "The strongSwan IPsec implementation supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel.\r\n\r\nSecurity Fix(es):\r\n\r\nIn strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication.(CVE-2021-45079)",
+    "cves": [
+      {
+        "id": "CVE-2021-45079",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45079",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1523": {
+    "id": "openEuler-SA-2022-1523",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1523",
+    "title": "An update for aide is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "AIDE (Advanced Intrusion Detection Environment) is a file and directory integrity checker. It creates a database from the regular expression rules that it finds from the config file(s). Once this database is initialized it can be used to verify the integrity of the files.\r\n\r\nSecurity Fix(es):\r\n\r\nAIDE before 0.17.4 allows local users to obtain root privileges via crafted file metadata (such as XFS extended attributes or tmpfs ACLs), because of a heap-based buffer overflow.(CVE-2021-45417)",
+    "cves": [
+      {
+        "id": "CVE-2021-45417",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45417",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1984": {
+    "id": "openEuler-SA-2023-1984",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1984",
+    "title": "An update for ghostscript is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Ghostscript is an interpreter for PostScript™ and Portable Document Format (PDF) files. Ghostscript consists of a PostScript interpreter layer, and a graphics library.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the function gdev_prn_open_printer_seekable() in Artifex Ghostscript through 10.02.0 allows remote attackers to crash the application via a dangling pointer.(CVE-2023-46751)",
+    "cves": [
+      {
+        "id": "CVE-2023-46751",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46751",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1554": {
+    "id": "openEuler-SA-2024-1554",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1554",
+    "title": "An update for python-tqdm is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "tqdm derives from the Arabic word taqaddum which can mean \"progress\". Instantly  make your loops show a smart progress meter - just wrap any iterable with  tqdm(interable), and you are done!\r\n\r\nSecurity Fix(es):\r\n\r\ntqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2024-34062)",
+    "cves": [
+      {
+        "id": "CVE-2024-34062",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34062",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1275": {
+    "id": "openEuler-SA-2023-1275",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1275",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free flaw caused by a race among the superblock operations in the gadgetfs Linux driver was found. It could be triggered by yanking out a device that is running the gadgetfs side.(CVE-2022-4382)\r\n\r\nThe Linux kernel allows userspace processes to enable mitigations by calling prctl with PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line.\r\n\r\nThis happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target injection against which STIBP protects.\r\n\r\n\n(CVE-2023-1998)\r\n\r\nThe specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.(CVE-2023-2007)\r\n\r\nA null pointer dereference issue was found in can protocol in net/can/af_can.c in the Linux before Linux. ml_priv may not be initialized in the receive path of CAN frames. A local user could use this flaw to crash the system or potentially cause a denial of service.(CVE-2023-2166)\r\n\r\nA vulnerability was found in compare_netdev_and_ip in drivers/infiniband/core/cma.c in RDMA in the Linux Kernel. The improper cleanup results in out-of-boundary read, where a local user can utilize this problem to crash the system or escalation of privilege.(CVE-2023-2176)\r\n\r\nAn out-of-bounds write vulnerability was found in the Linux kernel's SLIMpro I2C device driver. The userspace \"data->block[0]\" variable was not capped to a number between 0-255 and was used as the size of a memcpy, possibly writing beyond the end of dma_buffer. This flaw could allow a local privileged user to crash the system or potentially achieve code execution.(CVE-2023-2194)\r\n\r\nA denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-component.(CVE-2023-2269)\r\n\r\nA speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11(CVE-2023-0458)\r\n\r\nqfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.(CVE-2023-31436)",
+    "cves": [
+      {
+        "id": "CVE-2023-31436",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31436",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1451": {
+    "id": "openEuler-SA-2023-1451",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1451",
+    "title": "An update for samba is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\n\nSecurity Fix(es):\n\nAn out-of-bounds read vulnerability was found in Samba due to insufficient length checks in winbindd_pam_auth_crap.c. When performing NTLM authentication, the client replies to cryptographic challenges back to the server. These replies have variable lengths, and Winbind fails to check the lan manager response length. When Winbind is used for NTLM authentication, a maliciously crafted request can trigger an out-of-bounds read in Winbind, possibly resulting in a crash.(CVE-2022-2127)\n\nAn infinite loop vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in an endless loop consuming 100% CPU. This flaw allows an attacker to issue a malformed RPC request, triggering an infinite loop, resulting in a denial of service condition.(CVE-2023-34966)\n\nA Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed-in pointer is not a valid talloc pointer. With an RPC worker process shared among multiple client connections, a malicious client or attacker can trigger a process crash in a shared RPC mdssvc worker process, affecting all other clients this worker serves.(CVE-2023-34967)",
+    "cves": [
+      {
+        "id": "CVE-2023-34967",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34967",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1920": {
+    "id": "openEuler-SA-2022-1920",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1920",
+    "title": "An update for wayland is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Wayland is a protocol for a compositor to talk to its clients as well as a C library implementation of that protocol. The compositor can be a standalone display server running on Linux kernel modesetting and evdev input devices, an X application, or a wayland client itself. The clients can be traditional applications, X servers (rootless or fullscreen) or other display servers. Part of the Wayland project is also the Weston reference implementation of a Wayland compositor. Weston can run as an X client or under Linux KMS and ships with a few demo clients. The Weston compositor is a minimal and fast compositor and is suitable for many embedded and mobile use cases.\r\n\r\nSecurity Fix(es):\r\n\r\nAn internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wl_shm buffer objects, or if it can coerce the server to create a large number of external references to the buffer storage. With the reference count overflowing, a use-after-free can be constructed on the wl_shm_pool tracking structure, where values may be incremented or decremented; it may also be possible to construct a limited oracle to leak 4 bytes of server-side memory to the attacking client at a time.(CVE-2021-3782)",
+    "cves": [
+      {
+        "id": "CVE-2021-3782",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3782",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1928": {
+    "id": "openEuler-SA-2022-1928",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1928",
+    "title": "An update for libconfuse is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "libConfuse is a configuration file parser library, licensed under the terms of the ISC license, and written in C. It supports sections and (lists of) values (strings, integers, floats, booleans or other sections), as well as some other features (such as single/double-quoted strings, environment variable expansion, functions and nested include statements). It makes it very easy to add configuration file capability to a program using a simple API. The goal of libConfuse is not to be the configuration file parser library with a gazillion of features. Instead, it aims to be easy to use and quick to integrate with your code.\r\n\r\nSecurity Fix(es):\r\n\r\ncfg_tilde_expand in confuse.c in libConfuse 3.3 has a heap-based buffer over-read.(CVE-2022-40320)",
+    "cves": [
+      {
+        "id": "CVE-2022-40320",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40320",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1922": {
+    "id": "openEuler-SA-2023-1922",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1922",
+    "title": "An update for python-flask is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Flask is a lightweight WSGI web application framework. It is designed to make getting started quick and easy, with the ability to scale up to complex applications. It began as a simple wrapper around Werkzeug and Jinja and has become one of the most popular Python web application frameworks.\r\n\r\nSecurity Fix(es):\r\n\r\nFlask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.\r\n\r\n1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.\n2. The application sets `session.permanent = True`\n3. The application does not access or modify the session at any point during a request.\n4. `SESSION_REFRESH_EACH_REQUEST` enabled (the default).\n5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.\r\n\r\nThis happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.(CVE-2023-30861)",
+    "cves": [
+      {
+        "id": "CVE-2023-30861",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30861",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1189": {
+    "id": "openEuler-SA-2021-1189",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1189",
+    "title": "An update for dnsmasq is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Low",
+    "description": "Dnsmasq provides network infrastructure for small networks: DNS, DHCP, router advertisement and network boot. It is designed to be lightweight and have a small footprint, suitable for resource constrained routers and firewalls. It has also been widely used for tethering on smartphones and portable hotspots, and to support virtual networking in virtualisation frameworks.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in dnsmasq in versions before 2.85. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries. An attacker on the network, able to find the outgoing port used by dnsmasq, only needs to guess the random transmission ID to forge a reply and get it accepted by dnsmasq. This flaw makes a DNS Cache Poisoning attack much easier. The highest threat from this vulnerability is to data integrity.(CVE-2021-3448)",
+    "cves": [
+      {
+        "id": "CVE-2021-3448",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3448",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1149": {
+    "id": "openEuler-SA-2024-1149",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1149",
+    "title": "An update for openjdk-11 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2024-20918)\r\n\r\nDifficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.(CVE-2024-20919)\r\n\r\nDifficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.(CVE-2024-20921)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2024-20926)\r\n\r\nDifficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).(CVE-2024-20945)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2024-20952)",
+    "cves": [
+      {
+        "id": "CVE-2024-20952",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20952",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1620": {
+    "id": "openEuler-SA-2022-1620",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1620",
+    "title": "An update for nodejs is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)(CVE-2020-15366)\r\n\r\nThe X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a \"purpose\" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named \"purpose\" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).(CVE-2021-3450)\r\n\r\nNode.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.(CVE-2021-44532)\r\n\r\nNode.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.(CVE-2021-44533)\r\n\r\nAccepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.(CVE-2021-44531)\r\n\r\nDue to the formatting logic of the \"console.table()\" function it was not safe to allow user controlled input to be passed to the \"properties\" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be \"__proto__\". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to.(CVE-2022-21824)\r\n\r\nssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.(CVE-2021-27290)\r\n\r\nNode.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.(CVE-2021-22921)\r\n\r\n`@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is, in part, accomplished by resolving dependency specifiers defined in `package.json` manifests for dependencies with a specific name, and nesting folders to resolve conflicting dependencies. When multiple dependencies differ only in the case of their name, Arborist's internal data structure saw them as separate items that could coexist within the same level in the `node_modules` hierarchy. However, on case-insensitive file systems (such as macOS and Windows), this is not the case. Combined with a symlink dependency such as `file:/some/path`, this allowed an attacker to create a situation in which arbitrary contents could be written to any location on the filesystem. For example, a package `pwn-a` could define a dependency in their `package.json` file such as `\"foo\": \"file:/some/path\"`. Another package, `pwn-b` could define a dependency such as `FOO: \"file:foo.tgz\"`. On case-insensitive file systems, if `pwn-a` was installed, and then `pwn-b` was installed afterwards, the contents of `foo.tgz` would be written to `/some/path`, and any existing contents of `/some/path` would be removed. Anyone using npm v7.20.6 or earlier on a case-insensitive filesystem is potentially affected. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above.(CVE-2021-39134)\r\n\r\n`@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project's `node_modules` folder. If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system. Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a `node_modules` symbolic link would have to be employed. 1. A `preinstall` script could replace `node_modules` with a symlink. (This is prevented by using `--ignore-scripts`.) 2. An attacker could supply the target with a git repository, instructing them to run `npm install --ignore-scripts` in the root. This may be successful, because `npm install --ignore-scripts` is typically not capable of making changes outside of the project directory, so it may be deemed safe. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above. For more information including workarounds please see the referenced GHSA-gmw6-94gg-2rc2.(CVE-2021-39135)\r\n\r\nThe parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.(CVE-2021-22959)\r\n\r\nThe parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.(CVE-2021-22960)",
+    "cves": [
+      {
+        "id": "CVE-2021-22960",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22960",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1269": {
+    "id": "openEuler-SA-2021-1269",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1269",
+    "title": "An update for hadoop is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Apache Hadoop is a framework that allows for the distributed processing of large data sets across clusters of computers using simple programming models. It is designed to scale up from single servers to thousands of machines, each offering local computation and storage.\r\n\r\nSecurity Fix(es):\r\n\r\nConnect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.(CVE-2019-17195)",
+    "cves": [
+      {
+        "id": "CVE-2019-17195",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17195",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1007": {
+    "id": "openEuler-SA-2021-1007",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1007",
+    "title": "An update for ImageMagick is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nA flaw was found in ImageMagick in coders/hdr.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned char`. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to ImageMagick 7.0.8-68.(CVE-2020-27762)\\r\\n\\r\\n\r\nA flaw was found in ImageMagick in MagickCore/statistic.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned long`. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.8-69.(CVE-2020-27766)\\r\\n\\r\\n\r\nWritePALMImage() in /coders/palm.c used size_t casts in several areas of a calculation which could lead to values outside the range of representable type `unsigned long` undefined behavior when a crafted input file was processed by ImageMagick. The patch casts to `ssize_t` instead to avoid this issue. Red Hat Product Security marked the Severity as Low because although it could potentially lead to an impact to application availability, no specific impact was shown in this case. This flaw affects ImageMagick versions prior to ImageMagick 7.0.9-0.(CVE-2020-27761)\\r\\n\\r\\n\r\nA flaw was found in ImageMagick in MagickCore/quantum.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of types `float` and `unsigned char`. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.9-0.(CVE-2020-27767)\\r\\n\\r\\n\r\nDue to a missing check for 0 value of `replace_extent`, it is possible for offset `p` to overflow in SubstituteString(), causing potential impact to application availability. This could be triggered by a crafted input file that is processed by ImageMagick. This flaw affects ImageMagick versions prior to 7.0.8-68.(CVE-2020-27770)\\r\\n\\r\\n\r\nIn IntensityCompare() of /MagickCore/quantize.c, a double value was being casted to int and returned, which in some cases caused a value outside the range of type `int` to be returned. The flaw could be triggered by a crafted input file under certain conditions when processed by ImageMagick. Red Hat Product Security marked this as Low severity because although it could potentially lead to an impact to application availability, no specific impact was shown in this case. This flaw affects ImageMagick versions prior to 7.0.8-68.(CVE-2020-27759)\\r\\n\\r\\n\r\nIn `GammaImage()` of /MagickCore/enhance.c, depending on the `gamma` value, it's possible to trigger a divide-by-zero condition when a crafted input file is processed by ImageMagick. This could lead to an impact to application availability. The patch uses the `PerceptibleReciprocal()` to prevent the divide-by-zero from occurring. This flaw affects ImageMagick versions prior to ImageMagick 7.0.8-68.(CVE-2020-27760)\\r\\n\\r\\n\r\nA flaw was found in ImageMagick in MagickCore/segment.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.9-0.(CVE-2020-27765)\\r\\n\\r\\n\r\nImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c.(CVE-2020-29599)\\r\\n\\r\\n\nIn /MagickCore/statistic.c, there are several areas in ApplyEvaluateOperator() where a size_t cast should have been a ssize_t cast, which causes out-of-range values under some circumstances when a crafted input file is processed by ImageMagick. Red Hat Product Security marked this as Low severity because although it could potentially lead to an impact to application availability, no specific impact was shown in this case. This flaw affects ImageMagick versions prior to 6.9.10-69.(CVE-2020-27764)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2020-27764",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27764",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1458": {
+    "id": "openEuler-SA-2023-1458",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1458",
+    "title": "An update for redis is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Redis is an advanced key-value store. It is often referred to as a dattructure server since keys can contain strings, hashes,lists, sets anorted sets.\r\n\r\nSecurity Fix(es):\r\n\r\nRedis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson library, and result with heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and 6.0.20.(CVE-2022-24834)",
+    "cves": [
+      {
+        "id": "CVE-2022-24834",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24834",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1695": {
+    "id": "openEuler-SA-2023-1695",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1695",
+    "title": "An update for ghostscript is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "Ghostscript is an interpreter for PostScript™ and Portable Document Format (PDF) files. Ghostscript consists of a PostScript interpreter layer, and a graphics library.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote code execution via crafted PostScript documents because they can switch to the IJS device, or change the IjsServer parameter, after SAFER has been activated. NOTE: it is a documented risk that the IJS server can be specified on a gs command line (the IJS device inherently must execute a command to start the IJS server).(CVE-2023-43115)",
+    "cves": [
+      {
+        "id": "CVE-2023-43115",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43115",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1362": {
+    "id": "openEuler-SA-2021-1362",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1362",
+    "title": "An update for libgcrypt is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Libgcrypt is a general purpose cryptographic library originally based on code from GnuPG.\r\n\r\nSecurity Fix(es):\r\n\r\nThe ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.(CVE-2021-40528)",
+    "cves": [
+      {
+        "id": "CVE-2021-40528",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40528",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1217": {
+    "id": "openEuler-SA-2021-1217",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1217",
+    "title": "An update for xorg-x11-server is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "X.Org X11 X server\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in xorg-x11-server in versions before 1.20.11. An integer underflow can occur in xserver which can lead to a local privilege escalation. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2021-3472)",
+    "cves": [
+      {
+        "id": "CVE-2021-3472",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3472",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1441": {
+    "id": "openEuler-SA-2021-1441",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1441",
+    "title": "An update for busybox is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. It provides a fairly complete environment for any small or embedded system.\r\n\r\nSecurity Fix(es):\r\n\r\nAn attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.(CVE-2021-42377)\r\n\r\nAn out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that(CVE-2021-42374)",
+    "cves": [
+      {
+        "id": "CVE-2021-42374",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42374",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1537": {
+    "id": "openEuler-SA-2022-1537",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1537",
+    "title": "An update for tomcat is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project\r\n\r\nSecurity Fix(es):\r\n\r\nThe fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.(CVE-2022-23181)",
+    "cves": [
+      {
+        "id": "CVE-2022-23181",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23181",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1438": {
+    "id": "openEuler-SA-2024-1438",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1438",
+    "title": "An update for jpegoptim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Jpegoptim is an utility to optimize JPEG files. Provides lossless optimization (based on optimizing the Huffman tables) and \"lossy\" optimization based on setting maximum quality factor.\r\n\r\nSecurity Fix(es):\r\n\r\nJPEGOPTIM v1.4.7 was discovered to contain a segmentation violation which is caused by a READ memory access at jpegoptim.c.(CVE-2022-32325)",
+    "cves": [
+      {
+        "id": "CVE-2022-32325",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32325",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1559": {
+    "id": "openEuler-SA-2023-1559",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1559",
+    "title": "An update for clamav is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Clam AntiVirus (clamav) is an open source antivirus engine for detecting trojans, viruses, malware and other malicious threats. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software. he virus database is based on the virus database from OpenAntiVirus, but contains additional signatures and is KEPT UP TO DATE.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability in the filesystem image parser for Hierarchical File System Plus (HFS+) of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.\r\n\r This vulnerability is due to an incorrect check for completion when a file is decompressed, which may result in a loop condition that could cause the affected software to stop responding. An attacker could exploit this vulnerability by submitting a crafted HFS+ filesystem image to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to stop responding, resulting in a DoS condition on the affected software and consuming available system resources.\r\n\r For a description of this vulnerability, see the ClamAV blog .(CVE-2023-20197)",
+    "cves": [
+      {
+        "id": "CVE-2023-20197",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20197",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1003": {
+    "id": "openEuler-SA-2023-1003",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1003",
+    "title": "An update for ruby is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Ruby is a fast and easy interpreted scripting language for object-oriented programming. It has many functions for processing text Files and perform system management tasks (such as Perl).\n\r\n\r\nSecurity Fix(es):\r\n\r\nThe cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.(CVE-2021-33621)",
+    "cves": [
+      {
+        "id": "CVE-2021-33621",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33621",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1404": {
+    "id": "openEuler-SA-2024-1404",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1404",
+    "title": "An update for nodejs-qs is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "This is a query string parser for node and the browser supporting nesting, as it was removed from 0.3.x, so this library provides the previous and commonly desired behavior (and twice as fast). Used by express, connect and others.\r\n\r\nSecurity Fix(es):\r\n\r\nqs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).(CVE-2022-24999)",
+    "cves": [
+      {
+        "id": "CVE-2022-24999",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1513": {
+    "id": "openEuler-SA-2022-1513",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1513",
+    "title": "An update for log4j12 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "With log4j it is possible to enable logging at runtime without modifying the application binary.\r\n\r\nSecurity Fix(es):\r\n\r\nJMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.(CVE-2021-4104)\r\n\r\nCVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.(CVE-2022-23307)\r\n\r\nJMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.(CVE-2022-23302)",
+    "cves": [
+      {
+        "id": "CVE-2022-23302",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1685": {
+    "id": "openEuler-SA-2022-1685",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1685",
+    "title": "An update for ntfs-3g is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "NTFS-3G is a stable, open source, GPL licensed, POSIX, read/write NTFS driver for Linux and many other operating systems. It provides safe handling of the Windows XP, Windows Server 2003, Windows 2000, Windows Vista, Windows Server 2008 and Windows 7 NTFS file systems.\n\nSecurity Fix(es):\n\nntfsck in NTFS-3G through 2021.8.22 has a heap-based buffer overflow involving buffer+512*3-2. NOTE: the upstream position is that ntfsck is deprecated; however, it is shipped by some Linux distributions.(CVE-2021-46790)\n\nAn invalid return code in fuse_kern_mount enables intercepting of libfuse-lite protocol traffic between NTFS-3G and the kernel in NTFS-3G through 2021.8.22 when using libfuse-lite.(CVE-2022-30783)\n\nA file handle created in fuse_lib_opendir, and later used in fuse_lib_readdir, enables arbitrary memory read and write operations in NTFS-3G through 2021.8.22 when using libfuse-lite.(CVE-2022-30785)\n\nAn integer underflow in fuse_lib_readdir enables arbitrary memory read operations in NTFS-3G through 2021.8.22 when using libfuse-lite.(CVE-2022-30787)\n\nA crafted NTFS image can cause heap exhaustion in ntfs_get_attribute_value in NTFS-3G through 2021.8.22.(CVE-2022-30784)\n\nA crafted NTFS image can cause a heap-based buffer overflow in ntfs_names_full_collate in NTFS-3G through 2021.8.22.(CVE-2022-30786)\n\nA crafted NTFS image can cause a heap-based buffer overflow in ntfs_mft_rec_alloc in NTFS-3G through 2021.8.22.(CVE-2022-30788)\n\nA crafted NTFS image can cause a heap-based buffer overflow in ntfs_check_log_client_array in NTFS-3G through 2021.8.22.(CVE-2022-30789)",
+    "cves": [
+      {
+        "id": "CVE-2022-30789",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30789",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1872": {
+    "id": "openEuler-SA-2024-1872",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1872",
+    "title": "An update for openssh is now available for openEuler-22.03-LTS-SP4",
+    "severity": "High",
+    "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. \\ It encrypts all traffic to eliminate eavesdropping, connection hijacking, and \\ other attacks. In addition, OpenSSH provides a large suite of secure tunneling \\ capabilities, several authentication methods, and sophisticated configuration options.\r\n\r\nSecurity Fix(es):\r\n\r\nA race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd). If a remote attacker does not authenticate within a set time period, then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). As a consequence of a successful attack, in the worst case scenario, an attacker may be able to perform a remote code execution (RCE) as an unprivileged user running the sshd server.(CVE-2024-6409)",
+    "cves": [
+      {
+        "id": "CVE-2024-6409",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6409",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1486": {
+    "id": "openEuler-SA-2024-1486",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1486",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nuio_hv_generic: Fix another memory leak in error handling paths\r\n\r\nMemory allocated by 'vmbus_alloc_ring()' at the beginning of the probe\nfunction is never freed in the error handling path.\r\n\r\nAdd the missing 'vmbus_free_ring()' call.\r\n\r\nNote that it is already freed in the .remove function.(CVE-2021-47070)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nasix: fix uninit-value in asix_mdio_read()\r\n\r\nasix_read_cmd() may read less than sizeof(smsr) bytes and in this case\nsmsr will be uninitialized.\r\n\r\nFail log:\nBUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]\nBUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497\nBUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497\n asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]\n asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497\n asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497(CVE-2021-47101)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nEDAC/thunderx: Fix possible out-of-bounds string access\r\n\r\nEnabling -Wstringop-overflow globally exposes a warning for a common bug\nin the usage of strncat():\r\n\r\n  drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':\n  drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]\n   1136 |                 strncat(msg, other, OCX_MESSAGE_SIZE);\n        |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n   ...\n   1145 |                                 strncat(msg, other, OCX_MESSAGE_SIZE);\n   ...\n   1150 |                                 strncat(msg, other, OCX_MESSAGE_SIZE);\r\n\r\n   ...\r\n\r\nApparently the author of this driver expected strncat() to behave the\nway that strlcat() does, which uses the size of the destination buffer\nas its third argument rather than the length of the source buffer. The\nresult is that there is no check on the size of the allocated buffer.\r\n\r\nChange it to strlcat().\r\n\r\n  [ bp: Trim compiler output, fixup commit message. ](CVE-2023-52464)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nInput: powermate - fix use-after-free in powermate_config_complete\r\n\r\nsyzbot has found a use-after-free bug [1] in the powermate driver. This\nhappens when the device is disconnected, which leads to a memory free from\nthe powermate_device struct.  When an asynchronous control message\ncompletes after the kfree and its callback is invoked, the lock does not\nexist anymore and hence the bug.\r\n\r\nUse usb_kill_urb() on pm->config to cancel any in-progress requests upon\ndevice disconnection.\r\n\r\n[1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e(CVE-2023-52475)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command\r\n\r\nTags allocated for OPC_INB_SET_CONTROLLER_CONFIG command need to be freed\nwhen we receive the response.(CVE-2023-52500)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfc: nci: assert requested protocol is valid\r\n\r\nThe protocol is used in a bit mask to determine if the protocol is\nsupported. Assert the provided protocol is less than the maximum\ndefined so it doesn't potentially perform a shift-out-of-bounds and\nprovide a clearer error for undefined protocols vs unsupported ones.(CVE-2023-52507)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nieee802154: ca8210: Fix a potential UAF in ca8210_probe\r\n\r\nIf of_clk_add_provider() fails in ca8210_register_ext_clock(),\nit calls clk_unregister() to release priv->clk and returns an\nerror. However, the caller ca8210_probe() then calls ca8210_remove(),\nwhere priv->clk is freed again in ca8210_unregister_ext_clock(). In\nthis case, a use-after-free may happen in the second time we call\nclk_unregister().\r\n\r\nFix this by removing the first clk_unregister(). Also, priv->clk could\nbe an error code on failure of clk_register_fixed_rate(). Use\nIS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock().(CVE-2023-52510)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/srp: Do not call scsi_done() from srp_abort()\r\n\r\nAfter scmd_eh_abort_handler() has called the SCSI LLD eh_abort_handler\ncallback, it performs one of the following actions:\n* Call scsi_queue_insert().\n* Call scsi_finish_command().\n* Call scsi_eh_scmd_add().\nHence, SCSI abort handlers must not call scsi_done(). Otherwise all\nthe above actions would trigger a use-after-free. Hence remove the\nscsi_done() call from srp_abort(). Keep the srp_free_req() call\nbefore returning SUCCESS because we may not see the command again if\nSUCCESS is returned.(CVE-2023-52515)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndma-debug: don't call __dma_entry_alloc_check_leak() under free_entries_lock\r\n\r\n__dma_entry_alloc_check_leak() calls into printk -> serial console\noutput (qcom geni) and grabs port->lock under free_entries_lock\nspin lock, which is a reverse locking dependency chain as qcom_geni\nIRQ handler can call into dma-debug code and grab free_entries_lock\nunder port->lock.\r\n\r\nMove __dma_entry_alloc_check_leak() call out of free_entries_lock\nscope so that we don't acquire serial console's port->lock under it.\r\n\r\nTrimmed-down lockdep splat:\r\n\r\n The existing dependency chain (in reverse order) is:\r\n\r\n               -> #2 (free_entries_lock){-.-.}-{2:2}:\n        _raw_spin_lock_irqsave+0x60/0x80\n        dma_entry_alloc+0x38/0x110\n        debug_dma_map_page+0x60/0xf8\n        dma_map_page_attrs+0x1e0/0x230\n        dma_map_single_attrs.constprop.0+0x6c/0xc8\n        geni_se_rx_dma_prep+0x40/0xcc\n        qcom_geni_serial_isr+0x310/0x510\n        __handle_irq_event_percpu+0x110/0x244\n        handle_irq_event_percpu+0x20/0x54\n        handle_irq_event+0x50/0x88\n        handle_fasteoi_irq+0xa4/0xcc\n        handle_irq_desc+0x28/0x40\n        generic_handle_domain_irq+0x24/0x30\n        gic_handle_irq+0xc4/0x148\n        do_interrupt_handler+0xa4/0xb0\n        el1_interrupt+0x34/0x64\n        el1h_64_irq_handler+0x18/0x24\n        el1h_64_irq+0x64/0x68\n        arch_local_irq_enable+0x4/0x8\n        ____do_softirq+0x18/0x24\n        ...\r\n\r\n               -> #1 (&port_lock_key){-.-.}-{2:2}:\n        _raw_spin_lock_irqsave+0x60/0x80\n        qcom_geni_serial_console_write+0x184/0x1dc\n        console_flush_all+0x344/0x454\n        console_unlock+0x94/0xf0\n        vprintk_emit+0x238/0x24c\n        vprintk_default+0x3c/0x48\n        vprintk+0xb4/0xbc\n        _printk+0x68/0x90\n        register_console+0x230/0x38c\n        uart_add_one_port+0x338/0x494\n        qcom_geni_serial_probe+0x390/0x424\n        platform_probe+0x70/0xc0\n        really_probe+0x148/0x280\n        __driver_probe_device+0xfc/0x114\n        driver_probe_device+0x44/0x100\n        __device_attach_driver+0x64/0xdc\n        bus_for_each_drv+0xb0/0xd8\n        __device_attach+0xe4/0x140\n        device_initial_probe+0x1c/0x28\n        bus_probe_device+0x44/0xb0\n        device_add+0x538/0x668\n        of_device_add+0x44/0x50\n        of_platform_device_create_pdata+0x94/0xc8\n        of_platform_bus_create+0x270/0x304\n        of_platform_populate+0xac/0xc4\n        devm_of_platform_populate+0x60/0xac\n        geni_se_probe+0x154/0x160\n        platform_probe+0x70/0xc0\n        ...\r\n\r\n               -> #0 (console_owner){-...}-{0:0}:\n        __lock_acquire+0xdf8/0x109c\n        lock_acquire+0x234/0x284\n        console_flush_all+0x330/0x454\n        console_unlock+0x94/0xf0\n        vprintk_emit+0x238/0x24c\n        vprintk_default+0x3c/0x48\n        vprintk+0xb4/0xbc\n        _printk+0x68/0x90\n        dma_entry_alloc+0xb4/0x110\n        debug_dma_map_sg+0xdc/0x2f8\n        __dma_map_sg_attrs+0xac/0xe4\n        dma_map_sgtable+0x30/0x4c\n        get_pages+0x1d4/0x1e4 [msm]\n        msm_gem_pin_pages_locked+0x38/0xac [msm]\n        msm_gem_pin_vma_locked+0x58/0x88 [msm]\n        msm_ioctl_gem_submit+0xde4/0x13ac [msm]\n        drm_ioctl_kernel+0xe0/0x15c\n        drm_ioctl+0x2e8/0x3f4\n        vfs_ioctl+0x30/0x50\n        ...\r\n\r\n Chain exists of:\n   console_owner --> &port_lock_key --> free_entries_lock\r\n\r\n  Possible unsafe locking scenario:\r\n\r\n        CPU0                    CPU1\n        ----                    ----\n   lock(free_entries_lock);\n                                lock(&port_lock_key);\n                                lock(free_entries_lock);\n   lock(console_owner);\r\n\r\n                *** DEADLOCK ***\r\n\r\n Call trace:\n  dump_backtrace+0xb4/0xf0\n  show_stack+0x20/0x30\n  dump_stack_lvl+0x60/0x84\n  dump_stack+0x18/0x24\n  print_circular_bug+0x1cc/0x234\n  check_noncircular+0x78/0xac\n  __lock_acquire+0xdf8/0x109c\n  lock_acquire+0x234/0x284\n  console_flush_all+0x330/0x454\n  consol\n---truncated---(CVE-2023-52516)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: fix possible store tearing in neigh_periodic_work()\r\n\r\nWhile looking at a related syzbot report involving neigh_periodic_work(),\nI found that I forgot to add an annotation when deleting an\nRCU protected item from a list.\r\n\r\nReaders use rcu_deference(*np), we need to use either\nrcu_assign_pointer() or WRITE_ONCE() on writer side\nto prevent store tearing.\r\n\r\nI use rcu_assign_pointer() to have lockdep support,\nthis was the choice made in neigh_flush_dev().(CVE-2023-52522)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: mac80211: fix potential key use-after-free\r\n\r\nWhen ieee80211_key_link() is called by ieee80211_gtk_rekey_add()\nbut returns 0 due to KRACK protection (identical key reinstall),\nieee80211_gtk_rekey_add() will still return a pointer into the\nkey, in a potential use-after-free. This normally doesn't happen\nsince it's only called by iwlwifi in case of WoWLAN rekey offload\nwhich has its own KRACK protection, but still better to fix, do\nthat by returning an error code and converting that to success on\nthe cfg80211 boundary only, leaving the error for bad callers of\nieee80211_gtk_rekey_add().(CVE-2023-52530)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm/damon/vaddr-test: fix memory leak in damon_do_test_apply_three_regions()\r\n\r\nWhen CONFIG_DAMON_VADDR_KUNIT_TEST=y and making CONFIG_DEBUG_KMEMLEAK=y\nand CONFIG_DEBUG_KMEMLEAK_AUTO_SCAN=y, the below memory leak is detected.\r\n\r\nSince commit 9f86d624292c (\"mm/damon/vaddr-test: remove unnecessary\nvariables\"), the damon_destroy_ctx() is removed, but still call\ndamon_new_target() and damon_new_region(), the damon_region which is\nallocated by kmem_cache_alloc() in damon_new_region() and the damon_target\nwhich is allocated by kmalloc in damon_new_target() are not freed.  And\nthe damon_region which is allocated in damon_new_region() in\ndamon_set_regions() is also not freed.\r\n\r\nSo use damon_destroy_target to free all the damon_regions and damon_target.\r\n\r\n    unreferenced object 0xffff888107c9a940 (size 64):\n      comm \"kunit_try_catch\", pid 1069, jiffies 4294670592 (age 732.761s)\n      hex dump (first 32 bytes):\n        00 00 00 00 00 00 00 00 06 00 00 00 6b 6b 6b 6b  ............kkkk\n        60 c7 9c 07 81 88 ff ff f8 cb 9c 07 81 88 ff ff  `...............\n      backtrace:\n        [<ffffffff817e0167>] kmalloc_trace+0x27/0xa0\n        [<ffffffff819c11cf>] damon_new_target+0x3f/0x1b0\n        [<ffffffff819c7d55>] damon_do_test_apply_three_regions.constprop.0+0x95/0x3e0\n        [<ffffffff819c82be>] damon_test_apply_three_regions1+0x21e/0x260\n        [<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90\n        [<ffffffff81237cf6>] kthread+0x2b6/0x380\n        [<ffffffff81097add>] ret_from_fork+0x2d/0x70\n        [<ffffffff81003791>] ret_from_fork_asm+0x11/0x20\n    unreferenced object 0xffff8881079cc740 (size 56):\n      comm \"kunit_try_catch\", pid 1069, jiffies 4294670592 (age 732.761s)\n      hex dump (first 32 bytes):\n        05 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00  ................\n        6b 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 6b 6b 6b 6b  kkkkkkkk....kkkk\n      backtrace:\n        [<ffffffff819bc492>] damon_new_region+0x22/0x1c0\n        [<ffffffff819c7d91>] damon_do_test_apply_three_regions.constprop.0+0xd1/0x3e0\n        [<ffffffff819c82be>] damon_test_apply_three_regions1+0x21e/0x260\n        [<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90\n        [<ffffffff81237cf6>] kthread+0x2b6/0x380\n        [<ffffffff81097add>] ret_from_fork+0x2d/0x70\n        [<ffffffff81003791>] ret_from_fork_asm+0x11/0x20\n    unreferenced object 0xffff888107c9ac40 (size 64):\n      comm \"kunit_try_catch\", pid 1071, jiffies 4294670595 (age 732.843s)\n      hex dump (first 32 bytes):\n        00 00 00 00 00 00 00 00 06 00 00 00 6b 6b 6b 6b  ............kkkk\n        a0 cc 9c 07 81 88 ff ff 78 a1 76 07 81 88 ff ff  ........x.v.....\n      backtrace:\n        [<ffffffff817e0167>] kmalloc_trace+0x27/0xa0\n        [<ffffffff819c11cf>] damon_new_target+0x3f/0x1b0\n        [<ffffffff819c7d55>] damon_do_test_apply_three_regions.constprop.0+0x95/0x3e0\n        [<ffffffff819c851e>] damon_test_apply_three_regions2+0x21e/0x260\n        [<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90\n        [<ffffffff81237cf6>] kthread+0x2b6/0x380\n        [<ffffffff81097add>] ret_from_fork+0x2d/0x70\n        [<ffffffff81003791>] ret_from_fork_asm+0x11/0x20\n    unreferenced object 0xffff8881079ccc80 (size 56):\n      comm \"kunit_try_catch\", pid 1071, jiffies 4294670595 (age 732.843s)\n      hex dump (first 32 bytes):\n        05 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00  ................\n        6b 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 6b 6b 6b 6b  kkkkkkkk....kkkk\n      backtrace:\n        [<ffffffff819bc492>] damon_new_region+0x22/0x1c0\n        [<ffffffff819c7d91>] damon_do_test_apply_three_regions.constprop.0+0xd1/0x3e0\n        [<ffffffff819c851e>] damon_test_apply_three_regions2+0x21e/0x260\n        [<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90\n        [<ffffffff81237cf6>] kthread+0x2b6/0x380\n        [<ffffffff81097add>] ret_from_fork+0x2d/0x70\n        [<ffff\n---truncated---(CVE-2023-52560)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\narm64: dts: qcom: sdm845-db845c: Mark cont splash memory region as reserved\r\n\r\nAdding a reserved memory region for the framebuffer memory\n(the splash memory region set up by the bootloader).\r\n\r\nIt fixes a kernel panic (arm-smmu: Unhandled context fault\nat this particular memory region) reported on DB845c running\nv5.10.y.(CVE-2023-52561)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix potential use after free in nilfs_gccache_submit_read_data()\r\n\r\nIn nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the\nreference count of bh when the call to nilfs_dat_translate() fails.  If\nthe reference count hits 0 and its owner page gets unlocked, bh may be\nfreed.  However, bh->b_page is dereferenced to put the page after that,\nwhich may result in a use-after-free bug.  This patch moves the release\noperation after unlocking and putting the page.\r\n\r\nNOTE: The function in question is only called in GC, and in combination\nwith current userland tools, address translation using DAT does not occur\nin that function, so the code path that causes this issue will not be\nexecuted.  However, it is possible to run that code path by intentionally\nmodifying the userland GC library or by calling the GC ioctl directly.\r\n\r\n[konishi.ryusuke@gmail.com: NOTE added to the commit log](CVE-2023-52566)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nx86/sgx: Resolves SECS reclaim vs. page fault for EAUG race\r\n\r\nThe SGX EPC reclaimer (ksgxd) may reclaim the SECS EPC page for an\nenclave and set secs.epc_page to NULL. The SECS page is used for EAUG\nand ELDU in the SGX page fault handler. However, the NULL check for\nsecs.epc_page is only done for ELDU, not EAUG before being used.\r\n\r\nFix this by doing the same NULL check and reloading of the SECS page as\nneeded for both EAUG and ELDU.\r\n\r\nThe SECS page holds global enclave metadata. It can only be reclaimed\nwhen there are no other enclave pages remaining. At that point,\nvirtually nothing can be done with the enclave until the SECS page is\npaged back in.\r\n\r\nAn enclave can not run nor generate page faults without a resident SECS\npage. But it is still possible for a #PF for a non-SECS page to race\nwith paging out the SECS page: when the last resident non-SECS page A\ntriggers a #PF in a non-resident page B, and then page A and the SECS\nboth are paged out before the #PF on B is handled.\r\n\r\nHitting this bug requires that race triggered with a #PF for EAUG.\nFollowing is a trace when it happens.\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nRIP: 0010:sgx_encl_eaug_page+0xc7/0x210\nCall Trace:\n ? __kmem_cache_alloc_node+0x16a/0x440\n ? xa_load+0x6e/0xa0\n sgx_vma_fault+0x119/0x230\n __do_fault+0x36/0x140\n do_fault+0x12f/0x400\n __handle_mm_fault+0x728/0x1110\n handle_mm_fault+0x105/0x310\n do_user_addr_fault+0x1ee/0x750\n ? __this_cpu_preempt_check+0x13/0x20\n exc_page_fault+0x76/0x180\n asm_exc_page_fault+0x27/0x30(CVE-2023-52568)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: rds: Fix possible NULL-pointer dereference\r\n\r\nIn rds_rdma_cm_event_handler_cmn() check, if conn pointer exists\nbefore dereferencing it as rdma_set_service_type() argument\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2023-52573)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: bridge: use DEV_STATS_INC()\r\n\r\nsyzbot/KCSAN reported data-races in br_handle_frame_finish() [1]\nThis function can run from multiple cpus without mutual exclusion.\r\n\r\nAdopt SMP safe DEV_STATS_INC() to update dev->stats fields.\r\n\r\nHandles updates to dev->stats.tx_dropped while we are at it.\r\n\r\n[1]\nBUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish\r\n\r\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1:\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\nbr_nf_hook_thresh+0x1ed/0x220\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\nNF_HOOK include/linux/netfilter.h:304 [inline]\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\nnapi_poll net/core/dev.c:6594 [inline]\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\nrun_ksoftirqd+0x17/0x20 kernel/softirq.c:921\nsmpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164\nkthread+0x1d7/0x210 kernel/kthread.c:388\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\r\n\r\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0:\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\nbr_nf_hook_thresh+0x1ed/0x220\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\nNF_HOOK include/linux/netfilter.h:304 [inline]\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\nnapi_poll net/core/dev.c:6594 [inline]\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\ndo_softirq+0x5e/0x90 kernel/softirq.c:454\n__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381\n__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\n_raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210\nspin_unlock_bh include/linux/spinlock.h:396 [inline]\nbatadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356\nbatadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560\nprocess_one_work kernel/workqueue.c:2630 [inline]\nprocess_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703\nworker_thread+0x525/0x730 kernel/workqueue.c:2784\nkthread+0x1d7/0x210 kernel/kthread.c:388\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\r\n\r\nvalue changed: 0x00000000000d7190 -> 0x00000000000d7191\r\n\r\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f361b9 #0(CVE-2023-52578)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nceph: fix deadlock or deadcode of misusing dget()\r\n\r\nThe lock order is incorrect between denty and its parent, we should\nalways make sure that the parent get the lock first.\r\n\r\nBut since this deadcode is never used and the parent dir will always\nbe set from the callers, let's just remove it.(CVE-2023-52583)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nIB/ipoib: Fix mcast list locking\r\n\r\nReleasing the `priv->lock` while iterating the `priv->multicast_list` in\n`ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to\nremove the items while in the middle of iteration. If the mcast is removed\nwhile the lock was dropped, the for loop spins forever resulting in a hard\nlockup (as was reported on RHEL 4.18.0-372.75.1.el8_6 kernel):\r\n\r\n    Task A (kworker/u72:2 below)       | Task B (kworker/u72:0 below)\n    -----------------------------------+-----------------------------------\n    ipoib_mcast_join_task(work)        | ipoib_ib_dev_flush_light(work)\n      spin_lock_irq(&priv->lock)       | __ipoib_ib_dev_flush(priv, ...)\n      list_for_each_entry(mcast,       | ipoib_mcast_dev_flush(dev = priv->dev)\n          &priv->multicast_list, list) |\n        ipoib_mcast_join(dev, mcast)   |\n          spin_unlock_irq(&priv->lock) |\n                                       |   spin_lock_irqsave(&priv->lock, flags)\n                                       |   list_for_each_entry_safe(mcast, tmcast,\n                                       |                  &priv->multicast_list, list)\n                                       |     list_del(&mcast->list);\n                                       |     list_add_tail(&mcast->list, &remove_list)\n                                       |   spin_unlock_irqrestore(&priv->lock, flags)\n          spin_lock_irq(&priv->lock)   |\n                                       |   ipoib_mcast_remove_list(&remove_list)\n   (Here, `mcast` is no longer on the  |     list_for_each_entry_safe(mcast, tmcast,\n    `priv->multicast_list` and we keep |                            remove_list, list)\n    spinning on the `remove_list` of   |  >>>  wait_for_completion(&mcast->done)\n    the other thread which is blocked  |\n    and the list is still valid on     |\n    it's stack.)\r\n\r\nFix this by keeping the lock held and changing to GFP_ATOMIC to prevent\neventual sleeps.\nUnfortunately we could not reproduce the lockup and confirm this fix but\nbased on the code review I think this fix should address such lockups.\r\n\r\ncrash> bc 31\nPID: 747      TASK: ff1c6a1a007e8000  CPU: 31   COMMAND: \"kworker/u72:2\"\n--\n    [exception RIP: ipoib_mcast_join_task+0x1b1]\n    RIP: ffffffffc0944ac1  RSP: ff646f199a8c7e00  RFLAGS: 00000002\n    RAX: 0000000000000000  RBX: ff1c6a1a04dc82f8  RCX: 0000000000000000\n                                  work (&priv->mcast_task{,.work})\n    RDX: ff1c6a192d60ac68  RSI: 0000000000000286  RDI: ff1c6a1a04dc8000\n           &mcast->list\n    RBP: ff646f199a8c7e90   R8: ff1c699980019420   R9: ff1c6a1920c9a000\n    R10: ff646f199a8c7e00  R11: ff1c6a191a7d9800  R12: ff1c6a192d60ac00\n                                                         mcast\n    R13: ff1c6a1d82200000  R14: ff1c6a1a04dc8000  R15: ff1c6a1a04dc82d8\n           dev                    priv (&priv->lock)     &priv->multicast_list (aka head)\n    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n--- <NMI exception stack> ---\n #5 [ff646f199a8c7e00] ipoib_mcast_join_task+0x1b1 at ffffffffc0944ac1 [ib_ipoib]\n #6 [ff646f199a8c7e98] process_one_work+0x1a7 at ffffffff9bf10967\r\n\r\ncrash> rx ff646f199a8c7e68\nff646f199a8c7e68:  ff1c6a1a04dc82f8 <<< work = &priv->mcast_task.work\r\n\r\ncrash> list -hO ipoib_dev_priv.multicast_list ff1c6a1a04dc8000\n(empty)\r\n\r\ncrash> ipoib_dev_priv.mcast_task.work.func,mcast_mutex.owner.counter ff1c6a1a04dc8000\n  mcast_task.work.func = 0xffffffffc0944910 <ipoib_mcast_join_task>,\n  mcast_mutex.owner.counter = 0xff1c69998efec000\r\n\r\ncrash> b 8\nPID: 8        TASK: ff1c69998efec000  CPU: 33   COMMAND: \"kworker/u72:0\"\n--\n #3 [ff646f1980153d50] wait_for_completion+0x96 at ffffffff9c7d7646\n #4 [ff646f1980153d90] ipoib_mcast_remove_list+0x56 at ffffffffc0944dc6 [ib_ipoib]\n #5 [ff646f1980153de8] ipoib_mcast_dev_flush+0x1a7 at ffffffffc09455a7 [ib_ipoib]\n #6 [ff646f1980153e58] __ipoib_ib_dev_flush+0x1a4 at ffffffffc09431a4 [ib_ipoib]\n #7 [ff\n---truncated---(CVE-2023-52587)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()\r\n\r\nFix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bug\noccurs when txs->cnt, data from a URB provided by a USB device, is\nbigger than the size of the array txs->txstatus, which is\nHTC_MAX_TX_STATUS. WARN_ON() already checks it, but there is no bug\nhandling code after the check. Make the function return if that is the\ncase.\r\n\r\nFound by a modified version of syzkaller.\r\n\r\nUBSAN: array-index-out-of-bounds in htc_drv_txrx.c\nindex 13 is out of range for type '__wmi_event_txstatus [12]'\nCall Trace:\n ath9k_htc_txstatus\n ath9k_wmi_event_tasklet\n tasklet_action_common\n __do_softirq\n irq_exit_rxu\n sysvec_apic_timer_interrupt(CVE-2023-52594)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: rt2x00: restart beacon queue when hardware reset\r\n\r\nWhen a hardware reset is triggered, all registers are reset, so all\nqueues are forced to stop in hardware interface. However, mac80211\nwill not automatically stop the queue. If we don't manually stop the\nbeacon queue, the queue will be deadlocked and unable to start again.\nThis patch fixes the issue where Apple devices cannot connect to the\nAP after calling ieee80211_restart_hw().(CVE-2023-52595)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: s390: fix setting of fpc register\r\n\r\nkvm_arch_vcpu_ioctl_set_fpu() allows to set the floating point control\n(fpc) register of a guest cpu. The new value is tested for validity by\ntemporarily loading it into the fpc register.\r\n\r\nThis may lead to corruption of the fpc register of the host process:\nif an interrupt happens while the value is temporarily loaded into the fpc\nregister, and within interrupt context floating point or vector registers\nare used, the current fp/vx registers are saved with save_fpu_regs()\nassuming they belong to user space and will be loaded into fp/vx registers\nwhen returning to user space.\r\n\r\ntest_fp_ctl() restores the original user space / host process fpc register\nvalue, however it will be discarded, when returning to user space.\r\n\r\nIn result the host process will incorrectly continue to run with the value\nthat was supposed to be used for a guest cpu.\r\n\r\nFix this by simply removing the test. There is another test right before\nthe SIE context is entered which will handles invalid values.\r\n\r\nThis results in a change of behaviour: invalid values will now be accepted\ninstead of that the ioctl fails with -EINVAL. This seems to be acceptable,\ngiven that this interface is most likely not used anymore, and this is in\naddition the same behaviour implemented with the memory mapped interface\n(replace invalid values with zero) - see sync_regs() in kvm-s390.c.(CVE-2023-52597)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/ptrace: handle setting of fpc register correctly\r\n\r\nIf the content of the floating point control (fpc) register of a traced\nprocess is modified with the ptrace interface the new value is tested for\nvalidity by temporarily loading it into the fpc register.\r\n\r\nThis may lead to corruption of the fpc register of the tracing process:\nif an interrupt happens while the value is temporarily loaded into the\nfpc register, and within interrupt context floating point or vector\nregisters are used, the current fp/vx registers are saved with\nsave_fpu_regs() assuming they belong to user space and will be loaded into\nfp/vx registers when returning to user space.\r\n\r\ntest_fp_ctl() restores the original user space fpc register value, however\nit will be discarded, when returning to user space.\r\n\r\nIn result the tracer will incorrectly continue to run with the value that\nwas supposed to be used for the traced process.\r\n\r\nFix this by saving fpu register contents with save_fpu_regs() before using\ntest_fp_ctl().(CVE-2023-52598)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\next4: avoid online resizing failures due to oversized flex bg\r\n\r\nWhen we online resize an ext4 filesystem with a oversized flexbg_size,\r\n\r\n     mkfs.ext4 -F -G 67108864 $dev -b 4096 100M\n     mount $dev $dir\n     resize2fs $dev 16G\r\n\r\nthe following WARN_ON is triggered:\n==================================================================\nWARNING: CPU: 0 PID: 427 at mm/page_alloc.c:4402 __alloc_pages+0x411/0x550\nModules linked in: sg(E)\nCPU: 0 PID: 427 Comm: resize2fs Tainted: G  E  6.6.0-rc5+ #314\nRIP: 0010:__alloc_pages+0x411/0x550\nCall Trace:\n <TASK>\n __kmalloc_large_node+0xa2/0x200\n __kmalloc+0x16e/0x290\n ext4_resize_fs+0x481/0xd80\n __ext4_ioctl+0x1616/0x1d90\n ext4_ioctl+0x12/0x20\n __x64_sys_ioctl+0xf0/0x150\n do_syscall_64+0x3b/0x90\n==================================================================\r\n\r\nThis is because flexbg_size is too large and the size of the new_group_data\narray to be allocated exceeds MAX_ORDER. Currently, the minimum value of\nMAX_ORDER is 8, the minimum value of PAGE_SIZE is 4096, the corresponding\nmaximum number of groups that can be allocated is:\r\n\r\n (PAGE_SIZE << MAX_ORDER) / sizeof(struct ext4_new_group_data) ≈ 21845\r\n\r\nAnd the value that is down-aligned to the power of 2 is 16384. Therefore,\nthis value is defined as MAX_RESIZE_BG, and the number of groups added\neach time does not exceed this value during resizing, and is added multiple\ntimes to complete the online resizing. The difference is that the metadata\nin a flex_bg may be more dispersed.(CVE-2023-52622)",
+    "cves": [
+      {
+        "id": "CVE-2023-52622",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52622",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1452": {
+    "id": "openEuler-SA-2023-1452",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1452",
+    "title": "An update for samba is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\n\nSecurity Fix(es):\n\nAn out-of-bounds read vulnerability was found in Samba due to insufficient length checks in winbindd_pam_auth_crap.c. When performing NTLM authentication, the client replies to cryptographic challenges back to the server. These replies have variable lengths, and Winbind fails to check the lan manager response length. When Winbind is used for NTLM authentication, a maliciously crafted request can trigger an out-of-bounds read in Winbind, possibly resulting in a crash.(CVE-2022-2127)\n\nA vulnerability was found in Samba's SMB2 packet signing mechanism. The SMB2 packet signing is not enforced if an admin configured \"server signing = required\" or for SMB2 connections to Domain Controllers where SMB2 packet signing is mandatory. This flaw allows an attacker to perform attacks, such as a man-in-the-middle attack, by intercepting the network traffic and modifying the SMB2 messages between client and server, affecting the integrity of the data.(CVE-2023-3347)\n\nAn infinite loop vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in an endless loop consuming 100% CPU. This flaw allows an attacker to issue a malformed RPC request, triggering an infinite loop, resulting in a denial of service condition.(CVE-2023-34966)\n\nA Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed-in pointer is not a valid talloc pointer. With an RPC worker process shared among multiple client connections, a malicious client or attacker can trigger a process crash in a shared RPC mdssvc worker process, affecting all other clients this worker serves.(CVE-2023-34967)",
+    "cves": [
+      {
+        "id": "CVE-2023-34967",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34967",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1729": {
+    "id": "openEuler-SA-2023-1729",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1729",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn array indexing vulnerability was found in the netfilter subsystem of the Linux kernel. A missing macro could lead to a miscalculation of the `h->nets` array offset, providing attackers with the primitive to arbitrarily increment/decrement a memory buffer out-of-bound. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.(CVE-2023-42753)",
+    "cves": [
+      {
+        "id": "CVE-2023-42753",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42753",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1640": {
+    "id": "openEuler-SA-2023-1640",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1640",
+    "title": "An update for python3 is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.(CVE-2022-48566)",
+    "cves": [
+      {
+        "id": "CVE-2022-48566",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48566",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1464": {
+    "id": "openEuler-SA-2023-1464",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1464",
+    "title": "An update for firefox is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).(CVE-2021-45960)\r\n\r\nIn doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.(CVE-2021-46143)\r\n\r\nlookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.(CVE-2022-22825)\r\n\r\nnextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.(CVE-2022-22826)\r\n\r\nstoreAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.(CVE-2022-22827)",
+    "cves": [
+      {
+        "id": "CVE-2022-22827",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22827",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1972": {
+    "id": "openEuler-SA-2023-1972",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1972",
+    "title": "An update for trafficserver is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Apache Traffic Server is an OpenSource HTTP / HTTPS / HTTP/2 / QUIC reverse, forward and transparent proxy and cache.\r\n\r\nSecurity Fix(es):\r\n\r\nExposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server.This issue affects Apache Traffic Server: 8.0.0 to 9.2.0.\r\n\r\n(CVE-2022-47184)\r\n\r\nExposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server.This issue affects Apache Traffic Server: from 8.0.0 through 9.2.0.\r\n\r\n8.x users should upgrade to 8.1.7 or later versions\n9.x users should upgrade to 9.2.1 or later versions\r\n\r\n\n(CVE-2023-33933)",
+    "cves": [
+      {
+        "id": "CVE-2023-33933",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33933",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1304": {
+    "id": "openEuler-SA-2023-1304",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1304",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free vulnerability was found in drm_lease_held in drivers/gpu/drm/drm_lease.c in the Linux kernel due to a race problem. This flaw allows a local user privilege attacker to cause a denial of service (DoS) or a kernel information leak.(CVE-2022-1280)",
+    "cves": [
+      {
+        "id": "CVE-2022-1280",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1280",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1145": {
+    "id": "openEuler-SA-2021-1145",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1145",
+    "title": "An update for rubygem-rails is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.\r\n\r\nSecurity Fix(es):\r\n\r\nA deserialization of untrusted data vulnernerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.(CVE-2020-8165)\n\nA client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorages S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits.(CVE-2020-8162)",
+    "cves": [
+      {
+        "id": "CVE-2020-8162",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8162",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1148": {
+    "id": "openEuler-SA-2023-1148",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1148",
+    "title": "An update for emacs is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Emacs is the extensible, customizable, self-documenting real-time display editor.At its core is an interpreter for Emacs Lisp, a dialect of the Lisp programming language with extensions to support text editing. And it is an entire ecosystem of functionality beyond text editing,including a project planner, mail and news reader, debugger interface, calendar, and more.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed.(CVE-2022-48339)\r\n\r\nAn issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem is called through shell-command-to-string, but the feature-name parameters are not escaped. Thus, malicious Ruby source files may cause commands to be executed.(CVE-2022-48338)\r\n\r\nGNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the \"etags -u *\" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input.(CVE-2022-48337)",
+    "cves": [
+      {
+        "id": "CVE-2022-48337",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48337",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1294": {
+    "id": "openEuler-SA-2021-1294",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1294",
+    "title": "An update for p7zip is now available for openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "7za for Linux system to archive file as 7z file format\r\n\r\nSecurity Fix(es):\r\n\r\nHeap-based buffer overflow in the NCompress::NShrink::CDecoder::CodeReal method in 7-Zip before 18.00 and p7zip allows remote attackers to cause a denial of service (out-of-bounds write) or potentially execute arbitrary code via a crafted ZIP archive.(CVE-2017-17969)\r\n\r\nInsufficient exception handling in the method NCompress::NRar3::CDecoder::Code of 7-Zip before 18.00 and p7zip can lead to multiple memory corruptions within the PPMd code, allows remote attackers to cause a denial of service (segmentation fault) or execute arbitrary code via a crafted RAR archive.(CVE-2018-5996)\r\n\r\nIncorrect initialization logic of RAR decoder objects in 7-Zip 18.03 and before can lead to usage of uninitialized memory, allowing remote attackers to cause a denial of service (segmentation fault) or execute arbitrary code via a crafted RAR archive.(CVE-2018-10115)\r\n\r\nA null pointer dereference bug affects the 16.02 and many old versions of p7zip. A lack of null pointer check for the variable folders.PackPositions in function CInArchive::ReadAndDecodePackedStreams in CPP/7zip/Archive/7z/7zIn.cpp, as used in the 7z.so library and in 7z applications, will cause a crash and a denial of service when decoding malformed 7z files.(CVE-2016-9296)",
+    "cves": [
+      {
+        "id": "CVE-2016-9296",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9296",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1359": {
+    "id": "openEuler-SA-2024-1359",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1359",
+    "title": "An update for telnet is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "Telnet is an application protocol used on the Internet or local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. The package includes a remote login client program for telnet and a server daemon.\r\n\r\nSecurity Fix(es):\r\n\r\ntelnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL pointer dereference via 0xff 0xf7 or 0xff 0xf8. In a typical installation, the telnetd application would crash but the telnet service would remain available through inetd. However, if the telnetd application has many crashes within a short time interval, the telnet service would become unavailable after inetd logs a \"telnet/tcp server failing (looping), service terminated\" error. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.(CVE-2022-39028)",
+    "cves": [
+      {
+        "id": "CVE-2022-39028",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39028",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1537": {
+    "id": "openEuler-SA-2023-1537",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1537",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nA use-after-free flaw was found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel. This flaw allows a local attacker to perform a local privilege escalation due to incorrect handling of the existing filter, leading to a kernel information leak issue.(CVE-2023-4128)\n\nA use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in VMware's vmxnet3 ethernet NIC driver in the Linux Kernel. This issue could allow a local attacker to crash the system due to a double-free while cleaning up vmxnet3_rq_cleanup_all, which could also lead to a kernel information leak problem.(CVE-2023-4387)",
+    "cves": [
+      {
+        "id": "CVE-2023-4387",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4387",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1480": {
+    "id": "openEuler-SA-2023-1480",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1480",
+    "title": "An update for openssh is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol.\r\n\r\nSecurity Fix(es):\r\n\r\nThe PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.(CVE-2023-38408)",
+    "cves": [
+      {
+        "id": "CVE-2023-38408",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38408",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1873": {
+    "id": "openEuler-SA-2022-1873",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1873",
+    "title": "An update for gdk-pixbuf2 is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "gdk is written in C but has been designed from the ground up to support a wide range of languages. It provide a complete set of widgets,and suitable for projects ranging from small one-off tools to complete application suites.\r\n\r\nSecurity Fix(es):\r\n\r\nGNOME GdkPixbuf (aka GDK-PixBuf) before 2.42.8 allows a heap-based buffer overflow when compositing or clearing frames in GIF files, as demonstrated by io-gif-animation.c composite_frame. This overflow is controllable and could be abused for code execution, especially on 32-bit systems.(CVE-2021-46829)",
+    "cves": [
+      {
+        "id": "CVE-2021-46829",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46829",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1566": {
+    "id": "openEuler-SA-2022-1566",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1566",
+    "title": "An update for python3 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\\r' and '\\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.(CVE-2022-0391)\r\n\r\nAn attacker could exploit this vulnerability to set up a malicious FTP server that could trick an FTP client into connecting back to a given IP address and port. This can cause the FTP client to scan the port.(CVE-2021-4189)",
+    "cves": [
+      {
+        "id": "CVE-2021-4189",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4189",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1054": {
+    "id": "openEuler-SA-2024-1054",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1054",
+    "title": "An update for metadata-extractor2 is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Metadata Extractor is a straightforward Java library for reading metadata from image files.\r\n\r\nSecurity Fix(es):\r\n\r\nmetadata-extractor up to 2.16.0 can throw various uncaught exceptions while parsing a specially crafted JPEG file, which could result in an application crash. This could be used to mount a denial of service attack against services that use metadata-extractor library.(CVE-2022-24613)\r\n\r\nWhen reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library.(CVE-2022-24614)",
+    "cves": [
+      {
+        "id": "CVE-2022-24614",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24614",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1004": {
+    "id": "openEuler-SA-2024-1004",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1004",
+    "title": "An update for rubygem-puma is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "A simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications.\r\n\r\nSecurity Fix(es):\r\n\r\nPuma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.(CVE-2022-23634)",
+    "cves": [
+      {
+        "id": "CVE-2022-23634",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23634",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1855": {
+    "id": "openEuler-SA-2024-1855",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1855",
+    "title": "An update for httpd is now available for openEuler-22.03-LTS-SP4",
+    "severity": "High",
+    "description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\r\n\r\nSecurity Fix(es):\r\n\r\nSubstitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in\ndirectories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI.\r\n\r\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue.\r\n\r\nSome RewriteRules that capture and substitute unsafely will now fail unless rewrite flag \"UnsafeAllow3F\" is specified.(CVE-2024-38474)\r\n\r\nnull pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request.\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue.(CVE-2024-38477)",
+    "cves": [
+      {
+        "id": "CVE-2024-38477",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38477",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1515": {
+    "id": "openEuler-SA-2024-1515",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1515",
+    "title": "An update for freerdp is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "FreeRDP is a client implementation of the Remote Desktop Protocol (RDP) that follows Microsoft's open specifications. This package provides the client applications xfreerdp and wlfreerdp.\r\n\r\nSecurity Fix(es):\r\n\r\nFreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients using a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to integer overflow and out-of-bounds write. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, do not use `/gfx` options (e.g. deactivate with `/bpp:32` or `/rfx` as it is on by default).(CVE-2024-32039)\r\n\r\nFreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients that use a version of FreeRDP prior to 3.5.0 or 2.11.6 and have connections to servers using the `NSC` codec are vulnerable to integer underflow. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, do not use the NSC codec (e.g. use `-nsc`).(CVE-2024-32040)\r\n\r\nFreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients that use a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, deactivate `/gfx` (on by default, set `/bpp` or `/rfx` options instead.(CVE-2024-32041)\r\n\r\nFreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients that use a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, use `/gfx` or `/rfx` modes (on by default, require server side support).(CVE-2024-32458)\r\n\r\nFreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients and servers that use a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. No known workarounds are available.(CVE-2024-32459)\r\n\r\nFreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based based clients using `/bpp:32` legacy `GDI` drawing path with a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, use modern drawing paths (e.g. `/rfx` or `/gfx` options). The workaround requires server side support.(CVE-2024-32460)\r\n\r\nFreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients prior to version 3.5.1 are vulnerable to out-of-bounds read. Version 3.5.1 contains a patch for the issue. No known workarounds are available.(CVE-2024-32658)\r\n\r\nFreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients prior to version 3.5.1 are vulnerable to out-of-bounds read if `((nWidth == 0) and (nHeight == 0))`. Version 3.5.1 contains a patch for the issue. No known workarounds are available.(CVE-2024-32659)\r\n\r\nFreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.5.1, a malicious server can crash the FreeRDP client by sending invalid huge allocation size. Version 3.5.1 contains a patch for the issue. No known workarounds are available.(CVE-2024-32660)",
+    "cves": [
+      {
+        "id": "CVE-2024-32660",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32660",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1440": {
+    "id": "openEuler-SA-2023-1440",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1440",
+    "title": "An update for python-django is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "A high-level Python Web framework that encourages rapid development and clean, pragmatic design.\n\nSecurity Fix(es):\n\nIn Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.(CVE-2023-36053)",
+    "cves": [
+      {
+        "id": "CVE-2023-36053",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36053",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1669": {
+    "id": "openEuler-SA-2023-1669",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1669",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel through 6.0.9. drivers/media/usb/ttusb-dec/ttusb_dec.c has a memory leak because of the lack of a dvb_frontend_detach call.(CVE-2022-45887)\r\n\r\n\nA division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality. \r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n(CVE-2023-20588)\r\n\r\nIn multiple functions  of io_uring.c, there is a possible kernel memory corruption due to improper locking. This could lead to local escalation of privilege in the kernel with System execution privileges needed. User interaction is not needed for exploitation.\r\n\r\n(CVE-2023-21400)\r\n\r\nVUL-0: CVE-2023-32249: kernel: Linux Kernel ksmbd Multichannel Improper Authentication Session Hijack Vulnerability(CVE-2023-32249)\r\n\r\nVUL-0: CVE-2023-32251: kernel: Linux Kernel ksmbd Improper Restriction of Excessive Authentication Attempts Protection Bypass Vulnerability(CVE-2023-32251)\r\n\r\nVUL-0: CVE-2023-32253: kernel: Linux Kernel ksmbd Session Deadlock Denial-of-Service Vulnerability(CVE-2023-32253)\r\n\r\n** REJECT ** CVE-2023-4881 was wrongly assigned to a bug that was deemed to be a non-security issue by the Linux kernel security team.(CVE-2023-4881)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.\r\n\r\nWhen the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug and lack of error checking in agg_dequeue().\r\n\r\nWe recommend upgrading past commit 8fc134fee27f2263988ae38920bc03da416b03d8.\r\n\r\n(CVE-2023-4921)",
+    "cves": [
+      {
+        "id": "CVE-2023-32251",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32251",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2023-4921",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4921",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1028": {
+    "id": "openEuler-SA-2023-1028",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1028",
+    "title": "An update for systemd is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "systemd is a system and service manager that runs as PID 1 and starts the rest of the system. \r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.(CVE-2022-4415)",
+    "cves": [
+      {
+        "id": "CVE-2022-4415",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4415",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1656": {
+    "id": "openEuler-SA-2024-1656",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1656",
+    "title": "An update for php is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server.\r\n\r\nSecurity Fix(es):\r\n\r\nIn PHP  version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\\x00), testing a blank string as the password via password_verify() will incorrectly return true.\r\n\r\n(CVE-2024-3096)",
+    "cves": [
+      {
+        "id": "CVE-2024-3096",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3096",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1509": {
+    "id": "openEuler-SA-2024-1509",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1509",
+    "title": "An update for ignition is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Ignition is a utility used to manipulate systems during the initramfs. This includes partitioning disks, formatting partitions, writing files (regular files, systemd units, etc.), and configuring users. On first boot, Ignition reads its configuration from a source of truth (remote URL, network metadata service, hypervisor bridge, etc.) and applies the configuration.\r\n\r\nSecurity Fix(es):\r\n\r\nA maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.(CVE-2022-41723)",
+    "cves": [
+      {
+        "id": "CVE-2022-41723",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1293": {
+    "id": "openEuler-SA-2024-1293",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1293",
+    "title": "An update for aops-zeus is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "A host and user manager service which is the foundation of aops.\r\n\r\nSecurity Fix(es):\r\n\r\nIn aops-zeus software versions 1.2.0~1.4.1, there is a vulnerability in the plugin management command of the zeus/conf/constant file. Through this vulnerability, an attacker can implant arbitrary commands to be executed on the remote host, which may cause the remote host system to crash, suffering serious consequences of security threats and losses.(CVE-2024-24899)",
+    "cves": [
+      {
+        "id": "CVE-2024-24899",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24899",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2155": {
+    "id": "openEuler-SA-2022-2155",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2155",
+    "title": "An update for openjdk-11 is now available for openEuler-22.03-LTS",
+    "severity": "Low",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21624)",
+    "cves": [
+      {
+        "id": "CVE-2022-21624",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21624",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1066": {
+    "id": "openEuler-SA-2023-1066",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1066",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nHeap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225.(CVE-2023-0433)",
+    "cves": [
+      {
+        "id": "CVE-2023-0433",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0433",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1269": {
+    "id": "openEuler-SA-2024-1269",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1269",
+    "title": "An update for glusterfs is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "GlusterFS is a distributed file-system capable of scaling to several petabytes. It aggregates various storage bricks over TCP/IP interconnect into one large parallel network filesystem. GlusterFS is one of the most sophisticated file systems in terms of features and extensibility. It borrows a powerful concept called Translators from GNU Hurd kernel. Much of the code in GlusterFS is in user space and easily manageable.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Gluster GlusterFS 11.0, there is an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free.(CVE-2022-48340)",
+    "cves": [
+      {
+        "id": "CVE-2022-48340",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48340",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1484": {
+    "id": "openEuler-SA-2024-1484",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1484",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni2c: img-scb: fix reference leak when pm_runtime_get_sync fails\r\n\r\nThe PM reference count is not expected to be incremented on\nreturn in functions img_i2c_xfer and img_i2c_init.\r\n\r\nHowever, pm_runtime_get_sync will increment the PM reference\ncount even failed. Forgetting to putting operation will result\nin a reference leak here.\r\n\r\nReplace it with pm_runtime_resume_and_get to keep usage\ncounter balanced.(CVE-2020-36783)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nkyber: fix out of bounds access when preempted\r\n\r\n__blk_mq_sched_bio_merge() gets the ctx and hctx for the current CPU and\npasses the hctx to ->bio_merge(). kyber_bio_merge() then gets the ctx\nfor the current CPU again and uses that to get the corresponding Kyber\ncontext in the passed hctx. However, the thread may be preempted between\nthe two calls to blk_mq_get_ctx(), and the ctx returned the second time\nmay no longer correspond to the passed hctx. This \"works\" accidentally\nmost of the time, but it can cause us to read garbage if the second ctx\ncame from an hctx with more ctx's than the first one (i.e., if\nctx->index_hw[hctx->type] > hctx->nr_ctx).\r\n\r\nThis manifested as this UBSAN array index out of bounds error reported\nby Jakub:\r\n\r\nUBSAN: array-index-out-of-bounds in ../kernel/locking/qspinlock.c:130:9\nindex 13106 is out of range for type 'long unsigned int [128]'\nCall Trace:\n dump_stack+0xa4/0xe5\n ubsan_epilogue+0x5/0x40\n __ubsan_handle_out_of_bounds.cold.13+0x2a/0x34\n queued_spin_lock_slowpath+0x476/0x480\n do_raw_spin_lock+0x1c2/0x1d0\n kyber_bio_merge+0x112/0x180\n blk_mq_submit_bio+0x1f5/0x1100\n submit_bio_noacct+0x7b0/0x870\n submit_bio+0xc2/0x3a0\n btrfs_map_bio+0x4f0/0x9d0\n btrfs_submit_data_bio+0x24e/0x310\n submit_one_bio+0x7f/0xb0\n submit_extent_page+0xc4/0x440\n __extent_writepage_io+0x2b8/0x5e0\n __extent_writepage+0x28d/0x6e0\n extent_write_cache_pages+0x4d7/0x7a0\n extent_writepages+0xa2/0x110\n do_writepages+0x8f/0x180\n __writeback_single_inode+0x99/0x7f0\n writeback_sb_inodes+0x34e/0x790\n __writeback_inodes_wb+0x9e/0x120\n wb_writeback+0x4d2/0x660\n wb_workfn+0x64d/0xa10\n process_one_work+0x53a/0xa80\n worker_thread+0x69/0x5b0\n kthread+0x20b/0x240\n ret_from_fork+0x1f/0x30\r\n\r\nOnly Kyber uses the hctx, so fix it by passing the request_queue to\n->bio_merge() instead. BFQ and mq-deadline just use that, and Kyber can\nmap the queues itself to avoid the mismatch.(CVE-2021-46984)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbus: qcom: Put child node before return\r\n\r\nPut child node before return to fix potential reference count leak.\nGenerally, the reference count of child is incremented and decremented\nautomatically in the macro for_each_available_child_of_node() and should\nbe decremented manually if the loop is broken in loop body.(CVE-2021-47054)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init\r\n\r\nADF_STATUS_PF_RUNNING is (only) used and checked by adf_vf2pf_shutdown()\nbefore calling adf_iov_putmsg()->mutex_lock(vf2pf_lock), however the\nvf2pf_lock is initialized in adf_dev_init(), which can fail and when it\nfail, the vf2pf_lock is either not initialized or destroyed, a subsequent\nuse of vf2pf_lock will cause issue.\nTo fix this issue, only set this flag if adf_dev_init() returns 0.\r\n\r\n[    7.178404] BUG: KASAN: user-memory-access in __mutex_lock.isra.0+0x1ac/0x7c0\n[    7.180345] Call Trace:\n[    7.182576]  mutex_lock+0xc9/0xd0\n[    7.183257]  adf_iov_putmsg+0x118/0x1a0 [intel_qat]\n[    7.183541]  adf_vf2pf_shutdown+0x4d/0x7b [intel_qat]\n[    7.183834]  adf_dev_shutdown+0x172/0x2b0 [intel_qat]\n[    7.184127]  adf_probe+0x5e9/0x600 [qat_dh895xccvf](CVE-2021-47056)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: Stop looking for coalesced MMIO zones if the bus is destroyed\r\n\r\nAbort the walk of coalesced MMIO zones if kvm_io_bus_unregister_dev()\nfails to allocate memory for the new instance of the bus.  If it can't\ninstantiate a new bus, unregister_dev() destroys all devices _except_ the\ntarget device.   But, it doesn't tell the caller that it obliterated the\nbus and invoked the destructor for all devices that were on the bus.  In\nthe coalesced MMIO case, this can result in a deleted list entry\ndereference due to attempting to continue iterating on coalesced_zones\nafter future entries (in the walk) have been deleted.\r\n\r\nOpportunistically add curly braces to the for-loop, which encompasses\nmany lines but sneaks by without braces due to the guts being a single\nif statement.(CVE-2021-47060)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: Destroy I/O bus devices on unregister failure _after_ sync'ing SRCU\r\n\r\nIf allocating a new instance of an I/O bus fails when unregistering a\ndevice, wait to destroy the device until after all readers are guaranteed\nto see the new null bus.  Destroying devices before the bus is nullified\ncould lead to use-after-free since readers expect the devices on their\nreference of the bus to remain valid.(CVE-2021-47061)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm: bridge/panel: Cleanup connector on bridge detach\r\n\r\nIf we don't call drm_connector_cleanup() manually in\npanel_bridge_detach(), the connector will be cleaned up with the other\nDRM objects in the call to drm_mode_config_cleanup(). However, since our\ndrm_connector is devm-allocated, by the time drm_mode_config_cleanup()\nwill be called, our connector will be long gone. Therefore, the\nconnector must be cleaned up when the bridge is detached to avoid\nuse-after-free conditions.\r\n\r\nv2: Cleanup connector only if it was created\r\n\r\nv3: Add FIXME\r\n\r\nv4: (Use connector->dev) directly in if() block(CVE-2021-47063)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nuio_hv_generic: Fix a memory leak in error handling paths\r\n\r\nIf 'vmbus_establish_gpadl()' fails, the (recv|send)_gpadl will not be\nupdated and 'hv_uio_cleanup()' in the error handling path will not be\nable to free the corresponding buffer.\r\n\r\nIn such a case, we need to free the buffer explicitly.(CVE-2021-47071)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnvme-loop: fix memory leak in nvme_loop_create_ctrl()\r\n\r\nWhen creating loop ctrl in nvme_loop_create_ctrl(), if nvme_init_ctrl()\nfails, the loop ctrl should be freed before jumping to the \"out\" label.(CVE-2021-47074)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: qedf: Add pointer checks in qedf_update_link_speed()\r\n\r\nThe following trace was observed:\r\n\r\n [   14.042059] Call Trace:\n [   14.042061]  <IRQ>\n [   14.042068]  qedf_link_update+0x144/0x1f0 [qedf]\n [   14.042117]  qed_link_update+0x5c/0x80 [qed]\n [   14.042135]  qed_mcp_handle_link_change+0x2d2/0x410 [qed]\n [   14.042155]  ? qed_set_ptt+0x70/0x80 [qed]\n [   14.042170]  ? qed_set_ptt+0x70/0x80 [qed]\n [   14.042186]  ? qed_rd+0x13/0x40 [qed]\n [   14.042205]  qed_mcp_handle_events+0x437/0x690 [qed]\n [   14.042221]  ? qed_set_ptt+0x70/0x80 [qed]\n [   14.042239]  qed_int_sp_dpc+0x3a6/0x3e0 [qed]\n [   14.042245]  tasklet_action_common.isra.14+0x5a/0x100\n [   14.042250]  __do_softirq+0xe4/0x2f8\n [   14.042253]  irq_exit+0xf7/0x100\n [   14.042255]  do_IRQ+0x7f/0xd0\n [   14.042257]  common_interrupt+0xf/0xf\n [   14.042259]  </IRQ>\r\n\r\nAPI qedf_link_update() is getting called from QED but by that time\nshost_data is not initialised. This results in a NULL pointer dereference\nwhen we try to dereference shost_data while updating supported_speeds.\r\n\r\nAdd a NULL pointer check before dereferencing shost_data.(CVE-2021-47077)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/rxe: Clear all QP fields if creation failed\r\n\r\nrxe_qp_do_cleanup() relies on valid pointer values in QP for the properly\ncreated ones, but in case rxe_qp_from_init() failed it was filled with\ngarbage and caused tot the following error.\r\n\r\n  refcount_t: underflow; use-after-free.\n  WARNING: CPU: 1 PID: 12560 at lib/refcount.c:28 refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28\n  Modules linked in:\n  CPU: 1 PID: 12560 Comm: syz-executor.4 Not tainted 5.12.0-syzkaller #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n  RIP: 0010:refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28\n  Code: e9 db fe ff ff 48 89 df e8 2c c2 ea fd e9 8a fe ff ff e8 72 6a a7 fd 48 c7 c7 e0 b2 c1 89 c6 05 dc 3a e6 09 01 e8 ee 74 fb 04 <0f> 0b e9 af fe ff ff 0f 1f 84 00 00 00 00 00 41 56 41 55 41 54 55\n  RSP: 0018:ffffc900097ceba8 EFLAGS: 00010286\n  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n  RDX: 0000000000040000 RSI: ffffffff815bb075 RDI: fffff520012f9d67\n  RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000\n  R10: ffffffff815b4eae R11: 0000000000000000 R12: ffff8880322a4800\n  R13: ffff8880322a4940 R14: ffff888033044e00 R15: 0000000000000000\n  FS:  00007f6eb2be3700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007fdbe5d41000 CR3: 000000001d181000 CR4: 00000000001506e0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   __refcount_sub_and_test include/linux/refcount.h:283 [inline]\n   __refcount_dec_and_test include/linux/refcount.h:315 [inline]\n   refcount_dec_and_test include/linux/refcount.h:333 [inline]\n   kref_put include/linux/kref.h:64 [inline]\n   rxe_qp_do_cleanup+0x96f/0xaf0 drivers/infiniband/sw/rxe/rxe_qp.c:805\n   execute_in_process_context+0x37/0x150 kernel/workqueue.c:3327\n   rxe_elem_release+0x9f/0x180 drivers/infiniband/sw/rxe/rxe_pool.c:391\n   kref_put include/linux/kref.h:65 [inline]\n   rxe_create_qp+0x2cd/0x310 drivers/infiniband/sw/rxe/rxe_verbs.c:425\n   _ib_create_qp drivers/infiniband/core/core_priv.h:331 [inline]\n   ib_create_named_qp+0x2ad/0x1370 drivers/infiniband/core/verbs.c:1231\n   ib_create_qp include/rdma/ib_verbs.h:3644 [inline]\n   create_mad_qp+0x177/0x2d0 drivers/infiniband/core/mad.c:2920\n   ib_mad_port_open drivers/infiniband/core/mad.c:3001 [inline]\n   ib_mad_init_device+0xd6f/0x1400 drivers/infiniband/core/mad.c:3092\n   add_client_context+0x405/0x5e0 drivers/infiniband/core/device.c:717\n   enable_device_and_get+0x1cd/0x3b0 drivers/infiniband/core/device.c:1331\n   ib_register_device drivers/infiniband/core/device.c:1413 [inline]\n   ib_register_device+0x7c7/0xa50 drivers/infiniband/core/device.c:1365\n   rxe_register_device+0x3d5/0x4a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1147\n   rxe_add+0x12fe/0x16d0 drivers/infiniband/sw/rxe/rxe.c:247\n   rxe_net_add+0x8c/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:503\n   rxe_newlink drivers/infiniband/sw/rxe/rxe.c:269 [inline]\n   rxe_newlink+0xb7/0xe0 drivers/infiniband/sw/rxe/rxe.c:250\n   nldev_newlink+0x30e/0x550 drivers/infiniband/core/nldev.c:1555\n   rdma_nl_rcv_msg+0x36d/0x690 drivers/infiniband/core/netlink.c:195\n   rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]\n   rdma_nl_rcv+0x2ee/0x430 drivers/infiniband/core/netlink.c:259\n   netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]\n   netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338\n   netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927\n   sock_sendmsg_nosec net/socket.c:654 [inline]\n   sock_sendmsg+0xcf/0x120 net/socket.c:674\n   ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350\n   ___sys_sendmsg+0xf3/0x170 net/socket.c:2404\n   __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433\n   do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47\n   entry_SYSCALL_64_after_hwframe+0\n---truncated---(CVE-2021-47078)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nasix: fix uninit-value in asix_mdio_read()\r\n\r\nasix_read_cmd() may read less than sizeof(smsr) bytes and in this case\nsmsr will be uninitialized.\r\n\r\nFail log:\nBUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]\nBUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497\nBUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497\n asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]\n asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497\n asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497(CVE-2021-47101)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/tls: Fix use-after-free after the TLS device goes down and up\r\n\r\nWhen a netdev with active TLS offload goes down, tls_device_down is\ncalled to stop the offload and tear down the TLS context. However, the\nsocket stays alive, and it still points to the TLS context, which is now\ndeallocated. If a netdev goes up, while the connection is still active,\nand the data flow resumes after a number of TCP retransmissions, it will\nlead to a use-after-free of the TLS context.\r\n\r\nThis commit addresses this bug by keeping the context alive until its\nnormal destruction, and implements the necessary fallbacks, so that the\nconnection can resume in software (non-offloaded) kTLS mode.\r\n\r\nOn the TX side tls_sw_fallback is used to encrypt all packets. The RX\nside already has all the necessary fallbacks, because receiving\nnon-decrypted packets is supported. The thing needed on the RX side is\nto block resync requests, which are normally produced after receiving\nnon-decrypted packets.\r\n\r\nThe necessary synchronization is implemented for a graceful teardown:\nfirst the fallbacks are deployed, then the driver resources are released\n(it used to be possible to have a tls_dev_resync after tls_dev_del).\r\n\r\nA new flag called TLS_RX_DEV_DEGRADED is added to indicate the fallback\nmode. It's used to skip the RX resync logic completely, as it becomes\nuseless, and some objects may be released (for example, resync_async,\nwhich is allocated and freed by the driver).(CVE-2021-47131)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: Fix a use-after-free\r\n\r\nlooks like we forget to set ttm->sg to NULL.\nHit panic below\r\n\r\n[ 1235.844104] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b7b4b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI\n[ 1235.989074] Call Trace:\n[ 1235.991751]  sg_free_table+0x17/0x20\n[ 1235.995667]  amdgpu_ttm_backend_unbind.cold+0x4d/0xf7 [amdgpu]\n[ 1236.002288]  amdgpu_ttm_backend_destroy+0x29/0x130 [amdgpu]\n[ 1236.008464]  ttm_tt_destroy+0x1e/0x30 [ttm]\n[ 1236.013066]  ttm_bo_cleanup_memtype_use+0x51/0xa0 [ttm]\n[ 1236.018783]  ttm_bo_release+0x262/0xa50 [ttm]\n[ 1236.023547]  ttm_bo_put+0x82/0xd0 [ttm]\n[ 1236.027766]  amdgpu_bo_unref+0x26/0x50 [amdgpu]\n[ 1236.032809]  amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x7aa/0xd90 [amdgpu]\n[ 1236.040400]  kfd_ioctl_alloc_memory_of_gpu+0xe2/0x330 [amdgpu]\n[ 1236.046912]  kfd_ioctl+0x463/0x690 [amdgpu](CVE-2021-47142)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/smc: remove device from smcd_dev_list after failed device_add()\r\n\r\nIf the device_add() for a smcd_dev fails, there's no cleanup step that\nrolls back the earlier list_add(). The device subsequently gets freed,\nand we end up with a corrupted list.\r\n\r\nAdd some error handling that removes the device from the list.(CVE-2021-47143)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/amdgpu: fix refcount leak\r\n\r\n[Why]\nthe gem object rfb->base.obj[0] is get according to num_planes\nin amdgpufb_create, but is not put according to num_planes\r\n\r\n[How]\nput rfb->base.obj[0] in amdgpu_fbdev_destroy according to num_planes(CVE-2021-47144)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: do not BUG_ON in link_to_fixup_dir\r\n\r\nWhile doing error injection testing I got the following panic\r\n\r\n  kernel BUG at fs/btrfs/tree-log.c:1862!\n  invalid opcode: 0000 [#1] SMP NOPTI\n  CPU: 1 PID: 7836 Comm: mount Not tainted 5.13.0-rc1+ #305\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014\n  RIP: 0010:link_to_fixup_dir+0xd5/0xe0\n  RSP: 0018:ffffb5800180fa30 EFLAGS: 00010216\n  RAX: fffffffffffffffb RBX: 00000000fffffffb RCX: ffff8f595287faf0\n  RDX: ffffb5800180fa37 RSI: ffff8f5954978800 RDI: 0000000000000000\n  RBP: ffff8f5953af9450 R08: 0000000000000019 R09: 0000000000000001\n  R10: 000151f408682970 R11: 0000000120021001 R12: ffff8f5954978800\n  R13: ffff8f595287faf0 R14: ffff8f5953c77dd0 R15: 0000000000000065\n  FS:  00007fc5284c8c40(0000) GS:ffff8f59bbd00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007fc5287f47c0 CR3: 000000011275e002 CR4: 0000000000370ee0\n  Call Trace:\n   replay_one_buffer+0x409/0x470\n   ? btree_read_extent_buffer_pages+0xd0/0x110\n   walk_up_log_tree+0x157/0x1e0\n   walk_log_tree+0xa6/0x1d0\n   btrfs_recover_log_trees+0x1da/0x360\n   ? replay_one_extent+0x7b0/0x7b0\n   open_ctree+0x1486/0x1720\n   btrfs_mount_root.cold+0x12/0xea\n   ? __kmalloc_track_caller+0x12f/0x240\n   legacy_get_tree+0x24/0x40\n   vfs_get_tree+0x22/0xb0\n   vfs_kern_mount.part.0+0x71/0xb0\n   btrfs_mount+0x10d/0x380\n   ? vfs_parse_fs_string+0x4d/0x90\n   legacy_get_tree+0x24/0x40\n   vfs_get_tree+0x22/0xb0\n   path_mount+0x433/0xa10\n   __x64_sys_mount+0xe3/0x120\n   do_syscall_64+0x3d/0x80\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\r\n\r\nWe can get -EIO or any number of legitimate errors from\nbtrfs_search_slot(), panicing here is not the appropriate response.  The\nerror path for this code handles errors properly, simply return the\nerror.(CVE-2021-47145)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmld: fix panic in mld_newpack()\r\n\r\nmld_newpack() doesn't allow to allocate high order page,\nonly order-0 allocation is allowed.\nIf headroom size is too large, a kernel panic could occur in skb_put().\r\n\r\nTest commands:\n    ip netns del A\n    ip netns del B\n    ip netns add A\n    ip netns add B\n    ip link add veth0 type veth peer name veth1\n    ip link set veth0 netns A\n    ip link set veth1 netns B\r\n\r\n    ip netns exec A ip link set lo up\n    ip netns exec A ip link set veth0 up\n    ip netns exec A ip -6 a a 2001:db8:0::1/64 dev veth0\n    ip netns exec B ip link set lo up\n    ip netns exec B ip link set veth1 up\n    ip netns exec B ip -6 a a 2001:db8:0::2/64 dev veth1\n    for i in {1..99}\n    do\n        let A=$i-1\n        ip netns exec A ip link add ip6gre$i type ip6gre \\\n\tlocal 2001:db8:$A::1 remote 2001:db8:$A::2 encaplimit 100\n        ip netns exec A ip -6 a a 2001:db8:$i::1/64 dev ip6gre$i\n        ip netns exec A ip link set ip6gre$i up\r\n\r\n        ip netns exec B ip link add ip6gre$i type ip6gre \\\n\tlocal 2001:db8:$A::2 remote 2001:db8:$A::1 encaplimit 100\n        ip netns exec B ip -6 a a 2001:db8:$i::2/64 dev ip6gre$i\n        ip netns exec B ip link set ip6gre$i up\n    done\r\n\r\nSplat looks like:\nkernel BUG at net/core/skbuff.c:110!\ninvalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI\nCPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.12.0+ #891\nWorkqueue: ipv6_addrconf addrconf_dad_work\nRIP: 0010:skb_panic+0x15d/0x15f\nCode: 92 fe 4c 8b 4c 24 10 53 8b 4d 70 45 89 e0 48 c7 c7 00 ae 79 83\n41 57 41 56 41 55 48 8b 54 24 a6 26 f9 ff <0f> 0b 48 8b 6c 24 20 89\n34 24 e8 4a 4e 92 fe 8b 34 24 48 c7 c1 20\nRSP: 0018:ffff88810091f820 EFLAGS: 00010282\nRAX: 0000000000000089 RBX: ffff8881086e9000 RCX: 0000000000000000\nRDX: 0000000000000089 RSI: 0000000000000008 RDI: ffffed1020123efb\nRBP: ffff888005f6eac0 R08: ffffed1022fc0031 R09: ffffed1022fc0031\nR10: ffff888117e00187 R11: ffffed1022fc0030 R12: 0000000000000028\nR13: ffff888008284eb0 R14: 0000000000000ed8 R15: 0000000000000ec0\nFS:  0000000000000000(0000) GS:ffff888117c00000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8b801c5640 CR3: 0000000033c2c006 CR4: 00000000003706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n ? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600\n ? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600\n skb_put.cold.104+0x22/0x22\n ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600\n ? rcu_read_lock_sched_held+0x91/0xc0\n mld_newpack+0x398/0x8f0\n ? ip6_mc_hdr.isra.26.constprop.46+0x600/0x600\n ? lock_contended+0xc40/0xc40\n add_grhead.isra.33+0x280/0x380\n add_grec+0x5ca/0xff0\n ? mld_sendpack+0xf40/0xf40\n ? lock_downgrade+0x690/0x690\n mld_send_initial_cr.part.34+0xb9/0x180\n ipv6_mc_dad_complete+0x15d/0x1b0\n addrconf_dad_completed+0x8d2/0xbb0\n ? lock_downgrade+0x690/0x690\n ? addrconf_rs_timer+0x660/0x660\n ? addrconf_dad_work+0x73c/0x10e0\n addrconf_dad_work+0x73c/0x10e0\r\n\r\nAllowing high order page allocation could fix this problem.(CVE-2021-47146)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni2c: i801: Don't generate an interrupt on bus reset\r\n\r\nNow that the i2c-i801 driver supports interrupts, setting the KILL bit\nin a attempt to recover from a timed out transaction triggers an\ninterrupt. Unfortunately, the interrupt handler (i801_isr) is not\nprepared for this situation and will try to process the interrupt as\nif it was signaling the end of a successful transaction. In the case\nof a block transaction, this can result in an out-of-range memory\naccess.\r\n\r\nThis condition was reproduced several times by syzbot:\nhttps://syzkaller.appspot.com/bug?extid=ed71512d469895b5b34e\nhttps://syzkaller.appspot.com/bug?extid=8c8dedc0ba9e03f6c79e\nhttps://syzkaller.appspot.com/bug?extid=c8ff0b6d6c73d81b610e\nhttps://syzkaller.appspot.com/bug?extid=33f6c360821c399d69eb\nhttps://syzkaller.appspot.com/bug?extid=be15dc0b1933f04b043a\nhttps://syzkaller.appspot.com/bug?extid=b4d3fd1dfd53e90afd79\r\n\r\nSo disable interrupts while trying to reset the bus. Interrupts will\nbe enabled again for the following transaction.(CVE-2021-47153)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: dsa: fix a crash if ->get_sset_count() fails\r\n\r\nIf ds->ops->get_sset_count() fails then it \"count\" is a negative error\ncode such as -EOPNOTSUPP.  Because \"i\" is an unsigned int, the negative\nerror code is type promoted to a very high value and the loop will\ncorrupt memory until the system crashes.\r\n\r\nFix this by checking for error codes and changing the type of \"i\" to\njust int.(CVE-2021-47159)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: dsa: mt7530: fix VLAN traffic leaks\r\n\r\nPCR_MATRIX field was set to all 1's when VLAN filtering is enabled, but\nwas not reset when it is disabled, which may cause traffic leaks:\r\n\r\n\tip link add br0 type bridge vlan_filtering 1\n\tip link add br1 type bridge vlan_filtering 1\n\tip link set swp0 master br0\n\tip link set swp1 master br1\n\tip link set br0 type bridge vlan_filtering 0\n\tip link set br1 type bridge vlan_filtering 0\n\t# traffic in br0 and br1 will start leaking to each other\r\n\r\nAs port_bridge_{add,del} have set up PCR_MATRIX properly, remove the\nPCR_MATRIX write from mt7530_port_set_vlan_aware.(CVE-2021-47160)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nspi: spi-fsl-dspi: Fix a resource leak in an error handling path\r\n\r\n'dspi_request_dma()' should be undone by a 'dspi_release_dma()' call in the\nerror handling path of the probe function, as already done in the remove\nfunction(CVE-2021-47161)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntipc: skb_linearize the head skb when reassembling msgs\r\n\r\nIt's not a good idea to append the frag skb to a skb's frag_list if\nthe frag_list already has skbs from elsewhere, such as this skb was\ncreated by pskb_copy() where the frag_list was cloned (all the skbs\nin it were skb_get'ed) and shared by multiple skbs.\r\n\r\nHowever, the new appended frag skb should have been only seen by the\ncurrent skb. Otherwise, it will cause use after free crashes as this\nappended frag skb are seen by multiple skbs but it only got skb_get\ncalled once.\r\n\r\nThe same thing happens with a skb updated by pskb_may_pull() with a\nskb_cloned skb. Li Shuang has reported quite a few crashes caused\nby this when doing testing over macvlan devices:\r\n\r\n  [] kernel BUG at net/core/skbuff.c:1970!\n  [] Call Trace:\n  []  skb_clone+0x4d/0xb0\n  []  macvlan_broadcast+0xd8/0x160 [macvlan]\n  []  macvlan_process_broadcast+0x148/0x150 [macvlan]\n  []  process_one_work+0x1a7/0x360\n  []  worker_thread+0x30/0x390\r\n\r\n  [] kernel BUG at mm/usercopy.c:102!\n  [] Call Trace:\n  []  __check_heap_object+0xd3/0x100\n  []  __check_object_size+0xff/0x16b\n  []  simple_copy_to_iter+0x1c/0x30\n  []  __skb_datagram_iter+0x7d/0x310\n  []  __skb_datagram_iter+0x2a5/0x310\n  []  skb_copy_datagram_iter+0x3b/0x90\n  []  tipc_recvmsg+0x14a/0x3a0 [tipc]\n  []  ____sys_recvmsg+0x91/0x150\n  []  ___sys_recvmsg+0x7b/0xc0\r\n\r\n  [] kernel BUG at mm/slub.c:305!\n  [] Call Trace:\n  []  <IRQ>\n  []  kmem_cache_free+0x3ff/0x400\n  []  __netif_receive_skb_core+0x12c/0xc40\n  []  ? kmem_cache_alloc+0x12e/0x270\n  []  netif_receive_skb_internal+0x3d/0xb0\n  []  ? get_rx_page_info+0x8e/0xa0 [be2net]\n  []  be_poll+0x6ef/0xd00 [be2net]\n  []  ? irq_exit+0x4f/0x100\n  []  net_rx_action+0x149/0x3b0\r\n\r\n  ...\r\n\r\nThis patch is to fix it by linearizing the head skb if it has frag_list\nset in tipc_buf_append(). Note that we choose to do this before calling\nskb_unshare(), as __skb_linearize() will avoid skb_copy(). Also, we can\nnot just drop the frag_list either as the early time.(CVE-2021-47162)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntipc: wait and exit until all work queues are done\r\n\r\nOn some host, a crash could be triggered simply by repeating these\ncommands several times:\r\n\r\n  # modprobe tipc\n  # tipc bearer enable media udp name UDP1 localip 127.0.0.1\n  # rmmod tipc\r\n\r\n  [] BUG: unable to handle kernel paging request at ffffffffc096bb00\n  [] Workqueue: events 0xffffffffc096bb00\n  [] Call Trace:\n  []  ? process_one_work+0x1a7/0x360\n  []  ? worker_thread+0x30/0x390\n  []  ? create_worker+0x1a0/0x1a0\n  []  ? kthread+0x116/0x130\n  []  ? kthread_flush_work_fn+0x10/0x10\n  []  ? ret_from_fork+0x35/0x40\r\n\r\nWhen removing the TIPC module, the UDP tunnel sock will be delayed to\nrelease in a work queue as sock_release() can't be done in rtnl_lock().\nIf the work queue is schedule to run after the TIPC module is removed,\nkernel will crash as the work queue function cleanup_beareri() code no\nlonger exists when trying to invoke it.\r\n\r\nTo fix it, this patch introduce a member wq_count in tipc_net to track\nthe numbers of work queues in schedule, and  wait and exit until all\nwork queues are done in tipc_exit_net().(CVE-2021-47163)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nNFS: Fix an Oopsable condition in __nfs_pageio_add_request()\r\n\r\nEnsure that nfs_pageio_error_cleanup() resets the mirror array contents,\nso that the structure reflects the fact that it is now empty.\nAlso change the test in nfs_pageio_do_add_request() to be more robust by\nchecking whether or not the list is empty rather than relying on the\nvalue of pg_count.(CVE-2021-47167)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nUSB: usbfs: Don't WARN about excessively large memory allocations\r\n\r\nSyzbot found that the kernel generates a WARNing if the user tries to\nsubmit a bulk transfer through usbfs with a buffer that is way too\nlarge.  This isn't a bug in the kernel; it's merely an invalid request\nfrom the user and the usbfs code does handle it correctly.\r\n\r\nIn theory the same thing can happen with async transfers, or with the\npacket descriptor table for isochronous transfers.\r\n\r\nTo prevent the MM subsystem from complaining about these bad\nallocation requests, add the __GFP_NOWARN flag to the kmalloc calls\nfor these buffers.(CVE-2021-47170)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: usb: fix memory leak in smsc75xx_bind\r\n\r\nSyzbot reported memory leak in smsc75xx_bind().\nThe problem was is non-freed memory in case of\nerrors after memory allocation.\r\n\r\nbacktrace:\n  [<ffffffff84245b62>] kmalloc include/linux/slab.h:556 [inline]\n  [<ffffffff84245b62>] kzalloc include/linux/slab.h:686 [inline]\n  [<ffffffff84245b62>] smsc75xx_bind+0x7a/0x334 drivers/net/usb/smsc75xx.c:1460\n  [<ffffffff82b5b2e6>] usbnet_probe+0x3b6/0xc30 drivers/net/usb/usbnet.c:1728(CVE-2021-47171)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmisc/uss720: fix memory leak in uss720_probe\r\n\r\nuss720_probe forgets to decrease the refcount of usbdev in uss720_probe.\nFix this by decreasing the refcount of usbdev by usb_put_dev.\r\n\r\nBUG: memory leak\nunreferenced object 0xffff888101113800 (size 2048):\n  comm \"kworker/0:1\", pid 7, jiffies 4294956777 (age 28.870s)\n  hex dump (first 32 bytes):\n    ff ff ff ff 31 00 00 00 00 00 00 00 00 00 00 00  ....1...........\n    00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00  ................\n  backtrace:\n    [<ffffffff82b8e822>] kmalloc include/linux/slab.h:554 [inline]\n    [<ffffffff82b8e822>] kzalloc include/linux/slab.h:684 [inline]\n    [<ffffffff82b8e822>] usb_alloc_dev+0x32/0x450 drivers/usb/core/usb.c:582\n    [<ffffffff82b98441>] hub_port_connect drivers/usb/core/hub.c:5129 [inline]\n    [<ffffffff82b98441>] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]\n    [<ffffffff82b98441>] port_event drivers/usb/core/hub.c:5509 [inline]\n    [<ffffffff82b98441>] hub_event+0x1171/0x20c0 drivers/usb/core/hub.c:5591\n    [<ffffffff81259229>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275\n    [<ffffffff81259b19>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421\n    [<ffffffff81261228>] kthread+0x178/0x1b0 kernel/kthread.c:292\n    [<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294(CVE-2021-47173)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nNFC: nci: fix memory leak in nci_allocate_device\r\n\r\nnfcmrvl_disconnect fails to free the hci_dev field in struct nci_dev.\nFix this by freeing hci_dev in nci_free_device.\r\n\r\nBUG: memory leak\nunreferenced object 0xffff888111ea6800 (size 1024):\n  comm \"kworker/1:0\", pid 19, jiffies 4294942308 (age 13.580s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 60 fd 0c 81 88 ff ff  .........`......\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<000000004bc25d43>] kmalloc include/linux/slab.h:552 [inline]\n    [<000000004bc25d43>] kzalloc include/linux/slab.h:682 [inline]\n    [<000000004bc25d43>] nci_hci_allocate+0x21/0xd0 net/nfc/nci/hci.c:784\n    [<00000000c59cff92>] nci_allocate_device net/nfc/nci/core.c:1170 [inline]\n    [<00000000c59cff92>] nci_allocate_device+0x10b/0x160 net/nfc/nci/core.c:1132\n    [<00000000006e0a8e>] nfcmrvl_nci_register_dev+0x10a/0x1c0 drivers/nfc/nfcmrvl/main.c:153\n    [<000000004da1b57e>] nfcmrvl_probe+0x223/0x290 drivers/nfc/nfcmrvl/usb.c:345\n    [<00000000d506aed9>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396\n    [<00000000bc632c92>] really_probe+0x159/0x4a0 drivers/base/dd.c:554\n    [<00000000f5009125>] driver_probe_device+0x84/0x100 drivers/base/dd.c:740\n    [<000000000ce658ca>] __device_attach_driver+0xee/0x110 drivers/base/dd.c:846\n    [<000000007067d05f>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:431\n    [<00000000f8e13372>] __device_attach+0x122/0x250 drivers/base/dd.c:914\n    [<000000009cf68860>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:491\n    [<00000000359c965a>] device_add+0x5be/0xc30 drivers/base/core.c:3109\n    [<00000000086e4bd3>] usb_set_configuration+0x9d9/0xb90 drivers/usb/core/message.c:2164\n    [<00000000ca036872>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238\n    [<00000000d40d36f6>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293\n    [<00000000bc632c92>] really_probe+0x159/0x4a0 drivers/base/dd.c:554(CVE-2021-47180)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nEDAC/thunderx: Fix possible out-of-bounds string access\r\n\r\nEnabling -Wstringop-overflow globally exposes a warning for a common bug\nin the usage of strncat():\r\n\r\n  drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':\n  drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]\n   1136 |                 strncat(msg, other, OCX_MESSAGE_SIZE);\n        |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n   ...\n   1145 |                                 strncat(msg, other, OCX_MESSAGE_SIZE);\n   ...\n   1150 |                                 strncat(msg, other, OCX_MESSAGE_SIZE);\r\n\r\n   ...\r\n\r\nApparently the author of this driver expected strncat() to behave the\nway that strlcat() does, which uses the size of the destination buffer\nas its third argument rather than the length of the source buffer. The\nresult is that there is no check on the size of the allocated buffer.\r\n\r\nChange it to strlcat().\r\n\r\n  [ bp: Trim compiler output, fixup commit message. ](CVE-2023-52464)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nInput: powermate - fix use-after-free in powermate_config_complete\r\n\r\nsyzbot has found a use-after-free bug [1] in the powermate driver. This\nhappens when the device is disconnected, which leads to a memory free from\nthe powermate_device struct.  When an asynchronous control message\ncompletes after the kfree and its callback is invoked, the lock does not\nexist anymore and hence the bug.\r\n\r\nUse usb_kill_urb() on pm->config to cancel any in-progress requests upon\ndevice disconnection.\r\n\r\n[1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e(CVE-2023-52475)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command\r\n\r\nTags allocated for OPC_INB_SET_CONTROLLER_CONFIG command need to be freed\nwhen we receive the response.(CVE-2023-52500)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfc: nci: assert requested protocol is valid\r\n\r\nThe protocol is used in a bit mask to determine if the protocol is\nsupported. Assert the provided protocol is less than the maximum\ndefined so it doesn't potentially perform a shift-out-of-bounds and\nprovide a clearer error for undefined protocols vs unsupported ones.(CVE-2023-52507)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nieee802154: ca8210: Fix a potential UAF in ca8210_probe\r\n\r\nIf of_clk_add_provider() fails in ca8210_register_ext_clock(),\nit calls clk_unregister() to release priv->clk and returns an\nerror. However, the caller ca8210_probe() then calls ca8210_remove(),\nwhere priv->clk is freed again in ca8210_unregister_ext_clock(). In\nthis case, a use-after-free may happen in the second time we call\nclk_unregister().\r\n\r\nFix this by removing the first clk_unregister(). Also, priv->clk could\nbe an error code on failure of clk_register_fixed_rate(). Use\nIS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock().(CVE-2023-52510)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/srp: Do not call scsi_done() from srp_abort()\r\n\r\nAfter scmd_eh_abort_handler() has called the SCSI LLD eh_abort_handler\ncallback, it performs one of the following actions:\n* Call scsi_queue_insert().\n* Call scsi_finish_command().\n* Call scsi_eh_scmd_add().\nHence, SCSI abort handlers must not call scsi_done(). Otherwise all\nthe above actions would trigger a use-after-free. Hence remove the\nscsi_done() call from srp_abort(). Keep the srp_free_req() call\nbefore returning SUCCESS because we may not see the command again if\nSUCCESS is returned.(CVE-2023-52515)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: fix possible store tearing in neigh_periodic_work()\r\n\r\nWhile looking at a related syzbot report involving neigh_periodic_work(),\nI found that I forgot to add an annotation when deleting an\nRCU protected item from a list.\r\n\r\nReaders use rcu_deference(*np), we need to use either\nrcu_assign_pointer() or WRITE_ONCE() on writer side\nto prevent store tearing.\r\n\r\nI use rcu_assign_pointer() to have lockdep support,\nthis was the choice made in neigh_flush_dev().(CVE-2023-52522)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: mac80211: fix potential key use-after-free\r\n\r\nWhen ieee80211_key_link() is called by ieee80211_gtk_rekey_add()\nbut returns 0 due to KRACK protection (identical key reinstall),\nieee80211_gtk_rekey_add() will still return a pointer into the\nkey, in a potential use-after-free. This normally doesn't happen\nsince it's only called by iwlwifi in case of WoWLAN rekey offload\nwhich has its own KRACK protection, but still better to fix, do\nthat by returning an error code and converting that to success on\nthe cfg80211 boundary only, leaving the error for bad callers of\nieee80211_gtk_rekey_add().(CVE-2023-52530)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix potential use after free in nilfs_gccache_submit_read_data()\r\n\r\nIn nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the\nreference count of bh when the call to nilfs_dat_translate() fails.  If\nthe reference count hits 0 and its owner page gets unlocked, bh may be\nfreed.  However, bh->b_page is dereferenced to put the page after that,\nwhich may result in a use-after-free bug.  This patch moves the release\noperation after unlocking and putting the page.\r\n\r\nNOTE: The function in question is only called in GC, and in combination\nwith current userland tools, address translation using DAT does not occur\nin that function, so the code path that causes this issue will not be\nexecuted.  However, it is possible to run that code path by intentionally\nmodifying the userland GC library or by calling the GC ioctl directly.\r\n\r\n[konishi.ryusuke@gmail.com: NOTE added to the commit log](CVE-2023-52566)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: bridge: use DEV_STATS_INC()\r\n\r\nsyzbot/KCSAN reported data-races in br_handle_frame_finish() [1]\nThis function can run from multiple cpus without mutual exclusion.\r\n\r\nAdopt SMP safe DEV_STATS_INC() to update dev->stats fields.\r\n\r\nHandles updates to dev->stats.tx_dropped while we are at it.\r\n\r\n[1]\nBUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish\r\n\r\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1:\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\nbr_nf_hook_thresh+0x1ed/0x220\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\nNF_HOOK include/linux/netfilter.h:304 [inline]\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\nnapi_poll net/core/dev.c:6594 [inline]\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\nrun_ksoftirqd+0x17/0x20 kernel/softirq.c:921\nsmpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164\nkthread+0x1d7/0x210 kernel/kthread.c:388\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\r\n\r\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0:\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\nbr_nf_hook_thresh+0x1ed/0x220\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\nNF_HOOK include/linux/netfilter.h:304 [inline]\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\nnapi_poll net/core/dev.c:6594 [inline]\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\ndo_softirq+0x5e/0x90 kernel/softirq.c:454\n__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381\n__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\n_raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210\nspin_unlock_bh include/linux/spinlock.h:396 [inline]\nbatadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356\nbatadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560\nprocess_one_work kernel/workqueue.c:2630 [inline]\nprocess_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703\nworker_thread+0x525/0x730 kernel/workqueue.c:2784\nkthread+0x1d7/0x210 kernel/kthread.c:388\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\r\n\r\nvalue changed: 0x00000000000d7190 -> 0x00000000000d7191\r\n\r\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f361b9 #0(CVE-2023-52578)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nceph: fix deadlock or deadcode of misusing dget()\r\n\r\nThe lock order is incorrect between denty and its parent, we should\nalways make sure that the parent get the lock first.\r\n\r\nBut since this deadcode is never used and the parent dir will always\nbe set from the callers, let's just remove it.(CVE-2023-52583)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nIB/ipoib: Fix mcast list locking\r\n\r\nReleasing the `priv->lock` while iterating the `priv->multicast_list` in\n`ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to\nremove the items while in the middle of iteration. If the mcast is removed\nwhile the lock was dropped, the for loop spins forever resulting in a hard\nlockup (as was reported on RHEL 4.18.0-372.75.1.el8_6 kernel):\r\n\r\n    Task A (kworker/u72:2 below)       | Task B (kworker/u72:0 below)\n    -----------------------------------+-----------------------------------\n    ipoib_mcast_join_task(work)        | ipoib_ib_dev_flush_light(work)\n      spin_lock_irq(&priv->lock)       | __ipoib_ib_dev_flush(priv, ...)\n      list_for_each_entry(mcast,       | ipoib_mcast_dev_flush(dev = priv->dev)\n          &priv->multicast_list, list) |\n        ipoib_mcast_join(dev, mcast)   |\n          spin_unlock_irq(&priv->lock) |\n                                       |   spin_lock_irqsave(&priv->lock, flags)\n                                       |   list_for_each_entry_safe(mcast, tmcast,\n                                       |                  &priv->multicast_list, list)\n                                       |     list_del(&mcast->list);\n                                       |     list_add_tail(&mcast->list, &remove_list)\n                                       |   spin_unlock_irqrestore(&priv->lock, flags)\n          spin_lock_irq(&priv->lock)   |\n                                       |   ipoib_mcast_remove_list(&remove_list)\n   (Here, `mcast` is no longer on the  |     list_for_each_entry_safe(mcast, tmcast,\n    `priv->multicast_list` and we keep |                            remove_list, list)\n    spinning on the `remove_list` of   |  >>>  wait_for_completion(&mcast->done)\n    the other thread which is blocked  |\n    and the list is still valid on     |\n    it's stack.)\r\n\r\nFix this by keeping the lock held and changing to GFP_ATOMIC to prevent\neventual sleeps.\nUnfortunately we could not reproduce the lockup and confirm this fix but\nbased on the code review I think this fix should address such lockups.\r\n\r\ncrash> bc 31\nPID: 747      TASK: ff1c6a1a007e8000  CPU: 31   COMMAND: \"kworker/u72:2\"\n--\n    [exception RIP: ipoib_mcast_join_task+0x1b1]\n    RIP: ffffffffc0944ac1  RSP: ff646f199a8c7e00  RFLAGS: 00000002\n    RAX: 0000000000000000  RBX: ff1c6a1a04dc82f8  RCX: 0000000000000000\n                                  work (&priv->mcast_task{,.work})\n    RDX: ff1c6a192d60ac68  RSI: 0000000000000286  RDI: ff1c6a1a04dc8000\n           &mcast->list\n    RBP: ff646f199a8c7e90   R8: ff1c699980019420   R9: ff1c6a1920c9a000\n    R10: ff646f199a8c7e00  R11: ff1c6a191a7d9800  R12: ff1c6a192d60ac00\n                                                         mcast\n    R13: ff1c6a1d82200000  R14: ff1c6a1a04dc8000  R15: ff1c6a1a04dc82d8\n           dev                    priv (&priv->lock)     &priv->multicast_list (aka head)\n    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n--- <NMI exception stack> ---\n #5 [ff646f199a8c7e00] ipoib_mcast_join_task+0x1b1 at ffffffffc0944ac1 [ib_ipoib]\n #6 [ff646f199a8c7e98] process_one_work+0x1a7 at ffffffff9bf10967\r\n\r\ncrash> rx ff646f199a8c7e68\nff646f199a8c7e68:  ff1c6a1a04dc82f8 <<< work = &priv->mcast_task.work\r\n\r\ncrash> list -hO ipoib_dev_priv.multicast_list ff1c6a1a04dc8000\n(empty)\r\n\r\ncrash> ipoib_dev_priv.mcast_task.work.func,mcast_mutex.owner.counter ff1c6a1a04dc8000\n  mcast_task.work.func = 0xffffffffc0944910 <ipoib_mcast_join_task>,\n  mcast_mutex.owner.counter = 0xff1c69998efec000\r\n\r\ncrash> b 8\nPID: 8        TASK: ff1c69998efec000  CPU: 33   COMMAND: \"kworker/u72:0\"\n--\n #3 [ff646f1980153d50] wait_for_completion+0x96 at ffffffff9c7d7646\n #4 [ff646f1980153d90] ipoib_mcast_remove_list+0x56 at ffffffffc0944dc6 [ib_ipoib]\n #5 [ff646f1980153de8] ipoib_mcast_dev_flush+0x1a7 at ffffffffc09455a7 [ib_ipoib]\n #6 [ff646f1980153e58] __ipoib_ib_dev_flush+0x1a4 at ffffffffc09431a4 [ib_ipoib]\n #7 [ff\n---truncated---(CVE-2023-52587)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()\r\n\r\nFix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bug\noccurs when txs->cnt, data from a URB provided by a USB device, is\nbigger than the size of the array txs->txstatus, which is\nHTC_MAX_TX_STATUS. WARN_ON() already checks it, but there is no bug\nhandling code after the check. Make the function return if that is the\ncase.\r\n\r\nFound by a modified version of syzkaller.\r\n\r\nUBSAN: array-index-out-of-bounds in htc_drv_txrx.c\nindex 13 is out of range for type '__wmi_event_txstatus [12]'\nCall Trace:\n ath9k_htc_txstatus\n ath9k_wmi_event_tasklet\n tasklet_action_common\n __do_softirq\n irq_exit_rxu\n sysvec_apic_timer_interrupt(CVE-2023-52594)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: rt2x00: restart beacon queue when hardware reset\r\n\r\nWhen a hardware reset is triggered, all registers are reset, so all\nqueues are forced to stop in hardware interface. However, mac80211\nwill not automatically stop the queue. If we don't manually stop the\nbeacon queue, the queue will be deadlocked and unable to start again.\nThis patch fixes the issue where Apple devices cannot connect to the\nAP after calling ieee80211_restart_hw().(CVE-2023-52595)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: s390: fix setting of fpc register\r\n\r\nkvm_arch_vcpu_ioctl_set_fpu() allows to set the floating point control\n(fpc) register of a guest cpu. The new value is tested for validity by\ntemporarily loading it into the fpc register.\r\n\r\nThis may lead to corruption of the fpc register of the host process:\nif an interrupt happens while the value is temporarily loaded into the fpc\nregister, and within interrupt context floating point or vector registers\nare used, the current fp/vx registers are saved with save_fpu_regs()\nassuming they belong to user space and will be loaded into fp/vx registers\nwhen returning to user space.\r\n\r\ntest_fp_ctl() restores the original user space / host process fpc register\nvalue, however it will be discarded, when returning to user space.\r\n\r\nIn result the host process will incorrectly continue to run with the value\nthat was supposed to be used for a guest cpu.\r\n\r\nFix this by simply removing the test. There is another test right before\nthe SIE context is entered which will handles invalid values.\r\n\r\nThis results in a change of behaviour: invalid values will now be accepted\ninstead of that the ioctl fails with -EINVAL. This seems to be acceptable,\ngiven that this interface is most likely not used anymore, and this is in\naddition the same behaviour implemented with the memory mapped interface\n(replace invalid values with zero) - see sync_regs() in kvm-s390.c.(CVE-2023-52597)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/ptrace: handle setting of fpc register correctly\r\n\r\nIf the content of the floating point control (fpc) register of a traced\nprocess is modified with the ptrace interface the new value is tested for\nvalidity by temporarily loading it into the fpc register.\r\n\r\nThis may lead to corruption of the fpc register of the tracing process:\nif an interrupt happens while the value is temporarily loaded into the\nfpc register, and within interrupt context floating point or vector\nregisters are used, the current fp/vx registers are saved with\nsave_fpu_regs() assuming they belong to user space and will be loaded into\nfp/vx registers when returning to user space.\r\n\r\ntest_fp_ctl() restores the original user space fpc register value, however\nit will be discarded, when returning to user space.\r\n\r\nIn result the tracer will incorrectly continue to run with the value that\nwas supposed to be used for the traced process.\r\n\r\nFix this by saving fpu register contents with save_fpu_regs() before using\ntest_fp_ctl().(CVE-2023-52598)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\next4: avoid online resizing failures due to oversized flex bg\r\n\r\nWhen we online resize an ext4 filesystem with a oversized flexbg_size,\r\n\r\n     mkfs.ext4 -F -G 67108864 $dev -b 4096 100M\n     mount $dev $dir\n     resize2fs $dev 16G\r\n\r\nthe following WARN_ON is triggered:\n==================================================================\nWARNING: CPU: 0 PID: 427 at mm/page_alloc.c:4402 __alloc_pages+0x411/0x550\nModules linked in: sg(E)\nCPU: 0 PID: 427 Comm: resize2fs Tainted: G  E  6.6.0-rc5+ #314\nRIP: 0010:__alloc_pages+0x411/0x550\nCall Trace:\n <TASK>\n __kmalloc_large_node+0xa2/0x200\n __kmalloc+0x16e/0x290\n ext4_resize_fs+0x481/0xd80\n __ext4_ioctl+0x1616/0x1d90\n ext4_ioctl+0x12/0x20\n __x64_sys_ioctl+0xf0/0x150\n do_syscall_64+0x3b/0x90\n==================================================================\r\n\r\nThis is because flexbg_size is too large and the size of the new_group_data\narray to be allocated exceeds MAX_ORDER. Currently, the minimum value of\nMAX_ORDER is 8, the minimum value of PAGE_SIZE is 4096, the corresponding\nmaximum number of groups that can be allocated is:\r\n\r\n (PAGE_SIZE << MAX_ORDER) / sizeof(struct ext4_new_group_data) ≈ 21845\r\n\r\nAnd the value that is down-aligned to the power of 2 is 16384. Therefore,\nthis value is defined as MAX_RESIZE_BG, and the number of groups added\neach time does not exceed this value during resizing, and is added multiple\ntimes to complete the online resizing. The difference is that the metadata\nin a flex_bg may be more dispersed.(CVE-2023-52622)",
+    "cves": [
+      {
+        "id": "CVE-2023-52622",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52622",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1964": {
+    "id": "openEuler-SA-2023-1964",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1964",
+    "title": "An update for jettison is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Jettison is a collection of Java APIs (like STaX and DOM) which read and write JSON. This allows nearly transparent enablement of JSON based web services in services frameworks like CXF or XML serialization frameworks like XStream.\r\n\r\nSecurity Fix(es):\r\n\r\nAn infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.\r\n\r\n(CVE-2023-1436)",
+    "cves": [
+      {
+        "id": "CVE-2023-1436",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1436",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1722": {
+    "id": "openEuler-SA-2024-1722",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1722",
+    "title": "An update for mpv is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Mpv is a movie player based on MPlayer and mplayer2. It supports a wide variety of video file formats, audio and video codecs, and subtitle types. Special input URL types are available to read input from a variety of sources other than disk files. Depending on platform, a variety of different video and audio output methods are supported.\r\n\r\nSecurity Fix(es):\r\n\r\nA format string vulnerability in mpv through 0.33.0 allows user-assisted remote attackers to achieve code execution via a crafted m3u playlist file.(CVE-2021-30145)",
+    "cves": [
+      {
+        "id": "CVE-2021-30145",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30145",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1064": {
+    "id": "openEuler-SA-2021-1064",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1064",
+    "title": "An update for openvpn is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Low",
+    "description": "OpenVPN is a full-featured open source SSL VPN solution that accommodates a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls. Starting with the fundamental premise that complexity is the enemy of security, OpenVPN offers a cost-effective, lightweight alternative to other VPN technologies that is well-adapted for the SME and enterprise markets.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can inject a data channel v2 (P_DATA_V2) packet using a victim's peer-id. Normally such packets are dropped, but if this packet arrives before the data channel crypto parameters have been initialized, the victim's connection will be dropped. This requires careful timing due to the small time window (usually within a few seconds) between the victim client connection starting and the server PUSH_REPLY response back to the client. This attack will only work if Negotiable Cipher Parameters (NCP) is in use.(CVE-2020-11810)",
+    "cves": [
+      {
+        "id": "CVE-2020-11810",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11810",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1194": {
+    "id": "openEuler-SA-2021-1194",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1194",
+    "title": "An update for babel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Babel is an integrated collection of utilities that assist in internationalizing and localizing Python applications, with an emphasis on web-based applications.\r\n\r\nSecurity Fix(es):\r\n\r\nRelative Path Traversal in Babel 2.9.0 allows an attacker to load arbitrary locale files on disk and execute arbitrary code.(CVE-2021-20095)",
+    "cves": [
+      {
+        "id": "CVE-2021-20095",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20095",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2166": {
+    "id": "openEuler-SA-2022-2166",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2166",
+    "title": "An update for trafficserver is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Apache Traffic Server is an OpenSource HTTP / HTTPS / HTTP/2 / QUIC reverse,forward and transparent proxy and cache.\r\n\r\nSecurity Fix(es):\r\n\r\nImproper Check for Unusual or Exceptional Conditions vulnerability handling requests in Apache Traffic Server allows an attacker to crash the server under certain conditions. This issue affects Apache Traffic Server: from 8.0.0 through 9.1.3.(CVE-2022-32749)\r\n\r\nImproper Check for Unusual or Exceptional Conditions vulnerability in handling the requests to Apache Traffic Server. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.(CVE-2022-37392)\r\n\r\nImproper Input Validation vulnerability for the xdebug plugin in Apache Software Foundation Apache Traffic Server can lead to cross site scripting and cache poisoning attacks.This issue affects Apache Traffic Server: 9.0.0 to 9.1.3. Users should upgrade to 9.1.4 or later versions.(CVE-2022-40743)",
+    "cves": [
+      {
+        "id": "CVE-2022-40743",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40743",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2121": {
+    "id": "openEuler-SA-2022-2121",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2121",
+    "title": "An update for samba is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in MIT krb5. This flaw allows an authenticated attacker to cause a KDC or kadmind process to crash by reading beyond the bounds of allocated memory, creating a denial of service. A privileged attacker may similarly be able to cause a Kerberos or GSS application service to crash.(CVE-2022-42898)",
+    "cves": [
+      {
+        "id": "CVE-2022-42898",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42898",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1498": {
+    "id": "openEuler-SA-2024-1498",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1498",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: qcom-rng - ensure buffer for generate is completely filled\r\n\r\nThe generate function in struct rng_alg expects that the destination\nbuffer is completely filled if the function returns 0. qcom_rng_read()\ncan run into a situation where the buffer is partially filled with\nrandomness and the remaining part of the buffer is zeroed since\nqcom_rng_generate() doesn't check the return value. This issue can\nbe reproduced by running the following from libkcapi:\r\n\r\n    kcapi-rng -b 9000000 > OUTFILE\r\n\r\nThe generated OUTFILE will have three huge sections that contain all\nzeros, and this is caused by the code where the test\n'val & PRNG_STATUS_DATA_AVAIL' fails.\r\n\r\nLet's fix this issue by ensuring that qcom_rng_read() always returns\nwith a full buffer if the function returns success. Let's also have\nqcom_rng_generate() return the correct value.\r\n\r\nHere's some statistics from the ent project\n(https://www.fourmilab.ch/random/) that shows information about the\nquality of the generated numbers:\r\n\r\n    $ ent -c qcom-random-before\n    Value Char Occurrences Fraction\n      0           606748   0.067416\n      1            33104   0.003678\n      2            33001   0.003667\n    ...\n    253   �        32883   0.003654\n    254   �        33035   0.003671\n    255   �        33239   0.003693\r\n\r\n    Total:       9000000   1.000000\r\n\r\n    Entropy = 7.811590 bits per byte.\r\n\r\n    Optimum compression would reduce the size\n    of this 9000000 byte file by 2 percent.\r\n\r\n    Chi square distribution for 9000000 samples is 9329962.81, and\n    randomly would exceed this value less than 0.01 percent of the\n    times.\r\n\r\n    Arithmetic mean value of data bytes is 119.3731 (127.5 = random).\n    Monte Carlo value for Pi is 3.197293333 (error 1.77 percent).\n    Serial correlation coefficient is 0.159130 (totally uncorrelated =\n    0.0).\r\n\r\nWithout this patch, the results of the chi-square test is 0.01%, and\nthe numbers are certainly not random according to ent's project page.\nThe results improve with this patch:\r\n\r\n    $ ent -c qcom-random-after\n    Value Char Occurrences Fraction\n      0            35432   0.003937\n      1            35127   0.003903\n      2            35424   0.003936\n    ...\n    253   �        35201   0.003911\n    254   �        34835   0.003871\n    255   �        35368   0.003930\r\n\r\n    Total:       9000000   1.000000\r\n\r\n    Entropy = 7.999979 bits per byte.\r\n\r\n    Optimum compression would reduce the size\n    of this 9000000 byte file by 0 percent.\r\n\r\n    Chi square distribution for 9000000 samples is 258.77, and randomly\n    would exceed this value 42.24 percent of the times.\r\n\r\n    Arithmetic mean value of data bytes is 127.5006 (127.5 = random).\n    Monte Carlo value for Pi is 3.141277333 (error 0.01 percent).\n    Serial correlation coefficient is 0.000468 (totally uncorrelated =\n    0.0).\r\n\r\nThis change was tested on a Nexus 5 phone (msm8974 SoC).(CVE-2022-48629)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: fix out of bounds in init_smb2_rsp_hdr()\r\n\r\nIf client send smb2 negotiate request and then send smb1 negotiate\nrequest, init_smb2_rsp_hdr is called for smb1 negotiate request since\nneed_neg is set to false. This patch ignore smb1 packets after ->need_neg\nis set to false.(CVE-2023-52441)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm: Don't unref the same fb many times by mistake due to deadlock handling\r\n\r\nIf we get a deadlock after the fb lookup in drm_mode_page_flip_ioctl()\nwe proceed to unref the fb and then retry the whole thing from the top.\nBut we forget to reset the fb pointer back to NULL, and so if we then\nget another error during the retry, before the fb lookup, we proceed\nthe unref the same fb again without having gotten another reference.\nThe end result is that the fb will (eventually) end up being freed\nwhile it's still in use.\r\n\r\nReset fb to NULL once we've unreffed it to avoid doing it again\nuntil we've done another fb lookup.\r\n\r\nThis turned out to be pretty easy to hit on a DG2 when doing async\nflips (and CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y). The first symptom I\nsaw that drm_closefb() simply got stuck in a busy loop while walking\nthe framebuffer list. Fortunately I was able to convince it to oops\ninstead, and from there it was easier to track down the culprit.(CVE-2023-52486)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run\r\n\r\nIn mtk_jpeg_probe, &jpeg->job_timeout_work is bound with\nmtk_jpeg_job_timeout_work.\r\n\r\nIn mtk_jpeg_dec_device_run, if error happens in\nmtk_jpeg_set_dec_dst, it will finally start the worker while\nmark the job as finished by invoking v4l2_m2m_job_finish.\r\n\r\nThere are two methods to trigger the bug. If we remove the\nmodule, it which will call mtk_jpeg_remove to make cleanup.\nThe possible sequence is as follows, which will cause a\nuse-after-free bug.\r\n\r\nCPU0                  CPU1\nmtk_jpeg_dec_...    |\n  start worker\t    |\n                    |mtk_jpeg_job_timeout_work\nmtk_jpeg_remove     |\n  v4l2_m2m_release  |\n    kfree(m2m_dev); |\n                    |\n                    | v4l2_m2m_get_curr_priv\n                    |   m2m_dev->curr_ctx //use\r\n\r\nIf we close the file descriptor, which will call mtk_jpeg_release,\nit will have a similar sequence.\r\n\r\nFix this bug by starting timeout worker only if started jpegdec worker\nsuccessfully. Then v4l2_m2m_job_finish will only be called in\neither mtk_jpeg_job_timeout_work or mtk_jpeg_dec_device_run.(CVE-2023-52491)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: fix NULL pointer in channel unregistration function\r\n\r\n__dma_async_device_channel_register() can fail. In case of failure,\nchan->local is freed (with free_percpu()), and chan->local is nullified.\nWhen dma_async_device_unregister() is called (because of managed API or\nintentionally by DMA controller driver), channels are unconditionally\nunregistered, leading to this NULL pointer:\n[    1.318693] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0\n[...]\n[    1.484499] Call trace:\n[    1.486930]  device_del+0x40/0x394\n[    1.490314]  device_unregister+0x20/0x7c\n[    1.494220]  __dma_async_device_channel_unregister+0x68/0xc0\r\n\r\nLook at dma_async_device_register() function error path, channel device\nunregistration is done only if chan->local is not NULL.\r\n\r\nThen add the same condition at the beginning of\n__dma_async_device_channel_unregister() function, to avoid NULL pointer\nissue whatever the API used to reach this function.(CVE-2023-52492)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbus: mhi: host: Drop chan lock before queuing buffers\r\n\r\nEnsure read and write locks for the channel are not taken in succession by\ndropping the read lock from parse_xfer_event() such that a callback given\nto client can potentially queue buffers and acquire the write lock in that\nprocess. Any queueing of buffers should be done without channel read lock\nacquired as it can result in multiple locks and a soft lockup.\r\n\r\n[mani: added fixes tag and cc'ed stable](CVE-2023-52493)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbus: mhi: host: Add alignment check for event ring read pointer\r\n\r\nThough we do check the event ring read pointer by \"is_valid_ring_ptr\"\nto make sure it is in the buffer range, but there is another risk the\npointer may be not aligned.  Since we are expecting event ring elements\nare 128 bits(struct mhi_ring_element) aligned, an unaligned read pointer\ncould lead to multiple issues like DoS or ring buffer memory corruption.\r\n\r\nSo add a alignment check for event ring read pointer.(CVE-2023-52494)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nPM: sleep: Fix possible deadlocks in core system-wide PM code\r\n\r\nIt is reported that in low-memory situations the system-wide resume core\ncode deadlocks, because async_schedule_dev() executes its argument\nfunction synchronously if it cannot allocate memory (and not only in\nthat case) and that function attempts to acquire a mutex that is already\nheld.  Executing the argument function synchronously from within\ndpm_async_fn() may also be problematic for ordering reasons (it may\ncause a consumer device's resume callback to be invoked before a\nrequisite supplier device's one, for example).\r\n\r\nAddress this by changing the code in question to use\nasync_schedule_dev_nocall() for scheduling the asynchronous\nexecution of device suspend and resume functions and to directly\nrun them synchronously if async_schedule_dev_nocall() returns false.(CVE-2023-52498)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntee: amdtee: fix use-after-free vulnerability in amdtee_close_session\r\n\r\nThere is a potential race condition in amdtee_close_session that may\ncause use-after-free in amdtee_open_session. For instance, if a session\nhas refcount == 1, and one thread tries to free this session via:\r\n\r\n    kref_put(&sess->refcount, destroy_session);\r\n\r\nthe reference count will get decremented, and the next step would be to\ncall destroy_session(). However, if in another thread,\namdtee_open_session() is called before destroy_session() has completed\nexecution, alloc_session() may return 'sess' that will be freed up\nlater in destroy_session() leading to use-after-free in\namdtee_open_session.\r\n\r\nTo fix this issue, treat decrement of sess->refcount and removal of\n'sess' from session list in destroy_session() as a critical section, so\nthat it is executed atomically.(CVE-2023-52503)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nx86/alternatives: Disable KASAN in apply_alternatives()\r\n\r\nFei has reported that KASAN triggers during apply_alternatives() on\na 5-level paging machine:\r\n\r\n\tBUG: KASAN: out-of-bounds in rcu_is_watching()\n\tRead of size 4 at addr ff110003ee6419a0 by task swapper/0/0\n\t...\n\t__asan_load4()\n\trcu_is_watching()\n\ttrace_hardirqs_on()\n\ttext_poke_early()\n\tapply_alternatives()\n\t...\r\n\r\nOn machines with 5-level paging, cpu_feature_enabled(X86_FEATURE_LA57)\ngets patched. It includes KASAN code, where KASAN_SHADOW_START depends on\n__VIRTUAL_MASK_SHIFT, which is defined with cpu_feature_enabled().\r\n\r\nKASAN gets confused when apply_alternatives() patches the\nKASAN_SHADOW_START users. A test patch that makes KASAN_SHADOW_START\nstatic, by replacing __VIRTUAL_MASK_SHIFT with 56, works around the issue.\r\n\r\nFix it for real by disabling KASAN while the kernel is patching alternatives.\r\n\r\n[ mingo: updated the changelog ](CVE-2023-52504)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: nfc: llcp: Add lock when modifying device list\r\n\r\nThe device list needs its associated lock held when modifying it, or the\nlist could become corrupted, as syzbot discovered.(CVE-2023-52524)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nteam: fix null-ptr-deref when team device type is changed\r\n\r\nGet a null-ptr-deref bug as follows with reproducer [1].\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000228\n...\nRIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q]\n...\nCall Trace:\n <TASK>\n ? __die+0x24/0x70\n ? page_fault_oops+0x82/0x150\n ? exc_page_fault+0x69/0x150\n ? asm_exc_page_fault+0x26/0x30\n ? vlan_dev_hard_header+0x35/0x140 [8021q]\n ? vlan_dev_hard_header+0x8e/0x140 [8021q]\n neigh_connected_output+0xb2/0x100\n ip6_finish_output2+0x1cb/0x520\n ? nf_hook_slow+0x43/0xc0\n ? ip6_mtu+0x46/0x80\n ip6_finish_output+0x2a/0xb0\n mld_sendpack+0x18f/0x250\n mld_ifc_work+0x39/0x160\n process_one_work+0x1e6/0x3f0\n worker_thread+0x4d/0x2f0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe5/0x120\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\r\n\r\n[1]\n$ teamd -t team0 -d -c '{\"runner\": {\"name\": \"loadbalance\"}}'\n$ ip link add name t-dummy type dummy\n$ ip link add link t-dummy name t-dummy.100 type vlan id 100\n$ ip link add name t-nlmon type nlmon\n$ ip link set t-nlmon master team0\n$ ip link set t-nlmon nomaster\n$ ip link set t-dummy up\n$ ip link set team0 up\n$ ip link set t-dummy.100 down\n$ ip link set t-dummy.100 master team0\r\n\r\nWhen enslave a vlan device to team device and team device type is changed\nfrom non-ether to ether, header_ops of team device is changed to\nvlan_header_ops. That is incorrect and will trigger null-ptr-deref\nfor vlan->real_dev in vlan_dev_hard_header() because team device is not\na vlan device.\r\n\r\nCache eth_header_ops in team_setup(), then assign cached header_ops to\nheader_ops of team net device when its type is changed from non-ether\nto ether to fix the bug.(CVE-2023-52574)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/mm: Fix null-pointer dereference in pgtable_cache_add\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.(CVE-2023-52607)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfirmware: arm_scmi: Check mailbox/SMT channel for consistency\r\n\r\nOn reception of a completion interrupt the shared memory area is accessed\nto retrieve the message header at first and then, if the message sequence\nnumber identifies a transaction which is still pending, the related\npayload is fetched too.\r\n\r\nWhen an SCMI command times out the channel ownership remains with the\nplatform until eventually a late reply is received and, as a consequence,\nany further transmission attempt remains pending, waiting for the channel\nto be relinquished by the platform.\r\n\r\nOnce that late reply is received the channel ownership is given back\nto the agent and any pending request is then allowed to proceed and\noverwrite the SMT area of the just delivered late reply; then the wait\nfor the reply to the new request starts.\r\n\r\nIt has been observed that the spurious IRQ related to the late reply can\nbe wrongly associated with the freshly enqueued request: when that happens\nthe SCMI stack in-flight lookup procedure is fooled by the fact that the\nmessage header now present in the SMT area is related to the new pending\ntransaction, even though the real reply has still to arrive.\r\n\r\nThis race-condition on the A2P channel can be detected by looking at the\nchannel status bits: a genuine reply from the platform will have set the\nchannel free bit before triggering the completion IRQ.\r\n\r\nAdd a consistency check to validate such condition in the A2P ISR.(CVE-2023-52608)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nPCI: switchtec: Fix stdev_release() crash after surprise hot remove\r\n\r\nA PCI device hot removal may occur while stdev->cdev is held open. The call\nto stdev_release() then happens during close or exit, at a point way past\nswitchtec_pci_remove(). Otherwise the last ref would vanish with the\ntrailing put_device(), just before return.\r\n\r\nAt that later point in time, the devm cleanup has already removed the\nstdev->mmio_mrpc mapping. Also, the stdev->pdev reference was not a counted\none. Therefore, in DMA mode, the iowrite32() in stdev_release() will cause\na fatal page fault, and the subsequent dma_free_coherent(), if reached,\nwould pass a stale &stdev->pdev->dev pointer.\r\n\r\nFix by moving MRPC DMA shutdown into switchtec_pci_remove(), after\nstdev_kill(). Counting the stdev->pdev ref is now optional, but may prevent\nfuture accidents.\r\n\r\nReproducible via the script at\nhttps://lore.kernel.org/r/20231113212150.96410-1-dns@arista.com(CVE-2023-52617)\r\n\r\nA null pointer dereference vulnerability was found in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() in drivers/net/wireless/ath/ath10k/wmi-tlv.c in the Linux kernel. This issue could be exploited to trigger a denial of service.(CVE-2023-7042)\r\n\r\nA race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.\r\n\r\n\r\n\r\n\n(CVE-2024-24861)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: fix global oob in ksmbd_nl_policy\r\n\r\nSimilar to a reported issue (check the commit b33fb5b801c6 (\"net:\nqualcomm: rmnet: fix global oob in rmnet_policy\"), my local fuzzer finds\nanother global out-of-bounds read for policy ksmbd_nl_policy. See bug\ntrace below:\r\n\r\n==================================================================\nBUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline]\nBUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\nRead of size 1 at addr ffffffff8f24b100 by task syz-executor.1/62810\r\n\r\nCPU: 0 PID: 62810 Comm: syz-executor.1 Tainted: G                 N 6.1.0 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x172/0x475 mm/kasan/report.c:395\n kasan_report+0xbb/0x1c0 mm/kasan/report.c:495\n validate_nla lib/nlattr.c:386 [inline]\n __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\n __nla_parse+0x3e/0x50 lib/nlattr.c:697\n __nlmsg_parse include/net/netlink.h:748 [inline]\n genl_family_rcv_msg_attrs_parse.constprop.0+0x1b0/0x290 net/netlink/genetlink.c:565\n genl_family_rcv_msg_doit+0xda/0x330 net/netlink/genetlink.c:734\n genl_family_rcv_msg net/netlink/genetlink.c:833 [inline]\n genl_rcv_msg+0x441/0x780 net/netlink/genetlink.c:850\n netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540\n genl_rcv+0x24/0x40 net/netlink/genetlink.c:861\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg+0x154/0x190 net/socket.c:734\n ____sys_sendmsg+0x6df/0x840 net/socket.c:2482\n ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536\n __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fdd66a8f359\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fdd65e00168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007fdd66bbcf80 RCX: 00007fdd66a8f359\nRDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000003\nRBP: 00007fdd66ada493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007ffc84b81aff R14: 00007fdd65e00300 R15: 0000000000022000\n </TASK>\r\n\r\nThe buggy address belongs to the variable:\n ksmbd_nl_policy+0x100/0xa80\r\n\r\nThe buggy address belongs to the physical page:\npage:0000000034f47940 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ccc4b\nflags: 0x200000000001000(reserved|node=0|zone=2)\nraw: 0200000000001000 ffffea00073312c8 ffffea00073312c8 0000000000000000\nraw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\r\n\r\nMemory state around the buggy address:\n ffffffff8f24b000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffffffff8f24b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n>ffffffff8f24b100: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 07 f9\n                   ^\n ffffffff8f24b180: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 00 00 00 05\n ffffffff8f24b200: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 00 04 f9\n==================================================================\r\n\r\nTo fix it, add a placeholder named __KSMBD_EVENT_MAX and let\nKSMBD_EVENT_MAX to be its original value - 1 according to what other\nnetlink families do. Also change two sites that refer the\nKSMBD_EVENT_MAX to correct value.(CVE-2024-26608)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/smc: fix illegal rmb_desc access in SMC-D connection dump\r\n\r\nA crash was found when dumping SMC-D connections. It can be reproduced\nby following steps:\r\n\r\n- run nginx/wrk test:\n  smc_run nginx\n  smc_run wrk -t 16 -c 1000 -d <duration> -H 'Connection: Close' <URL>\r\n\r\n- continuously dump SMC-D connections in parallel:\n  watch -n 1 'smcss -D'\r\n\r\n BUG: kernel NULL pointer dereference, address: 0000000000000030\n CPU: 2 PID: 7204 Comm: smcss Kdump: loaded Tainted: G\tE      6.7.0+ #55\n RIP: 0010:__smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]\n Call Trace:\n  <TASK>\n  ? __die+0x24/0x70\n  ? page_fault_oops+0x66/0x150\n  ? exc_page_fault+0x69/0x140\n  ? asm_exc_page_fault+0x26/0x30\n  ? __smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]\n  ? __kmalloc_node_track_caller+0x35d/0x430\n  ? __alloc_skb+0x77/0x170\n  smc_diag_dump_proto+0xd0/0xf0 [smc_diag]\n  smc_diag_dump+0x26/0x60 [smc_diag]\n  netlink_dump+0x19f/0x320\n  __netlink_dump_start+0x1dc/0x300\n  smc_diag_handler_dump+0x6a/0x80 [smc_diag]\n  ? __pfx_smc_diag_dump+0x10/0x10 [smc_diag]\n  sock_diag_rcv_msg+0x121/0x140\n  ? __pfx_sock_diag_rcv_msg+0x10/0x10\n  netlink_rcv_skb+0x5a/0x110\n  sock_diag_rcv+0x28/0x40\n  netlink_unicast+0x22a/0x330\n  netlink_sendmsg+0x1f8/0x420\n  __sock_sendmsg+0xb0/0xc0\n  ____sys_sendmsg+0x24e/0x300\n  ? copy_msghdr_from_user+0x62/0x80\n  ___sys_sendmsg+0x7c/0xd0\n  ? __do_fault+0x34/0x160\n  ? do_read_fault+0x5f/0x100\n  ? do_fault+0xb0/0x110\n  ? __handle_mm_fault+0x2b0/0x6c0\n  __sys_sendmsg+0x4d/0x80\n  do_syscall_64+0x69/0x180\n  entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\nIt is possible that the connection is in process of being established\nwhen we dump it. Assumed that the connection has been registered in a\nlink group by smc_conn_create() but the rmb_desc has not yet been\ninitialized by smc_buf_create(), thus causing the illegal access to\nconn->rmb_desc. So fix it by checking before dump.(CVE-2024-26615)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: sh: aica: reorder cleanup operations to avoid UAF bugs\r\n\r\nThe dreamcastcard->timer could schedule the spu_dma_work and the\nspu_dma_work could also arm the dreamcastcard->timer.\r\n\r\nWhen the snd_pcm_substream is closing, the aica_channel will be\ndeallocated. But it could still be dereferenced in the worker\nthread. The reason is that del_timer() will return directly\nregardless of whether the timer handler is running or not and\nthe worker could be rescheduled in the timer handler. As a result,\nthe UAF bug will happen. The racy situation is shown below:\r\n\r\n      (Thread 1)                 |      (Thread 2)\nsnd_aicapcm_pcm_close()          |\n ...                             |  run_spu_dma() //worker\n                                 |    mod_timer()\n  flush_work()                   |\n  del_timer()                    |  aica_period_elapsed() //timer\n  kfree(dreamcastcard->channel)  |    schedule_work()\n                                 |  run_spu_dma() //worker\n  ...                            |    dreamcastcard->channel-> //USE\r\n\r\nIn order to mitigate this bug and other possible corner cases,\ncall mod_timer() conditionally in run_spu_dma(), then implement\nPCM sync_stop op to cancel both the timer and worker. The sync_stop\nop will be called from PCM core appropriately when needed.(CVE-2024-26654)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: fix use-after-free bug\r\n\r\nThe bug can be triggered by sending a single amdgpu_gem_userptr_ioctl\nto the AMDGPU DRM driver on any ASICs with an invalid address and size.\nThe bug was reported by Joonkyo Jung <joonkyoj@yonsei.ac.kr>.\nFor example the following code:\r\n\r\nstatic void Syzkaller1(int fd)\n{\n\tstruct drm_amdgpu_gem_userptr arg;\n\tint ret;\r\n\r\n\targ.addr = 0xffffffffffff0000;\n\targ.size = 0x80000000; /*2 Gb*/\n\targ.flags = 0x7;\n\tret = drmIoctl(fd, 0xc1186451/*amdgpu_gem_userptr_ioctl*/, &arg);\n}\r\n\r\nDue to the address and size are not valid there is a failure in\namdgpu_hmm_register->mmu_interval_notifier_insert->__mmu_interval_notifier_insert->\ncheck_shl_overflow, but we even the amdgpu_hmm_register failure we still call\namdgpu_hmm_unregister into  amdgpu_gem_object_free which causes access to a bad address.\nThe following stack is below when the issue is reproduced when Kazan is enabled:\r\n\r\n[  +0.000014] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020\n[  +0.000009] RIP: 0010:mmu_interval_notifier_remove+0x327/0x340\n[  +0.000017] Code: ff ff 49 89 44 24 08 48 b8 00 01 00 00 00 00 ad de 4c 89 f7 49 89 47 40 48 83 c0 22 49 89 47 48 e8 ce d1 2d 01 e9 32 ff ff ff <0f> 0b e9 16 ff ff ff 4c 89 ef e8 fa 14 b3 ff e9 36 ff ff ff e8 80\n[  +0.000014] RSP: 0018:ffffc90002657988 EFLAGS: 00010246\n[  +0.000013] RAX: 0000000000000000 RBX: 1ffff920004caf35 RCX: ffffffff8160565b\n[  +0.000011] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8881a9f78260\n[  +0.000010] RBP: ffffc90002657a70 R08: 0000000000000001 R09: fffff520004caf25\n[  +0.000010] R10: 0000000000000003 R11: ffffffff8161d1d6 R12: ffff88810e988c00\n[  +0.000010] R13: ffff888126fb5a00 R14: ffff88810e988c0c R15: ffff8881a9f78260\n[  +0.000011] FS:  00007ff9ec848540(0000) GS:ffff8883cc880000(0000) knlGS:0000000000000000\n[  +0.000012] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  +0.000010] CR2: 000055b3f7e14328 CR3: 00000001b5770000 CR4: 0000000000350ef0\n[  +0.000010] Call Trace:\n[  +0.000006]  <TASK>\n[  +0.000007]  ? show_regs+0x6a/0x80\n[  +0.000018]  ? __warn+0xa5/0x1b0\n[  +0.000019]  ? mmu_interval_notifier_remove+0x327/0x340\n[  +0.000018]  ? report_bug+0x24a/0x290\n[  +0.000022]  ? handle_bug+0x46/0x90\n[  +0.000015]  ? exc_invalid_op+0x19/0x50\n[  +0.000016]  ? asm_exc_invalid_op+0x1b/0x20\n[  +0.000017]  ? kasan_save_stack+0x26/0x50\n[  +0.000017]  ? mmu_interval_notifier_remove+0x23b/0x340\n[  +0.000019]  ? mmu_interval_notifier_remove+0x327/0x340\n[  +0.000019]  ? mmu_interval_notifier_remove+0x23b/0x340\n[  +0.000020]  ? __pfx_mmu_interval_notifier_remove+0x10/0x10\n[  +0.000017]  ? kasan_save_alloc_info+0x1e/0x30\n[  +0.000018]  ? srso_return_thunk+0x5/0x5f\n[  +0.000014]  ? __kasan_kmalloc+0xb1/0xc0\n[  +0.000018]  ? srso_return_thunk+0x5/0x5f\n[  +0.000013]  ? __kasan_check_read+0x11/0x20\n[  +0.000020]  amdgpu_hmm_unregister+0x34/0x50 [amdgpu]\n[  +0.004695]  amdgpu_gem_object_free+0x66/0xa0 [amdgpu]\n[  +0.004534]  ? __pfx_amdgpu_gem_object_free+0x10/0x10 [amdgpu]\n[  +0.004291]  ? do_syscall_64+0x5f/0xe0\n[  +0.000023]  ? srso_return_thunk+0x5/0x5f\n[  +0.000017]  drm_gem_object_free+0x3b/0x50 [drm]\n[  +0.000489]  amdgpu_gem_userptr_ioctl+0x306/0x500 [amdgpu]\n[  +0.004295]  ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[  +0.004270]  ? srso_return_thunk+0x5/0x5f\n[  +0.000014]  ? __this_cpu_preempt_check+0x13/0x20\n[  +0.000015]  ? srso_return_thunk+0x5/0x5f\n[  +0.000013]  ? sysvec_apic_timer_interrupt+0x57/0xc0\n[  +0.000020]  ? srso_return_thunk+0x5/0x5f\n[  +0.000014]  ? asm_sysvec_apic_timer_interrupt+0x1b/0x20\n[  +0.000022]  ? drm_ioctl_kernel+0x17b/0x1f0 [drm]\n[  +0.000496]  ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[  +0.004272]  ? drm_ioctl_kernel+0x190/0x1f0 [drm]\n[  +0.000492]  drm_ioctl_kernel+0x140/0x1f0 [drm]\n[  +0.000497]  ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[  +0.004297]  ? __pfx_drm_ioctl_kernel+0x10/0x10 [d\n---truncated---(CVE-2024-26656)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix hang in nilfs_lookup_dirty_data_buffers()\r\n\r\nSyzbot reported a hang issue in migrate_pages_batch() called by mbind()\nand nilfs_lookup_dirty_data_buffers() called in the log writer of nilfs2.\r\n\r\nWhile migrate_pages_batch() locks a folio and waits for the writeback to\ncomplete, the log writer thread that should bring the writeback to\ncompletion picks up the folio being written back in\nnilfs_lookup_dirty_data_buffers() that it calls for subsequent log\ncreation and was trying to lock the folio.  Thus causing a deadlock.\r\n\r\nIn the first place, it is unexpected that folios/pages in the middle of\nwriteback will be updated and become dirty.  Nilfs2 adds a checksum to\nverify the validity of the log being written and uses it for recovery at\nmount, so data changes during writeback are suppressed.  Since this is\nbroken, an unclean shutdown could potentially cause recovery to fail.\r\n\r\nInvestigation revealed that the root cause is that the wait for writeback\ncompletion in nilfs_page_mkwrite() is conditional, and if the backing\ndevice does not require stable writes, data may be modified without\nwaiting.\r\n\r\nFix these issues by making nilfs_page_mkwrite() wait for writeback to\nfinish regardless of the stable write requirement of the backing device.(CVE-2024-26696)",
+    "cves": [
+      {
+        "id": "CVE-2024-26696",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26696",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1023": {
+    "id": "openEuler-SA-2021-1023",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1023",
+    "title": "An update for hunspell is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Hunspell is a free spell checker and morphological analyzer library and command-line tool, licensed under LGPL/GPL/MPL tri-license.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nHunspell 1.7.0 has an invalid read operation in SuggestMgr::leftcommonsubstring in suggestmgr.cxx.(CVE-2019-16707)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2019-16707",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16707",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1361": {
+    "id": "openEuler-SA-2024-1361",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1361",
+    "title": "An update for telnet is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Telnet is an application protocol used on the Internet or local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. The package includes a remote login client program for telnet and a server daemon.\r\n\r\nSecurity Fix(es):\r\n\r\ntelnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL pointer dereference via 0xff 0xf7 or 0xff 0xf8. In a typical installation, the telnetd application would crash but the telnet service would remain available through inetd. However, if the telnetd application has many crashes within a short time interval, the telnet service would become unavailable after inetd logs a \"telnet/tcp server failing (looping), service terminated\" error. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.(CVE-2022-39028)",
+    "cves": [
+      {
+        "id": "CVE-2022-39028",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39028",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1343": {
+    "id": "openEuler-SA-2023-1343",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1343",
+    "title": "An update for libcap is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "This is a library for getting and setting POSIX.1e (formerly POSIX 6) draft 15 capabilities.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB.(CVE-2023-2603)",
+    "cves": [
+      {
+        "id": "CVE-2023-2603",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2603",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1143": {
+    "id": "openEuler-SA-2023-1143",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1143",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nThe Linux kernel does not correctly mitigate SMT attacks, as discovered\nthrough a strange pattern in the kernel API using STIBP as a mitigation[1\n<https://docs.kernel.org/userspace-api/spec_ctrl.html>], leaving the\nprocess exposed for a short period of time after a syscall. The kernel also\ndoes not issue an IBPB immediately during the syscall.\nThe ib_prctl_set [2\n<https://elixir.bootlin.com/linux/v5.15.56/source/arch/x86/kernel/cpu/bugs.c#L1467>]function\nupdates the Thread Information Flags (TIFs) for the task and updates the\nSPEC_CTRL MSR on the function __speculation_ctrl_update [3\n<https://elixir.bootlin.com/linux/v5.15.56/source/arch/x86/kernel/process.c#L557>],\nbut the IBPB is only issued on the next schedule, when the TIF bits are\nchecked. This leaves the victim vulnerable to values already injected on\nthe BTB, prior to the prctl syscall.\nThe behavior is only corrected after a reschedule of the task happens.\nFurthermore, the kernel entrance (due to the syscall itself), does not\nissue an IBPB in the default scenarios (i.e., when the kernel protects\nitself via retpoline or eIBRS).(CVE-2023-0045)\r\n\r\nREMAP cmd of SVM driver can be used to remap read only memory as read-write, then cause read only memory/file modified..(CVE-2021-33639)",
+    "cves": [
+      {
+        "id": "CVE-2021-33639",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33639",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1276": {
+    "id": "openEuler-SA-2024-1276",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1276",
+    "title": "An update for python-aiosmtpd is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "This is a server for SMTP and related protocols, similar in utility to the standard library's smtpd.py module, but rewritten to be based on asyncio for Python 3.\r\n\r\nSecurity Fix(es):\r\n\r\naiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. aiosmtpd is vulnerable to inbound SMTP smuggling. SMTP smuggling is a novel vulnerability based on not so novel interpretation differences of the SMTP protocol. By exploiting SMTP smuggling, an attacker may send smuggle/spoof e-mails with fake sender addresses, allowing advanced phishing attacks. This issue is also existed in other SMTP software like Postfix. With the right SMTP server constellation, an attacker can send spoofed e-mails to inbound/receiving aiosmtpd instances. This issue has been addressed in version 1.4.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2024-27305)",
+    "cves": [
+      {
+        "id": "CVE-2024-27305",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27305",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1124": {
+    "id": "openEuler-SA-2023-1124",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1124",
+    "title": "An update for curl is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Curl package, where the HSTS mechanism could fail when multiple transfers are done in parallel, as the HSTS cache file gets overwritten by the most recently completed transfer. This issue may result in limited confidentiality and integrity.(CVE-2023-23915)\r\n\r\nA flaw was found in the Curl package, where the HSTS mechanism would be ignored by subsequent transfers when done on the same command line because the state would not be properly carried. This issue may result in limited confidentiality and integrity.(CVE-2023-23914)\r\n\r\ncurl supports \"chained\" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable \"links\" in this \"decompression chain\" was capped, but the cap was implemented on a per-header basis allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a \"malloc bomb\", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.(CVE-2023-23916)",
+    "cves": [
+      {
+        "id": "CVE-2023-23916",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23916",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1513": {
+    "id": "openEuler-SA-2023-1513",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1513",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nA flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service.(CVE-2023-3772)\n\nA use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel. This flaw allows a local user with special privileges to impact a kernel information leak issue.(CVE-2023-3863)\n\nA use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This flaw allows a local user to crash the system, causing a denial of service condition.(CVE-2023-4133)\n\nA use-after-free flaw was found in the Linux kernel’s Netfilter functionality when adding a rule with NFTA_RULE_CHAIN_ID. This flaw allows a local user to crash or escalate their privileges on the system.(CVE-2023-4147)",
+    "cves": [
+      {
+        "id": "CVE-2023-4147",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4147",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1852": {
+    "id": "openEuler-SA-2024-1852",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1852",
+    "title": "An update for httpd is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\r\n\r\nSecurity Fix(es):\r\n\r\nSubstitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in\ndirectories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI.\r\n\r\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue.\r\n\r\nSome RewriteRules that capture and substitute unsafely will now fail unless rewrite flag \"UnsafeAllow3F\" is specified.(CVE-2024-38474)\r\n\r\nnull pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request.\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue.(CVE-2024-38477)",
+    "cves": [
+      {
+        "id": "CVE-2024-38477",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38477",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1030": {
+    "id": "openEuler-SA-2021-1030",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1030",
+    "title": "An update for wireshark is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Wireshark is an open source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nIn Wireshark 3.0.0 to 3.0.3 and 2.6.0 to 2.6.10, the Gryphon dissector could go into an infinite loop. This was addressed in plugins/epan/gryphon/packet-gryphon.c by checking for a message length of zero.(CVE-2019-16319)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2019-16319",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16319",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1479": {
+    "id": "openEuler-SA-2021-1479",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1479",
+    "title": "An update for binutils is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Binary utilities.\r\n\r\nSecurity Fix(es):\r\n\r\nstab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write. NOTE: this issue exists because of an incorrect fix for CVE-2018-12699.(CVE-2021-45078)",
+    "cves": [
+      {
+        "id": "CVE-2021-45078",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45078",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1295": {
+    "id": "openEuler-SA-2021-1295",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1295",
+    "title": "An update for kf5-kconfig is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "KDE Frameworks 5 Tier 1 addon with advanced configuration system made of two parts: KConfigCore and KConfigGui.\r\n\r\nSecurity Fix(es):\r\n\r\nIn KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file.(CVE-2019-14744)",
+    "cves": [
+      {
+        "id": "CVE-2019-14744",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14744",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1710": {
+    "id": "openEuler-SA-2022-1710",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1710",
+    "title": "An update for python-jwt is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "PyJWT is a Python library which allows you to encode and decode JSON Web Tokens (JWT). \\ JWT is an open, industry-standard (RFC 7519) for representing claims securely between two parties.\r\n\r\nSecurity Fix(es):\r\n\r\nPyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify `jwt.algorithms.get_default_algorithms()` to get support for all algorithms, or specify a single algorithm. The issue is not that big as `algorithms=jwt.algorithms.get_default_algorithms()` has to be used. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.(CVE-2022-29217)",
+    "cves": [
+      {
+        "id": "CVE-2022-29217",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29217",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1144": {
+    "id": "openEuler-SA-2023-1144",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1144",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nThere is a logic error in io_uring's implementation which can be used to trigger a use-after-free vulnerability leading to privilege escalation. In the io_prep_async_work function the assumption that the last io_grab_identity call cannot return false is not true, and in this case the function will use the init_cred or the previous linked requests identity to do operations instead of using the current identity. This can lead to reference counting issues causing use-after-free. We recommend upgrading past version 5.10.161.(CVE-2023-0240)\r\n\r\nA memory leak flaw and potential divide by zero and Integer overflow was found in the Linux kernel V4L2 and vivid test code functionality. This issue occurs when a user triggers ioctls, such as VIDIOC_S_DV_TIMINGS ioctl. This could allow a local user to crash the system if vivid test code enabled.(CVE-2023-0615)\r\n\r\nThe Linux kernel does not correctly mitigate SMT attacks, as discovered\nthrough a strange pattern in the kernel API using STIBP as a mitigation[1\n<https://docs.kernel.org/userspace-api/spec_ctrl.html>], leaving the\nprocess exposed for a short period of time after a syscall. The kernel also\ndoes not issue an IBPB immediately during the syscall.\nThe ib_prctl_set [2\n<https://elixir.bootlin.com/linux/v5.15.56/source/arch/x86/kernel/cpu/bugs.c#L1467>]function\nupdates the Thread Information Flags (TIFs) for the task and updates the\nSPEC_CTRL MSR on the function __speculation_ctrl_update [3\n<https://elixir.bootlin.com/linux/v5.15.56/source/arch/x86/kernel/process.c#L557>],\nbut the IBPB is only issued on the next schedule, when the TIF bits are\nchecked. This leaves the victim vulnerable to values already injected on\nthe BTB, prior to the prctl syscall.\nThe behavior is only corrected after a reschedule of the task happens.\nFurthermore, the kernel entrance (due to the syscall itself), does not\nissue an IBPB in the default scenarios (i.e., when the kernel protects\nitself via retpoline or eIBRS).(CVE-2023-0045)\r\n\r\nREMAP cmd of SVM driver can be used to remap read only memory as read-write, then cause read only memory/file modified..(CVE-2021-33639)",
+    "cves": [
+      {
+        "id": "CVE-2021-33639",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33639",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1649": {
+    "id": "openEuler-SA-2023-1649",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1649",
+    "title": "An update for mdadm is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "mdadm is a tool for managing Linux Software RAID arrays. It can create, assemble, report on, and monitor arrays. It can also move spares between raid arrays when needed.\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer overflow in some Intel(R) SSD Tools software before version mdadm-4.2-rc2 may allow a privileged user to potentially enable escalation of privilege via local access.(CVE-2023-28736)\r\n\r\nUncontrolled resource consumption in some Intel(R) SSD Tools software before version mdadm-4.2-rc2 may allow a priviledged user to potentially enable denial of service via local access.(CVE-2023-28938)",
+    "cves": [
+      {
+        "id": "CVE-2023-28938",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28938",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1277": {
+    "id": "openEuler-SA-2024-1277",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1277",
+    "title": "An update for gala-gopher is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "gala-gopher is a low-overhead eBPF-based probes framework\r\n\r\nSecurity Fix(es):\r\n\r\ngala-gopher 1.0.2组件中存在命令注入攻击漏洞(CVE-2024-24890)",
+    "cves": [
+      {
+        "id": "CVE-2024-24890",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24890",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1458": {
+    "id": "openEuler-SA-2021-1458",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1458",
+    "title": "An update for edk2 is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "EFI Development Kit II.\r\n\r\nSecurity Fix(es):\r\n\r\nBootPerformanceTable pointer is read from an NVRAM variable in PEI. Recommend setting PcdFirmwarePerformanceDataTableS3Support to FALSE.(CVE-2021-28216)",
+    "cves": [
+      {
+        "id": "CVE-2021-28216",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28216",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1969": {
+    "id": "openEuler-SA-2022-1969",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1969",
+    "title": "An update for microcode_ctl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "This is a tool to transform and deploy microcode update for x86 CPUs.\r\n\r\nSecurity Fix(es):\r\n\r\nImproper isolation of shared resources in some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access.(CVE-2022-21233)",
+    "cves": [
+      {
+        "id": "CVE-2022-21233",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21233",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1039": {
+    "id": "openEuler-SA-2024-1039",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1039",
+    "title": "An update for jersey is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Jersey is the open source JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services. %if\r\n\r\nSecurity Fix(es):\r\n\r\nEclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.(CVE-2021-28168)",
+    "cves": [
+      {
+        "id": "CVE-2021-28168",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28168",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1270": {
+    "id": "openEuler-SA-2023-1270",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1270",
+    "title": "An update for qt5-qtbase is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "This package provides base tools, such as string, xml, and network handling.\r\n\r\nSecurity Fix(es):\r\n\r\nQt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.(CVE-2023-24607)",
+    "cves": [
+      {
+        "id": "CVE-2023-24607",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1219": {
+    "id": "openEuler-SA-2024-1219",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1219",
+    "title": "An update for less is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Low",
+    "description": "Less is a pager. A pager is a program that displays text files. Other pagers commonly in use are more and pg. Pagers are often used in command-line environments like the Unix shell and the MS-DOS command prompt to display files.\r\n\r\nSecurity Fix(es):\r\n\r\nclose_altfile in filename.c in less before 606 omits shell_quote calls for LESSCLOSE.(CVE-2022-48624)",
+    "cves": [
+      {
+        "id": "CVE-2022-48624",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48624",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1182": {
+    "id": "openEuler-SA-2021-1182",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1182",
+    "title": "An update for apache-commons-io is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Apache commons IO library is used for developing IO functionality. It contains a collecton of utilities with utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like //../foo , or .. foo , the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus limited path traversal), if the calling code would use the result to construct a path value.(CVE-2021-29425)",
+    "cves": [
+      {
+        "id": "CVE-2021-29425",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29425",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1247": {
+    "id": "openEuler-SA-2021-1247",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1247",
+    "title": "An update for zziplib is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The zziplib is a lightweight library to easily extract data from zip files. Applications can bundle files into a single zip archive and access them. The implementation is based only on the (free) subset of compression with the zlib algorithm which is actually used by the zip/unzip tools.\r\n\r\nSecurity Fix(es):\r\n\r\nInfinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value \"zzip_file_read\" in the function \"unzzip_cat_file\".(CVE-2020-18442)",
+    "cves": [
+      {
+        "id": "CVE-2020-18442",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-18442",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1179": {
+    "id": "openEuler-SA-2024-1179",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1179",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nTransmit requests in Xen's virtual network protocol can consist of\nmultiple parts.  While not really useful, except for the initial part\nany of them may be of zero length, i.e. carry no data at all.  Besides a\ncertain initial portion of the to be transferred data, these parts are\ndirectly translated into what Linux calls SKB fragments.  Such converted\nrequest parts can, when for a particular SKB they are all of length\nzero, lead to a de-reference of NULL in core networking code.\n(CVE-2023-46838)\r\n\r\nA flaw in the routing table size was found in the ICMPv6 handling of \"Packet Too Big\". The size of the routing table is regulated by periodic garbage collection. However, with \"Packet Too Big Messages\" it is possible to exceed the routing table size and garbage collector threshold. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%.(CVE-2023-52340)\r\n\r\nA use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\r\n\r\nThe nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT.\r\n\r\nWe recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.\r\n\r\n(CVE-2024-1086)",
+    "cves": [
+      {
+        "id": "CVE-2024-1086",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1086",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1074": {
+    "id": "openEuler-SA-2021-1074",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1074",
+    "title": "An update for sane-backends is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "SANE (Scanner Access Now Easy) is a sane and simple interface to both local and networked scanners and other image acquisition devices like digital still and video cameras.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap buffer overflow in SANE Backends before 1.0.30 may allow a malicious device connected to the same local network as the victim to execute arbitrary code, aka GHSL-2020-084.(CVE-2020-12865)\r\n\r\nAn out-of-bounds read in SANE Backends before 1.0.30 may allow a malicious device connected to the same local network as the victim to read important information, such as the ASLR offsets of the program, aka GHSL-2020-082.(CVE-2020-12862)",
+    "cves": [
+      {
+        "id": "CVE-2020-12862",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12862",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1071": {
+    "id": "openEuler-SA-2023-1071",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1071",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nA buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. This issue could allow the leakage of both stack and heap addresses, and potentially allow Local Privilege Escalation to the root user via arbitrary code execution.(CVE-2023-0179)\r\n\r\natm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results).(CVE-2023-23455)\r\n\r\ncbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results).(CVE-2023-23454)",
+    "cves": [
+      {
+        "id": "CVE-2023-23454",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23454",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1186": {
+    "id": "openEuler-SA-2023-1186",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1186",
+    "title": "An update for libfastjson is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "libfastjson is a fork from json-c, and is currently under development. The aim of this is not to provide a slightly modified clone of json-c. It's aim is to provide: a small library with essential json handling functions, sufficiently good json support (not 100% standards compliant), be very fast in processing.\r\n\r\nSecurity Fix(es):\r\n\r\njson-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend.(CVE-2020-12762)",
+    "cves": [
+      {
+        "id": "CVE-2020-12762",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12762",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1155": {
+    "id": "openEuler-SA-2021-1155",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1155",
+    "title": "An update for cairo is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. This flaw allows an attacker who can provide a crafted input file to cairo's image-compositor (for example, by convincing a user to open a file in an application using cairo, or if an application uses cairo on untrusted input) to cause a stack buffer overflow -> out-of-bounds WRITE. The highest impact from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-35492)",
+    "cves": [
+      {
+        "id": "CVE-2020-35492",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35492",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2136": {
+    "id": "openEuler-SA-2022-2136",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2136",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\n\n\t\tQEMU has two operating modes:\n\n\t\tFull system emulation. In this mode, QEMU emulates a full system (for example a PC),\n\t\tincluding one or several processors and various peripherals. It can be used to launch\n\t\tdifferent Operating Systems without rebooting the PC or to debug system code.\n\n\t\tUser mode emulation. In this mode, QEMU can launch processes compiled for one CPU on another CPU.\n\t\tIt can be used to launch the Wine Windows API emulator (https://www.winehq.org) or to ease\n\t\tcross-compilation and cross-debugging.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt() function does not check the size of the structure pointed to by the guest physical address, potentially reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to crash the QEMU process on the host causing a denial of service condition.(CVE-2022-4144)",
+    "cves": [
+      {
+        "id": "CVE-2022-4144",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4144",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1576": {
+    "id": "openEuler-SA-2024-1576",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1576",
+    "title": "An update for kubernetes is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Low",
+    "description": "Container cluster management.\r\n\r\nSecurity Fix(es):\r\n\r\nA security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.\r\n\r\n(CVE-2024-3177)",
+    "cves": [
+      {
+        "id": "CVE-2024-3177",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3177",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1634": {
+    "id": "openEuler-SA-2023-1634",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1634",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_SESSION_SETUP commands. The issue results from the lack of control of resource consumption. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.(CVE-2023-32247)\r\n\r\nA use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\r\n\r\nWhen nf_tables_delrule() is flushing table rules, it is not checked whether the chain is bound and the chain's owner rule can also release the objects in certain circumstances.\r\n\r\nWe recommend upgrading past commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8.\r\n\r\n(CVE-2023-3777)\r\n\r\nA use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\r\n\r\nOn an error when building a nftables rule, deactivating immediate expressions in nft_immediate_deactivate() can lead unbinding the chain and objects be deactivated but later used.\r\n\r\nWe recommend upgrading past commit 0a771f7b266b02d262900c75f1e175c7fe76fec2.\r\n\r\n(CVE-2023-4015)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation.\r\n\r\nWhen route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.\r\n\r\nWe recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.\r\n\r\n(CVE-2023-4206)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.\r\n\r\nWhen fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.\r\n\r\nWe recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec.\r\n\r\n(CVE-2023-4207)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.\r\n\r\nWhen u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.\r\n\r\nWe recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.\r\n\r\n(CVE-2023-4208)\r\n\r\nA use-after-free vulnerability in the Linux kernel's af_unix component can be exploited to achieve local privilege escalation.\r\n\r\nThe unix_stream_sendpage() function tries to add data to the last skb in the peer's recv queue without locking the queue. Thus there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free.\r\n\r\nWe recommend upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.\r\n\r\n(CVE-2023-4622)",
+    "cves": [
+      {
+        "id": "CVE-2023-4622",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4622",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1360": {
+    "id": "openEuler-SA-2023-1360",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1360",
+    "title": "An update for c-ares is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "This is c-ares, an asynchronous resolver library. It is intended for applications which need to perform DNS queries without blocking, or need to perform multiple\n\nSecurity Fix(es):\n\nc-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular \"0::00:00:00/2\" was found to cause an issue.  C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.\n(CVE-2023-31130)",
+    "cves": [
+      {
+        "id": "CVE-2023-31130",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31130",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1255": {
+    "id": "openEuler-SA-2021-1255",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1255",
+    "title": "An update for djvulibre is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "DjVu is a set of compression technologies, a file format, and a software platform for the deliveryover the Web of digital documents, scanned documents, and high resolution images.DjVu documents download and display extremely quickly, and look exactly the same on all platforms with no compatibility problems due to fonts, colors, etc. DjVu can be seen as a superior alternative to PDF and PostScript for digital documents, to TIFF (and PDF) for scanned bitonal documents, to JPEG and JPEG2000 for photographs and pictures, and to GIF for large palettized images. DjVu is the only Web format that is practical for distributing high-resolution scanned documents in color.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in djvulibre-3.5.28 and earlier. A Stack overflow in function DJVU::DjVuDocument::get_djvu_file() via crafted djvu file may lead to application crash and other consequences.(CVE-2021-3500)\r\n\r\nA flaw was found in djvulibre-3.5.28 and earlier. A heap buffer overflow in function DJVU::GBitmap::decode() via crafted djvu file may lead to application crash and other consequences.(CVE-2021-32493)\n\nA flaw was found in djvulibre-3.5.28 and earlier. An out of bounds write in function DJVU::filter_bv() via crafted djvu file may lead to application crash and other consequences.(CVE-2021-32490)\n\nA flaw was found in djvulibre-3.5.28 and earlier. An integer overflow in function render() in tools/ddjvu via crafted djvu file may lead to application crash and other consequences.(CVE-2021-32491)\n\nA flaw was found in djvulibre-3.5.28 and earlier. An out of bounds read in function DJVU::DataPool::has_data() via crafted djvu file may lead to application crash and other consequences.(CVE-2021-32492)",
+    "cves": [
+      {
+        "id": "CVE-2021-32492",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32492",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1928": {
+    "id": "openEuler-SA-2023-1928",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1928",
+    "title": "An update for perl is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Perl 5 is a highly capable, feature-rich programming language with over 30 years of development. Perl 5 runs on over 100 platforms from portables to mainframes and is suitable for both rapid prototyping and large scale development projects.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \\p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.(CVE-2023-47100)",
+    "cves": [
+      {
+        "id": "CVE-2023-47100",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47100",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1855": {
+    "id": "openEuler-SA-2023-1855",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1855",
+    "title": "An update for microcode_ctl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "This is a tool to transform and deploy microcode update for x86 CPUs.\r\n\r\nSecurity Fix(es):\r\n\r\nSequence of processor instructions leads to unexpected behavior for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege and/or information disclosure and/or denial of service via local access.(CVE-2023-23583)",
+    "cves": [
+      {
+        "id": "CVE-2023-23583",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23583",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1134": {
+    "id": "openEuler-SA-2024-1134",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1134",
+    "title": "An update for nodejs is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Node.js is an open-source, cross-platform, JavaScript runtime environment, it executes JavaScript code outside of a browser.\r\n\r\nSecurity Fix(es):\r\n\r\nA security vulnerability has been identified in all supported versions\r\n\r\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints.  Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\r\n\r\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0464)\r\n\r\nApplications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\r\n\r\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\r\n\r\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0465)",
+    "cves": [
+      {
+        "id": "CVE-2023-0465",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0465",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1625": {
+    "id": "openEuler-SA-2024-1625",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1625",
+    "title": "An update for docker is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Docker is an open source project to build, ship and run any application as a lightweight container.\r\n\r\nSecurity Fix(es):\r\n\r\nMoby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. In 26.0.0, IPv6 is not disabled on network interfaces, including those belonging to networks where `--ipv6=false`. An container with an `ipvlan` or `macvlan` interface will normally be configured to share an external network link with the host machine. Because of this direct access, (1) Containers may be able to communicate with other hosts on the local network over link-local IPv6 addresses, (2) if router advertisements are being broadcast over the local network, containers may get SLAAC-assigned addresses, and (3) the interface  will be a member of IPv6 multicast groups. This means interfaces in IPv4-only networks present an unexpectedly and unnecessarily increased attack surface. The issue is patched in 26.0.2. To completely disable IPv6 in a container, use `--sysctl=net.ipv6.conf.all.disable_ipv6=1` in the `docker create` or `docker run` command. Or, in the service configuration of a `compose` file.(CVE-2024-32473)",
+    "cves": [
+      {
+        "id": "CVE-2024-32473",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32473",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1470": {
+    "id": "openEuler-SA-2023-1470",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1470",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn multiple functions of binder.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.\r\n\r\n(CVE-2023-21255)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.\r\n\r\nIf tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.\r\n\r\nWe recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.\r\n\r\n(CVE-2023-3609)\r\n\r\nAn out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.\r\n\r\nThe qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks.\r\n\r\nWe recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.\r\n\r\n(CVE-2023-3611)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.\r\n\r\nIf tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.\r\n\r\nWe recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.\r\n\r\n(CVE-2023-3776)\r\n\r\nAn out-of-bounds memory access flaw was found in the Linux kernel’s TUN/TAP device driver functionality in how a user generates a malicious (too big) networking packet when napi frags is enabled. This flaw allows a local user to crash or potentially escalate their privileges on the system.(CVE-2023-3812)",
+    "cves": [
+      {
+        "id": "CVE-2023-3812",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3812",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1265": {
+    "id": "openEuler-SA-2024-1265",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1265",
+    "title": "An update for glusterfs is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "GlusterFS is a distributed file-system capable of scaling to several petabytes. It aggregates various storage bricks over TCP/IP interconnect into one large parallel network filesystem. GlusterFS is one of the most sophisticated file systems in terms of features and extensibility. It borrows a powerful concept called Translators from GNU Hurd kernel. Much of the code in GlusterFS is in user space and easily manageable.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Gluster GlusterFS 11.0, there is an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free.(CVE-2022-48340)",
+    "cves": [
+      {
+        "id": "CVE-2022-48340",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48340",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1287": {
+    "id": "openEuler-SA-2023-1287",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1287",
+    "title": "An update for perl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Perl 5 is a highly capable, feature-rich programming language with over 30 years of  development. Perl 5 runs on over 100 platforms from portables to mainframes and is suitable for both rapid prototyping and large scale development projects.\r\n\r\nSecurity Fix(es):\r\n\r\nCPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.(CVE-2023-31484)",
+    "cves": [
+      {
+        "id": "CVE-2023-31484",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31484",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1301": {
+    "id": "openEuler-SA-2021-1301",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1301",
+    "title": "An update for bouncycastle is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The package is organised so that it contains a light-weight API suitable for use in any environment (including the newly released J2ME) with the additional infrastructure to conform the algorithms to the JCE framework.\r\n\r\nSecurity Fix(es):\r\n\r\nBouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.(CVE-2020-15522)",
+    "cves": [
+      {
+        "id": "CVE-2020-15522",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15522",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1868": {
+    "id": "openEuler-SA-2024-1868",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1868",
+    "title": "An update for python-pip is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes. %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-/bash_completion.d}) Name:           python-pip Version:        20.2.2 Release:        4 Summary:        A tool for installing and managing Python packages License:        MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD) URL:            http://www.pip-installer.org Source0:        https://files.pythonhosted.org/packages/source/p/pip/pip-.tar.gz BuildArch:      noarch Patch1:         allow-stripping-given-prefix-from-wheel-RECORD-files. Patch2:         emit-a-warning-when-running-with-root-privileges.patch Patch3:         remove-existing-dist-only-if-path-conflicts.patch Patch6000:      dummy-certifi.patch Patch6001:      backport-CVE-2021-3572.patch\r\n\r\nSecurity Fix(es):\r\n\r\nurllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.(CVE-2023-43804)\r\n\r\nurllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.\n(CVE-2023-45803)\r\n\r\n urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations.(CVE-2024-37891)",
+    "cves": [
+      {
+        "id": "CVE-2024-37891",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1473": {
+    "id": "openEuler-SA-2021-1473",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1473",
+    "title": "An update for httpd is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Critical",
+    "description": " Apache HTTP Server.\r\n\r\nSecurity Fix(es):\r\n\r\nA crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).(CVE-2021-44224)\r\n\r\nA carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.(CVE-2021-44790)",
+    "cves": [
+      {
+        "id": "CVE-2021-44790",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44790",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1963": {
+    "id": "openEuler-SA-2022-1963",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1963",
+    "title": "An update for htslib is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "HTSlib is an implementation of a unified C library for accessing common file  formats, such as SAM, CRAM and VCF, used for high-throughput sequencing data,  and is the core library used by samtools and bcftools. HTSlib only depends on  zlib. It is known to be compatible with gcc, g++ and clang. HTSlib implements a generalized BAM index, with file extension .csi ( coordinate-sorted index). The HTSlib file reader first looks for the new index and then for the old if the new index is absent.\r\n\r\nSecurity Fix(es):\r\n\r\nHTSlib through 1.10.2 allows out-of-bounds write access in vcf_parse_format (called from vcf_parse and vcf_read).(CVE-2020-36403)",
+    "cves": [
+      {
+        "id": "CVE-2020-36403",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36403",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1869": {
+    "id": "openEuler-SA-2024-1869",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1869",
+    "title": "An update for python-pip is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes. %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-/bash_completion.d}) Name:           python-pip Version:        20.2.2 Release:        4 Summary:        A tool for installing and managing Python packages License:        MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD) URL:            http://www.pip-installer.org Source0:        https://files.pythonhosted.org/packages/source/p/pip/pip-.tar.gz BuildArch:      noarch Patch1:         allow-stripping-given-prefix-from-wheel-RECORD-files. Patch2:         emit-a-warning-when-running-with-root-privileges.patch Patch3:         remove-existing-dist-only-if-path-conflicts.patch Patch6000:      dummy-certifi.patch Patch6001:      backport-CVE-2021-3572.patch\r\n\r\nSecurity Fix(es):\r\n\r\nurllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.(CVE-2023-43804)\r\n\r\nurllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.\n(CVE-2023-45803)\r\n\r\n urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations.(CVE-2024-37891)",
+    "cves": [
+      {
+        "id": "CVE-2024-37891",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1539": {
+    "id": "openEuler-SA-2024-1539",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1539",
+    "title": "An update for qt5-qtbase is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Low",
+    "description": "This package provides base tools, such as string, xml, and network handling.\r\n\r\nSecurity Fix(es):\r\n\r\nQt 6 through 6.6 was discovered to contain a NULL pointer dereference via the function QXcbConnection::initializeAllAtoms(). NOTE: this is disputed because it is not expected that an X application should continue to run when there is arbitrary anomalous behavior from the X server.(CVE-2023-45935)",
+    "cves": [
+      {
+        "id": "CVE-2023-45935",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45935",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1838": {
+    "id": "openEuler-SA-2023-1838",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1838",
+    "title": "An update for shim is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Initial UEFI bootloader that handles chaining to a trusted full \\ bootloader under secure boot environments.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability classified as critical has been found in rhboot shim up to 15.7 on ARM. This affects the function mirror_one_esl of the file mok.c of the component mok. Applying the patch 66e6579dbf921152f647a0c16da1d3b2f40861ca is able to eliminate this problem. The bugfix is ready for download at github.com.(CVE-2023-40546)",
+    "cves": [
+      {
+        "id": "CVE-2023-40546",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40546",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1813": {
+    "id": "openEuler-SA-2022-1813",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1813",
+    "title": "An update for openjdk-1.8.0 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment 8.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 7u311, 8u301; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.1 (Availability impacts). (CVE-2021-35588)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2021-35603)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2021-35556)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2021-35578)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2021-35559)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Utility). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2021-35561)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Keytool). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2021-35564)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2021-35586)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via Kerberos to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).(CVE-2021-35567)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2022-21476)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2021-35565)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2021-35550)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21291)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21248)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21340)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21360)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21294)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21293)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2022-21296)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21299)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21305)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2022-21282)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21365)\r\n\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21341)",
+    "cves": [
+      {
+        "id": "CVE-2022-21341",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21341",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1302": {
+    "id": "openEuler-SA-2021-1302",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1302",
+    "title": "An update for apache-commons-compress is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Apache Commons Compress library defines an API for working with ar, cpio, Unix dump, tar, zip, gzip, XZ, Pack200 and bzip2 files.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.(CVE-2021-35517)\r\n\r\nWhen reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.(CVE-2021-35516)\r\n\r\nWhen reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.(CVE-2021-35515)\r\n\r\nWhen reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.(CVE-2021-36090)",
+    "cves": [
+      {
+        "id": "CVE-2021-36090",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36090",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1442": {
+    "id": "openEuler-SA-2021-1442",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1442",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel through 5.15.2, hw_atl_utils_fw_rpc_wait in drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c allows an attacker (who can introduce a crafted device) to trigger an out-of-bounds write via a crafted length value.(CVE-2021-43975)",
+    "cves": [
+      {
+        "id": "CVE-2021-43975",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43975",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1456": {
+    "id": "openEuler-SA-2021-1456",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1456",
+    "title": "An update for mailman is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "The GNU mailing list manager.\r\n\r\nSecurity Fix(es):\r\n\r\nIn GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes.(CVE-2021-44227)",
+    "cves": [
+      {
+        "id": "CVE-2021-44227",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44227",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1517": {
+    "id": "openEuler-SA-2022-1517",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1517",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA double free bug in packet_set_ring() in net/packet/af_packet.c can be exploited by a local user through crafted syscalls to escalate privileges or deny service. We recommend upgrading kernel past the effected versions or rebuilding past ec6af094ea28f0f2dda1a6a33b14cd57e36a9755(CVE-2021-22600)\r\n\r\nA use-after-free flaw was found in the Linux kernel’s vmw_execbuf_copy_fence_user function in drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c in vmwgfx. This flaw allows a local attacker with user privileges to cause a privilege escalation problem.(CVE-2022-22942)",
+    "cves": [
+      {
+        "id": "CVE-2022-22942",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22942",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1981": {
+    "id": "openEuler-SA-2023-1981",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1981",
+    "title": "An update for rubygem-puma is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Low",
+    "description": "A simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications.\r\n\r\nSecurity Fix(es):\r\n\r\nPuma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This vulnerability was patched in Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server with `puma`.(CVE-2021-41136)",
+    "cves": [
+      {
+        "id": "CVE-2021-41136",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41136",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1390": {
+    "id": "openEuler-SA-2024-1390",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1390",
+    "title": "An update for emacs is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Emacs is the extensible, customizable, self-documenting real-time display editor. At its core is an interpreter for Emacs Lisp, a dialect of the Lisp programming language with extensions to support text editing. And it is an entire ecosystem of functionality beyond text editing, including a project planner, mail and news reader, debugger interface, calendar, and more.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Emacs before 29.3, LaTeX preview is enabled by default for e-mail attachments.(CVE-2024-30204)\r\n\r\nIn Emacs before 29.3, Org mode considers contents of remote files to be trusted. This affects Org Mode before 9.6.23.(CVE-2024-30205)",
+    "cves": [
+      {
+        "id": "CVE-2024-30205",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30205",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1074": {
+    "id": "openEuler-SA-2023-1074",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1074",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\natm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results).(CVE-2023-23455)\r\n\r\ncbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results).(CVE-2023-23454)\n\nA NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash.(CVE-2023-0394)",
+    "cves": [
+      {
+        "id": "CVE-2023-0394",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0394",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1637": {
+    "id": "openEuler-SA-2024-1637",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1637",
+    "title": "An update for tpm2-tss is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "tpm2-tss is a software stack supporting Trusted Platform Module(TPM) 2.0 system APIs which provides TPM2.0 specified APIs for applications to access TPM module through kernel TPM drivers.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the tpm2-tss package, where it was not checked to see if the magic number in the attest is equal to the TPM2_GENERATED_VALUE. This flaw allows an attacker to generate arbitrary quote data, which may not be detected by Fapi_VerifyQuote.(CVE-2024-29040)",
+    "cves": [
+      {
+        "id": "CVE-2024-29040",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29040",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1342": {
+    "id": "openEuler-SA-2023-1342",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1342",
+    "title": "An update for libcap is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "This is a library for getting and setting POSIX.1e (formerly POSIX 6) draft 15 capabilities.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in the pthread_create() function in libcap. This issue may allow a malicious actor to use cause __real_pthread_create() to return an error, which can exhaust the process memory.(CVE-2023-2602)\r\n\r\nA vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB.(CVE-2023-2603)",
+    "cves": [
+      {
+        "id": "CVE-2023-2603",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2603",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1418": {
+    "id": "openEuler-SA-2021-1418",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1418",
+    "title": "An update for ibus is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Intelligent Input Bus for Linux OS\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was discovered in ibus that allows any unprivileged user to monitor and send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. A local attacker may use this flaw to intercept all keystrokes of a victim user who is using the graphical interface, change the input method engine, or modify other input related configurations of the victim user.(CVE-2019-14822)",
+    "cves": [
+      {
+        "id": "CVE-2019-14822",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14822",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1327": {
+    "id": "openEuler-SA-2023-1327",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1327",
+    "title": "An update for hdf5 is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "HDF5 is a data model, library, and file format for storing and managing data. It supports an unlimited variety of datatypes, and is designed for flexible and efficient I/O and for high volume and complex data. HDF5 is portable and is extensible, allowing applications to evolve in their use of HDF5. The HDF5 Technology suite includes tools and applications for managing, manipulating, viewing, and analyzing data in the HDF5 format.\r\n\r\nSecurity Fix(es):\r\n\r\nA buffer overflow in H5O__layout_encode in H5Olayout.c in the HDF HDF5 through 1.10.4 library allows attackers to cause a denial of service via a crafted HDF5 file. This issue was triggered while repacking an HDF5 file, aka \"Invalid write of size 2.\"(CVE-2019-8396)\r\n\r\nAn issue was discovered in the HDF HDF5 1.8.20 library. There is an out of bounds read in the function H5F__accum_read in H5Faccum.c.(CVE-2018-13867)\r\n\r\nBuffer Overflow vulnerability in HDFGroup hdf5-h5dump 1.12.0 through 1.13.0 allows attackers to cause a denial of service via h5tools_str_sprint in /hdf5/tools/lib/h5tools_str.c.(CVE-2021-37501)",
+    "cves": [
+      {
+        "id": "CVE-2021-37501",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37501",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1670": {
+    "id": "openEuler-SA-2023-1670",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1670",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel through 6.0.9. drivers/media/usb/ttusb-dec/ttusb_dec.c has a memory leak because of the lack of a dvb_frontend_detach call.(CVE-2022-45887)\r\n\r\n\nA division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality. \r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n(CVE-2023-20588)\r\n\r\nIn multiple functions  of io_uring.c, there is a possible kernel memory corruption due to improper locking. This could lead to local escalation of privilege in the kernel with System execution privileges needed. User interaction is not needed for exploitation.\r\n\r\n(CVE-2023-21400)\r\n\r\nVUL-0: CVE-2023-32249: kernel: Linux Kernel ksmbd Multichannel Improper Authentication Session Hijack Vulnerability(CVE-2023-32249)\r\n\r\nVUL-0: CVE-2023-32251: kernel: Linux Kernel ksmbd Improper Restriction of Excessive Authentication Attempts Protection Bypass Vulnerability(CVE-2023-32251)\r\n\r\nVUL-0: CVE-2023-32253: kernel: Linux Kernel ksmbd Session Deadlock Denial-of-Service Vulnerability(CVE-2023-32253)\r\n\r\n** REJECT ** CVE-2023-4881 was wrongly assigned to a bug that was deemed to be a non-security issue by the Linux kernel security team.(CVE-2023-4881)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.\r\n\r\nWhen the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug and lack of error checking in agg_dequeue().\r\n\r\nWe recommend upgrading past commit 8fc134fee27f2263988ae38920bc03da416b03d8.\r\n\r\n(CVE-2023-4921)",
+    "cves": [
+      {
+        "id": "CVE-2023-32251",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32251",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2023-4921",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4921",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1336": {
+    "id": "openEuler-SA-2023-1336",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1336",
+    "title": "An update for cpio is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Low",
+    "description": "GNU cpio copies files into or out of a cpio or tar archive.The archive can be another file on the disk, a magnetic tape, or a pipe.\r\n\r\nSecurity Fix(es):\r\n\r\ncpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive.(CVE-2015-1197)",
+    "cves": [
+      {
+        "id": "CVE-2015-1197",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1197",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1349": {
+    "id": "openEuler-SA-2024-1349",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1349",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: act_ct: fix wild memory access when clearing fragments\r\n\r\nwhile testing re-assembly/re-fragmentation using act_ct, it's possible to\nobserve a crash like the following one:\r\n\r\n KASAN: maybe wild-memory-access in range [0x0001000000000448-0x000100000000044f]\n CPU: 50 PID: 0 Comm: swapper/50 Tainted: G S                5.12.0-rc7+ #424\n Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017\n RIP: 0010:inet_frag_rbtree_purge+0x50/0xc0\n Code: 00 fc ff df 48 89 c3 31 ed 48 89 df e8 a9 7a 38 ff 4c 89 fe 48 89 df 49 89 c6 e8 5b 3a 38 ff 48 8d 7b 40 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 75 59 48 8d bb d0 00 00 00 4c 8b 6b 40 48 89 f8 48\n RSP: 0018:ffff888c31449db8 EFLAGS: 00010203\n RAX: 0000200000000089 RBX: 000100000000040e RCX: ffffffff989eb960\n RDX: 0000000000000140 RSI: ffffffff97cfb977 RDI: 000100000000044e\n RBP: 0000000000000900 R08: 0000000000000000 R09: ffffed1186289350\n R10: 0000000000000003 R11: ffffed1186289350 R12: dffffc0000000000\n R13: 000100000000040e R14: 0000000000000000 R15: ffff888155e02160\n FS:  0000000000000000(0000) GS:ffff888c31440000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00005600cb70a5b8 CR3: 0000000a2c014005 CR4: 00000000003706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  <IRQ>\n  inet_frag_destroy+0xa9/0x150\n  call_timer_fn+0x2d/0x180\n  run_timer_softirq+0x4fe/0xe70\n  __do_softirq+0x197/0x5a0\n  irq_exit_rcu+0x1de/0x200\n  sysvec_apic_timer_interrupt+0x6b/0x80\n  </IRQ>\r\n\r\nwhen act_ct temporarily stores an IP fragment, restoring the skb qdisc cb\nresults in putting random data in FRAG_CB(), and this causes those \"wild\"\nmemory accesses later, when the rbtree is purged. Never overwrite the skb\ncb in case tcf_ct_handle_fragments() returns -EINPROGRESS.(CVE-2021-47014)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nudp: skip L4 aggregation for UDP tunnel packets\r\n\r\nIf NETIF_F_GRO_FRAGLIST or NETIF_F_GRO_UDP_FWD are enabled, and there\nare UDP tunnels available in the system, udp_gro_receive() could end-up\ndoing L4 aggregation (either SKB_GSO_UDP_L4 or SKB_GSO_FRAGLIST) at\nthe outer UDP tunnel level for packets effectively carrying and UDP\ntunnel header.\r\n\r\nThat could cause inner protocol corruption. If e.g. the relevant\npackets carry a vxlan header, different vxlan ids will be ignored/\naggregated to the same GSO packet. Inner headers will be ignored, too,\nso that e.g. TCP over vxlan push packets will be held in the GRO\nengine till the next flush, etc.\r\n\r\nJust skip the SKB_GSO_UDP_L4 and SKB_GSO_FRAGLIST code path if the\ncurrent packet could land in a UDP tunnel, and let udp_gro_receive()\ndo GRO via udp_sk(sk)->gro_receive.\r\n\r\nThe check implemented in this patch is broader than what is strictly\nneeded, as the existing UDP tunnel could be e.g. configured on top of\na different device: we could end-up skipping GRO at-all for some packets.\r\n\r\nAnyhow, that is a very thin corner case and covering it will add quite\na bit of complexity.\r\n\r\nv1 -> v2:\n - hopefully clarify the commit message(CVE-2021-47036)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: pvrusb2: fix use after free on context disconnection\r\n\r\nUpon module load, a kthread is created targeting the\npvr2_context_thread_func function, which may call pvr2_context_destroy\nand thus call kfree() on the context object. However, that might happen\nbefore the usb hub_event handler is able to notify the driver. This\npatch adds a sanity check before the invalid read reported by syzbot,\nwithin the context disconnection call stack.(CVE-2023-52445)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblock: add check that partition length needs to be aligned with block size\r\n\r\nBefore calling add partition or resize partition, there is no check\non whether the length is aligned with the logical block size.\nIf the logical block size of the disk is larger than 512 bytes,\nthen the partition size maybe not the multiple of the logical block size,\nand when the last sector is read, bio_truncate() will adjust the bio size,\nresulting in an IO error if the size of the read command is smaller than\nthe logical block size.If integrity data is supported, this will also\nresult in a null pointer dereference when calling bio_integrity_free.(CVE-2023-52458)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg\r\n\r\nsyzbot reported the following uninit-value access issue:\r\n\r\n=====================================================\nBUG: KMSAN: uninit-value in smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\nBUG: KMSAN: uninit-value in smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\nCPU: 0 PID: 8696 Comm: kworker/0:3 Not tainted 5.8.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:118\n kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121\n __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\n smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\n usbnet_probe+0x1152/0x3f90 drivers/net/usb/usbnet.c:1737\n usb_probe_interface+0xece/0x1550 drivers/usb/core/driver.c:374\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\n usb_set_configuration+0x380f/0x3f10 drivers/usb/core/message.c:2032\n usb_generic_driver_probe+0x138/0x300 drivers/usb/core/generic.c:241\n usb_probe_device+0x311/0x490 drivers/usb/core/driver.c:272\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\n usb_new_device+0x1bd4/0x2a30 drivers/usb/core/hub.c:2554\n hub_port_connect drivers/usb/core/hub.c:5208 [inline]\n hub_port_connect_change drivers/usb/core/hub.c:5348 [inline]\n port_event drivers/usb/core/hub.c:5494 [inline]\n hub_event+0x5e7b/0x8a70 drivers/usb/core/hub.c:5576\n process_one_work+0x1688/0x2140 kernel/workqueue.c:2269\n worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415\n kthread+0x551/0x590 kernel/kthread.c:292\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293\r\n\r\nLocal variable ----buf.i87@smsc75xx_bind created at:\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\r\n\r\nThis issue is caused because usbnet_read_cmd() reads less bytes than requested\n(zero byte in the reproducer). In this case, 'buf' is not properly filled.\r\n\r\nThis patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads\nless bytes than requested.(CVE-2023-52528)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap()\r\n\r\nSince 'ieee80211_beacon_get()' can return NULL, 'wfx_set_mfp_ap()'\nshould check the return value before examining skb data. So convert\nthe latter to return an appropriate error code and propagate it to\nreturn from 'wfx_start_ap()' as well. Compile tested only.(CVE-2023-52593)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix slab-out-of-bounds Read in dtSearch\r\n\r\nCurrently while searching for current page in the sorted entry table\nof the page there is a out of bound access. Added a bound check to fix\nthe error.\r\n\r\nDave:\nSet return code to -EIO(CVE-2023-52602)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nUBSAN: array-index-out-of-bounds in dtSplitRoot\r\n\r\nSyzkaller reported the following issue:\r\n\r\noop0: detected capacity change from 0 to 32768\r\n\r\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9\nindex -2 is out of range for type 'struct dtslot [128]'\nCPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:151 [inline]\n __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283\n dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971\n dtSplitUp fs/jfs/jfs_dtree.c:985 [inline]\n dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863\n jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270\n vfs_mkdir+0x3b3/0x590 fs/namei.c:4013\n do_mkdirat+0x279/0x550 fs/namei.c:4038\n __do_sys_mkdirat fs/namei.c:4053 [inline]\n __se_sys_mkdirat fs/namei.c:4051 [inline]\n __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fcdc0113fd9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9\nRDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003\nRBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0\nR10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000\nR13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000\n </TASK>\r\n\r\nThe issue is caused when the value of fsi becomes less than -1.\nThe check to break the loop when fsi value becomes -1 is present\nbut syzbot was able to produce value less than -1 which cause the error.\nThis patch simply add the change for the values less than 0.\r\n\r\nThe patch is tested via syzbot.(CVE-2023-52603)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nFS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree\r\n\r\nSyzkaller reported the following issue:\r\n\r\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2867:6\nindex 196694 is out of range for type 's8[1365]' (aka 'signed char[1365]')\nCPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348\n dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867\n dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834\n dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331\n dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]\n dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402\n txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534\n txUpdateMap+0x342/0x9e0\n txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]\n jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732\n kthread+0x2d3/0x370 kernel/kthread.c:388\n ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n </TASK>\n================================================================================\nKernel panic - not syncing: UBSAN: panic_on_warn set ...\nCPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n panic+0x30f/0x770 kernel/panic.c:340\n check_panic_on_warn+0x82/0xa0 kernel/panic.c:236\n ubsan_epilogue lib/ubsan.c:223 [inline]\n __ubsan_handle_out_of_bounds+0x13c/0x150 lib/ubsan.c:348\n dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867\n dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834\n dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331\n dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]\n dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402\n txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534\n txUpdateMap+0x342/0x9e0\n txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]\n jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732\n kthread+0x2d3/0x370 kernel/kthread.c:388\n ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n </TASK>\nKernel Offset: disabled\nRebooting in 86400 seconds..\r\n\r\nThe issue is caused when the value of lp becomes greater than\nCTLTREESIZE which is the max size of stree. Adding a simple check\nsolves this issue.\r\n\r\nDave:\nAs the function returns a void, good error handling\nwould require a more intrusive code reorganization, so I modified\nOsama's patch at use WARN_ON_ONCE for lack of a cleaner option.\r\n\r\nThe patch is tested via syzbot.(CVE-2023-52604)",
+    "cves": [
+      {
+        "id": "CVE-2023-52604",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52604",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1824": {
+    "id": "openEuler-SA-2023-1824",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1824",
+    "title": "An update for skopeo is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "A command line utility that performs various operations on container images and image repositories\r\n\r\nSecurity Fix(es):\r\n\r\nHTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.(CVE-2023-24534)",
+    "cves": [
+      {
+        "id": "CVE-2023-24534",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24534",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1862": {
+    "id": "openEuler-SA-2023-1862",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1862",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Low",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds read vulnerability was found in Netfilter Connection Tracking (conntrack) in the Linux kernel. This flaw allows a remote user to disclose sensitive information via the DCCP protocol.(CVE-2023-39197)",
+    "cves": [
+      {
+        "id": "CVE-2023-39197",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39197",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1610": {
+    "id": "openEuler-SA-2022-1610",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1610",
+    "title": "An update for wireshark is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Wireshark allows you to examine protocol data stored in files or as it is captured from wired or wireless (WiFi or Bluetooth) networks, USB devices, and many other sources.  It supports dozens of protocol capture file formats and understands more than a thousand protocols.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nExcessive memory consumption in MS-WSP dissector in Wireshark 3.4.0 to 3.4.4 and 3.2.0 to 3.2.12 allows denial of service via packet injection or crafted capture file(CVE-2021-22207)\r\n\r\nImproper URL handling in Wireshark 3.4.0 to 3.4.3 and 3.2.0 to 3.2.11 could allow remote code execution via via packet injection or crafted capture file.(CVE-2021-22191)\r\n\r\nCrash in the Sysdig Event dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file(CVE-2021-4181)\r\n\r\nInfinite loop in the RTMPT dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file(CVE-2021-4185)",
+    "cves": [
+      {
+        "id": "CVE-2021-4185",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4185",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1059": {
+    "id": "openEuler-SA-2023-1059",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1059",
+    "title": "An update for git is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency. Git is easy to learn and has a tiny footprint with lightning fast performance. It outclasses SCM tools like Subversion, CVS, Perforce, and ClearCase with features like cheap local branching, convenient staging areas, and multiple workflows.\r\n\r\nSecurity Fix(es):\r\n\r\nGit GUI is a convenient graphical tool that comes with Git for Windows. Its target audience is users who are uncomfortable with using Git on the command-line. Git GUI has a function to clone repositories. Immediately after the local clone is available, Git GUI will automatically post-process it, among other things running a spell checker called `aspell.exe` if it was found. Git GUI is implemented as a Tcl/Tk script. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable _always includes the current directory_. Therefore, malicious repositories can ship with an `aspell.exe` in their top-level directory which is executed by Git GUI without giving the user a chance to inspect it first, i.e. running untrusted code. This issue has been addressed in version 2.39.1. Users are advised to upgrade. Users unable to upgrade should avoid using Git GUI for cloning. If that is not a viable option, at least avoid cloning from untrusted sources.(CVE-2022-41953)",
+    "cves": [
+      {
+        "id": "CVE-2022-41953",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41953",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1304": {
+    "id": "openEuler-SA-2024-1304",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1304",
+    "title": "An update for perl-Net-CIDR-Lite is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "Faster alternative to Net::CIDR when merging a large number of CIDR address ranges. Works for IPv4 and IPv6 addresses.\r\n\r\nSecurity Fix(es):\r\n\r\nThe Net::CIDR::Lite module before 0.22 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.(CVE-2021-47154)",
+    "cves": [
+      {
+        "id": "CVE-2021-47154",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47154",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1839": {
+    "id": "openEuler-SA-2022-1839",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1839",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nProduct: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel.(CVE-2022-20368)",
+    "cves": [
+      {
+        "id": "CVE-2022-20368",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20368",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1415": {
+    "id": "openEuler-SA-2024-1415",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1415",
+    "title": "An update for varnish is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "This is Varnish Cache, a web application accelerator also known as a caching HTTP reverse proxy. You install it in front of any server that speaks HTTP and configure it to cache the contents. Varnish Cache is really, really fast. It typically speeds up delivery with a factor of 300 - 1000x, depending on your architecture.\r\n\r\nSecurity Fix(es):\r\n\r\nVarnish Cache before 7.3.2 and 7.4.x before 7.4.3 (and before 6.0.13 LTS), and Varnish Enterprise 6 before 6.0.12r6, allows credits exhaustion for an HTTP/2 connection control flow window, aka a Broke Window Attack.(CVE-2024-30156)",
+    "cves": [
+      {
+        "id": "CVE-2024-30156",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30156",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1352": {
+    "id": "openEuler-SA-2023-1352",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1352",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel image for RaspberryPi.\n\nSecurity Fix(es):\n\nA use after free flaw was found in hfsplus_put_super in fs/hfsplus/super.c in the Linux Kernel. This flaw could allow a local user to cause a denial of service problem.(CVE-2023-2985)",
+    "cves": [
+      {
+        "id": "CVE-2023-2985",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2985",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1730": {
+    "id": "openEuler-SA-2023-1730",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1730",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn array indexing vulnerability was found in the netfilter subsystem of the Linux kernel. A missing macro could lead to a miscalculation of the `h->nets` array offset, providing attackers with the primitive to arbitrarily increment/decrement a memory buffer out-of-bound. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.(CVE-2023-42753)",
+    "cves": [
+      {
+        "id": "CVE-2023-42753",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42753",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1891": {
+    "id": "openEuler-SA-2023-1891",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1891",
+    "title": "An update for gimp is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "GIMP is a cross-platform image editor available for GNU/Linux, OS X, Windows and more operating systems. It is free software, you can change its source code and distribute your changes. Whether you are a graphic designer, photographer, illustrator, or scientist, GIMP provides you with sophisticated tools to get your job done. You can further enhance your productivity with GIMP thanks to many customization options and 3rd party plugins.\r\n\r\nSecurity Fix(es):\r\n\r\nA parsing vulnerability was found in the GNU Image Manipulation Program (GIMP). This flaw allows an unauthenticated, remote attacker to trick a GIMP user into opening a malicious PSD file, possibly enabling the execution of unauthorized code within the GIMP process.(CVE-2023-44442)\r\n\r\nA parsing vulnerability was found in the GNU Image Manipulation Program (GIMP). This flaw allows an unauthenticated, remote attacker to trick a GIMP user into opening a malicious PSP file, possibly enabling the execution of unauthorized code within the GIMP process.(CVE-2023-44444)",
+    "cves": [
+      {
+        "id": "CVE-2023-44444",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44444",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1029": {
+    "id": "openEuler-SA-2023-1029",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1029",
+    "title": "An update for SDL2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Simple DirectMedia Layer (SDL) is a cross-platform multimedia library designed to provide fast access to the graphics frame buffer and audio device.\r\n\r\nSecurity Fix(es):\r\n\r\nA memory leak issue was discovered in SDL2 version >= SDL2-2.0.8\r\n\r\nSee the link below for details:\nhttps://github.com/libsdl-org/SDL/pull/6269\nhttps://github.com/libsdl-org/SDL/commit/00b67f55727bc0944c3266e2b875440da132ce4b(CVE-2022-4743)",
+    "cves": [
+      {
+        "id": "CVE-2022-4743",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4743",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1266": {
+    "id": "openEuler-SA-2021-1266",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1266",
+    "title": "An update for djvulibre is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "DjVu is a set of compression technologies, a file format, and a software platform for the deliveryover the Web of digital documents, scanned documents, and high resolution images.DjVu documents download and display extremely quickly, and look exactly the same on all platforms with no compatibility problems due to fonts, colors, etc. DjVu can be seen as a superior alternative to PDF and PostScript for digital documents, to TIFF (and PDF) for scanned bitonal documents, to JPEG and JPEG2000 for photographs and pictures, and to GIF for large palettized images. DjVu is the only Web format that is practical for distributing high-resolution scanned documents in color.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds write vulnerability was found in DjVuLibre in DJVU::DjVuTXT::decode() in DjVuText.cpp via a crafted djvu file which may lead to crash and segmentation fault. This flaw affects DjVuLibre versions prior to 3.5.28.(CVE-2021-3630)",
+    "cves": [
+      {
+        "id": "CVE-2021-3630",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3630",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1094": {
+    "id": "openEuler-SA-2021-1094",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1094",
+    "title": "An update for zstd is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Zstd is a fast lossless compression algorithm. It's backed by a very fast entropy stage, provided by Huff0 and FSE library. It's a real-time compression scenario for zlib levels and has a better compression ratio.\r\n\r\nSecurity Fix(es):\r\n\r\nBeginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.(CVE-2021-24032)",
+    "cves": [
+      {
+        "id": "CVE-2021-24032",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24032",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1173": {
+    "id": "openEuler-SA-2024-1173",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1173",
+    "title": "An update for nodejs is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Node.js is an open-source, cross-platform, JavaScript runtime environment, it executes JavaScript code outside of a browser.\r\n\r\nSecurity Fix(es):\r\n\r\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.(CVE-2023-44487)",
+    "cves": [
+      {
+        "id": "CVE-2023-44487",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1230": {
+    "id": "openEuler-SA-2024-1230",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1230",
+    "title": "An update for stb is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Single-file public domain libraries for C/C++.\r\n\r\nSecurity Fix(es):\r\n\r\nstb_image is a single file MIT licensed library for processing images. When `stbi_set_flip_vertically_on_load` is set to `TRUE` and `req_comp` is set to a number that doesn’t match the real number of components per pixel, the library attempts to flip the image vertically. A crafted image file can trigger `memcpy` out-of-bounds read because `bytes_per_pixel` used to calculate `bytes_per_row` doesn’t match the real image array dimensions.(CVE-2023-45662)\r\n\r\nstb_image is a single file MIT licensed library for processing images. The stbi__getn function reads a specified number of bytes from context (typically a file) into the specified buffer. In case the file stream points to the end, it returns zero. There are two places where its return value is not checked: In the `stbi__hdr_load` function and in the `stbi__tga_load` function. The latter of the two is likely more exploitable as an attacker may also control the size of an uninitialized buffer.(CVE-2023-45663)",
+    "cves": [
+      {
+        "id": "CVE-2023-45663",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45663",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1574": {
+    "id": "openEuler-SA-2024-1574",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1574",
+    "title": "An update for firefox is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.\r\n\r\nSecurity Fix(es):\r\n\r\nCertain blit values provided by the user were not properly constrained leading to a heap buffer overflow on some video drivers. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6.(CVE-2020-26971)\r\n\r\nPorts that were written as an integer overflow above the bounds of a 16-bit integer could have bypassed port blocking restrictions when used in the Alt-Svc header. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.(CVE-2021-29946)",
+    "cves": [
+      {
+        "id": "CVE-2021-29946",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29946",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1225": {
+    "id": "openEuler-SA-2023-1225",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1225",
+    "title": "An update for json-smart is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Json-smart is a performance focused, JSON processor lib.\r\n\r\nSecurity Fix(es):\r\n\r\n[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.(CVE-2023-1370)",
+    "cves": [
+      {
+        "id": "CVE-2023-1370",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1370",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1026": {
+    "id": "openEuler-SA-2023-1026",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1026",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nOut-of-bounds Read in GitHub repository vim/vim prior to 9.0.1143.(CVE-2023-0049)\r\n\r\nHeap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1144.(CVE-2023-0051)\r\n\r\nOut-of-bounds Write in GitHub repository vim/vim prior to 9.0.1145.(CVE-2023-0054)",
+    "cves": [
+      {
+        "id": "CVE-2023-0054",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0054",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1064": {
+    "id": "openEuler-SA-2023-1064",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1064",
+    "title": "An update for openssh is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. \\ It encrypts all traffic to eliminate eavesdropping, connection hijacking, and \\ other attacks. In addition, OpenSSH provides a large suite of secure tunneling \\ capabilities, several authentication methods, and sophisticated configuration options.\r\n\r\nSecurity Fix(es):\r\n\r\nOpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be triggered by an unauthenticated attacker in the default configuration. One third-party report states \"remote code execution is theoretically possible.\"(CVE-2023-25136)",
+    "cves": [
+      {
+        "id": "CVE-2023-25136",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25136",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1404": {
+    "id": "openEuler-SA-2023-1404",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1404",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Go Programming Language\n\nSecurity Fix(es):\n\nOn Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.(CVE-2023-29403)",
+    "cves": [
+      {
+        "id": "CVE-2023-29403",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29403",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1239": {
+    "id": "openEuler-SA-2023-1239",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1239",
+    "title": "An update for xorg-x11-server is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "X.Org X11 X server.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in X.Org Server Overlay Window. A Use-After-Free may lead to local privilege escalation. If a client explicitly destroys the compositor overlay window (aka COW), the Xserver would leave a dangling pointer to that window in the CompScreen structure, which will trigger a use-after-free later.(CVE-2023-1393)",
+    "cves": [
+      {
+        "id": "CVE-2023-1393",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1393",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1402": {
+    "id": "openEuler-SA-2021-1402",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1402",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "The go programming language\r\n\r\nSecurity Fix(es):\r\n\r\nGo before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.(CVE-2021-33195)\n\nIn archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive s header) can cause a NewReader or OpenReader panic.(CVE-2021-33196)\n\nIn Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.(CVE-2021-33197)\n\nIn Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.(CVE-2021-33198)\n\nThe crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.(CVE-2021-34558)\n\nGo before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.(CVE-2021-29923)\n\nGo before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.(CVE-2021-38297)\n\nGo before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort.(CVE-2021-36221)",
+    "cves": [
+      {
+        "id": "CVE-2021-36221",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36221",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1148": {
+    "id": "openEuler-SA-2024-1148",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1148",
+    "title": "An update for three-eight-nine-ds-base is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "389-ds-base is an LDAPv3 compliant server which includes the LDAP server and command line utilities for server administration.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap overflow flaw was found in 389-ds-base. This issue leads to a denial of service when writing a value larger than 256 chars in log_entry_attr.(CVE-2024-1062)",
+    "cves": [
+      {
+        "id": "CVE-2024-1062",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1062",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1118": {
+    "id": "openEuler-SA-2021-1118",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1118",
+    "title": "An update for openjpeg2 is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "OpenJPEG is an open-source JPEG 2000 codec written in C language. It has been developed in order to promote the use of JPEG 2000, a still-image compression standard from the Joint Photographic Experts Group (JPEG). Since April 2015, it is officially recognized by ISO/IEC and ITU-T as a JPEG 2000 Reference Software.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap-buffer overflow was found in the way openjpeg2 handled certain PNG format files. An attacker could use this flaw to cause an application crash or in some cases execute arbitrary code with the permission of the user running such an application.(CVE-2020-27814)\r\n\r\nTheres a flaw in openjpeg in versions prior to 2.4.0 in src/lib/openjp2/pi.c. When an attacker is able to provide crafted input to be processed by the openjpeg encoder, this could cause an out-of-bounds read. The greatest impact from this flaw is to application availability.(CVE-2020-27841)\r\n\r\nA flaw was found in OpenJPEG in versions prior to 2.4.0. This flaw allows an attacker to provide specially crafted input to the conversion or encoding functionality, causing an out-of-bounds read. The highest threat from this vulnerability is system availability.(CVE-2020-27843)\r\n\r\nTheres a flaw in src/lib/openjp2/pi.c of openjpeg in versions prior to 2.4.0. If an attacker is able to provide untrusted input to openjpegs conversion/encoding functionality, they could cause an out-of-bounds read. The highest impact of this flaw is to application availability.(CVE-2020-27845)",
+    "cves": [
+      {
+        "id": "CVE-2020-27845",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27845",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1716": {
+    "id": "openEuler-SA-2022-1716",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1716",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on the host resulting in DoS scenario, or potential information leakage from the host memory.(CVE-2021-3507)\r\n\r\nA stack overflow vulnerability was found in the Intel HD Audio device (intel-hda) of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability. This flaw affects QEMU versions prior to 7.0.0.(CVE-2021-3611)",
+    "cves": [
+      {
+        "id": "CVE-2021-3611",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3611",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1444": {
+    "id": "openEuler-SA-2023-1444",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1444",
+    "title": "An update for elfutils is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Low",
+    "description": "Elfutils is a collection of utilities, including stack (to show backtraces), nm (for listing symbols from object files), size (for listing the section sizes of an object or archive file), strip (for discarding symbols), elflint (to check for well-formed ELF files) and elfcompress (to compress or decompress ELF sections). Also included are helper libraries which implement DWARF, ELF, and machine-specific ELF handling and process introspection. It also provides a DSO which allows reading and writing ELF files on a high level. Third party programs depend on this package to read internals of ELF files. Yama sysctl setting to enable default attach scope settings enabling programs to use ptrace attach, access to /proc/PID/{mem,personality,stack,syscall}, and the syscalls process_vm_readv and process_vm_writev which are used for interprocess services, communication and introspection (like synchronisation, signaling, debugging, tracing and profiling) of processes.\n\nSecurity Fix(es):\n\nIn elfutils 0.183, an infinite loop was found in the function handle_symtab in readelf.c .Which allows attackers to cause a denial of service (infinite loop) via crafted file.(CVE-2021-33294)",
+    "cves": [
+      {
+        "id": "CVE-2021-33294",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33294",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1107": {
+    "id": "openEuler-SA-2023-1107",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1107",
+    "title": "An update for openssl is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nThe public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7. Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream. The OpenSSL cms and smime command line applications are similarly affected.(CVE-2023-0215)\r\n\r\nA timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.(CVE-2022-4304)\r\n\r\nThe function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data. If the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.(CVE-2022-4450)\n\nThere is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.(CVE-2023-0286)",
+    "cves": [
+      {
+        "id": "CVE-2023-0286",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0286",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1274": {
+    "id": "openEuler-SA-2021-1274",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1274",
+    "title": "An update for python-sqlalchemy is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "SQLAlchemy is an Object Relational Mapper (ORM) that provides a flexible, high-level interface to SQL databases. It contains a powerful mapping layer that users can choose to work as automatically or as manually, determining relationships based on foreign keys or to bridge the gap between database and domain by letting you define the join conditions explicitly.\r\n\r\nSecurity Fix(es):\r\n\r\nSQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.(CVE-2019-7548)",
+    "cves": [
+      {
+        "id": "CVE-2019-7548",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7548",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1177": {
+    "id": "openEuler-SA-2024-1177",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1177",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nTransmit requests in Xen's virtual network protocol can consist of\nmultiple parts.  While not really useful, except for the initial part\nany of them may be of zero length, i.e. carry no data at all.  Besides a\ncertain initial portion of the to be transferred data, these parts are\ndirectly translated into what Linux calls SKB fragments.  Such converted\nrequest parts can, when for a particular SKB they are all of length\nzero, lead to a de-reference of NULL in core networking code.\n(CVE-2023-46838)\r\n\r\nA flaw in the routing table size was found in the ICMPv6 handling of \"Packet Too Big\". The size of the routing table is regulated by periodic garbage collection. However, with \"Packet Too Big Messages\" it is possible to exceed the routing table size and garbage collector threshold. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%.(CVE-2023-52340)\r\n\r\nA null pointer dereference flaw was found in the hugetlbfs_fill_super function in the Linux kernel hugetlbfs (HugeTLB pages) functionality. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.(CVE-2024-0841)\r\n\r\nA use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\r\n\r\nThe nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT.\r\n\r\nWe recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.\r\n\r\n(CVE-2024-1086)",
+    "cves": [
+      {
+        "id": "CVE-2024-1086",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1086",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1189": {
+    "id": "openEuler-SA-2023-1189",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1189",
+    "title": "An update for wireshark is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Wireshark is an open source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer.Wireshark, formerly known as Ethereal, can be used to examine the details of traffic at a variety of levels ranging from connection-level information to the bits that make up a single packet. Packet capture can provide a network administrator with information about individual packets such as transmit time, source, destination, protocol type and header data. This information can be useful for evaluating security events and troubleshooting network security device issues.\r\n\r\nSecurity Fix(es):\r\n\r\nISO 15765 and ISO 10681 dissector crash in Wireshark 4.0.0 to 4.0.3 and 3.6.0 to 3.6.11 allows denial of service via packet injection or crafted capture file(CVE-2023-1161)",
+    "cves": [
+      {
+        "id": "CVE-2023-1161",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1161",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1888": {
+    "id": "openEuler-SA-2022-1888",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1888",
+    "title": "An update for net-snmp is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Net-SNMP is a suite of applications used to implement SNMP v1, SNMP v2c and SNMP v3 using both IPv4 and IPv6. The suite includes:\n\n+\t\t- An extensible agent for responding to SNMP queries including built-in\n+\t\tsupport for a wide range of MIB information modules\n+\t\t- Command-line applications to retrieve and manipulate information from\n+\t\tSNMP-capable devices\n+\t\t- A daemon application for receiving SNMP notifications\n+\t\t- A library for developing new SNMP applications, with C and Perl APIs\n+\t\t- A graphical MIB browser.\r\n\r\nSecurity Fix(es):\r\n\r\nhttps://github.com/net-snmp/net-snmp/blob/v5.9.2/CHANGES\nCVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable can cause a NULL pointer dereference.(CVE-2022-24809)\r\n\r\nCVE-2022-24807 A malformed OID in a SET request to SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an out-of-bounds memory access.\nhttps://github.com/net-snmp/net-snmp/blob/v5.9.2/CHANGES(CVE-2022-24807)\r\n\r\nhttps://github.com/net-snmp/net-snmp/blob/v5.9.2/CHANGES\r\n\r\nCVE-2022-24808 A malformed OID in a SET request to NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference(CVE-2022-24808)\r\n\r\n+*5.9.2*:\n+    security:\n+      - These two CVEs can be exploited by a user with read-only credentials:\n+          - CVE-2022-24805 A buffer overflow in the handling of the INDEX of\n+            NET-SNMP-VACM-MIB can cause an out-of-bounds memory access.\n+          - CVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable\n+            can cause a NULL pointer dereference.\n+      - These CVEs can be exploited by a user with read-write credentials:\n+          - CVE-2022-24806 Improper Input Validation when SETing malformed\n+            OIDs in master agent and subagent simultaneously\n+          - CVE-2022-24807 A malformed OID in a SET request to\n+            SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an\n+            out-of-bounds memory access.\n+          - CVE-2022-24808 A malformed OID in a SET request to\n+            NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference\n+          - CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable\n+            can cause a NULL pointer dereference.\n+      - To avoid these flaws, use strong SNMPv3 credentials and do not share them.\n+        If you must use SNMPv1 or SNMPv2c, use a complex community string\n+        and enhance the protection by restricting access to a given IP address range.\n+      - Thanks are due to Yu Zhang of VARAS@IIE and Nanyu Zhong of VARAS@IIE for\n+        reporting the following CVEs that have been fixed in this release, and\n+        to Arista Networks for providing fixes.(CVE-2022-24805)\r\n\r\nhttps://github.com/net-snmp/net-snmp/blob/v5.9.2/CHANGES\n CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable can cause a NULL pointer dereference.(CVE-2022-24810)\r\n\r\nFrom https://github.com/net-snmp/net-snmp/blob/v5.9.2/CHANGES\nCVE-2022-24806 Improper Input Validation when SETing malformed OIDs in master agent and subagent simultaneously(CVE-2022-24806)",
+    "cves": [
+      {
+        "id": "CVE-2022-24806",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24806",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1674": {
+    "id": "openEuler-SA-2022-1674",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1674",
+    "title": "An update for obs-server is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Open Build Service (OBS) backend is used to store all sources and binaries.It also calculates the need for new build jobs and distributes it.\n\nSecurity Fix(es):\n\nA Improper Restriction of XML External Entity Reference vulnerability in SUSE Open Build Service allows remote attackers to reference external entities in certain operations. This can be used to gain information from the server that can be abused to escalate to Admin privileges on OBS. This issue affects: SUSE Open Build Service Open Build Service versions prior to 2.10.13.(CVE-2022-21949)",
+    "cves": [
+      {
+        "id": "CVE-2022-21949",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21949",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1569": {
+    "id": "openEuler-SA-2022-1569",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1569",
+    "title": "An update for libsolv is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "A free package dependency solver using a satisfiability algorithm. The library is based on two major, but independent, blocks:\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nTwo heap-overflow vulnerabilities exist in openSUSE/libsolv libsolv through 13 Dec 2020 in the decisionmap variable via the resolve_dependencies function at src/solver.c (line 1940 & line 1995), which could cause a remote Denial of Service.(CVE-2021-44568)\r\n\r\nA heap overflow vulnerability exisfts in openSUSE libsolv through 13 Dec 2020 in the prefer_suggested function at src/policy.c: line 442.(CVE-2021-44571)\r\n\r\nTwo heap-overflow vulnerabilities exist in openSUSE libsolv through 13 Dec 2020 bugs in the propagate function at src/solver.c: line 490 and 524.(CVE-2021-44577)\r\n\r\nTwo heap overflow vulnerabilities exist in oenSUSE libsolv through 13 Dec 2020 in the resolve_installed function at src/solver.c: line 1728 & 1766.(CVE-2021-44573)\r\n\r\nA heap-overflow vulnerability exists in openSUSE libsolv through 13 Dec 2020 in the resolve_jobrules function at src/solver.c at line 1599.(CVE-2021-44574)\r\n\r\nTwo memory vulnerabilities exists in openSUSE libsolv through 13 Dec 2020 in the resolve_weak function at src/solver.c: line 2222 and 2249.(CVE-2021-44576)\r\n\r\nA heap-buffer openSUSE libsolv through 13 Dec 2020 exists in the solver_solve function at src/solver.c: line 3445.(CVE-2021-44569)\r\n\r\nTwo heap-overflow vulnerabilities exists in openSUSE libsolv through 13 Dec 2020 in the makeruledecisions function at src/solver.c: line 147 and 307.(CVE-2021-44575)",
+    "cves": [
+      {
+        "id": "CVE-2021-44575",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44575",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1186": {
+    "id": "openEuler-SA-2024-1186",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1186",
+    "title": "An update for shim is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Initial UEFI bootloader that handles chaining to a trusted full \\ bootloader under secure boot environments.\r\n\r\nSecurity Fix(es):\r\n\r\nA security vulnerability has been identified in all supported versions\r\n\r\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints.  Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\r\n\r\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0464)",
+    "cves": [
+      {
+        "id": "CVE-2023-0464",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0464",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1820": {
+    "id": "openEuler-SA-2024-1820",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1820",
+    "title": "An update for rubygem-rack is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "Rack provides a minimal, modular, and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers,  web frameworks, and software in between (the so-called middleware) into  a single method call.\r\n\r\nSecurity Fix(es):\r\n\r\nA denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.(CVE-2022-44572)\r\n\r\nRack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.(CVE-2024-26141)",
+    "cves": [
+      {
+        "id": "CVE-2024-26141",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26141",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1743": {
+    "id": "openEuler-SA-2024-1743",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1743",
+    "title": "An update for libvirt is now available for openEuler-24.03-LTS",
+    "severity": "Medium",
+    "description": "Libvirt is a C toolkit to interact with the virtualization capabilities of recent versions of Linux (and other OSes). The main package includes the libvirtd server exporting the virtualization support.\r\n\r\nSecurity Fix(es):\r\n\r\nA race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while the data pointer's stack frame was concurrently being \"freed\" when returning from virNetClientIOEventLoop(). The 'virtproxyd' daemon can be used to trigger requests. If libvirt is configured with fine-grained access control, this issue, in theory, allows a user to escape their otherwise limited access. This flaw allows a local, unprivileged user to access virtproxyd without authenticating. Remote users would need to authenticate before they could access it.(CVE-2024-4418)",
+    "cves": [
+      {
+        "id": "CVE-2024-4418",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4418",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1502": {
+    "id": "openEuler-SA-2023-1502",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1502",
+    "title": "An update for golang is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The Go Programming Language.\r\n\r\nSecurity Fix(es):\r\n\r\nThe HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.(CVE-2023-29406)",
+    "cves": [
+      {
+        "id": "CVE-2023-29406",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29406",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1370": {
+    "id": "openEuler-SA-2023-1370",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1370",
+    "title": "An update for python-tornado is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Tornado is an open source version of the scalable, non-blocking web server and tools.\n\nSecurity Fix(es):\n\nOpen redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.(CVE-2023-28370)",
+    "cves": [
+      {
+        "id": "CVE-2023-28370",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28370",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1128": {
+    "id": "openEuler-SA-2021-1128",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1128",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.  QEMU has two operating modes:     Full system emulation. In this mode, QEMU emulates a full system (for example a PC),    including one or several processors and various peripherals. It can be used to launch    different Operating Systems without rebooting the PC or to debug system code.     User mode emulation. In this mode, QEMU can launch processes compiled for one CPU on another CPU.    It can be used to launch the Wine Windows API emulator (https://www.winehq.org) or to ease    cross-compilation and cross-debugging. You can refer to https://www.qemu.org for more infortmation.\r\n\r\nSecurity Fix(es):\r\n\r\nide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated.(CVE-2020-29443)\r\n\r\nAn integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.(CVE-2021-20203)",
+    "cves": [
+      {
+        "id": "CVE-2021-20203",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20203",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1369": {
+    "id": "openEuler-SA-2023-1369",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1369",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nAn issue was discovered in the Linux kernel before 6.2.9. A use-after-free was found in bq24190_remove in drivers/power/supply/bq24190_charger.c. It could allow a local attacker to crash the system due to a race condition.(CVE-2023-33288)\n\nA use after free flaw was found in hfsplus_put_super in fs/hfsplus/super.c in the Linux Kernel. This flaw could allow a local user to cause a denial of service problem.(CVE-2023-2985)\n\nAn issue was discovered in the Linux kernel before 6.2. The ntfs3 subsystem does not properly check for correctness during disk reads, leading to an out-of-bounds read in ntfs_set_ea in fs/ntfs3/xattr.c.(CVE-2022-48502)",
+    "cves": [
+      {
+        "id": "CVE-2022-48502",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48502",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1680": {
+    "id": "openEuler-SA-2023-1680",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1680",
+    "title": "An update for mosquitto is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Mosquitto is an open source message broker that implements the MQ Telemetry Transport protocol version 3.1 and 3.1.1 MQTT provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for \"machine to machine\" messaging such as with low power sensors or mobile devices such as phones, embedded computers or micro-controllers like the Arduino.\r\n\r\nSecurity Fix(es):\r\n\r\nThe broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.(CVE-2023-28366)",
+    "cves": [
+      {
+        "id": "CVE-2023-28366",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28366",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1686": {
+    "id": "openEuler-SA-2023-1686",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1686",
+    "title": "An update for iSulad is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nWhen malicious images are pulled by isula pull, attackers can execute arbitrary code.(CVE-2021-33635)\r\n\r\nWhen the isula load command is used to load malicious images, attackers can execute arbitrary code.(CVE-2021-33636)\r\n\r\nWhen the isula export command is used to export a container to an image and the container is controlled by an attacker, the attacker can escape the container.(CVE-2021-33637)\r\n\r\nWhen the isula cp command is used to copy files from a container to a host machine and the container is controlled by an attacker, the attacker can escape the container.(CVE-2021-33638)",
+    "cves": [
+      {
+        "id": "CVE-2021-33638",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33638",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1162": {
+    "id": "openEuler-SA-2023-1162",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1162",
+    "title": "An update for snakeyaml is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "SnakeYAML is a YAML parser and emitter for the Java Virtual Machine. YAML is a data serialization format designed for human readability and interaction with scripting languages.\r\n\r\nSecurity Fix(es):\r\n\r\nThe package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.(CVE-2022-25857)\r\n\r\nUsing snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.(CVE-2022-38749)\r\n\r\nUsing snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.(CVE-2022-38750)\r\n\r\nUsing snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.(CVE-2022-38751)\r\n\r\nUsing snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.(CVE-2022-38752)\n\nThose using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.(CVE-2022-41854)",
+    "cves": [
+      {
+        "id": "CVE-2022-41854",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41854",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1390": {
+    "id": "openEuler-SA-2021-1390",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1390",
+    "title": "An update for hiredis is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Hiredis is a minimalistic C client library for the Redis database. It is minimalistic because it just adds minimal support for the protocol, but at the same time it uses a high level printf-alike API in order to make it much higher level than otherwise suggested by its minimal code base and the lack of explicit bindings for every Redis command.\r\n\r\nSecurity Fix(es):\r\n\r\nHiredis is a minimalistic C client library for the Redis database. In affected versions Hiredis is vulnurable to integer overflow if provided maliciously crafted or corrupted `RESP` `mult-bulk` protocol data. When parsing `multi-bulk` (array-like) replies, hiredis fails to check if `count * sizeof(redisReply*)` can be represented in `SIZE_MAX`. If it can not, and the `calloc()` call doesn't itself make this check, it would result in a short allocation and subsequent buffer overflow. Users of hiredis who are unable to update may set the [maxelements](https://github.com/redis/hiredis#reader-max-array-elements) context option to a value small enough that no overflow is possible.(CVE-2021-32765)",
+    "cves": [
+      {
+        "id": "CVE-2021-32765",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32765",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1170": {
+    "id": "openEuler-SA-2023-1170",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1170",
+    "title": "An update for glusterfs is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nIn Gluster GlusterFS 11.0, there is an xlators/mount/fuse/src/fuse-bridge.c notify stack-based buffer over-read.(CVE-2023-26253)",
+    "cves": [
+      {
+        "id": "CVE-2023-26253",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26253",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1037": {
+    "id": "openEuler-SA-2023-1037",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1037",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds memory access flaw was found in the Linux kernel Intel’s iSMT SMBus host controller driver in the way a user triggers the I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS) with malicious input data. This flaw allows a local user to crash the system.(CVE-2022-2873)\n\nA use-after-free flaw was found in the Linux kernel?s SGI GRU driver in the way the first gru_file_unlocked_ioctl function is called by the user, where a fail pass occurs in the gru_check_chiplet_assignment function. This flaw allows a local user to crash or potentially escalate their privileges on the system.(CVE-2022-3424)",
+    "cves": [
+      {
+        "id": "CVE-2022-3424",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3424",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1003": {
+    "id": "openEuler-SA-2024-1003",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1003",
+    "title": "An update for rubygem-puma is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "A simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications.\r\n\r\nSecurity Fix(es):\r\n\r\nPuma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.(CVE-2022-23634)",
+    "cves": [
+      {
+        "id": "CVE-2022-23634",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23634",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1377": {
+    "id": "openEuler-SA-2021-1377",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1377",
+    "title": "An update for openssh is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.\r\n\r\nSecurity Fix(es):\r\n\r\nsshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.(CVE-2021-41617)",
+    "cves": [
+      {
+        "id": "CVE-2021-41617",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41617",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1809": {
+    "id": "openEuler-SA-2023-1809",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1809",
+    "title": "An update for qt is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Qt (pronounced as \"cute\", not \"cu-tee\") is a cross-platform framework that is usually used as a graphical toolkit, although it is also very helpful in creating CLI applications. It runs on the three major desktop OSes, as well as on mobile OSes, such as Symbian, Nokia Belle, Meego Harmattan, MeeGo or BB10, and on embedded devices. Ports for Android (Necessitas) and iOS are also in development\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.(CVE-2023-34410)",
+    "cves": [
+      {
+        "id": "CVE-2023-34410",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1885": {
+    "id": "openEuler-SA-2023-1885",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1885",
+    "title": "An update for vim is now available for openEuler-22.03-LTS",
+    "severity": "Low",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nVim is an open source command line text editor. When closing a window, vim may try to access already freed window structure. Exploitation beyond crashing the application has not been shown to be viable. This issue has been addressed in commit `25aabc2b` which has been included in release version 9.0.2106. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48231)\r\n\r\nVim is an open source command line text editor. If the count after the :s command is larger than what fits into a (signed) long variable, abort with e_value_too_large. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `ac6378773` which has been included in release version 9.0.2108. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48233)\r\n\r\nVim is an open source command line text editor. When getting the count for a normal mode z command, it may overflow for large counts given. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `58f9befca1` which has been included in release version 9.0.2109. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48234)\r\n\r\nVim is an open source command line text editor. When parsing relative ex addresses one may unintentionally cause an\noverflow. Ironically this happens in the existing overflow check, because the line number becomes negative and LONG_MAX - lnum will cause the overflow. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `060623e` which has been included in release version 9.0.2110. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48235)\r\n\r\nVim is an open source command line text editor. When using the z= command, the user may overflow the count with values larger\nthan MAX_INT. Impact is low, user interaction is required and a crash may not even happen in all situations. This vulnerability has been addressed in commit `73b2d379` which has been included in release version 9.0.2111. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48236)\r\n\r\nVim is an open source command line text editor. In affected versions when shifting lines in operator pending mode and using a very large value, it may be possible to overflow the size of integer. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `6bf131888` which has been included in version 9.0.2112. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48237)",
+    "cves": [
+      {
+        "id": "CVE-2023-48237",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48237",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1638": {
+    "id": "openEuler-SA-2022-1638",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1638",
+    "title": "An update for nodejs-grunt is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Grunt is the JavaScript task runner. Why use a task runner? In one word: automation. The less work you have to do when performing repetitive tasks like minification, compilation, unit testing, linting, etc, the easier your job becomes. After you've configured it, a task runner can do most of that mundane work for you with basically zero effort.\r\n\r\nSecurity Fix(es):\nPath Traversal in GitHub repository gruntjs/grunt prior to 1.5.2.(CVE-2022-0436)",
+    "cves": [
+      {
+        "id": "CVE-2022-0436",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0436",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1145": {
+    "id": "openEuler-SA-2023-1145",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1145",
+    "title": "An update for rubygem-activesupport is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization,time zones, and testing.\r\n\r\nSecurity Fix(es):\r\n\r\nA regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.(CVE-2023-22796)",
+    "cves": [
+      {
+        "id": "CVE-2023-22796",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22796",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1780": {
+    "id": "openEuler-SA-2022-1780",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1780",
+    "title": "An update for derby is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Apache Derby, an Apache DB sub-project, is a relational database implemented entirely in Java. Some key advantages include a small footprint, conformance to Java, JDBC, and SQL standards and embedded JDBC driver.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the users control. If the Derby Network Server is not running with a Java Security Manager policy file, the attack is successful. If the server is using a policy file, the policy file must permit the database location to be read for the attack to work. The default Derby Network Server policy file distributed with the affected releases includes a permissive policy as the default Network Server policy, which allows the attack to work.(CVE-2018-1313)",
+    "cves": [
+      {
+        "id": "CVE-2018-1313",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1313",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2084": {
+    "id": "openEuler-SA-2022-2084",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2084",
+    "title": "An update for nodejs-fstream is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Provides advanced file system stream objects for Node.js.  These objects are like FS streams, but with stat on them, and support directories and symbolic links, as well as normal files.  Also, you can use them to set the stats on a file, even if you don't change its contents, or to create a symlink, etc.\r\n\r\nSecurity Fix(es):\r\n\r\nfstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.(CVE-2019-13173)",
+    "cves": [
+      {
+        "id": "CVE-2019-13173",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13173",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1720": {
+    "id": "openEuler-SA-2024-1720",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1720",
+    "title": "An update for openssl is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Critical",
+    "description": "The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, fully featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL tookit and its related documentation.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free vulnerability was found in OpenSSL. Calling the OpenSSL API SSL_free_buffers function may cause memory to be accessed that was previously freed in some situations.(CVE-2024-4741)",
+    "cves": [
+      {
+        "id": "CVE-2024-4741",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4741",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1020": {
+    "id": "openEuler-SA-2023-1020",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1020",
+    "title": "An update for kubernetes is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Low",
+    "description": "Container cluster management.\r\n\r\nSecurity Fix(es):\r\n\r\nkubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal. This includes but is not limited to the unstructured string fields in objects such as Events.(CVE-2021-25743)",
+    "cves": [
+      {
+        "id": "CVE-2021-25743",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25743",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1666": {
+    "id": "openEuler-SA-2022-1666",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1666",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nusb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c in the Linux kernel through 5.17.1 has a double free.(CVE-2022-28388)\n\nmcba_usb_start_xmit in drivers/net/can/usb/mcba_usb.c in the Linux kernel through 5.17.1 has a double free.(CVE-2022-28389)\n\nIn the Linux kernel before 5.17.1, a refcount leak bug was found in net/llc/af_llc.c.(CVE-2022-28356)",
+    "cves": [
+      {
+        "id": "CVE-2022-28356",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28356",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1547": {
+    "id": "openEuler-SA-2024-1547",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1547",
+    "title": "An update for less is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "Less is a pager. A pager is a program that displays text files. Other pagers commonly in use are more and pg. Pagers are often used in command-line environments like the Unix shell and the MS-DOS command prompt to display files.\r\n\r\nSecurity Fix(es):\r\n\r\nless through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.(CVE-2024-32487)",
+    "cves": [
+      {
+        "id": "CVE-2024-32487",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32487",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1453": {
+    "id": "openEuler-SA-2023-1453",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1453",
+    "title": "An update for samba is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\n\nSecurity Fix(es):\n\nAn out-of-bounds read vulnerability was found in Samba due to insufficient length checks in winbindd_pam_auth_crap.c. When performing NTLM authentication, the client replies to cryptographic challenges back to the server. These replies have variable lengths, and Winbind fails to check the lan manager response length. When Winbind is used for NTLM authentication, a maliciously crafted request can trigger an out-of-bounds read in Winbind, possibly resulting in a crash.(CVE-2022-2127)\n\nA vulnerability was found in Samba's SMB2 packet signing mechanism. The SMB2 packet signing is not enforced if an admin configured \"server signing = required\" or for SMB2 connections to Domain Controllers where SMB2 packet signing is mandatory. This flaw allows an attacker to perform attacks, such as a man-in-the-middle attack, by intercepting the network traffic and modifying the SMB2 messages between client and server, affecting the integrity of the data.(CVE-2023-3347)\n\nAn infinite loop vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in an endless loop consuming 100% CPU. This flaw allows an attacker to issue a malformed RPC request, triggering an infinite loop, resulting in a denial of service condition.(CVE-2023-34966)\n\nA Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed-in pointer is not a valid talloc pointer. With an RPC worker process shared among multiple client connections, a malicious client or attacker can trigger a process crash in a shared RPC mdssvc worker process, affecting all other clients this worker serves.(CVE-2023-34967)",
+    "cves": [
+      {
+        "id": "CVE-2023-34967",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34967",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1429": {
+    "id": "openEuler-SA-2021-1429",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1429",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn improper validation of an array index and out of bounds memory read in the Linux kernel s Integrated Services Digital Network (ISDN) functionality was found in the way users call ioctl CMTPCONNADD. A local user could use this flaw to crash the system or starve the resources causing denial of service.(CVE-2021-3896)\r\n\r\nA flaw was found in the Linux kernel. A use-after-free vulnerability in the NFC stack can lead to a threat to confidentiality, integrity, and system availability.(CVE-2021-3760)\r\n\r\nA flaw was found in the Linux kernel s CAPI over Bluetooth connection code. An attacker with a local account can escalate privileges when CAPI (ISDN) hardware connection fails.(CVE-2021-34981)\r\n\r\nSpecifically timed and handcrafted traffic can cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic' in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in APQ8053, IPQ4019, IPQ8064, MSM8909W, MSM8996AU, QCA9531, QCN5502, QCS405, SDX20, SM6150, SM7150(CVE-2020-3702)\r\n\r\nUAF in Android ION memory allocator.(CVE-2021-0929)\r\n\r\nA flaw in the processing of received ICMP errors (ICMP fragment needed and ICMP redirect) in the Linux kernel functionality was found to allow the ability to quickly scan open UDP ports. This flaw allows an off-path remote user to effectively bypass the source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization are indirectly affected as well.(CVE-2021-20322)\r\n\r\nA flaw was found in s390 eBPF JIT in bpf_jit_insn in arch/s390/net/bpf_jit_comp.c in the Linux kernel. In this flaw, a local attacker with special user privilege can circumvent the verifier and may lead to a confidentiality problem.(CVE-2021-20320)\r\n\r\nAn issue was discovered in the Linux kernel before 5.14.15. There is an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c.(CVE-2021-43389)\n\nUse-after-free vulnerability in the Linux kernel exploitable by a local attacker due to reuse of a DCCP socket with an attached dccps_hc_tx_ccid object as a listener after being released.(CVE-2020-16119)",
+    "cves": [
+      {
+        "id": "CVE-2020-16119",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16119",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1233": {
+    "id": "openEuler-SA-2021-1233",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1233",
+    "title": "An update for spice is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The SPICE package provides the SPICE server library and client. These components are used to provide access to a remote machine's display and devices.\n\nSecurity Fix(es):\n\nA flaw was found in spice in versions before 0.14.92. A DoS tool might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection.(CVE-2021-20201)",
+    "cves": [
+      {
+        "id": "CVE-2021-20201",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20201",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1675": {
+    "id": "openEuler-SA-2024-1675",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1675",
+    "title": "An update for runc is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "runc is a CLI tool for spawning and running containers according to the OCI specification.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system.(CVE-2024-3154)",
+    "cves": [
+      {
+        "id": "CVE-2024-3154",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3154",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1824": {
+    "id": "openEuler-SA-2024-1824",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1824",
+    "title": "An update for ruby is now available for openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Ruby is a fast and easy interpreted scripting language for object-oriented programming. It has many functions for processing text Files and perform system management tasks (such as Perl).\r\n\r\nSecurity Fix(es):\r\n\r\n REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs.(CVE-2024-35176)",
+    "cves": [
+      {
+        "id": "CVE-2024-35176",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35176",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1494": {
+    "id": "openEuler-SA-2022-1494",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1494",
+    "title": "An update for libarchive is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "is an open-source BSD-licensed C programming library that  provides streaming access to a variety of different archive formats, including tar, cpio, pax, zip, and ISO9660 images. The distribution  also includes bsdtar and bsdcpio, full-featured implementations of  tar and cpio that use .\r\n\r\nSecurity Fix(es):\r\n\r\nIncorrect link resolution flaws can occur when extracting archives, resulting in changes to the mode, time, access control list, and flags of files outside the archive. An attacker could deliver malicious archives to victim users, triggering this vulnerability when they attempt to extract the archives. A local attacker could exploit this vulnerability to gain additional privileges on the system.(CVE-2021-31566)\r\n\r\nIncorrect link resolution flaws when using ACLs to extract symbolic links can lead to changes to the access control list (ACL) of the link target. An attacker could deliver malicious archives to victim users, triggering this vulnerability when they attempt to extract the archives. A local attacker could exploit this vulnerability to change the ACL of a file on the system and gain more permissions.(CVE-2021-23177)",
+    "cves": [
+      {
+        "id": "CVE-2021-23177",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23177",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1590": {
+    "id": "openEuler-SA-2022-1590",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1590",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Go Programming Language.\r\n\r\nSecurity Fix(es):\r\n\r\nregexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression.(CVE-2022-24921)",
+    "cves": [
+      {
+        "id": "CVE-2022-24921",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24921",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1119": {
+    "id": "openEuler-SA-2023-1119",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1119",
+    "title": "An update for pesign is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "pesign is a command line tool for manipulating signatures and cryptographic digests of UEFI applications.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in pesign. The pesign package provides a systemd service used to start the pesign daemon. This service unit runs a script to set ACLs for /etc/pki/pesign and /run/pesign directories to grant access privileges to users in the 'pesign' group. However, the script doesn't check for symbolic links. This could allow an attacker to gain access to privileged files and directories via a path traversal attack.(CVE-2022-3560)",
+    "cves": [
+      {
+        "id": "CVE-2022-3560",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3560",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1158": {
+    "id": "openEuler-SA-2024-1158",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1158",
+    "title": "An update for zbar is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "ZBar is an open source software suite for reading bar codes from various sources, such as video streams, image files and raw intensity sensors. It supports many popular symbologies (types of bar codes) including EAN-13/UPC-A, UPC-E, EAN-8, Code 128, Code 39, Interleaved 2 of 5 and QR Code.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap-based buffer overflow exists in the qr_reader_match_centers function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner.(CVE-2023-40889)\r\n\r\nA stack-based buffer overflow vulnerability exists in the lookup_sequence function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner.(CVE-2023-40890)",
+    "cves": [
+      {
+        "id": "CVE-2023-40890",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40890",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1127": {
+    "id": "openEuler-SA-2023-1127",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1127",
+    "title": "An update for xorg-x11-server is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "X.Org X11 X server\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in X.Org. This issue occurs due to a dangling pointer in DeepCopyPointerClasses that can be exploited by ProcXkbSetDeviceInfo() and ProcXkbGetDeviceInfo() to read and write into freed memory. This can lead to local privilege elevation on systems where the X server runs privileged and remote code execution for ssh X forwarding sessions.(CVE-2023-0494)",
+    "cves": [
+      {
+        "id": "CVE-2023-0494",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0494",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1061": {
+    "id": "openEuler-SA-2021-1061",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1061",
+    "title": "An update for openjpeg is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nHeap-based buffer overflow in the JPEG2000 image tile decoder in OpenJPEG before 1.5.2 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file because of incorrect j2k_decode, j2k_read_eoc, and tcd_decode_tile interaction, a related issue to CVE-2013-6045. NOTE: this is not a duplicate of CVE-2013-1447, because the scope of CVE-2013-1447 was specifically defined in http://openwall.com/lists/oss-security/2013/12/04/6 as only \"null pointer dereferences, division by zero, and anything that would just fit as DoS.\"(CVE-2014-0158)",
+    "cves": [
+      {
+        "id": "CVE-2014-0158",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0158",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1168": {
+    "id": "openEuler-SA-2024-1168",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1168",
+    "title": "An update for nodejs is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Node.js is an open-source, cross-platform, JavaScript runtime environment, it executes JavaScript code outside of a browser.\r\n\r\nSecurity Fix(es):\r\n\r\nA security vulnerability has been identified in all supported versions\r\n\r\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints.  Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\r\n\r\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0464)\r\n\r\nApplications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\r\n\r\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\r\n\r\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0465)\r\n\r\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.(CVE-2023-44487)",
+    "cves": [
+      {
+        "id": "CVE-2023-44487",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1677": {
+    "id": "openEuler-SA-2024-1677",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1677",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: dwc3: ep0: fix NULL pointer exception\r\n\r\nThere is no validation of the index from dwc3_wIndex_to_dep() and we might\nbe referring a non-existing ep and trigger a NULL pointer exception. In\ncertain configurations we might use fewer eps and the index might wrongly\nindicate a larger ep index than existing.\r\n\r\nBy adding this validation from the patch we can actually report a wrong\nindex back to the caller.\r\n\r\nIn our usecase we are using a composite device on an older kernel, but\nupstream might use this fix also. Unfortunately, I cannot describe the\nhardware for others to reproduce the issue as it is a proprietary\nimplementation.\r\n\r\n[   82.958261] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a4\n[   82.966891] Mem abort info:\n[   82.969663]   ESR = 0x96000006\n[   82.972703]   Exception class = DABT (current EL), IL = 32 bits\n[   82.978603]   SET = 0, FnV = 0\n[   82.981642]   EA = 0, S1PTW = 0\n[   82.984765] Data abort info:\n[   82.987631]   ISV = 0, ISS = 0x00000006\n[   82.991449]   CM = 0, WnR = 0\n[   82.994409] user pgtable: 4k pages, 39-bit VAs, pgdp = 00000000c6210ccc\n[   83.000999] [00000000000000a4] pgd=0000000053aa5003, pud=0000000053aa5003, pmd=0000000000000000\n[   83.009685] Internal error: Oops: 96000006 [#1] PREEMPT SMP\n[   83.026433] Process irq/62-dwc3 (pid: 303, stack limit = 0x000000003985154c)\n[   83.033470] CPU: 0 PID: 303 Comm: irq/62-dwc3 Not tainted 4.19.124 #1\n[   83.044836] pstate: 60000085 (nZCv daIf -PAN -UAO)\n[   83.049628] pc : dwc3_ep0_handle_feature+0x414/0x43c\n[   83.054558] lr : dwc3_ep0_interrupt+0x3b4/0xc94\r\n\r\n...\r\n\r\n[   83.141788] Call trace:\n[   83.144227]  dwc3_ep0_handle_feature+0x414/0x43c\n[   83.148823]  dwc3_ep0_interrupt+0x3b4/0xc94\n[   83.181546] ---[ end trace aac6b5267d84c32f ]---(CVE-2021-47269)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nisdn: mISDN: netjet: Fix crash in nj_probe:\r\n\r\n'nj_setup' in netjet.c might fail with -EIO and in this case\n'card->irq' is initialized and is bigger than zero. A subsequent call to\n'nj_release' will free the irq that has not been requested.\r\n\r\nFix this bug by deleting the previous assignment to 'card->irq' and just\nkeep the assignment before 'request_irq'.\r\n\r\nThe KASAN's log reveals it:\r\n\r\n[    3.354615 ] WARNING: CPU: 0 PID: 1 at kernel/irq/manage.c:1826\nfree_irq+0x100/0x480\n[    3.355112 ] Modules linked in:\n[    3.355310 ] CPU: 0 PID: 1 Comm: swapper/0 Not tainted\n5.13.0-rc1-00144-g25a1298726e #13\n[    3.355816 ] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\nrel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\n[    3.356552 ] RIP: 0010:free_irq+0x100/0x480\n[    3.356820 ] Code: 6e 08 74 6f 4d 89 f4 e8 5e ac 09 00 4d 8b 74 24 18\n4d 85 f6 75 e3 e8 4f ac 09 00 8b 75 c8 48 c7 c7 78 c1 2e 85 e8 e0 cf f5\nff <0f> 0b 48 8b 75 c0 4c 89 ff e8 72 33 0b 03 48 8b 43 40 4c 8b a0 80\n[    3.358012 ] RSP: 0000:ffffc90000017b48 EFLAGS: 00010082\n[    3.358357 ] RAX: 0000000000000000 RBX: ffff888104dc8000 RCX:\n0000000000000000\n[    3.358814 ] RDX: ffff8881003c8000 RSI: ffffffff8124a9e6 RDI:\n00000000ffffffff\n[    3.359272 ] RBP: ffffc90000017b88 R08: 0000000000000000 R09:\n0000000000000000\n[    3.359732 ] R10: ffffc900000179f0 R11: 0000000000001d04 R12:\n0000000000000000\n[    3.360195 ] R13: ffff888107dc6000 R14: ffff888107dc6928 R15:\nffff888104dc80a8\n[    3.360652 ] FS:  0000000000000000(0000) GS:ffff88817bc00000(0000)\nknlGS:0000000000000000\n[    3.361170 ] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    3.361538 ] CR2: 0000000000000000 CR3: 000000000582e000 CR4:\n00000000000006f0\n[    3.362003 ] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[    3.362175 ] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[    3.362175 ] Call Trace:\n[    3.362175 ]  nj_release+0x51/0x1e0\n[    3.362175 ]  nj_probe+0x450/0x950\n[    3.362175 ]  ? pci_device_remove+0x110/0x110\n[    3.362175 ]  local_pci_probe+0x45/0xa0\n[    3.362175 ]  pci_device_probe+0x12b/0x1d0\n[    3.362175 ]  really_probe+0x2a9/0x610\n[    3.362175 ]  driver_probe_device+0x90/0x1d0\n[    3.362175 ]  ? mutex_lock_nested+0x1b/0x20\n[    3.362175 ]  device_driver_attach+0x68/0x70\n[    3.362175 ]  __driver_attach+0x124/0x1b0\n[    3.362175 ]  ? device_driver_attach+0x70/0x70\n[    3.362175 ]  bus_for_each_dev+0xbb/0x110\n[    3.362175 ]  ? rdinit_setup+0x45/0x45\n[    3.362175 ]  driver_attach+0x27/0x30\n[    3.362175 ]  bus_add_driver+0x1eb/0x2a0\n[    3.362175 ]  driver_register+0xa9/0x180\n[    3.362175 ]  __pci_register_driver+0x82/0x90\n[    3.362175 ]  ? w6692_init+0x38/0x38\n[    3.362175 ]  nj_init+0x36/0x38\n[    3.362175 ]  do_one_initcall+0x7f/0x3d0\n[    3.362175 ]  ? rdinit_setup+0x45/0x45\n[    3.362175 ]  ? rcu_read_lock_sched_held+0x4f/0x80\n[    3.362175 ]  kernel_init_freeable+0x2aa/0x301\n[    3.362175 ]  ? rest_init+0x2c0/0x2c0\n[    3.362175 ]  kernel_init+0x18/0x190\n[    3.362175 ]  ? rest_init+0x2c0/0x2c0\n[    3.362175 ]  ? rest_init+0x2c0/0x2c0\n[    3.362175 ]  ret_from_fork+0x1f/0x30\n[    3.362175 ] Kernel panic - not syncing: panic_on_warn set ...\n[    3.362175 ] CPU: 0 PID: 1 Comm: swapper/0 Not tainted\n5.13.0-rc1-00144-g25a1298726e #13\n[    3.362175 ] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\nrel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\n[    3.362175 ] Call Trace:\n[    3.362175 ]  dump_stack+0xba/0xf5\n[    3.362175 ]  ? free_irq+0x100/0x480\n[    3.362175 ]  panic+0x15a/0x3f2\n[    3.362175 ]  ? __warn+0xf2/0x150\n[    3.362175 ]  ? free_irq+0x100/0x480\n[    3.362175 ]  __warn+0x108/0x150\n[    3.362175 ]  ? free_irq+0x100/0x480\n[    3.362175 ]  report_bug+0x119/0x1c0\n[    3.362175 ]  handle_bug+0x3b/0x80\n[    3.362175 ]  exc_invalid_op+0x18/0x70\n[    3.362175 ]  asm_exc_invalid_op+0x12/0x20\n[    3.362175 ] RIP: 0010:free_irq+0x100\n---truncated---(CVE-2021-47284)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: fix to avoid racing on fsync_entry_slab by multi filesystem instances\r\n\r\nAs syzbot reported, there is an use-after-free issue during f2fs recovery:\r\n\r\nUse-after-free write at 0xffff88823bc16040 (in kfence-#10):\n kmem_cache_destroy+0x1f/0x120 mm/slab_common.c:486\n f2fs_recover_fsync_data+0x75b0/0x8380 fs/f2fs/recovery.c:869\n f2fs_fill_super+0x9393/0xa420 fs/f2fs/super.c:3945\n mount_bdev+0x26c/0x3a0 fs/super.c:1367\n legacy_get_tree+0xea/0x180 fs/fs_context.c:592\n vfs_get_tree+0x86/0x270 fs/super.c:1497\n do_new_mount fs/namespace.c:2905 [inline]\n path_mount+0x196f/0x2be0 fs/namespace.c:3235\n do_mount fs/namespace.c:3248 [inline]\n __do_sys_mount fs/namespace.c:3456 [inline]\n __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3433\n do_syscall_64+0x3f/0xb0 arch/x86/entry/common.c:47\n entry_SYSCALL_64_after_hwframe+0x44/0xae\r\n\r\nThe root cause is multi f2fs filesystem instances can race on accessing\nglobal fsync_entry_slab pointer, result in use-after-free issue of slab\ncache, fixes to init/destroy this slab cache only once during module\ninit/destroy procedure to avoid this issue.(CVE-2021-47335)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs\r\n\r\nFan speed minimum can be enforced from sysfs. For example, setting\ncurrent fan speed to 20 is used to enforce fan speed to be at 100%\nspeed, 19 - to be not below 90% speed, etcetera. This feature provides\nability to limit fan speed according to some system wise\nconsiderations, like absence of some replaceable units or high system\nambient temperature.\r\n\r\nRequest for changing fan minimum speed is configuration request and can\nbe set only through 'sysfs' write procedure. In this situation value of\nargument 'state' is above nominal fan speed maximum.\r\n\r\nReturn non-zero code in this case to avoid\nthermal_cooling_device_stats_update() call, because in this case\nstatistics update violates thermal statistics table range.\nThe issues is observed in case kernel is configured with option\nCONFIG_THERMAL_STATISTICS.\r\n\r\nHere is the trace from KASAN:\n[  159.506659] BUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x7d/0xb0\n[  159.516016] Read of size 4 at addr ffff888116163840 by task hw-management.s/7444\n[  159.545625] Call Trace:\n[  159.548366]  dump_stack+0x92/0xc1\n[  159.552084]  ? thermal_cooling_device_stats_update+0x7d/0xb0\n[  159.635869]  thermal_zone_device_update+0x345/0x780\n[  159.688711]  thermal_zone_device_set_mode+0x7d/0xc0\n[  159.694174]  mlxsw_thermal_modules_init+0x48f/0x590 [mlxsw_core]\n[  159.700972]  ? mlxsw_thermal_set_cur_state+0x5a0/0x5a0 [mlxsw_core]\n[  159.731827]  mlxsw_thermal_init+0x763/0x880 [mlxsw_core]\n[  160.070233] RIP: 0033:0x7fd995909970\n[  160.074239] Code: 73 01 c3 48 8b 0d 28 d5 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 99 2d 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ..\n[  160.095242] RSP: 002b:00007fff54f5d938 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[  160.103722] RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 00007fd995909970\n[  160.111710] RDX: 0000000000000013 RSI: 0000000001906008 RDI: 0000000000000001\n[  160.119699] RBP: 0000000001906008 R08: 00007fd995bc9760 R09: 00007fd996210700\n[  160.127687] R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000013\n[  160.135673] R13: 0000000000000001 R14: 00007fd995bc8600 R15: 0000000000000013\n[  160.143671]\n[  160.145338] Allocated by task 2924:\n[  160.149242]  kasan_save_stack+0x19/0x40\n[  160.153541]  __kasan_kmalloc+0x7f/0xa0\n[  160.157743]  __kmalloc+0x1a2/0x2b0\n[  160.161552]  thermal_cooling_device_setup_sysfs+0xf9/0x1a0\n[  160.167687]  __thermal_cooling_device_register+0x1b5/0x500\n[  160.173833]  devm_thermal_of_cooling_device_register+0x60/0xa0\n[  160.180356]  mlxreg_fan_probe+0x474/0x5e0 [mlxreg_fan]\n[  160.248140]\n[  160.249807] The buggy address belongs to the object at ffff888116163400\n[  160.249807]  which belongs to the cache kmalloc-1k of size 1024\n[  160.263814] The buggy address is located 64 bytes to the right of\n[  160.263814]  1024-byte region [ffff888116163400, ffff888116163800)\n[  160.277536] The buggy address belongs to the page:\n[  160.282898] page:0000000012275840 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888116167000 pfn:0x116160\n[  160.294872] head:0000000012275840 order:3 compound_mapcount:0 compound_pincount:0\n[  160.303251] flags: 0x200000000010200(slab|head|node=0|zone=2)\n[  160.309694] raw: 0200000000010200 ffffea00046f7208 ffffea0004928208 ffff88810004dbc0\n[  160.318367] raw: ffff888116167000 00000000000a0006 00000001ffffffff 0000000000000000\n[  160.327033] page dumped because: kasan: bad access detected\n[  160.333270]\n[  160.334937] Memory state around the buggy address:\n[  160.356469] >ffff888116163800: fc ..(CVE-2021-47393)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nptp: Fix possible memory leak in ptp_clock_register()\r\n\r\nI got memory leak as follows when doing fault injection test:\r\n\r\nunreferenced object 0xffff88800906c618 (size 8):\n  comm \"i2c-idt82p33931\", pid 4421, jiffies 4294948083 (age 13.188s)\n  hex dump (first 8 bytes):\n    70 74 70 30 00 00 00 00                          ptp0....\n  backtrace:\n    [<00000000312ed458>] __kmalloc_track_caller+0x19f/0x3a0\n    [<0000000079f6e2ff>] kvasprintf+0xb5/0x150\n    [<0000000026aae54f>] kvasprintf_const+0x60/0x190\n    [<00000000f323a5f7>] kobject_set_name_vargs+0x56/0x150\n    [<000000004e35abdd>] dev_set_name+0xc0/0x100\n    [<00000000f20cfe25>] ptp_clock_register+0x9f4/0xd30 [ptp]\n    [<000000008bb9f0de>] idt82p33_probe.cold+0x8b6/0x1561 [ptp_idt82p33]\r\n\r\nWhen posix_clock_register() returns an error, the name allocated\nin dev_set_name() will be leaked, the put_device() should be used\nto give up the device reference, then the name will be freed in\nkobject_cleanup() and other memory will be freed in ptp_clock_release().(CVE-2021-47455)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: qla2xxx: Fix a memory leak in an error path of qla2x00_process_els()\r\n\r\nCommit 8c0eb596baa5 (\"[SCSI] qla2xxx: Fix a memory leak in an error path of\nqla2x00_process_els()\"), intended to change:\r\n\r\n        bsg_job->request->msgcode == FC_BSG_HST_ELS_NOLOGIN\r\n\r\n\n        bsg_job->request->msgcode != FC_BSG_RPT_ELS\r\n\r\nbut changed it to:\r\n\r\n        bsg_job->request->msgcode == FC_BSG_RPT_ELS\r\n\r\ninstead.\r\n\r\nChange the == to a != to avoid leaking the fcport structure or freeing\nunallocated memory.(CVE-2021-47473)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnvmem: Fix shift-out-of-bound (UBSAN) with byte size cells\r\n\r\nIf a cell has 'nbits' equal to a multiple of BITS_PER_BYTE the logic\r\n\r\n *p &= GENMASK((cell->nbits%BITS_PER_BYTE) - 1, 0);\r\n\r\nwill become undefined behavior because nbits modulo BITS_PER_BYTE is 0, and we\nsubtract one from that making a large number that is then shifted more than the\nnumber of bits that fit into an unsigned long.\r\n\r\nUBSAN reports this problem:\r\n\r\n UBSAN: shift-out-of-bounds in drivers/nvmem/core.c:1386:8\n shift exponent 64 is too large for 64-bit type 'unsigned long'\n CPU: 6 PID: 7 Comm: kworker/u16:0 Not tainted 5.15.0-rc3+ #9\n Hardware name: Google Lazor (rev3+) with KB Backlight (DT)\n Workqueue: events_unbound deferred_probe_work_func\n Call trace:\n  dump_backtrace+0x0/0x170\n  show_stack+0x24/0x30\n  dump_stack_lvl+0x64/0x7c\n  dump_stack+0x18/0x38\n  ubsan_epilogue+0x10/0x54\n  __ubsan_handle_shift_out_of_bounds+0x180/0x194\n  __nvmem_cell_read+0x1ec/0x21c\n  nvmem_cell_read+0x58/0x94\n  nvmem_cell_read_variable_common+0x4c/0xb0\n  nvmem_cell_read_variable_le_u32+0x40/0x100\n  a6xx_gpu_init+0x170/0x2f4\n  adreno_bind+0x174/0x284\n  component_bind_all+0xf0/0x264\n  msm_drm_bind+0x1d8/0x7a0\n  try_to_bring_up_master+0x164/0x1ac\n  __component_add+0xbc/0x13c\n  component_add+0x20/0x2c\n  dp_display_probe+0x340/0x384\n  platform_probe+0xc0/0x100\n  really_probe+0x110/0x304\n  __driver_probe_device+0xb8/0x120\n  driver_probe_device+0x4c/0xfc\n  __device_attach_driver+0xb0/0x128\n  bus_for_each_drv+0x90/0xdc\n  __device_attach+0xc8/0x174\n  device_initial_probe+0x20/0x2c\n  bus_probe_device+0x40/0xa4\n  deferred_probe_work_func+0x7c/0xb8\n  process_one_work+0x128/0x21c\n  process_scheduled_works+0x40/0x54\n  worker_thread+0x1ec/0x2a8\n  kthread+0x138/0x158\n  ret_from_fork+0x10/0x20\r\n\r\nFix it by making sure there are any bits to mask out.(CVE-2021-47497)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: mpt3sas: Fix use-after-free warning\r\n\r\nFix the following use-after-free warning which is observed during\ncontroller reset:\r\n\r\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 23 PID: 5399 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0xf0(CVE-2022-48695)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnvmet: fix a use-after-free\r\n\r\nFix the following use-after-free complaint triggered by blktests nvme/004:\r\n\r\nBUG: KASAN: user-memory-access in blk_mq_complete_request_remote+0xac/0x350\nRead of size 4 at addr 0000607bd1835943 by task kworker/13:1/460\nWorkqueue: nvmet-wq nvme_loop_execute_work [nvme_loop]\nCall Trace:\n show_stack+0x52/0x58\n dump_stack_lvl+0x49/0x5e\n print_report.cold+0x36/0x1e2\n kasan_report+0xb9/0xf0\n __asan_load4+0x6b/0x80\n blk_mq_complete_request_remote+0xac/0x350\n nvme_loop_queue_response+0x1df/0x275 [nvme_loop]\n __nvmet_req_complete+0x132/0x4f0 [nvmet]\n nvmet_req_complete+0x15/0x40 [nvmet]\n nvmet_execute_io_connect+0x18a/0x1f0 [nvmet]\n nvme_loop_execute_work+0x20/0x30 [nvme_loop]\n process_one_work+0x56e/0xa70\n worker_thread+0x2d1/0x640\n kthread+0x183/0x1c0\n ret_from_fork+0x1f/0x30(CVE-2022-48697)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc()\r\n\r\nThe voice allocator sometimes begins allocating from near the end of the\narray and then wraps around, however snd_emu10k1_pcm_channel_alloc()\naccesses the newly allocated voices as if it never wrapped around.\r\n\r\nThis results in out of bounds access if the first voice has a high enough\nindex so that first_voice + requested_voice_count > NUM_G (64).\nThe more voices are requested, the more likely it is for this to occur.\r\n\r\nThis was initially discovered using PipeWire, however it can be reproduced\nby calling aplay multiple times with 16 channels:\naplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero\r\n\r\nUBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40\nindex 65 is out of range for type 'snd_emu10k1_voice [64]'\nCPU: 1 PID: 31977 Comm: aplay Tainted: G        W IOE      6.0.0-rc2-emu10k1+ #7\nHardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002    07/22/2010\nCall Trace:\n<TASK>\ndump_stack_lvl+0x49/0x63\ndump_stack+0x10/0x16\nubsan_epilogue+0x9/0x3f\n__ubsan_handle_out_of_bounds.cold+0x44/0x49\nsnd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1]\nsnd_pcm_hw_params+0x29f/0x600 [snd_pcm]\nsnd_pcm_common_ioctl+0x188/0x1410 [snd_pcm]\n? exit_to_user_mode_prepare+0x35/0x170\n? do_syscall_64+0x69/0x90\n? syscall_exit_to_user_mode+0x26/0x50\n? do_syscall_64+0x69/0x90\n? exit_to_user_mode_prepare+0x35/0x170\nsnd_pcm_ioctl+0x27/0x40 [snd_pcm]\n__x64_sys_ioctl+0x95/0xd0\ndo_syscall_64+0x5c/0x90\n? do_syscall_64+0x69/0x90\n? do_syscall_64+0x69/0x90\nentry_SYSCALL_64_after_hwframe+0x63/0xcd(CVE-2022-48702)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/radeon: add a force flush to delay work when radeon\r\n\r\nAlthough radeon card fence and wait for gpu to finish processing current batch rings,\nthere is still a corner case that radeon lockup work queue may not be fully flushed,\nand meanwhile the radeon_suspend_kms() function has called pci_set_power_state() to\nput device in D3hot state.\nPer PCI spec rev 4.0 on 5.3.1.4.1 D3hot State.\n> Configuration and Message requests are the only TLPs accepted by a Function in\n> the D3hot state. All other received Requests must be handled as Unsupported Requests,\n> and all received Completions may optionally be handled as Unexpected Completions.\nThis issue will happen in following logs:\nUnable to handle kernel paging request at virtual address 00008800e0008010\nCPU 0 kworker/0:3(131): Oops 0\npc = [<ffffffff811bea5c>]  ra = [<ffffffff81240844>]  ps = 0000 Tainted: G        W\npc is at si_gpu_check_soft_reset+0x3c/0x240\nra is at si_dma_is_lockup+0x34/0xd0\nv0 = 0000000000000000  t0 = fff08800e0008010  t1 = 0000000000010000\nt2 = 0000000000008010  t3 = fff00007e3c00000  t4 = fff00007e3c00258\nt5 = 000000000000ffff  t6 = 0000000000000001  t7 = fff00007ef078000\ns0 = fff00007e3c016e8  s1 = fff00007e3c00000  s2 = fff00007e3c00018\ns3 = fff00007e3c00000  s4 = fff00007fff59d80  s5 = 0000000000000000\ns6 = fff00007ef07bd98\na0 = fff00007e3c00000  a1 = fff00007e3c016e8  a2 = 0000000000000008\na3 = 0000000000000001  a4 = 8f5c28f5c28f5c29  a5 = ffffffff810f4338\nt8 = 0000000000000275  t9 = ffffffff809b66f8  t10 = ff6769c5d964b800\nt11= 000000000000b886  pv = ffffffff811bea20  at = 0000000000000000\ngp = ffffffff81d89690  sp = 00000000aa814126\nDisabling lock debugging due to kernel taint\nTrace:\n[<ffffffff81240844>] si_dma_is_lockup+0x34/0xd0\n[<ffffffff81119610>] radeon_fence_check_lockup+0xd0/0x290\n[<ffffffff80977010>] process_one_work+0x280/0x550\n[<ffffffff80977350>] worker_thread+0x70/0x7c0\n[<ffffffff80977410>] worker_thread+0x130/0x7c0\n[<ffffffff80982040>] kthread+0x200/0x210\n[<ffffffff809772e0>] worker_thread+0x0/0x7c0\n[<ffffffff80981f8c>] kthread+0x14c/0x210\n[<ffffffff80911658>] ret_from_kernel_thread+0x18/0x20\n[<ffffffff80981e40>] kthread+0x0/0x210\n Code: ad3e0008  43f0074a  ad7e0018  ad9e0020  8c3001e8  40230101\n <88210000> 4821ed21\nSo force lockup work queue flush to fix this problem.(CVE-2022-48704)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/radeon: fix a possible null pointer dereference\r\n\r\nIn radeon_fp_native_mode(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.\r\n\r\nThe failure status of drm_cvt_mode() on the other path is checked too.(CVE-2022-48710)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/tegra: dsi: Add missing check for of_find_device_by_node\r\n\r\nAdd check for the return value of of_find_device_by_node() and return\nthe error if it fails in order to avoid NULL pointer dereference.(CVE-2023-52650)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nNTB: fix possible name leak in ntb_register_device()\r\n\r\nIf device_register() fails in ntb_register_device(), the device name\nallocated by dev_set_name() should be freed. As per the comment in\ndevice_register(), callers should use put_device() to give up the\nreference in the error path. So fix this by calling put_device() in the\nerror path so that the name can be freed in kobject_cleanup().\r\n\r\nAs a result of this, put_device() in the error path of\nntb_register_device() is removed and the actual error is returned.\r\n\r\n[mani: reworded commit message](CVE-2023-52652)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nSUNRPC: fix a memleak in gss_import_v2_context\r\n\r\nThe ctx->mech_used.data allocated by kmemdup is not freed in neither\ngss_import_v2_context nor it only caller gss_krb5_import_sec_context,\nwhich frees ctx on error.\r\n\r\nThus, this patch reform the last call of gss_import_v2_context to the\ngss_krb5_import_ctx_v2, preventing the memleak while keepping the return\nformation.(CVE-2023-52653)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nio_uring: drop any code related to SCM_RIGHTS\r\n\r\nThis is dead code after we dropped support for passing io_uring fds\nover SCM_RIGHTS, get rid of it.(CVE-2023-52656)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nACPI: LPIT: Avoid u32 multiplication overflow\r\n\r\nIn lpit_update_residency() there is a possibility of overflow\nin multiplication, if tsc_khz is large enough (> UINT_MAX/1000).\r\n\r\nChange multiplication to mul_u32_u32().\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2023-52683)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/pm: fix a double-free in si_dpm_init\r\n\r\nWhen the allocation of\nadev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries fails,\namdgpu_free_extended_power_table is called to free some fields of adev.\nHowever, when the control flow returns to si_dpm_sw_init, it goes to\nlabel dpm_failed and calls si_dpm_fini, which calls\namdgpu_free_extended_power_table again and free those fields again. Thus\na double-free is triggered.(CVE-2023-52691)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncalipso: fix memory leak in netlbl_calipso_add_pass()\r\n\r\nIf IPv6 support is disabled at boot (ipv6.disable=1),\nthe calipso_init() -> netlbl_calipso_ops_register() function isn't called,\nand the netlbl_calipso_ops_get() function always returns NULL.\nIn this case, the netlbl_calipso_add_pass() function allocates memory\nfor the doi_def variable but doesn't free it with the calipso_doi_free().\r\n\r\nBUG: memory leak\nunreferenced object 0xffff888011d68180 (size 64):\n  comm \"syz-executor.1\", pid 10746, jiffies 4295410986 (age 17.928s)\n  hex dump (first 32 bytes):\n    00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<...>] kmalloc include/linux/slab.h:552 [inline]\n    [<...>] netlbl_calipso_add_pass net/netlabel/netlabel_calipso.c:76 [inline]\n    [<...>] netlbl_calipso_add+0x22e/0x4f0 net/netlabel/netlabel_calipso.c:111\n    [<...>] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739\n    [<...>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n    [<...>] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800\n    [<...>] netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2515\n    [<...>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:811\n    [<...>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n    [<...>] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1339\n    [<...>] netlink_sendmsg+0x90a/0xdf0 net/netlink/af_netlink.c:1934\n    [<...>] sock_sendmsg_nosec net/socket.c:651 [inline]\n    [<...>] sock_sendmsg+0x157/0x190 net/socket.c:671\n    [<...>] ____sys_sendmsg+0x712/0x870 net/socket.c:2342\n    [<...>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2396\n    [<...>] __sys_sendmsg+0xea/0x1b0 net/socket.c:2429\n    [<...>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46\n    [<...>] entry_SYSCALL_64_after_hwframe+0x61/0xc6\r\n\r\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller\r\n\r\n[PM: merged via the LSM tree at Jakub Kicinski request](CVE-2023-52698)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: pcrypt - Fix hungtask for PADATA_RESET\r\n\r\nWe found a hungtask bug in test_aead_vec_cfg as follows:\r\n\r\nINFO: task cryptomgr_test:391009 blocked for more than 120 seconds.\n\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\nCall trace:\n __switch_to+0x98/0xe0\n __schedule+0x6c4/0xf40\n schedule+0xd8/0x1b4\n schedule_timeout+0x474/0x560\n wait_for_common+0x368/0x4e0\n wait_for_completion+0x20/0x30\n wait_for_completion+0x20/0x30\n test_aead_vec_cfg+0xab4/0xd50\n test_aead+0x144/0x1f0\n alg_test_aead+0xd8/0x1e0\n alg_test+0x634/0x890\n cryptomgr_test+0x40/0x70\n kthread+0x1e0/0x220\n ret_from_fork+0x10/0x18\n Kernel panic - not syncing: hung_task: blocked tasks\r\n\r\nFor padata_do_parallel, when the return err is 0 or -EBUSY, it will call\nwait_for_completion(&wait->completion) in test_aead_vec_cfg. In normal\ncase, aead_request_complete() will be called in pcrypt_aead_serial and the\nreturn err is 0 for padata_do_parallel. But, when pinst->flags is\nPADATA_RESET, the return err is -EBUSY for padata_do_parallel, and it\nwon't call aead_request_complete(). Therefore, test_aead_vec_cfg will\nhung at wait_for_completion(&wait->completion), which will cause\nhungtask.\r\n\r\nThe problem comes as following:\n(padata_do_parallel)                 |\n    rcu_read_lock_bh();              |\n    err = -EINVAL;                   |   (padata_replace)\n                                     |     pinst->flags |= PADATA_RESET;\n    err = -EBUSY                     |\n    if (pinst->flags & PADATA_RESET) |\n        rcu_read_unlock_bh()         |\n        return err\r\n\r\nIn order to resolve the problem, we replace the return err -EBUSY with\n-EAGAIN, which means parallel_data is changing, and the caller should call\nit again.\r\n\r\nv3:\nremove retry and just change the return err.\nv2:\nintroduce padata_try_do_parallel() in pcrypt_aead_encrypt and\npcrypt_aead_decrypt to solve the hungtask.(CVE-2023-52813)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL\r\n\r\nIn certain types of chips, such as VEGA20, reading the amdgpu_regs_smc file could result in an abnormal null pointer access when the smc_rreg pointer is NULL. Below are the steps to reproduce this issue and the corresponding exception log:\r\n\r\n1. Navigate to the directory: /sys/kernel/debug/dri/0\n2. Execute command: cat amdgpu_regs_smc\n3. Exception Log::\n[4005007.702554] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[4005007.702562] #PF: supervisor instruction fetch in kernel mode\n[4005007.702567] #PF: error_code(0x0010) - not-present page\n[4005007.702570] PGD 0 P4D 0\n[4005007.702576] Oops: 0010 [#1] SMP NOPTI\n[4005007.702581] CPU: 4 PID: 62563 Comm: cat Tainted: G           OE     5.15.0-43-generic #46-Ubunt       u\n[4005007.702590] RIP: 0010:0x0\n[4005007.702598] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.\n[4005007.702600] RSP: 0018:ffffa82b46d27da0 EFLAGS: 00010206\n[4005007.702605] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffa82b46d27e68\n[4005007.702609] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9940656e0000\n[4005007.702612] RBP: ffffa82b46d27dd8 R08: 0000000000000000 R09: ffff994060c07980\n[4005007.702615] R10: 0000000000020000 R11: 0000000000000000 R12: 00007f5e06753000\n[4005007.702618] R13: ffff9940656e0000 R14: ffffa82b46d27e68 R15: 00007f5e06753000\n[4005007.702622] FS:  00007f5e0755b740(0000) GS:ffff99479d300000(0000) knlGS:0000000000000000\n[4005007.702626] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[4005007.702629] CR2: ffffffffffffffd6 CR3: 00000003253fc000 CR4: 00000000003506e0\n[4005007.702633] Call Trace:\n[4005007.702636]  <TASK>\n[4005007.702640]  amdgpu_debugfs_regs_smc_read+0xb0/0x120 [amdgpu]\n[4005007.703002]  full_proxy_read+0x5c/0x80\n[4005007.703011]  vfs_read+0x9f/0x1a0\n[4005007.703019]  ksys_read+0x67/0xe0\n[4005007.703023]  __x64_sys_read+0x19/0x20\n[4005007.703028]  do_syscall_64+0x5c/0xc0\n[4005007.703034]  ? do_user_addr_fault+0x1e3/0x670\n[4005007.703040]  ? exit_to_user_mode_prepare+0x37/0xb0\n[4005007.703047]  ? irqentry_exit_to_user_mode+0x9/0x20\n[4005007.703052]  ? irqentry_exit+0x19/0x30\n[4005007.703057]  ? exc_page_fault+0x89/0x160\n[4005007.703062]  ? asm_exc_page_fault+0x8/0x30\n[4005007.703068]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[4005007.703075] RIP: 0033:0x7f5e07672992\n[4005007.703079] Code: c0 e9 b2 fe ff ff 50 48 8d 3d fa b2 0c 00 e8 c5 1d 02 00 0f 1f 44 00 00 f3 0f        1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 e       c 28 48 89 54 24\n[4005007.703083] RSP: 002b:00007ffe03097898 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[4005007.703088] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5e07672992\n[4005007.703091] RDX: 0000000000020000 RSI: 00007f5e06753000 RDI: 0000000000000003\n[4005007.703094] RBP: 00007f5e06753000 R08: 00007f5e06752010 R09: 00007f5e06752010\n[4005007.703096] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000022000\n[4005007.703099] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000\n[4005007.703105]  </TASK>\n[4005007.703107] Modules linked in: nf_tables libcrc32c nfnetlink algif_hash af_alg binfmt_misc nls_       iso8859_1 ipmi_ssif ast intel_rapl_msr intel_rapl_common drm_vram_helper drm_ttm_helper amd64_edac t       tm edac_mce_amd kvm_amd ccp mac_hid k10temp kvm acpi_ipmi ipmi_si rapl sch_fq_codel ipmi_devintf ipm       i_msghandler msr parport_pc ppdev lp parport mtd pstore_blk efi_pstore ramoops pstore_zone reed_solo       mon ip_tables x_tables autofs4 ib_uverbs ib_core amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) iommu_v       2 amd_sched(OE) amdkcl(OE) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec rc_core        drm igb ahci xhci_pci libahci i2c_piix4 i2c_algo_bit xhci_pci_renesas dca\n[4005007.703184] CR2: 0000000000000000\n[4005007.703188] ---[ en\n---truncated---(CVE-2023-52817)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd: Fix UBSAN array-index-out-of-bounds for SMU7\r\n\r\nFor pptable structs that use flexible array sizes, use flexible arrays.(CVE-2023-52818)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nperf/core: Bail out early if the request AUX area is out of bound\r\n\r\nWhen perf-record with a large AUX area, e.g 4GB, it fails with:\r\n\r\n    #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1\n    failed to mmap with 12 (Cannot allocate memory)\r\n\r\nand it reveals a WARNING with __alloc_pages():\r\n\r\n\t------------[ cut here ]------------\n\tWARNING: CPU: 44 PID: 17573 at mm/page_alloc.c:5568 __alloc_pages+0x1ec/0x248\n\tCall trace:\n\t __alloc_pages+0x1ec/0x248\n\t __kmalloc_large_node+0xc0/0x1f8\n\t __kmalloc_node+0x134/0x1e8\n\t rb_alloc_aux+0xe0/0x298\n\t perf_mmap+0x440/0x660\n\t mmap_region+0x308/0x8a8\n\t do_mmap+0x3c0/0x528\n\t vm_mmap_pgoff+0xf4/0x1b8\n\t ksys_mmap_pgoff+0x18c/0x218\n\t __arm64_sys_mmap+0x38/0x58\n\t invoke_syscall+0x50/0x128\n\t el0_svc_common.constprop.0+0x58/0x188\n\t do_el0_svc+0x34/0x50\n\t el0_svc+0x34/0x108\n\t el0t_64_sync_handler+0xb8/0xc0\n\t el0t_64_sync+0x1a4/0x1a8\r\n\r\n'rb->aux_pages' allocated by kcalloc() is a pointer array which is used to\nmaintains AUX trace pages. The allocated page for this array is physically\ncontiguous (and virtually contiguous) with an order of 0..MAX_ORDER. If the\nsize of pointer array crosses the limitation set by MAX_ORDER, it reveals a\nWARNING.\r\n\r\nSo bail out early with -ENOMEM if the request AUX area is out of bound,\ne.g.:\r\n\r\n    #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1\n    failed to mmap with 12 (Cannot allocate memory)(CVE-2023-52835)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nInput: synaptics-rmi4 - fix use after free in rmi_unregister_function()\r\n\r\nThe put_device() calls rmi_release_function() which frees \"fn\" so the\ndereference on the next line \"fn->num_of_irqs\" is a use after free.\nMove the put_device() to the end to fix this.(CVE-2023-52840)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: bttv: fix use after free error due to btv->timeout timer\r\n\r\nThere may be some a race condition between timer function\nbttv_irq_timeout and bttv_remove. The timer is setup in\nprobe and there is no timer_delete operation in remove\nfunction. When it hit kfree btv, the function might still be\ninvoked, which will cause use after free bug.\r\n\r\nThis bug is found by static analysis, it may be false positive.\r\n\r\nFix it by adding del_timer_sync invoking to the remove function.\r\n\r\ncpu0                cpu1\n                  bttv_probe\n                    ->timer_setup\n                      ->bttv_set_dma\n                        ->mod_timer;\nbttv_remove\n  ->kfree(btv);\n                  ->bttv_irq_timeout\n                    ->USE btv(CVE-2023-52847)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/radeon: possible buffer overflow\r\n\r\nBuffer 'afmt_status' of size 6 could overflow, since index 'afmt_idx' is\nchecked after access.(CVE-2023-52867)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nthermal: core: prevent potential string overflow\r\n\r\nThe dev->id value comes from ida_alloc() so it's a number between zero\nand INT_MAX.  If it's too high then these sprintf()s will overflow.(CVE-2023-52868)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: prevent kernel bug at submit_bh_wbc()\r\n\r\nFix a bug where nilfs_get_block() returns a successful status when\nsearching and inserting the specified block both fail inconsistently.  If\nthis inconsistent behavior is not due to a previously fixed bug, then an\nunexpected race is occurring, so return a temporary error -EAGAIN instead.\r\n\r\nThis prevents callers such as __block_write_begin_int() from requesting a\nread into a buffer that is not mapped, which would cause the BUG_ON check\nfor the BH_Mapped flag in submit_bh_wbc() to fail.(CVE-2024-26955)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix failure to detect DAT corruption in btree and direct mappings\r\n\r\nPatch series \"nilfs2: fix kernel bug at submit_bh_wbc()\".\r\n\r\nThis resolves a kernel BUG reported by syzbot.  Since there are two\nflaws involved, I've made each one a separate patch.\r\n\r\nThe first patch alone resolves the syzbot-reported bug, but I think\nboth fixes should be sent to stable, so I've tagged them as such.\r\n\r\n\nThis patch (of 2):\r\n\r\nSyzbot has reported a kernel bug in submit_bh_wbc() when writing file data\nto a nilfs2 file system whose metadata is corrupted.\r\n\r\nThere are two flaws involved in this issue.\r\n\r\nThe first flaw is that when nilfs_get_block() locates a data block using\nbtree or direct mapping, if the disk address translation routine\nnilfs_dat_translate() fails with internal code -ENOENT due to DAT metadata\ncorruption, it can be passed back to nilfs_get_block().  This causes\nnilfs_get_block() to misidentify an existing block as non-existent,\ncausing both data block lookup and insertion to fail inconsistently.\r\n\r\nThe second flaw is that nilfs_get_block() returns a successful status in\nthis inconsistent state.  This causes the caller __block_write_begin_int()\nor others to request a read even though the buffer is not mapped,\nresulting in a BUG_ON check for the BH_Mapped flag in submit_bh_wbc()\nfailing.\r\n\r\nThis fixes the first issue by changing the return value to code -EINVAL\nwhen a conversion using DAT fails with code -ENOENT, avoiding the\nconflicting condition that leads to the kernel bug described above.  Here,\ncode -EINVAL indicates that metadata corruption was detected during the\nblock lookup, which will be properly handled as a file system error and\nconverted to -EIO when passing through the nilfs2 bmap layer.(CVE-2024-26956)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/zcrypt: fix reference counting on zcrypt card objects\r\n\r\nTests with hot-plugging crytpo cards on KVM guests with debug\nkernel build revealed an use after free for the load field of\nthe struct zcrypt_card. The reason was an incorrect reference\nhandling of the zcrypt card object which could lead to a free\nof the zcrypt card object while it was still in use.\r\n\r\nThis is an example of the slab message:\r\n\r\n    kernel: 0x00000000885a7512-0x00000000885a7513 @offset=1298. First byte 0x68 instead of 0x6b\n    kernel: Allocated in zcrypt_card_alloc+0x36/0x70 [zcrypt] age=18046 cpu=3 pid=43\n    kernel:  kmalloc_trace+0x3f2/0x470\n    kernel:  zcrypt_card_alloc+0x36/0x70 [zcrypt]\n    kernel:  zcrypt_cex4_card_probe+0x26/0x380 [zcrypt_cex4]\n    kernel:  ap_device_probe+0x15c/0x290\n    kernel:  really_probe+0xd2/0x468\n    kernel:  driver_probe_device+0x40/0xf0\n    kernel:  __device_attach_driver+0xc0/0x140\n    kernel:  bus_for_each_drv+0x8c/0xd0\n    kernel:  __device_attach+0x114/0x198\n    kernel:  bus_probe_device+0xb4/0xc8\n    kernel:  device_add+0x4d2/0x6e0\n    kernel:  ap_scan_adapter+0x3d0/0x7c0\n    kernel:  ap_scan_bus+0x5a/0x3b0\n    kernel:  ap_scan_bus_wq_callback+0x40/0x60\n    kernel:  process_one_work+0x26e/0x620\n    kernel:  worker_thread+0x21c/0x440\n    kernel: Freed in zcrypt_card_put+0x54/0x80 [zcrypt] age=9024 cpu=3 pid=43\n    kernel:  kfree+0x37e/0x418\n    kernel:  zcrypt_card_put+0x54/0x80 [zcrypt]\n    kernel:  ap_device_remove+0x4c/0xe0\n    kernel:  device_release_driver_internal+0x1c4/0x270\n    kernel:  bus_remove_device+0x100/0x188\n    kernel:  device_del+0x164/0x3c0\n    kernel:  device_unregister+0x30/0x90\n    kernel:  ap_scan_adapter+0xc8/0x7c0\n    kernel:  ap_scan_bus+0x5a/0x3b0\n    kernel:  ap_scan_bus_wq_callback+0x40/0x60\n    kernel:  process_one_work+0x26e/0x620\n    kernel:  worker_thread+0x21c/0x440\n    kernel:  kthread+0x150/0x168\n    kernel:  __ret_from_fork+0x3c/0x58\n    kernel:  ret_from_fork+0xa/0x30\n    kernel: Slab 0x00000372022169c0 objects=20 used=18 fp=0x00000000885a7c88 flags=0x3ffff00000000a00(workingset|slab|node=0|zone=1|lastcpupid=0x1ffff)\n    kernel: Object 0x00000000885a74b8 @offset=1208 fp=0x00000000885a7c88\n    kernel: Redzone  00000000885a74b0: bb bb bb bb bb bb bb bb                          ........\n    kernel: Object   00000000885a74b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a7508: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 68 4b 6b 6b 6b a5  kkkkkkkkkkhKkkk.\n    kernel: Redzone  00000000885a7518: bb bb bb bb bb bb bb bb                          ........\n    kernel: Padding  00000000885a756c: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a              ZZZZZZZZZZZZ\n    kernel: CPU: 0 PID: 387 Comm: systemd-udevd Not tainted 6.8.0-HF #2\n    kernel: Hardware name: IBM 3931 A01 704 (KVM/Linux)\n    kernel: Call Trace:\n    kernel:  [<00000000ca5ab5b8>] dump_stack_lvl+0x90/0x120\n    kernel:  [<00000000c99d78bc>] check_bytes_and_report+0x114/0x140\n    kernel:  [<00000000c99d53cc>] check_object+0x334/0x3f8\n    kernel:  [<00000000c99d820c>] alloc_debug_processing+0xc4/0x1f8\n    kernel:  [<00000000c99d852e>] get_partial_node.part.0+0x1ee/0x3e0\n    kernel:  [<00000000c99d94ec>] ___slab_alloc+0xaf4/0x13c8\n    kernel:  [<00000000c99d9e38>] __slab_alloc.constprop.0+0x78/0xb8\n    kernel:  [<00000000c99dc8dc>] __kmalloc+0x434/0x590\n    kernel:  [<00000000c9b4c0ce>] ext4_htree_store_dirent+0x4e/0x1c0\n    kernel:  [<00000000c9b908a2>] htree_dirblock_to_tree+0x17a/0x3f0\n    kernel: \n---truncated---(CVE-2024-26957)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfs: fix UAF in direct writes\r\n\r\nIn production we have been hitting the following warning consistently\r\n\r\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0\nWorkqueue: nfsiod nfs_direct_write_schedule_work [nfs]\nRIP: 0010:refcount_warn_saturate+0x9c/0xe0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? __warn+0x9f/0x130\n ? refcount_warn_saturate+0x9c/0xe0\n ? report_bug+0xcc/0x150\n ? handle_bug+0x3d/0x70\n ? exc_invalid_op+0x16/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? refcount_warn_saturate+0x9c/0xe0\n nfs_direct_write_schedule_work+0x237/0x250 [nfs]\n process_one_work+0x12f/0x4a0\n worker_thread+0x14e/0x3b0\n ? ZSTD_getCParams_internal+0x220/0x220\n kthread+0xdc/0x120\n ? __btf_name_valid+0xa0/0xa0\n ret_from_fork+0x1f/0x30\r\n\r\nThis is because we're completing the nfs_direct_request twice in a row.\r\n\r\nThe source of this is when we have our commit requests to submit, we\nprocess them and send them off, and then in the completion path for the\ncommit requests we have\r\n\r\nif (nfs_commit_end(cinfo.mds))\n\tnfs_direct_write_complete(dreq);\r\n\r\nHowever since we're submitting asynchronous requests we sometimes have\none that completes before we submit the next one, so we end up calling\ncomplete on the nfs_direct_request twice.\r\n\r\nThe only other place we use nfs_generic_commit_list() is in\n__nfs_commit_inode, which wraps this call in a\r\n\r\nnfs_commit_begin();\nnfs_commit_end();\r\n\r\nWhich is a common pattern for this style of completion handling, one\nthat is also repeated in the direct code with get_dreq()/put_dreq()\ncalls around where we process events as well as in the completion paths.\r\n\r\nFix this by using the same pattern for the commit requests.\r\n\r\nBefore with my 200 node rocksdb stress running this warning would pop\nevery 10ish minutes.  With my patch the stress test has been running for\nseveral hours without popping.(CVE-2024-26958)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm: swap: fix race between free_swap_and_cache() and swapoff()\r\n\r\nThere was previously a theoretical window where swapoff() could run and\nteardown a swap_info_struct while a call to free_swap_and_cache() was\nrunning in another thread.  This could cause, amongst other bad\npossibilities, swap_page_trans_huge_swapped() (called by\nfree_swap_and_cache()) to access the freed memory for swap_map.\r\n\r\nThis is a theoretical problem and I haven't been able to provoke it from a\ntest case.  But there has been agreement based on code review that this is\npossible (see link below).\r\n\r\nFix it by using get_swap_device()/put_swap_device(), which will stall\nswapoff().  There was an extra check in _swap_info_get() to confirm that\nthe swap entry was not free.  This isn't present in get_swap_device()\nbecause it doesn't make sense in general due to the race between getting\nthe reference and swapoff.  So I've added an equivalent check directly in\nfree_swap_and_cache().\r\n\r\nDetails of how to provoke one possible issue (thanks to David Hildenbrand\nfor deriving this):\r\n\r\n--8<-----\r\n\r\n__swap_entry_free() might be the last user and result in\n\"count == SWAP_HAS_CACHE\".\r\n\r\nswapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0.\r\n\r\nSo the question is: could someone reclaim the folio and turn\nsi->inuse_pages==0, before we completed swap_page_trans_huge_swapped().\r\n\r\nImagine the following: 2 MiB folio in the swapcache. Only 2 subpages are\nstill references by swap entries.\r\n\r\nProcess 1 still references subpage 0 via swap entry.\nProcess 2 still references subpage 1 via swap entry.\r\n\r\nProcess 1 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n[then, preempted in the hypervisor etc.]\r\n\r\nProcess 2 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\r\n\r\nProcess 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls\n__try_to_reclaim_swap().\r\n\r\n__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()->\nput_swap_folio()->free_swap_slot()->swapcache_free_entries()->\nswap_entry_free()->swap_range_free()->\n...\nWRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries);\r\n\r\nWhat stops swapoff to succeed after process 2 reclaimed the swap cache\nbut before process1 finished its call to swap_page_trans_huge_swapped()?\r\n\r\n--8<-----(CVE-2024-26960)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmac802154: fix llsec key resources release in mac802154_llsec_key_del\r\n\r\nmac802154_llsec_key_del() can free resources of a key directly without\nfollowing the RCU rules for waiting before the end of a grace period. This\nmay lead to use-after-free in case llsec_lookup_key() is traversing the\nlist of keys in parallel with a key deletion:\r\n\r\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0\nModules linked in:\nCPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x162/0x2a0\nCall Trace:\n <TASK>\n llsec_lookup_key.isra.0+0x890/0x9e0\n mac802154_llsec_encrypt+0x30c/0x9c0\n ieee802154_subif_start_xmit+0x24/0x1e0\n dev_hard_start_xmit+0x13e/0x690\n sch_direct_xmit+0x2ae/0xbc0\n __dev_queue_xmit+0x11dd/0x3c20\n dgram_sendmsg+0x90b/0xd60\n __sys_sendto+0x466/0x4c0\n __x64_sys_sendto+0xe0/0x1c0\n do_syscall_64+0x45/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\nAlso, ieee802154_llsec_key_entry structures are not freed by\nmac802154_llsec_key_del():\r\n\r\nunreferenced object 0xffff8880613b6980 (size 64):\n  comm \"iwpan\", pid 2176, jiffies 4294761134 (age 60.475s)\n  hex dump (first 32 bytes):\n    78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de  x.......\".......\n    00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00  ................\n  backtrace:\n    [<ffffffff81dcfa62>] __kmem_cache_alloc_node+0x1e2/0x2d0\n    [<ffffffff81c43865>] kmalloc_trace+0x25/0xc0\n    [<ffffffff88968b09>] mac802154_llsec_key_add+0xac9/0xcf0\n    [<ffffffff8896e41a>] ieee802154_add_llsec_key+0x5a/0x80\n    [<ffffffff8892adc6>] nl802154_add_llsec_key+0x426/0x5b0\n    [<ffffffff86ff293e>] genl_family_rcv_msg_doit+0x1fe/0x2f0\n    [<ffffffff86ff46d1>] genl_rcv_msg+0x531/0x7d0\n    [<ffffffff86fee7a9>] netlink_rcv_skb+0x169/0x440\n    [<ffffffff86ff1d88>] genl_rcv+0x28/0x40\n    [<ffffffff86fec15c>] netlink_unicast+0x53c/0x820\n    [<ffffffff86fecd8b>] netlink_sendmsg+0x93b/0xe60\n    [<ffffffff86b91b35>] ____sys_sendmsg+0xac5/0xca0\n    [<ffffffff86b9c3dd>] ___sys_sendmsg+0x11d/0x1c0\n    [<ffffffff86b9c65a>] __sys_sendmsg+0xfa/0x1d0\n    [<ffffffff88eadbf5>] do_syscall_64+0x45/0xf0\n    [<ffffffff890000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\nHandle the proper resource release in the RCU callback function\nmac802154_llsec_key_del_rcu().\r\n\r\nNote that if llsec_lookup_key() finds a key, it gets a refcount via\nllsec_key_get() and locally copies key id from key_entry (which is a\nlist element). So it's safe to call llsec_key_put() and free the list\nentry after the RCU grace period elapses.\r\n\r\nFound by Linux Verification Center (linuxtesting.org).(CVE-2024-26961)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: qcom: mmcc-msm8974: fix terminating of frequency table arrays\r\n\r\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\r\n\r\nOnly compile tested.(CVE-2024-26965)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: qcom: mmcc-apq8084: fix terminating of frequency table arrays\r\n\r\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\r\n\r\nOnly compile tested.(CVE-2024-26966)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: qcom: gcc-ipq8074: fix terminating of frequency table arrays\r\n\r\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\r\n\r\nOnly compile tested.(CVE-2024-26969)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: qat - resolve race condition during AER recovery\r\n\r\nDuring the PCI AER system's error recovery process, the kernel driver\nmay encounter a race condition with freeing the reset_data structure's\nmemory. If the device restart will take more than 10 seconds the function\nscheduling that restart will exit due to a timeout, and the reset_data\nstructure will be freed. However, this data structure is used for\ncompletion notification after the restart is completed, which leads\nto a UAF bug.\r\n\r\nThis results in a KFENCE bug notice.\r\n\r\n  BUG: KFENCE: use-after-free read in adf_device_reset_worker+0x38/0xa0 [intel_qat]\n  Use-after-free read at 0x00000000bc56fddf (in kfence-#142):\n  adf_device_reset_worker+0x38/0xa0 [intel_qat]\n  process_one_work+0x173/0x340\r\n\r\nTo resolve this race condition, the memory associated to the container\nof the work_struct is freed on the worker if the timeout expired,\notherwise on the function that schedules the worker.\nThe timeout detection can be done by checking if the caller is\nstill waiting for completion or not by using completion_done() function.(CVE-2024-26974)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: Always flush async #PF workqueue when vCPU is being destroyed\r\n\r\nAlways flush the per-vCPU async #PF workqueue when a vCPU is clearing its\ncompletion queue, e.g. when a VM and all its vCPUs is being destroyed.\nKVM must ensure that none of its workqueue callbacks is running when the\nlast reference to the KVM _module_ is put.  Gifting a reference to the\nassociated VM prevents the workqueue callback from dereferencing freed\nvCPU/VM memory, but does not prevent the KVM module from being unloaded\nbefore the callback completes.\r\n\r\nDrop the misguided VM refcount gifting, as calling kvm_put_kvm() from\nasync_pf_execute() if kvm_put_kvm() flushes the async #PF workqueue will\nresult in deadlock.  async_pf_execute() can't return until kvm_put_kvm()\nfinishes, and kvm_put_kvm() can't return until async_pf_execute() finishes:\r\n\r\n WARNING: CPU: 8 PID: 251 at virt/kvm/kvm_main.c:1435 kvm_put_kvm+0x2d/0x320 [kvm]\n Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel kvm irqbypass\n CPU: 8 PID: 251 Comm: kworker/8:1 Tainted: G        W          6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n Workqueue: events async_pf_execute [kvm]\n RIP: 0010:kvm_put_kvm+0x2d/0x320 [kvm]\n Call Trace:\n  <TASK>\n  async_pf_execute+0x198/0x260 [kvm]\n  process_one_work+0x145/0x2d0\n  worker_thread+0x27e/0x3a0\n  kthread+0xba/0xe0\n  ret_from_fork+0x2d/0x50\n  ret_from_fork_asm+0x11/0x20\n  </TASK>\n ---[ end trace 0000000000000000 ]---\n INFO: task kworker/8:1:251 blocked for more than 120 seconds.\n       Tainted: G        W          6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/8:1     state:D stack:0     pid:251   ppid:2      flags:0x00004000\n Workqueue: events async_pf_execute [kvm]\n Call Trace:\n  <TASK>\n  __schedule+0x33f/0xa40\n  schedule+0x53/0xc0\n  schedule_timeout+0x12a/0x140\n  __wait_for_common+0x8d/0x1d0\n  __flush_work.isra.0+0x19f/0x2c0\n  kvm_clear_async_pf_completion_queue+0x129/0x190 [kvm]\n  kvm_arch_destroy_vm+0x78/0x1b0 [kvm]\n  kvm_put_kvm+0x1c1/0x320 [kvm]\n  async_pf_execute+0x198/0x260 [kvm]\n  process_one_work+0x145/0x2d0\n  worker_thread+0x27e/0x3a0\n  kthread+0xba/0xe0\n  ret_from_fork+0x2d/0x50\n  ret_from_fork_asm+0x11/0x20\n  </TASK>\r\n\r\nIf kvm_clear_async_pf_completion_queue() actually flushes the workqueue,\nthen there's no need to gift async_pf_execute() a reference because all\ninvocations of async_pf_execute() will be forced to complete before the\nvCPU and its VM are destroyed/freed.  And that in turn fixes the module\nunloading bug as __fput() won't do module_put() on the last vCPU reference\nuntil the vCPU has been freed, e.g. if closing the vCPU file also puts the\nlast reference to the KVM module.\r\n\r\nNote that kvm_check_async_pf_completion() may also take the work item off\nthe completion queue and so also needs to flush the work queue, as the\nwork will not be seen by kvm_clear_async_pf_completion_queue().  Waiting\non the workqueue could theoretically delay a vCPU due to waiting for the\nwork to complete, but that's a very, very small chance, and likely a very\nsmall delay.  kvm_arch_async_page_present_queued() unconditionally makes a\nnew request, i.e. will effectively delay entering the guest, so the\nremaining work is really just:\r\n\r\n        trace_kvm_async_pf_completed(addr, cr2_or_gpa);\r\n\r\n        __kvm_vcpu_wake_up(vcpu);\r\n\r\n        mmput(mm);\r\n\r\nand mmput() can't drop the last reference to the page tables if the vCPU is\nstill alive, i.e. the vCPU won't get stuck tearing down page tables.\r\n\r\nAdd a helper to do the flushing, specifically to deal with \"wakeup all\"\nwork items, as they aren't actually work items, i.e. are never placed in a\nworkqueue.  Trying to flush a bogus workqueue entry rightly makes\n__flush_work() complain (kudos to whoever added that sanity check).\r\n\r\nNote, commit 5f6de5cbebee (\"KVM: Prevent module exit until al\n---truncated---(CVE-2024-26976)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix OOB in nilfs_set_de_type\r\n\r\nThe size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is\ndefined as \"S_IFMT >> S_SHIFT\", but the nilfs_set_de_type() function,\nwhich uses this array, specifies the index to read from the array in the\nsame way as \"(mode & S_IFMT) >> S_SHIFT\".\r\n\r\nstatic void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode\n *inode)\n{\n\tumode_t mode = inode->i_mode;\r\n\r\n\tde->file_type = nilfs_type_by_mode[(mode & S_IFMT)>>S_SHIFT]; // oob\n}\r\n\r\nHowever, when the index is determined this way, an out-of-bounds (OOB)\nerror occurs by referring to an index that is 1 larger than the array size\nwhen the condition \"mode & S_IFMT == S_IFMT\" is satisfied.  Therefore, a\npatch to resize the nilfs_type_by_mode array should be applied to prevent\nOOB errors.(CVE-2024-26981)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nSquashfs: check the inode number is not the invalid value of zero\r\n\r\nSyskiller has produced an out of bounds access in fill_meta_index().\r\n\r\nThat out of bounds access is ultimately caused because the inode\nhas an inode number with the invalid value of zero, which was not checked.\r\n\r\nThe reason this causes the out of bounds access is due to following\nsequence of events:\r\n\r\n1. Fill_meta_index() is called to allocate (via empty_meta_index())\n   and fill a metadata index.  It however suffers a data read error\n   and aborts, invalidating the newly returned empty metadata index.\n   It does this by setting the inode number of the index to zero,\n   which means unused (zero is not a valid inode number).\r\n\r\n2. When fill_meta_index() is subsequently called again on another\n   read operation, locate_meta_index() returns the previous index\n   because it matches the inode number of 0.  Because this index\n   has been returned it is expected to have been filled, and because\n   it hasn't been, an out of bounds access is performed.\r\n\r\nThis patch adds a sanity check which checks that the inode number\nis not zero when the inode is created and returns -EINVAL if it is.\r\n\r\n[phillip@squashfs.org.uk: whitespace fix]\n  Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk(CVE-2024-26982)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs: sysfs: Fix reference leak in sysfs_break_active_protection()\r\n\r\nThe sysfs_break_active_protection() routine has an obvious reference\nleak in its error path.  If the call to kernfs_find_and_get() fails then\nkn will be NULL, so the companion sysfs_unbreak_active_protection()\nroutine won't get called (and would only cause an access violation by\ntrying to dereference kn->parent if it was called).  As a result, the\nreference to kobj acquired at the start of the function will never be\nreleased.\r\n\r\nFix the leak by adding an explicit kobject_put() call when kn is NULL.(CVE-2024-26993)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nspeakup: Avoid crash on very long word\r\n\r\nIn case a console is set up really large and contains a really long word\n(> 256 characters), we have to stop before the length of the word buffer.(CVE-2024-26994)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error\r\n\r\nWhen ncm function is working and then stop usb0 interface for link down,\neth_stop() is called. At this piont, accidentally if usb transport error\nshould happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.\r\n\r\nAfter that, ncm_disable() is called to disable for ncm unbind\nbut gether_disconnect() is never called since 'in_ep' is not enabled.\r\n\r\nAs the result, ncm object is released in ncm unbind\nbut 'dev->port_usb' associated to 'ncm->port' is not NULL.\r\n\r\nAnd when ncm bind again to recover netdev, ncm object is reallocated\nbut usb0 interface is already associated to previous released ncm object.\r\n\r\nTherefore, once usb0 interface is up and eth_start_xmit() is called,\nreleased ncm object is dereferrenced and it might cause use-after-free memory.\r\n\r\n[function unlink via configfs]\n  usb0: eth_stop dev->port_usb=ffffff9b179c3200\n  --> error happens in usb_ep_enable().\n  NCM: ncm_disable: ncm=ffffff9b179c3200\n  --> no gether_disconnect() since ncm->port.in_ep->enabled is false.\n  NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200\n  NCM: ncm_free: ncm free ncm=ffffff9b179c3200   <-- released ncm\r\n\r\n[function link via configfs]\n  NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000\n  NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000\n  NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0\n  usb0: eth_open dev->port_usb=ffffff9b179c3200  <-- previous released ncm\n  usb0: eth_start dev->port_usb=ffffff9b179c3200 <--\n  eth_start_xmit()\n  --> dev->wrap()\n  Unable to handle kernel paging request at virtual address dead00000000014f\r\n\r\nThis patch addresses the issue by checking if 'ncm->netdev' is not NULL at\nncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'.\nIt's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect\nrather than check 'ncm->port.in_ep->enabled' since it might not be enabled\nbut the gether connection might be established.(CVE-2024-26996)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nserial/pmac_zilog: Remove flawed mitigation for rx irq flood\r\n\r\nThe mitigation was intended to stop the irq completely. That may be\nbetter than a hard lock-up but it turns out that you get a crash anyway\nif you're using pmac_zilog as a serial console:\r\n\r\nttyPZ0: pmz: rx irq flood !\nBUG: spinlock recursion on CPU#0, swapper/0\r\n\r\nThat's because the pr_err() call in pmz_receive_chars() results in\npmz_console_write() attempting to lock a spinlock already locked in\npmz_interrupt(). With CONFIG_DEBUG_SPINLOCK=y, this produces a fatal\nBUG splat. The spinlock in question is the one in struct uart_port.\r\n\r\nEven when it's not fatal, the serial port rx function ceases to work.\nAlso, the iteration limit doesn't play nicely with QEMU, as can be\nseen in the bug report linked below.\r\n\r\nA web search for other reports of the error message \"pmz: rx irq flood\"\ndidn't produce anything. So I don't think this code is needed any more.\nRemove it.(CVE-2024-26999)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nserial: mxs-auart: add spinlock around changing cts state\r\n\r\nThe uart_handle_cts_change() function in serial_core expects the caller\nto hold uport->lock. For example, I have seen the below kernel splat,\nwhen the Bluetooth driver is loaded on an i.MX28 board.\r\n\r\n    [   85.119255] ------------[ cut here ]------------\n    [   85.124413] WARNING: CPU: 0 PID: 27 at /drivers/tty/serial/serial_core.c:3453 uart_handle_cts_change+0xb4/0xec\n    [   85.134694] Modules linked in: hci_uart bluetooth ecdh_generic ecc wlcore_sdio configfs\n    [   85.143314] CPU: 0 PID: 27 Comm: kworker/u3:0 Not tainted 6.6.3-00021-gd62a2f068f92 #1\n    [   85.151396] Hardware name: Freescale MXS (Device Tree)\n    [   85.156679] Workqueue: hci0 hci_power_on [bluetooth]\n    (...)\n    [   85.191765]  uart_handle_cts_change from mxs_auart_irq_handle+0x380/0x3f4\n    [   85.198787]  mxs_auart_irq_handle from __handle_irq_event_percpu+0x88/0x210\n    (...)(CVE-2024-27000)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncomedi: vmk80xx: fix incomplete endpoint checking\r\n\r\nWhile vmk80xx does have endpoint checking implemented, some things\ncan fall through the cracks. Depending on the hardware model,\nURBs can have either bulk or interrupt type, and current version\nof vmk80xx_find_usb_endpoints() function does not take that fully\ninto account. While this warning does not seem to be too harmful,\nat the very least it will crash systems with 'panic_on_warn' set on\nthem.\r\n\r\nFix the issue found by Syzkaller [1] by somewhat simplifying the\nendpoint checking process with usb_find_common_endpoints() and\nensuring that only expected endpoint types are present.\r\n\r\nThis patch has not been tested on real hardware.\r\n\r\n[1] Syzkaller report:\nusb 1-1: BOGUS urb xfer, pipe 1 != type 3\nWARNING: CPU: 0 PID: 781 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503\n...\nCall Trace:\n <TASK>\n usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59\n vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [inline]\n vmk80xx_auto_attach+0xa1c/0x1a40 drivers/comedi/drivers/vmk80xx.c:818\n comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067\n usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399\n...\r\n\r\nSimilar issue also found by Syzkaller:(CVE-2024-27001)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm: nv04: Fix out of bounds access\r\n\r\nWhen Output Resource (dcb->or) value is assigned in\nfabricate_dcb_output(), there may be out of bounds access to\ndac_users array in case dcb->or is zero because ffs(dcb->or) is\nused as index there.\nThe 'or' argument of fabricate_dcb_output() must be interpreted as a\nnumber of bit to set, not value.\r\n\r\nUtilize macros from 'enum nouveau_or' in calls instead of hardcoding.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-27008)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: Fix mirred deadlock on device recursion\r\n\r\nWhen the mirred action is used on a classful egress qdisc and a packet is\nmirrored or redirected to self we hit a qdisc lock deadlock.\nSee trace below.\r\n\r\n[..... other info removed for brevity....]\n[   82.890906]\n[   82.890906] ============================================\n[   82.890906] WARNING: possible recursive locking detected\n[   82.890906] 6.8.0-05205-g77fadd89fe2d-dirty #213 Tainted: G        W\n[   82.890906] --------------------------------------------\n[   82.890906] ping/418 is trying to acquire lock:\n[   82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:\n__dev_queue_xmit+0x1778/0x3550\n[   82.890906]\n[   82.890906] but task is already holding lock:\n[   82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:\n__dev_queue_xmit+0x1778/0x3550\n[   82.890906]\n[   82.890906] other info that might help us debug this:\n[   82.890906]  Possible unsafe locking scenario:\n[   82.890906]\n[   82.890906]        CPU0\n[   82.890906]        ----\n[   82.890906]   lock(&sch->q.lock);\n[   82.890906]   lock(&sch->q.lock);\n[   82.890906]\n[   82.890906]  *** DEADLOCK ***\n[   82.890906]\n[..... other info removed for brevity....]\r\n\r\nExample setup (eth0->eth0) to recreate\ntc qdisc add dev eth0 root handle 1: htb default 30\ntc filter add dev eth0 handle 1: protocol ip prio 2 matchall \\\n     action mirred egress redirect dev eth0\r\n\r\nAnother example(eth0->eth1->eth0) to recreate\ntc qdisc add dev eth0 root handle 1: htb default 30\ntc filter add dev eth0 handle 1: protocol ip prio 2 matchall \\\n     action mirred egress redirect dev eth1\r\n\r\ntc qdisc add dev eth1 root handle 1: htb default 30\ntc filter add dev eth1 handle 1: protocol ip prio 2 matchall \\\n     action mirred egress redirect dev eth0\r\n\r\nWe fix this by adding an owner field (CPU id) to struct Qdisc set after\nroot qdisc is entered. When the softirq enters it a second time, if the\nqdisc owner is the same CPU, the packet is dropped to break the loop.(CVE-2024-27010)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: fix memleak in map from abort path\r\n\r\nThe delete set command does not rely on the transaction object for\nelement removal, therefore, a combination of delete element + delete set\nfrom the abort path could result in restoring twice the refcount of the\nmapping.\r\n\r\nCheck for inactive element in the next generation for the delete element\ncommand in the abort path, skip restoring state if next generation bit\nhas been already cleared. This is similar to the activate logic using\nthe set walk iterator.\r\n\r\n[ 6170.286929] ------------[ cut here ]------------\n[ 6170.286939] WARNING: CPU: 6 PID: 790302 at net/netfilter/nf_tables_api.c:2086 nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.287071] Modules linked in: [...]\n[ 6170.287633] CPU: 6 PID: 790302 Comm: kworker/6:2 Not tainted 6.9.0-rc3+ #365\n[ 6170.287768] RIP: 0010:nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.287886] Code: df 48 8d 7d 58 e8 69 2e 3b df 48 8b 7d 58 e8 80 1b 37 df 48 8d 7d 68 e8 57 2e 3b df 48 8b 7d 68 e8 6e 1b 37 df 48 89 ef eb c4 <0f> 0b 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 0f\n[ 6170.287895] RSP: 0018:ffff888134b8fd08 EFLAGS: 00010202\n[ 6170.287904] RAX: 0000000000000001 RBX: ffff888125bffb28 RCX: dffffc0000000000\n[ 6170.287912] RDX: 0000000000000003 RSI: ffffffffa20298ab RDI: ffff88811ebe4750\n[ 6170.287919] RBP: ffff88811ebe4700 R08: ffff88838e812650 R09: fffffbfff0623a55\n[ 6170.287926] R10: ffffffff8311d2af R11: 0000000000000001 R12: ffff888125bffb10\n[ 6170.287933] R13: ffff888125bffb10 R14: dead000000000122 R15: dead000000000100\n[ 6170.287940] FS:  0000000000000000(0000) GS:ffff888390b00000(0000) knlGS:0000000000000000\n[ 6170.287948] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 6170.287955] CR2: 00007fd31fc00710 CR3: 0000000133f60004 CR4: 00000000001706f0\n[ 6170.287962] Call Trace:\n[ 6170.287967]  <TASK>\n[ 6170.287973]  ? __warn+0x9f/0x1a0\n[ 6170.287986]  ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288092]  ? report_bug+0x1b1/0x1e0\n[ 6170.287986]  ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288092]  ? report_bug+0x1b1/0x1e0\n[ 6170.288104]  ? handle_bug+0x3c/0x70\n[ 6170.288112]  ? exc_invalid_op+0x17/0x40\n[ 6170.288120]  ? asm_exc_invalid_op+0x1a/0x20\n[ 6170.288132]  ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]\n[ 6170.288243]  ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288366]  ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]\n[ 6170.288483]  nf_tables_trans_destroy_work+0x588/0x590 [nf_tables](CVE-2024-27011)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/rds: fix WARNING in rds_conn_connect_if_down\r\n\r\nIf connection isn't established yet, get_mr() will fail, trigger connection after\nget_mr().(CVE-2024-27024)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nspi: spi-mt65xx: Fix NULL pointer access in interrupt handler\r\n\r\nThe TX buffer in spi_transfer can be a NULL pointer, so the interrupt\nhandler may end up writing to the invalid memory and cause crashes.\r\n\r\nAdd a check to trans->tx_buf before using it.(CVE-2024-27028)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: zynq: Prevent null pointer dereference caused by kmalloc failure\r\n\r\nThe kmalloc() in zynq_clk_setup() will return null if the\nphysical memory has run out. As a result, if we use snprintf()\nto write data to the null address, the null pointer dereference\nbug will happen.\r\n\r\nThis patch uses a stack variable to replace the kmalloc().(CVE-2024-27037)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfp: flower: handle acti_netdevs allocation failure\r\n\r\nThe kmalloc_array() in nfp_fl_lag_do_work() will return null, if\nthe physical memory has run out. As a result, if we dereference\nthe acti_netdevs, the null pointer dereference bugs will happen.\r\n\r\nThis patch adds a check to judge whether allocation failure occurs.\nIf it happens, the delayed work will be rescheduled and try again.(CVE-2024-27046)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value\r\n\r\ncpufreq_cpu_get may return NULL. To avoid NULL-dereference check it\nand return 0 in case of error.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-27051)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/dasd: fix double module refcount decrement\r\n\r\nOnce the discipline is associated with the device, deleting the device\ntakes care of decrementing the module's refcount.  Doing it manually on\nthis error path causes refcount to artificially decrease on each error\nwhile it should just stay the same.(CVE-2024-27054)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nUSB: usb-storage: Prevent divide-by-0 error in isd200_ata_command\r\n\r\nThe isd200 sub-driver in usb-storage uses the HEADS and SECTORS values\nin the ATA ID information to calculate cylinder and head values when\ncreating a CDB for READ or WRITE commands.  The calculation involves\ndivision and modulus operations, which will cause a crash if either of\nthese values is 0.  While this never happens with a genuine device, it\ncould happen with a flawed or subversive emulation, as reported by the\nsyzbot fuzzer.\r\n\r\nProtect against this possibility by refusing to bind to the device if\neither the ATA_ID_HEADS or ATA_ID_SECTORS value in the device's ID\ninformation is 0.  This requires isd200_Initialization() to return a\nnegative error code when initialization fails; currently it always\nreturns 0 (even when there is an error).(CVE-2024-27059)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnouveau: lock the client object tree.\r\n\r\nIt appears the client object tree has no locking unless I've missed\nsomething else. Fix races around adding/removing client objects,\nmostly vram bar mappings.\r\n\r\n 4562.099306] general protection fault, probably for non-canonical address 0x6677ed422bceb80c: 0000 [#1] PREEMPT SMP PTI\n[ 4562.099314] CPU: 2 PID: 23171 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27\n[ 4562.099324] Hardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021\n[ 4562.099330] RIP: 0010:nvkm_object_search+0x1d/0x70 [nouveau]\n[ 4562.099503] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 48 89 f8 48 85 f6 74 39 48 8b 87 a0 00 00 00 48 85 c0 74 12 <48> 8b 48 f8 48 39 ce 73 15 48 8b 40 10 48 85 c0 75 ee 48 c7 c0 fe\n[ 4562.099506] RSP: 0000:ffffa94cc420bbf8 EFLAGS: 00010206\n[ 4562.099512] RAX: 6677ed422bceb814 RBX: ffff98108791f400 RCX: ffff9810f26b8f58\n[ 4562.099517] RDX: 0000000000000000 RSI: ffff9810f26b9158 RDI: ffff98108791f400\n[ 4562.099519] RBP: ffff9810f26b9158 R08: 0000000000000000 R09: 0000000000000000\n[ 4562.099521] R10: ffffa94cc420bc48 R11: 0000000000000001 R12: ffff9810f02a7cc0\n[ 4562.099526] R13: 0000000000000000 R14: 00000000000000ff R15: 0000000000000007\n[ 4562.099528] FS:  00007f629c5017c0(0000) GS:ffff98142c700000(0000) knlGS:0000000000000000\n[ 4562.099534] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 4562.099536] CR2: 00007f629a882000 CR3: 000000017019e004 CR4: 00000000003706f0\n[ 4562.099541] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 4562.099542] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 4562.099544] Call Trace:\n[ 4562.099555]  <TASK>\n[ 4562.099573]  ? die_addr+0x36/0x90\n[ 4562.099583]  ? exc_general_protection+0x246/0x4a0\n[ 4562.099593]  ? asm_exc_general_protection+0x26/0x30\n[ 4562.099600]  ? nvkm_object_search+0x1d/0x70 [nouveau]\n[ 4562.099730]  nvkm_ioctl+0xa1/0x250 [nouveau]\n[ 4562.099861]  nvif_object_map_handle+0xc8/0x180 [nouveau]\n[ 4562.099986]  nouveau_ttm_io_mem_reserve+0x122/0x270 [nouveau]\n[ 4562.100156]  ? dma_resv_test_signaled+0x26/0xb0\n[ 4562.100163]  ttm_bo_vm_fault_reserved+0x97/0x3c0 [ttm]\n[ 4562.100182]  ? __mutex_unlock_slowpath+0x2a/0x270\n[ 4562.100189]  nouveau_ttm_fault+0x69/0xb0 [nouveau]\n[ 4562.100356]  __do_fault+0x32/0x150\n[ 4562.100362]  do_fault+0x7c/0x560\n[ 4562.100369]  __handle_mm_fault+0x800/0xc10\n[ 4562.100382]  handle_mm_fault+0x17c/0x3e0\n[ 4562.100388]  do_user_addr_fault+0x208/0x860\n[ 4562.100395]  exc_page_fault+0x7f/0x200\n[ 4562.100402]  asm_exc_page_fault+0x26/0x30\n[ 4562.100412] RIP: 0033:0x9b9870\n[ 4562.100419] Code: 85 a8 f7 ff ff 8b 8d 80 f7 ff ff 89 08 e9 18 f2 ff ff 0f 1f 84 00 00 00 00 00 44 89 32 e9 90 fa ff ff 0f 1f 84 00 00 00 00 00 <44> 89 32 e9 f8 f1 ff ff 0f 1f 84 00 00 00 00 00 66 44 89 32 e9 e7\n[ 4562.100422] RSP: 002b:00007fff9ba2dc70 EFLAGS: 00010246\n[ 4562.100426] RAX: 0000000000000004 RBX: 000000000dd65e10 RCX: 000000fff0000000\n[ 4562.100428] RDX: 00007f629a882000 RSI: 00007f629a882000 RDI: 0000000000000066\n[ 4562.100432] RBP: 00007fff9ba2e570 R08: 0000000000000000 R09: 0000000123ddf000\n[ 4562.100434] R10: 0000000000000001 R11: 0000000000000246 R12: 000000007fffffff\n[ 4562.100436] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[ 4562.100446]  </TASK>\n[ 4562.100448] Modules linked in: nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink cmac bnep sunrpc iwlmvm intel_rapl_msr intel_rapl_common snd_sof_pci_intel_cnl x86_pkg_temp_thermal intel_powerclamp snd_sof_intel_hda_common mac80211 coretemp snd_soc_acpi_intel_match kvm_intel snd_soc_acpi snd_soc_hdac_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof_intel_hda_mlink \n---truncated---(CVE-2024-27062)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: usbtv: Remove useless locks in usbtv_video_free()\r\n\r\nRemove locks calls in usbtv_video_free() because\nare useless and may led to a deadlock as reported here:\nhttps://syzkaller.appspot.com/x/bisect.txt?x=166dc872180000\nAlso remove usbtv_stop() call since it will be called when\nunregistering the device.\r\n\r\nBefore 'c838530d230b' this issue would only be noticed if you\ndisconnect while streaming and now it is noticeable even when\ndisconnecting while not streaming.\r\n\r\n\n[hverkuil: fix minor spelling mistake in log message](CVE-2024-27072)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: ttpci: fix two memleaks in budget_av_attach\r\n\r\nWhen saa7146_register_device and saa7146_vv_init fails, budget_av_attach\nshould free the resources it allocates, like the error-handling of\nttpci_budget_init does. Besides, there are two fixme comment refers to\nsuch deallocations.(CVE-2024-27073)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: dvb-frontends: avoid stack overflow warnings with clang\r\n\r\nA previous patch worked around a KASAN issue in stv0367, now a similar\nproblem showed up with clang:\r\n\r\ndrivers/media/dvb-frontends/stv0367.c:1222:12: error: stack frame size (3624) exceeds limit (2048) in 'stv0367ter_set_frontend' [-Werror,-Wframe-larger-than]\n 1214 | static int stv0367ter_set_frontend(struct dvb_frontend *fe)\r\n\r\nRework the stv0367_writereg() function to be simpler and mark both\nregister access functions as noinline_for_stack so the temporary\ni2c_msg structures do not get duplicated on the stack when KASAN_STACK\nis enabled.(CVE-2024-27075)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: v4l2-mem2mem: fix a memleak in v4l2_m2m_register_entity\r\n\r\nThe entity->name (i.e. name) is allocated in v4l2_m2m_register_entity\nbut isn't freed in its following error-handling paths. This patch\nadds such deallocation to prevent memleak of entity->name.(CVE-2024-27077)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: v4l2-tpg: fix some memleaks in tpg_alloc\r\n\r\nIn tpg_alloc, resources should be deallocated in each and every\nerror-handling paths, since they are allocated in for statements.\nOtherwise there would be memleaks because tpg_free is called only when\ntpg_alloc return 0.(CVE-2024-27078)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nSUNRPC: fix some memleaks in gssx_dec_option_array\r\n\r\nThe creds and oa->data need to be freed in the error-handling paths after\ntheir allocation. So this patch add these deallocations in the\ncorresponding paths.(CVE-2024-27388)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nft_flow_offload: reset dst in route object after setting up flow\r\n\r\ndst is transferred to the flow object, route object does not own it\nanymore.  Reset dst in route object, otherwise if flow_offload_add()\nfails, error path releases dst twice, leading to a refcount underflow.(CVE-2024-27403)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetrom: Fix data-races around sysctl_net_busy_read\r\n\r\nWe need to protect the reader reading the sysctl value because the\nvalue can be changed concurrently.(CVE-2024-27419)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2024-27426)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2024-27427)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2024-27428)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndm snapshot: fix lockup in dm_exception_table_exit\r\n\r\nThere was reported lockup when we exit a snapshot with many exceptions.\nFix this by adding \"cond_resched\" to the loop that frees the exceptions.(CVE-2024-35805)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsoc: fsl: qbman: Always disable interrupts when taking cgr_lock\r\n\r\nsmp_call_function_single disables IRQs when executing the callback. To\nprevent deadlocks, we must disable IRQs when taking cgr_lock elsewhere.\nThis is already done by qman_update_cgr and qman_delete_cgr; fix the\nother lockers.(CVE-2024-35806)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion\r\n\r\nThe first kiocb_set_cancel_fn() argument may point at a struct kiocb\nthat is not embedded inside struct aio_kiocb. With the current code,\ndepending on the compiler, the req->ki_ctx read happens either before\nthe IOCB_AIO_RW test or after that test. Move the req->ki_ctx read such\nthat it is guaranteed that the IOCB_AIO_RW test happens first.(CVE-2024-35815)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5e: fix a double-free in arfs_create_groups\r\n\r\nWhen `in` allocated by kvzalloc fails, arfs_create_groups will free\nft->g and return an error. However, arfs_create_table, the only caller of\narfs_create_groups, will hold this error and call to\nmlx5e_destroy_flow_table, in which the ft->g will be freed again.(CVE-2024-35835)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: Fix infinite recursion in fib6_dump_done().\r\n\r\nsyzkaller reported infinite recursive calls of fib6_dump_done() during\nnetlink socket destruction.  [1]\r\n\r\nFrom the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then\nthe response was generated.  The following recvmmsg() resumed the dump\nfor IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due\nto the fault injection.  [0]\r\n\r\n  12:01:34 executing program 3:\n  r0 = socket$nl_route(0x10, 0x3, 0x0)\n  sendmsg$nl_route(r0, ... snip ...)\n  recvmmsg(r0, ... snip ...) (fail_nth: 8)\r\n\r\nHere, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call\nof inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3].  syzkaller stopped\nreceiving the response halfway through, and finally netlink_sock_destruct()\ncalled nlk_sk(sk)->cb.done().\r\n\r\nfib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it\nis still not NULL.  fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by\nnlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling\nitself recursively and hitting the stack guard page.\r\n\r\nTo avoid the issue, let's set the destructor after kzalloc().\r\n\r\n[0]:\nFAULT_INJECTION: forcing a failure.\nname failslab, interval 1, probability 0, space 0, times 0\nCPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl (lib/dump_stack.c:117)\n should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)\n should_failslab (mm/slub.c:3733)\n kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992)\n inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662)\n rtnl_dump_all (net/core/rtnetlink.c:4029)\n netlink_dump (net/netlink/af_netlink.c:2269)\n netlink_recvmsg (net/netlink/af_netlink.c:1988)\n ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801)\n ___sys_recvmsg (net/socket.c:2846)\n do_recvmmsg (net/socket.c:2943)\n __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034)\r\n\r\n[1]:\nBUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb)\nstack guard page: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: events netlink_sock_destruct_work\nRIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570)\nCode: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff\nRSP: 0018:ffffc9000d980000 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3\nRDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358\nRBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000\nR13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68\nFS:  0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n <#DF>\n </#DF>\n <TASK>\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n ...\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n netlink_sock_destruct (net/netlink/af_netlink.c:401)\n __sk_destruct (net/core/sock.c:2177 (discriminator 2))\n sk_destruct (net/core/sock.c:2224)\n __sk_free (net/core/sock.c:2235)\n sk_free (net/core/sock.c:2246)\n process_one_work (kernel/workqueue.c:3259)\n worker_thread (kernel/workqueue.c:3329 kernel/workqueue.\n---truncated---(CVE-2024-35886)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()\r\n\r\nnft_unregister_flowtable_type() within nf_flow_inet_module_exit() can\nconcurrent with __nft_flowtable_type_get() within nf_tables_newflowtable().\nAnd thhere is not any protection when iterate over nf_tables_flowtables\nlist in __nft_flowtable_type_get(). Therefore, there is pertential\ndata-race of nf_tables_flowtables list entry.\r\n\r\nUse list_for_each_entry_rcu() to iterate over nf_tables_flowtables list\nin __nft_flowtable_type_get(), and use rcu_read_lock() in the caller\nnft_flowtable_type_get() to protect the entire type query process.(CVE-2024-35898)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfbmon: prevent division by zero in fb_videomode_from_videomode()\r\n\r\nThe expression htotal * vtotal can have a zero value on\noverflow. It is necessary to prevent division by zero like in\nfb_var_to_videomode().\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with Svace.(CVE-2024-35922)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()\r\n\r\nThe call to lpfc_sli4_resume_rpi() in lpfc_rcv_padisc() may return an\nunsuccessful status.  In such cases, the elsiocb is not issued, the\ncompletion is not called, and thus the elsiocb resource is leaked.\r\n\r\nCheck return value after calling lpfc_sli4_resume_rpi() and conditionally\nrelease the elsiocb resource.(CVE-2024-35930)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()\r\n\r\nThe unhandled case in btrfs_relocate_sys_chunks() loop is a corruption,\nas it could be caused only by two impossible conditions:\r\n\r\n- at first the search key is set up to look for a chunk tree item, with\n  offset -1, this is an inexact search and the key->offset will contain\n  the correct offset upon a successful search, a valid chunk tree item\n  cannot have an offset -1\r\n\r\n- after first successful search, the found_key corresponds to a chunk\n  item, the offset is decremented by 1 before the next loop, it's\n  impossible to find a chunk item there due to alignment and size\n  constraints(CVE-2024-35936)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/client: Fully protect modes[] with dev->mode_config.mutex\r\n\r\nThe modes[] array contains pointers to modes on the connectors'\nmode lists, which are protected by dev->mode_config.mutex.\nThus we need to extend modes[] the same protection or by the\ntime we use it the elements may already be pointing to\nfreed/reused memory.(CVE-2024-35950)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nxsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING\r\n\r\nsyzbot reported an illegal copy in xsk_setsockopt() [1]\r\n\r\nMake sure to validate setsockopt() @optlen parameter.\r\n\r\n[1]\r\n\r\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\nRead of size 4 at addr ffff888028c6cde3 by task syz-executor.0/7549\r\n\r\nCPU: 0 PID: 7549 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:488\n  kasan_report+0x143/0x180 mm/kasan/report.c:601\n  copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n  copy_from_sockptr include/linux/sockptr.h:55 [inline]\n  xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\n  do_sock_setsockopt+0x3af/0x720 net/socket.c:2311\n  __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n  __do_sys_setsockopt net/socket.c:2343 [inline]\n  __se_sys_setsockopt net/socket.c:2340 [inline]\n  __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\nRIP: 0033:0x7fb40587de69\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fb40665a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 00007fb4059abf80 RCX: 00007fb40587de69\nRDX: 0000000000000005 RSI: 000000000000011b RDI: 0000000000000006\nRBP: 00007fb4058ca47a R08: 0000000000000002 R09: 0000000000000000\nR10: 0000000020001980 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007fb4059abf80 R15: 00007fff57ee4d08\n </TASK>\r\n\r\nAllocated by task 7549:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\n  __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\n  kasan_kmalloc include/linux/kasan.h:211 [inline]\n  __do_kmalloc_node mm/slub.c:3966 [inline]\n  __kmalloc+0x233/0x4a0 mm/slub.c:3979\n  kmalloc include/linux/slab.h:632 [inline]\n  __cgroup_bpf_run_filter_setsockopt+0xd2f/0x1040 kernel/bpf/cgroup.c:1869\n  do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\n  __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n  __do_sys_setsockopt net/socket.c:2343 [inline]\n  __se_sys_setsockopt net/socket.c:2340 [inline]\n  __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nThe buggy address belongs to the object at ffff888028c6cde0\n which belongs to the cache kmalloc-8 of size 8\nThe buggy address is located 1 bytes to the right of\n allocated 2-byte region [ffff888028c6cde0, ffff888028c6cde2)\r\n\r\nThe buggy address belongs to the physical page:\npage:ffffea0000a31b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888028c6c9c0 pfn:0x28c6c\nanon flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)\npage_type: 0xffffffff()\nraw: 00fff00000000800 ffff888014c41280 0000000000000000 dead000000000001\nraw: ffff888028c6c9c0 0000000080800057 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as allocated\npage last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 6648, tgid 6644 (syz-executor.0), ts 133906047828, free_ts 133859922223\n  set_page_owner include/linux/page_owner.h:31 [inline]\n  post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533\n  prep_new_page mm/page_alloc.c:\n---truncated---(CVE-2024-35976)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nHID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up\r\n\r\nThe flag I2C_HID_READ_PENDING is used to serialize I2C operations.\nHowever, this is not necessary, because I2C core already has its own\nlocking for that.\r\n\r\nMore importantly, this flag can cause a lock-up: if the flag is set in\ni2c_hid_xfer() and an interrupt happens, the interrupt handler\n(i2c_hid_irq) will check this flag and return immediately without doing\nanything, then the interrupt handler will be invoked again in an\ninfinite loop.\r\n\r\nSince interrupt handler is an RT task, it takes over the CPU and the\nflag-clearing task never gets scheduled, thus we have a lock-up.\r\n\r\nDelete this unnecessary flag.(CVE-2024-35997)",
+    "cves": [
+      {
+        "id": "CVE-2023-52868",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52868",
+        "severity": "Low"
+      },
+      {
+        "id": "CVE-2024-26960",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26960",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2024-35997",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35997",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1484": {
+    "id": "openEuler-SA-2022-1484",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1484",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).(CVE-2021-43976)\r\n\r\nIn bpf_skb_change_head of filter.c, there is a possible out of bounds read due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-154177719References: Upstream kernel(CVE-2021-0941)\r\n\r\nIn __f2fs_setxattr in fs/f2fs/xattr.c in the Linux kernel through 5.15.11, there is an out-of-bounds memory access when an inode has an invalid last xattr entry.(CVE-2021-45469)\r\n\r\nA use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel through 5.15.11. This occurs because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory object.(CVE-2021-44733)\r\n\r\nIn ufshcd_eh_device_reset_handler of ufshcd.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-194696049References: Upstream kernel(CVE-2021-39657)\r\n\r\nA flaw memory leak in the Linux kernel s eBPF for the Simulated networking device driver in the way user uses BPF for the device such that function nsim_map_alloc_elem being called. A local user could use this flaw to get unauthorized access to some data.(CVE-2021-4135)\r\n\r\nThere are some measures taken for avoiding to pile up too much data, but those can be bypassed by the guest: There is a timeout how long the client side of an interface can stop consuming new packets before it is assumed to have stalled, but this timeout is rather long. Using a UDP connection on a fast interface can easily accumulate gigabytes of data in that time.(CVE-2021-28715)\r\n\r\nThe timeout could even never trigger if the guest manages to have only one free slot in its RX queue ring page and the next package would require more than one free slot, which may be the case when using GSO, XDP, or software hashing.(CVE-2021-28714)\r\n\r\nRunning PV backends in driver domains has one primary security advantage, if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. (CVE-2021-28713)\r\n\r\nRunning PV backends in driver domains has one primary security advantage, if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. (CVE-2021-28712)\r\n\r\nRunning PV backends in driver domains has one primary security advantage, if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. (CVE-2021-28711)",
+    "cves": [
+      {
+        "id": "CVE-2021-28711",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28711",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1065": {
+    "id": "openEuler-SA-2021-1065",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1065",
+    "title": "An update for php is now available for openEuler-20.03-LTS",
+    "severity": "Medium",
+    "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server.\r\n\r\nSecurity Fix(es):\r\n\r\nIn PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-8184 for more information.(CVE-2020-7070)\r\n\r\nIn PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data.(CVE-2020-7069)",
+    "cves": [
+      {
+        "id": "CVE-2020-7069",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7069",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1295": {
+    "id": "openEuler-SA-2023-1295",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1295",
+    "title": "An update for qt5-qtbase is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "This package provides base tools, such as string, xml, and network handling.\r\n\r\nSecurity Fix(es):\r\n\r\nQt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.(CVE-2023-24607)",
+    "cves": [
+      {
+        "id": "CVE-2023-24607",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1358": {
+    "id": "openEuler-SA-2023-1358",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1358",
+    "title": "An update for c-ares is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "This is c-ares, an asynchronous resolver library. It is intended for applications which need to perform DNS queries without blocking, or need to perform multiple\n\nSecurity Fix(es):\n\nc-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular \"0::00:00:00/2\" was found to cause an issue.  C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.\n(CVE-2023-31130)\n\nc-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.(CVE-2023-31147)",
+    "cves": [
+      {
+        "id": "CVE-2023-31147",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31147",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1527": {
+    "id": "openEuler-SA-2024-1527",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1527",
+    "title": "An update for podman is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Podman manages the entire container ecosystem which includes pods, containers, container images, and container volumes using the libpod library.\r\n\r\nSecurity Fix(es):\r\n\r\nAn attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.(CVE-2022-32149)",
+    "cves": [
+      {
+        "id": "CVE-2022-32149",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32149",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1794": {
+    "id": "openEuler-SA-2022-1794",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1794",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nThe Linux kernel was found vulnerable out of bounds memory access in the drivers/video/fbdev/sm712fb.c:smtcfb_read() function. The vulnerability could result in local attackers being able to crash the kernel.(CVE-2022-2380)\n\nIn USB driver, there is a possible out of bounds read due to a heap buffer overflow. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-216825460References: Upstream kernel(CVE-2022-20227)\n\nKernel lockdown bypass when UEFI secure boot is disabled / unavailable and IMA appraisal is enabled.(CVE-2022-21505)",
+    "cves": [
+      {
+        "id": "CVE-2022-21505",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21505",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1141": {
+    "id": "openEuler-SA-2024-1141",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1141",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel before 6.4.5, drivers/gpu/drm/drm_atomic.c has a use-after-free during a race condition between a nonblocking atomic commit and a driver unload.(CVE-2023-51043)\r\n\r\nA use-after-free flaw was found in the Linux Kernel due to a race problem in the unix garbage collector's deletion of SKB races with unix_stream_read_generic() on the socket that the SKB is queued on.(CVE-2023-6531)",
+    "cves": [
+      {
+        "id": "CVE-2023-6531",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6531",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1084": {
+    "id": "openEuler-SA-2021-1084",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1084",
+    "title": "An update for kata-containers is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "This is core component of Kata Container, to make it work, you need a isulad/docker engine.\r\n\r\nSecurity Fix(es):\r\n\r\nAn improper file permissions vulnerability affects Kata Containers prior to 1.11.5. When using a Kubernetes hostPath volume and mounting either a file or directory into a container as readonly, the file/directory is mounted as readOnly inside the container, but is still writable inside the guest. For a container breakout situation, a malicious guest can potentially modify or delete files/directories expected to be read-only.(CVE-2020-28914)",
+    "cves": [
+      {
+        "id": "CVE-2020-28914",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28914",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1318": {
+    "id": "openEuler-SA-2021-1318",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1318",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.(CVE-2021-3679)\r\n\r\ndrivers/usb/host/max3421-hcd.c in the Linux kernel before 5.13.6 allows physically proximate attackers to cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain situations.(CVE-2021-38204)\r\n\r\ndrivers/net/ethernet/xilinx/xilinx_emaclite.c in the Linux kernel before 5.13.3 makes it easier for attackers to defeat an ASLR protection mechanism because it prints a kernel pointer (i.e., the real IOMEM pointer).(CVE-2021-38205)\r\n\r\nnet/netfilter/nf_conntrack_standalone.c in the Linux kernel before 5.12.2 allows observation of changes in any net namespace because these changes are leaked into all other net namespaces. This is related to the NF_SYSCTL_CT_MAX, NF_SYSCTL_CT_EXPECT_MAX, and NF_SYSCTL_CT_BUCKETS sysctls.(CVE-2021-38209)\r\n\r\nfs/nfs/nfs4client.c in the Linux kernel before 5.13.4 has incorrect connection-setup ordering, which allows operators of remote NFSv4 servers to cause a denial of service (hanging of mounts) by arranging for those servers to be unreachable during trunking detection.(CVE-2021-38199)\r\n\r\ndrivers/net/ethernet/xilinx/ll_temac_main.c in the Linux kernel before 5.12.13 allows remote attackers to cause a denial of service (buffer overflow and lockup) by sending heavy network traffic for about ten minutes.(CVE-2021-38207)\r\n\r\nnet/nfc/llcp_sock.c in the Linux kernel before 5.12.10 allows local unprivileged users to cause a denial of service (NULL pointer dereference and BUG) by making a getsockname call after a certain type of failure of a bind call.(CVE-2021-38208)",
+    "cves": [
+      {
+        "id": "CVE-2021-38208",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38208",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1490": {
+    "id": "openEuler-SA-2024-1490",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1490",
+    "title": "An update for flatpak is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "flatpak is a system for building, distributing and running sandboxed desktop applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for more information.\r\n\r\nSecurity Fix(es):\r\n\r\nFlatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It's possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6.(CVE-2024-32462)",
+    "cves": [
+      {
+        "id": "CVE-2024-32462",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32462",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1195": {
+    "id": "openEuler-SA-2024-1195",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1195",
+    "title": "An update for python-jwcrypto is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Implements JWK, JWS, JWE specifications with python-cryptography\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in JWCrypto. This flaw allows an attacker to cause a denial of service (DoS) attack and possible password brute-force and dictionary attacks to be more resource-intensive. This issue can result in a large amount of computational consumption, causing a denial of service attack.(CVE-2023-6681)",
+    "cves": [
+      {
+        "id": "CVE-2023-6681",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6681",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1486": {
+    "id": "openEuler-SA-2022-1486",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1486",
+    "title": "An update for openjpeg2 is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "OpenJPEG is an open-source JPEG 2000 codec written in C language. It has been developed in order to promote the use of JPEG 2000, a still-image compression standard from the Joint Photographic Experts Group (JPEG). Since April 2015, it is officially recognized by ISO/IEC and ITU-T as a JPEG 2000 Reference Software.\r\n\r\nSecurity Fix(es):\r\n\r\nThere's a flaw in openjpeg's t2 encoder in versions prior to 2.4.0. An attacker who is able to provide crafted input to be processed by openjpeg could cause a null pointer dereference. The highest impact of this flaw is to application availability.(CVE-2020-27842)",
+    "cves": [
+      {
+        "id": "CVE-2020-27842",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27842",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1806": {
+    "id": "openEuler-SA-2023-1806",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1806",
+    "title": "An update for httpd is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\r\n\r\nSecurity Fix(es):\r\n\r\nOut-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server: through 2.4.57.\r\n\r\n(CVE-2023-31122)\r\n\r\nWhen a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that.\r\n\r\nThis was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During \"normal\" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out.\r\n\r\nUsers are recommended to upgrade to version 2.4.58, which fixes the issue.\n(CVE-2023-45802)",
+    "cves": [
+      {
+        "id": "CVE-2023-45802",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45802",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1871": {
+    "id": "openEuler-SA-2022-1871",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1871",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nNon-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.(CVE-2022-26373)\n\nA use-after-free flaw was found in route4_change in the net/sched/cls_route.c filter implementation in the Linux kernel. This flaw allows a local, privileged attacker to crash the system, possibly leading to a local privilege escalation issue.(CVE-2022-2588)",
+    "cves": [
+      {
+        "id": "CVE-2022-2588",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2588",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1792": {
+    "id": "openEuler-SA-2023-1792",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1792",
+    "title": "An update for sqlite-jdbc is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "SQLite JDBC, is a library for accessing and creating SQLite database files in Java.\r\n\r\nSecurity Fix(es):\r\n\r\nSQLite JDBC is a library for accessing and creating SQLite database files in Java. Sqlite-jdbc addresses a remote code execution vulnerability via JDBC URL. This issue impacting versions 3.6.14.1 through 3.41.2.1 and has been fixed in version 3.41.2.2.\n(CVE-2023-32697)",
+    "cves": [
+      {
+        "id": "CVE-2023-32697",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32697",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1919": {
+    "id": "openEuler-SA-2023-1919",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1919",
+    "title": "An update for haproxy is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic web sites and powers quite a number of the world's most visited ones.\r\n\r\nSecurity Fix(es):\r\n\r\nAn information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7 before 2.7.1. There are 5 bytes left uninitialized in the connection buffer when encoding the FCGI_BEGIN_REQUEST record. Sensitive data may be disclosed to configured FastCGI backends in an unexpected way.(CVE-2023-0836)\r\n\r\nHAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.(CVE-2023-45539)",
+    "cves": [
+      {
+        "id": "CVE-2023-45539",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45539",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1826": {
+    "id": "openEuler-SA-2023-1826",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1826",
+    "title": "An update for gdb is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "GDB, the GNU Project debugger, allows you to see what is going on inside another program while it executes -- or what another program was doing at the moment it crashed.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a heap use after free via the function add_pe_exported_sym() at /gdb/coff-pe-read.c.(CVE-2023-39129)",
+    "cves": [
+      {
+        "id": "CVE-2023-39129",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39129",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1704": {
+    "id": "openEuler-SA-2022-1704",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1704",
+    "title": "An update for runc is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "runc is a CLI tool for spawning and running containers according to the OCI specification.\r\n\r\nSecurity Fix(es):\r\n\r\nrunc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file.(CVE-2022-29162)",
+    "cves": [
+      {
+        "id": "CVE-2022-29162",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29162",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1136": {
+    "id": "openEuler-SA-2021-1136",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1136",
+    "title": "An update for hibernate3 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Hibernate ORM. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.(CVE-2019-14900)",
+    "cves": [
+      {
+        "id": "CVE-2019-14900",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14900",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1722": {
+    "id": "openEuler-SA-2023-1722",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1722",
+    "title": "An update for python-django is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.\r\n\r\nSecurity Fix(es):\r\n\r\nAn inefficient regular expression complexity was found in Django. The text truncator regular expressions exhibit linear backtracking complexity, which can be slow, leading to a potential denial of service, given certain HTML inputs.(CVE-2023-43665)",
+    "cves": [
+      {
+        "id": "CVE-2023-43665",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43665",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1828": {
+    "id": "openEuler-SA-2022-1828",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1828",
+    "title": "An update for libxml2 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "This library allows to manipulate XML files. It includes support to read, modify and write XML and HTML files. There is DTDs support this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified. The output can be a simple SAX stream or and in-memory DOM like representations. In this case one can use the built-in XPath and XPointer implementation to select sub nodes or ranges. A flexible Input/Output mechanism is available, with existing HTTP and FTP modules and combined to an URI library.\r\n\r\nSecurity Fix(es):\r\n\r\nPossible cross-site scripting vulnerability in libxml after commit 960f0e2.(CVE-2016-3709)",
+    "cves": [
+      {
+        "id": "CVE-2016-3709",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3709",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1206": {
+    "id": "openEuler-SA-2021-1206",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1206",
+    "title": "An update for bind is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols and provides an openly redistributable reference implementation of the major components of the Domain Name System. This package includes the components to operate a DNS server.\r\n\r\nSecurity Fix(es):\r\n\r\nIn BIND 9.8.5 -> 9.8.8, 9.9.3 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND 9 Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a malformed IXFR triggering the flaw described above, the named process will terminate due to a failed assertion the next time the transferred secondary zone is refreshed.(CVE-2021-25214)\r\n\r\nIn BIND 9.0.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a query for a record triggering the flaw described above, the named process will terminate due to a failed assertion check. The vulnerability affects all currently maintained BIND 9 branches (9.11, 9.11-S, 9.16, 9.16-S, 9.17) as well as all other versions of BIND 9.(CVE-2021-25215)",
+    "cves": [
+      {
+        "id": "CVE-2021-25215",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25215",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1405": {
+    "id": "openEuler-SA-2023-1405",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1405",
+    "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\n\nSecurity Fix(es):\n\nA stack-based buffer overflow issue was found in ImageMagick's coders/tiff.c. This flaw allows an attacker to trick the user into opening a specially crafted malicious tiff file, causing an application to crash, resulting in a denial of service.(CVE-2023-3195)",
+    "cves": [
+      {
+        "id": "CVE-2023-3195",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3195",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1569": {
+    "id": "openEuler-SA-2023-1569",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1569",
+    "title": "An update for libpq is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "PostgreSQL is a powerful, open source object-relational database system that uses and extends the SQL language combined with many features that safely store and scale the most complicated data workloads. This package provides the essential shared library for any PostgreSQL client program or interface.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\n** DISPUTED ** An issue was discovered in PostgreSQL 12.2 allows attackers to cause a denial of service via repeatedly sending SIGHUP signals. NOTE: this is disputed by the vendor because untrusted users cannot send SIGHUP signals; they can only be sent by a PostgreSQL superuser, a user with pg_reload_conf access, or a user with sufficient privileges at the OS level (the postgres account or the root account).(CVE-2020-21469)\r\n\r\nschema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an authed attacker with elevated database-level privileges to execute arbitrary code.(CVE-2023-2454)\r\n\r\nRow security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.(CVE-2023-2455)\r\n\r\nA vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.(CVE-2023-39418)",
+    "cves": [
+      {
+        "id": "CVE-2023-39418",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39418",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1818": {
+    "id": "openEuler-SA-2023-1818",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1818",
+    "title": "An update for GraphicsMagick is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "GraphicsMagick is the swiss army knife of image processing. Comprised of 267K physical lines (according to David A. Wheeler's SLOCCount) of source code in the base package (or 1,225K including 3rd party libraries) it provides a robust and efficient collection of tools and libraries which support reading, writing, and manipulating an image in over 89 major formats including important formats like DPX, GIF, JPEG, JPEG-2000, PNG, PDF, PNM, TIFF, and WebP.\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Overflow vulnerability in WritePCXImage function in pcx.c in GraphicsMagick 1.4 allows remote attackers to cause a denial of service via converting of crafted image file to pcx format.(CVE-2020-21679)",
+    "cves": [
+      {
+        "id": "CVE-2020-21679",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-21679",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1440": {
+    "id": "openEuler-SA-2024-1440",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1440",
+    "title": "An update for jose is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Low",
+    "description": "José is a C-language implementation of the Javascript Object Signing and Encryption standards. José provides a command-line utility which encompasses most of the JOSE features. This allows for easy integration into your project and one-off scripts.\r\n\r\nSecurity Fix(es):\r\n\r\nlatchset jose through version 11 allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.(CVE-2023-50967)",
+    "cves": [
+      {
+        "id": "CVE-2023-50967",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50967",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1485": {
+    "id": "openEuler-SA-2022-1485",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1485",
+    "title": "An update for numpy is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "A fast multidimensional array facility for Python.\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer overflow in the array_from_pyobj function of fortranobject.c in NumPy < 1.19, which allows attackers to conduct a Denial of Service attacks by carefully constructing an array with negative values.(CVE-2021-41496)",
+    "cves": [
+      {
+        "id": "CVE-2021-41496",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41496",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1434": {
+    "id": "openEuler-SA-2023-1434",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1434",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "This libtiff provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. The latest version of the TIFF specification is available on-line in several different formats.And contains command-line programs for manipulating TIFF format image files using the libtiff library.\n\nSecurity Fix(es):\n\nA vulnerability was found in libtiff where a memory leak exists in tools/tiffcrop.c.\n\nReferences:\nhttps://gitlab.com/libtiff/libtiff/-/merge_requests/475(CVE-2023-3576)",
+    "cves": [
+      {
+        "id": "CVE-2023-3576",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3576",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1354": {
+    "id": "openEuler-SA-2021-1354",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1354",
+    "title": "An update for libsndfile is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Libsndfile is a C library for reading and writing files containing sampled sound such as MS Windows WAV and the Apple/SGI AIFF format through one standard library interface.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap buffer overflow flaw was found in libsndfile. This flaw allows an attacker to execute arbitrary code via a crafted WAV file. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-3246)",
+    "cves": [
+      {
+        "id": "CVE-2021-3246",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3246",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1754": {
+    "id": "openEuler-SA-2022-1754",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1754",
+    "title": "An update for ghostscript is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Ghostscript is an interpreter for PostScript™ and Portable Document Format (PDF) files. Ghostscript consists of a PostScript interpreter layer, and a graphics library.\r\n\r\nSecurity Fix(es):\r\n\r\nA NULL pointer dereference vulnerability was found in Ghostscript, which occurs when it tries to render a large number of bits in memory. When allocating a buffer device, it relies on an init_device_procs defined for the device that uses it as a prototype that depends upon the number of bits per pixel. For bpp > 64, mem_x_device is used and does not have an init_device_procs defined. This flaw allows an attacker to parse a large number of bits (more than 64 bits per pixel), which triggers a NULL pointer dereference flaw, causing an application to crash.(CVE-2022-2085)",
+    "cves": [
+      {
+        "id": "CVE-2022-2085",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2085",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1567": {
+    "id": "openEuler-SA-2022-1567",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1567",
+    "title": "An update for zsh is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The zsh is a shell designed for interactive use, and it is also a powerful scripting language. Many of the useful features of bash, ksh, and tcsh were incorporated into zsh. It can match files by file extension without running an external program, share command history with any shell, and more.\r\n\r\nSecurity Fix(es):\r\n\r\nIn zsh before 5.8.1, an attacker can achieve code execution if they control a command output inside the prompt, as demonstrated by a %F argument. This occurs because of recursive PROMPT_SUBST expansion.(CVE-2021-45444)",
+    "cves": [
+      {
+        "id": "CVE-2021-45444",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45444",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1551": {
+    "id": "openEuler-SA-2024-1551",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1551",
+    "title": "An update for libyaml is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "A C library for parsing and emitting YAML.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in yaml libyaml up to 0.2.5 and classified as critical. Affected by this issue is the function yaml_emitter_emit_flow_sequence_item of the file /src/libyaml/src/emitter.c. The manipulation leads to heap-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259052. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.(CVE-2024-3205)",
+    "cves": [
+      {
+        "id": "CVE-2024-3205",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3205",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1760": {
+    "id": "openEuler-SA-2023-1760",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1760",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Netfilter subsystem in the Linux kernel. The nfnl_osf_add_callback function did not validate the user mode controlled opt_num field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.(CVE-2023-39189)\r\n\r\nA flaw was found in the Netfilter subsystem in the Linux kernel. The sctp_mt_check did not validate the flag_count field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.(CVE-2023-39193)",
+    "cves": [
+      {
+        "id": "CVE-2023-39193",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39193",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1314": {
+    "id": "openEuler-SA-2023-1314",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1314",
+    "title": "An update for c-ares is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nc-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.(CVE-2023-32067)",
+    "cves": [
+      {
+        "id": "CVE-2023-32067",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32067",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1737": {
+    "id": "openEuler-SA-2022-1737",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1737",
+    "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nIn addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).(CVE-2022-2068)",
+    "cves": [
+      {
+        "id": "CVE-2022-2068",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2068",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1225": {
+    "id": "openEuler-SA-2024-1225",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1225",
+    "title": "An update for shim is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Initial UEFI bootloader that handles chaining to a trusted full \\ bootloader under secure boot environments.\r\n\r\nSecurity Fix(es):\r\n\r\nApplications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\r\n\r\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\r\n\r\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0465)\r\n\r\nIssue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\r\n\r\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\r\n\r\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit.  OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\r\n\r\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime.  The time complexity is O(n^2) with 'n' being the size of the\nsub-identifiers in bytes (*).\r\n\r\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\nidentifiers in string form was introduced.  This includes using OBJECT\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\nalgorithms.\r\n\r\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\ndecrypt, or digest passed data.\r\n\r\nApplications that call OBJ_obj2txt() directly with untrusted data are\naffected, with any version of OpenSSL.  If the use is for the mere purpose\nof display, the severity is considered low.\r\n\r\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\nCMS, CMP/CRMF or TS.  It also impacts anything that processes X.509\ncertificates, including simple things like verifying its signature.\r\n\r\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\n100KiB limit on the peer's certificate chain.  Additionally, this only\nimpacts clients, or servers that have explicitly enabled client\nauthentication.\r\n\r\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\nsuch as X.509 certificates.  This is assumed to not happen in such a way\nthat it would cause a Denial of Service, so these versions are considered\nnot affected by this issue in such a way that it would be cause for concern,\nand the severity is therefore considered low.(CVE-2023-2650)\r\n\r\nIssue summary: Checking excessively long DH keys or parameters may be very slow.\r\n\r\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\r\n\r\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\r\n\r\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\r\n\r\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\r\n\r\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\r\n\r\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\r\n\r\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.(CVE-2023-3446)\r\n\r\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\r\n\r\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\r\n\r\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\r\n\r\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\r\n\r\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\r\n\r\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.(CVE-2024-0727)",
+    "cves": [
+      {
+        "id": "CVE-2024-0727",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1039": {
+    "id": "openEuler-SA-2021-1039",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1039",
+    "title": "An update for python-sqlalchemy is now available for openEuler-20.03-LTS",
+    "severity": "Critical",
+    "description": "SQLAlchemy is an Object Relational Mapper (ORM) that provides a flexible, high-level interface to SQL databases. It contains a powerful mapping layer that users can choose to work as automatically or as manually, determining relationships based on foreign keys or to bridge the gap between database and domain by letting you define the join conditions explicitly.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nSQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.(CVE-2019-7164)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2019-7164",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7164",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1398": {
+    "id": "openEuler-SA-2021-1398",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1398",
+    "title": "An update for libarchive is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "libarchive is an open-source BSD-licensed C programming library that  provides streaming access to a variety of different archive formats, including tar, cpio, pax, zip, and ISO9660 images. The distribution  also includes bsdtar and bsdcpio, full-featured implementations of  tar and cpio that use libarchive.\r\n\r\nSecurity Fix(es):\r\n\r\nlibarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block).(CVE-2021-36976)",
+    "cves": [
+      {
+        "id": "CVE-2021-36976",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36976",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1870": {
+    "id": "openEuler-SA-2024-1870",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1870",
+    "title": "An update for openssh is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. \\ It encrypts all traffic to eliminate eavesdropping, connection hijacking, and \\ other attacks. In addition, OpenSSH provides a large suite of secure tunneling \\ capabilities, several authentication methods, and sophisticated configuration options.\r\n\r\nSecurity Fix(es):\r\n\r\nA race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd). If a remote attacker does not authenticate within a set time period, then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). As a consequence of a successful attack, in the worst case scenario, an attacker may be able to perform a remote code execution (RCE) as an unprivileged user running the sshd server.(CVE-2024-6409)",
+    "cves": [
+      {
+        "id": "CVE-2024-6409",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6409",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1602": {
+    "id": "openEuler-SA-2024-1602",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1602",
+    "title": "An update for giflib is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "giflib is a library of gif images and provides utilities for processing images.\r\n\r\nSecurity Fix(es):\r\n\r\nA memory leak (out-of-memory) in gif2rgb in util/gif2rgb.c in giflib 5.1.4 allows remote attackers trigger an out of memory exception or denial of service via a gif format file.(CVE-2021-40633)",
+    "cves": [
+      {
+        "id": "CVE-2021-40633",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40633",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2112": {
+    "id": "openEuler-SA-2022-2112",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2112",
+    "title": "An update for freerdp is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "FreeRDP is a client implementation of the Remote Desktop Protocol (RDP) that follows Microsoft's open specifications. This package provides the client applications xfreerdp and wlfreerdp.\r\n\r\nSecurity Fix(es):\r\n\r\nFreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing path canonicalization and base path check for `drive` channel. A malicious server can trick a FreeRDP based client to read files outside the shared directory. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the `/drive`, `/drives` or `+home-drive` redirection switch.(CVE-2022-39347)\r\n\r\nFreeRDP is a free remote desktop protocol library and clients. In affected versions there is an out of bound read in ZGFX decoder component of FreeRDP. A malicious server can trick a FreeRDP based client to read out of bound data and try to decode it likely resulting in a crash. This issue has been addressed in the 2.9.0 release. Users are advised to upgrade.(CVE-2022-39316)\r\n\r\nFreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing input length validation in the `urbdrc` channel. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the `/usb` redirection switch.(CVE-2022-39319)\r\n\r\nFreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing input length validation in `drive` channel. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the drive redirection channel - command line options `/drive`, `+drives` or `+home-drive`.(CVE-2022-41877)\r\n\r\nFreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing input validation in `urbdrc` channel. A malicious server can trick a FreeRDP based client to crash with division by zero. This issue has been addressed in version 2.9.0. All users are advised to upgrade. Users unable to upgrade should not use the `/usb` redirection switch.(CVE-2022-39318)",
+    "cves": [
+      {
+        "id": "CVE-2022-39318",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39318",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1937": {
+    "id": "openEuler-SA-2023-1937",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1937",
+    "title": "An update for xstream is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design, making it suitable for large object graphs or systems with high message throughput. No information is duplicated that can be obtained via reflection. This results in XML that is easier to read for humans and more compact than native Java serialization. XStream serializes internal fields, including private and final. Supports non-public and inner classes. Classes are not required to have default constructor. Duplicate references encountered in the object-model will be maintained. Supports circular references. By implementing an interface, XStream can serialize directly to/from any tree structure (not just XML). Strategies can be registered allowing customization of how particular types are represented as XML. When an exception occurs due to malformed XML, detailed diagnostics are provided to help isolate and fix the problem.\r\n\r\nSecurity Fix(es):\r\n\r\nThose using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.(CVE-2022-40151)\r\n\r\nXStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and all elements are comparable.(CVE-2022-41966)",
+    "cves": [
+      {
+        "id": "CVE-2022-41966",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41966",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1280": {
+    "id": "openEuler-SA-2021-1280",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1280",
+    "title": "An update for rubygem-kramdown is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "kramdown is yet-another-markdown-parser but fast, pure Ruby, using a strict syntax definition and supporting several common extensions.\r\n\r\nSecurity Fix(es):\r\n\r\nThe kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template=\"/etc/passwd\") or unintended embedded Ruby code execution (such as a string that begins with template=\"string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.(CVE-2020-14001)",
+    "cves": [
+      {
+        "id": "CVE-2020-14001",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14001",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2022": {
+    "id": "openEuler-SA-2022-2022",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2022",
+    "title": "An update for libX11 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The libX11-devel package contains libraries and header files for libX11.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in X.org libX11 and classified as problematic. This issue affects the function _XFreeX11XCBStructure of the file xcb_disp.c. The manipulation of the argument dpy leads to memory leak. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211055.(CVE-2022-3555)\r\n\r\nA vulnerability has been found in X.org libX11 and classified as problematic. This vulnerability affects the function _XimRegisterIMInstantiateCallback of the file modules/im/ximcp/imsClbk.c. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. VDB-211054 is the identifier assigned to this vulnerability.(CVE-2022-3554)",
+    "cves": [
+      {
+        "id": "CVE-2022-3554",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3554",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1488": {
+    "id": "openEuler-SA-2023-1488",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1488",
+    "title": "An update for wireshark is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Wireshark allows you to examine protocol data stored in files or as it is captured from wired or wireless (WiFi or Bluetooth) networks, USB devices, and many other sources. It supports dozens of protocol capture file formats and understands more than a thousand protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nKafka dissector crash in Wireshark 4.0.0 to 4.0.6 and 3.6.0 to 3.6.14 allows denial of service via packet injection or crafted capture file(CVE-2023-3648)",
+    "cves": [
+      {
+        "id": "CVE-2023-3648",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3648",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1566": {
+    "id": "openEuler-SA-2024-1566",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1566",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: core: Fix scsi_mode_sense() buffer length handling\r\n\r\nSeveral problems exist with scsi_mode_sense() buffer length handling:\r\n\r\n 1) The allocation length field of the MODE SENSE(10) command is 16-bits,\n    occupying bytes 7 and 8 of the CDB. With this command, access to mode\n    pages larger than 255 bytes is thus possible. However, the CDB\n    allocation length field is set by assigning len to byte 8 only, thus\n    truncating buffer length larger than 255.\r\n\r\n 2) If scsi_mode_sense() is called with len smaller than 8 with\n    sdev->use_10_for_ms set, or smaller than 4 otherwise, the buffer length\n    is increased to 8 and 4 respectively, and the buffer is zero filled\n    with these increased values, thus corrupting the memory following the\n    buffer.\r\n\r\nFix these 2 problems by using put_unaligned_be16() to set the allocation\nlength field of MODE SENSE(10) CDB and by returning an error when len is\ntoo small.\r\n\r\nFurthermore, if len is larger than 255B, always try MODE SENSE(10) first,\neven if the device driver did not set sdev->use_10_for_ms. In case of\ninvalid opcode error for MODE SENSE(10), access to mode pages larger than\n255 bytes are not retried using MODE SENSE(6). To avoid buffer length\noverflows for the MODE_SENSE(10) case, check that len is smaller than 65535\nbytes.\r\n\r\nWhile at it, also fix the folowing:\r\n\r\n * Use get_unaligned_be16() to retrieve the mode data length and block\n   descriptor length fields of the mode sense reply header instead of using\n   an open coded calculation.\r\n\r\n * Fix the kdoc dbd argument explanation: the DBD bit stands for Disable\n   Block Descriptor, which is the opposite of what the dbd argument\n   description was.(CVE-2021-47182)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5e: CT, Fix multiple allocations and memleak of mod acts\r\n\r\nCT clear action offload adds additional mod hdr actions to the\nflow's original mod actions in order to clear the registers which\nhold ct_state.\nWhen such flow also includes encap action, a neigh update event\ncan cause the driver to unoffload the flow and then reoffload it.\r\n\r\nEach time this happens, the ct clear handling adds that same set\nof mod hdr actions to reset ct_state until the max of mod hdr\nactions is reached.\r\n\r\nAlso the driver never releases the allocated mod hdr actions and\ncausing a memleak.\r\n\r\nFix above two issues by moving CT clear mod acts allocation\ninto the parsing actions phase and only use it when offloading the rule.\nThe release of mod acts will be done in the normal flow_put().\r\n\r\n backtrace:\n    [<000000007316e2f3>] krealloc+0x83/0xd0\n    [<00000000ef157de1>] mlx5e_mod_hdr_alloc+0x147/0x300 [mlx5_core]\n    [<00000000970ce4ae>] mlx5e_tc_match_to_reg_set_and_get_id+0xd7/0x240 [mlx5_core]\n    [<0000000067c5fa17>] mlx5e_tc_match_to_reg_set+0xa/0x20 [mlx5_core]\n    [<00000000d032eb98>] mlx5_tc_ct_entry_set_registers.isra.0+0x36/0xc0 [mlx5_core]\n    [<00000000fd23b869>] mlx5_tc_ct_flow_offload+0x272/0x1f10 [mlx5_core]\n    [<000000004fc24acc>] mlx5e_tc_offload_fdb_rules.part.0+0x150/0x620 [mlx5_core]\n    [<00000000dc741c17>] mlx5e_tc_encap_flows_add+0x489/0x690 [mlx5_core]\n    [<00000000e92e49d7>] mlx5e_rep_update_flows+0x6e4/0x9b0 [mlx5_core]\n    [<00000000f60f5602>] mlx5e_rep_neigh_update+0x39a/0x5d0 [mlx5_core](CVE-2021-47199)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: usb-audio: fix null pointer dereference on pointer cs_desc\r\n\r\nThe pointer cs_desc return from snd_usb_find_clock_source could\nbe null, so there is a potential null pointer dereference issue.\nFix this by adding a null check before dereference.(CVE-2021-47211)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbinder: fix race between mmput() and do_exit()\r\n\r\nTask A calls binder_update_page_range() to allocate and insert pages on\na remote address space from Task B. For this, Task A pins the remote mm\nvia mmget_not_zero() first. This can race with Task B do_exit() and the\nfinal mmput() refcount decrement will come from Task A.\r\n\r\n  Task A            | Task B\n  ------------------+------------------\n  mmget_not_zero()  |\n                    |  do_exit()\n                    |    exit_mm()\n                    |      mmput()\n  mmput()           |\n    exit_mmap()     |\n      remove_vma()  |\n        fput()      |\r\n\r\nIn this case, the work of ____fput() from Task B is queued up in Task A\nas TWA_RESUME. So in theory, Task A returns to userspace and the cleanup\nwork gets executed. However, Task A instead sleep, waiting for a reply\nfrom Task B that never comes (it's dead).\r\n\r\nThis means the binder_deferred_release() is blocked until an unrelated\nbinder event forces Task A to go back to userspace. All the associated\ndeath notifications will also be delayed until then.\r\n\r\nIn order to fix this use mmput_async() that will schedule the work in\nthe corresponding mm->async_put_work WQ instead of Task A.(CVE-2023-52609)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: act_ct: fix skb leak and crash on ooo frags\r\n\r\nact_ct adds skb->users before defragmentation. If frags arrive in order,\nthe last frag's reference is reset in:\r\n\r\n  inet_frag_reasm_prepare\n    skb_morph\r\n\r\nwhich is not straightforward.\r\n\r\nHowever when frags arrive out of order, nobody unref the last frag, and\nall frags are leaked. The situation is even worse, as initiating packet\ncapture can lead to a crash[0] when skb has been cloned and shared at the\nsame time.\r\n\r\nFix the issue by removing skb_get() before defragmentation. act_ct\nreturns TC_ACT_CONSUMED when defrag failed or in progress.\r\n\r\n[0]:\n[  843.804823] ------------[ cut here ]------------\n[  843.809659] kernel BUG at net/core/skbuff.c:2091!\n[  843.814516] invalid opcode: 0000 [#1] PREEMPT SMP\n[  843.819296] CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G S 6.7.0-rc3 #2\n[  843.824107] Hardware name: XFUSION 1288H V6/BC13MBSBD, BIOS 1.29 11/25/2022\n[  843.828953] RIP: 0010:pskb_expand_head+0x2ac/0x300\n[  843.833805] Code: 8b 70 28 48 85 f6 74 82 48 83 c6 08 bf 01 00 00 00 e8 38 bd ff ff 8b 83 c0 00 00 00 48 03 83 c8 00 00 00 e9 62 ff ff ff 0f 0b <0f> 0b e8 8d d0 ff ff e9 b3 fd ff ff 81 7c 24 14 40 01 00 00 4c 89\n[  843.843698] RSP: 0018:ffffc9000cce07c0 EFLAGS: 00010202\n[  843.848524] RAX: 0000000000000002 RBX: ffff88811a211d00 RCX: 0000000000000820\n[  843.853299] RDX: 0000000000000640 RSI: 0000000000000000 RDI: ffff88811a211d00\n[  843.857974] RBP: ffff888127d39518 R08: 00000000bee97314 R09: 0000000000000000\n[  843.862584] R10: 0000000000000000 R11: ffff8881109f0000 R12: 0000000000000880\n[  843.867147] R13: ffff888127d39580 R14: 0000000000000640 R15: ffff888170f7b900\n[  843.871680] FS:  0000000000000000(0000) GS:ffff889ffffc0000(0000) knlGS:0000000000000000\n[  843.876242] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  843.880778] CR2: 00007fa42affcfb8 CR3: 000000011433a002 CR4: 0000000000770ef0\n[  843.885336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  843.889809] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  843.894229] PKRU: 55555554\n[  843.898539] Call Trace:\n[  843.902772]  <IRQ>\n[  843.906922]  ? __die_body+0x1e/0x60\n[  843.911032]  ? die+0x3c/0x60\n[  843.915037]  ? do_trap+0xe2/0x110\n[  843.918911]  ? pskb_expand_head+0x2ac/0x300\n[  843.922687]  ? do_error_trap+0x65/0x80\n[  843.926342]  ? pskb_expand_head+0x2ac/0x300\n[  843.929905]  ? exc_invalid_op+0x50/0x60\n[  843.933398]  ? pskb_expand_head+0x2ac/0x300\n[  843.936835]  ? asm_exc_invalid_op+0x1a/0x20\n[  843.940226]  ? pskb_expand_head+0x2ac/0x300\n[  843.943580]  inet_frag_reasm_prepare+0xd1/0x240\n[  843.946904]  ip_defrag+0x5d4/0x870\n[  843.950132]  nf_ct_handle_fragments+0xec/0x130 [nf_conntrack]\n[  843.953334]  tcf_ct_act+0x252/0xd90 [act_ct]\n[  843.956473]  ? tcf_mirred_act+0x516/0x5a0 [act_mirred]\n[  843.959657]  tcf_action_exec+0xa1/0x160\n[  843.962823]  fl_classify+0x1db/0x1f0 [cls_flower]\n[  843.966010]  ? skb_clone+0x53/0xc0\n[  843.969173]  tcf_classify+0x24d/0x420\n[  843.972333]  tc_run+0x8f/0xf0\n[  843.975465]  __netif_receive_skb_core+0x67a/0x1080\n[  843.978634]  ? dev_gro_receive+0x249/0x730\n[  843.981759]  __netif_receive_skb_list_core+0x12d/0x260\n[  843.984869]  netif_receive_skb_list_internal+0x1cb/0x2f0\n[  843.987957]  ? mlx5e_handle_rx_cqe_mpwrq_rep+0xfa/0x1a0 [mlx5_core]\n[  843.991170]  napi_complete_done+0x72/0x1a0\n[  843.994305]  mlx5e_napi_poll+0x28c/0x6d0 [mlx5_core]\n[  843.997501]  __napi_poll+0x25/0x1b0\n[  844.000627]  net_rx_action+0x256/0x330\n[  844.003705]  __do_softirq+0xb3/0x29b\n[  844.006718]  irq_exit_rcu+0x9e/0xc0\n[  844.009672]  common_interrupt+0x86/0xa0\n[  844.012537]  </IRQ>\n[  844.015285]  <TASK>\n[  844.017937]  asm_common_interrupt+0x26/0x40\n[  844.020591] RIP: 0010:acpi_safe_halt+0x1b/0x20\n[  844.023247] Code: ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 65 48 8b 04 25 00 18 03 00 48 8b 00 a8 08 75 0c 66 90 0f 00 2d 81 d0 44 00 fb\n---truncated---(CVE-2023-52610)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init\r\n\r\nWhen the mpi_ec_ctx structure is initialized, some fields are not\ncleared, causing a crash when referencing the field when the\nstructure was released. Initially, this issue was ignored because\nmemory for mpi_ec_ctx is allocated with the __GFP_ZERO flag.\nFor example, this error will be triggered when calculating the\nZa value for SM2 separately.(CVE-2023-52616)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblock/rnbd-srv: Check for unlikely string overflow\r\n\r\nSince \"dev_search_path\" can technically be as large as PATH_MAX,\nthere was a risk of truncation when copying it and a second string\ninto \"full_path\" since it was also PATH_MAX sized. The W=1 builds were\nreporting this warning:\r\n\r\ndrivers/block/rnbd/rnbd-srv.c: In function 'process_msg_open.isra':\ndrivers/block/rnbd/rnbd-srv.c:616:51: warning: '%s' directive output may be truncated writing up to 254 bytes into a region of size between 0 and 4095 [-Wformat-truncation=]\n  616 |                 snprintf(full_path, PATH_MAX, \"%s/%s\",\n      |                                                   ^~\nIn function 'rnbd_srv_get_full_path',\n    inlined from 'process_msg_open.isra' at drivers/block/rnbd/rnbd-srv.c:721:14: drivers/block/rnbd/rnbd-srv.c:616:17: note: 'snprintf' output between 2 and 4351 bytes into a destination of size 4096\n  616 |                 snprintf(full_path, PATH_MAX, \"%s/%s\",\n      |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n  617 |                          dev_search_path, dev_name);\n      |                          ~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\nTo fix this, unconditionally check for truncation (as was already done\nfor the case where \"%SESSNAME%\" was present).(CVE-2023-52618)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nllc: Drop support for ETH_P_TR_802_2.\r\n\r\nsyzbot reported an uninit-value bug below. [0]\r\n\r\nllc supports ETH_P_802_2 (0x0004) and used to support ETH_P_TR_802_2\n(0x0011), and syzbot abused the latter to trigger the bug.\r\n\r\n  write$tun(r0, &(0x7f0000000040)={@val={0x0, 0x11}, @val, @mpls={[], @llc={@snap={0xaa, 0x1, ')', \"90e5dd\"}}}}, 0x16)\r\n\r\nllc_conn_handler() initialises local variables {saddr,daddr}.mac\nbased on skb in llc_pdu_decode_sa()/llc_pdu_decode_da() and passes\nthem to __llc_lookup().\r\n\r\nHowever, the initialisation is done only when skb->protocol is\nhtons(ETH_P_802_2), otherwise, __llc_lookup_established() and\n__llc_lookup_listener() will read garbage.\r\n\r\nThe missing initialisation existed prior to commit 211ed865108e\n(\"net: delete all instances of special processing for token ring\").\r\n\r\nIt removed the part to kick out the token ring stuff but forgot to\nclose the door allowing ETH_P_TR_802_2 packets to sneak into llc_rcv().\r\n\r\nLet's remove llc_tr_packet_type and complete the deprecation.\r\n\r\n[0]:\nBUG: KMSAN: uninit-value in __llc_lookup_established+0xe9d/0xf90\n __llc_lookup_established+0xe9d/0xf90\n __llc_lookup net/llc/llc_conn.c:611 [inline]\n llc_conn_handler+0x4bd/0x1360 net/llc/llc_conn.c:791\n llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206\n __netif_receive_skb_one_core net/core/dev.c:5527 [inline]\n __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5641\n netif_receive_skb_internal net/core/dev.c:5727 [inline]\n netif_receive_skb+0x58/0x660 net/core/dev.c:5786\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\n tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2020 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x8ef/0x1490 fs/read_write.c:584\n ksys_write+0x20f/0x4c0 fs/read_write.c:637\n __do_sys_write fs/read_write.c:649 [inline]\n __se_sys_write fs/read_write.c:646 [inline]\n __x64_sys_write+0x93/0xd0 fs/read_write.c:646\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nLocal variable daddr created at:\n llc_conn_handler+0x53/0x1360 net/llc/llc_conn.c:783\n llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206\r\n\r\nCPU: 1 PID: 5004 Comm: syz-executor994 Not tainted 6.6.0-syzkaller-14500-g1c41041124bd #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023(CVE-2024-26635)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nllc: make llc_ui_sendmsg() more robust against bonding changes\r\n\r\nsyzbot was able to trick llc_ui_sendmsg(), allocating an skb with no\nheadroom, but subsequently trying to push 14 bytes of Ethernet header [1]\r\n\r\nLike some others, llc_ui_sendmsg() releases the socket lock before\ncalling sock_alloc_send_skb().\nThen it acquires it again, but does not redo all the sanity checks\nthat were performed.\r\n\r\nThis fix:\r\n\r\n- Uses LL_RESERVED_SPACE() to reserve space.\n- Check all conditions again after socket lock is held again.\n- Do not account Ethernet header for mtu limitation.\r\n\r\n[1]\r\n\r\nskbuff: skb_under_panic: text:ffff800088baa334 len:1514 put:14 head:ffff0000c9c37000 data:ffff0000c9c36ff2 tail:0x5dc end:0x6c0 dev:bond0\r\n\r\n kernel BUG at net/core/skbuff.c:193 !\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\nModules linked in:\nCPU: 0 PID: 6875 Comm: syz-executor.0 Not tainted 6.7.0-rc8-syzkaller-00101-g0802e17d9aca-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : skb_panic net/core/skbuff.c:189 [inline]\n pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203\n lr : skb_panic net/core/skbuff.c:189 [inline]\n lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203\nsp : ffff800096f97000\nx29: ffff800096f97010 x28: ffff80008cc8d668 x27: dfff800000000000\nx26: ffff0000cb970c90 x25: 00000000000005dc x24: ffff0000c9c36ff2\nx23: ffff0000c9c37000 x22: 00000000000005ea x21: 00000000000006c0\nx20: 000000000000000e x19: ffff800088baa334 x18: 1fffe000368261ce\nx17: ffff80008e4ed000 x16: ffff80008a8310f8 x15: 0000000000000001\nx14: 1ffff00012df2d58 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000001 x10: 0000000000ff0100 x9 : e28a51f1087e8400\nx8 : e28a51f1087e8400 x7 : ffff80008028f8d0 x6 : 0000000000000000\nx5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff800082b78714\nx2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000089\nCall trace:\n  skb_panic net/core/skbuff.c:189 [inline]\n  skb_under_panic+0x13c/0x140 net/core/skbuff.c:203\n  skb_push+0xf0/0x108 net/core/skbuff.c:2451\n  eth_header+0x44/0x1f8 net/ethernet/eth.c:83\n  dev_hard_header include/linux/netdevice.h:3188 [inline]\n  llc_mac_hdr_init+0x110/0x17c net/llc/llc_output.c:33\n  llc_sap_action_send_xid_c+0x170/0x344 net/llc/llc_s_ac.c:85\n  llc_exec_sap_trans_actions net/llc/llc_sap.c:153 [inline]\n  llc_sap_next_state net/llc/llc_sap.c:182 [inline]\n  llc_sap_state_process+0x1ec/0x774 net/llc/llc_sap.c:209\n  llc_build_and_send_xid_pkt+0x12c/0x1c0 net/llc/llc_sap.c:270\n  llc_ui_sendmsg+0x7bc/0xb1c net/llc/af_llc.c:997\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg net/socket.c:745 [inline]\n  sock_sendmsg+0x194/0x274 net/socket.c:767\n  splice_to_socket+0x7cc/0xd58 fs/splice.c:881\n  do_splice_from fs/splice.c:933 [inline]\n  direct_splice_actor+0xe4/0x1c0 fs/splice.c:1142\n  splice_direct_to_actor+0x2a0/0x7e4 fs/splice.c:1088\n  do_splice_direct+0x20c/0x348 fs/splice.c:1194\n  do_sendfile+0x4bc/0xc70 fs/read_write.c:1254\n  __do_sys_sendfile64 fs/read_write.c:1322 [inline]\n  __se_sys_sendfile64 fs/read_write.c:1308 [inline]\n  __arm64_sys_sendfile64+0x160/0x3b4 fs/read_write.c:1308\n  __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]\n  invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51\n  el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136\n  do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155\n  el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678\n  el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696\n  el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595\nCode: aa1803e6 aa1903e7 a90023f5 94792f6a (d4210000)(CVE-2024-26636)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: add sanity checks to rx zerocopy\r\n\r\nTCP rx zerocopy intent is to map pages initially allocated\nfrom NIC drivers, not pages owned by a fs.\r\n\r\nThis patch adds to can_map_frag() these additional checks:\r\n\r\n- Page must not be a compound one.\n- page->mapping must be NULL.\r\n\r\nThis fixes the panic reported by ZhangPeng.\r\n\r\nsyzbot was able to loopback packets built with sendfile(),\nmapping pages owned by an ext4 file to TCP rx zerocopy.\r\n\r\nr3 = socket$inet_tcp(0x2, 0x1, 0x0)\nmmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0)\nr4 = socket$inet_tcp(0x2, 0x1, 0x0)\nbind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10)\nconnect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10)\nr5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00',\n    0x181e42, 0x0)\nfallocate(r5, 0x0, 0x0, 0x85b8)\nsendfile(r4, r5, 0x0, 0x8ba0)\ngetsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23,\n    &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0,\n    0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40)\nr6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00',\n    0x181e42, 0x0)(CVE-2024-26640)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()\r\n\r\nsyzbot found __ip6_tnl_rcv() could access unitiliazed data [1].\r\n\r\nCall pskb_inet_may_pull() to fix this, and initialize ipv6h\nvariable after this call as it can change skb->head.\r\n\r\n[1]\n BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321\n  __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n  INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n  IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321\n  ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727\n  __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845\n  ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888\n gre_rcv+0x143f/0x1870\n  ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438\n  ip6_input_finish net/ipv6/ip6_input.c:483 [inline]\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\n  ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\n  dst_input include/net/dst.h:461 [inline]\n  ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310\n  __netif_receive_skb_one_core net/core/dev.c:5532 [inline]\n  __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646\n  netif_receive_skb_internal net/core/dev.c:5732 [inline]\n  netif_receive_skb+0x58/0x660 net/core/dev.c:5791\n  tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\n  tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n  call_write_iter include/linux/fs.h:2084 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0x786/0x1200 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was created at:\n  slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n  slab_alloc_node mm/slub.c:3478 [inline]\n  kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n  __alloc_skb+0x318/0x740 net/core/skbuff.c:651\n  alloc_skb include/linux/skbuff.h:1286 [inline]\n  alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334\n  sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787\n  tun_alloc_skb drivers/net/tun.c:1531 [inline]\n  tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n  call_write_iter include/linux/fs.h:2084 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0x786/0x1200 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nCPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023(CVE-2024-26641)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nl2tp: pass correct message length to ip6_append_data\r\n\r\nl2tp_ip6_sendmsg needs to avoid accounting for the transport header\ntwice when splicing more data into an already partially-occupied skbuff.\r\n\r\nTo manage this, we check whether the skbuff contains data using\nskb_queue_empty when deciding how much data to append using\nip6_append_data.\r\n\r\nHowever, the code which performed the calculation was incorrect:\r\n\r\n     ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;\r\n\r\n...due to C operator precedence, this ends up setting ulen to\ntranshdrlen for messages with a non-zero length, which results in\ncorrupted packets on the wire.\r\n\r\nAdd parentheses to correct the calculation in line with the original\nintent.(CVE-2024-26752)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nIB/hfi1: Fix sdma.h tx->num_descs off-by-one error\r\n\r\nUnfortunately the commit `fd8958efe877` introduced another error\ncausing the `descs` array to overflow. This reults in further crashes\neasily reproducible by `sendmsg` system call.\r\n\r\n[ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI\n[ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1]\n--\n[ 1080.974535] Call Trace:\n[ 1080.976990]  <TASK>\n[ 1081.021929]  hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1]\n[ 1081.027364]  hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1]\n[ 1081.032633]  hfi1_ipoib_send+0x112/0x300 [hfi1]\n[ 1081.042001]  ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib]\n[ 1081.046978]  dev_hard_start_xmit+0xc4/0x210\n--\n[ 1081.148347]  __sys_sendmsg+0x59/0xa0\r\n\r\ncrash> ipoib_txreq 0xffff9cfeba229f00\nstruct ipoib_txreq {\n  txreq = {\n    list = {\n      next = 0xffff9cfeba229f00,\n      prev = 0xffff9cfeba229f00\n    },\n    descp = 0xffff9cfeba229f40,\n    coalesce_buf = 0x0,\n    wait = 0xffff9cfea4e69a48,\n    complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>,\n    packet_len = 0x46d,\n    tlen = 0x0,\n    num_desc = 0x0,\n    desc_limit = 0x6,\n    next_descq_idx = 0x45c,\n    coalesce_idx = 0x0,\n    flags = 0x0,\n    descs = {{\n        qw = {0x8024000120dffb00, 0x4}  # SDMA_DESC0_FIRST_DESC_FLAG (bit 63)\n      }, {\n        qw = {  0x3800014231b108, 0x4}\n      }, {\n        qw = { 0x310000e4ee0fcf0, 0x8}\n      }, {\n        qw = {  0x3000012e9f8000, 0x8}\n      }, {\n        qw = {  0x59000dfb9d0000, 0x8}\n      }, {\n        qw = {  0x78000e02e40000, 0x8}\n      }}\n  },\n  sdma_hdr =  0x400300015528b000,  <<< invalid pointer in the tx request structure\n  sdma_status = 0x0,                   SDMA_DESC0_LAST_DESC_FLAG (bit 62)\n  complete = 0x0,\n  priv = 0x0,\n  txq = 0xffff9cfea4e69880,\n  skb = 0xffff9d099809f400\n}\r\n\r\nIf an SDMA send consists of exactly 6 descriptors and requires dword\npadding (in the 7th descriptor), the sdma_txreq descriptor array is not\nproperly expanded and the packet will overflow into the container\nstructure. This results in a panic when the send completion runs. The\nexact panic varies depending on what elements of the container structure\nget corrupted. The fix is to use the correct expression in\n_pad_sdma_tx_descs() to test the need to expand the descriptor array.\r\n\r\nWith this patch the crashes are no longer reproducible and the machine is\nstable.(CVE-2024-26766)",
+    "cves": [
+      {
+        "id": "CVE-2024-26766",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26766",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2076": {
+    "id": "openEuler-SA-2022-2076",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2076",
+    "title": "An update for mysql-connector-java is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "MySQL Connector/J is a native Java driver that converts JDBC (Java Database Connectivity) calls into the network protocol used by the MySQL database. It lets developers working with the Java programming language easily build programs and applets that interact with MySQL and connect all corporate data, even in a heterogeneous environment. MySQL Connector/J is a Type IV JDBC driver and has a complete JDBC feature set that supports the capabilities of MySQL.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2019-2692)",
+    "cves": [
+      {
+        "id": "CVE-2019-2692",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-2692",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1767": {
+    "id": "openEuler-SA-2022-1767",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1767",
+    "title": "An update for bison is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Bison is a general-purpose parser generator that converts an annotated context-free grammar into a deterministic LR or generalized LR (GLR) parser employing LALR(1) parser tables. As an experimental feature, Bison can also generate IELR(1) or canonical LR(1) parser tables. Once you are proficient with Bison, you can use it to develop a wide range of language parsers, from those used in simple desk calculators to complex programming languages.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU Bison before 3.7.1 has a use-after-free in _obstack_free in lib/obstack.c (called from gram_lex) when a '\\0' byte is encountered. NOTE: there is a risk only if Bison is used with untrusted input, and the observed bug happens to cause unsafe behavior with a specific compiler/architecture. The bug report was intended to show that a crash may occur in Bison itself, not that a crash may occur in code that is generated by Bison.(CVE-2020-24240)",
+    "cves": [
+      {
+        "id": "CVE-2020-24240",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24240",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1411": {
+    "id": "openEuler-SA-2024-1411",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1411",
+    "title": "An update for stb is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Single-file public domain libraries for C/C++.\r\n\r\nSecurity Fix(es):\r\n\r\nstb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds write in `f->vendor[len] = (char)'\\0';`. The root cause is that if the len read in `start_decoder` is `-1` and `len + 1` becomes 0 when passed to `setup_malloc`. The `setup_malloc` behaves differently when `f->alloc.alloc_buffer` is pre-allocated. Instead of returning `NULL` as in `malloc` case it shifts the pre-allocated buffer by zero and returns the currently available memory block. This issue may lead to code execution.(CVE-2023-45675)",
+    "cves": [
+      {
+        "id": "CVE-2023-45675",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45675",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1711": {
+    "id": "openEuler-SA-2024-1711",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1711",
+    "title": "An update for mariadb is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "MariaDB turns data into structured information in a wide array of applications, ranging from banking to websites. It is an enhanced, drop-in replacement for MySQL. MariaDB is used because it is fast, scalable and robust, with a rich ecosystem of storage engines, plugins and many other tools make it very versatile for a wide variety of use cases.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 5.7.43 and prior, 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22084)",
+    "cves": [
+      {
+        "id": "CVE-2023-22084",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22084",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1228": {
+    "id": "openEuler-SA-2021-1228",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1228",
+    "title": "An update for xdg-utils is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The xdg-utils package is a set of simple scripts that provide basic desktop integration functions for any Free Desktop, such as Linux. The following tools are included in xdg-utils: * xdg-desktop-menu      Install desktop menu items * xdg-desktop-icon      Install icons to the desktop * xdg-icon-resource     Install icon resources * xdg-mime              Query information about file type handling and                         install descriptions for new file types * xdg-open              Open a file or URL in the user's preferred application * xdg-email             Send mail using the user's preferred e-mail composer * xdg-screensaver       Control the screensaver\n\nSecurity Fix(es):\n\nA flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and newer. When handling mailto: URIs, xdg-email allows attachments to be discreetly added via the URI when being passed to Thunderbird. An attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure. It has been confirmed that the code behind this issue is in xdg-email and not in Thunderbird.(CVE-2020-27748)",
+    "cves": [
+      {
+        "id": "CVE-2020-27748",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27748",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1015": {
+    "id": "openEuler-SA-2023-1015",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1015",
+    "title": "An update for ppp is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Point-to-Point Protocol (PPP) provides a standard way to establish a network connection over a serial link.  At present, this package supports IP and IPV6 and the protocols layered above them, such as TCP and UDP.  The Linux port of this package also has support for IPX.\r\n\r\nSecurity Fix(es):\r\n\r\n** DISPUTED ** A vulnerability classified as problematic has been found in ppp. Affected is the function dumpppp of the file pppdump/pppdump.c of the component pppdump. The manipulation of the argument spkt.buf/rpkt.buf leads to improper validation of array index. The real existence of this vulnerability is still doubted at the moment. The name of the patch is a75fb7b198eed50d769c80c36629f38346882cbf. It is recommended to apply a patch to fix this issue. VDB-216198 is the identifier assigned to this vulnerability. NOTE: pppdump is not used in normal process of setting up a PPP connection, is not installed setuid-root, and is not invoked automatically in any scenario.(CVE-2022-4603)",
+    "cves": [
+      {
+        "id": "CVE-2022-4603",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4603",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1725": {
+    "id": "openEuler-SA-2024-1725",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1725",
+    "title": "An update for wireshark is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Wireshark is an open source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer.\r\n\r\nSecurity Fix(es):\r\n\r\nMONGO and ZigBee TLV dissector infinite loops in Wireshark 4.2.0 to 4.2.4, 4.0.0 to 4.0.14, and 3.6.0 to 3.6.22 allow denial of service via packet injection or crafted capture file(CVE-2024-4854)",
+    "cves": [
+      {
+        "id": "CVE-2024-4854",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4854",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1671": {
+    "id": "openEuler-SA-2024-1671",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1671",
+    "title": "An update for runc is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "runc is a CLI tool for spawning and running containers according to the OCI specification.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system.(CVE-2024-3154)",
+    "cves": [
+      {
+        "id": "CVE-2024-3154",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3154",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1821": {
+    "id": "openEuler-SA-2023-1821",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1821",
+    "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nIssue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\r\n\r\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays.  Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\r\n\r\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\r\n\r\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\r\n\r\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\r\n\r\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions.  An application calling any of those other\nfunctions may similarly be affected.  The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\r\n\r\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\r\n\r\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\r\n\r\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\r\n\r\n(CVE-2023-5678)",
+    "cves": [
+      {
+        "id": "CVE-2023-5678",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1870": {
+    "id": "openEuler-SA-2022-1870",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1870",
+    "title": "An update for grafana is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.\r\n\r\nSecurity Fix(es):\r\n\r\nGrafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take over the account of another user in that Grafana instance. This can occur when the malicious user is authorized to log in to Grafana via OAuth, the malicious user's external user id is not already associated with an account in Grafana, the malicious user's email address is not already associated with an account in Grafana, and the malicious user knows the Grafana username of the target user. If these conditions are met, the malicious user can set their username in the OAuth provider to that of the target user, then go through the OAuth flow to log in to Grafana. Due to the way that external and internal user accounts are linked together during login, if the conditions above are all met then the malicious user will be able to log in to the target user's Grafana account. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch for this issue. As a workaround, concerned users can disable OAuth login to their Grafana instance, or ensure that all users authorized to log in via OAuth have a corresponding user account in Grafana linked to their email address.(CVE-2022-31107)",
+    "cves": [
+      {
+        "id": "CVE-2022-31107",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31107",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1712": {
+    "id": "openEuler-SA-2022-1712",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1712",
+    "title": "An update for python-bottle is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Bottle is a fast, simple and lightweight WSGI micro web-framework for Python. It is distributed as a single file module and has no dependencies other than the Python Standard Library.\r\n\r\nSecurity Fix(es):\r\n\r\nBottle before 0.12.20 mishandles errors during early request binding.(CVE-2022-31799)",
+    "cves": [
+      {
+        "id": "CVE-2022-31799",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31799",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1545": {
+    "id": "openEuler-SA-2022-1545",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1545",
+    "title": "An update for xmlrpc is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "Apache XML-RPC is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls. Apache XML-RPC was previously known as Helma XML-RPC. If you have code using the Helma library, all you should have to do is change the import statements in your code from helma.xmlrpc.* to org.apache.xmlrpc.*.\r\n\r\nSecurity Fix(es):\r\n\r\nAn untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.(CVE-2019-17570)",
+    "cves": [
+      {
+        "id": "CVE-2019-17570",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17570",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1608": {
+    "id": "openEuler-SA-2022-1608",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1608",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nHeap-based Buffer Overflow occurs in vim in GitHub repository vim/vim prior to 8.2.4563.(CVE-2022-0943)",
+    "cves": [
+      {
+        "id": "CVE-2022-0943",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0943",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1876": {
+    "id": "openEuler-SA-2023-1876",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1876",
+    "title": "An update for vim is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Low",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nVim is an open source command line text editor. When closing a window, vim may try to access already freed window structure. Exploitation beyond crashing the application has not been shown to be viable. This issue has been addressed in commit `25aabc2b` which has been included in release version 9.0.2106. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48231)\r\n\r\nVim is an open source command line text editor. If the count after the :s command is larger than what fits into a (signed) long variable, abort with e_value_too_large. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `ac6378773` which has been included in release version 9.0.2108. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48233)\r\n\r\nVim is an open source command line text editor. When getting the count for a normal mode z command, it may overflow for large counts given. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `58f9befca1` which has been included in release version 9.0.2109. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48234)\r\n\r\nVim is an open source command line text editor. When parsing relative ex addresses one may unintentionally cause an\noverflow. Ironically this happens in the existing overflow check, because the line number becomes negative and LONG_MAX - lnum will cause the overflow. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `060623e` which has been included in release version 9.0.2110. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48235)\r\n\r\nVim is an open source command line text editor. When using the z= command, the user may overflow the count with values larger\nthan MAX_INT. Impact is low, user interaction is required and a crash may not even happen in all situations. This vulnerability has been addressed in commit `73b2d379` which has been included in release version 9.0.2111. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48236)\r\n\r\nVim is an open source command line text editor. In affected versions when shifting lines in operator pending mode and using a very large value, it may be possible to overflow the size of integer. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `6bf131888` which has been included in version 9.0.2112. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48237)",
+    "cves": [
+      {
+        "id": "CVE-2023-48237",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48237",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1573": {
+    "id": "openEuler-SA-2022-1573",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1573",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nHeap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.4436.(CVE-2022-0714)\r\n\r\nUse of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4440.(CVE-2022-0729)",
+    "cves": [
+      {
+        "id": "CVE-2022-0729",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0729",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1025": {
+    "id": "openEuler-SA-2024-1025",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1025",
+    "title": "An update for metadata-extractor2 is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Metadata Extractor is a straightforward Java library for reading metadata from image files.\r\n\r\nSecurity Fix(es):\r\n\r\nmetadata-extractor up to 2.16.0 can throw various uncaught exceptions while parsing a specially crafted JPEG file, which could result in an application crash. This could be used to mount a denial of service attack against services that use metadata-extractor library.(CVE-2022-24613)\r\n\r\nWhen reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library.(CVE-2022-24614)",
+    "cves": [
+      {
+        "id": "CVE-2022-24614",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24614",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1598": {
+    "id": "openEuler-SA-2022-1598",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1598",
+    "title": "An update for postgresql-13 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "PostgreSQL is an advanced Object-Relational database management system (DBMS). The base postgresql package contains the client programs that you'll need to access a PostgreSQL DBMS server, as well as HTML documentation for the whole system.  These client programs can be located on the same machine as the PostgreSQL server, or on a remote machine that accesses a PostgreSQL server over a network connection.  The PostgreSQL server can be found in the postgresql-server sub-package.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.(CVE-2021-23214)\r\n\r\nA man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption.(CVE-2021-23222)",
+    "cves": [
+      {
+        "id": "CVE-2021-23222",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23222",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1388": {
+    "id": "openEuler-SA-2023-1388",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1388",
+    "title": "An update for iniparser is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "This modules offers parsing of ini files from the C level. See a complete documentation in HTML format, from this directory open the file html/index.html with any HTML-capable browser.\r\n\r\nSecurity Fix(es):\r\n\r\niniparser v4.1 is vulnerable to NULL Pointer Dereference in function iniparser_getlongint which misses check NULL for function iniparser_getstring's return.(CVE-2023-33461)",
+    "cves": [
+      {
+        "id": "CVE-2023-33461",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33461",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1798": {
+    "id": "openEuler-SA-2022-1798",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1798",
+    "title": "An update for samba is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\r\n\r\nSecurity Fix(es): \r\n\r\nA flaw was found in Samba. Samba AD users can cause the server to access uninitialized data with an LDAP add or modify the request, usually resulting in a segmentation fault.(CVE-2022-32745)\n\nA flaw was found in the Samba AD LDAP server. The AD DC database audit logging module can access LDAP message values freed by a preceding database module, resulting in a use-after-free issue. This issue is only possible when modifying certain privileged attributes, such as userAccountControl.(CVE-2022-32746)\n\nA flaw was found in Samba. Some SMB1 write requests were not correctly range-checked to ensure the client had sent enough data to fulfill the write, allowing server memory contents to be written into the file (or printer) instead of client-supplied data. The client cannot control the area of the server memory written to the file (or printer).(CVE-2022-32742)\n\nA flaw was found in Samba. The KDC accepts kpasswd requests encrypted with any key known to it. By encrypting forged kpasswd requests with its own key, a user can change other users passwords, enabling full domain takeover.(CVE-2022-32744)\n\nAs per samba upstream advisory:All versions of Samba prior to 4.16.x built with Heimdal Kerberos are vulnerable to an Elevation of Privilege attack. If the password of a user expires and need to be changed, a user could get a krbtgt using kpasswd with canonicalization turned on. The KDC should only provide a ticket for kadmin/changepw but returns a krbtgt. So a user could skip the password change and just use the krbtgt to get service tickets and use services in the forest.(CVE-2022-2031)",
+    "cves": [
+      {
+        "id": "CVE-2022-2031",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2031",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1623": {
+    "id": "openEuler-SA-2022-1623",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1623",
+    "title": "An update for varnish is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "This is Varnish Cache, a web application accelerator also known as a caching HTTP reverse proxy. You install it in front of any server that speaks HTTP and configure it to cache the contents. Varnish Cache is really, really fast. It typically speeds up delivery with a factor of 300 - 1000x, depending on your architecture.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections(CVE-2022-23959)",
+    "cves": [
+      {
+        "id": "CVE-2022-23959",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23959",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1653": {
+    "id": "openEuler-SA-2023-1653",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1653",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nUse After Free in GitHub repository vim/vim prior to 9.0.1840.(CVE-2023-4733)\r\n\r\nInteger Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1846.(CVE-2023-4734)\r\n\r\nOut-of-bounds Write in GitHub repository vim/vim prior to 9.0.1847.(CVE-2023-4735)\r\n\r\nUntrusted Search Path in GitHub repository vim/vim prior to 9.0.1833.(CVE-2023-4736)\r\n\r\nHeap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1848.(CVE-2023-4738)\r\n\r\nUse After Free in GitHub repository vim/vim prior to 9.0.1857.(CVE-2023-4750)\r\n\r\nUse After Free in GitHub repository vim/vim prior to 9.0.1858.(CVE-2023-4752)\r\n\r\nHeap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873.(CVE-2023-4781)",
+    "cves": [
+      {
+        "id": "CVE-2023-4781",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4781",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1339": {
+    "id": "openEuler-SA-2023-1339",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1339",
+    "title": "An update for c-ares is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "This is c-ares, an asynchronous resolver library. It is intended for applications which need to perform DNS queries without blocking, or need to perform multiple\r\n\r\nSecurity Fix(es):\r\n\r\nc-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.(CVE-2023-31147)",
+    "cves": [
+      {
+        "id": "CVE-2023-31147",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31147",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1783": {
+    "id": "openEuler-SA-2024-1783",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1783",
+    "title": "An update for openssh is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. \\ It encrypts all traffic to eliminate eavesdropping, connection hijacking, and \\ other attacks. In addition, OpenSSH provides a large suite of secure tunneling \\ capabilities, several authentication methods, and sophisticated configuration options.\r\n\r\nSecurity Fix(es):\r\n\r\nA signal handler race condition was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog().(CVE-2024-6387)",
+    "cves": [
+      {
+        "id": "CVE-2024-6387",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6387",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1446": {
+    "id": "openEuler-SA-2021-1446",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1446",
+    "title": "An update for samba is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "A suite for Linux to interoperate with Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nSamba may map domain users to local users in an undesired way..(CVE-2020-25717)",
+    "cves": [
+      {
+        "id": "CVE-2020-25717",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25717",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1161": {
+    "id": "openEuler-SA-2021-1161",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1161",
+    "title": "An update for netty is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. %package    help Summary:          Documents for %{name} Buildarch:        noarch Requires:         man info Provides:         %{name}-javadoc = %{version}-%{release} Obsoletes:        %{name}-javadoc < %{version}-%{release} %description help Man pages and other related documents for %{name}.\r\n\r\nSecurity Fix(es):\r\n\r\nNetty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is True: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.(CVE-2021-21295)\r\n\r\nNetty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to True. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.(CVE-2021-21409)",
+    "cves": [
+      {
+        "id": "CVE-2021-21409",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1093": {
+    "id": "openEuler-SA-2021-1093",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1093",
+    "title": "An update for redis is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Redis is an advanced key-value store. It is often referred to as a dattructure server since keys can contain strings, hashes ,lists, sets anorted sets.\r\n\r\nSecurity Fix(es):\r\n\r\nRedis is an open-source, in-memory database that persists on disk. In affected versions of Redis an integer overflow bug in 32-bit Redis version 4.0 or newer could be exploited to corrupt the heap and potentially result with remote code execution. Redis 4.0 or newer uses a configurable limit for the maximum supported bulk input size. By default, it is 512MB which is a safe value for all platforms. If the limit is significantly increased, receiving a large request from a client may trigger several integer overflow scenarios, which would result with buffer overflow and heap corruption. We believe this could in certain conditions be exploited for remote code execution. By default, authenticated Redis users have access to all configuration parameters and can therefore use the “CONFIG SET proto-max-bulk-len” to change the safe default, making the system vulnerable. **This problem only affects 32-bit Redis (on a 32-bit system, or as a 32-bit executable running on a 64-bit system).** The problem is fixed in version 6.2, and the fix is back ported to 6.0.11 and 5.0.11. Make sure you use one of these versions if you are running 32-bit Redis. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent clients from directly executing `CONFIG SET`: Using Redis 6.0 or newer, ACL configuration can be used to block the command. Using older versions, the `rename-command` configuration directive can be used to rename the command to a random string unknown to users, rendering it inaccessible. Please note that this workaround may have an additional impact on users or operational systems that expect `CONFIG SET` to behave in certain ways.(CVE-2021-21309)",
+    "cves": [
+      {
+        "id": "CVE-2021-21309",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21309",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1714": {
+    "id": "openEuler-SA-2024-1714",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1714",
+    "title": "An update for grub2 is now available for openEuler-24.03-LTS",
+    "severity": "Critical",
+    "description": "GNU GRUB is a Multiboot boot loader. It was derived from GRUB, the GRand Unified Bootloader, which was originally designed and implemented by Erich Stefan Boleyn.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.(CVE-2021-46848)",
+    "cves": [
+      {
+        "id": "CVE-2021-46848",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46848",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1528": {
+    "id": "openEuler-SA-2022-1528",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1528",
+    "title": "An update for ceph is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "User space components of the Ceph file system.\r\n\r\nSecurity Fix(es):\r\n\r\nThe key length for encrypted devices created using ceph-volume is incorrect. This is due to a bug in ceph_volume/util/encryption.py, where upon writing a key using osd_dmcrypt_key_size it does not pass the key size to the format and open operations following. The default key is then applied in cryptsetup. All versions since Luminous are assumed affected.(CVE-2021-3979)",
+    "cves": [
+      {
+        "id": "CVE-2021-3979",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3979",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2013": {
+    "id": "openEuler-SA-2022-2013",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2013",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn binder_inc_ref_for_node of binder.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-239630375References: Upstream kernel(CVE-2022-20421)\r\n\r\nIn emulation_proc_handler of armv8_deprecated.c, there is a possible way to corrupt memory due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-237540956References: Upstream kernel(CVE-2022-20422)\n\nmm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.(CVE-2022-42703)\n\nroccat_report_event in drivers/hid/hid-roccat.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free in certain situations where a report is received while copying a report->value is in progress.(CVE-2022-41850)",
+    "cves": [
+      {
+        "id": "CVE-2022-41850",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41850",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1083": {
+    "id": "openEuler-SA-2024-1083",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1083",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Bluetooth subsystem of the Linux kernel. A race condition between the bt_sock_recvmsg() and bt_sock_ioctl() functions could lead to a use-after-free on a socket buffer (\"skb\"). This flaw allows a local user to cause a denial of service condition or potential code execution.(CVE-2023-51779)\r\n\r\nAn issue was discovered in the Linux kernel before 6.6.8. do_vcc_ioctl in net/atm/ioctl.c has a use-after-free because of a vcc_recvmsg race condition.(CVE-2023-51780)\r\n\r\nAn issue was discovered in the Linux kernel before 6.6.8. atalk_ioctl in net/appletalk/ddp.c has a use-after-free because of an atalk_recvmsg race condition.(CVE-2023-51781)",
+    "cves": [
+      {
+        "id": "CVE-2023-51781",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51781",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1408": {
+    "id": "openEuler-SA-2024-1408",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1408",
+    "title": "An update for cri-o is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Open Container Initiative-based implementation of Kubernetes Container Runtime Interface.\r\n\r\nSecurity Fix(es):\r\n\r\nA malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.(CVE-2023-39325)\r\n\r\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795)",
+    "cves": [
+      {
+        "id": "CVE-2023-48795",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48795",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1803": {
+    "id": "openEuler-SA-2022-1803",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1803",
+    "title": "An update for qt5-qtbase is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Qt is a software toolkit for developing applications.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.(CVE-2022-25255)",
+    "cves": [
+      {
+        "id": "CVE-2022-25255",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1642": {
+    "id": "openEuler-SA-2022-1642",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1642",
+    "title": "An update for python-django is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "A high-level Python Web framework that encourages rapid development and clean, pragmatic design.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.(CVE-2022-28346)\nA SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.(CVE-2022-28347)",
+    "cves": [
+      {
+        "id": "CVE-2022-28347",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28347",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1760": {
+    "id": "openEuler-SA-2024-1760",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1760",
+    "title": "An update for ffmpeg is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash.\r\n\r\nSecurity Fix(es):\r\n\r\nA null pointer dereference issue was discovered in 'FFmpeg' in decode_main_header() function of libavformat/nutdec.c file. The flaw occurs because the function lacks check of the return value of avformat_new_stream() and triggers the null pointer dereference error, causing an application to crash.(CVE-2022-3341)\r\n\r\nBuffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via a floating point exception (FPE) error at libavfilter/vf_minterpolate.c:1078:60 in interpolate.(CVE-2023-51798)",
+    "cves": [
+      {
+        "id": "CVE-2023-51798",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51798",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1466": {
+    "id": "openEuler-SA-2024-1466",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1466",
+    "title": "An update for docker is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Docker is an open source project to build, ship and run any application as a lightweight container.\r\n\r\nSecurity Fix(es):\r\n\r\nMoby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be defined. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters and thus behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_. The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and other API clients may specify the `internal` parameter as well.\r\n\r\nWhen containers with networking are created, they are assigned unique network interfaces and IP addresses. The host serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from container IPs.\r\n\r\nContainers on an internal network may communicate between each other, but are precluded from communicating with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus appropriately configured host services) is possible, and the host may communicate with any container IP directly.\r\n\r\nIn addition to configuring the Linux kernel's various networking features to enable container networking, `dockerd` directly provides some services to container networks. Principal among these is serving as a resolver, enabling service discovery, and resolution of names from an upstream resolver.\r\n\r\nWhen a DNS request for a name that does not correspond to a container is received, the request is forwarded to the configured upstream resolver. This request is made from the container's network namespace: the level of access and routing of traffic is the same as if the request was made by the container itself.\r\n\r\nAs a consequence of this design, containers solely attached to an internal network will be unable to resolve names using the upstream resolver, as the container itself is unable to communicate with that nameserver. Only the names of containers also attached to the internal network are able to be resolved.\r\n\r\nMany systems run a local forwarding DNS resolver. As the host and any containers have separate loopback devices, a consequence of the design described above is that containers are unable to resolve names from the host's configured resolver, as they cannot reach these addresses on the host loopback device. To bridge this gap, and to allow containers to properly resolve names even when a local forwarding resolver is used on a loopback address, `dockerd` detects this scenario and instead forward DNS requests from the host namework namespace. The loopback resolver then forwards the requests to its configured upstream resolvers, as expected.\r\n\r\nBecause `dockerd` forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics entirely, internal networks can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers.\r\n\r\nDocker Desktop is not affected, as Docker Desktop always runs an internal resolver on a RFC 1918 address.\r\n\r\nMoby releases 26.0.0, 25.0.4, and 23.0.11 are patched to prevent forwarding any DNS requests from internal networks. As a workaround, run containers intended to be solely attached to internal networks with a custom upstream address, which will force all upstream DNS queries to be resolved from the container's network namespace.(CVE-2024-29018)",
+    "cves": [
+      {
+        "id": "CVE-2024-29018",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29018",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1153": {
+    "id": "openEuler-SA-2023-1153",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1153",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel 6.0.8, there is an out-of-bounds read in ntfs_attr_find in fs/ntfs/attrib.c.(CVE-2023-26607)",
+    "cves": [
+      {
+        "id": "CVE-2023-26607",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26607",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1702": {
+    "id": "openEuler-SA-2022-1702",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1702",
+    "title": "An update for openjdk-latest is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment.\n\nSecurity Fix(es):\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).(CVE-2022-21449)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2022-21476)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21443)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21426)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21496)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21434)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via Kerberos to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).(CVE-2021-35567)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2021-35586)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2021-35559)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Keytool). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2021-35564)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2021-35603)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Utility). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2021-35561)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2021-35578)\n\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2021-35556)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21299)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21365)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21341)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21366)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21360)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21340)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21305)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2022-21296)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21294)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21293)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21291)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21283)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2022-21282)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21277)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21248)\n\nVulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N).(CVE-2021-2163)\n\nVulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. It can also be exploited by supplying untrusted data to APIs in the specified Component. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).(CVE-2021-2161)",
+    "cves": [
+      {
+        "id": "CVE-2021-2161",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-2161",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2080": {
+    "id": "openEuler-SA-2022-2080",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2080",
+    "title": "An update for libxml2 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "This library allows to manipulate XML files. It includes support to read, modify and write XML and HTML files. There is DTDs support this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified. The outputcan be a simple SAX stream or and in-memory DOM like representations. In this case one can use the built-in XPath and XPointer implementation to select sub nodes or ranges. A flexible Input/Output mechanism is available, with existing HTTP and FTP modules and combined to an URI library.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in libxml2. Parsing a XML document with the XML_PARSE_HUGE option enabled can result in an integer overflow because safety checks were missing in some functions. Also, the xmlParseEntityValue function didn't have any length limitation.(CVE-2022-40303)\r\n\r\nA flaw was found in libxml2. When a reference cycle is detected in the XML entity cleanup function the XML entity data can be stored in a dictionary. In this case, the dictionary becomes corrupted resulting in logic errors, including memory errors like double free.(CVE-2022-40304)",
+    "cves": [
+      {
+        "id": "CVE-2022-40304",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40304",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1804": {
+    "id": "openEuler-SA-2023-1804",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1804",
+    "title": "An update for httpd is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\r\n\r\nSecurity Fix(es):\r\n\r\nOut-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server: through 2.4.57.\r\n\r\n(CVE-2023-31122)\r\n\r\nWhen a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that.\r\n\r\nThis was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During \"normal\" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out.\r\n\r\nUsers are recommended to upgrade to version 2.4.58, which fixes the issue.\n(CVE-2023-45802)",
+    "cves": [
+      {
+        "id": "CVE-2023-45802",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45802",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1018": {
+    "id": "openEuler-SA-2024-1018",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1018",
+    "title": "An update for libsass is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Libsass is a Sass CSS precompiler which is ported for C/C++. This version is more efficient and portable than the original Ruby version. Keeping light and sample is its degisn philosophy which makes it more easier to be built and integrated with a immense amount of platforms and languages. Installation of saccs is needed if you want to run is directly as libsass is just a library.\r\n\r\nSecurity Fix(es):\r\n\r\nStack Overflow vulnerability in libsass 3.6.5 via the CompoundSelector::has_real_parent_ref function.(CVE-2022-26592)\r\n\r\nStack overflow vulnerability in ast_selectors.cpp in function Sass::CompoundSelector::has_real_parent_ref in libsass:3.6.5-8-g210218, which can be exploited by attackers to causea denial of service (DoS). Also affects the command line driver for libsass, sassc 3.6.2.(CVE-2022-43357)\r\n\r\nStack overflow vulnerability in ast_selectors.cpp: in function Sass::ComplexSelector::has_placeholder in libsass:3.6.5-8-g210218, which can be exploited by attackers to cause a denial of service (DoS).(CVE-2022-43358)",
+    "cves": [
+      {
+        "id": "CVE-2022-43358",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43358",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1464": {
+    "id": "openEuler-SA-2021-1464",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1464",
+    "title": "An update for mod_security is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "This software is also called Modsec,it is an open-source web application firewall. It is designed for Apache HTTP Server.ModSecurity is commonly deployed to provide protections against generic classed of vulnerabilities.The install of this package is easy and you can read the README.TXT for more information.\r\n\r\nSecurity Fix(es):\r\n\r\nModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.(CVE-2021-42717)",
+    "cves": [
+      {
+        "id": "CVE-2021-42717",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42717",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1607": {
+    "id": "openEuler-SA-2024-1607",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1607",
+    "title": "An update for ruby is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Low",
+    "description": "Ruby is a fast and easy interpreted scripting language for object-oriented programming. It has many functions for processing text Files and perform system management tasks (such as Perl).\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1.(CVE-2024-27282)",
+    "cves": [
+      {
+        "id": "CVE-2024-27282",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27282",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1054": {
+    "id": "openEuler-SA-2023-1054",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1054",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition.(CVE-2023-23559)\n\nNo description is available for this CVE.(CVE-2023-0047)",
+    "cves": [
+      {
+        "id": "CVE-2023-0047",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0047",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1372": {
+    "id": "openEuler-SA-2021-1372",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1372",
+    "title": "An update for cloud-init is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Cloud-init is the defacto multi-distribution package that handles early initialization of a cloud instance.\r\n\r\nSecurity Fix(es):\r\n\r\n(CVE-2021-3429)",
+    "cves": [
+      {
+        "id": "CVE-2021-3429",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3429",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1010": {
+    "id": "openEuler-SA-2021-1010",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1010",
+    "title": "An update for libvirt is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Libvirt is a C toolkit to interact with the virtualization capabilities of recent versions of Linux (and other OSes). The main package includes the libvirtd server exporting the virtualization support.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nA flaw was found in libvirt, where it leaked a file descriptor for `/dev/mapper/control` into the QEMU process. This file descriptor allows for privileged operations to happen against the device-mapper on the host. This flaw allows a malicious guest user or process to perform operations outside of their standard permissions, potentially causing serious damage to the host operating system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-14339)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2020-14339",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14339",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1061": {
+    "id": "openEuler-SA-2024-1061",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1061",
+    "title": "An update for libssh is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote programs. With its Secure FTP implementation, you can play with remote files easily, without third-party programs others than libcrypto (from openssl).\r\n\r\nSecurity Fix(es):\r\n\r\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795)",
+    "cves": [
+      {
+        "id": "CVE-2023-48795",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48795",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1051": {
+    "id": "openEuler-SA-2023-1051",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1051",
+    "title": "An update for batik is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Batik is an inline templating engine for CoffeeScript, inspired by CoffeeKup,  that lets you write your template directly as a CoffeeScript function.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.(CVE-2022-41704)\r\n\r\nA vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.(CVE-2022-42890)",
+    "cves": [
+      {
+        "id": "CVE-2022-42890",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42890",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1706": {
+    "id": "openEuler-SA-2024-1706",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1706",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5e: Fix use-after-free of encap entry in neigh update handler\r\n\r\nFunction mlx5e_rep_neigh_update() wasn't updated to accommodate rtnl lock\nremoval from TC filter update path and properly handle concurrent encap\nentry insertion/deletion which can lead to following use-after-free:\r\n\r\n [23827.464923] ==================================================================\n [23827.469446] BUG: KASAN: use-after-free in mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.470971] Read of size 4 at addr ffff8881d132228c by task kworker/u20:6/21635\n [23827.472251]\n [23827.472615] CPU: 9 PID: 21635 Comm: kworker/u20:6 Not tainted 5.13.0-rc3+ #5\n [23827.473788] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n [23827.475639] Workqueue: mlx5e mlx5e_rep_neigh_update [mlx5_core]\n [23827.476731] Call Trace:\n [23827.477260]  dump_stack+0xbb/0x107\n [23827.477906]  print_address_description.constprop.0+0x18/0x140\n [23827.478896]  ? mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.479879]  ? mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.480905]  kasan_report.cold+0x7c/0xd8\n [23827.481701]  ? mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.482744]  kasan_check_range+0x145/0x1a0\n [23827.493112]  mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.494054]  ? mlx5e_tc_tun_encap_info_equal_generic+0x140/0x140 [mlx5_core]\n [23827.495296]  mlx5e_rep_neigh_update+0x41e/0x5e0 [mlx5_core]\n [23827.496338]  ? mlx5e_rep_neigh_entry_release+0xb80/0xb80 [mlx5_core]\n [23827.497486]  ? read_word_at_a_time+0xe/0x20\n [23827.498250]  ? strscpy+0xa0/0x2a0\n [23827.498889]  process_one_work+0x8ac/0x14e0\n [23827.499638]  ? lockdep_hardirqs_on_prepare+0x400/0x400\n [23827.500537]  ? pwq_dec_nr_in_flight+0x2c0/0x2c0\n [23827.501359]  ? rwlock_bug.part.0+0x90/0x90\n [23827.502116]  worker_thread+0x53b/0x1220\n [23827.502831]  ? process_one_work+0x14e0/0x14e0\n [23827.503627]  kthread+0x328/0x3f0\n [23827.504254]  ? _raw_spin_unlock_irq+0x24/0x40\n [23827.505065]  ? __kthread_bind_mask+0x90/0x90\n [23827.505912]  ret_from_fork+0x1f/0x30\n [23827.506621]\n [23827.506987] Allocated by task 28248:\n [23827.507694]  kasan_save_stack+0x1b/0x40\n [23827.508476]  __kasan_kmalloc+0x7c/0x90\n [23827.509197]  mlx5e_attach_encap+0xde1/0x1d40 [mlx5_core]\n [23827.510194]  mlx5e_tc_add_fdb_flow+0x397/0xc40 [mlx5_core]\n [23827.511218]  __mlx5e_add_fdb_flow+0x519/0xb30 [mlx5_core]\n [23827.512234]  mlx5e_configure_flower+0x191c/0x4870 [mlx5_core]\n [23827.513298]  tc_setup_cb_add+0x1d5/0x420\n [23827.514023]  fl_hw_replace_filter+0x382/0x6a0 [cls_flower]\n [23827.514975]  fl_change+0x2ceb/0x4a51 [cls_flower]\n [23827.515821]  tc_new_tfilter+0x89a/0x2070\n [23827.516548]  rtnetlink_rcv_msg+0x644/0x8c0\n [23827.517300]  netlink_rcv_skb+0x11d/0x340\n [23827.518021]  netlink_unicast+0x42b/0x700\n [23827.518742]  netlink_sendmsg+0x743/0xc20\n [23827.519467]  sock_sendmsg+0xb2/0xe0\n [23827.520131]  ____sys_sendmsg+0x590/0x770\n [23827.520851]  ___sys_sendmsg+0xd8/0x160\n [23827.521552]  __sys_sendmsg+0xb7/0x140\n [23827.522238]  do_syscall_64+0x3a/0x70\n [23827.522907]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n [23827.523797]\n [23827.524163] Freed by task 25948:\n [23827.524780]  kasan_save_stack+0x1b/0x40\n [23827.525488]  kasan_set_track+0x1c/0x30\n [23827.526187]  kasan_set_free_info+0x20/0x30\n [23827.526968]  __kasan_slab_free+0xed/0x130\n [23827.527709]  slab_free_freelist_hook+0xcf/0x1d0\n [23827.528528]  kmem_cache_free_bulk+0x33a/0x6e0\n [23827.529317]  kfree_rcu_work+0x55f/0xb70\n [23827.530024]  process_one_work+0x8ac/0x14e0\n [23827.530770]  worker_thread+0x53b/0x1220\n [23827.531480]  kthread+0x328/0x3f0\n [23827.532114]  ret_from_fork+0x1f/0x30\n [23827.532785]\n [23827.533147] Last potentially related work creation:\n [23827.534007]  kasan_save_stack+0x1b/0x40\n [23827.534710]  kasan_record_aux_stack+0xab/0xc0\n [23827.535492]  kvfree_call_rcu+0x31/0x7b0\n [23827.536206]  mlx5e_tc_del\n---truncated---(CVE-2021-47247)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA: Verify port when creating flow rule\r\n\r\nValidate port value provided by the user and with that remove no longer\nneeded validation by the driver.  The missing check in the mlx5_ib driver\ncould cause to the below oops.\r\n\r\nCall trace:\n  _create_flow_rule+0x2d4/0xf28 [mlx5_ib]\n  mlx5_ib_create_flow+0x2d0/0x5b0 [mlx5_ib]\n  ib_uverbs_ex_create_flow+0x4cc/0x624 [ib_uverbs]\n  ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0xd4/0x150 [ib_uverbs]\n  ib_uverbs_cmd_verbs.isra.7+0xb28/0xc50 [ib_uverbs]\n  ib_uverbs_ioctl+0x158/0x1d0 [ib_uverbs]\n  do_vfs_ioctl+0xd0/0xaf0\n  ksys_ioctl+0x84/0xb4\n  __arm64_sys_ioctl+0x28/0xc4\n  el0_svc_common.constprop.3+0xa4/0x254\n  el0_svc_handler+0x84/0xa0\n  el0_svc+0x10/0x26c\n Code: b9401260 f9615681 51000400 8b001c20 (f9403c1a)(CVE-2021-47265)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmISDN: fix possible use-after-free in HFC_cleanup()\r\n\r\nThis module's remove path calls del_timer(). However, that function\ndoes not wait until the timer handler finishes. This means that the\ntimer handler may still be running after the driver's remove function\nhas finished, which would result in a use-after-free.\r\n\r\nFix by calling del_timer_sync(), which makes sure the timer handler\nhas finished, and unable to re-schedule itself.(CVE-2021-47356)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: stmmac: Disable Tx queues when reconfiguring the interface\r\n\r\nThe Tx queues were not disabled in situations where the driver needed to\nstop the interface to apply a new configuration. This could result in a\nkernel panic when doing any of the 3 following actions:\n* reconfiguring the number of queues (ethtool -L)\n* reconfiguring the size of the ring buffers (ethtool -G)\n* installing/removing an XDP program (ip l set dev ethX xdp)\r\n\r\nPrevent the panic by making sure netif_tx_disable is called when stopping\nan interface.\r\n\r\nWithout this patch, the following kernel panic can be observed when doing\nany of the actions above:\r\n\r\nUnable to handle kernel paging request at virtual address ffff80001238d040\n[....]\n Call trace:\n  dwmac4_set_addr+0x8/0x10\n  dev_hard_start_xmit+0xe4/0x1ac\n  sch_direct_xmit+0xe8/0x39c\n  __dev_queue_xmit+0x3ec/0xaf0\n  dev_queue_xmit+0x14/0x20\n[...]\n[ end trace 0000000000000002 ]---(CVE-2021-47558)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nice: Fix crash by keep old cfg when update TCs more than queues\r\n\r\nThere are problems if allocated queues less than Traffic Classes.\r\n\r\nCommit a632b2a4c920 (\"ice: ethtool: Prohibit improper channel config\nfor DCB\") already disallow setting less queues than TCs.\r\n\r\nAnother case is if we first set less queues, and later update more TCs\nconfig due to LLDP, ice_vsi_cfg_tc() will failed but left dirty\nnum_txq/rxq and tc_cfg in vsi, that will cause invalid pointer access.\r\n\r\n[   95.968089] ice 0000:3b:00.1: More TCs defined than queues/rings allocated.\n[   95.968092] ice 0000:3b:00.1: Trying to use more Rx queues (8), than were allocated (1)!\n[   95.968093] ice 0000:3b:00.1: Failed to config TC for VSI index: 0\n[   95.969621] general protection fault: 0000 [#1] SMP NOPTI\n[   95.969705] CPU: 1 PID: 58405 Comm: lldpad Kdump: loaded Tainted: G     U  W  O     --------- -t - 4.18.0 #1\n[   95.969867] Hardware name: O.E.M/BC11SPSCB10, BIOS 8.23 12/30/2021\n[   95.969992] RIP: 0010:devm_kmalloc+0xa/0x60\n[   95.970052] Code: 5c ff ff ff 31 c0 5b 5d 41 5c c3 b8 f4 ff ff ff eb f4 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 89 d1 <8b> 97 60 02 00 00 48 8d 7e 18 48 39 f7 72 3f 55 89 ce 53 48 8b 4c\n[   95.970344] RSP: 0018:ffffc9003f553888 EFLAGS: 00010206\n[   95.970425] RAX: dead000000000200 RBX: ffffea003c425b00 RCX: 00000000006080c0\n[   95.970536] RDX: 00000000006080c0 RSI: 0000000000000200 RDI: dead000000000200\n[   95.970648] RBP: dead000000000200 R08: 00000000000463c0 R09: ffff888ffa900000\n[   95.970760] R10: 0000000000000000 R11: 0000000000000002 R12: ffff888ff6b40100\n[   95.970870] R13: ffff888ff6a55018 R14: 0000000000000000 R15: ffff888ff6a55460\n[   95.970981] FS:  00007f51b7d24700(0000) GS:ffff88903ee80000(0000) knlGS:0000000000000000\n[   95.971108] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   95.971197] CR2: 00007fac5410d710 CR3: 0000000f2c1de002 CR4: 00000000007606e0\n[   95.971309] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[   95.971419] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[   95.971530] PKRU: 55555554\n[   95.971573] Call Trace:\n[   95.971622]  ice_setup_rx_ring+0x39/0x110 [ice]\n[   95.971695]  ice_vsi_setup_rx_rings+0x54/0x90 [ice]\n[   95.971774]  ice_vsi_open+0x25/0x120 [ice]\n[   95.971843]  ice_open_internal+0xb8/0x1f0 [ice]\n[   95.971919]  ice_ena_vsi+0x4f/0xd0 [ice]\n[   95.971987]  ice_dcb_ena_dis_vsi.constprop.5+0x29/0x90 [ice]\n[   95.972082]  ice_pf_dcb_cfg+0x29a/0x380 [ice]\n[   95.972154]  ice_dcbnl_setets+0x174/0x1b0 [ice]\n[   95.972220]  dcbnl_ieee_set+0x89/0x230\n[   95.972279]  ? dcbnl_ieee_del+0x150/0x150\n[   95.972341]  dcb_doit+0x124/0x1b0\n[   95.972392]  rtnetlink_rcv_msg+0x243/0x2f0\n[   95.972457]  ? dcb_doit+0x14d/0x1b0\n[   95.972510]  ? __kmalloc_node_track_caller+0x1d3/0x280\n[   95.972591]  ? rtnl_calcit.isra.31+0x100/0x100\n[   95.972661]  netlink_rcv_skb+0xcf/0xf0\n[   95.972720]  netlink_unicast+0x16d/0x220\n[   95.972781]  netlink_sendmsg+0x2ba/0x3a0\n[   95.975891]  sock_sendmsg+0x4c/0x50\n[   95.979032]  ___sys_sendmsg+0x2e4/0x300\n[   95.982147]  ? kmem_cache_alloc+0x13e/0x190\n[   95.985242]  ? __wake_up_common_lock+0x79/0x90\n[   95.988338]  ? __check_object_size+0xac/0x1b0\n[   95.991440]  ? _copy_to_user+0x22/0x30\n[   95.994539]  ? move_addr_to_user+0xbb/0xd0\n[   95.997619]  ? __sys_sendmsg+0x53/0x80\n[   96.000664]  __sys_sendmsg+0x53/0x80\n[   96.003747]  do_syscall_64+0x5b/0x1d0\n[   96.006862]  entry_SYSCALL_64_after_hwframe+0x65/0xca\r\n\r\nOnly update num_txq/rxq when passed check, and restore tc_cfg if setup\nqueue map failed.(CVE-2022-48652)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\naio: fix mremap after fork null-deref\r\n\r\nCommit e4a0d3e720e7 (\"aio: Make it possible to remap aio ring\") introduced\na null-deref if mremap is called on an old aio mapping after fork as\nmm->ioctx_table will be set to NULL.\r\n\r\n[jmoyer@redhat.com: fix 80 column issue](CVE-2023-52646)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nriscv: Check if the code to patch lies in the exit section\r\n\r\nOtherwise we fall through to vmalloc_to_page() which panics since the\naddress does not lie in the vmalloc region.(CVE-2023-52677)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: scarlett2: Add missing error checks to *_ctl_get()\r\n\r\nThe *_ctl_get() functions which call scarlett2_update_*() were not\nchecking the return value. Fix to check the return value and pass to\nthe caller.(CVE-2023-52680)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/powernv: Add a null pointer check in opal_event_init()\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.(CVE-2023-52686)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: openvswitch: fix possible memory leak in ovs_meter_cmd_set()\r\n\r\nold_meter needs to be free after it is detached regardless of whether\nthe new meter is successfully attached.(CVE-2023-52702)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix underflow in second superblock position calculations\r\n\r\nMacro NILFS_SB2_OFFSET_BYTES, which computes the position of the second\nsuperblock, underflows when the argument device size is less than 4096\nbytes.  Therefore, when using this macro, it is necessary to check in\nadvance that the device size is not less than a lower limit, or at least\nthat underflow does not occur.\r\n\r\nThe current nilfs2 implementation lacks this check, causing out-of-bound\nblock access when mounting devices smaller than 4096 bytes:\r\n\r\n I/O error, dev loop0, sector 36028797018963960 op 0x0:(READ) flags 0x0\n phys_seg 1 prio class 2\n NILFS (loop0): unable to read secondary superblock (blocksize = 1024)\r\n\r\nIn addition, when trying to resize the filesystem to a size below 4096\nbytes, this underflow occurs in nilfs_resize_fs(), passing a huge number\nof segments to nilfs_sufile_resize(), corrupting parameters such as the\nnumber of segments in superblocks.  This causes excessive loop iterations\nin nilfs_sufile_resize() during a subsequent resize ioctl, causing\nsemaphore ns_segctor_sem to block for a long time and hang the writer\nthread:\r\n\r\n INFO: task segctord:5067 blocked for more than 143 seconds.\n      Not tainted 6.2.0-rc8-syzkaller-00015-gf6feea56f66d #0\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:segctord        state:D stack:23456 pid:5067  ppid:2\n flags:0x00004000\n Call Trace:\n  <TASK>\n  context_switch kernel/sched/core.c:5293 [inline]\n  __schedule+0x1409/0x43f0 kernel/sched/core.c:6606\n  schedule+0xc3/0x190 kernel/sched/core.c:6682\n  rwsem_down_write_slowpath+0xfcf/0x14a0 kernel/locking/rwsem.c:1190\n  nilfs_transaction_lock+0x25c/0x4f0 fs/nilfs2/segment.c:357\n  nilfs_segctor_thread_construct fs/nilfs2/segment.c:2486 [inline]\n  nilfs_segctor_thread+0x52f/0x1140 fs/nilfs2/segment.c:2570\n  kthread+0x270/0x300 kernel/kthread.c:376\n  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308\n  </TASK>\n ...\n Call Trace:\n  <TASK>\n  folio_mark_accessed+0x51c/0xf00 mm/swap.c:515\n  __nilfs_get_page_block fs/nilfs2/page.c:42 [inline]\n  nilfs_grab_buffer+0x3d3/0x540 fs/nilfs2/page.c:61\n  nilfs_mdt_submit_block+0xd7/0x8f0 fs/nilfs2/mdt.c:121\n  nilfs_mdt_read_block+0xeb/0x430 fs/nilfs2/mdt.c:176\n  nilfs_mdt_get_block+0x12d/0xbb0 fs/nilfs2/mdt.c:251\n  nilfs_sufile_get_segment_usage_block fs/nilfs2/sufile.c:92 [inline]\n  nilfs_sufile_truncate_range fs/nilfs2/sufile.c:679 [inline]\n  nilfs_sufile_resize+0x7a3/0x12b0 fs/nilfs2/sufile.c:777\n  nilfs_resize_fs+0x20c/0xed0 fs/nilfs2/super.c:422\n  nilfs_ioctl_resize fs/nilfs2/ioctl.c:1033 [inline]\n  nilfs_ioctl+0x137c/0x2440 fs/nilfs2/ioctl.c:1301\n  ...\r\n\r\nThis fixes these issues by inserting appropriate minimum device size\nchecks or anti-underflow checks, depending on where the macro is used.(CVE-2023-52705)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nIB/IPoIB: Fix legacy IPoIB due to wrong number of queues\r\n\r\nThe cited commit creates child PKEY interfaces over netlink will\nmultiple tx and rx queues, but some devices doesn't support more than 1\ntx and 1 rx queues. This causes to a crash when traffic is sent over the\nPKEY interface due to the parent having a single queue but the child\nhaving multiple queues.\r\n\r\nThis patch fixes the number of queues to 1 for legacy IPoIB at the\nearliest possible point in time.\r\n\r\nBUG: kernel NULL pointer dereference, address: 000000000000036b\nPGD 0 P4D 0\nOops: 0000 [#1] SMP\nCPU: 4 PID: 209665 Comm: python3 Not tainted 6.1.0_for_upstream_min_debug_2022_12_12_17_02 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:kmem_cache_alloc+0xcb/0x450\nCode: ce 7e 49 8b 50 08 49 83 78 10 00 4d 8b 28 0f 84 cb 02 00 00 4d 85 ed 0f 84 c2 02 00 00 41 8b 44 24 28 48 8d 4a\n01 49 8b 3c 24 <49> 8b 5c 05 00 4c 89 e8 65 48 0f c7 0f 0f 94 c0 84 c0 74 b8 41 8b\nRSP: 0018:ffff88822acbbab8 EFLAGS: 00010202\nRAX: 0000000000000070 RBX: ffff8881c28e3e00 RCX: 00000000064f8dae\nRDX: 00000000064f8dad RSI: 0000000000000a20 RDI: 0000000000030d00\nRBP: 0000000000000a20 R08: ffff8882f5d30d00 R09: ffff888104032f40\nR10: ffff88810fade828 R11: 736f6d6570736575 R12: ffff88810081c000\nR13: 00000000000002fb R14: ffffffff817fc865 R15: 0000000000000000\nFS:  00007f9324ff9700(0000) GS:ffff8882f5d00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000000000036b CR3: 00000001125af004 CR4: 0000000000370ea0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n skb_clone+0x55/0xd0\n ip6_finish_output2+0x3fe/0x690\n ip6_finish_output+0xfa/0x310\n ip6_send_skb+0x1e/0x60\n udp_v6_send_skb+0x1e5/0x420\n udpv6_sendmsg+0xb3c/0xe60\n ? ip_mc_finish_output+0x180/0x180\n ? __switch_to_asm+0x3a/0x60\n ? __switch_to_asm+0x34/0x60\n sock_sendmsg+0x33/0x40\n __sys_sendto+0x103/0x160\n ? _copy_to_user+0x21/0x30\n ? kvm_clock_get_cycles+0xd/0x10\n ? ktime_get_ts64+0x49/0xe0\n __x64_sys_sendto+0x25/0x30\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033:0x7f9374f1ed14\nCode: 42 41 f8 ff 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b\n7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 68 41 f8 ff 48 8b\nRSP: 002b:00007f9324ff7bd0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 00007f9324ff7cc8 RCX: 00007f9374f1ed14\nRDX: 00000000000002fb RSI: 00007f93000052f0 RDI: 0000000000000030\nRBP: 0000000000000000 R08: 00007f9324ff7d40 R09: 000000000000001c\nR10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000\nR13: 000000012a05f200 R14: 0000000000000001 R15: 00007f9374d57bdc\n </TASK>(CVE-2023-52745)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nxfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32_attr()\r\n\r\n  int type = nla_type(nla);\r\n\r\n  if (type > XFRMA_MAX) {\n            return -EOPNOTSUPP;\n  }\r\n\r\n@type is then used as an array index and can be used\nas a Spectre v1 gadget.\r\n\r\n  if (nla_len(nla) < compat_policy[type].len) {\r\n\r\narray_index_nospec() can be used to prevent leaking\ncontent of kernel memory to malicious users.(CVE-2023-52746)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Avoid NULL dereference of timing generator\r\n\r\n[Why & How]\nCheck whether assigned timing generator is NULL or not before\naccessing its funcs to prevent NULL dereference.(CVE-2023-52753)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/smc: avoid data corruption caused by decline\r\n\r\nWe found a data corruption issue during testing of SMC-R on Redis\napplications.\r\n\r\nThe benchmark has a low probability of reporting a strange error as\nshown below.\r\n\r\n\"Error: Protocol error, got \"\\xe2\" as reply type byte\"\r\n\r\nFinally, we found that the retrieved error data was as follows:\r\n\r\n0xE2 0xD4 0xC3 0xD9 0x04 0x00 0x2C 0x20 0xA6 0x56 0x00 0x16 0x3E 0x0C\n0xCB 0x04 0x02 0x01 0x00 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00\n0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xE2\r\n\r\nIt is quite obvious that this is a SMC DECLINE message, which means that\nthe applications received SMC protocol message.\nWe found that this was caused by the following situations:\r\n\r\nclient                  server\n        ¦  clc proposal\n        ------------->\n        ¦  clc accept\n        <-------------\n        ¦  clc confirm\n        ------------->\nwait llc confirm\n\t\t\tsend llc confirm\n        ¦failed llc confirm\n        ¦   x------\n(after 2s)timeout\n                        wait llc confirm rsp\r\n\r\nwait decline\r\n\r\n(after 1s) timeout\n                        (after 2s) timeout\n        ¦   decline\n        -------------->\n        ¦   decline\n        <--------------\r\n\r\nAs a result, a decline message was sent in the implementation, and this\nmessage was read from TCP by the already-fallback connection.\r\n\r\nThis patch double the client timeout as 2x of the server value,\nWith this simple change, the Decline messages should never cross or\ncollide (during Confirm link timeout).\r\n\r\nThis issue requires an immediate solution, since the protocol updates\ninvolve a more long-term solution.(CVE-2023-52775)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipvlan: add ipvlan_route_v6_outbound() helper\r\n\r\nInspired by syzbot reports using a stack of multiple ipvlan devices.\r\n\r\nReduce stack size needed in ipvlan_process_v6_outbound() by moving\nthe flowi6 struct used for the route lookup in an non inlined\nhelper. ipvlan_route_v6_outbound() needs 120 bytes on the stack,\nimmediately reclaimed.\r\n\r\nAlso make sure ipvlan_process_v4_outbound() is not inlined.\r\n\r\nWe might also have to lower MAX_NEST_DEV, because only syzbot uses\nsetups with more than four stacked devices.\r\n\r\nBUG: TASK stack guard page was hit at ffffc9000e803ff8 (stack is ffffc9000e804000..ffffc9000e808000)\nstack guard page: 0000 [#1] SMP KASAN\nCPU: 0 PID: 13442 Comm: syz-executor.4 Not tainted 6.1.52-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023\nRIP: 0010:kasan_check_range+0x4/0x2a0 mm/kasan/generic.c:188\nCode: 48 01 c6 48 89 c7 e8 db 4e c1 03 31 c0 5d c3 cc 0f 0b eb 02 0f 0b b8 ea ff ff ff 5d c3 cc 00 00 cc cc 00 00 cc cc 55 48 89 e5 <41> 57 41 56 41 55 41 54 53 b0 01 48 85 f6 0f 84 a4 01 00 00 48 89\nRSP: 0018:ffffc9000e804000 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817e5bf2\nRDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff887c6568\nRBP: ffffc9000e804000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff92001d0080c\nR13: dffffc0000000000 R14: ffffffff87e6b100 R15: 0000000000000000\nFS: 00007fd0c55826c0(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000e803ff8 CR3: 0000000170ef7000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<#DF>\n</#DF>\n<TASK>\n[<ffffffff81f281d1>] __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31\n[<ffffffff817e5bf2>] instrument_atomic_read include/linux/instrumented.h:72 [inline]\n[<ffffffff817e5bf2>] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\n[<ffffffff817e5bf2>] cpumask_test_cpu include/linux/cpumask.h:506 [inline]\n[<ffffffff817e5bf2>] cpu_online include/linux/cpumask.h:1092 [inline]\n[<ffffffff817e5bf2>] trace_lock_acquire include/trace/events/lock.h:24 [inline]\n[<ffffffff817e5bf2>] lock_acquire+0xe2/0x590 kernel/locking/lockdep.c:5632\n[<ffffffff8563221e>] rcu_lock_acquire+0x2e/0x40 include/linux/rcupdate.h:306\n[<ffffffff8561464d>] rcu_read_lock include/linux/rcupdate.h:747 [inline]\n[<ffffffff8561464d>] ip6_pol_route+0x15d/0x1440 net/ipv6/route.c:2221\n[<ffffffff85618120>] ip6_pol_route_output+0x50/0x80 net/ipv6/route.c:2606\n[<ffffffff856f65b5>] pol_lookup_func include/net/ip6_fib.h:584 [inline]\n[<ffffffff856f65b5>] fib6_rule_lookup+0x265/0x620 net/ipv6/fib6_rules.c:116\n[<ffffffff85618009>] ip6_route_output_flags_noref+0x2d9/0x3a0 net/ipv6/route.c:2638\n[<ffffffff8561821a>] ip6_route_output_flags+0xca/0x340 net/ipv6/route.c:2651\n[<ffffffff838bd5a3>] ip6_route_output include/net/ip6_route.h:100 [inline]\n[<ffffffff838bd5a3>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:473 [inline]\n[<ffffffff838bd5a3>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]\n[<ffffffff838bd5a3>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\n[<ffffffff838bd5a3>] ipvlan_queue_xmit+0xc33/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677\n[<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229\n[<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline]\n[<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline]\n[<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660\n[<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324\n[<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline]\n[<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline]\n[<f\n---truncated---(CVE-2023-52796)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: ath11k: fix dfs radar event locking\r\n\r\nThe ath11k active pdevs are protected by RCU but the DFS radar event\nhandling code calling ath11k_mac_get_ar_by_pdev_id() was not marked as a\nread-side critical section.\r\n\r\nMark the code in question as an RCU read-side critical section to avoid\nany potential use-after-free issues.\r\n\r\nCompile tested only.(CVE-2023-52798)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix array-index-out-of-bounds in dbFindLeaf\r\n\r\nCurrently while searching for dmtree_t for sufficient free blocks there\nis an array out of bounds while getting element in tp->dm_stree. To add\nthe required check for out of bound we first need to determine the type\nof dmtree. Thus added an extra parameter to dbFindLeaf so that the type\nof tree can be determined and the required check can be applied.(CVE-2023-52799)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: ath11k: fix htt pktlog locking\r\n\r\nThe ath11k active pdevs are protected by RCU but the htt pktlog handling\ncode calling ath11k_mac_get_ar_by_pdev_id() was not marked as a\nread-side critical section.\r\n\r\nMark the code in question as an RCU read-side critical section to avoid\nany potential use-after-free issues.\r\n\r\nCompile tested only.(CVE-2023-52800)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nSUNRPC: Fix RPC client cleaned up the freed pipefs dentries\r\n\r\nRPC client pipefs dentries cleanup is in separated rpc_remove_pipedir()\nworkqueue,which takes care about pipefs superblock locking.\nIn some special scenarios, when kernel frees the pipefs sb of the\ncurrent client and immediately alloctes a new pipefs sb,\nrpc_remove_pipedir function would misjudge the existence of pipefs\nsb which is not the one it used to hold. As a result,\nthe rpc_remove_pipedir would clean the released freed pipefs dentries.\r\n\r\nTo fix this issue, rpc_remove_pipedir should check whether the\ncurrent pipefs sb is consistent with the original pipefs sb.\r\n\r\nThis error can be catched by KASAN:\n=========================================================\n[  250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200\n[  250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503\n[  250.500549] Workqueue: events rpc_free_client_work\n[  250.501001] Call Trace:\n[  250.502880]  kasan_report+0xb6/0xf0\n[  250.503209]  ? dget_parent+0x195/0x200\n[  250.503561]  dget_parent+0x195/0x200\n[  250.503897]  ? __pfx_rpc_clntdir_depopulate+0x10/0x10\n[  250.504384]  rpc_rmdir_depopulate+0x1b/0x90\n[  250.504781]  rpc_remove_client_dir+0xf5/0x150\n[  250.505195]  rpc_free_client_work+0xe4/0x230\n[  250.505598]  process_one_work+0x8ee/0x13b0\n...\n[   22.039056] Allocated by task 244:\n[   22.039390]  kasan_save_stack+0x22/0x50\n[   22.039758]  kasan_set_track+0x25/0x30\n[   22.040109]  __kasan_slab_alloc+0x59/0x70\n[   22.040487]  kmem_cache_alloc_lru+0xf0/0x240\n[   22.040889]  __d_alloc+0x31/0x8e0\n[   22.041207]  d_alloc+0x44/0x1f0\n[   22.041514]  __rpc_lookup_create_exclusive+0x11c/0x140\n[   22.041987]  rpc_mkdir_populate.constprop.0+0x5f/0x110\n[   22.042459]  rpc_create_client_dir+0x34/0x150\n[   22.042874]  rpc_setup_pipedir_sb+0x102/0x1c0\n[   22.043284]  rpc_client_register+0x136/0x4e0\n[   22.043689]  rpc_new_client+0x911/0x1020\n[   22.044057]  rpc_create_xprt+0xcb/0x370\n[   22.044417]  rpc_create+0x36b/0x6c0\n...\n[   22.049524] Freed by task 0:\n[   22.049803]  kasan_save_stack+0x22/0x50\n[   22.050165]  kasan_set_track+0x25/0x30\n[   22.050520]  kasan_save_free_info+0x2b/0x50\n[   22.050921]  __kasan_slab_free+0x10e/0x1a0\n[   22.051306]  kmem_cache_free+0xa5/0x390\n[   22.051667]  rcu_core+0x62c/0x1930\n[   22.051995]  __do_softirq+0x165/0x52a\n[   22.052347]\n[   22.052503] Last potentially related work creation:\n[   22.052952]  kasan_save_stack+0x22/0x50\n[   22.053313]  __kasan_record_aux_stack+0x8e/0xa0\n[   22.053739]  __call_rcu_common.constprop.0+0x6b/0x8b0\n[   22.054209]  dentry_free+0xb2/0x140\n[   22.054540]  __dentry_kill+0x3be/0x540\n[   22.054900]  shrink_dentry_list+0x199/0x510\n[   22.055293]  shrink_dcache_parent+0x190/0x240\n[   22.055703]  do_one_tree+0x11/0x40\n[   22.056028]  shrink_dcache_for_umount+0x61/0x140\n[   22.056461]  generic_shutdown_super+0x70/0x590\n[   22.056879]  kill_anon_super+0x3a/0x60\n[   22.057234]  rpc_kill_sb+0x121/0x200(CVE-2023-52803)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: hns3: fix out-of-bounds access may occur when coalesce info is read via debugfs\r\n\r\nThe hns3 driver define an array of string to show the coalesce\ninfo, but if the kernel adds a new mode or a new state,\nout-of-bounds access may occur when coalesce info is read via\ndebugfs, this patch fix the problem.(CVE-2023-52807)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data\r\n\r\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.(CVE-2023-52865)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data\r\n\r\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.(CVE-2023-52875)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nxen-netfront: Add missing skb_mark_for_recycle\r\n\r\nNotice that skb_mark_for_recycle() is introduced later than fixes tag in\ncommit 6a5bcd84e886 (\"page_pool: Allow drivers to hint on SKB recycling\").\r\n\r\nIt is believed that fixes tag were missing a call to page_pool_release_page()\nbetween v5.9 to v5.14, after which is should have used skb_mark_for_recycle().\nSince v6.6 the call page_pool_release_page() were removed (in\ncommit 535b9c61bdef (\"net: page_pool: hide page_pool_release_page()\")\nand remaining callers converted (in commit 6bfef2ec0172 (\"Merge branch\n'net-page_pool-remove-page_pool_release_page'\")).\r\n\r\nThis leak became visible in v6.8 via commit dba1b8a7ab68 (\"mm/page_pool: catch\npage_pool memory leaks\").(CVE-2024-27393)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout\r\n\r\nThere is a race condition between l2cap_chan_timeout() and\nl2cap_chan_del(). When we use l2cap_chan_del() to delete the\nchannel, the chan->conn will be set to null. But the conn could\nbe dereferenced again in the mutex_lock() of l2cap_chan_timeout().\nAs a result the null pointer dereference bug will happen. The\nKASAN report triggered by POC is shown below:\r\n\r\n[  472.074580] ==================================================================\n[  472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0\n[  472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7\n[  472.075308]\n[  472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36\n[  472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[  472.075308] Workqueue: events l2cap_chan_timeout\n[  472.075308] Call Trace:\n[  472.075308]  <TASK>\n[  472.075308]  dump_stack_lvl+0x137/0x1a0\n[  472.075308]  print_report+0x101/0x250\n[  472.075308]  ? __virt_addr_valid+0x77/0x160\n[  472.075308]  ? mutex_lock+0x68/0xc0\n[  472.075308]  kasan_report+0x139/0x170\n[  472.075308]  ? mutex_lock+0x68/0xc0\n[  472.075308]  kasan_check_range+0x2c3/0x2e0\n[  472.075308]  mutex_lock+0x68/0xc0\n[  472.075308]  l2cap_chan_timeout+0x181/0x300\n[  472.075308]  process_one_work+0x5d2/0xe00\n[  472.075308]  worker_thread+0xe1d/0x1660\n[  472.075308]  ? pr_cont_work+0x5e0/0x5e0\n[  472.075308]  kthread+0x2b7/0x350\n[  472.075308]  ? pr_cont_work+0x5e0/0x5e0\n[  472.075308]  ? kthread_blkcg+0xd0/0xd0\n[  472.075308]  ret_from_fork+0x4d/0x80\n[  472.075308]  ? kthread_blkcg+0xd0/0xd0\n[  472.075308]  ret_from_fork_asm+0x11/0x20\n[  472.075308]  </TASK>\n[  472.075308] ==================================================================\n[  472.094860] Disabling lock debugging due to kernel taint\n[  472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158\n[  472.096136] #PF: supervisor write access in kernel mode\n[  472.096136] #PF: error_code(0x0002) - not-present page\n[  472.096136] PGD 0 P4D 0\n[  472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI\n[  472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G    B              6.9.0-rc5-00356-g78c0094a146b #36\n[  472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[  472.096136] Workqueue: events l2cap_chan_timeout\n[  472.096136] RIP: 0010:mutex_lock+0x88/0xc0\n[  472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88\n[  472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246\n[  472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865\n[  472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78\n[  472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f\n[  472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000\n[  472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00\n[  472.096136] FS:  0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000\n[  472.096136] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0\n[  472.096136] Call Trace:\n[  472.096136]  <TASK>\n[  472.096136]  ? __die_body+0x8d/0xe0\n[  472.096136]  ? page_fault_oops+0x6b8/0x9a0\n[  472.096136]  ? kernelmode_fixup_or_oops+0x20c/0x2a0\n[  472.096136]  ? do_user_addr_fault+0x1027/0x1340\n[  472.096136]  ? _printk+0x7a/0xa0\n[  472.096136]  ? mutex_lock+0x68/0xc0\n[  472.096136]  ? add_taint+0x42/0xd0\n[  472.096136]  ? exc_page_fault+0x6a/0x1b0\n[  472.096136]  ? asm_exc_page_fault+0x26/0x30\n[  472.096136]  ? mutex_lock+0x75/0xc0\n[  472.096136]  ? mutex_lock+0x88/0xc0\n[  472.096136]  ? mutex_lock+0x75/0xc0\n[  472.096136]  l2cap_chan_timeo\n---truncated---(CVE-2024-27399)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nphonet/pep: fix racy skb_queue_empty() use\r\n\r\nThe receive queues are protected by their respective spin-lock, not\nthe socket lock. This could lead to skb_peek() unexpectedly\nreturning NULL or a pointer to an already dequeued socket buffer.(CVE-2024-27402)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: bridge: confirm multicast packets before passing them up the stack\r\n\r\nconntrack nf_confirm logic cannot handle cloned skbs referencing\nthe same nf_conn entry, which will happen for multicast (broadcast)\nframes on bridges.\r\n\r\n Example:\n    macvlan0\n       |\n      br0\n     /  \\\n  ethX    ethY\r\n\r\n ethX (or Y) receives a L2 multicast or broadcast packet containing\n an IP packet, flow is not yet in conntrack table.\r\n\r\n 1. skb passes through bridge and fake-ip (br_netfilter)Prerouting.\n    -> skb->_nfct now references a unconfirmed entry\n 2. skb is broad/mcast packet. bridge now passes clones out on each bridge\n    interface.\n 3. skb gets passed up the stack.\n 4. In macvlan case, macvlan driver retains clone(s) of the mcast skb\n    and schedules a work queue to send them out on the lower devices.\r\n\r\n    The clone skb->_nfct is not a copy, it is the same entry as the\n    original skb.  The macvlan rx handler then returns RX_HANDLER_PASS.\n 5. Normal conntrack hooks (in NF_INET_LOCAL_IN) confirm the orig skb.\r\n\r\nThe Macvlan broadcast worker and normal confirm path will race.\r\n\r\nThis race will not happen if step 2 already confirmed a clone. In that\ncase later steps perform skb_clone() with skb->_nfct already confirmed (in\nhash table).  This works fine.\r\n\r\nBut such confirmation won't happen when eb/ip/nftables rules dropped the\npackets before they reached the nf_confirm step in postrouting.\r\n\r\nPablo points out that nf_conntrack_bridge doesn't allow use of stateful\nnat, so we can safely discard the nf_conn entry and let inet call\nconntrack again.\r\n\r\nThis doesn't work for bridge netfilter: skb could have a nat\ntransformation. Also bridge nf prevents re-invocation of inet prerouting\nvia 'sabotage_in' hook.\r\n\r\nWork around this problem by explicit confirmation of the entry at LOCAL_IN\ntime, before upper layer has a chance to clone the unconfirmed entry.\r\n\r\nThe downside is that this disables NAT and conntrack helpers.\r\n\r\nAlternative fix would be to add locking to all code parts that deal with\nunconfirmed packets, but even if that could be done in a sane way this\nopens up other problems, for example:\r\n\r\n-m physdev --physdev-out eth0 -j SNAT --snat-to 1.2.3.4\n-m physdev --physdev-out eth1 -j SNAT --snat-to 1.2.3.5\r\n\r\nFor multicast case, only one of such conflicting mappings will be\ncreated, conntrack only handles 1:1 NAT mappings.\r\n\r\nUsers should set create a setup that explicitly marks such traffic\nNOTRACK (conntrack bypass) to avoid this, but we cannot auto-bypass\nthem, ruleset might have accept rules for untracked traffic already,\nso user-visible behaviour would change.(CVE-2024-27415)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: typec: altmodes/displayport: create sysfs nodes as driver's default device attribute group\r\n\r\nThe DisplayPort driver's sysfs nodes may be present to the userspace before\ntypec_altmode_set_drvdata() completes in dp_altmode_probe. This means that\na sysfs read can trigger a NULL pointer error by deferencing dp->hpd in\nhpd_show or dp->lock in pin_assignment_show, as dev_get_drvdata() returns\nNULL in those cases.\r\n\r\nRemove manual sysfs node creation in favor of adding attribute group as\ndefault for devices bound to the driver. The ATTRIBUTE_GROUPS() macro is\nnot used here otherwise the path to the sysfs nodes is no longer compliant\nwith the ABI.(CVE-2024-35790)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nPCI/PM: Drain runtime-idle callbacks before driver removal\r\n\r\nA race condition between the .runtime_idle() callback and the .remove()\ncallback in the rtsx_pcr PCI driver leads to a kernel crash due to an\nunhandled page fault [1].\r\n\r\nThe problem is that rtsx_pci_runtime_idle() is not expected to be running\nafter pm_runtime_get_sync() has been called, but the latter doesn't really\nguarantee that.  It only guarantees that the suspend and resume callbacks\nwill not be running when it returns.\r\n\r\nHowever, if a .runtime_idle() callback is already running when\npm_runtime_get_sync() is called, the latter will notice that the runtime PM\nstatus of the device is RPM_ACTIVE and it will return right away without\nwaiting for the former to complete.  In fact, it cannot wait for\n.runtime_idle() to complete because it may be called from that callback (it\narguably does not make much sense to do that, but it is not strictly\nprohibited).\r\n\r\nThus in general, whoever is providing a .runtime_idle() callback needs\nto protect it from running in parallel with whatever code runs after\npm_runtime_get_sync().  [Note that .runtime_idle() will not start after\npm_runtime_get_sync() has returned, but it may continue running then if it\nhas started earlier.]\r\n\r\nOne way to address that race condition is to call pm_runtime_barrier()\nafter pm_runtime_get_sync() (not before it, because a nonzero value of the\nruntime PM usage counter is necessary to prevent runtime PM callbacks from\nbeing invoked) to wait for the .runtime_idle() callback to complete should\nit be running at that point.  A suitable place for doing that is in\npci_device_remove() which calls pm_runtime_get_sync() before removing the\ndriver, so it may as well call pm_runtime_barrier() subsequently, which\nwill prevent the race in question from occurring, not just in the rtsx_pcr\ndriver, but in any PCI drivers providing .runtime_idle() callbacks.(CVE-2024-35809)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmlxsw: spectrum_acl_tcam: Fix memory leak during rehash\r\n\r\nThe rehash delayed work migrates filters from one region to another.\nThis is done by iterating over all chunks (all the filters with the same\npriority) in the region and in each chunk iterating over all the\nfilters.\r\n\r\nIf the migration fails, the code tries to migrate the filters back to\nthe old region. However, the rollback itself can also fail in which case\nanother migration will be erroneously performed. Besides the fact that\nthis ping pong is not a very good idea, it also creates a problem.\r\n\r\nEach virtual chunk references two chunks: The currently used one\n('vchunk->chunk') and a backup ('vchunk->chunk2'). During migration the\nfirst holds the chunk we want to migrate filters to and the second holds\nthe chunk we are migrating filters from.\r\n\r\nThe code currently assumes - but does not verify - that the backup chunk\ndoes not exist (NULL) if the currently used chunk does not reference the\ntarget region. This assumption breaks when we are trying to rollback a\nrollback, resulting in the backup chunk being overwritten and leaked\n[1].\r\n\r\nFix by not rolling back a failed rollback and add a warning to avoid\nfuture cases.\r\n\r\n[1]\nWARNING: CPU: 5 PID: 1063 at lib/parman.c:291 parman_destroy+0x17/0x20\nModules linked in:\nCPU: 5 PID: 1063 Comm: kworker/5:11 Tainted: G        W          6.9.0-rc2-custom-00784-gc6a05c468a0b #14\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:parman_destroy+0x17/0x20\n[...]\nCall Trace:\n <TASK>\n mlxsw_sp_acl_atcam_region_fini+0x19/0x60\n mlxsw_sp_acl_tcam_region_destroy+0x49/0xf0\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x1f1/0x470\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n </TASK>(CVE-2024-35853)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash\r\n\r\nThe rehash delayed work migrates filters from one region to another\naccording to the number of available credits.\r\n\r\nThe migrated from region is destroyed at the end of the work if the\nnumber of credits is non-negative as the assumption is that this is\nindicative of migration being complete. This assumption is incorrect as\na non-negative number of credits can also be the result of a failed\nmigration.\r\n\r\nThe destruction of a region that still has filters referencing it can\nresult in a use-after-free [1].\r\n\r\nFix by not destroying the region if migration failed.\r\n\r\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230\nRead of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858\r\n\r\nCPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G        W          6.9.0-rc2-custom-00782-gf2275c2157d8 #5\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nCall Trace:\n <TASK>\n dump_stack_lvl+0xc6/0x120\n print_report+0xce/0x670\n kasan_report+0xd7/0x110\n mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230\n mlxsw_sp_acl_ctcam_entry_del+0x2e/0x70\n mlxsw_sp_acl_atcam_entry_del+0x81/0x210\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3cd/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n </TASK>\r\n\r\nAllocated by task 174:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n __kmalloc+0x19c/0x360\n mlxsw_sp_acl_tcam_region_create+0xdf/0x9c0\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x954/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\r\n\r\nFreed by task 7:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n poison_slab_object+0x102/0x170\n __kasan_slab_free+0x14/0x30\n kfree+0xc1/0x290\n mlxsw_sp_acl_tcam_region_destroy+0x272/0x310\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x731/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30(CVE-2024-35854)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update\r\n\r\nThe rule activity update delayed work periodically traverses the list of\nconfigured rules and queries their activity from the device.\r\n\r\nAs part of this task it accesses the entry pointed by 'ventry->entry',\nbut this entry can be changed concurrently by the rehash delayed work,\nleading to a use-after-free [1].\r\n\r\nFix by closing the race and perform the activity query under the\n'vregion->lock' mutex.\r\n\r\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140\nRead of size 8 at addr ffff8881054ed808 by task kworker/0:18/181\r\n\r\nCPU: 0 PID: 181 Comm: kworker/0:18 Not tainted 6.9.0-rc2-custom-00781-gd5ab772d32f7 #2\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_rule_activity_update_work\nCall Trace:\n <TASK>\n dump_stack_lvl+0xc6/0x120\n print_report+0xce/0x670\n kasan_report+0xd7/0x110\n mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140\n mlxsw_sp_acl_rule_activity_update_work+0x219/0x400\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n </TASK>\r\n\r\nAllocated by task 1039:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n __kmalloc+0x19c/0x360\n mlxsw_sp_acl_tcam_entry_create+0x7b/0x1f0\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x30d/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\r\n\r\nFreed by task 1039:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n poison_slab_object+0x102/0x170\n __kasan_slab_free+0x14/0x30\n kfree+0xc1/0x290\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3d7/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30(CVE-2024-35855)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: Fix infinite recursion in fib6_dump_done().\r\n\r\nsyzkaller reported infinite recursive calls of fib6_dump_done() during\nnetlink socket destruction.  [1]\r\n\r\nFrom the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then\nthe response was generated.  The following recvmmsg() resumed the dump\nfor IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due\nto the fault injection.  [0]\r\n\r\n  12:01:34 executing program 3:\n  r0 = socket$nl_route(0x10, 0x3, 0x0)\n  sendmsg$nl_route(r0, ... snip ...)\n  recvmmsg(r0, ... snip ...) (fail_nth: 8)\r\n\r\nHere, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call\nof inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3].  syzkaller stopped\nreceiving the response halfway through, and finally netlink_sock_destruct()\ncalled nlk_sk(sk)->cb.done().\r\n\r\nfib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it\nis still not NULL.  fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by\nnlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling\nitself recursively and hitting the stack guard page.\r\n\r\nTo avoid the issue, let's set the destructor after kzalloc().\r\n\r\n[0]:\nFAULT_INJECTION: forcing a failure.\nname failslab, interval 1, probability 0, space 0, times 0\nCPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl (lib/dump_stack.c:117)\n should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)\n should_failslab (mm/slub.c:3733)\n kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992)\n inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662)\n rtnl_dump_all (net/core/rtnetlink.c:4029)\n netlink_dump (net/netlink/af_netlink.c:2269)\n netlink_recvmsg (net/netlink/af_netlink.c:1988)\n ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801)\n ___sys_recvmsg (net/socket.c:2846)\n do_recvmmsg (net/socket.c:2943)\n __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034)\r\n\r\n[1]:\nBUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb)\nstack guard page: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: events netlink_sock_destruct_work\nRIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570)\nCode: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff\nRSP: 0018:ffffc9000d980000 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3\nRDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358\nRBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000\nR13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68\nFS:  0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n <#DF>\n </#DF>\n <TASK>\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n ...\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n netlink_sock_destruct (net/netlink/af_netlink.c:401)\n __sk_destruct (net/core/sock.c:2177 (discriminator 2))\n sk_destruct (net/core/sock.c:2224)\n __sk_free (net/core/sock.c:2235)\n sk_free (net/core/sock.c:2246)\n process_one_work (kernel/workqueue.c:3259)\n worker_thread (kernel/workqueue.c:3329 kernel/workqueue.\n---truncated---(CVE-2024-35886)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nerspan: make sure erspan_base_hdr is present in skb->head\r\n\r\nsyzbot reported a problem in ip6erspan_rcv() [1]\r\n\r\nIssue is that ip6erspan_rcv() (and erspan_rcv()) no longer make\nsure erspan_base_hdr is present in skb linear part (skb->head)\nbefore getting @ver field from it.\r\n\r\nAdd the missing pskb_may_pull() calls.\r\n\r\nv2: Reload iph pointer in erspan_rcv() after pskb_may_pull()\n    because skb->head might have changed.\r\n\r\n[1]\r\n\r\n BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\n BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline]\n BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\n BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\n  pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\n  pskb_may_pull include/linux/skbuff.h:2756 [inline]\n  ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\n  gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\n  ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438\n  ip6_input_finish net/ipv6/ip6_input.c:483 [inline]\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\n  ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\n  dst_input include/net/dst.h:460 [inline]\n  ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310\n  __netif_receive_skb_one_core net/core/dev.c:5538 [inline]\n  __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652\n  netif_receive_skb_internal net/core/dev.c:5738 [inline]\n  netif_receive_skb+0x58/0x660 net/core/dev.c:5798\n  tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549\n  tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n  call_write_iter include/linux/fs.h:2108 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0xb63/0x1520 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xe0 fs/read_write.c:652\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nUninit was created at:\n  slab_post_alloc_hook mm/slub.c:3804 [inline]\n  slab_alloc_node mm/slub.c:3845 [inline]\n  kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n  __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n  alloc_skb include/linux/skbuff.h:1318 [inline]\n  alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n  sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n  tun_alloc_skb drivers/net/tun.c:1525 [inline]\n  tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n  call_write_iter include/linux/fs.h:2108 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0xb63/0x1520 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xe0 fs/read_write.c:652\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nCPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0(CVE-2024-35888)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf, sockmap: Prevent lock inversion deadlock in map delete elem\r\n\r\nsyzkaller started using corpuses where a BPF tracing program deletes\nelements from a sockmap/sockhash map. Because BPF tracing programs can be\ninvoked from any interrupt context, locks taken during a map_delete_elem\noperation must be hardirq-safe. Otherwise a deadlock due to lock inversion\nis possible, as reported by lockdep:\r\n\r\n       CPU0                    CPU1\n       ----                    ----\n  lock(&htab->buckets[i].lock);\n                               local_irq_disable();\n                               lock(&host->lock);\n                               lock(&htab->buckets[i].lock);\n  <Interrupt>\n    lock(&host->lock);\r\n\r\nLocks in sockmap are hardirq-unsafe by design. We expects elements to be\ndeleted from sockmap/sockhash only in task (normal) context with interrupts\nenabled, or in softirq context.\r\n\r\nDetect when map_delete_elem operation is invoked from a context which is\n_not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an\nerror.\r\n\r\nNote that map updates are not affected by this issue. BPF verifier does not\nallow updating sockmap/sockhash from a BPF tracing program today.(CVE-2024-35895)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: validate user input for expected length\r\n\r\nI got multiple syzbot reports showing old bugs exposed\nby BPF after commit 20f2505fb436 (\"bpf: Try to avoid kzalloc\nin cgroup/{s,g}etsockopt\")\r\n\r\nsetsockopt() @optlen argument should be taken into account\nbefore copying data.\r\n\r\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\n BUG: KASAN: slab-out-of-bounds in do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\nRead of size 96 at addr ffff88802cd73da0 by task syz-executor.4/7238\r\n\r\nCPU: 1 PID: 7238 Comm: syz-executor.4 Not tainted 6.9.0-rc2-next-20240403-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:488\n  kasan_report+0x143/0x180 mm/kasan/report.c:601\n  kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n  __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105\n  copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n  copy_from_sockptr include/linux/sockptr.h:55 [inline]\n  do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\n  do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\n  nf_setsockopt+0x295/0x2c0 net/netfilter/nf_sockopt.c:101\n  do_sock_setsockopt+0x3af/0x720 net/socket.c:2311\n  __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n  __do_sys_setsockopt net/socket.c:2343 [inline]\n  __se_sys_setsockopt net/socket.c:2340 [inline]\n  __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x72/0x7a\nRIP: 0033:0x7fd22067dde9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fd21f9ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 00007fd2207abf80 RCX: 00007fd22067dde9\nRDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003\nRBP: 00007fd2206ca47a R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000020000880 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007fd2207abf80 R15: 00007ffd2d0170d8\n </TASK>\r\n\r\nAllocated by task 7238:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\n  __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\n  kasan_kmalloc include/linux/kasan.h:211 [inline]\n  __do_kmalloc_node mm/slub.c:4069 [inline]\n  __kmalloc_noprof+0x200/0x410 mm/slub.c:4082\n  kmalloc_noprof include/linux/slab.h:664 [inline]\n  __cgroup_bpf_run_filter_setsockopt+0xd47/0x1050 kernel/bpf/cgroup.c:1869\n  do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\n  __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n  __do_sys_setsockopt net/socket.c:2343 [inline]\n  __se_sys_setsockopt net/socket.c:2340 [inline]\n  __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x72/0x7a\r\n\r\nThe buggy address belongs to the object at ffff88802cd73da0\n which belongs to the cache kmalloc-8 of size 8\nThe buggy address is located 0 bytes inside of\n allocated 1-byte region [ffff88802cd73da0, ffff88802cd73da1)\r\n\r\nThe buggy address belongs to the physical page:\npage: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802cd73020 pfn:0x2cd73\nflags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff)\npage_type: 0xffffefff(slab)\nraw: 00fff80000000000 ffff888015041280 dead000000000100 dead000000000122\nraw: ffff88802cd73020 000000008080007f 00000001ffffefff 00\n---truncated---(CVE-2024-35896)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Protect against int overflow for stack access size\r\n\r\nThis patch re-introduces protection against the size of access to stack\nmemory being negative; the access size can appear negative as a result\nof overflowing its signed int representation. This should not actually\nhappen, as there are other protections along the way, but we should\nprotect against it anyway. One code path was missing such protections\n(fixed in the previous patch in the series), causing out-of-bounds array\naccesses in check_stack_range_initialized(). This patch causes the\nverification of a program with such a non-sensical access size to fail.\r\n\r\nThis check used to exist in a more indirect way, but was inadvertendly\nremoved in a833a17aeac7.(CVE-2024-35905)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet\r\n\r\nsyzbot reported the following uninit-value access issue [1][2]:\r\n\r\nnci_rx_work() parses and processes received packet. When the payload\nlength is zero, each message type handler reads uninitialized payload\nand KMSAN detects this issue. The receipt of a packet with a zero-size\npayload is considered unexpected, and therefore, such packets should be\nsilently discarded.\r\n\r\nThis patch resolved this issue by checking payload size before calling\neach message type handler codes.(CVE-2024-35915)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: typec: ucsi: Limit read size on v1.2\r\n\r\nBetween UCSI 1.2 and UCSI 2.0, the size of the MESSAGE_IN region was\nincreased from 16 to 256. In order to avoid overflowing reads for older\nsystems, add a mechanism to use the read UCSI version to truncate read\nsizes on UCSI v1.2.(CVE-2024-35924)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblock: prevent division by zero in blk_rq_stat_sum()\r\n\r\nThe expression dst->nr_samples + src->nr_samples may\nhave zero value on overflow. It is necessary to add\na check to avoid division by zero.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with Svace.(CVE-2024-35925)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: SCO: Fix not validating setsockopt user input\r\n\r\nsyzbot reported sco_sock_setsockopt() is copying data without\nchecking user input length.\r\n\r\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset\ninclude/linux/sockptr.h:49 [inline]\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr\ninclude/linux/sockptr.h:55 [inline]\nBUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90\nnet/bluetooth/sco.c:893\nRead of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578(CVE-2024-35967)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngeneve: fix header validation in geneve[6]_xmit_skb\r\n\r\nsyzbot is able to trigger an uninit-value in geneve_xmit() [1]\r\n\r\nProblem : While most ip tunnel helpers (like ip_tunnel_get_dsfield())\nuses skb_protocol(skb, true), pskb_inet_may_pull() is only using\nskb->protocol.\r\n\r\nIf anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol,\npskb_inet_may_pull() does nothing at all.\r\n\r\nIf a vlan tag was provided by the caller (af_packet in the syzbot case),\nthe network header might not point to the correct location, and skb\nlinear part could be smaller than expected.\r\n\r\nAdd skb_vlan_inet_prepare() to perform a complete mac validation.\r\n\r\nUse this in geneve for the moment, I suspect we need to adopt this\nmore broadly.\r\n\r\nv4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest\n   - Only call __vlan_get_protocol() for vlan types.\r\n\r\nv2,v3 - Addressed Sabrina comments on v1 and v2\r\n\r\n[1]\r\n\r\nBUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n  geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n  geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n  __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n  netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n  xmit_one net/core/dev.c:3531 [inline]\n  dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\n  __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335\n  dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n  packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\n  packet_snd net/packet/af_packet.c:3081 [inline]\n  packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:745\n  __sys_sendto+0x685/0x830 net/socket.c:2191\n  __do_sys_sendto net/socket.c:2203 [inline]\n  __se_sys_sendto net/socket.c:2199 [inline]\n  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nUninit was created at:\n  slab_post_alloc_hook mm/slub.c:3804 [inline]\n  slab_alloc_node mm/slub.c:3845 [inline]\n  kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n  __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n  alloc_skb include/linux/skbuff.h:1318 [inline]\n  alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n  sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n  packet_alloc_skb net/packet/af_packet.c:2930 [inline]\n  packet_snd net/packet/af_packet.c:3024 [inline]\n  packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:745\n  __sys_sendto+0x685/0x830 net/socket.c:2191\n  __do_sys_sendto net/socket.c:2203 [inline]\n  __se_sys_sendto net/socket.c:2199 [inline]\n  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nCPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024(CVE-2024-35973)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv4: check for NULL idev in ip_route_use_hint()\r\n\r\nsyzbot was able to trigger a NULL deref in fib_validate_source()\nin an old tree [1].\r\n\r\nIt appears the bug exists in latest trees.\r\n\r\nAll calls to __in_dev_get_rcu() must be checked for a NULL result.\r\n\r\n[1]\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 2 PID: 3257 Comm: syz-executor.3 Not tainted 5.10.0-syzkaller #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n RIP: 0010:fib_validate_source+0xbf/0x15a0 net/ipv4/fib_frontend.c:425\nCode: 18 f2 f2 f2 f2 42 c7 44 20 23 f3 f3 f3 f3 48 89 44 24 78 42 c6 44 20 27 f3 e8 5d 88 48 fc 4c 89 e8 48 c1 e8 03 48 89 44 24 18 <42> 80 3c 20 00 74 08 4c 89 ef e8 d2 15 98 fc 48 89 5c 24 10 41 bf\nRSP: 0018:ffffc900015fee40 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff88800f7a4000 RCX: ffff88800f4f90c0\nRDX: 0000000000000000 RSI: 0000000004001eac RDI: ffff8880160c64c0\nRBP: ffffc900015ff060 R08: 0000000000000000 R09: ffff88800f7a4000\nR10: 0000000000000002 R11: ffff88800f4f90c0 R12: dffffc0000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: ffff88800f7a4000\nFS:  00007f938acfe6c0(0000) GS:ffff888058c00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f938acddd58 CR3: 000000001248e000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n  ip_route_use_hint+0x410/0x9b0 net/ipv4/route.c:2231\n  ip_rcv_finish_core+0x2c4/0x1a30 net/ipv4/ip_input.c:327\n  ip_list_rcv_finish net/ipv4/ip_input.c:612 [inline]\n  ip_sublist_rcv+0x3ed/0xe50 net/ipv4/ip_input.c:638\n  ip_list_rcv+0x422/0x470 net/ipv4/ip_input.c:673\n  __netif_receive_skb_list_ptype net/core/dev.c:5572 [inline]\n  __netif_receive_skb_list_core+0x6b1/0x890 net/core/dev.c:5620\n  __netif_receive_skb_list net/core/dev.c:5672 [inline]\n  netif_receive_skb_list_internal+0x9f9/0xdc0 net/core/dev.c:5764\n  netif_receive_skb_list+0x55/0x3e0 net/core/dev.c:5816\n  xdp_recv_frames net/bpf/test_run.c:257 [inline]\n  xdp_test_run_batch net/bpf/test_run.c:335 [inline]\n  bpf_test_run_xdp_live+0x1818/0x1d00 net/bpf/test_run.c:363\n  bpf_prog_test_run_xdp+0x81f/0x1170 net/bpf/test_run.c:1376\n  bpf_prog_test_run+0x349/0x3c0 kernel/bpf/syscall.c:3736\n  __sys_bpf+0x45c/0x710 kernel/bpf/syscall.c:5115\n  __do_sys_bpf kernel/bpf/syscall.c:5201 [inline]\n  __se_sys_bpf kernel/bpf/syscall.c:5199 [inline]\n  __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5199(CVE-2024-36008)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nrtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation\r\n\r\nEach attribute inside a nested IFLA_VF_VLAN_LIST is assumed to be a\nstruct ifla_vf_vlan_info so the size of such attribute needs to be at least\nof sizeof(struct ifla_vf_vlan_info) which is 14 bytes.\nThe current size validation in do_setvfinfo is against NLA_HDRLEN (4 bytes)\nwhich is less than sizeof(struct ifla_vf_vlan_info) so this validation\nis not enough and a too small attribute might be cast to a\nstruct ifla_vf_vlan_info, this might result in an out of bands\nread access when accessing the saved (casted) entry in ivvl.(CVE-2024-36017)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: hns3: fix kernel crash when devlink reload during pf initialization\r\n\r\nThe devlink reload process will access the hardware resources,\nbut the register operation is done before the hardware is initialized.\nSo, processing the devlink reload during initialization may lead to kernel\ncrash. This patch fixes this by taking devl_lock during initialization.(CVE-2024-36021)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmmc: sdhci-msm: pervent access to suspended controller\r\n\r\nGeneric sdhci code registers LED device and uses host->runtime_suspended\nflag to protect access to it. The sdhci-msm driver doesn't set this flag,\nwhich causes a crash when LED is accessed while controller is runtime\nsuspended. Fix this by setting the flag correctly.(CVE-2024-36029)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: fix out-of-bounds access in ops_init\r\n\r\nnet_alloc_generic is called by net_alloc, which is called without any\nlocking. It reads max_gen_ptrs, which is changed under pernet_ops_rwsem. It\nis read twice, first to allocate an array, then to set s.len, which is\nlater used to limit the bounds of the array access.\r\n\r\nIt is possible that the array is allocated and another thread is\nregistering a new pernet ops, increments max_gen_ptrs, which is then used\nto set s.len with a larger than allocated length for the variable array.\r\n\r\nFix it by reading max_gen_ptrs only once in net_alloc_generic. If\nmax_gen_ptrs is later incremented, it will be caught in net_assign_generic.(CVE-2024-36883)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntipc: fix UAF in error path\r\n\r\nSam Page (sam4k) working with Trend Micro Zero Day Initiative reported\na UAF in the tipc_buf_append() error path:\r\n\r\nBUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0\nlinux/net/core/skbuff.c:1183\nRead of size 8 at addr ffff88804d2a7c80 by task poc/8034\r\n\r\nCPU: 1 PID: 8034 Comm: poc Not tainted 6.8.2 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.0-debian-1.16.0-5 04/01/2014\nCall Trace:\n <IRQ>\n __dump_stack linux/lib/dump_stack.c:88\n dump_stack_lvl+0xd9/0x1b0 linux/lib/dump_stack.c:106\n print_address_description linux/mm/kasan/report.c:377\n print_report+0xc4/0x620 linux/mm/kasan/report.c:488\n kasan_report+0xda/0x110 linux/mm/kasan/report.c:601\n kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183\n skb_release_data+0x5af/0x880 linux/net/core/skbuff.c:1026\n skb_release_all linux/net/core/skbuff.c:1094\n __kfree_skb linux/net/core/skbuff.c:1108\n kfree_skb_reason+0x12d/0x210 linux/net/core/skbuff.c:1144\n kfree_skb linux/./include/linux/skbuff.h:1244\n tipc_buf_append+0x425/0xb50 linux/net/tipc/msg.c:186\n tipc_link_input+0x224/0x7c0 linux/net/tipc/link.c:1324\n tipc_link_rcv+0x76e/0x2d70 linux/net/tipc/link.c:1824\n tipc_rcv+0x45f/0x10f0 linux/net/tipc/node.c:2159\n tipc_udp_recv+0x73b/0x8f0 linux/net/tipc/udp_media.c:390\n udp_queue_rcv_one_skb+0xad2/0x1850 linux/net/ipv4/udp.c:2108\n udp_queue_rcv_skb+0x131/0xb00 linux/net/ipv4/udp.c:2186\n udp_unicast_rcv_skb+0x165/0x3b0 linux/net/ipv4/udp.c:2346\n __udp4_lib_rcv+0x2594/0x3400 linux/net/ipv4/udp.c:2422\n ip_protocol_deliver_rcu+0x30c/0x4e0 linux/net/ipv4/ip_input.c:205\n ip_local_deliver_finish+0x2e4/0x520 linux/net/ipv4/ip_input.c:233\n NF_HOOK linux/./include/linux/netfilter.h:314\n NF_HOOK linux/./include/linux/netfilter.h:308\n ip_local_deliver+0x18e/0x1f0 linux/net/ipv4/ip_input.c:254\n dst_input linux/./include/net/dst.h:461\n ip_rcv_finish linux/net/ipv4/ip_input.c:449\n NF_HOOK linux/./include/linux/netfilter.h:314\n NF_HOOK linux/./include/linux/netfilter.h:308\n ip_rcv+0x2c5/0x5d0 linux/net/ipv4/ip_input.c:569\n __netif_receive_skb_one_core+0x199/0x1e0 linux/net/core/dev.c:5534\n __netif_receive_skb+0x1f/0x1c0 linux/net/core/dev.c:5648\n process_backlog+0x101/0x6b0 linux/net/core/dev.c:5976\n __napi_poll.constprop.0+0xba/0x550 linux/net/core/dev.c:6576\n napi_poll linux/net/core/dev.c:6645\n net_rx_action+0x95a/0xe90 linux/net/core/dev.c:6781\n __do_softirq+0x21f/0x8e7 linux/kernel/softirq.c:553\n do_softirq linux/kernel/softirq.c:454\n do_softirq+0xb2/0xf0 linux/kernel/softirq.c:441\n </IRQ>\n <TASK>\n __local_bh_enable_ip+0x100/0x120 linux/kernel/softirq.c:381\n local_bh_enable linux/./include/linux/bottom_half.h:33\n rcu_read_unlock_bh linux/./include/linux/rcupdate.h:851\n __dev_queue_xmit+0x871/0x3ee0 linux/net/core/dev.c:4378\n dev_queue_xmit linux/./include/linux/netdevice.h:3169\n neigh_hh_output linux/./include/net/neighbour.h:526\n neigh_output linux/./include/net/neighbour.h:540\n ip_finish_output2+0x169f/0x2550 linux/net/ipv4/ip_output.c:235\n __ip_finish_output linux/net/ipv4/ip_output.c:313\n __ip_finish_output+0x49e/0x950 linux/net/ipv4/ip_output.c:295\n ip_finish_output+0x31/0x310 linux/net/ipv4/ip_output.c:323\n NF_HOOK_COND linux/./include/linux/netfilter.h:303\n ip_output+0x13b/0x2a0 linux/net/ipv4/ip_output.c:433\n dst_output linux/./include/net/dst.h:451\n ip_local_out linux/net/ipv4/ip_output.c:129\n ip_send_skb+0x3e5/0x560 linux/net/ipv4/ip_output.c:1492\n udp_send_skb+0x73f/0x1530 linux/net/ipv4/udp.c:963\n udp_sendmsg+0x1a36/0x2b40 linux/net/ipv4/udp.c:1250\n inet_sendmsg+0x105/0x140 linux/net/ipv4/af_inet.c:850\n sock_sendmsg_nosec linux/net/socket.c:730\n __sock_sendmsg linux/net/socket.c:745\n __sys_sendto+0x42c/0x4e0 linux/net/socket.c:2191\n __do_sys_sendto linux/net/socket.c:2203\n __se_sys_sendto linux/net/socket.c:2199\n __x64_sys_sendto+0xe0/0x1c0 linux/net/socket.c:2199\n do_syscall_x64 linux/arch/x86/entry/common.c:52\n do_syscall_\n---truncated---(CVE-2024-36886)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmptcp: ensure snd_nxt is properly initialized on connect\r\n\r\nChristoph reported a splat hinting at a corrupted snd_una:\r\n\r\n  WARNING: CPU: 1 PID: 38 at net/mptcp/protocol.c:1005 __mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\n  Modules linked in:\n  CPU: 1 PID: 38 Comm: kworker/1:1 Not tainted 6.9.0-rc1-gbbeac67456c9 #59\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\n  Workqueue: events mptcp_worker\n  RIP: 0010:__mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\n  Code: be 06 01 00 00 bf 06 01 00 00 e8 a8 12 e7 fe e9 00 fe ff ff e8\n  \t8e 1a e7 fe 0f b7 ab 3e 02 00 00 e9 d3 fd ff ff e8 7d 1a e7 fe\n  \t<0f> 0b 4c 8b bb e0 05 00 00 e9 74 fc ff ff e8 6a 1a e7 fe 0f 0b e9\n  RSP: 0018:ffffc9000013fd48 EFLAGS: 00010293\n  RAX: 0000000000000000 RBX: ffff8881029bd280 RCX: ffffffff82382fe4\n  RDX: ffff8881003cbd00 RSI: ffffffff823833c3 RDI: 0000000000000001\n  RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\n  R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888138ba8000\n  R13: 0000000000000106 R14: ffff8881029bd908 R15: ffff888126560000\n  FS:  0000000000000000(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f604a5dae38 CR3: 0000000101dac002 CR4: 0000000000170ef0\n  Call Trace:\n   <TASK>\n   __mptcp_clean_una_wakeup net/mptcp/protocol.c:1055 [inline]\n   mptcp_clean_una_wakeup net/mptcp/protocol.c:1062 [inline]\n   __mptcp_retrans+0x7f/0x7e0 net/mptcp/protocol.c:2615\n   mptcp_worker+0x434/0x740 net/mptcp/protocol.c:2767\n   process_one_work+0x1e0/0x560 kernel/workqueue.c:3254\n   process_scheduled_works kernel/workqueue.c:3335 [inline]\n   worker_thread+0x3c7/0x640 kernel/workqueue.c:3416\n   kthread+0x121/0x170 kernel/kthread.c:388\n   ret_from_fork+0x44/0x50 arch/x86/kernel/process.c:147\n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243\n   </TASK>\r\n\r\nWhen fallback to TCP happens early on a client socket, snd_nxt\nis not yet initialized and any incoming ack will copy such value\ninto snd_una. If the mptcp worker (dumbly) tries mptcp-level\nre-injection after such ack, that would unconditionally trigger a send\nbuffer cleanup using 'bad' snd_una values.\r\n\r\nWe could easily disable re-injection for fallback sockets, but such\ndumb behavior already helped catching a few subtle issues and a very\nlow to zero impact in practice.\r\n\r\nInstead address the issue always initializing snd_nxt (and write_seq,\nfor consistency) at connect time.(CVE-2024-36889)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngpiolib: cdev: fix uninitialised kfifo\r\n\r\nIf a line is requested with debounce, and that results in debouncing\nin software, and the line is subsequently reconfigured to enable edge\ndetection then the allocation of the kfifo to contain edge events is\noverlooked.  This results in events being written to and read from an\nuninitialised kfifo.  Read events are returned to userspace.\r\n\r\nInitialise the kfifo in the case where the software debounce is\nalready active.(CVE-2024-36898)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngpiolib: cdev: Fix use after free in lineinfo_changed_notify\r\n\r\nThe use-after-free issue occurs as follows: when the GPIO chip device file\nis being closed by invoking gpio_chrdev_release(), watched_lines is freed\nby bitmap_free(), but the unregistration of lineinfo_changed_nb notifier\nchain failed due to waiting write rwsem. Additionally, one of the GPIO\nchip's lines is also in the release process and holds the notifier chain's\nread rwsem. Consequently, a race condition leads to the use-after-free of\nwatched_lines.\r\n\r\nHere is the typical stack when issue happened:\r\n\r\n[free]\ngpio_chrdev_release()\n  --> bitmap_free(cdev->watched_lines)                  <-- freed\n  --> blocking_notifier_chain_unregister()\n    --> down_write(&nh->rwsem)                          <-- waiting rwsem\n          --> __down_write_common()\n            --> rwsem_down_write_slowpath()\n                  --> schedule_preempt_disabled()\n                    --> schedule()\r\n\r\n[use]\nst54spi_gpio_dev_release()\n  --> gpio_free()\n    --> gpiod_free()\n      --> gpiod_free_commit()\n        --> gpiod_line_state_notify()\n          --> blocking_notifier_call_chain()\n            --> down_read(&nh->rwsem);                  <-- held rwsem\n            --> notifier_call_chain()\n              --> lineinfo_changed_notify()\n                --> test_bit(xxxx, cdev->watched_lines) <-- use after free\r\n\r\nThe side effect of the use-after-free issue is that a GPIO line event is\nbeing generated for userspace where it shouldn't. However, since the chrdev\nis being closed, userspace won't have the chance to read that event anyway.\r\n\r\nTo fix the issue, call the bitmap_free() function after the unregistration\nof lineinfo_changed_nb notifier chain.(CVE-2024-36899)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: prevent NULL dereference in ip6_output()\r\n\r\nAccording to syzbot, there is a chance that ip6_dst_idev()\nreturns NULL in ip6_output(). Most places in IPv6 stack\ndeal with a NULL idev just fine, but not here.\r\n\r\nsyzbot reported:\r\n\r\ngeneral protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]\nCPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237\nCode: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff\nRSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202\nRAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000\nRDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48\nRBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad\nR10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0\nR13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000\nFS:  00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358\n  sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248\n  sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653\n  sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783\n  sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline]\n  sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212\n  sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]\n  sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169\n  sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73\n  __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234\n  sctp_connect net/sctp/socket.c:4819 [inline]\n  sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834\n  __sys_connect_file net/socket.c:2048 [inline]\n  __sys_connect+0x2df/0x310 net/socket.c:2065\n  __do_sys_connect net/socket.c:2075 [inline]\n  __se_sys_connect net/socket.c:2072 [inline]\n  __x64_sys_connect+0x7a/0x90 net/socket.c:2072\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f(CVE-2024-36901)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()\r\n\r\nsyzbot is able to trigger the following crash [1],\ncaused by unsafe ip6_dst_idev() use.\r\n\r\nIndeed ip6_dst_idev() can return NULL, and must always be checked.\r\n\r\n[1]\r\n\r\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 0 PID: 31648 Comm: syz-executor.0 Not tainted 6.9.0-rc4-next-20240417-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:__fib6_rule_action net/ipv6/fib6_rules.c:237 [inline]\n RIP: 0010:fib6_rule_action+0x241/0x7b0 net/ipv6/fib6_rules.c:267\nCode: 02 00 00 49 8d 9f d8 00 00 00 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 f9 32 bf f7 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 e0 32 bf f7 4c 8b 03 48 89 ef 4c\nRSP: 0018:ffffc9000fc1f2f0 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 1a772f98c8186700\nRDX: 0000000000000003 RSI: ffffffff8bcac4e0 RDI: ffffffff8c1f9760\nRBP: ffff8880673fb980 R08: ffffffff8fac15ef R09: 1ffffffff1f582bd\nR10: dffffc0000000000 R11: fffffbfff1f582be R12: dffffc0000000000\nR13: 0000000000000080 R14: ffff888076509000 R15: ffff88807a029a00\nFS:  00007f55e82ca6c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b31d23000 CR3: 0000000022b66000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n  fib_rules_lookup+0x62c/0xdb0 net/core/fib_rules.c:317\n  fib6_rule_lookup+0x1fd/0x790 net/ipv6/fib6_rules.c:108\n  ip6_route_output_flags_noref net/ipv6/route.c:2637 [inline]\n  ip6_route_output_flags+0x38e/0x610 net/ipv6/route.c:2649\n  ip6_route_output include/net/ip6_route.h:93 [inline]\n  ip6_dst_lookup_tail+0x189/0x11a0 net/ipv6/ip6_output.c:1120\n  ip6_dst_lookup_flow+0xb9/0x180 net/ipv6/ip6_output.c:1250\n  sctp_v6_get_dst+0x792/0x1e20 net/sctp/ipv6.c:326\n  sctp_transport_route+0x12c/0x2e0 net/sctp/transport.c:455\n  sctp_assoc_add_peer+0x614/0x15c0 net/sctp/associola.c:662\n  sctp_connect_new_asoc+0x31d/0x6c0 net/sctp/socket.c:1099\n  __sctp_connect+0x66d/0xe30 net/sctp/socket.c:1197\n  sctp_connect net/sctp/socket.c:4819 [inline]\n  sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834\n  __sys_connect_file net/socket.c:2048 [inline]\n  __sys_connect+0x2df/0x310 net/socket.c:2065\n  __do_sys_connect net/socket.c:2075 [inline]\n  __se_sys_connect net/socket.c:2072 [inline]\n  __x64_sys_connect+0x7a/0x90 net/socket.c:2072\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f(CVE-2024-36902)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets\r\n\r\nTCP_SYN_RECV state is really special, it is only used by\ncross-syn connections, mostly used by fuzzers.\r\n\r\nIn the following crash [1], syzbot managed to trigger a divide\nby zero in tcp_rcv_space_adjust()\r\n\r\nA socket makes the following state transitions,\nwithout ever calling tcp_init_transfer(),\nmeaning tcp_init_buffer_space() is also not called.\r\n\r\n         TCP_CLOSE\nconnect()\n         TCP_SYN_SENT\n         TCP_SYN_RECV\nshutdown() -> tcp_shutdown(sk, SEND_SHUTDOWN)\n         TCP_FIN_WAIT1\r\n\r\nTo fix this issue, change tcp_shutdown() to not\nperform a TCP_SYN_RECV -> TCP_FIN_WAIT1 transition,\nwhich makes no sense anyway.\r\n\r\nWhen tcp_rcv_state_process() later changes socket state\nfrom TCP_SYN_RECV to TCP_ESTABLISH, then look at\nsk->sk_shutdown to finally enter TCP_FIN_WAIT1 state,\nand send a FIN packet from a sane socket state.\r\n\r\nThis means tcp_send_fin() can now be called from BH\ncontext, and must use GFP_ATOMIC allocations.\r\n\r\n[1]\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767\nCode: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 <48> f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48\nRSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246\nRAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7\nR10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30\nR13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da\nFS:  00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0\nCall Trace:\n <TASK>\n  tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513\n  tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578\n  inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680\n  sock_recvmsg_nosec net/socket.c:1046 [inline]\n  sock_recvmsg+0x109/0x280 net/socket.c:1068\n  ____sys_recvmsg+0x1db/0x470 net/socket.c:2803\n  ___sys_recvmsg net/socket.c:2845 [inline]\n  do_recvmmsg+0x474/0xae0 net/socket.c:2939\n  __sys_recvmmsg net/socket.c:3018 [inline]\n  __do_sys_recvmmsg net/socket.c:3041 [inline]\n  __se_sys_recvmmsg net/socket.c:3034 [inline]\n  __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7faeb6363db9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9\nRDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005\nRBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c\nR10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001(CVE-2024-36905)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nARM: 9381/1: kasan: clear stale stack poison\r\n\r\nWe found below OOB crash:\r\n\r\n[   33.452494] ==================================================================\n[   33.453513] BUG: KASAN: stack-out-of-bounds in refresh_cpu_vm_stats.constprop.0+0xcc/0x2ec\n[   33.454660] Write of size 164 at addr c1d03d30 by task swapper/0/0\n[   33.455515]\n[   33.455767] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G           O       6.1.25-mainline #1\n[   33.456880] Hardware name: Generic DT based system\n[   33.457555]  unwind_backtrace from show_stack+0x18/0x1c\n[   33.458326]  show_stack from dump_stack_lvl+0x40/0x4c\n[   33.459072]  dump_stack_lvl from print_report+0x158/0x4a4\n[   33.459863]  print_report from kasan_report+0x9c/0x148\n[   33.460616]  kasan_report from kasan_check_range+0x94/0x1a0\n[   33.461424]  kasan_check_range from memset+0x20/0x3c\n[   33.462157]  memset from refresh_cpu_vm_stats.constprop.0+0xcc/0x2ec\n[   33.463064]  refresh_cpu_vm_stats.constprop.0 from tick_nohz_idle_stop_tick+0x180/0x53c\n[   33.464181]  tick_nohz_idle_stop_tick from do_idle+0x264/0x354\n[   33.465029]  do_idle from cpu_startup_entry+0x20/0x24\n[   33.465769]  cpu_startup_entry from rest_init+0xf0/0xf4\n[   33.466528]  rest_init from arch_post_acpi_subsys_init+0x0/0x18\n[   33.467397]\n[   33.467644] The buggy address belongs to stack of task swapper/0/0\n[   33.468493]  and is located at offset 112 in frame:\n[   33.469172]  refresh_cpu_vm_stats.constprop.0+0x0/0x2ec\n[   33.469917]\n[   33.470165] This frame has 2 objects:\n[   33.470696]  [32, 76) 'global_zone_diff'\n[   33.470729]  [112, 276) 'global_node_diff'\n[   33.471294]\n[   33.472095] The buggy address belongs to the physical page:\n[   33.472862] page:3cd72da8 refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x41d03\n[   33.473944] flags: 0x1000(reserved|zone=0)\n[   33.474565] raw: 00001000 ed741470 ed741470 00000000 00000000 00000000 ffffffff 00000001\n[   33.475656] raw: 00000000\n[   33.476050] page dumped because: kasan: bad access detected\n[   33.476816]\n[   33.477061] Memory state around the buggy address:\n[   33.477732]  c1d03c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[   33.478630]  c1d03c80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00\n[   33.479526] >c1d03d00: 00 04 f2 f2 f2 f2 00 00 00 00 00 00 f1 f1 f1 f1\n[   33.480415]                                                ^\n[   33.481195]  c1d03d80: 00 00 00 00 00 00 00 00 00 00 04 f3 f3 f3 f3 f3\n[   33.482088]  c1d03e00: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00\n[   33.482978] ==================================================================\r\n\r\nWe find the root cause of this OOB is that arm does not clear stale stack\npoison in the case of cpuidle.\r\n\r\nThis patch refer to arch/arm64/kernel/sleep.S to resolve this issue.\r\n\r\nFrom cited commit [1] that explain the problem\r\n\r\nFunctions which the compiler has instrumented for KASAN place poison on\nthe stack shadow upon entry and remove this poison prior to returning.\r\n\r\nIn the case of cpuidle, CPUs exit the kernel a number of levels deep in\nC code.  Any instrumented functions on this critical path will leave\nportions of the stack shadow poisoned.\r\n\r\nIf CPUs lose context and return to the kernel via a cold path, we\nrestore a prior context saved in __cpu_suspend_enter are forgotten, and\nwe never remove the poison they placed in the stack shadow area by\nfunctions calls between this and the actual exit of the kernel.\r\n\r\nThus, (depending on stackframe layout) subsequent calls to instrumented\nfunctions may hit this stale poison, resulting in (spurious) KASAN\nsplats to the console.\r\n\r\nTo avoid this, clear any stale poison from the idle thread for a CPU\nprior to bringing a CPU online.\r\n\r\nFrom cited commit [2]\r\n\r\nExtend to check for CONFIG_KASAN_STACK\r\n\r\n[1] commit 0d97e6d8024c (\"arm64: kasan: clear stale stack poison\")\n[2] commit d56a9ef84bd0 (\"kasan, arm64: unpoison stack only with CONFIG_KASAN_STACK\")(CVE-2024-36906)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblk-iocost: do not WARN if iocg was already offlined\r\n\r\nIn iocg_pay_debt(), warn is triggered if 'active_list' is empty, which\nis intended to confirm iocg is active when it has debt. However, warn\ncan be triggered during a blkcg or disk removal, if iocg_waitq_timer_fn()\nis run at that time:\r\n\r\n  WARNING: CPU: 0 PID: 2344971 at block/blk-iocost.c:1402 iocg_pay_debt+0x14c/0x190\n  Call trace:\n  iocg_pay_debt+0x14c/0x190\n  iocg_kick_waitq+0x438/0x4c0\n  iocg_waitq_timer_fn+0xd8/0x130\n  __run_hrtimer+0x144/0x45c\n  __hrtimer_run_queues+0x16c/0x244\n  hrtimer_interrupt+0x2cc/0x7b0\r\n\r\nThe warn in this situation is meaningless. Since this iocg is being\nremoved, the state of the 'active_list' is irrelevant, and 'waitq_timer'\nis canceled after removing 'active_list' in ioc_pd_free(), which ensures\niocg is freed after iocg_waitq_timer_fn() returns.\r\n\r\nTherefore, add the check if iocg was already offlined to avoid warn\nwhen removing a blkcg or disk.(CVE-2024-36908)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: lpfc: Release hbalock before calling lpfc_worker_wake_up()\r\n\r\nlpfc_worker_wake_up() calls the lpfc_work_done() routine, which takes the\nhbalock.  Thus, lpfc_worker_wake_up() should not be called while holding the\nhbalock to avoid potential deadlock.(CVE-2024-36924)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: core: reject skb_copy(_expand) for fraglist GSO skbs\r\n\r\nSKB_GSO_FRAGLIST skbs must not be linearized, otherwise they become\ninvalid. Return NULL if such an skb is passed to skb_copy or\nskb_copy_expand, in order to prevent a crash on a potential later\ncall to skb_gso_segment.(CVE-2024-36929)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\namd/amdkfd: sync all devices to wait all processes being evicted\r\n\r\nIf there are more than one device doing reset in parallel, the first\ndevice will call kfd_suspend_all_processes() to evict all processes\non all devices, this call takes time to finish. other device will\nstart reset and recover without waiting. if the process has not been\nevicted before doing recover, it will be restored, then caused page\nfault.(CVE-2024-36949)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nocteontx2-af: avoid off-by-one read from userspace\r\n\r\nWe try to access count + 1 byte from userspace with memdup_user(buffer,\ncount + 1). However, the userspace only provides buffer of count bytes and\nonly these count bytes are verified to be okay to access. To ensure the\ncopied buffer is NUL terminated, we use memdup_user_nul instead.(CVE-2024-36957)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/9p: only translate RWX permissions for plain 9P2000\r\n\r\nGarbage in plain 9P2000's perm bits is allowed through, which causes it\nto be able to set (among others) the suid bit. This was presumably not\nthe intent since the unix extended bits are handled explicitly and\nconditionally on .u.(CVE-2024-36964)",
+    "cves": [
+      {
+        "id": "CVE-2024-36964",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36964",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1342": {
+    "id": "openEuler-SA-2024-1342",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1342",
+    "title": "An update for wireshark is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Wireshark is an open source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer.\r\n\r\nSecurity Fix(es):\r\n\r\nDue to failure in validating the length provided by an attacker-crafted RTPS packet, Wireshark version 4.0.5 and prior, by default, is susceptible to a heap-based buffer overflow, and possibly code execution in the context of the process running Wireshark.(CVE-2023-0666)",
+    "cves": [
+      {
+        "id": "CVE-2023-0666",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0666",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1663": {
+    "id": "openEuler-SA-2024-1663",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1663",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "This  provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. The latest version of the TIFF specification is available on-line in several different formats.And contains command-line programs for manipulating TIFF format image files using the libtiff library.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x.(CVE-2023-1916)\r\n\r\nA heap-buffer-overflow vulnerability was found in LibTIFF, in extractImageSection() at tools/tiffcrop.c:7916 and tools/tiffcrop.c:7801. This flaw allows attackers to cause a denial of service via a crafted tiff file.(CVE-2023-3164)",
+    "cves": [
+      {
+        "id": "CVE-2023-3164",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3164",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1489": {
+    "id": "openEuler-SA-2024-1489",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1489",
+    "title": "An update for systemd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "systemd is a system and service manager that runs as PID 1 and starts the rest of the system.\r\n\r\nSecurity Fix(es):\r\n\r\nCertain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.(CVE-2023-50387)\r\n\r\nThe Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.(CVE-2023-50868)",
+    "cves": [
+      {
+        "id": "CVE-2023-50868",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50868",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1329": {
+    "id": "openEuler-SA-2021-1329",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1329",
+    "title": "An update for krb5 is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.\r\n\r\nSecurity Fix(es):\r\n\r\nThe Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field.(CVE-2021-37750)",
+    "cves": [
+      {
+        "id": "CVE-2021-37750",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37750",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1714": {
+    "id": "openEuler-SA-2022-1714",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1714",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\nAn out-of-bound write vulnerability was identified within the netfilter subsystem which can be exploited to achieve privilege escalation to root.(CVE-2022-1972)\n\r\nA use-after-free flaw was found in the Linux kernel's NFC core functionality due to a race condition between kobject creation and delete. This vulnerability allows a local attacker with CAP_NET_ADMIN privilege to leak kernel information.(CVE-2022-1974)\n\nA use-after-free flaw was found in the Linux kernel’s io_uring subsystem in the way a user sets up a ring with IORING_SETUP_IOPOLL with more than one task completing submissions on this ring. This flaw allows a local user to crash or escalate their privileges on the system.(CVE-2022-1786)",
+    "cves": [
+      {
+        "id": "CVE-2022-1786",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1786",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1346": {
+    "id": "openEuler-SA-2021-1346",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1346",
+    "title": "An update for grilo is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Grilo is a framework focused on making media discovery and browsing easy for application developers.\r\n\r\nSecurity Fix(es):\r\n\r\nIn GNOME grilo though 0.3.13, grl-net-wc.c does not enable TLS certificate verification on the SoupSessionAsync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.(CVE-2021-39365)",
+    "cves": [
+      {
+        "id": "CVE-2021-39365",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39365",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1134": {
+    "id": "openEuler-SA-2021-1134",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1134",
+    "title": "An update for batik is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Batik is an inline templating engine for CoffeeScript, inspired by CoffeeKup, that lets you write your template directly as a CoffeeScript function.\r\n\r\nSecurity Fix(es):\r\n\r\nApache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.(CVE-2020-11987)",
+    "cves": [
+      {
+        "id": "CVE-2020-11987",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11987",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1799": {
+    "id": "openEuler-SA-2024-1799",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1799",
+    "title": "An update for rubygem-activesupport is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.\r\n\r\nSecurity Fix(es):\r\n\r\nA Cross-Site-Scripting vulnerability was found in rubygem ActiveSupport. If the new bytesplice method is called on a SafeBuffer with untrusted user input, malicious code could be executed.(CVE-2023-28120)",
+    "cves": [
+      {
+        "id": "CVE-2023-28120",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28120",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1455": {
+    "id": "openEuler-SA-2021-1455",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1455",
+    "title": "An update for php is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server.\r\n\r\nSecurity Fix(es):\r\n\r\nIn PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.(CVE-2021-21707)",
+    "cves": [
+      {
+        "id": "CVE-2021-21707",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21707",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1771": {
+    "id": "openEuler-SA-2023-1771",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1771",
+    "title": "An update for nghttp2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The framing layer of HTTP/2 is implemented as a form of reusable C library. On top of that, we have implemented HTTP/2 client, server and proxy. We have also developed load test and benchmarking tool for HTTP/2.\r\n\r\nSecurity Fix(es):\r\n\r\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.(CVE-2023-44487)",
+    "cves": [
+      {
+        "id": "CVE-2023-44487",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2089": {
+    "id": "openEuler-SA-2022-2089",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2089",
+    "title": "An update for gnulib is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Gnulib is a central location for common GNU code, intended to be shared among GNU packages. It can be used to improve portability and other functionality in your programs.\r\n\r\nSecurity Fix(es):\r\n\r\nThe convert_to_decimal function in vasnprintf.c in Gnulib before 2018-09-23 has a heap-based buffer overflow because memory is not allocated for a trailing '\\0' character during %f processing.(CVE-2018-17942)",
+    "cves": [
+      {
+        "id": "CVE-2018-17942",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17942",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1584": {
+    "id": "openEuler-SA-2024-1584",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1584",
+    "title": "An update for skopeo is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "A command line utility that performs various operations on container images and image repositories\r\n\r\nSecurity Fix(es):\r\n\r\nThe HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.(CVE-2023-29406)",
+    "cves": [
+      {
+        "id": "CVE-2023-29406",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29406",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1867": {
+    "id": "openEuler-SA-2023-1867",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1867",
+    "title": "An update for gnutls is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, and other required structures. The project strives to provide a secure communications back-end, simple to use and integrated with the rest of the base Linux libraries. A back-end designed to work and be secure out of the box, keeping the complexity of TLS and PKI out of application code.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.(CVE-2023-5981)",
+    "cves": [
+      {
+        "id": "CVE-2023-5981",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5981",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-2001": {
+    "id": "openEuler-SA-2023-2001",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-2001",
+    "title": "An update for netty is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nNetty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.(CVE-2022-41881)",
+    "cves": [
+      {
+        "id": "CVE-2022-41881",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1656": {
+    "id": "openEuler-SA-2023-1656",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1656",
+    "title": "An update for freerdp is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "FreeRDP is a client implementation of the Remote Desktop Protocol (RDP) that follows Microsoft's open specifications. This package provides the client applications xfreerdp and wlfreerdp.\r\n\r\nSecurity Fix(es):\r\n\r\nFreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. This issue affects Clients only. Integer underflow leading to DOS (e.g. abort due to `WINPR_ASSERT` with default compilation flags). When an insufficient blockLen is provided, and proper length validation is not performed, an Integer Underflow occurs, leading to a Denial of Service (DOS) vulnerability. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.\n(CVE-2023-39350)\r\n\r\nFreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions of FreeRDP are subject to a Null Pointer Dereference leading a crash in the RemoteFX (rfx) handling.  Inside the `rfx_process_message_tileset` function, the program allocates tiles using `rfx_allocate_tiles` for the number of numTiles. If the initialization process of tiles is not completed for various reasons, tiles will have a NULL pointer. Which may be accessed in further processing and would cause a program crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-39351)\r\n\r\nFreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an invalid offset validation leading to Out Of Bound Write. This can be triggered when the values `rect->left` and `rect->top` are exactly equal to `surface->width` and  `surface->height`. eg. `rect->left` == `surface->width` && `rect->top` == `surface->height`. In practice this should cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.\n(CVE-2023-39352)\r\n\r\nFreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to a missing offset validation leading to Out Of Bound Read. In the `libfreerdp/codec/rfx.c` file there is no offset validation in `tile->quantIdxY`, `tile->quantIdxCb`, and `tile->quantIdxCr`. As a result crafted input can lead to an out of bounds read access which in turn will cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-39353)\r\n\r\nFreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Out-Of-Bounds Read in the `nsc_rle_decompress_data` function. The Out-Of-Bounds Read occurs because it processes `context->Planes` without  checking if it contains data of sufficient length. Should an attacker be able to leverage this vulnerability they may be able to cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-39354)\r\n\r\nFreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions a missing offset validation may lead to an Out Of Bound Read in the function `gdi_multi_opaque_rect`. In particular there is no code to validate if the value `multi_opaque_rect->numRectangles` is less than 45. Looping through `multi_opaque_rect->`numRectangles without proper boundary checks can lead to Out-of-Bounds Read errors which will likely lead to a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.\n(CVE-2023-39356)\r\n\r\nFreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Integer-Underflow leading to Out-Of-Bound Read in the `zgfx_decompress_segment` function. In the context of `CopyMemory`, it's possible to read data beyond the transmitted packet range and likely cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this issue.(CVE-2023-40181)\r\n\r\nFreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an IntegerOverflow leading to Out-Of-Bound Write Vulnerability in the `gdi_CreateSurface` function. This issue affects FreeRDP based clients only. FreeRDP proxies are not affected as image decoding is not done by a proxy. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this issue.(CVE-2023-40186)\r\n\r\nFreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Out-Of-Bounds Read in the `general_LumaToYUV444` function. This Out-Of-Bounds Read occurs because processing is done on the `in` variable without checking if it contains data of sufficient length. Insufficient data for the `in` variable may cause errors or crashes. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this issue.(CVE-2023-40188)\r\n\r\nFreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Out-Of-Bounds Write in the `clear_decompress_bands_data` function in which there is no offset validation. Abuse of this vulnerability may lead to an out of bounds write. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. there are no known workarounds for this vulnerability.(CVE-2023-40567)\r\n\r\nFreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Out-Of-Bounds Write in the `progressive_decompress` function. This issue is likely down to incorrect calculations of the `nXSrc` and `nYSrc` variables. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. there are no known workarounds for this vulnerability.(CVE-2023-40569)\r\n\r\nFreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions there is a Global-Buffer-Overflow in the ncrush_decompress function. Feeding crafted input into this function can trigger the overflow which has only been shown to cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this issue.(CVE-2023-40589)",
+    "cves": [
+      {
+        "id": "CVE-2023-40589",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40589",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1211": {
+    "id": "openEuler-SA-2023-1211",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1211",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\n\nKernel: A denial of service issue in  az6027 driver in\ndrivers/media/usb/dev-usb/az6027.c(CVE-2023-28328)\r\n\r\nA slab-out-of-bound read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service.(CVE-2023-1380)\r\n\r\nA flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak.(CVE-2023-1513)\n\nAn issue was discovered in the Linux kernel before 5.13.3. lib/seq_buf.c has a seq_buf_putmem_hex buffer overflow.(CVE-2023-28772)",
+    "cves": [
+      {
+        "id": "CVE-2023-28772",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28772",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1382": {
+    "id": "openEuler-SA-2021-1382",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1382",
+    "title": "An update for curl is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server.(CVE-2021-22947)\r\n\r\nA user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.(CVE-2021-22946)\r\n\r\nWhen sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it *again*.(CVE-2021-22945)",
+    "cves": [
+      {
+        "id": "CVE-2021-22945",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22945",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1567": {
+    "id": "openEuler-SA-2023-1567",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1567",
+    "title": "An update for libpq is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "PostgreSQL is a powerful, open source object-relational database system that uses and extends the SQL language combined with many features that safely store and scale the most complicated data workloads. This package provides the essential shared library for any PostgreSQL client program or interface.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\n** DISPUTED ** An issue was discovered in PostgreSQL 12.2 allows attackers to cause a denial of service via repeatedly sending SIGHUP signals. NOTE: this is disputed by the vendor because untrusted users cannot send SIGHUP signals; they can only be sent by a PostgreSQL superuser, a user with pg_reload_conf access, or a user with sufficient privileges at the OS level (the postgres account or the root account).(CVE-2020-21469)\r\n\r\nschema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an authed attacker with elevated database-level privileges to execute arbitrary code.(CVE-2023-2454)\r\n\r\nRow security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.(CVE-2023-2455)\r\n\r\nIN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or \"\"). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.(CVE-2023-39417)\r\n\r\nA vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.(CVE-2023-39418)",
+    "cves": [
+      {
+        "id": "CVE-2023-39418",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39418",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1809": {
+    "id": "openEuler-SA-2024-1809",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1809",
+    "title": "An update for avro is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Apache Avro is a data serialization system.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.\r\n\r\nThis issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2.  Users should update to apache-avro version 1.11.3 which addresses this issue.\r\n\r\n(CVE-2023-39410)",
+    "cves": [
+      {
+        "id": "CVE-2023-39410",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39410",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1692": {
+    "id": "openEuler-SA-2022-1692",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1692",
+    "title": "An update for trafficserver is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Apache Traffic Server is an OpenSource HTTP / HTTPS / HTTP/2 / QUIC reverse, forward and transparent proxy and cache.\r\n\r\nSecurity Fix(es):\r\n\r\nImproper Input Validation vulnerability in request line parsing of Apache Traffic Server allows an attacker to send invalid requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.3 and 9.0.0 to 9.1.1.(CVE-2021-44040)",
+    "cves": [
+      {
+        "id": "CVE-2021-44040",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44040",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1579": {
+    "id": "openEuler-SA-2022-1579",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1579",
+    "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nImageMagick is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, modify, and distribute in both open and proprietary applications. In affected versions and in certain cases, Postscript files could be read and written when specifically excluded by a `module` policy in `policy.xml`. ex. <policy domain=\"module\" rights=\"none\" pattern=\"PS\" />. The issue has been resolved in ImageMagick 7.1.0-7 and in 6.9.12-22. Fortunately, in the wild, few users utilize the `module` policy and instead use the `coder` policy that is also our workaround recommendation: <policy domain=\"coder\" rights=\"none\" pattern=\"{PS,EPI,EPS,EPSF,EPSI}\" />.(CVE-2021-39212)\r\n\r\nA NULL pointer dereference flaw was found in ImageMagick in versions prior to 7.0.10-31 in ReadSVGImage() in coders/svg.c. This issue is due to not checking the return value from libxml2's xmlCreatePushParserCtxt() and uses the value directly, which leads to a crash and segmentation fault.(CVE-2021-3596)",
+    "cves": [
+      {
+        "id": "CVE-2021-3596",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3596",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1318": {
+    "id": "openEuler-SA-2024-1318",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1318",
+    "title": "An update for edk2 is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications.\r\n\r\nSecurity Fix(es):\r\n\r\n\nEDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability.\r\n\r\n(CVE-2022-36764)\r\n\r\n EDK2's Network Package is susceptible to a buffer overflow vulnerability via a long server ID option in DHCPv6 client. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Confidentiality, Integrity and/or Availability.\r\n\r\n(CVE-2023-45230)\r\n\r\n EDK2's Network Package is susceptible to an infinite loop vulnerability when parsing unknown options in the Destination Options header of IPv6. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Availability.\r\n\r\n(CVE-2023-45232)\r\n\r\n EDK2's Network Package is susceptible to an infinite lop vulnerability when parsing a PadN option in the Destination Options header of IPv6. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Availability.\r\n\r\n(CVE-2023-45233)\r\n\r\n EDK2's Network Package is susceptible to a buffer overflow vulnerability when\r\n\r\n\r\n\r\n\r\n\r\nhandling Server ID option \r\n\r\n\r\n\r\n from a DHCPv6 proxy Advertise message. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Confidentiality, Integrity and/or Availability.\r\n\r\n(CVE-2023-45235)",
+    "cves": [
+      {
+        "id": "CVE-2023-45235",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45235",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1129": {
+    "id": "openEuler-SA-2021-1129",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1129",
+    "title": "An update for subversion is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Subversion exists to be universally recognized and adopted as an open-source, centralized version control system characterized by its reliability as a safe haven for valuable data; the simplicity of its model and usage; and its ability to support the needs of a wide variety of users and projects, from individuals to large-scale enterprise operations.\r\n\r\nSecurity Fix(es):\r\n\r\nA null-pointer-dereference flaw was found in mod_authz_svn of subversion. This flaw allows a remote, unauthenticated attacker to cause a denial of service in some server configurations. The highest threat from this vulnerability is to system availability.(CVE-2020-10650)",
+    "cves": [
+      {
+        "id": "CVE-2020-10650",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10650",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1697": {
+    "id": "openEuler-SA-2024-1697",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1697",
+    "title": "An update for openssl is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, fully featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL tookit and its related documentation.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free vulnerability was found in OpenSSL. Calling the OpenSSL API SSL_free_buffers function may cause memory to be accessed that was previously freed in some situations.(CVE-2024-4741)",
+    "cves": [
+      {
+        "id": "CVE-2024-4741",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4741",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1666": {
+    "id": "openEuler-SA-2024-1666",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1666",
+    "title": "An update for giflib is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "giflib is a library of gif images and provides utilities for processing images.\r\n\r\nSecurity Fix(es):\r\n\r\nA memory leak (out-of-memory) in gif2rgb in util/gif2rgb.c in giflib 5.1.4 allows remote attackers trigger an out of memory exception or denial of service via a gif format file.(CVE-2021-40633)",
+    "cves": [
+      {
+        "id": "CVE-2021-40633",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40633",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1905": {
+    "id": "openEuler-SA-2023-1905",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1905",
+    "title": "An update for netty is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Asynchronous event-driven network application Java framework.\r\n\r\nSecurity Fix(es):\r\n\r\nNetty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.(CVE-2022-41881)",
+    "cves": [
+      {
+        "id": "CVE-2022-41881",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1799": {
+    "id": "openEuler-SA-2022-1799",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1799",
+    "title": "An update for shim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments.\r\n\r\nSecurity Fix(es):\r\n\r\nNo description is available for this CVE.(CVE-2022-28737)",
+    "cves": [
+      {
+        "id": "CVE-2022-28737",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28737",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1724": {
+    "id": "openEuler-SA-2023-1724",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1724",
+    "title": "An update for glibc is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt,  login, exit and more.\r\n\r\nSecurity Fix(es):\r\n\r\nA buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.(CVE-2023-4911)",
+    "cves": [
+      {
+        "id": "CVE-2023-4911",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4911",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1798": {
+    "id": "openEuler-SA-2024-1798",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1798",
+    "title": "An update for rubygem-activesupport is now available for openEuler-22.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.\r\n\r\nSecurity Fix(es):\r\n\r\nA Cross-Site-Scripting vulnerability was found in rubygem ActiveSupport. If the new bytesplice method is called on a SafeBuffer with untrusted user input, malicious code could be executed.(CVE-2023-28120)",
+    "cves": [
+      {
+        "id": "CVE-2023-28120",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28120",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1410": {
+    "id": "openEuler-SA-2023-1410",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1410",
+    "title": "An update for cups is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "\n\nSecurity Fix(es):\n\nOpenPrinting CUPS is a standards-based, open source printing system for Linux and other Unix-like operating systems. Starting in version 2.0.0 and prior to version 2.4.6, CUPS logs data of free memory to the logging service AFTER the connection has been closed, when it should have logged the data right before. This is a use-after-free bug that impacts the entire cupsd process.\n\nThe exact cause of this issue is the function `httpClose(con->http)` being called in `scheduler/client.c`. The problem is that httpClose always, provided its argument is not null, frees the pointer at the end of the call, only for cupsdLogClient to pass the pointer to httpGetHostname. This issue happens in function `cupsdAcceptClient` if LogLevel is warn or higher and in two scenarios: there is a double-lookup for the IP Address (HostNameLookups Double is set in `cupsd.conf`) which fails to resolve, or if CUPS is compiled with TCP wrappers and the connection is refused by rules from `/etc/hosts.allow` and `/etc/hosts.deny`.\n\nVersion 2.4.6 has a patch for this issue.(CVE-2023-34241)",
+    "cves": [
+      {
+        "id": "CVE-2023-34241",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34241",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1360": {
+    "id": "openEuler-SA-2024-1360",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1360",
+    "title": "An update for telnet is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Telnet is an application protocol used on the Internet or local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. The package includes a remote login client program for telnet and a server daemon.\r\n\r\nSecurity Fix(es):\r\n\r\ntelnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL pointer dereference via 0xff 0xf7 or 0xff 0xf8. In a typical installation, the telnetd application would crash but the telnet service would remain available through inetd. However, if the telnetd application has many crashes within a short time interval, the telnet service would become unavailable after inetd logs a \"telnet/tcp server failing (looping), service terminated\" error. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.(CVE-2022-39028)",
+    "cves": [
+      {
+        "id": "CVE-2022-39028",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39028",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1209": {
+    "id": "openEuler-SA-2021-1209",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1209",
+    "title": "An update for libsolv is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "A free package dependency solver using a satisfiability algorithm. The library is based on two major, but independent, blocks:\n- Using a dictionary approach to store and retrieve package and dependency information.\n- Using satisfiability, a well known and researched topic, for resolving package dependencies.\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **resultp, int *resultflagsp function at src/testcase.c: line 2334, which could cause a denial of service(CVE-2021-3200)",
+    "cves": [
+      {
+        "id": "CVE-2021-3200",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3200",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1187": {
+    "id": "openEuler-SA-2023-1187",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1187",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIntel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions.(CVE-2022-29901)\r\n\r\nA flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using a specific networking configuration (redirecting egress packets to ingress using TC action \"mirred\") a local unprivileged user could trigger a CPU soft lockup (ABBA deadlock) when the transport protocol in use (TCP or SCTP) does a retransmission, resulting in a denial of service condition.(CVE-2022-4269)\r\n\r\nA flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.(CVE-2023-1079)\r\n\r\n\nKernel: denial of service in tipc_conn_close(CVE-2023-1382)\r\n\r\ndo_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference).(CVE-2023-28466)\r\n\r\nUse After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this vulnerability to elevate its privileges to root. This issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2.(CVE-2023-1281)",
+    "cves": [
+      {
+        "id": "CVE-2023-1382",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1382",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2023-1281",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1281",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1769": {
+    "id": "openEuler-SA-2022-1769",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1769",
+    "title": "An update for nodejs is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.\r\n\r\nSecurity Fix(es):\r\n\r\nVersions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like \"<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>\". The password value is not redacted and is printed to stdout and also to any generated log files.(CVE-2020-15095)\n\nThis affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require( y18n )(); y18n.setLocale( proto ); y18n.updateLocale({polluted: true}); console.log(polluted); // true(CVE-2020-7774)\n\nThis affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.(CVE-2020-7754)\n\nThis affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.(CVE-2020-7788)\n\njson-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ( Prototype Pollution )(CVE-2021-3918)",
+    "cves": [
+      {
+        "id": "CVE-2021-3918",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1737": {
+    "id": "openEuler-SA-2024-1737",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1737",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nafs: Fix corruption in reads at fpos 2G-4G from an OpenAFS server\r\n\r\nAFS-3 has two data fetch RPC variants, FS.FetchData and FS.FetchData64, and\nLinux's afs client switches between them when talking to a non-YFS server\nif the read size, the file position or the sum of the two have the upper 32\nbits set of the 64-bit value.\r\n\r\nThis is a problem, however, since the file position and length fields of\nFS.FetchData are *signed* 32-bit values.\r\n\r\nFix this by capturing the capability bits obtained from the fileserver when\nit's sent an FS.GetCapabilities RPC, rather than just discarding them, and\nthen picking out the VICED_CAPABILITY_64BITFILES flag.  This can then be\nused to decide whether to use FS.FetchData or FS.FetchData64 - and also\nFS.StoreData or FS.StoreData64 - rather than using upper_32_bits() to\nswitch on the parameter values.\r\n\r\nThis capabilities flag could also be used to limit the maximum size of the\nfile, but all servers must be checked for that.\r\n\r\nNote that the issue does not exist with FS.StoreData - that uses *unsigned*\n32-bit values.  It's also not a problem with Auristor servers as its\nYFS.FetchData64 op uses unsigned 64-bit values.\r\n\r\nThis can be tested by cloning a git repo through an OpenAFS client to an\nOpenAFS server and then doing \"git status\" on it from a Linux afs\nclient[1].  Provided the clone has a pack file that's in the 2G-4G range,\nthe git status will show errors like:\r\n\r\n\terror: packfile .git/objects/pack/pack-5e813c51d12b6847bbc0fcd97c2bca66da50079c.pack does not match index\n\terror: packfile .git/objects/pack/pack-5e813c51d12b6847bbc0fcd97c2bca66da50079c.pack does not match index\r\n\r\nThis can be observed in the server's FileLog with something like the\nfollowing appearing:\r\n\r\nSun Aug 29 19:31:39 2021 SRXAFS_FetchData, Fid = 2303380852.491776.3263114, Host 192.168.11.201:7001, Id 1001\nSun Aug 29 19:31:39 2021 CheckRights: len=0, for host=192.168.11.201:7001\nSun Aug 29 19:31:39 2021 FetchData_RXStyle: Pos 18446744071815340032, Len 3154\nSun Aug 29 19:31:39 2021 FetchData_RXStyle: file size 2400758866\n...\nSun Aug 29 19:31:40 2021 SRXAFS_FetchData returns 5\r\n\r\nNote the file position of 18446744071815340032.  This is the requested file\nposition sign-extended.(CVE-2021-47366)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/smc: Fix possible access to freed memory in link clear\r\n\r\nAfter modifying the QP to the Error state, all RX WR would be completed\nwith WC in IB_WC_WR_FLUSH_ERR status. Current implementation does not\nwait for it is done, but destroy the QP and free the link group directly.\nSo there is a risk that accessing the freed memory in tasklet context.\r\n\r\nHere is a crash example:\r\n\r\n BUG: unable to handle page fault for address: ffffffff8f220860\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD f7300e067 P4D f7300e067 PUD f7300f063 PMD 8c4e45063 PTE 800ffff08c9df060\n Oops: 0002 [#1] SMP PTI\n CPU: 1 PID: 0 Comm: swapper/1 Kdump: loaded Tainted: G S         OE     5.10.0-0607+ #23\n Hardware name: Inspur NF5280M4/YZMB-00689-101, BIOS 4.1.20 07/09/2018\n RIP: 0010:native_queued_spin_lock_slowpath+0x176/0x1b0\n Code: f3 90 48 8b 32 48 85 f6 74 f6 eb d5 c1 ee 12 83 e0 03 83 ee 01 48 c1 e0 05 48 63 f6 48 05 00 c8 02 00 48 03 04 f5 00 09 98 8e <48> 89 10 8b 42 08 85 c0 75 09 f3 90 8b 42 08 85 c0 74 f7 48 8b 32\n RSP: 0018:ffffb3b6c001ebd8 EFLAGS: 00010086\n RAX: ffffffff8f220860 RBX: 0000000000000246 RCX: 0000000000080000\n RDX: ffff91db1f86c800 RSI: 000000000000173c RDI: ffff91db62bace00\n RBP: ffff91db62bacc00 R08: 0000000000000000 R09: c00000010000028b\n R10: 0000000000055198 R11: ffffb3b6c001ea58 R12: ffff91db80e05010\n R13: 000000000000000a R14: 0000000000000006 R15: 0000000000000040\n FS:  0000000000000000(0000) GS:ffff91db1f840000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffffffff8f220860 CR3: 00000001f9580004 CR4: 00000000003706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  <IRQ>\n  _raw_spin_lock_irqsave+0x30/0x40\n  mlx5_ib_poll_cq+0x4c/0xc50 [mlx5_ib]\n  smc_wr_rx_tasklet_fn+0x56/0xa0 [smc]\n  tasklet_action_common.isra.21+0x66/0x100\n  __do_softirq+0xd5/0x29c\n  asm_call_irq_on_stack+0x12/0x20\n  </IRQ>\n  do_softirq_own_stack+0x37/0x40\n  irq_exit_rcu+0x9d/0xa0\n  sysvec_call_function_single+0x34/0x80\n  asm_sysvec_call_function_single+0x12/0x20(CVE-2022-48673)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsoc: brcmstb: pm-arm: Fix refcount leak and __iomem leak bugs\r\n\r\nIn brcmstb_pm_probe(), there are two kinds of leak bugs:\r\n\r\n(1) we need to add of_node_put() when for_each__matching_node() breaks\n(2) we need to add iounmap() for each iomap in fail path(CVE-2022-48693)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nrpmsg: virtio: Free driver_override when rpmsg_remove()\r\n\r\nFree driver_override when rpmsg_remove(), otherwise\nthe following memory leak will occur:\r\n\r\nunreferenced object 0xffff0000d55d7080 (size 128):\n  comm \"kworker/u8:2\", pid 56, jiffies 4294893188 (age 214.272s)\n  hex dump (first 32 bytes):\n    72 70 6d 73 67 5f 6e 73 00 00 00 00 00 00 00 00  rpmsg_ns........\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<000000009c94c9c1>] __kmem_cache_alloc_node+0x1f8/0x320\n    [<000000002300d89b>] __kmalloc_node_track_caller+0x44/0x70\n    [<00000000228a60c3>] kstrndup+0x4c/0x90\n    [<0000000077158695>] driver_set_override+0xd0/0x164\n    [<000000003e9c4ea5>] rpmsg_register_device_override+0x98/0x170\n    [<000000001c0c89a8>] rpmsg_ns_register_device+0x24/0x30\n    [<000000008bbf8fa2>] rpmsg_probe+0x2e0/0x3ec\n    [<00000000e65a68df>] virtio_dev_probe+0x1c0/0x280\n    [<00000000443331cc>] really_probe+0xbc/0x2dc\n    [<00000000391064b1>] __driver_probe_device+0x78/0xe0\n    [<00000000a41c9a5b>] driver_probe_device+0xd8/0x160\n    [<000000009c3bd5df>] __device_attach_driver+0xb8/0x140\n    [<0000000043cd7614>] bus_for_each_drv+0x7c/0xd4\n    [<000000003b929a36>] __device_attach+0x9c/0x19c\n    [<00000000a94e0ba8>] device_initial_probe+0x14/0x20\n    [<000000003c999637>] bus_probe_device+0xa0/0xac(CVE-2023-52670)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npipe: wakeup wr_wait after setting max_usage\r\n\r\nCommit c73be61cede5 (\"pipe: Add general notification queue support\") a\nregression was introduced that would lock up resized pipes under certain\nconditions. See the reproducer in [1].\r\n\r\nThe commit resizing the pipe ring size was moved to a different\nfunction, doing that moved the wakeup for pipe->wr_wait before actually\nraising pipe->max_usage. If a pipe was full before the resize occured it\nwould result in the wakeup never actually triggering pipe_write.\r\n\r\nSet @max_usage and @nr_accounted before waking writers if this isn't a\nwatch queue.\r\n\r\n[Christian Brauner <brauner@kernel.org>: rewrite to account for watch queues](CVE-2023-52672)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nACPI: video: check for error while searching for backlight device parent\r\n\r\nIf acpi_get_parent() called in acpi_video_dev_register_backlight()\nfails, for example, because acpi_ut_acquire_mutex() fails inside\nacpi_get_parent), this can lead to incorrect (uninitialized)\nacpi_parent handle being passed to acpi_get_pci_dev() for detecting\nthe parent pci device.\r\n\r\nCheck acpi_get_parent() result and set parent device only in case of success.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2023-52693)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmmc: mmc_spi: fix error handling in mmc_spi_probe()\r\n\r\nIf mmc_add_host() fails, it doesn't need to call mmc_remove_host(),\nor it will cause null-ptr-deref, because of deleting a not added\ndevice in mmc_remove_host().\r\n\r\nTo fix this, goto label 'fail_glue_init', if mmc_add_host() fails,\nand change the label 'fail_add_host' to 'fail_gpiod_request'.(CVE-2023-52708)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nceph: blocklist the kclient when receiving corrupted snap trace\r\n\r\nWhen received corrupted snap trace we don't know what exactly has\nhappened in MDS side. And we shouldn't continue IOs and metadatas\naccess to MDS, which may corrupt or get incorrect contents.\r\n\r\nThis patch will just block all the further IO/MDS requests\nimmediately and then evict the kclient itself.\r\n\r\nThe reason why we still need to evict the kclient just after\nblocking all the further IOs is that the MDS could revoke the caps\nfaster.(CVE-2023-52732)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nFix page corruption caused by racy check in __free_pages\r\n\r\nWhen we upgraded our kernel, we started seeing some page corruption like\nthe following consistently:\r\n\r\n  BUG: Bad page state in process ganesha.nfsd  pfn:1304ca\n  page:0000000022261c55 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x1304ca\n  flags: 0x17ffffc0000000()\n  raw: 0017ffffc0000000 ffff8a513ffd4c98 ffffeee24b35ec08 0000000000000000\n  raw: 0000000000000000 0000000000000001 00000000ffffff7f 0000000000000000\n  page dumped because: nonzero mapcount\n  CPU: 0 PID: 15567 Comm: ganesha.nfsd Kdump: loaded Tainted: P    B      O      5.10.158-1.nutanix.20221209.el7.x86_64 #1\n  Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016\n  Call Trace:\n   dump_stack+0x74/0x96\n   bad_page.cold+0x63/0x94\n   check_new_page_bad+0x6d/0x80\n   rmqueue+0x46e/0x970\n   get_page_from_freelist+0xcb/0x3f0\n   ? _cond_resched+0x19/0x40\n   __alloc_pages_nodemask+0x164/0x300\n   alloc_pages_current+0x87/0xf0\n   skb_page_frag_refill+0x84/0x110\n   ...\r\n\r\nSometimes, it would also show up as corruption in the free list pointer\nand cause crashes.\r\n\r\nAfter bisecting the issue, we found the issue started from commit\ne320d3012d25 (\"mm/page_alloc.c: fix freeing non-compound pages\"):\r\n\r\n\tif (put_page_testzero(page))\n\t\tfree_the_page(page, order);\n\telse if (!PageHead(page))\n\t\twhile (order-- > 0)\n\t\t\tfree_the_page(page + (1 << order), order);\r\n\r\nSo the problem is the check PageHead is racy because at this point we\nalready dropped our reference to the page.  So even if we came in with\ncompound page, the page can already be freed and PageHead can return\nfalse and we will end up freeing all the tail pages causing double free.(CVE-2023-52739)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nIB/hfi1: Restore allocated resources on failed copyout\r\n\r\nFix a resource leak if an error occurs.(CVE-2023-52747)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvirtio-blk: fix implicit overflow on virtio_max_dma_size\r\n\r\nThe following codes have an implicit conversion from size_t to u32:\n(u32)max_size = (size_t)virtio_max_dma_size(vdev);\r\n\r\nThis may lead overflow, Ex (size_t)4G -> (u32)0. Once\nvirtio_max_dma_size() has a larger size than U32_MAX, use U32_MAX\ninstead.(CVE-2023-52762)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/jfs: Add check for negative db_l2nbperpage\r\n\r\nl2nbperpage is log2(number of blks per page), and the minimum legal\nvalue should be 0, not negative.\r\n\r\nIn the case of l2nbperpage being negative, an error will occur\nwhen subsequently used as shift exponent.\r\n\r\nSyzbot reported this bug:\r\n\r\nUBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:799:12\nshift exponent -16777216 is negative(CVE-2023-52810)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/panel: fix a possible null pointer dereference\r\n\r\nIn versatile_panel_get_modes(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.(CVE-2023-52821)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: vidtv: mux: Add check and kfree for kstrdup\r\n\r\nAdd check for the return value of kstrdup() and return the error\nif it fails in order to avoid NULL pointer dereference.\nMoreover, use kfree() in the later error handling in order to avoid\nmemory leak.(CVE-2023-52841)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhsr: Prevent use after free in prp_create_tagged_frame()\r\n\r\nThe prp_fill_rct() function can fail.  In that situation, it frees the\nskb and returns NULL.  Meanwhile on the success path, it returns the\noriginal skb.  So it's straight forward to fix bug by using the returned\nvalue.(CVE-2023-52846)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change\r\n\r\nWhile PLL CPUX clock rate change when CPU is running from it works in\nvast majority of cases, now and then it causes instability. This leads\nto system crashes and other undefined behaviour. After a lot of testing\n(30+ hours) while also doing a lot of frequency switches, we can't\nobserve any instability issues anymore when doing reparenting to stable\nclock like 24 MHz oscillator.(CVE-2023-52882)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: validate request buffer size in smb2_allocate_rsp_buf()\r\n\r\nThe response buffer should be allocated in smb2_allocate_rsp_buf\nbefore validating request. But the fields in payload as well as smb2 header\nis used in smb2_allocate_rsp_buf(). This patch add simple buffer size\nvalidation to avoid potencial out-of-bounds in request buffer.(CVE-2024-26936)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses\r\n\r\nSince commit a4d5613c4dc6 (\"arm: extend pfn_valid to take into account\nfreed memory map alignment\") changes the semantics of pfn_valid() to check\npresence of the memory map for a PFN. A valid page for an address which\nis reserved but not mapped by the kernel[1], the system crashed during\nsome uio test with the following memory layout:\r\n\r\n node   0: [mem 0x00000000c0a00000-0x00000000cc8fffff]\n node   0: [mem 0x00000000d0000000-0x00000000da1fffff]\n the uio layout is：0xc0900000, 0x100000\r\n\r\nthe crash backtrace like:\r\n\r\n  Unable to handle kernel paging request at virtual address bff00000\n  [...]\n  CPU: 1 PID: 465 Comm: startapp.bin Tainted: G           O      5.10.0 #1\n  Hardware name: Generic DT based system\n  PC is at b15_flush_kern_dcache_area+0x24/0x3c\n  LR is at __sync_icache_dcache+0x6c/0x98\n  [...]\n   (b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98)\n   (__sync_icache_dcache) from (set_pte_at+0x28/0x54)\n   (set_pte_at) from (remap_pfn_range+0x1a0/0x274)\n   (remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio])\n   (uio_mmap [uio]) from (__mmap_region+0x264/0x5f4)\n   (__mmap_region) from (__do_mmap_mm+0x3ec/0x440)\n   (__do_mmap_mm) from (do_mmap+0x50/0x58)\n   (do_mmap) from (vm_mmap_pgoff+0xfc/0x188)\n   (vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4)\n   (ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c)\n  Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e)\n  ---[ end trace 09cf0734c3805d52 ]---\n  Kernel panic - not syncing: Fatal exception\r\n\r\nSo check if PG_reserved was set to solve this issue.\r\n\r\n[1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/(CVE-2024-26947)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()\r\n\r\nIf ->NameOffset of smb2_create_req is smaller than Buffer offset of\nsmb2_create_req, slab-out-of-bounds read can happen from smb2_open.\nThis patch set the minimum value of the name offset to the buffer offset\nto validate name length of smb2_create_req().(CVE-2024-26954)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm: swap: fix race between free_swap_and_cache() and swapoff()\r\n\r\nThere was previously a theoretical window where swapoff() could run and\nteardown a swap_info_struct while a call to free_swap_and_cache() was\nrunning in another thread.  This could cause, amongst other bad\npossibilities, swap_page_trans_huge_swapped() (called by\nfree_swap_and_cache()) to access the freed memory for swap_map.\r\n\r\nThis is a theoretical problem and I haven't been able to provoke it from a\ntest case.  But there has been agreement based on code review that this is\npossible (see link below).\r\n\r\nFix it by using get_swap_device()/put_swap_device(), which will stall\nswapoff().  There was an extra check in _swap_info_get() to confirm that\nthe swap entry was not free.  This isn't present in get_swap_device()\nbecause it doesn't make sense in general due to the race between getting\nthe reference and swapoff.  So I've added an equivalent check directly in\nfree_swap_and_cache().\r\n\r\nDetails of how to provoke one possible issue (thanks to David Hildenbrand\nfor deriving this):\r\n\r\n--8<-----\r\n\r\n__swap_entry_free() might be the last user and result in\n\"count == SWAP_HAS_CACHE\".\r\n\r\nswapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0.\r\n\r\nSo the question is: could someone reclaim the folio and turn\nsi->inuse_pages==0, before we completed swap_page_trans_huge_swapped().\r\n\r\nImagine the following: 2 MiB folio in the swapcache. Only 2 subpages are\nstill references by swap entries.\r\n\r\nProcess 1 still references subpage 0 via swap entry.\nProcess 2 still references subpage 1 via swap entry.\r\n\r\nProcess 1 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n[then, preempted in the hypervisor etc.]\r\n\r\nProcess 2 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\r\n\r\nProcess 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls\n__try_to_reclaim_swap().\r\n\r\n__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()->\nput_swap_folio()->free_swap_slot()->swapcache_free_entries()->\nswap_entry_free()->swap_range_free()->\n...\nWRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries);\r\n\r\nWhat stops swapoff to succeed after process 2 reclaimed the swap cache\nbut before process1 finished its call to swap_page_trans_huge_swapped()?\r\n\r\n--8<-----(CVE-2024-26960)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5e: Prevent deadlock while disabling aRFS\r\n\r\nWhen disabling aRFS under the `priv->state_lock`, any scheduled\naRFS works are canceled using the `cancel_work_sync` function,\nwhich waits for the work to end if it has already started.\nHowever, while waiting for the work handler, the handler will\ntry to acquire the `state_lock` which is already acquired.\r\n\r\nThe worker acquires the lock to delete the rules if the state\nis down, which is not the worker's responsibility since\ndisabling aRFS deletes the rules.\r\n\r\nAdd an aRFS state variable, which indicates whether the aRFS is\nenabled and prevent adding rules when the aRFS is disabled.\r\n\r\nKernel log:\r\n\r\n======================================================\nWARNING: possible circular locking dependency detected\n6.7.0-rc4_net_next_mlx5_5483eb2 #1 Tainted: G          I\n------------------------------------------------------\nethtool/386089 is trying to acquire lock:\nffff88810f21ce68 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}, at: __flush_work+0x74/0x4e0\r\n\r\nbut task is already holding lock:\nffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\r\n\r\nwhich lock already depends on the new lock.\r\n\r\nthe existing dependency chain (in reverse order) is:\r\n\r\n-> #1 (&priv->state_lock){+.+.}-{3:3}:\n       __mutex_lock+0x80/0xc90\n       arfs_handle_work+0x4b/0x3b0 [mlx5_core]\n       process_one_work+0x1dc/0x4a0\n       worker_thread+0x1bf/0x3c0\n       kthread+0xd7/0x100\n       ret_from_fork+0x2d/0x50\n       ret_from_fork_asm+0x11/0x20\r\n\r\n-> #0 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}:\n       __lock_acquire+0x17b4/0x2c80\n       lock_acquire+0xd0/0x2b0\n       __flush_work+0x7a/0x4e0\n       __cancel_work_timer+0x131/0x1c0\n       arfs_del_rules+0x143/0x1e0 [mlx5_core]\n       mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n       mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\n       ethnl_set_channels+0x28f/0x3b0\n       ethnl_default_set_doit+0xec/0x240\n       genl_family_rcv_msg_doit+0xd0/0x120\n       genl_rcv_msg+0x188/0x2c0\n       netlink_rcv_skb+0x54/0x100\n       genl_rcv+0x24/0x40\n       netlink_unicast+0x1a1/0x270\n       netlink_sendmsg+0x214/0x460\n       __sock_sendmsg+0x38/0x60\n       __sys_sendto+0x113/0x170\n       __x64_sys_sendto+0x20/0x30\n       do_syscall_64+0x40/0xe0\n       entry_SYSCALL_64_after_hwframe+0x46/0x4e\r\n\r\nother info that might help us debug this:\r\n\r\n Possible unsafe locking scenario:\r\n\r\n       CPU0                    CPU1\n       ----                    ----\n  lock(&priv->state_lock);\n                               lock((work_completion)(&rule->arfs_work));\n                               lock(&priv->state_lock);\n  lock((work_completion)(&rule->arfs_work));\r\n\r\n *** DEADLOCK ***\r\n\r\n3 locks held by ethtool/386089:\n #0: ffffffff82ea7210 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40\n #1: ffffffff82e94c88 (rtnl_mutex){+.+.}-{3:3}, at: ethnl_default_set_doit+0xd3/0x240\n #2: ffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\r\n\r\nstack backtrace:\nCPU: 15 PID: 386089 Comm: ethtool Tainted: G          I        6.7.0-rc4_net_next_mlx5_5483eb2 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x60/0xa0\n check_noncircular+0x144/0x160\n __lock_acquire+0x17b4/0x2c80\n lock_acquire+0xd0/0x2b0\n ? __flush_work+0x74/0x4e0\n ? save_trace+0x3e/0x360\n ? __flush_work+0x74/0x4e0\n __flush_work+0x7a/0x4e0\n ? __flush_work+0x74/0x4e0\n ? __lock_acquire+0xa78/0x2c80\n ? lock_acquire+0xd0/0x2b0\n ? mark_held_locks+0x49/0x70\n __cancel_work_timer+0x131/0x1c0\n ? mark_held_locks+0x49/0x70\n arfs_del_rules+0x143/0x1e0 [mlx5_core]\n mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\n ethnl_set_channels+0x28f/0x3b0\n ethnl_default_set_doit+0xec/0x240\n genl_family_rcv_msg_doit+0xd0/0x120\n genl_rcv_msg+0x188/0x2c0\n ? ethn\n---truncated---(CVE-2024-27014)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()\r\n\r\nnft_unregister_obj() can concurrent with __nft_obj_type_get(),\nand there is not any protection when iterate over nf_tables_objects\nlist in __nft_obj_type_get(). Therefore, there is potential data-race\nof nf_tables_objects list entry.\r\n\r\nUse list_for_each_entry_rcu() to iterate over nf_tables_objects\nlist in __nft_obj_type_get(), and use rcu_read_lock() in the caller\nnft_obj_type_get() to protect the entire type query process.(CVE-2024-27019)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Fix potential NULL pointer dereferences in 'dcn10_set_output_transfer_func()'\r\n\r\nThe 'stream' pointer is used in dcn10_set_output_transfer_func() before\nthe check if 'stream' is NULL.\r\n\r\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn10/dcn10_hwseq.c:1892 dcn10_set_output_transfer_func() warn: variable dereferenced before check 'stream' (see line 1875)(CVE-2024-27044)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: ll_temac: platform_get_resource replaced by wrong function\r\n\r\nThe function platform_get_resource was replaced with\ndevm_platform_ioremap_resource_byname and is called using 0 as name.\r\n\r\nThis eventually ends up in platform_get_resource_byname in the call\nstack, where it causes a null pointer in strcmp.\r\n\r\n\tif (type == resource_type(r) && !strcmp(r->name, name))\r\n\r\nIt should have been replaced with devm_platform_ioremap_resource.(CVE-2024-35796)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion\r\n\r\nThe first kiocb_set_cancel_fn() argument may point at a struct kiocb\nthat is not embedded inside struct aio_kiocb. With the current code,\ndepending on the compiler, the req->ki_ctx read happens either before\nthe IOCB_AIO_RW test or after that test. Move the req->ki_ctx read such\nthat it is guaranteed that the IOCB_AIO_RW test happens first.(CVE-2024-35815)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsoc: fsl: qbman: Use raw spinlock for cgr_lock\r\n\r\nsmp_call_function always runs its callback in hard IRQ context, even on\nPREEMPT_RT, where spinlocks can sleep. So we need to use a raw spinlock\nfor cgr_lock to ensure we aren't waiting on a sleeping task.\r\n\r\nAlthough this bug has existed for a while, it was not apparent until\ncommit ef2a8d5478b9 (\"net: dpaa: Adjust queue depth on rate change\")\nwhich invokes smp_call_function_single via qman_update_cgr_safe every\ntime a link goes up or down.(CVE-2024-35819)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer()\r\n\r\nIn the for statement of lbs_allocate_cmd_buffer(), if the allocation of\ncmdarray[i].cmdbuf fails, both cmdarray and cmdarray[i].cmdbuf needs to\nbe freed. Otherwise, there will be memleaks in lbs_allocate_cmd_buffer().(CVE-2024-35828)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: bridge: replace physindev with physinif in nf_bridge_info\r\n\r\nAn skb can be added to a neigh->arp_queue while waiting for an arp\nreply. Where original skb's skb->dev can be different to neigh's\nneigh->dev. For instance in case of bridging dnated skb from one veth to\nanother, the skb would be added to a neigh->arp_queue of the bridge.\r\n\r\nAs skb->dev can be reset back to nf_bridge->physindev and used, and as\nthere is no explicit mechanism that prevents this physindev from been\nfreed under us (for instance neigh_flush_dev doesn't cleanup skbs from\ndifferent device's neigh queue) we can crash on e.g. this stack:\r\n\r\narp_process\n  neigh_update\n    skb = __skb_dequeue(&neigh->arp_queue)\n      neigh_resolve_output(..., skb)\n        ...\n          br_nf_dev_xmit\n            br_nf_pre_routing_finish_bridge_slow\n              skb->dev = nf_bridge->physindev\n              br_handle_frame_finish\r\n\r\nLet's use plain ifindex instead of net_device link. To peek into the\noriginal net_device we will use dev_get_by_index_rcu(). Thus either we\nget device and are safe to use it or we don't get it and drop skb.(CVE-2024-35839)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsmb: client: fix UAF in smb2_reconnect_server()\r\n\r\nThe UAF bug is due to smb2_reconnect_server() accessing a session that\nis already being teared down by another thread that is executing\n__cifs_put_smb_ses().  This can happen when (a) the client has\nconnection to the server but no session or (b) another thread ends up\nsetting @ses->ses_status again to something different than\nSES_EXITING.\r\n\r\nTo fix this, we need to make sure to unconditionally set\n@ses->ses_status to SES_EXITING and prevent any other threads from\nsetting a new status while we're still tearing it down.\r\n\r\nThe following can be reproduced by adding some delay to right after\nthe ipc is freed in __cifs_put_smb_ses() - which will give\nsmb2_reconnect_server() worker a chance to run and then accessing\n@ses->ipc:\r\n\r\nkinit ...\nmount.cifs //srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10\n[disconnect srv]\nls /mnt/1 &>/dev/null\nsleep 30\nkdestroy\n[reconnect srv]\nsleep 10\numount /mnt/1\n...\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\nCIFS: VFS: \\\\srv Send error in SessSetup = -126\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\nCIFS: VFS: \\\\srv Send error in SessSetup = -126\ngeneral protection fault, probably for non-canonical address\n0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39\n04/01/2014\nWorkqueue: cifsiod smb2_reconnect_server [cifs]\nRIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0\nCode: 4f 08 48 85 d2 74 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad\nde 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 <48> 8b 01 48 39 f8 75\n7b 48 8b 72 08 48 39 c6 0f 85 88 00 00 00 b8\nRSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83\nRAX: dead000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b\nRDX: 6b6b6b6b6b6b6b6b RSI: ffffffffc02f6878 RDI: ffff88810da53800\nRBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000001 R12: ffff88810c064000\nR13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000\nFS: 0000000000000000(0000) GS:ffff888157c00000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? die_addr+0x36/0x90\n ? exc_general_protection+0x1c1/0x3f0\n ? asm_exc_general_protection+0x26/0x30\n ? __list_del_entry_valid_or_report+0x33/0xf0\n __cifs_put_smb_ses+0x1ae/0x500 [cifs]\n smb2_reconnect_server+0x4ed/0x710 [cifs]\n process_one_work+0x205/0x6b0\n worker_thread+0x191/0x360\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe2/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>(CVE-2024-35870)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nax25: fix use-after-free bugs caused by ax25_ds_del_timer\r\n\r\nWhen the ax25 device is detaching, the ax25_dev_device_down()\ncalls ax25_ds_del_timer() to cleanup the slave_timer. When\nthe timer handler is running, the ax25_ds_del_timer() that\ncalls del_timer() in it will return directly. As a result,\nthe use-after-free bugs could happen, one of the scenarios\nis shown below:\r\n\r\n      (Thread 1)          |      (Thread 2)\n                          | ax25_ds_timeout()\nax25_dev_device_down()    |\n  ax25_ds_del_timer()     |\n    del_timer()           |\n  ax25_dev_put() //FREE   |\n                          |  ax25_dev-> //USE\r\n\r\nIn order to mitigate bugs, when the device is detaching, use\ntimer_shutdown_sync() to stop the timer.(CVE-2024-35887)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: properly terminate timers for kernel sockets\r\n\r\nWe had various syzbot reports about tcp timers firing after\nthe corresponding netns has been dismantled.\r\n\r\nFortunately Josef Bacik could trigger the issue more often,\nand could test a patch I wrote two years ago.\r\n\r\nWhen TCP sockets are closed, we call inet_csk_clear_xmit_timers()\nto 'stop' the timers.\r\n\r\ninet_csk_clear_xmit_timers() can be called from any context,\nincluding when socket lock is held.\nThis is the reason it uses sk_stop_timer(), aka del_timer().\nThis means that ongoing timers might finish much later.\r\n\r\nFor user sockets, this is fine because each running timer\nholds a reference on the socket, and the user socket holds\na reference on the netns.\r\n\r\nFor kernel sockets, we risk that the netns is freed before\ntimer can complete, because kernel sockets do not hold\nreference on the netns.\r\n\r\nThis patch adds inet_csk_clear_xmit_timers_sync() function\nthat using sk_stop_timer_sync() to make sure all timers\nare terminated before the kernel socket is released.\nModules using kernel sockets close them in their netns exit()\nhandler.\r\n\r\nAlso add sock_not_owned_by_me() helper to get LOCKDEP\nsupport : inet_csk_clear_xmit_timers_sync() must not be called\nwhile socket lock is held.\r\n\r\nIt is very possible we can revert in the future commit\n3a58f13a881e (\"net: rds: acquire refcount on TCP sockets\")\nwhich attempted to solve the issue in rds only.\n(net/smc/af_smc.c and net/mptcp/subflow.c have similar code)\r\n\r\nWe probably can remove the check_net() tests from\ntcp_out_of_resources() and __tcp_close() in the future.(CVE-2024-35910)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/vc4: don't check if plane->state->fb == state->fb\r\n\r\nCurrently, when using non-blocking commits, we can see the following\nkernel warning:\r\n\r\n[  110.908514] ------------[ cut here ]------------\n[  110.908529] refcount_t: underflow; use-after-free.\n[  110.908620] WARNING: CPU: 0 PID: 1866 at lib/refcount.c:87 refcount_dec_not_one+0xb8/0xc0\n[  110.908664] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device cmac algif_hash aes_arm64 aes_generic algif_skcipher af_alg bnep hid_logitech_hidpp vc4 brcmfmac hci_uart btbcm brcmutil bluetooth snd_soc_hdmi_codec cfg80211 cec drm_display_helper drm_dma_helper drm_kms_helper snd_soc_core snd_compress snd_pcm_dmaengine fb_sys_fops sysimgblt syscopyarea sysfillrect raspberrypi_hwmon ecdh_generic ecc rfkill libaes i2c_bcm2835 binfmt_misc joydev snd_bcm2835(C) bcm2835_codec(C) bcm2835_isp(C) v4l2_mem2mem videobuf2_dma_contig snd_pcm bcm2835_v4l2(C) raspberrypi_gpiomem bcm2835_mmal_vchiq(C) videobuf2_v4l2 snd_timer videobuf2_vmalloc videobuf2_memops videobuf2_common snd videodev vc_sm_cma(C) mc hid_logitech_dj uio_pdrv_genirq uio i2c_dev drm fuse dm_mod drm_panel_orientation_quirks backlight ip_tables x_tables ipv6\n[  110.909086] CPU: 0 PID: 1866 Comm: kodi.bin Tainted: G         C         6.1.66-v8+ #32\n[  110.909104] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)\n[  110.909114] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  110.909132] pc : refcount_dec_not_one+0xb8/0xc0\n[  110.909152] lr : refcount_dec_not_one+0xb4/0xc0\n[  110.909170] sp : ffffffc00913b9c0\n[  110.909177] x29: ffffffc00913b9c0 x28: 000000556969bbb0 x27: 000000556990df60\n[  110.909205] x26: 0000000000000002 x25: 0000000000000004 x24: ffffff8004448480\n[  110.909230] x23: ffffff800570b500 x22: ffffff802e03a7bc x21: ffffffecfca68c78\n[  110.909257] x20: ffffff8002b42000 x19: ffffff802e03a600 x18: 0000000000000000\n[  110.909283] x17: 0000000000000011 x16: ffffffffffffffff x15: 0000000000000004\n[  110.909308] x14: 0000000000000fff x13: ffffffed577e47e0 x12: 0000000000000003\n[  110.909333] x11: 0000000000000000 x10: 0000000000000027 x9 : c912d0d083728c00\n[  110.909359] x8 : c912d0d083728c00 x7 : 65646e75203a745f x6 : 746e756f63666572\n[  110.909384] x5 : ffffffed579f62ee x4 : ffffffed579eb01e x3 : 0000000000000000\n[  110.909409] x2 : 0000000000000000 x1 : ffffffc00913b750 x0 : 0000000000000001\n[  110.909434] Call trace:\n[  110.909441]  refcount_dec_not_one+0xb8/0xc0\n[  110.909461]  vc4_bo_dec_usecnt+0x4c/0x1b0 [vc4]\n[  110.909903]  vc4_cleanup_fb+0x44/0x50 [vc4]\n[  110.910315]  drm_atomic_helper_cleanup_planes+0x88/0xa4 [drm_kms_helper]\n[  110.910669]  vc4_atomic_commit_tail+0x390/0x9dc [vc4]\n[  110.911079]  commit_tail+0xb0/0x164 [drm_kms_helper]\n[  110.911397]  drm_atomic_helper_commit+0x1d0/0x1f0 [drm_kms_helper]\n[  110.911716]  drm_atomic_commit+0xb0/0xdc [drm]\n[  110.912569]  drm_mode_atomic_ioctl+0x348/0x4b8 [drm]\n[  110.913330]  drm_ioctl_kernel+0xec/0x15c [drm]\n[  110.914091]  drm_ioctl+0x24c/0x3b0 [drm]\n[  110.914850]  __arm64_sys_ioctl+0x9c/0xd4\n[  110.914873]  invoke_syscall+0x4c/0x114\n[  110.914897]  el0_svc_common+0xd0/0x118\n[  110.914917]  do_el0_svc+0x38/0xd0\n[  110.914936]  el0_svc+0x30/0x8c\n[  110.914958]  el0t_64_sync_handler+0x84/0xf0\n[  110.914979]  el0t_64_sync+0x18c/0x190\n[  110.914996] ---[ end trace 0000000000000000 ]---\r\n\r\nThis happens because, although `prepare_fb` and `cleanup_fb` are\nperfectly balanced, we cannot guarantee consistency in the check\nplane->state->fb == state->fb. This means that sometimes we can increase\nthe refcount in `prepare_fb` and don't decrease it in `cleanup_fb`. The\nopposite can also be true.\r\n\r\nIn fact, the struct drm_plane .state shouldn't be accessed directly\nbut instead, the `drm_atomic_get_new_plane_state()` helper function should\nbe used. So, we could stick to this check, but using\n`drm_atomic_get_new_plane_state()`. But actually, this check is not re\n---truncated---(CVE-2024-35932)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: send: handle path ref underflow in header iterate_inode_ref()\r\n\r\nChange BUG_ON to proper error handling if building the path buffer\nfails. The pointers are not printed so we don't accidentally leak kernel\naddresses.(CVE-2024-35935)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: cfg80211: check A-MSDU format more carefully\r\n\r\nIf it looks like there's another subframe in the A-MSDU\nbut the header isn't fully there, we can end up reading\ndata out of bounds, only to discard later. Make this a\nbit more careful and check if the subframe header can\neven be present.(CVE-2024-35937)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr()\r\n\r\nSubject: [PATCH] drm/panfrost: Fix the error path in\n panfrost_mmu_map_fault_addr()\r\n\r\nIf some the pages or sgt allocation failed, we shouldn't release the\npages ref we got earlier, otherwise we will end up with unbalanced\nget/put_pages() calls. We should instead leave everything in place\nand let the BO release function deal with extra cleanup when the object\nis destroyed, or let the fault handler try again next time it's called.(CVE-2024-35951)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: L2CAP: Fix not validating setsockopt user input\r\n\r\nCheck user input length before copying data.(CVE-2024-35965)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: RFCOMM: Fix not validating setsockopt user input\r\n\r\nsyzbot reported rfcomm_sock_setsockopt_old() is copying data without\nchecking user input length.\r\n\r\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset\ninclude/linux/sockptr.h:49 [inline]\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr\ninclude/linux/sockptr.h:55 [inline]\nBUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old\nnet/bluetooth/rfcomm/sock.c:632 [inline]\nBUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70\nnet/bluetooth/rfcomm/sock.c:673\nRead of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064(CVE-2024-35966)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbatman-adv: Avoid infinite loop trying to resize local TT\r\n\r\nIf the MTU of one of an attached interface becomes too small to transmit\nthe local translation table then it must be resized to fit inside all\nfragments (when enabled) or a single packet.\r\n\r\nBut if the MTU becomes too low to transmit even the header + the VLAN\nspecific part then the resizing of the local TT will never succeed. This\ncan for example happen when the usable space is 110 bytes and 11 VLANs are\non top of batman-adv. In this case, at least 116 byte would be needed.\nThere will just be an endless spam of\r\n\r\n   batman_adv: batadv0: Forced to purge local tt entries to fit new maximum fragment MTU (110)\r\n\r\nin the log but the function will never finish. Problem here is that the\ntimeout will be halved all the time and will then stagnate at 0 and\ntherefore never be able to reduce the table even more.\r\n\r\nThere are other scenarios possible with a similar result. The number of\nBATADV_TT_CLIENT_NOPURGE entries in the local TT can for example be too\nhigh to fit inside a packet. Such a scenario can therefore happen also with\nonly a single VLAN + 7 non-purgable addresses - requiring at least 120\nbytes.\r\n\r\nWhile this should be handled proactively when:\r\n\r\n* interface with too low MTU is added\n* VLAN is added\n* non-purgeable local mac is added\n* MTU of an attached interface is reduced\n* fragmentation setting gets disabled (which most likely requires dropping\n  attached interfaces)\r\n\r\nnot all of these scenarios can be prevented because batman-adv is only\nconsuming events without the the possibility to prevent these actions\n(non-purgable MAC address added, MTU of an attached interface is reduced).\nIt is therefore necessary to also make sure that the code is able to handle\nalso the situations when there were already incompatible system\nconfiguration are present.(CVE-2024-35982)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntty: n_gsm: fix possible out-of-bounds in gsm0_receive()\r\n\r\nAssuming the following:\n- side A configures the n_gsm in basic option mode\n- side B sends the header of a basic option mode frame with data length 1\n- side A switches to advanced option mode\n- side B sends 2 data bytes which exceeds gsm->len\n  Reason: gsm->len is not used in advanced option mode.\n- side A switches to basic option mode\n- side B keeps sending until gsm0_receive() writes past gsm->buf\n  Reason: Neither gsm->state nor gsm->len have been reset after\n  reconfiguration.\r\n\r\nFix this by changing gsm->count to gsm->len comparison from equal to less\nthan. Also add upper limit checks against the constant MAX_MRU in\ngsm0_receive() and gsm1_receive() to harden against memory corruption of\ngsm->len and gsm->mru.\r\n\r\nAll other checks remain as we still need to limit the data according to the\nuser configuration and actual payload size.(CVE-2024-36016)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblk-iocost: avoid out of bounds shift\r\n\r\nUBSAN catches undefined behavior in blk-iocost, where sometimes\niocg->delay is shifted right by a number that is too large,\nresulting in undefined behavior on some architectures.\r\n\r\n[  186.556576] ------------[ cut here ]------------\nUBSAN: shift-out-of-bounds in block/blk-iocost.c:1366:23\nshift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long')\nCPU: 16 PID: 0 Comm: swapper/16 Tainted: G S          E    N 6.9.0-0_fbk700_debug_rc2_kbuilder_0_gc85af715cac0 #1\nHardware name: Quanta Twin Lakes MP/Twin Lakes Passive MP, BIOS F09_3A23 12/08/2020\nCall Trace:\n <IRQ>\n dump_stack_lvl+0x8f/0xe0\n __ubsan_handle_shift_out_of_bounds+0x22c/0x280\n iocg_kick_delay+0x30b/0x310\n ioc_timer_fn+0x2fb/0x1f80\n __run_timer_base+0x1b6/0x250\n...\r\n\r\nAvoid that undefined behavior by simply taking the\n\"delay = 0\" branch if the shift is too large.\r\n\r\nI am not sure what the symptoms of an undefined value\ndelay will be, but I suspect it could be more than a\nlittle annoying to debug.(CVE-2024-36916)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblock: fix overflow in blk_ioctl_discard()\r\n\r\nThere is no check for overflow of 'start + len' in blk_ioctl_discard().\nHung task occurs if submit an discard ioctl with the following param:\n  start = 0x80000000000ff000, len = 0x8000000000fff000;\nAdd the overflow validation now.(CVE-2024-36917)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload\r\n\r\nThe session resources are used by FW and driver when session is offloaded,\nonce session is uploaded these resources are not used. The lock is not\nrequired as these fields won't be used any longer. The offload and upload\ncalls are sequential, hence lock is not required.\r\n\r\nThis will suppress following BUG_ON():\r\n\r\n[  449.843143] ------------[ cut here ]------------\n[  449.848302] kernel BUG at mm/vmalloc.c:2727!\n[  449.853072] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n[  449.858712] CPU: 5 PID: 1996 Comm: kworker/u24:2 Not tainted 5.14.0-118.el9.x86_64 #1\nRebooting.\n[  449.867454] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.3.4 11/08/2016\n[  449.876966] Workqueue: fc_rport_eq fc_rport_work [libfc]\n[  449.882910] RIP: 0010:vunmap+0x2e/0x30\n[  449.887098] Code: 00 65 8b 05 14 a2 f0 4a a9 00 ff ff 00 75 1b 55 48 89 fd e8 34 36 79 00 48 85 ed 74 0b 48 89 ef 31 f6 5d e9 14 fc ff ff 5d c3 <0f> 0b 0f 1f 44 00 00 41 57 41 56 49 89 ce 41 55 49 89 fd 41 54 41\n[  449.908054] RSP: 0018:ffffb83d878b3d68 EFLAGS: 00010206\n[  449.913887] RAX: 0000000080000201 RBX: ffff8f4355133550 RCX: 000000000d400005\n[  449.921843] RDX: 0000000000000001 RSI: 0000000000001000 RDI: ffffb83da53f5000\n[  449.929808] RBP: ffff8f4ac6675800 R08: ffffb83d878b3d30 R09: 00000000000efbdf\n[  449.937774] R10: 0000000000000003 R11: ffff8f434573e000 R12: 0000000000001000\n[  449.945736] R13: 0000000000001000 R14: ffffb83da53f5000 R15: ffff8f43d4ea3ae0\n[  449.953701] FS:  0000000000000000(0000) GS:ffff8f529fc80000(0000) knlGS:0000000000000000\n[  449.962732] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  449.969138] CR2: 00007f8cf993e150 CR3: 0000000efbe10003 CR4: 00000000003706e0\n[  449.977102] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  449.985065] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  449.993028] Call Trace:\n[  449.995756]  __iommu_dma_free+0x96/0x100\n[  450.000139]  bnx2fc_free_session_resc+0x67/0x240 [bnx2fc]\n[  450.006171]  bnx2fc_upload_session+0xce/0x100 [bnx2fc]\n[  450.011910]  bnx2fc_rport_event_handler+0x9f/0x240 [bnx2fc]\n[  450.018136]  fc_rport_work+0x103/0x5b0 [libfc]\n[  450.023103]  process_one_work+0x1e8/0x3c0\n[  450.027581]  worker_thread+0x50/0x3b0\n[  450.031669]  ? rescuer_thread+0x370/0x370\n[  450.036143]  kthread+0x149/0x170\n[  450.039744]  ? set_kthread_struct+0x40/0x40\n[  450.044411]  ret_from_fork+0x22/0x30\n[  450.048404] Modules linked in: vfat msdos fat xfs nfs_layout_nfsv41_files rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver dm_service_time qedf qed crc8 bnx2fc libfcoe libfc scsi_transport_fc intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp dcdbas rapl intel_cstate intel_uncore mei_me pcspkr mei ipmi_ssif lpc_ich ipmi_si fuse zram ext4 mbcache jbd2 loop nfsv3 nfs_acl nfs lockd grace fscache netfs irdma ice sd_mod t10_pi sg ib_uverbs ib_core 8021q garp mrp stp llc mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi fb_sys_fops cec crct10dif_pclmul ahci crc32_pclmul bnx2x drm ghash_clmulni_intel libahci rfkill i40e libata megaraid_sas mdio wmi sunrpc lrw dm_crypt dm_round_robin dm_multipath dm_snapshot dm_bufio dm_mirror dm_region_hash dm_log dm_zero dm_mod linear raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid6_pq libcrc32c crc32c_intel raid1 raid0 iscsi_ibft squashfs be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls\n[  450.048497]  libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi edd ipmi_devintf ipmi_msghandler\n[  450.159753] ---[ end trace 712de2c57c64abc8 ]---(CVE-2024-36919)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/qeth: Fix kernel panic after setting hsuid\r\n\r\nSymptom:\nWhen the hsuid attribute is set for the first time on an IQD Layer3\ndevice while the corresponding network interface is already UP,\nthe kernel will try to execute a napi function pointer that is NULL.\r\n\r\nExample:\n---------------------------------------------------------------------------\n[ 2057.572696] illegal operation: 0001 ilc:1 [#1] SMP\n[ 2057.572702] Modules linked in: af_iucv qeth_l3 zfcp scsi_transport_fc sunrpc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6\nnft_reject nft_ct nf_tables_set nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink ghash_s390 prng xts aes_s390 des_s390 de\ns_generic sha3_512_s390 sha3_256_s390 sha512_s390 vfio_ccw vfio_mdev mdev vfio_iommu_type1 eadm_sch vfio ext4 mbcache jbd2 qeth_l2 bridge stp llc dasd_eckd_mod qeth dasd_mod\n qdio ccwgroup pkey zcrypt\n[ 2057.572739] CPU: 6 PID: 60182 Comm: stress_client Kdump: loaded Not tainted 4.18.0-541.el8.s390x #1\n[ 2057.572742] Hardware name: IBM 3931 A01 704 (LPAR)\n[ 2057.572744] Krnl PSW : 0704f00180000000 0000000000000002 (0x2)\n[ 2057.572748]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3\n[ 2057.572751] Krnl GPRS: 0000000000000004 0000000000000000 00000000a3b008d8 0000000000000000\n[ 2057.572754]            00000000a3b008d8 cb923a29c779abc5 0000000000000000 00000000814cfd80\n[ 2057.572756]            000000000000012c 0000000000000000 00000000a3b008d8 00000000a3b008d8\n[ 2057.572758]            00000000bab6d500 00000000814cfd80 0000000091317e46 00000000814cfc68\n[ 2057.572762] Krnl Code:#0000000000000000: 0000                illegal\n                         >0000000000000002: 0000                illegal\n                          0000000000000004: 0000                illegal\n                          0000000000000006: 0000                illegal\n                          0000000000000008: 0000                illegal\n                          000000000000000a: 0000                illegal\n                          000000000000000c: 0000                illegal\n                          000000000000000e: 0000                illegal\n[ 2057.572800] Call Trace:\n[ 2057.572801] ([<00000000ec639700>] 0xec639700)\n[ 2057.572803]  [<00000000913183e2>] net_rx_action+0x2ba/0x398\n[ 2057.572809]  [<0000000091515f76>] __do_softirq+0x11e/0x3a0\n[ 2057.572813]  [<0000000090ce160c>] do_softirq_own_stack+0x3c/0x58\n[ 2057.572817] ([<0000000090d2cbd6>] do_softirq.part.1+0x56/0x60)\n[ 2057.572822]  [<0000000090d2cc60>] __local_bh_enable_ip+0x80/0x98\n[ 2057.572825]  [<0000000091314706>] __dev_queue_xmit+0x2be/0xd70\n[ 2057.572827]  [<000003ff803dd6d6>] afiucv_hs_send+0x24e/0x300 [af_iucv]\n[ 2057.572830]  [<000003ff803dd88a>] iucv_send_ctrl+0x102/0x138 [af_iucv]\n[ 2057.572833]  [<000003ff803de72a>] iucv_sock_connect+0x37a/0x468 [af_iucv]\n[ 2057.572835]  [<00000000912e7e90>] __sys_connect+0xa0/0xd8\n[ 2057.572839]  [<00000000912e9580>] sys_socketcall+0x228/0x348\n[ 2057.572841]  [<0000000091514e1a>] system_call+0x2a6/0x2c8\n[ 2057.572843] Last Breaking-Event-Address:\n[ 2057.572844]  [<0000000091317e44>] __napi_poll+0x4c/0x1d8\n[ 2057.572846]\n[ 2057.572847] Kernel panic - not syncing: Fatal exception in interrupt\n-------------------------------------------------------------------------------------------\r\n\r\nAnalysis:\nThere is one napi structure per out_q: card->qdio.out_qs[i].napi\nThe napi.poll functions are set during qeth_open().\r\n\r\nSince\ncommit 1cfef80d4c2b (\"s390/qeth: Don't call dev_close/dev_open (DOWN/UP)\")\nqeth_set_offline()/qeth_set_online() no longer call dev_close()/\ndev_open(). So if qeth_free_qdio_queues() cleared\ncard->qdio.out_qs[i].napi.poll while the network interface was UP and the\ncard was offline, they are not set again.\r\n\r\nReproduction:\nchzdev -e $devno layer2=0\nip link set dev $network_interface up\necho 0 > /sys/bus/ccw\n---truncated---(CVE-2024-36928)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: lpfc: Move NPIV's transport unregistration to after resource clean up\r\n\r\nThere are cases after NPIV deletion where the fabric switch still believes\nthe NPIV is logged into the fabric.  This occurs when a vport is\nunregistered before the Remove All DA_ID CT and LOGO ELS are sent to the\nfabric.\r\n\r\nCurrently fc_remove_host(), which calls dev_loss_tmo for all D_IDs including\nthe fabric D_ID, removes the last ndlp reference and frees the ndlp rport\nobject.  This sometimes causes the race condition where the final DA_ID and\nLOGO are skipped from being sent to the fabric switch.\r\n\r\nFix by moving the fc_remove_host() and scsi_remove_host() calls after DA_ID\nand LOGO are sent.(CVE-2024-36952)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntipc: fix a possible memleak in tipc_buf_append\r\n\r\n__skb_linearize() doesn't free the skb when it fails, so move\n'*buf = NULL' after __skb_linearize(), so that the skb can be\nfreed on the err path.(CVE-2024-36954)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/vmwgfx: Fix invalid reads in fence signaled events\r\n\r\nCorrectly set the length of the drm_event to the size of the structure\nthat's actually used.\r\n\r\nThe length of the drm_event was set to the parent structure instead of\nto the drm_vmw_event_fence which is supposed to be read. drm_read\nuses the length parameter to copy the event to the user space thus\nresuling in oob reads.(CVE-2024-36960)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init()\r\n\r\nl2cap_le_flowctl_init() can cause both div-by-zero and an integer\noverflow since hdev->le_mtu may not fall in the valid range.\r\n\r\nMove MTU from hci_dev to hci_conn to validate MTU and stop the connection\nprocess earlier if MTU is invalid.\nAlso, add a missing validation in read_buffer_size() and make it return\nan error value if the validation fails.\nNow hci_conn_add() returns ERR_PTR() as it can fail due to the both a\nkzalloc failure and invalid MTU value.\r\n\r\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 0 PID: 67 Comm: kworker/u5:0 Tainted: G        W          6.9.0-rc5+ #20\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: hci0 hci_rx_work\nRIP: 0010:l2cap_le_flowctl_init+0x19e/0x3f0 net/bluetooth/l2cap_core.c:547\nCode: e8 17 17 0c 00 66 41 89 9f 84 00 00 00 bf 01 00 00 00 41 b8 02 00 00 00 4c\n89 fe 4c 89 e2 89 d9 e8 27 17 0c 00 44 89 f0 31 d2 <66> f7 f3 89 c3 ff c3 4d 8d\nb7 88 00 00 00 4c 89 f0 48 c1 e8 03 42\nRSP: 0018:ffff88810bc0f858 EFLAGS: 00010246\nRAX: 00000000000002a0 RBX: 0000000000000000 RCX: dffffc0000000000\nRDX: 0000000000000000 RSI: ffff88810bc0f7c0 RDI: ffffc90002dcb66f\nRBP: ffff88810bc0f880 R08: aa69db2dda70ff01 R09: 0000ffaaaaaaaaaa\nR10: 0084000000ffaaaa R11: 0000000000000000 R12: ffff88810d65a084\nR13: dffffc0000000000 R14: 00000000000002a0 R15: ffff88810d65a000\nFS:  0000000000000000(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000100 CR3: 0000000103268003 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n l2cap_le_connect_req net/bluetooth/l2cap_core.c:4902 [inline]\n l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:5420 [inline]\n l2cap_le_sig_channel net/bluetooth/l2cap_core.c:5486 [inline]\n l2cap_recv_frame+0xe59d/0x11710 net/bluetooth/l2cap_core.c:6809\n l2cap_recv_acldata+0x544/0x10a0 net/bluetooth/l2cap_core.c:7506\n hci_acldata_packet net/bluetooth/hci_core.c:3939 [inline]\n hci_rx_work+0x5e5/0xb20 net/bluetooth/hci_core.c:4176\n process_one_work kernel/workqueue.c:3254 [inline]\n process_scheduled_works+0x90f/0x1530 kernel/workqueue.c:3335\n worker_thread+0x926/0xe70 kernel/workqueue.c:3416\n kthread+0x2e3/0x380 kernel/kthread.c:388\n ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n </TASK>\nModules linked in:\n---[ end trace 0000000000000000 ]---(CVE-2024-36968)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: fix __dst_negative_advice() race\r\n\r\n__dst_negative_advice() does not enforce proper RCU rules when\nsk->dst_cache must be cleared, leading to possible UAF.\r\n\r\nRCU rules are that we must first clear sk->sk_dst_cache,\nthen call dst_release(old_dst).\r\n\r\nNote that sk_dst_reset(sk) is implementing this protocol correctly,\nwhile __dst_negative_advice() uses the wrong order.\r\n\r\nGiven that ip6_negative_advice() has special logic\nagainst RTF_CACHE, this means each of the three ->negative_advice()\nexisting methods must perform the sk_dst_reset() themselves.\r\n\r\nNote the check against NULL dst is centralized in\n__dst_negative_advice(), there is no need to duplicate\nit in various callbacks.\r\n\r\nMany thanks to Clement Lecigne for tracking this issue.\r\n\r\nThis old bug became visible after the blamed commit, using UDP sockets.(CVE-2024-36971)",
+    "cves": [
+      {
+        "id": "CVE-2023-52672",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52672",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2024-26960",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26960",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2024-36917",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36917",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2024-36971",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36971",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1810": {
+    "id": "openEuler-SA-2022-1810",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1810",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nHeap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0060.(CVE-2022-2522)\r\n\r\nHeap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0101.(CVE-2022-2571)\r\n\r\nUndefined Behavior for Input to API in GitHub repository vim/vim prior to 9.0.0100.(CVE-2022-2598)",
+    "cves": [
+      {
+        "id": "CVE-2022-2598",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2598",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1694": {
+    "id": "openEuler-SA-2024-1694",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1694",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA: Verify port when creating flow rule\r\n\r\nValidate port value provided by the user and with that remove no longer\nneeded validation by the driver.  The missing check in the mlx5_ib driver\ncould cause to the below oops.\r\n\r\nCall trace:\n  _create_flow_rule+0x2d4/0xf28 [mlx5_ib]\n  mlx5_ib_create_flow+0x2d0/0x5b0 [mlx5_ib]\n  ib_uverbs_ex_create_flow+0x4cc/0x624 [ib_uverbs]\n  ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0xd4/0x150 [ib_uverbs]\n  ib_uverbs_cmd_verbs.isra.7+0xb28/0xc50 [ib_uverbs]\n  ib_uverbs_ioctl+0x158/0x1d0 [ib_uverbs]\n  do_vfs_ioctl+0xd0/0xaf0\n  ksys_ioctl+0x84/0xb4\n  __arm64_sys_ioctl+0x28/0xc4\n  el0_svc_common.constprop.3+0xa4/0x254\n  el0_svc_handler+0x84/0xa0\n  el0_svc+0x10/0x26c\n Code: b9401260 f9615681 51000400 8b001c20 (f9403c1a)(CVE-2021-47265)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmISDN: fix possible use-after-free in HFC_cleanup()\r\n\r\nThis module's remove path calls del_timer(). However, that function\ndoes not wait until the timer handler finishes. This means that the\ntimer handler may still be running after the driver's remove function\nhas finished, which would result in a use-after-free.\r\n\r\nFix by calling del_timer_sync(), which makes sure the timer handler\nhas finished, and unable to re-schedule itself.(CVE-2021-47356)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmptcp: ensure tx skbs always have the MPTCP ext\r\n\r\nDue to signed/unsigned comparison, the expression:\r\n\r\n\tinfo->size_goal - skb->len > 0\r\n\r\nevaluates to true when the size goal is smaller than the\nskb size. That results in lack of tx cache refill, so that\nthe skb allocated by the core TCP code lacks the required\nMPTCP skb extensions.\r\n\r\nDue to the above, syzbot is able to trigger the following WARN_ON():\r\n\r\nWARNING: CPU: 1 PID: 810 at net/mptcp/protocol.c:1366 mptcp_sendmsg_frag+0x1362/0x1bc0 net/mptcp/protocol.c:1366\nModules linked in:\nCPU: 1 PID: 810 Comm: syz-executor.4 Not tainted 5.14.0-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:mptcp_sendmsg_frag+0x1362/0x1bc0 net/mptcp/protocol.c:1366\nCode: ff 4c 8b 74 24 50 48 8b 5c 24 58 e9 0f fb ff ff e8 13 44 8b f8 4c 89 e7 45 31 ed e8 98 57 2e fe e9 81 f4 ff ff e8 fe 43 8b f8 <0f> 0b 41 bd ea ff ff ff e9 6f f4 ff ff 4c 89 e7 e8 b9 8e d2 f8 e9\nRSP: 0018:ffffc9000531f6a0 EFLAGS: 00010216\nRAX: 000000000000697f RBX: 0000000000000000 RCX: ffffc90012107000\nRDX: 0000000000040000 RSI: ffffffff88eac9e2 RDI: 0000000000000003\nRBP: ffff888078b15780 R08: 0000000000000000 R09: 0000000000000000\nR10: ffffffff88eac017 R11: 0000000000000000 R12: ffff88801de0a280\nR13: 0000000000006b58 R14: ffff888066278280 R15: ffff88803c2fe9c0\nFS:  00007fd9f866e700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007faebcb2f718 CR3: 00000000267cb000 CR4: 00000000001506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n __mptcp_push_pending+0x1fb/0x6b0 net/mptcp/protocol.c:1547\n mptcp_release_cb+0xfe/0x210 net/mptcp/protocol.c:3003\n release_sock+0xb4/0x1b0 net/core/sock.c:3206\n sk_stream_wait_memory+0x604/0xed0 net/core/stream.c:145\n mptcp_sendmsg+0xc39/0x1bc0 net/mptcp/protocol.c:1749\n inet6_sendmsg+0x99/0xe0 net/ipv6/af_inet6.c:643\n sock_sendmsg_nosec net/socket.c:704 [inline]\n sock_sendmsg+0xcf/0x120 net/socket.c:724\n sock_write_iter+0x2a0/0x3e0 net/socket.c:1057\n call_write_iter include/linux/fs.h:2163 [inline]\n new_sync_write+0x40b/0x640 fs/read_write.c:507\n vfs_write+0x7cf/0xae0 fs/read_write.c:594\n ksys_write+0x1ee/0x250 fs/read_write.c:647\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x4665f9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fd9f866e188 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000000000056c038 RCX: 00000000004665f9\nRDX: 00000000000e7b78 RSI: 0000000020000000 RDI: 0000000000000003\nRBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c038\nR13: 0000000000a9fb1f R14: 00007fd9f866e300 R15: 0000000000022000\r\n\r\nFix the issue rewriting the relevant expression to avoid\nsign-related problems - note: size_goal is always >= 0.\r\n\r\nAdditionally, ensure that the skb in the tx cache always carries\nthe relevant extension.(CVE-2021-47370)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: iscsi: Fix iscsi_task use after free\r\n\r\nCommit d39df158518c (\"scsi: iscsi: Have abort handler get ref to conn\")\nadded iscsi_get_conn()/iscsi_put_conn() calls during abort handling but\nthen also changed the handling of the case where we detect an already\ncompleted task where we now end up doing a goto to the common put/cleanup\ncode. This results in a iscsi_task use after free, because the common\ncleanup code will do a put on the iscsi_task.\r\n\r\nThis reverts the goto and moves the iscsi_get_conn() to after we've checked\nif the iscsi_task is valid.(CVE-2021-47427)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: Fix even more out of bound writes from debugfs\r\n\r\nCVE-2021-42327 was fixed by:\r\n\r\ncommit f23750b5b3d98653b31d4469592935ef6364ad67\nAuthor: Thelford Williams <tdwilliamsiv@gmail.com>\nDate:   Wed Oct 13 16:04:13 2021 -0400\r\n\r\n    drm/amdgpu: fix out of bounds write\r\n\r\nbut amdgpu_dm_debugfs.c contains more of the same issue so fix the\nremaining ones.\r\n\r\nv2:\n\t* Add missing fix in dp_max_bpc_write (Harry Wentland)(CVE-2021-47489)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: TX zerocopy should not sense pfmemalloc status\r\n\r\nWe got a recent syzbot report [1] showing a possible misuse\nof pfmemalloc page status in TCP zerocopy paths.\r\n\r\nIndeed, for pages coming from user space or other layers,\nusing page_is_pfmemalloc() is moot, and possibly could give\nfalse positives.\r\n\r\nThere has been attempts to make page_is_pfmemalloc() more robust,\nbut not using it in the first place in this context is probably better,\nremoving cpu cycles.\r\n\r\nNote to stable teams :\r\n\r\nYou need to backport 84ce071e38a6 (\"net: introduce\n__skb_fill_page_desc_noacc\") as a prereq.\r\n\r\nRace is more probable after commit c07aea3ef4d4\n(\"mm: add a signature in struct page\") because page_is_pfmemalloc()\nis now using low order bit from page->lru.next, which can change\nmore often than page->index.\r\n\r\nLow order bit should never be set for lru.next (when used as an anchor\nin LRU list), so KCSAN report is mostly a false positive.\r\n\r\nBackporting to older kernel versions seems not necessary.\r\n\r\n[1]\nBUG: KCSAN: data-race in lru_add_fn / tcp_build_frag\r\n\r\nwrite to 0xffffea0004a1d2c8 of 8 bytes by task 18600 on cpu 0:\n__list_add include/linux/list.h:73 [inline]\nlist_add include/linux/list.h:88 [inline]\nlruvec_add_folio include/linux/mm_inline.h:105 [inline]\nlru_add_fn+0x440/0x520 mm/swap.c:228\nfolio_batch_move_lru+0x1e1/0x2a0 mm/swap.c:246\nfolio_batch_add_and_move mm/swap.c:263 [inline]\nfolio_add_lru+0xf1/0x140 mm/swap.c:490\nfilemap_add_folio+0xf8/0x150 mm/filemap.c:948\n__filemap_get_folio+0x510/0x6d0 mm/filemap.c:1981\npagecache_get_page+0x26/0x190 mm/folio-compat.c:104\ngrab_cache_page_write_begin+0x2a/0x30 mm/folio-compat.c:116\next4_da_write_begin+0x2dd/0x5f0 fs/ext4/inode.c:2988\ngeneric_perform_write+0x1d4/0x3f0 mm/filemap.c:3738\next4_buffered_write_iter+0x235/0x3e0 fs/ext4/file.c:270\next4_file_write_iter+0x2e3/0x1210\ncall_write_iter include/linux/fs.h:2187 [inline]\nnew_sync_write fs/read_write.c:491 [inline]\nvfs_write+0x468/0x760 fs/read_write.c:578\nksys_write+0xe8/0x1a0 fs/read_write.c:631\n__do_sys_write fs/read_write.c:643 [inline]\n__se_sys_write fs/read_write.c:640 [inline]\n__x64_sys_write+0x3e/0x50 fs/read_write.c:640\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\r\n\r\nread to 0xffffea0004a1d2c8 of 8 bytes by task 18611 on cpu 1:\npage_is_pfmemalloc include/linux/mm.h:1740 [inline]\n__skb_fill_page_desc include/linux/skbuff.h:2422 [inline]\nskb_fill_page_desc include/linux/skbuff.h:2443 [inline]\ntcp_build_frag+0x613/0xb20 net/ipv4/tcp.c:1018\ndo_tcp_sendpages+0x3e8/0xaf0 net/ipv4/tcp.c:1075\ntcp_sendpage_locked net/ipv4/tcp.c:1140 [inline]\ntcp_sendpage+0x89/0xb0 net/ipv4/tcp.c:1150\ninet_sendpage+0x7f/0xc0 net/ipv4/af_inet.c:833\nkernel_sendpage+0x184/0x300 net/socket.c:3561\nsock_sendpage+0x5a/0x70 net/socket.c:1054\npipe_to_sendpage+0x128/0x160 fs/splice.c:361\nsplice_from_pipe_feed fs/splice.c:415 [inline]\n__splice_from_pipe+0x222/0x4d0 fs/splice.c:559\nsplice_from_pipe fs/splice.c:594 [inline]\ngeneric_splice_sendpage+0x89/0xc0 fs/splice.c:743\ndo_splice_from fs/splice.c:764 [inline]\ndirect_splice_actor+0x80/0xa0 fs/splice.c:931\nsplice_direct_to_actor+0x305/0x620 fs/splice.c:886\ndo_splice_direct+0xfb/0x180 fs/splice.c:974\ndo_sendfile+0x3bf/0x910 fs/read_write.c:1249\n__do_sys_sendfile64 fs/read_write.c:1317 [inline]\n__se_sys_sendfile64 fs/read_write.c:1303 [inline]\n__x64_sys_sendfile64+0x10c/0x150 fs/read_write.c:1303\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\r\n\r\nvalue changed: 0x0000000000000000 -> 0xffffea0004a1d288\r\n\r\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 18611 Comm: syz-executor.4 Not tainted 6.0.0-rc2-syzkaller-00248-ge022620b5d05-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022(CVE-2022-48689)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nio_uring/af_unix: disable sending io_uring over sockets\r\n\r\nFile reference cycles have caused lots of problems for io_uring\nin the past, and it still doesn't work exactly right and races with\nunix_stream_read_generic(). The safest fix would be to completely\ndisallow sending io_uring files via sockets via SCM_RIGHT, so there\nare no possible cycles invloving registered files and thus rendering\nSCM accounting on the io_uring side unnecessary.(CVE-2023-52654)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: s390/aes - Fix buffer overread in CTR mode\r\n\r\nWhen processing the last block, the s390 ctr code will always read\na whole block, even if there isn't a whole block of data left.  Fix\nthis by using the actual length left and copy it into a buffer first\nfor processing.(CVE-2023-52669)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nriscv: Check if the code to patch lies in the exit section\r\n\r\nOtherwise we fall through to vmalloc_to_page() which panics since the\naddress does not lie in the vmalloc region.(CVE-2023-52677)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/powernv: Add a null pointer check in opal_powercap_init()\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.(CVE-2023-52696)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsysv: don't call sb_bread() with pointers_lock held\r\n\r\nsyzbot is reporting sleep in atomic context in SysV filesystem [1], for\nsb_bread() is called with rw_spinlock held.\r\n\r\nA \"write_lock(&pointers_lock) => read_lock(&pointers_lock) deadlock\" bug\nand a \"sb_bread() with write_lock(&pointers_lock)\" bug were introduced by\n\"Replace BKL for chain locking with sysvfs-private rwlock\" in Linux 2.5.12.\r\n\r\nThen, \"[PATCH] err1-40: sysvfs locking fix\" in Linux 2.6.8 fixed the\nformer bug by moving pointers_lock lock to the callers, but instead\nintroduced a \"sb_bread() with read_lock(&pointers_lock)\" bug (which made\nthis problem easier to hit).\r\n\r\nAl Viro suggested that why not to do like get_branch()/get_block()/\nfind_shared() in Minix filesystem does. And doing like that is almost a\nrevert of \"[PATCH] err1-40: sysvfs locking fix\" except that get_branch()\n from with find_shared() is called without write_lock(&pointers_lock).(CVE-2023-52699)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\narm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer\r\n\r\nPrior to LLVM 15.0.0, LLVM's integrated assembler would incorrectly\nbyte-swap NOP when compiling for big-endian, and the resulting series of\nbytes happened to match the encoding of FNMADD S21, S30, S0, S0.\r\n\r\nThis went unnoticed until commit:\r\n\r\n  34f66c4c4d5518c1 (\"arm64: Use a positive cpucap for FP/SIMD\")\r\n\r\nPrior to that commit, the kernel would always enable the use of FPSIMD\nearly in boot when __cpu_setup() initialized CPACR_EL1, and so usage of\nFNMADD within the kernel was not detected, but could result in the\ncorruption of user or kernel FPSIMD state.\r\n\r\nAfter that commit, the instructions happen to trap during boot prior to\nFPSIMD being detected and enabled, e.g.\r\n\r\n| Unhandled 64-bit el1h sync exception on CPU0, ESR 0x000000001fe00000 -- ASIMD\n| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1\n| Hardware name: linux,dummy-virt (DT)\n| pstate: 400000c9 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n| pc : __pi_strcmp+0x1c/0x150\n| lr : populate_properties+0xe4/0x254\n| sp : ffffd014173d3ad0\n| x29: ffffd014173d3af0 x28: fffffbfffddffcb8 x27: 0000000000000000\n| x26: 0000000000000058 x25: fffffbfffddfe054 x24: 0000000000000008\n| x23: fffffbfffddfe000 x22: fffffbfffddfe000 x21: fffffbfffddfe044\n| x20: ffffd014173d3b70 x19: 0000000000000001 x18: 0000000000000005\n| x17: 0000000000000010 x16: 0000000000000000 x15: 00000000413e7000\n| x14: 0000000000000000 x13: 0000000000001bcc x12: 0000000000000000\n| x11: 00000000d00dfeed x10: ffffd414193f2cd0 x9 : 0000000000000000\n| x8 : 0101010101010101 x7 : ffffffffffffffc0 x6 : 0000000000000000\n| x5 : 0000000000000000 x4 : 0101010101010101 x3 : 000000000000002a\n| x2 : 0000000000000001 x1 : ffffd014171f2988 x0 : fffffbfffddffcb8\n| Kernel panic - not syncing: Unhandled exception\n| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1\n| Hardware name: linux,dummy-virt (DT)\n| Call trace:\n|  dump_backtrace+0xec/0x108\n|  show_stack+0x18/0x2c\n|  dump_stack_lvl+0x50/0x68\n|  dump_stack+0x18/0x24\n|  panic+0x13c/0x340\n|  el1t_64_irq_handler+0x0/0x1c\n|  el1_abort+0x0/0x5c\n|  el1h_64_sync+0x64/0x68\n|  __pi_strcmp+0x1c/0x150\n|  unflatten_dt_nodes+0x1e8/0x2d8\n|  __unflatten_device_tree+0x5c/0x15c\n|  unflatten_device_tree+0x38/0x50\n|  setup_arch+0x164/0x1e0\n|  start_kernel+0x64/0x38c\n|  __primary_switched+0xbc/0xc4\r\n\r\nRestrict CONFIG_CPU_BIG_ENDIAN to a known good assembler, which is\neither GNU as or LLVM's IAS 15.0.0 and newer, which contains the linked\ncommit.(CVE-2023-52750)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsmb: client: fix use-after-free bug in cifs_debug_data_proc_show()\r\n\r\nSkip SMB sessions that are being teared down\n(e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show()\nto avoid use-after-free in @ses.\r\n\r\nThis fixes the following GPF when reading from /proc/fs/cifs/DebugData\nwhile mounting and umounting\r\n\r\n  [ 816.251274] general protection fault, probably for non-canonical\n  address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI\n  ...\n  [  816.260138] Call Trace:\n  [  816.260329]  <TASK>\n  [  816.260499]  ? die_addr+0x36/0x90\n  [  816.260762]  ? exc_general_protection+0x1b3/0x410\n  [  816.261126]  ? asm_exc_general_protection+0x26/0x30\n  [  816.261502]  ? cifs_debug_tcon+0xbd/0x240 [cifs]\n  [  816.261878]  ? cifs_debug_tcon+0xab/0x240 [cifs]\n  [  816.262249]  cifs_debug_data_proc_show+0x516/0xdb0 [cifs]\n  [  816.262689]  ? seq_read_iter+0x379/0x470\n  [  816.262995]  seq_read_iter+0x118/0x470\n  [  816.263291]  proc_reg_read_iter+0x53/0x90\n  [  816.263596]  ? srso_alias_return_thunk+0x5/0x7f\n  [  816.263945]  vfs_read+0x201/0x350\n  [  816.264211]  ksys_read+0x75/0x100\n  [  816.264472]  do_syscall_64+0x3f/0x90\n  [  816.264750]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n  [  816.265135] RIP: 0033:0x7fd5e669d381(CVE-2023-52752)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Avoid NULL dereference of timing generator\r\n\r\n[Why & How]\nCheck whether assigned timing generator is NULL or not before\naccessing its funcs to prevent NULL dereference.(CVE-2023-52753)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npwm: Fix double shift bug\r\n\r\nThese enums are passed to set/test_bit().  The set/test_bit() functions\ntake a bit number instead of a shifted value.  Passing a shifted value\nis a double shift bug like doing BIT(BIT(1)).  The double shift bug\ndoesn't cause a problem here because we are only checking 0 and 1 but\nif the value was 5 or above then it can lead to a buffer overflow.(CVE-2023-52756)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngfs2: ignore negated quota changes\r\n\r\nWhen lots of quota changes are made, there may be cases in which an\ninode's quota information is increased and then decreased, such as when\nblocks are added to a file, then deleted from it. If the timing is\nright, function do_qc can add pending quota changes to a transaction,\nthen later, another call to do_qc can negate those changes, resulting\nin a net gain of 0. The quota_change information is recorded in the qc\nbuffer (and qd element of the inode as well). The buffer is added to the\ntransaction by the first call to do_qc, but a subsequent call changes\nthe value from non-zero back to zero. At that point it's too late to\nremove the buffer_head from the transaction. Later, when the quota sync\ncode is called, the zero-change qd element is discovered and flagged as\nan assert warning. If the fs is mounted with errors=panic, the kernel\nwill panic.\r\n\r\nThis is usually seen when files are truncated and the quota changes are\nnegated by punch_hole/truncate which uses gfs2_quota_hold and\ngfs2_quota_unhold rather than block allocations that use gfs2_quota_lock\nand gfs2_quota_unlock which automatically do quota sync.\r\n\r\nThis patch solves the problem by adding a check to qd_check_sync such\nthat net-zero quota changes already added to the transaction are no\nlonger deemed necessary to be synced, and skipped.\r\n\r\nIn this case references are taken for the qd and the slot from do_qc\nso those need to be put. The normal sequence of events for a normal\nnon-zero quota change is as follows:\r\n\r\ngfs2_quota_change\n   do_qc\n      qd_hold\n      slot_hold\r\n\r\nLater, when the changes are to be synced:\r\n\r\ngfs2_quota_sync\n   qd_fish\n      qd_check_sync\n         gets qd ref via lockref_get_not_dead\n   do_sync\n      do_qc(QC_SYNC)\n         qd_put\n\t    lockref_put_or_lock\n   qd_unlock\n      qd_put\n         lockref_put_or_lock\r\n\r\nIn the net-zero change case, we add a check to qd_check_sync so it puts\nthe qd and slot references acquired in gfs2_quota_change and skip the\nunneeded sync.(CVE-2023-52759)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/dasd: protect device queue against concurrent access\r\n\r\nIn dasd_profile_start() the amount of requests on the device queue are\ncounted. The access to the device queue is unprotected against\nconcurrent access. With a lot of parallel I/O, especially with alias\ndevices enabled, the device queue can change while dasd_profile_start()\nis accessing the queue. In the worst case this leads to a kernel panic\ndue to incorrect pointer accesses.\r\n\r\nFix this by taking the device lock before accessing the queue and\ncounting the requests. Additionally the check for a valid profile data\npointer can be done earlier to avoid unnecessary locking in a hot path.(CVE-2023-52774)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntty: vcc: Add check for kstrdup() in vcc_probe()\r\n\r\nAdd check for the return value of kstrdup() and return the error, if it\nfails in order to avoid NULL pointer dereference.(CVE-2023-52789)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvhost-vdpa: fix use after free in vhost_vdpa_probe()\r\n\r\nThe put_device() calls vhost_vdpa_release_dev() which calls\nida_simple_remove() and frees \"v\".  So this call to\nida_simple_remove() is a use after free and a double free.(CVE-2023-52795)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipvlan: add ipvlan_route_v6_outbound() helper\r\n\r\nInspired by syzbot reports using a stack of multiple ipvlan devices.\r\n\r\nReduce stack size needed in ipvlan_process_v6_outbound() by moving\nthe flowi6 struct used for the route lookup in an non inlined\nhelper. ipvlan_route_v6_outbound() needs 120 bytes on the stack,\nimmediately reclaimed.\r\n\r\nAlso make sure ipvlan_process_v4_outbound() is not inlined.\r\n\r\nWe might also have to lower MAX_NEST_DEV, because only syzbot uses\nsetups with more than four stacked devices.\r\n\r\nBUG: TASK stack guard page was hit at ffffc9000e803ff8 (stack is ffffc9000e804000..ffffc9000e808000)\nstack guard page: 0000 [#1] SMP KASAN\nCPU: 0 PID: 13442 Comm: syz-executor.4 Not tainted 6.1.52-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023\nRIP: 0010:kasan_check_range+0x4/0x2a0 mm/kasan/generic.c:188\nCode: 48 01 c6 48 89 c7 e8 db 4e c1 03 31 c0 5d c3 cc 0f 0b eb 02 0f 0b b8 ea ff ff ff 5d c3 cc 00 00 cc cc 00 00 cc cc 55 48 89 e5 <41> 57 41 56 41 55 41 54 53 b0 01 48 85 f6 0f 84 a4 01 00 00 48 89\nRSP: 0018:ffffc9000e804000 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817e5bf2\nRDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff887c6568\nRBP: ffffc9000e804000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff92001d0080c\nR13: dffffc0000000000 R14: ffffffff87e6b100 R15: 0000000000000000\nFS: 00007fd0c55826c0(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000e803ff8 CR3: 0000000170ef7000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<#DF>\n</#DF>\n<TASK>\n[<ffffffff81f281d1>] __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31\n[<ffffffff817e5bf2>] instrument_atomic_read include/linux/instrumented.h:72 [inline]\n[<ffffffff817e5bf2>] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\n[<ffffffff817e5bf2>] cpumask_test_cpu include/linux/cpumask.h:506 [inline]\n[<ffffffff817e5bf2>] cpu_online include/linux/cpumask.h:1092 [inline]\n[<ffffffff817e5bf2>] trace_lock_acquire include/trace/events/lock.h:24 [inline]\n[<ffffffff817e5bf2>] lock_acquire+0xe2/0x590 kernel/locking/lockdep.c:5632\n[<ffffffff8563221e>] rcu_lock_acquire+0x2e/0x40 include/linux/rcupdate.h:306\n[<ffffffff8561464d>] rcu_read_lock include/linux/rcupdate.h:747 [inline]\n[<ffffffff8561464d>] ip6_pol_route+0x15d/0x1440 net/ipv6/route.c:2221\n[<ffffffff85618120>] ip6_pol_route_output+0x50/0x80 net/ipv6/route.c:2606\n[<ffffffff856f65b5>] pol_lookup_func include/net/ip6_fib.h:584 [inline]\n[<ffffffff856f65b5>] fib6_rule_lookup+0x265/0x620 net/ipv6/fib6_rules.c:116\n[<ffffffff85618009>] ip6_route_output_flags_noref+0x2d9/0x3a0 net/ipv6/route.c:2638\n[<ffffffff8561821a>] ip6_route_output_flags+0xca/0x340 net/ipv6/route.c:2651\n[<ffffffff838bd5a3>] ip6_route_output include/net/ip6_route.h:100 [inline]\n[<ffffffff838bd5a3>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:473 [inline]\n[<ffffffff838bd5a3>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]\n[<ffffffff838bd5a3>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\n[<ffffffff838bd5a3>] ipvlan_queue_xmit+0xc33/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677\n[<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229\n[<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline]\n[<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline]\n[<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660\n[<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324\n[<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline]\n[<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline]\n[<f\n---truncated---(CVE-2023-52796)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: ath11k: fix dfs radar event locking\r\n\r\nThe ath11k active pdevs are protected by RCU but the DFS radar event\nhandling code calling ath11k_mac_get_ar_by_pdev_id() was not marked as a\nread-side critical section.\r\n\r\nMark the code in question as an RCU read-side critical section to avoid\nany potential use-after-free issues.\r\n\r\nCompile tested only.(CVE-2023-52798)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix array-index-out-of-bounds in dbFindLeaf\r\n\r\nCurrently while searching for dmtree_t for sufficient free blocks there\nis an array out of bounds while getting element in tp->dm_stree. To add\nthe required check for out of bound we first need to determine the type\nof dmtree. Thus added an extra parameter to dbFindLeaf so that the type\nof tree can be determined and the required check can be applied.(CVE-2023-52799)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: ath11k: fix htt pktlog locking\r\n\r\nThe ath11k active pdevs are protected by RCU but the htt pktlog handling\ncode calling ath11k_mac_get_ar_by_pdev_id() was not marked as a\nread-side critical section.\r\n\r\nMark the code in question as an RCU read-side critical section to avoid\nany potential use-after-free issues.\r\n\r\nCompile tested only.(CVE-2023-52800)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\niio: adc: stm32-adc: harden against NULL pointer deref in stm32_adc_probe()\r\n\r\nof_match_device() may fail and returns a NULL pointer.\r\n\r\nIn practice there is no known reasonable way to trigger this, but\nin case one is added in future, harden the code by adding the check(CVE-2023-52802)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: Fix potential null pointer derefernce\r\n\r\nThe amdgpu_ras_get_context may return NULL if device\nnot support ras feature, so add check before using.(CVE-2023-52814)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga\r\n\r\nFor pptable structs that use flexible array sizes, use flexible arrays.(CVE-2023-52819)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/panel/panel-tpo-tpg110: fix a possible null pointer dereference\r\n\r\nIn tpg110_get_modes(), the return value of drm_mode_duplicate() is\nassigned to mode, which will lead to a NULL pointer dereference on\nfailure of drm_mode_duplicate(). Add a check to avoid npd.(CVE-2023-52826)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncpu/hotplug: Don't offline the last non-isolated CPU\r\n\r\nIf a system has isolated CPUs via the \"isolcpus=\" command line parameter,\nthen an attempt to offline the last housekeeping CPU will result in a\nWARN_ON() when rebuilding the scheduler domains and a subsequent panic due\nto and unhandled empty CPU mas in partition_sched_domains_locked().\r\n\r\ncpuset_hotplug_workfn()\n  rebuild_sched_domains_locked()\n    ndoms = generate_sched_domains(&doms, &attr);\n      cpumask_and(doms[0], top_cpuset.effective_cpus, housekeeping_cpumask(HK_FLAG_DOMAIN));\r\n\r\nThus results in an empty CPU mask which triggers the warning and then the\nsubsequent crash:\r\n\r\nWARNING: CPU: 4 PID: 80 at kernel/sched/topology.c:2366 build_sched_domains+0x120c/0x1408\nCall trace:\n build_sched_domains+0x120c/0x1408\n partition_sched_domains_locked+0x234/0x880\n rebuild_sched_domains_locked+0x37c/0x798\n rebuild_sched_domains+0x30/0x58\n cpuset_hotplug_workfn+0x2a8/0x930\r\n\r\nUnable to handle kernel paging request at virtual address fffe80027ab37080\n partition_sched_domains_locked+0x318/0x880\n rebuild_sched_domains_locked+0x37c/0x798\r\n\r\nAside of the resulting crash, it does not make any sense to offline the last\nlast housekeeping CPU.\r\n\r\nPrevent this by masking out the non-housekeeping CPUs when selecting a\ntarget CPU for initiating the CPU unplug operation via the work queue.(CVE-2023-52831)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: mac80211: don't return unset power in ieee80211_get_tx_power()\r\n\r\nWe can get a UBSAN warning if ieee80211_get_tx_power() returns the\nINT_MIN value mac80211 internally uses for \"unset power level\".\r\n\r\n UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5\n -2147483648 * 100 cannot be represented in type 'int'\n CPU: 0 PID: 20433 Comm: insmod Tainted: G        WC OE\n Call Trace:\n  dump_stack+0x74/0x92\n  ubsan_epilogue+0x9/0x50\n  handle_overflow+0x8d/0xd0\n  __ubsan_handle_mul_overflow+0xe/0x10\n  nl80211_send_iface+0x688/0x6b0 [cfg80211]\n  [...]\n  cfg80211_register_wdev+0x78/0xb0 [cfg80211]\n  cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211]\n  [...]\n  ieee80211_if_add+0x60e/0x8f0 [mac80211]\n  ieee80211_register_hw+0xda5/0x1170 [mac80211]\r\n\r\nIn this case, simply return an error instead, to indicate\nthat no data is available.(CVE-2023-52832)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nlocking/ww_mutex/test: Fix potential workqueue corruption\r\n\r\nIn some cases running with the test-ww_mutex code, I was seeing\nodd behavior where sometimes it seemed flush_workqueue was\nreturning before all the work threads were finished.\r\n\r\nOften this would cause strange crashes as the mutexes would be\nfreed while they were being used.\r\n\r\nLooking at the code, there is a lifetime problem as the\ncontrolling thread that spawns the work allocates the\n\"struct stress\" structures that are passed to the workqueue\nthreads. Then when the workqueue threads are finished,\nthey free the stress struct that was passed to them.\r\n\r\nUnfortunately the workqueue work_struct node is in the stress\nstruct. Which means the work_struct is freed before the work\nthread returns and while flush_workqueue is waiting.\r\n\r\nIt seems like a better idea to have the controlling thread\nboth allocate and free the stress structures, so that we can\nbe sure we don't corrupt the workqueue by freeing the structure\nprematurely.\r\n\r\nSo this patch reworks the test to do so, and with this change\nI no longer see the early flush_workqueue returns.(CVE-2023-52836)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfbdev: imsttfb: fix a resource leak in probe\r\n\r\nI've re-written the error handling but the bug is that if init_imstt()\nfails we need to call iounmap(par->cmap_regs).(CVE-2023-52838)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nplatform/x86: wmi: Fix opening of char device\r\n\r\nSince commit fa1f68db6ca7 (\"drivers: misc: pass miscdevice pointer via\nfile private data\"), the miscdevice stores a pointer to itself inside\nfilp->private_data, which means that private_data will not be NULL when\nwmi_char_open() is called. This might cause memory corruption should\nwmi_char_open() be unable to find its driver, something which can\nhappen when the associated WMI device is deleted in wmi_free_devices().\r\n\r\nFix the problem by using the miscdevice pointer to retrieve the WMI\ndevice data associated with a char device using container_of(). This\nalso avoids wmi_char_open() picking a wrong WMI device bound to a\ndriver with the same name as the original driver.(CVE-2023-52864)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data\r\n\r\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.(CVE-2023-52865)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsoc: qcom: llcc: Handle a second device without data corruption\r\n\r\nUsually there is only one llcc device. But if there were a second, even\na failed probe call would modify the global drv_data pointer. So check\nif drv_data is valid before overwriting it.(CVE-2023-52871)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data\r\n\r\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.(CVE-2023-52875)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncan: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds\r\n\r\nIf the \"struct can_priv::echoo_skb\" is accessed out of bounds, this\nwould cause a kernel crash. Instead, issue a meaningful warning\nmessage and return with an error.(CVE-2023-52878)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Fix memory leak in dm_sw_fini()\r\n\r\nAfter destroying dmub_srv, the memory associated with it is\nnot freed, causing a memory leak:\r\n\r\nunreferenced object 0xffff896302b45800 (size 1024):\n  comm \"(udev-worker)\", pid 222, jiffies 4294894636\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc 6265fd77):\n    [<ffffffff993495ed>] kmalloc_trace+0x29d/0x340\n    [<ffffffffc0ea4a94>] dm_dmub_sw_init+0xb4/0x450 [amdgpu]\n    [<ffffffffc0ea4e55>] dm_sw_init+0x15/0x2b0 [amdgpu]\n    [<ffffffffc0ba8557>] amdgpu_device_init+0x1417/0x24e0 [amdgpu]\n    [<ffffffffc0bab285>] amdgpu_driver_load_kms+0x15/0x190 [amdgpu]\n    [<ffffffffc0ba09c7>] amdgpu_pci_probe+0x187/0x4e0 [amdgpu]\n    [<ffffffff9968fd1e>] local_pci_probe+0x3e/0x90\n    [<ffffffff996918a3>] pci_device_probe+0xc3/0x230\n    [<ffffffff99805872>] really_probe+0xe2/0x480\n    [<ffffffff99805c98>] __driver_probe_device+0x78/0x160\n    [<ffffffff99805daf>] driver_probe_device+0x1f/0x90\n    [<ffffffff9980601e>] __driver_attach+0xce/0x1c0\n    [<ffffffff99803170>] bus_for_each_dev+0x70/0xc0\n    [<ffffffff99804822>] bus_add_driver+0x112/0x210\n    [<ffffffff99807245>] driver_register+0x55/0x100\n    [<ffffffff990012d1>] do_one_initcall+0x41/0x300\r\n\r\nFix this by freeing dmub_srv after destroying it.(CVE-2024-26833)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: xilinx - call finalize with bh disabled\r\n\r\nWhen calling crypto_finalize_request, BH should be disabled to avoid\ntriggering the following calltrace:\r\n\r\n    ------------[ cut here ]------------\n    WARNING: CPU: 2 PID: 74 at crypto/crypto_engine.c:58 crypto_finalize_request+0xa0/0x118\n    Modules linked in: cryptodev(O)\n    CPU: 2 PID: 74 Comm: firmware:zynqmp Tainted: G           O       6.8.0-rc1-yocto-standard #323\n    Hardware name: ZynqMP ZCU102 Rev1.0 (DT)\n    pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n    pc : crypto_finalize_request+0xa0/0x118\n    lr : crypto_finalize_request+0x104/0x118\n    sp : ffffffc085353ce0\n    x29: ffffffc085353ce0 x28: 0000000000000000 x27: ffffff8808ea8688\n    x26: ffffffc081715038 x25: 0000000000000000 x24: ffffff880100db00\n    x23: ffffff880100da80 x22: 0000000000000000 x21: 0000000000000000\n    x20: ffffff8805b14000 x19: ffffff880100da80 x18: 0000000000010450\n    x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n    x14: 0000000000000003 x13: 0000000000000000 x12: ffffff880100dad0\n    x11: 0000000000000000 x10: ffffffc0832dcd08 x9 : ffffffc0812416d8\n    x8 : 00000000000001f4 x7 : ffffffc0830d2830 x6 : 0000000000000001\n    x5 : ffffffc082091000 x4 : ffffffc082091658 x3 : 0000000000000000\n    x2 : ffffffc7f9653000 x1 : 0000000000000000 x0 : ffffff8802d20000\n    Call trace:\n     crypto_finalize_request+0xa0/0x118\n     crypto_finalize_aead_request+0x18/0x30\n     zynqmp_handle_aes_req+0xcc/0x388\n     crypto_pump_work+0x168/0x2d8\n     kthread_worker_fn+0xfc/0x3a0\n     kthread+0x118/0x138\n     ret_from_fork+0x10/0x20\n    irq event stamp: 40\n    hardirqs last  enabled at (39): [<ffffffc0812416f8>] _raw_spin_unlock_irqrestore+0x70/0xb0\n    hardirqs last disabled at (40): [<ffffffc08122d208>] el1_dbg+0x28/0x90\n    softirqs last  enabled at (36): [<ffffffc080017dec>] kernel_neon_begin+0x8c/0xf0\n    softirqs last disabled at (34): [<ffffffc080017dc0>] kernel_neon_begin+0x60/0xf0\n    ---[ end trace 0000000000000000 ]---(CVE-2024-26877)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nUSB: core: Fix deadlock in usb_deauthorize_interface()\r\n\r\nAmong the attribute file callback routines in\ndrivers/usb/core/sysfs.c, the interface_authorized_store() function is\nthe only one which acquires a device lock on an ancestor device: It\ncalls usb_deauthorize_interface(), which locks the interface's parent\nUSB device.\r\n\r\nThe will lead to deadlock if another process already owns that lock\nand tries to remove the interface, whether through a configuration\nchange or because the device has been disconnected.  As part of the\nremoval procedure, device_del() waits for all ongoing sysfs attribute\ncallbacks to complete.  But usb_deauthorize_interface() can't complete\nuntil the device lock has been released, and the lock won't be\nreleased until the removal has finished.\r\n\r\nThe mechanism provided by sysfs to prevent this kind of deadlock is\nto use the sysfs_break_active_protection() function, which tells sysfs\nnot to wait for the attribute callback.\r\n\r\nReported-and-tested by: Yue Sun <samsun1006219@gmail.com>\nReported by: xingwei lee <xrivendell7@gmail.com>(CVE-2024-26934)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()\r\n\r\nnft_unregister_expr() can concurrent with __nft_expr_type_get(),\nand there is not any protection when iterate over nf_tables_expressions\nlist in __nft_expr_type_get(). Therefore, there is potential data-race\nof nf_tables_expressions list entry.\r\n\r\nUse list_for_each_entry_rcu() to iterate over nf_tables_expressions\nlist in __nft_expr_type_get(), and use rcu_read_lock() in the caller\nnft_expr_type_get() to protect the entire type query process.(CVE-2024-27020)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout\r\n\r\nThere is a race condition between l2cap_chan_timeout() and\nl2cap_chan_del(). When we use l2cap_chan_del() to delete the\nchannel, the chan->conn will be set to null. But the conn could\nbe dereferenced again in the mutex_lock() of l2cap_chan_timeout().\nAs a result the null pointer dereference bug will happen. The\nKASAN report triggered by POC is shown below:\r\n\r\n[  472.074580] ==================================================================\n[  472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0\n[  472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7\n[  472.075308]\n[  472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36\n[  472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[  472.075308] Workqueue: events l2cap_chan_timeout\n[  472.075308] Call Trace:\n[  472.075308]  <TASK>\n[  472.075308]  dump_stack_lvl+0x137/0x1a0\n[  472.075308]  print_report+0x101/0x250\n[  472.075308]  ? __virt_addr_valid+0x77/0x160\n[  472.075308]  ? mutex_lock+0x68/0xc0\n[  472.075308]  kasan_report+0x139/0x170\n[  472.075308]  ? mutex_lock+0x68/0xc0\n[  472.075308]  kasan_check_range+0x2c3/0x2e0\n[  472.075308]  mutex_lock+0x68/0xc0\n[  472.075308]  l2cap_chan_timeout+0x181/0x300\n[  472.075308]  process_one_work+0x5d2/0xe00\n[  472.075308]  worker_thread+0xe1d/0x1660\n[  472.075308]  ? pr_cont_work+0x5e0/0x5e0\n[  472.075308]  kthread+0x2b7/0x350\n[  472.075308]  ? pr_cont_work+0x5e0/0x5e0\n[  472.075308]  ? kthread_blkcg+0xd0/0xd0\n[  472.075308]  ret_from_fork+0x4d/0x80\n[  472.075308]  ? kthread_blkcg+0xd0/0xd0\n[  472.075308]  ret_from_fork_asm+0x11/0x20\n[  472.075308]  </TASK>\n[  472.075308] ==================================================================\n[  472.094860] Disabling lock debugging due to kernel taint\n[  472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158\n[  472.096136] #PF: supervisor write access in kernel mode\n[  472.096136] #PF: error_code(0x0002) - not-present page\n[  472.096136] PGD 0 P4D 0\n[  472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI\n[  472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G    B              6.9.0-rc5-00356-g78c0094a146b #36\n[  472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[  472.096136] Workqueue: events l2cap_chan_timeout\n[  472.096136] RIP: 0010:mutex_lock+0x88/0xc0\n[  472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88\n[  472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246\n[  472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865\n[  472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78\n[  472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f\n[  472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000\n[  472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00\n[  472.096136] FS:  0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000\n[  472.096136] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0\n[  472.096136] Call Trace:\n[  472.096136]  <TASK>\n[  472.096136]  ? __die_body+0x8d/0xe0\n[  472.096136]  ? page_fault_oops+0x6b8/0x9a0\n[  472.096136]  ? kernelmode_fixup_or_oops+0x20c/0x2a0\n[  472.096136]  ? do_user_addr_fault+0x1027/0x1340\n[  472.096136]  ? _printk+0x7a/0xa0\n[  472.096136]  ? mutex_lock+0x68/0xc0\n[  472.096136]  ? add_taint+0x42/0xd0\n[  472.096136]  ? exc_page_fault+0x6a/0x1b0\n[  472.096136]  ? asm_exc_page_fault+0x26/0x30\n[  472.096136]  ? mutex_lock+0x75/0xc0\n[  472.096136]  ? mutex_lock+0x88/0xc0\n[  472.096136]  ? mutex_lock+0x75/0xc0\n[  472.096136]  l2cap_chan_timeo\n---truncated---(CVE-2024-27399)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfirewire: nosy: ensure user_length is taken into account when fetching packet contents\r\n\r\nEnsure that packet_buffer_get respects the user_length provided. If\nthe length of the head packet exceeds the user_length, packet_buffer_get\nwill now return 0 to signify to the user that no data were read\nand a larger buffer size is required. Helps prevent user space overflows.(CVE-2024-27401)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nefi/capsule-loader: fix incorrect allocation size\r\n\r\ngcc-14 notices that the allocation with sizeof(void) on 32-bit architectures\nis not enough for a 64-bit phys_addr_t:\r\n\r\ndrivers/firmware/efi/capsule-loader.c: In function 'efi_capsule_open':\ndrivers/firmware/efi/capsule-loader.c:295:24: error: allocation of insufficient size '4' for type 'phys_addr_t' {aka 'long long unsigned int'} with size '8' [-Werror=alloc-size]\n  295 |         cap_info->phys = kzalloc(sizeof(void *), GFP_KERNEL);\n      |                        ^\r\n\r\nUse the correct type instead here.(CVE-2024-27413)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: bridge: confirm multicast packets before passing them up the stack\r\n\r\nconntrack nf_confirm logic cannot handle cloned skbs referencing\nthe same nf_conn entry, which will happen for multicast (broadcast)\nframes on bridges.\r\n\r\n Example:\n    macvlan0\n       |\n      br0\n     /  \\\n  ethX    ethY\r\n\r\n ethX (or Y) receives a L2 multicast or broadcast packet containing\n an IP packet, flow is not yet in conntrack table.\r\n\r\n 1. skb passes through bridge and fake-ip (br_netfilter)Prerouting.\n    -> skb->_nfct now references a unconfirmed entry\n 2. skb is broad/mcast packet. bridge now passes clones out on each bridge\n    interface.\n 3. skb gets passed up the stack.\n 4. In macvlan case, macvlan driver retains clone(s) of the mcast skb\n    and schedules a work queue to send them out on the lower devices.\r\n\r\n    The clone skb->_nfct is not a copy, it is the same entry as the\n    original skb.  The macvlan rx handler then returns RX_HANDLER_PASS.\n 5. Normal conntrack hooks (in NF_INET_LOCAL_IN) confirm the orig skb.\r\n\r\nThe Macvlan broadcast worker and normal confirm path will race.\r\n\r\nThis race will not happen if step 2 already confirmed a clone. In that\ncase later steps perform skb_clone() with skb->_nfct already confirmed (in\nhash table).  This works fine.\r\n\r\nBut such confirmation won't happen when eb/ip/nftables rules dropped the\npackets before they reached the nf_confirm step in postrouting.\r\n\r\nPablo points out that nf_conntrack_bridge doesn't allow use of stateful\nnat, so we can safely discard the nf_conn entry and let inet call\nconntrack again.\r\n\r\nThis doesn't work for bridge netfilter: skb could have a nat\ntransformation. Also bridge nf prevents re-invocation of inet prerouting\nvia 'sabotage_in' hook.\r\n\r\nWork around this problem by explicit confirmation of the entry at LOCAL_IN\ntime, before upper layer has a chance to clone the unconfirmed entry.\r\n\r\nThe downside is that this disables NAT and conntrack helpers.\r\n\r\nAlternative fix would be to add locking to all code parts that deal with\nunconfirmed packets, but even if that could be done in a sane way this\nopens up other problems, for example:\r\n\r\n-m physdev --physdev-out eth0 -j SNAT --snat-to 1.2.3.4\n-m physdev --physdev-out eth1 -j SNAT --snat-to 1.2.3.5\r\n\r\nFor multicast case, only one of such conflicting mappings will be\ncreated, conntrack only handles 1:1 NAT mappings.\r\n\r\nUsers should set create a setup that explicitly marks such traffic\nNOTRACK (conntrack bypass) to avoid this, but we cannot auto-bypass\nthem, ruleset might have accept rules for untracked traffic already,\nso user-visible behaviour would change.(CVE-2024-27415)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes\r\n\r\nWhen moving a station out of a VLAN and deleting the VLAN afterwards, the\nfast_rx entry still holds a pointer to the VLAN's netdev, which can cause\nuse-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx\nafter the VLAN change.(CVE-2024-35789)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmd/dm-raid: don't call md_reap_sync_thread() directly\r\n\r\nCurrently md_reap_sync_thread() is called from raid_message() directly\nwithout holding 'reconfig_mutex', this is definitely unsafe because\nmd_reap_sync_thread() can change many fields that is protected by\n'reconfig_mutex'.\r\n\r\nHowever, hold 'reconfig_mutex' here is still problematic because this\nwill cause deadlock, for example, commit 130443d60b1b (\"md: refactor\nidle/frozen_sync_thread() to fix deadlock\").\r\n\r\nFix this problem by using stop_sync_thread() to unregister sync_thread,\nlike md/raid did.(CVE-2024-35808)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: udc: remove warning when queue disabled ep\r\n\r\nIt is possible trigger below warning message from mass storage function,\r\n\r\nWARNING: CPU: 6 PID: 3839 at drivers/usb/gadget/udc/core.c:294 usb_ep_queue+0x7c/0x104\npc : usb_ep_queue+0x7c/0x104\nlr : fsg_main_thread+0x494/0x1b3c\r\n\r\nRoot cause is mass storage function try to queue request from main thread,\nbut other thread may already disable ep when function disable.\r\n\r\nAs there is no function failure in the driver, in order to avoid effort\nto fix warning, change WARN_ON_ONCE() in usb_ep_queue() to pr_debug().(CVE-2024-35822)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvt: fix unicode buffer corruption when deleting characters\r\n\r\nThis is the same issue that was fixed for the VGA text buffer in commit\n39cdb68c64d8 (\"vt: fix memory overlapping when deleting chars in the\nbuffer\"). The cure is also the same i.e. replace memcpy() with memmove()\ndue to the overlaping buffers.(CVE-2024-35823)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()\r\n\r\nsubflow_finish_connect() uses four fields (backup, join_id, thmac, none)\nthat may contain garbage unless OPTION_MPTCP_MPJ_SYNACK has been set\nin mptcp_parse_option()(CVE-2024-35840)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update\r\n\r\nThe rule activity update delayed work periodically traverses the list of\nconfigured rules and queries their activity from the device.\r\n\r\nAs part of this task it accesses the entry pointed by 'ventry->entry',\nbut this entry can be changed concurrently by the rehash delayed work,\nleading to a use-after-free [1].\r\n\r\nFix by closing the race and perform the activity query under the\n'vregion->lock' mutex.\r\n\r\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140\nRead of size 8 at addr ffff8881054ed808 by task kworker/0:18/181\r\n\r\nCPU: 0 PID: 181 Comm: kworker/0:18 Not tainted 6.9.0-rc2-custom-00781-gd5ab772d32f7 #2\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_rule_activity_update_work\nCall Trace:\n <TASK>\n dump_stack_lvl+0xc6/0x120\n print_report+0xce/0x670\n kasan_report+0xd7/0x110\n mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140\n mlxsw_sp_acl_rule_activity_update_work+0x219/0x400\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n </TASK>\r\n\r\nAllocated by task 1039:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n __kmalloc+0x19c/0x360\n mlxsw_sp_acl_tcam_entry_create+0x7b/0x1f0\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x30d/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\r\n\r\nFreed by task 1039:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n poison_slab_object+0x102/0x170\n __kasan_slab_free+0x14/0x30\n kfree+0xc1/0x290\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3d7/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30(CVE-2024-35855)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nx86/mm/pat: fix VM_PAT handling in COW mappings\r\n\r\nPAT handling won't do the right thing in COW mappings: the first PTE (or,\nin fact, all PTEs) can be replaced during write faults to point at anon\nfolios.  Reliably recovering the correct PFN and cachemode using\nfollow_phys() from PTEs will not work in COW mappings.\r\n\r\nUsing follow_phys(), we might just get the address+protection of the anon\nfolio (which is very wrong), or fail on swap/nonswap entries, failing\nfollow_phys() and triggering a WARN_ON_ONCE() in untrack_pfn() and\ntrack_pfn_copy(), not properly calling free_pfn_range().\r\n\r\nIn free_pfn_range(), we either wouldn't call memtype_free() or would call\nit with the wrong range, possibly leaking memory.\r\n\r\nTo fix that, let's update follow_phys() to refuse returning anon folios,\nand fallback to using the stored PFN inside vma->vm_pgoff for COW mappings\nif we run into that.\r\n\r\nWe will now properly handle untrack_pfn() with COW mappings, where we\ndon't need the cachemode.  We'll have to fail fork()->track_pfn_copy() if\nthe first page was replaced by an anon folio, though: we'd have to store\nthe cachemode in the VMA to make this work, likely growing the VMA size.\r\n\r\nFor now, lets keep it simple and let track_pfn_copy() just fail in that\ncase: it would have failed in the past with swap/nonswap entries already,\nand it would have done the wrong thing with anon folios.\r\n\r\nSimple reproducer to trigger the WARN_ON_ONCE() in untrack_pfn():\r\n\r\n<--- C reproducer --->\n #include <stdio.h>\n #include <sys/mman.h>\n #include <unistd.h>\n #include <liburing.h>\r\n\r\n int main(void)\n {\n         struct io_uring_params p = {};\n         int ring_fd;\n         size_t size;\n         char *map;\r\n\r\n         ring_fd = io_uring_setup(1, &p);\n         if (ring_fd < 0) {\n                 perror(\"io_uring_setup\");\n                 return 1;\n         }\n         size = p.sq_off.array + p.sq_entries * sizeof(unsigned);\r\n\r\n         /* Map the submission queue ring MAP_PRIVATE */\n         map = mmap(0, size, PROT_READ | PROT_WRITE, MAP_PRIVATE,\n                    ring_fd, IORING_OFF_SQ_RING);\n         if (map == MAP_FAILED) {\n                 perror(\"mmap\");\n                 return 1;\n         }\r\n\r\n         /* We have at least one page. Let's COW it. */\n         *map = 0;\n         pause();\n         return 0;\n }\n<--- C reproducer --->\r\n\r\nOn a system with 16 GiB RAM and swap configured:\n # ./iouring &\n # memhog 16G\n # killall iouring\n[  301.552930] ------------[ cut here ]------------\n[  301.553285] WARNING: CPU: 7 PID: 1402 at arch/x86/mm/pat/memtype.c:1060 untrack_pfn+0xf4/0x100\n[  301.553989] Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_g\n[  301.558232] CPU: 7 PID: 1402 Comm: iouring Not tainted 6.7.5-100.fc38.x86_64 #1\n[  301.558772] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebu4\n[  301.559569] RIP: 0010:untrack_pfn+0xf4/0x100\n[  301.559893] Code: 75 c4 eb cf 48 8b 43 10 8b a8 e8 00 00 00 3b 6b 28 74 b8 48 8b 7b 30 e8 ea 1a f7 000\n[  301.561189] RSP: 0018:ffffba2c0377fab8 EFLAGS: 00010282\n[  301.561590] RAX: 00000000ffffffea RBX: ffff9208c8ce9cc0 RCX: 000000010455e047\n[  301.562105] RDX: 07fffffff0eb1e0a RSI: 0000000000000000 RDI: ffff9208c391d200\n[  301.562628] RBP: 0000000000000000 R08: ffffba2c0377fab8 R09: 0000000000000000\n[  301.563145] R10: ffff9208d2292d50 R11: 0000000000000002 R12: 00007fea890e0000\n[  301.563669] R13: 0000000000000000 R14: ffffba2c0377fc08 R15: 0000000000000000\n[  301.564186] FS:  0000000000000000(0000) GS:ffff920c2fbc0000(0000) knlGS:0000000000000000\n[  301.564773] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  301.565197] CR2: 00007fea88ee8a20 CR3: 00000001033a8000 CR4: 0000000000750ef0\n[  301.565725] PKRU: 55555554\n[  301.565944] Call Trace:\n[  301.566148]  <TASK>\n[  301.566325]  ? untrack_pfn+0xf4/0x100\n[  301.566618]  ? __warn+0x81/0x130\n[  301.566876]  ? untrack_pfn+0xf4/0x100\n[  3\n---truncated---(CVE-2024-35877)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: reject new basechain after table flag update\r\n\r\nWhen dormant flag is toggled, hooks are disabled in the commit phase by\niterating over current chains in table (existing and new).\r\n\r\nThe following configuration allows for an inconsistent state:\r\n\r\n  add table x\n  add chain x y { type filter hook input priority 0; }\n  add table x { flags dormant; }\n  add chain x w { type filter hook input priority 1; }\r\n\r\nwhich triggers the following warning when trying to unregister chain w\nwhich is already unregistered.\r\n\r\n[  127.322252] WARNING: CPU: 7 PID: 1211 at net/netfilter/core.c:50                                                                     1 __nf_unregister_net_hook+0x21a/0x260\n[...]\n[  127.322519] Call Trace:\n[  127.322521]  <TASK>\n[  127.322524]  ? __warn+0x9f/0x1a0\n[  127.322531]  ? __nf_unregister_net_hook+0x21a/0x260\n[  127.322537]  ? report_bug+0x1b1/0x1e0\n[  127.322545]  ? handle_bug+0x3c/0x70\n[  127.322552]  ? exc_invalid_op+0x17/0x40\n[  127.322556]  ? asm_exc_invalid_op+0x1a/0x20\n[  127.322563]  ? kasan_save_free_info+0x3b/0x60\n[  127.322570]  ? __nf_unregister_net_hook+0x6a/0x260\n[  127.322577]  ? __nf_unregister_net_hook+0x21a/0x260\n[  127.322583]  ? __nf_unregister_net_hook+0x6a/0x260\n[  127.322590]  ? __nf_tables_unregister_hook+0x8a/0xe0 [nf_tables]\n[  127.322655]  nft_table_disable+0x75/0xf0 [nf_tables]\n[  127.322717]  nf_tables_commit+0x2571/0x2620 [nf_tables](CVE-2024-35900)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nselinux: avoid dereference of garbage after mount failure\r\n\r\nIn case kern_mount() fails and returns an error pointer return in the\nerror branch instead of continuing and dereferencing the error pointer.\r\n\r\nWhile on it drop the never read static variable selinuxfs_mount.(CVE-2024-35904)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblock: prevent division by zero in blk_rq_stat_sum()\r\n\r\nThe expression dst->nr_samples + src->nr_samples may\nhave zero value on overflow. It is necessary to add\na check to avoid division by zero.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with Svace.(CVE-2024-35925)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndma-direct: Leak pages on dma_set_decrypted() failure\r\n\r\nOn TDX it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\r\n\r\nDMA could free decrypted/shared pages if dma_set_decrypted() fails. This\nshould be a rare case. Just leak the pages in this case instead of\nfreeing them.(CVE-2024-35939)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/client: Fully protect modes[] with dev->mode_config.mutex\r\n\r\nThe modes[] array contains pointers to modes on the connectors'\nmode lists, which are protected by dev->mode_config.mutex.\nThus we need to extend modes[] the same protection or by the\ntime we use it the elements may already be pointing to\nfreed/reused memory.(CVE-2024-35950)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations\r\n\r\nCreate subvolume, create snapshot and delete subvolume all use\nbtrfs_subvolume_reserve_metadata() to reserve metadata for the changes\ndone to the parent subvolume's fs tree, which cannot be mediated in the\nnormal way via start_transaction. When quota groups (squota or qgroups)\nare enabled, this reserves qgroup metadata of type PREALLOC. Once the\noperation is associated to a transaction, we convert PREALLOC to\nPERTRANS, which gets cleared in bulk at the end of the transaction.\r\n\r\nHowever, the error paths of these three operations were not implementing\nthis lifecycle correctly. They unconditionally converted the PREALLOC to\nPERTRANS in a generic cleanup step regardless of errors or whether the\noperation was fully associated to a transaction or not. This resulted in\nerror paths occasionally converting this rsv to PERTRANS without calling\nrecord_root_in_trans successfully, which meant that unless that root got\nrecorded in the transaction by some other thread, the end of the\ntransaction would not free that root's PERTRANS, leaking it. Ultimately,\nthis resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount\nfor the leaked reservation.\r\n\r\nThe fix is to ensure that every qgroup PREALLOC reservation observes the\nfollowing properties:\r\n\r\n1. any failure before record_root_in_trans is called successfully\n   results in freeing the PREALLOC reservation.\n2. after record_root_in_trans, we convert to PERTRANS, and now the\n   transaction owns freeing the reservation.\r\n\r\nThis patch enforces those properties on the three operations. Without\nit, generic/269 with squotas enabled at mkfs time would fail in ~5-10\nruns on my system. With this patch, it ran successfully 1000 times in a\nrow.(CVE-2024-35956)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: ena: Fix incorrect descriptor free behavior\r\n\r\nENA has two types of TX queues:\n- queues which only process TX packets arriving from the network stack\n- queues which only process TX packets forwarded to it by XDP_REDIRECT\n  or XDP_TX instructions\r\n\r\nThe ena_free_tx_bufs() cycles through all descriptors in a TX queue\nand unmaps + frees every descriptor that hasn't been acknowledged yet\nby the device (uncompleted TX transactions).\nThe function assumes that the processed TX queue is necessarily from\nthe first category listed above and ends up using napi_consume_skb()\nfor descriptors belonging to an XDP specific queue.\r\n\r\nThis patch solves a bug in which, in case of a VF reset, the\ndescriptors aren't freed correctly, leading to crashes.(CVE-2024-35958)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5: Properly link new fs rules into the tree\r\n\r\nPreviously, add_rule_fg would only add newly created rules from the\nhandle into the tree when they had a refcount of 1. On the other hand,\ncreate_flow_handle tries hard to find and reference already existing\nidentical rules instead of creating new ones.\r\n\r\nThese two behaviors can result in a situation where create_flow_handle\n1) creates a new rule and references it, then\n2) in a subsequent step during the same handle creation references it\n   again,\nresulting in a rule with a refcount of 2 that is not linked into the\ntree, will have a NULL parent and root and will result in a crash when\nthe flow group is deleted because del_sw_hw_rule, invoked on rule\ndeletion, assumes node->parent is != NULL.\r\n\r\nThis happened in the wild, due to another bug related to incorrect\nhandling of duplicate pkt_reformat ids, which lead to the code in\ncreate_flow_handle incorrectly referencing a just-added rule in the same\nflow handle, resulting in the problem described above. Full details are\nat [1].\r\n\r\nThis patch changes add_rule_fg to add new rules without parents into\nthe tree, properly initializing them and avoiding the crash. This makes\nit more consistent with how rules are added to an FTE in\ncreate_flow_handle.(CVE-2024-35960)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: Fix memory leak in hci_req_sync_complete()\r\n\r\nIn 'hci_req_sync_complete()', always free the previous sync\nrequest state before assigning reference to a new one.(CVE-2024-35978)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: idxd: Fix oops during rmmod on single-CPU platforms\r\n\r\nDuring the removal of the idxd driver, registered offline callback is\ninvoked as part of the clean up process. However, on systems with only\none CPU online, no valid target is available to migrate the\nperf context, resulting in a kernel oops:\r\n\r\n    BUG: unable to handle page fault for address: 000000000002a2b8\n    #PF: supervisor write access in kernel mode\n    #PF: error_code(0x0002) - not-present page\n    PGD 1470e1067 P4D 0\n    Oops: 0002 [#1] PREEMPT SMP NOPTI\n    CPU: 0 PID: 20 Comm: cpuhp/0 Not tainted 6.8.0-rc6-dsa+ #57\n    Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.86B.2492.D03.2307181620 07/18/2023\n    RIP: 0010:mutex_lock+0x2e/0x50\n    ...\n    Call Trace:\n    <TASK>\n    __die+0x24/0x70\n    page_fault_oops+0x82/0x160\n    do_user_addr_fault+0x65/0x6b0\n    __pfx___rdmsr_safe_on_cpu+0x10/0x10\n    exc_page_fault+0x7d/0x170\n    asm_exc_page_fault+0x26/0x30\n    mutex_lock+0x2e/0x50\n    mutex_lock+0x1e/0x50\n    perf_pmu_migrate_context+0x87/0x1f0\n    perf_event_cpu_offline+0x76/0x90 [idxd]\n    cpuhp_invoke_callback+0xa2/0x4f0\n    __pfx_perf_event_cpu_offline+0x10/0x10 [idxd]\n    cpuhp_thread_fun+0x98/0x150\n    smpboot_thread_fn+0x27/0x260\n    smpboot_thread_fn+0x1af/0x260\n    __pfx_smpboot_thread_fn+0x10/0x10\n    kthread+0x103/0x140\n    __pfx_kthread+0x10/0x10\n    ret_from_fork+0x31/0x50\n    __pfx_kthread+0x10/0x10\n    ret_from_fork_asm+0x1b/0x30\n    <TASK>\r\n\r\nFix the issue by preventing the migration of the perf context to an\ninvalid target.(CVE-2024-35989)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm/hugetlb: fix missing hugetlb_lock for resv uncharge\r\n\r\nThere is a recent report on UFFDIO_COPY over hugetlb:\r\n\r\nhttps://lore.kernel.org/all/000000000000ee06de0616177560@google.com/\r\n\r\n350:\tlockdep_assert_held(&hugetlb_lock);\r\n\r\nShould be an issue in hugetlb but triggered in an userfault context, where\nit goes into the unlikely path where two threads modifying the resv map\ntogether.  Mike has a fix in that path for resv uncharge but it looks like\nthe locking criteria was overlooked: hugetlb_cgroup_uncharge_folio_rsvd()\nwill update the cgroup pointer, so it requires to be called with the lock\nheld.(CVE-2024-36000)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni40e: Do not use WQ_MEM_RECLAIM flag for workqueue\r\n\r\nIssue reported by customer during SRIOV testing, call trace:\nWhen both i40e and the i40iw driver are loaded, a warning\nin check_flush_dependency is being triggered. This seems\nto be because of the i40e driver workqueue is allocated with\nthe WQ_MEM_RECLAIM flag, and the i40iw one is not.\r\n\r\nSimilar error was encountered on ice too and it was fixed by\nremoving the flag. Do the same for i40e too.\r\n\r\n[Feb 9 09:08] ------------[ cut here ]------------\n[  +0.000004] workqueue: WQ_MEM_RECLAIM i40e:i40e_service_task [i40e] is\nflushing !WQ_MEM_RECLAIM infiniband:0x0\n[  +0.000060] WARNING: CPU: 0 PID: 937 at kernel/workqueue.c:2966\ncheck_flush_dependency+0x10b/0x120\n[  +0.000007] Modules linked in: snd_seq_dummy snd_hrtimer snd_seq\nsnd_timer snd_seq_device snd soundcore nls_utf8 cifs cifs_arc4\nnls_ucs2_utils rdma_cm iw_cm ib_cm cifs_md4 dns_resolver netfs qrtr\nrfkill sunrpc vfat fat intel_rapl_msr intel_rapl_common irdma\nintel_uncore_frequency intel_uncore_frequency_common ice ipmi_ssif\nisst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal\nintel_powerclamp gnss coretemp ib_uverbs rapl intel_cstate ib_core\niTCO_wdt iTCO_vendor_support acpi_ipmi mei_me ipmi_si intel_uncore\nioatdma i2c_i801 joydev pcspkr mei ipmi_devintf lpc_ich\nintel_pch_thermal i2c_smbus ipmi_msghandler acpi_power_meter acpi_pad\nxfs libcrc32c ast sd_mod drm_shmem_helper t10_pi drm_kms_helper sg ixgbe\ndrm i40e ahci crct10dif_pclmul libahci crc32_pclmul igb crc32c_intel\nlibata ghash_clmulni_intel i2c_algo_bit mdio dca wmi dm_mirror\ndm_region_hash dm_log dm_mod fuse\n[  +0.000050] CPU: 0 PID: 937 Comm: kworker/0:3 Kdump: loaded Not\ntainted 6.8.0-rc2-Feb-net_dev-Qiueue-00279-gbd43c5687e05 #1\n[  +0.000003] Hardware name: Intel Corporation S2600BPB/S2600BPB, BIOS\nSE5C620.86B.02.01.0013.121520200651 12/15/2020\n[  +0.000001] Workqueue: i40e i40e_service_task [i40e]\n[  +0.000024] RIP: 0010:check_flush_dependency+0x10b/0x120\n[  +0.000003] Code: ff 49 8b 54 24 18 48 8d 8b b0 00 00 00 49 89 e8 48\n81 c6 b0 00 00 00 48 c7 c7 b0 97 fa 9f c6 05 8a cc 1f 02 01 e8 35 b3 fd\nff <0f> 0b e9 10 ff ff ff 80 3d 78 cc 1f 02 00 75 94 e9 46 ff ff ff 90\n[  +0.000002] RSP: 0018:ffffbd294976bcf8 EFLAGS: 00010282\n[  +0.000002] RAX: 0000000000000000 RBX: ffff94d4c483c000 RCX:\n0000000000000027\n[  +0.000001] RDX: ffff94d47f620bc8 RSI: 0000000000000001 RDI:\nffff94d47f620bc0\n[  +0.000001] RBP: 0000000000000000 R08: 0000000000000000 R09:\n00000000ffff7fff\n[  +0.000001] R10: ffffbd294976bb98 R11: ffffffffa0be65e8 R12:\nffff94c5451ea180\n[  +0.000001] R13: ffff94c5ab5e8000 R14: ffff94c5c20b6e05 R15:\nffff94c5f1330ab0\n[  +0.000001] FS:  0000000000000000(0000) GS:ffff94d47f600000(0000)\nknlGS:0000000000000000\n[  +0.000002] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  +0.000001] CR2: 00007f9e6f1fca70 CR3: 0000000038e20004 CR4:\n00000000007706f0\n[  +0.000000] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[  +0.000001] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[  +0.000001] PKRU: 55555554\n[  +0.000001] Call Trace:\n[  +0.000001]  <TASK>\n[  +0.000002]  ? __warn+0x80/0x130\n[  +0.000003]  ? check_flush_dependency+0x10b/0x120\n[  +0.000002]  ? report_bug+0x195/0x1a0\n[  +0.000005]  ? handle_bug+0x3c/0x70\n[  +0.000003]  ? exc_invalid_op+0x14/0x70\n[  +0.000002]  ? asm_exc_invalid_op+0x16/0x20\n[  +0.000006]  ? check_flush_dependency+0x10b/0x120\n[  +0.000002]  ? check_flush_dependency+0x10b/0x120\n[  +0.000002]  __flush_workqueue+0x126/0x3f0\n[  +0.000015]  ib_cache_cleanup_one+0x1c/0xe0 [ib_core]\n[  +0.000056]  __ib_unregister_device+0x6a/0xb0 [ib_core]\n[  +0.000023]  ib_unregister_device_and_put+0x34/0x50 [ib_core]\n[  +0.000020]  i40iw_close+0x4b/0x90 [irdma]\n[  +0.000022]  i40e_notify_client_of_netdev_close+0x54/0xc0 [i40e]\n[  +0.000035]  i40e_service_task+0x126/0x190 [i40e]\n[  +0.000024]  process_one_work+0x174/0x340\n[  +0.000003]  worker_th\n---truncated---(CVE-2024-36004)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmlxsw: spectrum_acl_tcam: Fix warning during rehash\r\n\r\nAs previously explained, the rehash delayed work migrates filters from\none region to another. This is done by iterating over all chunks (all\nthe filters with the same priority) in the region and in each chunk\niterating over all the filters.\r\n\r\nWhen the work runs out of credits it stores the current chunk and entry\nas markers in the per-work context so that it would know where to resume\nthe migration from the next time the work is scheduled.\r\n\r\nUpon error, the chunk marker is reset to NULL, but without resetting the\nentry markers despite being relative to it. This can result in migration\nbeing resumed from an entry that does not belong to the chunk being\nmigrated. In turn, this will eventually lead to a chunk being iterated\nover as if it is an entry. Because of how the two structures happen to\nbe defined, this does not lead to KASAN splats, but to warnings such as\n[1].\r\n\r\nFix by creating a helper that resets all the markers and call it from\nall the places the currently only reset the chunk marker. For good\nmeasures also call it when starting a completely new rehash. Add a\nwarning to avoid future cases.\r\n\r\n[1]\nWARNING: CPU: 7 PID: 1076 at drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_keys.c:407 mlxsw_afk_encode+0x242/0x2f0\nModules linked in:\nCPU: 7 PID: 1076 Comm: kworker/7:24 Tainted: G        W          6.9.0-rc3-custom-00880-g29e61d91b77b #29\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:mlxsw_afk_encode+0x242/0x2f0\n[...]\nCall Trace:\n <TASK>\n mlxsw_sp_acl_atcam_entry_add+0xd9/0x3c0\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x109/0x290\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x470\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n </TASK>(CVE-2024-36007)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nppdev: Add an error check in register_device\r\n\r\nIn register_device, the return value of ida_simple_get is unchecked,\nin witch ida_simple_get will use an invalid index value.\r\n\r\nTo address this issue, index should be checked after ida_simple_get. When\nthe index value is abnormal, a warning message should be printed, the port\nshould be dropped, and the value should be recorded.(CVE-2024-36015)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npinctrl: core: delete incorrect free in pinctrl_enable()\r\n\r\nThe \"pctldev\" struct is allocated in devm_pinctrl_register_and_init().\nIt's a devm_ managed pointer that is freed by devm_pinctrl_dev_release(),\nso freeing it in pinctrl_enable() will lead to a double free.\r\n\r\nThe devm_pinctrl_dev_release() function frees the pindescs and destroys\nthe mutex as well.(CVE-2024-36940)",
+    "cves": [
+      {
+        "id": "CVE-2023-52795",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52795",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2024-36940",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36940",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1369": {
+    "id": "openEuler-SA-2024-1369",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1369",
+    "title": "An update for firefox is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "Mozilla Firefox is a standalone web browser, designed for standards compliance and performance.  Its functionality can be enhanced via a plethora of extensions.\r\n\r\nSecurity Fix(es):\r\n\r\nIf an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1.(CVE-2022-1802)",
+    "cves": [
+      {
+        "id": "CVE-2022-1802",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1802",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1017": {
+    "id": "openEuler-SA-2023-1017",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1017",
+    "title": "An update for samba is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nSince the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022 and per RFC8429 it is assumed that rc4-hmac is weak, Vulnerable Samba Active Directory DCs will issue rc4-hmac encrypted tickets despite the target server supporting better encryption (eg aes256-cts-hmac-sha1-96).(CVE-2022-45141)",
+    "cves": [
+      {
+        "id": "CVE-2022-45141",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45141",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1339": {
+    "id": "openEuler-SA-2021-1339",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1339",
+    "title": "An update for OpenEXR is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light & Magic for use in computer imaging applications.\r\n\r\nSecurity Fix(es):\r\n\r\nThere's a flaw in OpenEXR's rleUncompress functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.(CVE-2021-3605)",
+    "cves": [
+      {
+        "id": "CVE-2021-3605",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3605",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1274": {
+    "id": "openEuler-SA-2024-1274",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1274",
+    "title": "An update for A-Tune-Collector is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "A-Tune-Collector is used to collect various system resources.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen the get method in the sched.py file in the A-Tune-Collector software package is used to obtain the process ID, shell command combination and injection risks exist. This flaw could lead to remote arbitrary command execution.(CVE-2024-24897)",
+    "cves": [
+      {
+        "id": "CVE-2024-24897",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24897",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1334": {
+    "id": "openEuler-SA-2021-1334",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1334",
+    "title": "An update for openjdk-11 is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).(CVE-2021-2388)\r\n\r\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Library). Supported versions that are affected are Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).(CVE-2021-2369)\r\n\r\nVulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).(CVE-2021-2341)",
+    "cves": [
+      {
+        "id": "CVE-2021-2341",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-2341",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1722": {
+    "id": "openEuler-SA-2022-1722",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1722",
+    "title": "An update for libvirt is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Libvirt is a C toolkit to interact with the virtualization capabilities of recent versions of Linux (and other OSes). The main package includes the libvirtd server exporting the virtualization support.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the libvirt nwfilter driver. The virNWFilterObjListNumOfNWFilters method failed to acquire the `driver->nwfilters` mutex before iterating over virNWFilterObj instances. There was no protection to stop another thread from concurrently modifying the `driver->nwfilters` object. This flaw allows a malicious, unprivileged user to exploit this issue via libvirt’s API virConnectNumOfNWFilters to crash the network filter management daemon (libvirtd/virtnwfilterd).(CVE-2022-0897)",
+    "cves": [
+      {
+        "id": "CVE-2022-0897",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0897",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1965": {
+    "id": "openEuler-SA-2023-1965",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1965",
+    "title": "An update for jettison is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "Jettison is a collection of Java APIs (like STaX and DOM) which read and write JSON. This allows nearly transparent enablement of JSON based web services in services frameworks like CXF or XML serialization frameworks like XStream.\r\n\r\nSecurity Fix(es):\r\n\r\nThose using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.(CVE-2022-40149)\r\n\r\nThose using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.(CVE-2022-40150)\r\n\r\nA stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted JSON data.(CVE-2022-45685)\r\n\r\nJettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.(CVE-2022-45693)\r\n\r\nAn infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.\r\n\r\n(CVE-2023-1436)",
+    "cves": [
+      {
+        "id": "CVE-2023-1436",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1436",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1747": {
+    "id": "openEuler-SA-2024-1747",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1747",
+    "title": "An update for mozjs78 is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "SpiderMonkey is the code-name for Mozilla Firefox's C++ implementation of JavaScript. It is intended to be embedded in other applications that provide host environments for JavaScript.\r\n\r\nSecurity Fix(es):\r\n\r\nA local attacker can trick the Mozilla Maintenance Service into applying an unsigned update file by pointing the service at an update file on a malicious SMB server. The update file can be replaced after the signature check, before the use, because the write-lock requested by the service does not work on a SMB server.\r\n\r\n*Note: This attack requires local system access and only affects Windows. Other operating systems are not affected.* This vulnerability affects Firefox < 112, Firefox ESR < 102.10, and Thunderbird < 102.10.\r\n\r\n(CVE-2023-29532)",
+    "cves": [
+      {
+        "id": "CVE-2023-29532",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29532",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1534": {
+    "id": "openEuler-SA-2023-1534",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1534",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "his libtiff provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. The latest version of the TIFF specification is available on-line in several different formats.And contains command-line programs for manipulating TIFF format image files using the libtiff library.\n\nSecurity Fix(es):\n\nA flaw was found in libtiff. A specially crafted tiff file can lead to a segmentation fault due to a buffer overflow in the Fax3Encode function in libtiff/tif_fax3.c, resulting in a denial of service.(CVE-2023-3618)",
+    "cves": [
+      {
+        "id": "CVE-2023-3618",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3618",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1500": {
+    "id": "openEuler-SA-2023-1500",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1500",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Go Programming Language.\r\n\r\nSecurity Fix(es):\r\n\r\nThe HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.(CVE-2023-29406)",
+    "cves": [
+      {
+        "id": "CVE-2023-29406",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29406",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1882": {
+    "id": "openEuler-SA-2023-1882",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1882",
+    "title": "An update for apache-commons-net is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Apache Commons Net library contains a collection of network utilities and protocol implementations. Supported protocols include: Echo, Finger, FTP, NNTP, NTP, POP3(S), SMTP(S), Telnet, Whois\r\n\r\nSecurity Fix(es):\r\n\r\nPrior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.(CVE-2021-37533)",
+    "cves": [
+      {
+        "id": "CVE-2021-37533",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37533",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1228": {
+    "id": "openEuler-SA-2023-1228",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1228",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel.This flaw allows an attacker to crash the system and possibly cause a kernel information lea(CVE-2023-1611)\r\n\r\nA flaw use after free in the Linux kernel Xircom 16-bit PCMCIA (PC-card) Ethernet driver was found.A local user could use this flaw to crash the system or potentially escalate their privileges on the system.(CVE-2023-1670)\r\n\r\nA use-after-free flaw was found in xen_9pfs_front_removet in net/9p/trans_xen.c in Xen transport for 9pfs in the Linux Kernel. This flaw could allow a local attacker to crash the system due to a race problem, possibly leading to a kernel information leak.(CVE-2023-1859)\n\nA race problem was found in fs/proc/task_mmu.c in the memory management sub-component in the Linux kernel. This issue may allow a local attacker with user privilege to cause a denial of service.(CVE-2023-1582)\n\nA double-free flaw was found in the Linux kernel’s TUN/TAP device driver functionality in how a user registers the device when the register_netdevice function fails (NETDEV_REGISTER notifier). This flaw allows a local user to crash or potentially escalate their privileges on the system.(CVE-2022-4744)",
+    "cves": [
+      {
+        "id": "CVE-2022-4744",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4744",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1150": {
+    "id": "openEuler-SA-2023-1150",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1150",
+    "title": "An update for libreswan is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Libreswan is an implementation of IKEv1 and IKEv2 for IPsec. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services.  These services allow you to build secure tunnels through untrusted networks.  Everything passing through the untrusted net is encrypted by the ipsec gateway machine and decrypted by the gateway at the other end of the tunnel.  The resulting tunnel is a virtual private network or VPN. This package contains the daemons and userland tools for setting up Libreswan. Libreswan also supports IKEv2 (RFC7296) and Secure Labeling Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04\n\r\nSecurity Fix(es):\r\n\r\nLibreswan 4.9 allows remote attackers to cause a denial of service (assert failure and daemon restart) via crafted TS payload with an incorrect selector length.(CVE-2023-23009)",
+    "cves": [
+      {
+        "id": "CVE-2023-23009",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23009",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2051": {
+    "id": "openEuler-SA-2022-2051",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2051",
+    "title": "An update for dbus is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message with certain invalid type signatures.(CVE-2022-42010)\r\n\r\nAn issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message where an array length is inconsistent with the size of the element type.(CVE-2022-42011)\r\n\r\nAn issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash by sending a message with attached file descriptors in an unexpected format.(CVE-2022-42012)",
+    "cves": [
+      {
+        "id": "CVE-2022-42012",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42012",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1591": {
+    "id": "openEuler-SA-2023-1591",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1591",
+    "title": "An update for golang is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Go Programming Language.\r\n\r\nSecurity Fix(es):\r\n\r\nExtremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.(CVE-2023-29409)",
+    "cves": [
+      {
+        "id": "CVE-2023-29409",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29409",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1962": {
+    "id": "openEuler-SA-2023-1962",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1962",
+    "title": "An update for curl is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Low",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen saving HSTS data to an excessively long file name, curl could end up\nremoving all contents, making subsequent requests using that file unaware of\nthe HSTS status they should otherwise use.\n(CVE-2023-46219)",
+    "cves": [
+      {
+        "id": "CVE-2023-46219",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46219",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1479": {
+    "id": "openEuler-SA-2023-1479",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1479",
+    "title": "An update for python-pygments is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Pygments is a generic syntax highlighter suitable for use in code hosting, forums, wikis or other applications that need to prettify source code.\r\n\r\nSecurity Fix(es):\r\n\r\nA ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.(CVE-2022-40896)",
+    "cves": [
+      {
+        "id": "CVE-2022-40896",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40896",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1424": {
+    "id": "openEuler-SA-2021-1424",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1424",
+    "title": "An update for freerdp is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "FreeRDP is a client implementation of the Remote Desktop Protocol (RDP) that follows Microsoft's open specifications. This package provides the client applications xfreerdp and wlfreerdp.\r\n\r\nSecurity Fix(es):\r\n\r\nFreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions a malicious server might trigger out of bound writes in a connected client. Connections using GDI or SurfaceCommands to send graphics updates to the client might send `0` width/height or out of bound rectangles to trigger out of bound writes. With `0` width or heigth the memory allocation will be `0` but the missing bounds checks allow writing to the pointer at this (not allocated) region. This issue has been patched in FreeRDP 2.4.1.(CVE-2021-41160)",
+    "cves": [
+      {
+        "id": "CVE-2021-41160",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41160",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1462": {
+    "id": "openEuler-SA-2021-1462",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1462",
+    "title": "An update for log4j is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "Java logging package.\r\n\r\nSecurity Fix(es):\r\n\r\nThe details of a high-risk vulnerability in Apache Log4j2 have been disclosed. Attackers can use the vulnerability to execute code remotely. Some reports carry suspected POC; Apache Log4j2 is a Java-based logging tool. This tool rewrites the Log4j framework and introduces a large number of rich features. The log framework is widely used in business system development to record log information. In most cases, developers may write error messages caused by user input into the log. The trigger condition of this vulnerability is that as long as the data input by external users will be recorded in the log, it can cause remote code execution.(CVE-2021-44228)",
+    "cves": [
+      {
+        "id": "CVE-2021-44228",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1701": {
+    "id": "openEuler-SA-2023-1701",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1701",
+    "title": "An update for dsoftbus is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Overflow vulnerability in coap_send function in libcoap library 4.3.1-103-g52cfd56 fixed in 4.3.1-120-ge242200 allows attackers to obtain sensitive information via malformed pdu.(CVE-2023-30362)",
+    "cves": [
+      {
+        "id": "CVE-2023-30362",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30362",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1619": {
+    "id": "openEuler-SA-2022-1619",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1619",
+    "title": "An update for mariadb is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "MariaDB is a community developed fork from MySQL - a multi-user, multi-threaded SQL database server. It is a client/server implementation consisting of a server daemon (mariadbd) and many different client programs and libraries. The base package contains the standard MariaDB/MySQL client programs and utilities.\r\n\r\nSecurity Fix(es):\r\n\r\nMariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.(CVE-2022-24052)",
+    "cves": [
+      {
+        "id": "CVE-2022-24052",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24052",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1601": {
+    "id": "openEuler-SA-2024-1601",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1601",
+    "title": "An update for youker-assistant is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Integrated tool to aid in routine system maintenance tasks Kylin Assistant is a tool designed to help Ubuntu and Ubuntu Kylin desktop users manage and maintain many aspects of their working environment conveniently in a single application, providing a consistent user experience.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability classified as critical was found in KylinSoft youker-assistant on KylinOS. Affected by this vulnerability is the function adjust_cpufreq_scaling_governer. The manipulation leads to os command injection. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.4.13 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-226099.(CVE-2023-2091)",
+    "cves": [
+      {
+        "id": "CVE-2023-2091",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2091",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1877": {
+    "id": "openEuler-SA-2023-1877",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1877",
+    "title": "An update for qt is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Qt (pronounced as \"cute\", not \"cu-tee\") is a cross-platform framework that is usually used as a graphical toolkit, although it is also very helpful in creating CLI applications. It runs on the three major desktop OSes, as well as on mobile OSes, such as Symbian, Nokia Belle, Meego Harmattan, MeeGo or BB10, and on embedded devices. Ports for Android (Necessitas) and iOS are also in development\r\n\r\nSecurity Fix(es):\r\n\r\nIn Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.(CVE-2023-37369)\r\n\r\nAn issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.(CVE-2023-38197)\r\n\r\nAn issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.(CVE-2023-43114)",
+    "cves": [
+      {
+        "id": "CVE-2023-43114",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1770": {
+    "id": "openEuler-SA-2023-1770",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1770",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in drivers/usb/storage/ene_ub6250.c for the ENE UB6250 reader driver in the Linux kernel before 6.2.5. An object could potentially extend beyond the end of an allocation.(CVE-2023-45862)",
+    "cves": [
+      {
+        "id": "CVE-2023-45862",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45862",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1511": {
+    "id": "openEuler-SA-2022-1511",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1511",
+    "title": "An update for expat is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "An XML parser library.\r\n\r\nSecurity Fix(es):\r\n\r\nExpat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.(CVE-2022-23852)\r\n\r\nExpat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.(CVE-2022-23990)",
+    "cves": [
+      {
+        "id": "CVE-2022-23990",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23990",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1123": {
+    "id": "openEuler-SA-2021-1123",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1123",
+    "title": "An update for podman is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Podman manages the entire container ecosystem which includes pods, containers, container images, and container volumes using the libpod library.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in podman before 1.7.0. File permissions for non-root users running in a privileged container are not correctly checked. This flaw can be abused by a low-privileged user inside the container to access any other file in the container, even if owned by the root user inside the container. It does not allow to directly escape the container, though being a privileged container means that a lot of security features are disabled when running the container. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2021-20188)",
+    "cves": [
+      {
+        "id": "CVE-2021-20188",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20188",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1575": {
+    "id": "openEuler-SA-2022-1575",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1575",
+    "title": "An update for postgresql is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "PostgreSQL is an advanced Object-Relational database management system (DBMS) that supports almost all SQL constructs (including transactions, subselects and user-defined types and functions). The postgresql package includes the client programs and libraries that you'll need to access a PostgreSQL DBMS server.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.(CVE-2021-23214)\r\n\r\nA man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption.(CVE-2021-23222)",
+    "cves": [
+      {
+        "id": "CVE-2021-23222",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23222",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1208": {
+    "id": "openEuler-SA-2024-1208",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1208",
+    "title": "An update for jss is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "JSS offers a implementation for java-based applications to use native NSS.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in JSS, where it did not properly free up all memory. Over time, the wasted memory builds up in the server memory, saturating the server’s RAM. This flaw allows an attacker to force the invocation of an out-of-memory process, causing a denial of service.(CVE-2021-4213)",
+    "cves": [
+      {
+        "id": "CVE-2021-4213",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4213",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1130": {
+    "id": "openEuler-SA-2024-1130",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1130",
+    "title": "An update for pam is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "PAM (Pluggable Authentication Modules) is a system of libraries that handle the authentication tasks of applications (services) on the system.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in Linux PAM. An unprivileged user that is not yet in a corresponding mount namespace with ~/tmp mounted as a polyinstantiated dir can place a FIFO there, and a subsequent attempt to login as this user with `pam_namespace` configured will cause the `openat()` in `protect_dir()` to block the attempt, causing a local denial of service.(CVE-2024-22365)",
+    "cves": [
+      {
+        "id": "CVE-2024-22365",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22365",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1089": {
+    "id": "openEuler-SA-2021-1089",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1089",
+    "title": "An update for python-cryptography is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.(CVE-2020-36242)",
+    "cves": [
+      {
+        "id": "CVE-2020-36242",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36242",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1245": {
+    "id": "openEuler-SA-2021-1245",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1245",
+    "title": "An update for lz4 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "LZ4 is lossless compression algorithm, providing compression speed > 500 MB/s per core (>0.15 Bytes/cycle). It features an extremely fast decoder, with speed in multiple GB/s per core (~1 Byte/cycle). A high compression derivative, called LZ4_HC, is available, trading customizable CPU time for compression ratio.\r\n\r\nSecurity Fix(es):\r\n\r\nThere s a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.(CVE-2021-3520)",
+    "cves": [
+      {
+        "id": "CVE-2021-3520",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3520",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2052": {
+    "id": "openEuler-SA-2022-2052",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2052",
+    "title": "An update for nodejs-getobject is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Get and set deep objects easily.\r\n\r\nSecurity Fix(es):\r\n\r\nPrototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.(CVE-2020-28282)",
+    "cves": [
+      {
+        "id": "CVE-2020-28282",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28282",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1604": {
+    "id": "openEuler-SA-2022-1604",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1604",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nst21nfca_connectivity_event_received in drivers/nfc/st21nfca/se.c in the Linux kernel through 5.16.12 has EVT_TRANSACTION buffer overflows because of untrusted length parameters.(CVE-2022-26490)\r\n\r\nA memory leak flaw was found in the Linux kernel’s DMA subsystem, in the way a user calls DMA_FROM_DEVICE. This flaw allows a local user to read random memory from the kernel space.(CVE-2022-0854)\r\n\r\n** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2022-27666. Reason: This candidate is a reservation duplicate of CVE-2022-27666. Notes: All CVE users should reference CVE-2022-27666 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.(CVE-2022-0886)\r\n\r\nA kernel information leak flaw was identified in the scsi_ioctl function in drivers/scsi/scsi_ioctl.c in the Linux kernel. This flaw allows a local attacker with a special user privilege (CAP_SYS_ADMIN or CAP_SYS_RAWIO) to create issues with confidentiality.(CVE-2022-0494)",
+    "cves": [
+      {
+        "id": "CVE-2022-0494",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0494",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1706": {
+    "id": "openEuler-SA-2022-1706",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1706",
+    "title": "An update for libpq is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "PostgreSQL is a powerful, open source object-relational database system that uses and extends the SQL language combined with many features that safely store and scale the most complicated data workloads. This package provides the essential shared library for any PostgreSQL client program or interface.\r\n\r\nSecurity Fix(es):\r\n\nA flaw was found in postgresql. A purpose-crafted query can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can complete this attack at will. The attack does not require the ability to create objects. If server settings include max_worker_processes=0, the known versions of this attack are infeasible. However, undiscovered variants of the attack may be independent of that setting.(CVE-2021-3677)\n\r\nA man-in-the-middle attacker can inject false responses to the client s first few queries, despite the use of SSL certificate verification and encryption.(CVE-2021-23222)\r\n\r\nA flaw was found in postgresql. Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality.(CVE-2021-32028)",
+    "cves": [
+      {
+        "id": "CVE-2021-3677",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3677",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1315": {
+    "id": "openEuler-SA-2023-1315",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1315",
+    "title": "An update for cups-filters is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "This project provides backends, filters, and other software that was once part of the core CUPS distribution but is no longer maintained by Apple Inc. In addition it contains additional filters and software developed independently of Apple, especially filters for the PDF-centric printing workflow introduced by OpenPrinting and a daemon to browse Bonjour broadcasts of remote CUPS printers to make these printers available locally and to provide backward compatibility to the old CUPS broadcasting and browsing of CUPS 1.5.x and older.\r\n\r\nSecurity Fix(es):\r\n\r\ncups-filters contains backends, filters, and other software required to get the cups printing service working on operating systems other than macos. If you use the Backend Error Handler (beh) to create an accessible network printer, this security vulnerability can cause remote code execution. `beh.c` contains the line `retval = system(cmdline) >> 8;` which calls the `system` command with the operand `cmdline`. `cmdline` contains multiple user controlled, unsanitized values. As a result an attacker with network access to the hosted print server can exploit this vulnerability to inject system commands which are executed in the context of the running server. This issue has been addressed in commit `8f2740357` and is expected to be bundled in the next release. Users are advised to upgrade when possible and to restrict access to network printers in the meantime.(CVE-2023-24805)",
+    "cves": [
+      {
+        "id": "CVE-2023-24805",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24805",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1924": {
+    "id": "openEuler-SA-2022-1924",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1924",
+    "title": "An update for linux-sgx is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Intel(R) Software Guard Extensions (Intel(R) SGX) is an Intel technology for application developers seeking to protect select code and data from disclosure or modification.\r\n\r\nSecurity Fix(es):\r\n\r\nThe BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).(CVE-2022-0778)",
+    "cves": [
+      {
+        "id": "CVE-2022-0778",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0778",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1735": {
+    "id": "openEuler-SA-2024-1735",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1735",
+    "title": "An update for nano is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3 and openEuler-24.03-LTS",
+    "severity": "Medium",
+    "description": "Nano is now part of Apache CouchDB.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in GNU Nano that allows a possible privilege escalation through an insecure temporary file. If Nano is killed while editing, a file it saves to an emergency file with the permissions of the running user provides a window of opportunity for attackers to escalate privileges through a malicious symlink.(CVE-2024-5742)",
+    "cves": [
+      {
+        "id": "CVE-2024-5742",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5742",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1709": {
+    "id": "openEuler-SA-2023-1709",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1709",
+    "title": "An update for gstreamer1-plugins-bad-free is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "GStreamer is a pipeline-based multi media framework that links together a wide variety of media processing systems to complete complex workflows, based on graphs of filters which operate on media data. This package contains plug-ins that are not tested well enough yet, or the code is not of good enough quality.\r\n\r\nSecurity Fix(es):\r\n\r\nVUL-0: CVE-2023-40474: gstreamer-plugins-bad: GStreamer MXF File Parsing Integer Overflow Remote Code Execution Vulnerability(CVE-2023-40474)\r\n\r\nVUL-0: CVE-2023-40475: gstreamer-plugins-bad: GStreamer MXF File Parsing Integer Overflow Remote Code Execution Vulnerability(CVE-2023-40475)\r\n\r\nVUL-0: CVE-2023-40476: gstreamer-plugins-bad: GStreamer H265 Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability(CVE-2023-40476)",
+    "cves": [
+      {
+        "id": "CVE-2023-40476",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40476",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1510": {
+    "id": "openEuler-SA-2023-1510",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1510",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nA flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service.(CVE-2023-3772)",
+    "cves": [
+      {
+        "id": "CVE-2023-3772",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3772",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1989": {
+    "id": "openEuler-SA-2023-1989",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1989",
+    "title": "An update for hdf5 is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "HDF5 is a data model, library, and file format for storing and managing data. It supports an unlimited variety of datatypes, and is designed for flexible and efficient I/O and for high volume and complex data. HDF5 is portable and is extensible, allowing applications to evolve in their use of HDF5. The HDF5 Technology suite includes tools and applications for managing, manipulating, viewing, and analyzing data in the HDF5 format.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap-based buffer overflow in ReadGifImageDesc() in gifread.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service via a crafted HDF5 file. This issue was triggered while converting a GIF file to an HDF file.(CVE-2018-17433)\r\n\r\nReadCode() in decompress.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service (invalid write access) via a crafted HDF5 file. This issue was triggered while converting a GIF file to an HDF file.(CVE-2018-17436)\r\n\r\nAn issue was discovered in HDF5 through 1.12.0. A heap-based buffer overflow exists in the function Decompress() located in decompress.c. It can be triggered by sending a crafted file to the gif2h5 binary. It allows an attacker to cause Denial of Service.(CVE-2020-10809)",
+    "cves": [
+      {
+        "id": "CVE-2020-10809",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10809",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1364": {
+    "id": "openEuler-SA-2021-1364",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1364",
+    "title": "An update for wpa_supplicant is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "wpa_supplicant is a WPA Supplicant for Linux, BSD, Mac OS X, and Windows with support for WPA and WPA2 (IEEE 802.11i / RSN). It is suitable for both desktop/laptop computers and embedded systems. Supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association of the wlan driver.\r\n\r\nSecurity Fix(es):\r\n\r\nIn p2p_copy_client_info of p2p.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution if the target device is performing a Wi-Fi Direct search, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-172937525(CVE-2021-0326)",
+    "cves": [
+      {
+        "id": "CVE-2021-0326",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0326",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1142": {
+    "id": "openEuler-SA-2021-1142",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1142",
+    "title": "An update for libupnp is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Universal Plug and Play (UPnP) SDK for Linux provides  support for building UPnP-compliant control points, devices,  and bridges on Linux.\r\n\r\nSecurity Fix(es):\r\n\r\nPortable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c.(CVE-2020-13848)",
+    "cves": [
+      {
+        "id": "CVE-2020-13848",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13848",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1084": {
+    "id": "openEuler-SA-2024-1084",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1084",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Bluetooth subsystem of the Linux kernel. A race condition between the bt_sock_recvmsg() and bt_sock_ioctl() functions could lead to a use-after-free on a socket buffer (\"skb\"). This flaw allows a local user to cause a denial of service condition or potential code execution.(CVE-2023-51779)\r\n\r\nAn issue was discovered in the Linux kernel before 6.6.8. do_vcc_ioctl in net/atm/ioctl.c has a use-after-free because of a vcc_recvmsg race condition.(CVE-2023-51780)\r\n\r\nAn issue was discovered in the Linux kernel before 6.6.8. atalk_ioctl in net/appletalk/ddp.c has a use-after-free because of an atalk_recvmsg race condition.(CVE-2023-51781)",
+    "cves": [
+      {
+        "id": "CVE-2023-51781",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51781",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1822": {
+    "id": "openEuler-SA-2022-1822",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1822",
+    "title": "An update for gnutls is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, and other required structures.The project strives to provide a secure communications back-end, simple to use and integrated with the rest of the base Linux libraries. A back-end designed to work and be secure out of the box, keeping the complexity of TLS and PKI out of application code.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability found in gnutls. This security flaw happens because of a double free error occurs during verification of pkcs7 signatures in gnutls_pkcs7_verify function.(CVE-2022-2509)",
+    "cves": [
+      {
+        "id": "CVE-2022-2509",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2509",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1874": {
+    "id": "openEuler-SA-2024-1874",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1874",
+    "title": "An update for ffmpeg is now available for openEuler-24.03-LTS",
+    "severity": "Medium",
+    "description": "FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash.\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Overflow vulnerability in FFmpeg version n6.1-3-g466799d4f5, allows a local attacker to execute arbitrary code and cause a denial of service (DoS) via the af_dialoguenhance.c:261:5 in the de_stereo component.(CVE-2023-49528)\r\n\r\nFFmpeg 7.0 is vulnerable to Buffer Overflow. There is a negative-size-param bug at libavcodec/mpegvideo_enc.c:1216:21 in load_input_picture in FFmpeg7.0(CVE-2024-32230)",
+    "cves": [
+      {
+        "id": "CVE-2024-32230",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32230",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1258": {
+    "id": "openEuler-SA-2024-1258",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1258",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was reported in the Open vSwitch sub-component in the Linux Kernel. The flaw occurs when a recursive operation of code push recursively calls into the code block. The OVS module does not validate the stack depth, pushing too many frames and causing a stack overflow. As a result, this can lead to a crash or other related issues.(CVE-2024-1151)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path\r\n\r\nWhen calling mlxsw_sp_acl_tcam_region_destroy() from an error path after\nfailing to attach the region to an ACL group, we hit a NULL pointer\ndereference upon 'region->group->tcam' [1].\r\n\r\nFix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam().\r\n\r\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nRIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0\n[...]\nCall Trace:\n mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\n mlxsw_sp_acl_rule_add+0x47/0x240\n mlxsw_sp_flower_replace+0x1a9/0x1d0\n tc_setup_cb_add+0xdc/0x1c0\n fl_hw_replace_filter+0x146/0x1f0\n fl_change+0xc17/0x1360\n tc_new_tfilter+0x472/0xb90\n rtnetlink_rcv_msg+0x313/0x3b0\n netlink_rcv_skb+0x58/0x100\n netlink_unicast+0x244/0x390\n netlink_sendmsg+0x1e4/0x440\n ____sys_sendmsg+0x164/0x260\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xc0\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b(CVE-2024-26595)",
+    "cves": [
+      {
+        "id": "CVE-2024-26595",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26595",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1248": {
+    "id": "openEuler-SA-2023-1248",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1248",
+    "title": "An update for samba is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nThe Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection.(CVE-2023-0922)",
+    "cves": [
+      {
+        "id": "CVE-2023-0922",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0922",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1167": {
+    "id": "openEuler-SA-2023-1167",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1167",
+    "title": "An update for systemd is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "systemd is a system and service manager that runs as PID 1 and starts the rest of the system.\r\n\r\nSecurity Fix(es):\r\n\r\nsystemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the \"systemctl status\" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when running systemctl from Sudo, because less executes as root when the terminal size is too small to show the complete systemctl output.(CVE-2023-26604)",
+    "cves": [
+      {
+        "id": "CVE-2023-26604",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26604",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2066": {
+    "id": "openEuler-SA-2022-2066",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2066",
+    "title": "An update for xstream is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design,making it suitable for large object graphs or systems with high message throughput. No information is duplicated that can be obtained via reflection. This results in XML that is easier to read for humans and more compact than native Java serialization. XStream serializes internal fields, including private and final. Supports non-public and inner classes. Classes are not required to have default constructor.Duplicate references encountered in the object-model will be maintained. Supports circular references. By implementing an interface, XStream can serialize directly to/from any tree structure (not just XML). Strategies can be registered allowing customization of how particular types are represented as XML. When an exception occurs due to malformed XML, detailed diagnostics are provided to help isolate and fix the problem.\r\n\r\nSecurity Fix(es):\r\n\r\nXStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.(CVE-2021-43859)",
+    "cves": [
+      {
+        "id": "CVE-2021-43859",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43859",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1191": {
+    "id": "openEuler-SA-2023-1191",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1191",
+    "title": "An update for liblouis is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Liblouis software suite provides an open-source braille translator, back-translator and formatter for a large number of languages and braille codes. It is a set of libraries designed for use in any of a number of applications, both free and commercial. It is written in C so that it does not require a runtime environment and hence can be used in applications written in high-level languages such as Java and Python.\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Overflow vulnerability found in Liblouis Lou_Trace v.3.24.0 allows a remote attacker to cause a denial of service via the resolveSubtable function at compileTranslationTabel.c.(CVE-2023-26769)",
+    "cves": [
+      {
+        "id": "CVE-2023-26769",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26769",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1020": {
+    "id": "openEuler-SA-2021-1020",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1020",
+    "title": "An update for squid is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Squid is a high-performance proxy caching server. It handles all requests in a single, non-blocking, I/O-driven process and keeps meta data and implements negative caching of failed requests.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nAn issue was discovered in Squid through 4.7. When handling the tag esi:when when ESI is enabled, Squid calls ESIExpression::Evaluate. This function uses a fixed stack buffer to hold the expression while its being evaluated. When processing the expression, it could either evaluate the top of the stack, or add a new member to the stack. When adding a new member, there is no check to ensure that the stack wont overflow.(CVE-2019-12519)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2019-12519",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12519",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1502": {
+    "id": "openEuler-SA-2024-1502",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1502",
+    "title": "An update for less is now available for openEuler-20.03-LTS-SP1,openEuler-22.03-LTS,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Less is a pager. A pager is a program that displays text files. Other pagers commonly in use are more and pg. Pagers are often used in command-line environments like the Unix shell and the MS-DOS command prompt to display files.\r\n\r\nSecurity Fix(es):\r\n\r\nless through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.(CVE-2024-32487)",
+    "cves": [
+      {
+        "id": "CVE-2024-32487",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32487",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1086": {
+    "id": "openEuler-SA-2024-1086",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1086",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Bluetooth subsystem of the Linux kernel. A race condition between the bt_sock_recvmsg() and bt_sock_ioctl() functions could lead to a use-after-free on a socket buffer (\"skb\"). This flaw allows a local user to cause a denial of service condition or potential code execution.(CVE-2023-51779)\r\n\r\nAn issue was discovered in the Linux kernel before 6.6.8. do_vcc_ioctl in net/atm/ioctl.c has a use-after-free because of a vcc_recvmsg race condition.(CVE-2023-51780)\r\n\r\nAn issue was discovered in the Linux kernel before 6.6.8. atalk_ioctl in net/appletalk/ddp.c has a use-after-free because of an atalk_recvmsg race condition.(CVE-2023-51781)\r\n\r\nAn issue was discovered in the Linux kernel before 6.6.8. rose_ioctl in net/rose/af_rose.c has a use-after-free because of a rose_accept race condition.(CVE-2023-51782)\r\n\r\nAn out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This issue may allow a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data being printed and potentially leaked to the kernel ring buffer (dmesg).(CVE-2023-6121)",
+    "cves": [
+      {
+        "id": "CVE-2023-6121",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6121",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1849": {
+    "id": "openEuler-SA-2023-1849",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1849",
+    "title": "An update for shadow is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Tools for managing accounts and shadow password files.\r\n\r\nSecurity Fix(es):\r\n\r\nshadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees(CVE-2013-4235)",
+    "cves": [
+      {
+        "id": "CVE-2013-4235",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4235",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1348": {
+    "id": "openEuler-SA-2021-1348",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1348",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of-bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host.(CVE-2021-3713)",
+    "cves": [
+      {
+        "id": "CVE-2021-3713",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3713",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1761": {
+    "id": "openEuler-SA-2023-1761",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1761",
+    "title": "An update for ceph is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Low",
+    "description": "Ceph is a massively scalable, open-source, distributed storage system that runs on commodity hardware and delivers object, block and file system storage.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in rgw. This flaw allows an unprivileged user to write to any bucket(s) accessible by a given key if a POST's form-data contains a key called 'bucket' with a value matching the bucket's name used to sign the request. This issue results in a user being able to upload to any bucket accessible by the specified access key as long as the bucket in the POST policy matches the bucket in the said POST form part.(CVE-2023-43040)",
+    "cves": [
+      {
+        "id": "CVE-2023-43040",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43040",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1748": {
+    "id": "openEuler-SA-2022-1748",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1748",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\n\nUsing the ioctl function to modify the vc_font.height value through PIO_FONT can cause the KASAN: vmalloc-out-of-bounds in sys_imageblit problem. Requires tty group permissions to access the device file /dev/tty1.(CVE-2021-33656)",
+    "cves": [
+      {
+        "id": "CVE-2021-33656",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33656",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1556": {
+    "id": "openEuler-SA-2023-1556",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1556",
+    "title": "An update for krb5 is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.\r\n\r\nSecurity Fix(es):\r\n\r\nlib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.(CVE-2023-36054)",
+    "cves": [
+      {
+        "id": "CVE-2023-36054",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36054",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1172": {
+    "id": "openEuler-SA-2023-1172",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1172",
+    "title": "An update for sudo is now available for openEuler-22.03-LTS",
+    "severity": "Low",
+    "description": "Sudo is a program designed to allow a sysadmin to give limited root privileges to users and log root activity.  The basic philosophy is to give as few privileges as possible but still allow people to get their work done.\r\n\r\nSecurity Fix(es):\r\n\r\nSudo before 1.9.13p2 has a double free in the per-command chroot feature.(CVE-2023-27320)",
+    "cves": [
+      {
+        "id": "CVE-2023-27320",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27320",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1578": {
+    "id": "openEuler-SA-2023-1578",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1578",
+    "title": "An update for postgresql is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "PostgreSQL is an advanced Object-Relational database management system (DBMS) that supports almost all SQL constructs (including transactions, subselects and user-defined types and functions). The postgresql package includes the client programs and libraries that you'll need to access a PostgreSQL DBMS server.\r\n\r\nSecurity Fix(es):\r\n\r\nIN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or \"\"). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.(CVE-2023-39417)",
+    "cves": [
+      {
+        "id": "CVE-2023-39417",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39417",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1158": {
+    "id": "openEuler-SA-2021-1158",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1158",
+    "title": "An update for qt5-qtbase is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "This package provides base tools, such as string, xml, and network handling.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds memory access in the generateDirectionalRuns() function in qtextengine.cpp in Qt qtbase 5.11.x and 5.12.x before 5.12.5 allows attackers to cause a denial of service by crashing an application via a text file containing many directional characters.(CVE-2019-18281)",
+    "cves": [
+      {
+        "id": "CVE-2019-18281",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18281",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1318": {
+    "id": "openEuler-SA-2023-1318",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1318",
+    "title": "An update for libreswan is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Libreswan is an implementation of IKEv1 and IKEv2 for IPsec. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services.  These services allow you to build secure tunnels through untrusted networks.  Everything passing through the untrusted net is encrypted by the ipsec gateway machine and decrypted by the gateway at the other end of the tunnel.  The resulting tunnel is a virtual private network or VPN. This package contains the daemons and userland tools for setting up Libreswan. Libreswan also supports IKEv2 (RFC7296) and Secure Labeling Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04\n\r\n\r\nSecurity Fix(es):\r\n\r\npluto in Libreswan before 4.11 allows a denial of service (responder SPI mishandling and daemon crash) via unauthenticated IKEv1 Aggressive Mode packets. The earliest affected version is 3.28.(CVE-2023-30570)",
+    "cves": [
+      {
+        "id": "CVE-2023-30570",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30570",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1746": {
+    "id": "openEuler-SA-2022-1746",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1746",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\ndrivers/block/floppy.c in the Linux kernel before 5.17.6 is vulnerable to a denial of service, because of a concurrency use-after-free flaw after deallocating raw_cmd in the raw_cmd_ioctl function.(CVE-2022-33981)\r\n\r\nA vulnerability was found in the Linux kernel's nft_set_desc_concat_parse() function .This flaw allows an attacker to trigger a buffer overflow via nft_set_desc_concat_parse() , causing a denial of service and possibly to run code.(CVE-2022-2078)\n\nNo description is available for this CVE.(CVE-2022-2153)",
+    "cves": [
+      {
+        "id": "CVE-2022-2153",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2153",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1801": {
+    "id": "openEuler-SA-2022-1801",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1801",
+    "title": "An update for fwupd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "aims to make updating firmware on Linux automatic, safe and reliable.\r\n\r\nSecurity Fix(es):\r\n\r\nA PGP signature bypass flaw was found in fwupd (all versions), which could lead to the installation of unsigned firmware. As per upstream, a signature bypass is theoretically possible, but not practical because the Linux Vendor Firmware Service (LVFS) is either not implemented or enabled in versions of fwupd shipped with Red Hat Enterprise Linux 7 and 8. The highest threat from this vulnerability is to confidentiality and integrity.(CVE-2020-10759)",
+    "cves": [
+      {
+        "id": "CVE-2020-10759",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10759",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1380": {
+    "id": "openEuler-SA-2024-1380",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1380",
+    "title": "An update for cri-tools is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "CLI and validation tools for Container Runtime Interface\r\n\r\nSecurity Fix(es):\r\n\r\nA maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.(CVE-2022-41723)\r\n\r\nA malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.(CVE-2023-39325)\r\n\r\nThe protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.(CVE-2024-24786)",
+    "cves": [
+      {
+        "id": "CVE-2024-24786",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24786",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1825": {
+    "id": "openEuler-SA-2023-1825",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1825",
+    "title": "An update for gdb is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "GDB, the GNU Project debugger, allows you to see what is going on inside another program while it executes -- or what another program was doing at the moment it crashed.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a heap use after free via the function add_pe_exported_sym() at /gdb/coff-pe-read.c.(CVE-2023-39129)",
+    "cves": [
+      {
+        "id": "CVE-2023-39129",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39129",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1325": {
+    "id": "openEuler-SA-2024-1325",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1325",
+    "title": "An update for bind is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols and provides an openly redistributable reference implementation of the major components of the Domain Name System. This package includes the components to operate a DNS server.\r\n\r\nSecurity Fix(es):\r\n\r\nThe DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers.\nThis issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.(CVE-2023-4408)\r\n\r\nCertain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.(CVE-2023-50387)\r\n\r\nA flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when:\r\n\r\n  - `nxdomain-redirect <domain>;` is configured, and\n  - the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response.\nThis issue affects BIND 9 versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.(CVE-2023-5517)\r\n\r\nA bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these features are enabled.\nThis issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.(CVE-2023-5679)\r\n\r\nTo keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to clean up the database. It uses several methods, including some that are asynchronous: a small chunk of memory pointing to the cache element that can be cleaned up is first allocated and then queued for later processing. It was discovered that if the resolver is continuously processing query patterns triggering this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely manner. This in turn enables the list of queued cleanup events to grow infinitely large over time, allowing the configured `max-cache-size` limit to be significantly exceeded.\nThis issue affects BIND 9 versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1.(CVE-2023-6516)",
+    "cves": [
+      {
+        "id": "CVE-2023-6516",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6516",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1213": {
+    "id": "openEuler-SA-2024-1213",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1213",
+    "title": "An update for firefox is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Mozilla Firefox is a standalone web browser, designed for standards compliance and performance.  Its functionality can be enhanced via a plethora of extensions.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability found in nss. By this security vulnerability, nss client auth crash without a user certificate in the database and this can lead us to a segmentation fault or crash.(CVE-2022-3479)",
+    "cves": [
+      {
+        "id": "CVE-2022-3479",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3479",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1725": {
+    "id": "openEuler-SA-2023-1725",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1725",
+    "title": "An update for glibc is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt,  login, exit and more.\r\n\r\nSecurity Fix(es):\r\n\r\nA buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.(CVE-2023-4911)",
+    "cves": [
+      {
+        "id": "CVE-2023-4911",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4911",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1480": {
+    "id": "openEuler-SA-2021-1480",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1480",
+    "title": "An update for rubygem-bundler is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Library and utilities to manage a Ruby application's gem dependencies.\r\n\r\nSecurity Fix(es):\r\n\r\n`Bundler` is a package for managing application dependencies in Ruby. In `bundler` versions before 2.2.33, when working with untrusted and apparently harmless `Gemfile`'s, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code inside the `Gemfile` itself. However, if the `Gemfile` includes `gem` entries that use the `git` option with invalid, but seemingly harmless, values with a leading dash, this can be False. To handle dependencies that come from a Git repository instead of a registry, Bundler uses various commands, such as `git clone`. These commands are being constructed using user input (e.g. the repository URL). When building the commands, Bundler versions before 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. Since this value comes from the `Gemfile` file, it can contain any character, including a leading dash. To exploit this vulnerability, an attacker has to craft a directory containing a `Gemfile` file that declares a dependency that is located in a Git repository. This dependency has to have a Git URL in the form of `-u./payload`. This URL will be used to construct a Git clone command but will be interpreted as the upload-pack argument. Then this directory needs to be shared with the victim, who then needs to run a command that evaluates the Gemfile, such as `bundle lock`, inside. This vulnerability can lead to Arbitrary Code Execution, which could potentially lead to the takeover of the system. However, the exploitability is very low, because it requires a lot of user interaction. Bundler 2.2.33 has patched this problem by inserting `--` as an argument before any positional arguments to those Git commands that were affected by this issue. Regardless of whether users can upgrade or not, they should review any untrustred `Gemfile`'s before running any `bundler` commands that may read them, since they can contain arbitrary ruby code.(CVE-2021-43809)",
+    "cves": [
+      {
+        "id": "CVE-2021-43809",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43809",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1027": {
+    "id": "openEuler-SA-2023-1027",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1027",
+    "title": "An update for systemd is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "systemd is a system and service manager that runs as PID 1 and starts the rest of the system. \r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.(CVE-2022-4415)",
+    "cves": [
+      {
+        "id": "CVE-2022-4415",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4415",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1665": {
+    "id": "openEuler-SA-2024-1665",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1665",
+    "title": "An update for giflib is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "giflib is a library of gif images and provides utilities for processing images.\r\n\r\nSecurity Fix(es):\r\n\r\nA memory leak (out-of-memory) in gif2rgb in util/gif2rgb.c in giflib 5.1.4 allows remote attackers trigger an out of memory exception or denial of service via a gif format file.(CVE-2021-40633)",
+    "cves": [
+      {
+        "id": "CVE-2021-40633",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40633",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1143": {
+    "id": "openEuler-SA-2024-1143",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1143",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel before 6.4.5, drivers/gpu/drm/drm_atomic.c has a use-after-free during a race condition between a nonblocking atomic commit and a driver unload.(CVE-2023-51043)\r\n\r\nA use-after-free flaw was found in the Linux Kernel due to a race problem in the unix garbage collector's deletion of SKB races with unix_stream_read_generic() on the socket that the SKB is queued on.(CVE-2023-6531)\r\n\r\nA Null pointer dereference problem was found in ida_free in lib/idr.c in the Linux Kernel. This issue may allow an attacker using this library to cause a denial of service problem due to a missing check at a function return.(CVE-2023-6915)",
+    "cves": [
+      {
+        "id": "CVE-2023-6915",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6915",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1018": {
+    "id": "openEuler-SA-2021-1018",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1018",
+    "title": "An update for php is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nIn PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when using file upload functionality, if upload progress tracking is enabled, but session.upload_progress.cleanup is set to 0 (disabled), and the file upload fails, the upload procedure would try to clean up data that does not exist and encounter null pointer dereference, which would likely lead to a crash.(CVE-2020-7071)\\r\\n\\r\\n\nWhen using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read past the allocated buffer. This may lead to information disclosure or crash.(CVE-2020-7059)\\r\\n\\r\\n\nIn PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when using file upload functionality, if upload progress tracking is enabled, but session.upload_progress.cleanup is set to 0 (disabled), and the file upload fails, the upload procedure would try to clean up data that does not exist and encounter null pointer dereference, which would likely lead to a crash.(CVE-2020-7062)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2020-7062",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7062",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2148": {
+    "id": "openEuler-SA-2022-2148",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2148",
+    "title": "An update for jetty is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "%global desc \\ Jetty is a 100% Java HTTP Server and Servlet Container. This means that you\\ do not need to configure and run a separate web server (like Apache) in order\\ to use Java, servlets and JSPs to generate dynamic content. Jetty is a fully\\ featured web server for static and dynamic content. Unlike separate\\ server/container solutions, this means that your web server and web\\ application run in the same process, without interconnection overheads\\ and complications. Furthermore, as a pure java component, Jetty can be simply\\ included in your application for demonstration, distribution or deployment.\\ Jetty is available on all Java supported platforms. \\ %global extdesc \\\\ \\ This package contains\r\n\r\nSecurity Fix(es):\r\n\r\nIn Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.(CVE-2019-10241)",
+    "cves": [
+      {
+        "id": "CVE-2019-10241",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10241",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1549": {
+    "id": "openEuler-SA-2023-1549",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1549",
+    "title": "An update for microcode_ctl is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "This is a tool to transform and deploy microcode update for x86 CPUs.\n\nSecurity Fix(es):\n\nIncorrect default permissions in some memory controller configurations for some Intel(R) Xeon(R) Processors when using Intel(R) Software Guard Extensions which may allow a privileged user to potentially enable escalation of privilege via local access.(CVE-2022-33196)\n\nImproper isolation of shared resources in some Intel(R) Processors when using Intel(R) Software Guard Extensions may allow a privileged user to potentially enable information disclosure via local access.(CVE-2022-38090)\n\nInformation exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.(CVE-2022-40982)",
+    "cves": [
+      {
+        "id": "CVE-2022-40982",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40982",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1095": {
+    "id": "openEuler-SA-2023-1095",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1095",
+    "title": "An update for apr is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "The mission of the Apache Portable Runtime (APR) project is to create and maintain software libraries that provide a predictable and consistent interface to underlying platform-specific implementations. The primary goal is to provide an API to which software developers may code and be assured of predictable if not identical behaviour regardless of the platform on which their software is built, relieving them of the need to code special-case conditions to work around or take advantage of platform-specific deficiencies or features.\r\n\r\nSecurity Fix(es):\r\n\r\nInteger Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime (APR) version 1.7.0.(CVE-2022-24963)",
+    "cves": [
+      {
+        "id": "CVE-2022-24963",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24963",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1647": {
+    "id": "openEuler-SA-2024-1647",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1647",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni2c: mlxbf: prevent stack overflow in mlxbf_i2c_smbus_start_transaction()\r\n\r\nmemcpy() is called in a loop while 'operation->length' upper bound\nis not checked and 'data_idx' also increments.(CVE-2022-48632)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm/slub: fix to return errno if kmalloc() fails\r\n\r\nIn create_unique_id(), kmalloc(, GFP_KERNEL) can fail due to\nout-of-memory, if it fails, return errno correctly rather than\ntriggering panic via BUG_ON();\r\n\r\nkernel BUG at mm/slub.c:5893!\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\r\n\r\nCall trace:\n sysfs_slab_add+0x258/0x260 mm/slub.c:5973\n __kmem_cache_create+0x60/0x118 mm/slub.c:4899\n create_cache mm/slab_common.c:229 [inline]\n kmem_cache_create_usercopy+0x19c/0x31c mm/slab_common.c:335\n kmem_cache_create+0x1c/0x28 mm/slab_common.c:390\n f2fs_kmem_cache_create fs/f2fs/f2fs.h:2766 [inline]\n f2fs_init_xattr_caches+0x78/0xb4 fs/f2fs/xattr.c:808\n f2fs_fill_super+0x1050/0x1e0c fs/f2fs/super.c:4149\n mount_bdev+0x1b8/0x210 fs/super.c:1400\n f2fs_mount+0x44/0x58 fs/f2fs/super.c:4512\n legacy_get_tree+0x30/0x74 fs/fs_context.c:610\n vfs_get_tree+0x40/0x140 fs/super.c:1530\n do_new_mount+0x1dc/0x4e4 fs/namespace.c:3040\n path_mount+0x358/0x914 fs/namespace.c:3370\n do_mount fs/namespace.c:3383 [inline]\n __do_sys_mount fs/namespace.c:3591 [inline]\n __se_sys_mount fs/namespace.c:3568 [inline]\n __arm64_sys_mount+0x2f8/0x408 fs/namespace.c:3568(CVE-2022-48659)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngpiolib: cdev: Set lineevent_state::irq after IRQ register successfully\r\n\r\nWhen running gpio test on nxp-ls1028 platform with below command\ngpiomon --num-events=3 --rising-edge gpiochip1 25\nThere will be a warning trace as below:\nCall trace:\nfree_irq+0x204/0x360\nlineevent_free+0x64/0x70\ngpio_ioctl+0x598/0x6a0\n__arm64_sys_ioctl+0xb4/0x100\ninvoke_syscall+0x5c/0x130\n......\nel0t_64_sync+0x1a0/0x1a4\nThe reason of this issue is that calling request_threaded_irq()\nfunction failed, and then lineevent_free() is invoked to release\nthe resource. Since the lineevent_state::irq was already set, so\nthe subsequent invocation of free_irq() would trigger the above\nwarning call trace. To fix this issue, set the lineevent_state::irq\nafter the IRQ register successfully.(CVE-2022-48660)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbinder: fix race between mmput() and do_exit()\r\n\r\nTask A calls binder_update_page_range() to allocate and insert pages on\na remote address space from Task B. For this, Task A pins the remote mm\nvia mmget_not_zero() first. This can race with Task B do_exit() and the\nfinal mmput() refcount decrement will come from Task A.\r\n\r\n  Task A            | Task B\n  ------------------+------------------\n  mmget_not_zero()  |\n                    |  do_exit()\n                    |    exit_mm()\n                    |      mmput()\n  mmput()           |\n    exit_mmap()     |\n      remove_vma()  |\n        fput()      |\r\n\r\nIn this case, the work of ____fput() from Task B is queued up in Task A\nas TWA_RESUME. So in theory, Task A returns to userspace and the cleanup\nwork gets executed. However, Task A instead sleep, waiting for a reply\nfrom Task B that never comes (it's dead).\r\n\r\nThis means the binder_deferred_release() is blocked until an unrelated\nbinder event forces Task A to go back to userspace. All the associated\ndeath notifications will also be delayed until then.\r\n\r\nIn order to fix this use mmput_async() that will schedule the work in\nthe corresponding mm->async_put_work WQ instead of Task A.(CVE-2023-52609)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhwrng: core - Fix page fault dead lock on mmap-ed hwrng\r\n\r\nThere is a dead-lock in the hwrng device read path.  This triggers\nwhen the user reads from /dev/hwrng into memory also mmap-ed from\n/dev/hwrng.  The resulting page fault triggers a recursive read\nwhich then dead-locks.\r\n\r\nFix this by using a stack buffer when calling copy_to_user.(CVE-2023-52615)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init\r\n\r\nWhen the mpi_ec_ctx structure is initialized, some fields are not\ncleared, causing a crash when referencing the field when the\nstructure was released. Initially, this issue was ignored because\nmemory for mpi_ec_ctx is allocated with the __GFP_ZERO flag.\nFor example, this error will be triggered when calculating the\nZa value for SM2 separately.(CVE-2023-52616)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblock/rnbd-srv: Check for unlikely string overflow\r\n\r\nSince \"dev_search_path\" can technically be as large as PATH_MAX,\nthere was a risk of truncation when copying it and a second string\ninto \"full_path\" since it was also PATH_MAX sized. The W=1 builds were\nreporting this warning:\r\n\r\ndrivers/block/rnbd/rnbd-srv.c: In function 'process_msg_open.isra':\ndrivers/block/rnbd/rnbd-srv.c:616:51: warning: '%s' directive output may be truncated writing up to 254 bytes into a region of size between 0 and 4095 [-Wformat-truncation=]\n  616 |                 snprintf(full_path, PATH_MAX, \"%s/%s\",\n      |                                                   ^~\nIn function 'rnbd_srv_get_full_path',\n    inlined from 'process_msg_open.isra' at drivers/block/rnbd/rnbd-srv.c:721:14: drivers/block/rnbd/rnbd-srv.c:616:17: note: 'snprintf' output between 2 and 4351 bytes into a destination of size 4096\n  616 |                 snprintf(full_path, PATH_MAX, \"%s/%s\",\n      |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n  617 |                          dev_search_path, dev_name);\n      |                          ~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\nTo fix this, unconditionally check for truncation (as was already done\nfor the case where \"%SESSNAME%\" was present).(CVE-2023-52618)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: disallow timeout for anonymous sets\r\n\r\nNever used from userspace, disallow these parameters.(CVE-2023-52620)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Check rcu_read_lock_trace_held() before calling bpf map helpers\r\n\r\nThese three bpf_map_{lookup,update,delete}_elem() helpers are also\navailable for sleepable bpf program, so add the corresponding lock\nassertion for sleepable bpf program, otherwise the following warning\nwill be reported when a sleepable bpf program manipulates bpf map under\ninterpreter mode (aka bpf_jit_enable=0):\r\n\r\n  WARNING: CPU: 3 PID: 4985 at kernel/bpf/helpers.c:40 ......\n  CPU: 3 PID: 4985 Comm: test_progs Not tainted 6.6.0+ #2\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\n  RIP: 0010:bpf_map_lookup_elem+0x54/0x60\n  ......\n  Call Trace:\n   <TASK>\n   ? __warn+0xa5/0x240\n   ? bpf_map_lookup_elem+0x54/0x60\n   ? report_bug+0x1ba/0x1f0\n   ? handle_bug+0x40/0x80\n   ? exc_invalid_op+0x18/0x50\n   ? asm_exc_invalid_op+0x1b/0x20\n   ? __pfx_bpf_map_lookup_elem+0x10/0x10\n   ? rcu_lockdep_current_cpu_online+0x65/0xb0\n   ? rcu_is_watching+0x23/0x50\n   ? bpf_map_lookup_elem+0x54/0x60\n   ? __pfx_bpf_map_lookup_elem+0x10/0x10\n   ___bpf_prog_run+0x513/0x3b70\n   __bpf_prog_run32+0x9d/0xd0\n   ? __bpf_prog_enter_sleepable_recur+0xad/0x120\n   ? __bpf_prog_enter_sleepable_recur+0x3e/0x120\n   bpf_trampoline_6442580665+0x4d/0x1000\n   __x64_sys_getpgid+0x5/0x30\n   ? do_syscall_64+0x36/0xb0\n   entry_SYSCALL_64_after_hwframe+0x6e/0x76\n   </TASK>(CVE-2023-52621)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nSUNRPC: Fix a suspicious RCU usage warning\r\n\r\nI received the following warning while running cthon against an ontap\nserver running pNFS:\r\n\r\n[   57.202521] =============================\n[   57.202522] WARNING: suspicious RCU usage\n[   57.202523] 6.7.0-rc3-g2cc14f52aeb7 #41492 Not tainted\n[   57.202525] -----------------------------\n[   57.202525] net/sunrpc/xprtmultipath.c:349 RCU-list traversed in non-reader section!!\n[   57.202527]\n               other info that might help us debug this:\r\n\r\n[   57.202528]\n               rcu_scheduler_active = 2, debug_locks = 1\n[   57.202529] no locks held by test5/3567.\n[   57.202530]\n               stack backtrace:\n[   57.202532] CPU: 0 PID: 3567 Comm: test5 Not tainted 6.7.0-rc3-g2cc14f52aeb7 #41492 5b09971b4965c0aceba19f3eea324a4a806e227e\n[   57.202534] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 2/2/2022\n[   57.202536] Call Trace:\n[   57.202537]  <TASK>\n[   57.202540]  dump_stack_lvl+0x77/0xb0\n[   57.202551]  lockdep_rcu_suspicious+0x154/0x1a0\n[   57.202556]  rpc_xprt_switch_has_addr+0x17c/0x190 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202596]  rpc_clnt_setup_test_and_add_xprt+0x50/0x180 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202621]  ? rpc_clnt_add_xprt+0x254/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202646]  rpc_clnt_add_xprt+0x27a/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202671]  ? __pfx_rpc_clnt_setup_test_and_add_xprt+0x10/0x10 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202696]  nfs4_pnfs_ds_connect+0x345/0x760 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202728]  ? __pfx_nfs4_test_session_trunk+0x10/0x10 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202754]  nfs4_fl_prepare_ds+0x75/0xc0 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]\n[   57.202760]  filelayout_write_pagelist+0x4a/0x200 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]\n[   57.202765]  pnfs_generic_pg_writepages+0xbe/0x230 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202788]  __nfs_pageio_add_request+0x3fd/0x520 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202813]  nfs_pageio_add_request+0x18b/0x390 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202831]  nfs_do_writepage+0x116/0x1e0 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202849]  nfs_writepages_callback+0x13/0x30 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202866]  write_cache_pages+0x265/0x450\n[   57.202870]  ? __pfx_nfs_writepages_callback+0x10/0x10 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202891]  nfs_writepages+0x141/0x230 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202913]  do_writepages+0xd2/0x230\n[   57.202917]  ? filemap_fdatawrite_wbc+0x5c/0x80\n[   57.202921]  filemap_fdatawrite_wbc+0x67/0x80\n[   57.202924]  filemap_write_and_wait_range+0xd9/0x170\n[   57.202930]  nfs_wb_all+0x49/0x180 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202947]  nfs4_file_flush+0x72/0xb0 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202969]  __se_sys_close+0x46/0xd0\n[   57.202972]  do_syscall_64+0x68/0x100\n[   57.202975]  ? do_syscall_64+0x77/0x100\n[   57.202976]  ? do_syscall_64+0x77/0x100\n[   57.202979]  entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[   57.202982] RIP: 0033:0x7fe2b12e4a94\n[   57.202985] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d d5 18 0e 00 00 74 13 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 44 c3 0f 1f 00 48 83 ec 18 89 7c 24 0c e8 c3\n[   57.202987] RSP: 002b:00007ffe857ddb38 EFLAGS: 00000202 ORIG_RAX: 0000000000000003\n[   57.202989] RAX: ffffffffffffffda RBX: 00007ffe857dfd68 RCX: 00007fe2b12e4a94\n[   57.202991] RDX: 0000000000002000 RSI: 00007ffe857ddc40 RDI: 0000000000000003\n[   57.202992] RBP: 00007ffe857dfc50 R08: 7fffffffffffffff R09: 0000000065650f49\n[   57.202993] R10: 00007f\n---truncated---(CVE-2023-52623)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsh: push-switch: Reorder cleanup operations to avoid use-after-free bug\r\n\r\nThe original code puts flush_work() before timer_shutdown_sync()\nin switch_drv_remove(). Although we use flush_work() to stop\nthe worker, it could be rescheduled in switch_timer(). As a result,\na use-after-free bug can occur. The details are shown below:\r\n\r\n      (cpu 0)                    |      (cpu 1)\nswitch_drv_remove()              |\n flush_work()                    |\n  ...                            |  switch_timer // timer\n                                 |   schedule_work(&psw->work)\n timer_shutdown_sync()           |\n ...                             |  switch_work_handler // worker\n kfree(psw) // free              |\n                                 |   psw->state = 0 // use\r\n\r\nThis patch puts timer_shutdown_sync() before flush_work() to\nmitigate the bugs. As a result, the worker and timer will be\nstopped safely before the deallocate operations.(CVE-2023-52629)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2023-52630)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\num: time-travel: fix time corruption\r\n\r\nIn 'basic' time-travel mode (without =inf-cpu or =ext), we\nstill get timer interrupts. These can happen at arbitrary\npoints in time, i.e. while in timer_read(), which pushes\ntime forward just a little bit. Then, if we happen to get\nthe interrupt after calculating the new time to push to,\nbut before actually finishing that, the interrupt will set\nthe time to a value that's incompatible with the forward,\nand we'll crash because time goes backwards when we do the\nforwarding.\r\n\r\nFix this by reading the time_travel_time, calculating the\nadjustment, and doing the adjustment all with interrupts\ndisabled.(CVE-2023-52633)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nPM / devfreq: Synchronize devfreq_monitor_[start/stop]\r\n\r\nThere is a chance if a frequent switch of the governor\ndone in a loop result in timer list corruption where\ntimer cancel being done from two place one from\ncancel_delayed_work_sync() and followed by expire_timers()\ncan be seen from the traces[1].\r\n\r\nwhile true\ndo\n        echo \"simple_ondemand\" > /sys/class/devfreq/1d84000.ufshc/governor\n        echo \"performance\" > /sys/class/devfreq/1d84000.ufshc/governor\ndone\r\n\r\nIt looks to be issue with devfreq driver where\ndevice_monitor_[start/stop] need to synchronized so that\ndelayed work should get corrupted while it is either\nbeing queued or running or being cancelled.\r\n\r\nLet's use polling flag and devfreq lock to synchronize the\nqueueing the timer instance twice and work data being\ncorrupted.\r\n\r\n[1]\n...\n..\n<idle>-0    [003]   9436.209662:  timer_cancel   timer=0xffffff80444f0428\n<idle>-0    [003]   9436.209664:  timer_expire_entry   timer=0xffffff80444f0428  now=0x10022da1c  function=__typeid__ZTSFvP10timer_listE_global_addr  baseclk=0x10022da1c\n<idle>-0    [003]   9436.209718:  timer_expire_exit   timer=0xffffff80444f0428\nkworker/u16:6-14217    [003]   9436.209863:  timer_start   timer=0xffffff80444f0428  function=__typeid__ZTSFvP10timer_listE_global_addr  expires=0x10022da2b  now=0x10022da1c  flags=182452227\nvendor.xxxyyy.ha-1593    [004]   9436.209888:  timer_cancel   timer=0xffffff80444f0428\nvendor.xxxyyy.ha-1593    [004]   9436.216390:  timer_init   timer=0xffffff80444f0428\nvendor.xxxyyy.ha-1593    [004]   9436.216392:  timer_start   timer=0xffffff80444f0428  function=__typeid__ZTSFvP10timer_listE_global_addr  expires=0x10022da2c  now=0x10022da1d  flags=186646532\nvendor.xxxyyy.ha-1593    [005]   9436.220992:  timer_cancel   timer=0xffffff80444f0428\nxxxyyyTraceManag-7795    [004]   9436.261641:  timer_cancel   timer=0xffffff80444f0428\r\n\r\n[2]\r\n\r\n 9436.261653][    C4] Unable to handle kernel paging request at virtual address dead00000000012a\n[ 9436.261664][    C4] Mem abort info:\n[ 9436.261666][    C4]   ESR = 0x96000044\n[ 9436.261669][    C4]   EC = 0x25: DABT (current EL), IL = 32 bits\n[ 9436.261671][    C4]   SET = 0, FnV = 0\n[ 9436.261673][    C4]   EA = 0, S1PTW = 0\n[ 9436.261675][    C4] Data abort info:\n[ 9436.261677][    C4]   ISV = 0, ISS = 0x00000044\n[ 9436.261680][    C4]   CM = 0, WnR = 1\n[ 9436.261682][    C4] [dead00000000012a] address between user and kernel address ranges\n[ 9436.261685][    C4] Internal error: Oops: 96000044 [#1] PREEMPT SMP\n[ 9436.261701][    C4] Skip md ftrace buffer dump for: 0x3a982d0\n...\r\n\r\n[ 9436.262138][    C4] CPU: 4 PID: 7795 Comm: TraceManag Tainted: G S      W  O      5.10.149-android12-9-o-g17f915d29d0c #1\n[ 9436.262141][    C4] Hardware name: Qualcomm Technologies, Inc.  (DT)\n[ 9436.262144][    C4] pstate: 22400085 (nzCv daIf +PAN -UAO +TCO BTYPE=--)\n[ 9436.262161][    C4] pc : expire_timers+0x9c/0x438\n[ 9436.262164][    C4] lr : expire_timers+0x2a4/0x438\n[ 9436.262168][    C4] sp : ffffffc010023dd0\n[ 9436.262171][    C4] x29: ffffffc010023df0 x28: ffffffd0636fdc18\n[ 9436.262178][    C4] x27: ffffffd063569dd0 x26: ffffffd063536008\n[ 9436.262182][    C4] x25: 0000000000000001 x24: ffffff88f7c69280\n[ 9436.262185][    C4] x23: 00000000000000e0 x22: dead000000000122\n[ 9436.262188][    C4] x21: 000000010022da29 x20: ffffff8af72b4e80\n[ 9436.262191][    C4] x19: ffffffc010023e50 x18: ffffffc010025038\n[ 9436.262195][    C4] x17: 0000000000000240 x16: 0000000000000201\n[ 9436.262199][    C4] x15: ffffffffffffffff x14: ffffff889f3c3100\n[ 9436.262203][    C4] x13: ffffff889f3c3100 x12: 00000000049f56b8\n[ 9436.262207][    C4] x11: 00000000049f56b8 x10: 00000000ffffffff\n[ 9436.262212][    C4] x9 : ffffffc010023e50 x8 : dead000000000122\n[ 9436.262216][    C4] x7 : ffffffffffffffff x6 : ffffffc0100239d8\n[ 9436.262220][    C4] x5 : 0000000000000000 x4 : 0000000000000101\n[ 9436.262223][    C4] x3 : 0000000000000080 x2 : ffffff8\n---truncated---(CVE-2023-52635)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncan: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)\r\n\r\nLock jsk->sk to prevent UAF when setsockopt(..., SO_J1939_FILTER, ...)\nmodifies jsk->filters while receiving packets.\r\n\r\nFollowing trace was seen on affected system:\n ==================================================================\n BUG: KASAN: slab-use-after-free in j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n Read of size 4 at addr ffff888012144014 by task j1939/350\r\n\r\n CPU: 0 PID: 350 Comm: j1939 Tainted: G        W  OE      6.5.0-rc5 #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n Call Trace:\n  print_report+0xd3/0x620\n  ? kasan_complete_mode_report_info+0x7d/0x200\n  ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n  kasan_report+0xc2/0x100\n  ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n  __asan_load4+0x84/0xb0\n  j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n  j1939_sk_recv+0x20b/0x320 [can_j1939]\n  ? __kasan_check_write+0x18/0x20\n  ? __pfx_j1939_sk_recv+0x10/0x10 [can_j1939]\n  ? j1939_simple_recv+0x69/0x280 [can_j1939]\n  ? j1939_ac_recv+0x5e/0x310 [can_j1939]\n  j1939_can_recv+0x43f/0x580 [can_j1939]\n  ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]\n  ? raw_rcv+0x42/0x3c0 [can_raw]\n  ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]\n  can_rcv_filter+0x11f/0x350 [can]\n  can_receive+0x12f/0x190 [can]\n  ? __pfx_can_rcv+0x10/0x10 [can]\n  can_rcv+0xdd/0x130 [can]\n  ? __pfx_can_rcv+0x10/0x10 [can]\n  __netif_receive_skb_one_core+0x13d/0x150\n  ? __pfx___netif_receive_skb_one_core+0x10/0x10\n  ? __kasan_check_write+0x18/0x20\n  ? _raw_spin_lock_irq+0x8c/0xe0\n  __netif_receive_skb+0x23/0xb0\n  process_backlog+0x107/0x260\n  __napi_poll+0x69/0x310\n  net_rx_action+0x2a1/0x580\n  ? __pfx_net_rx_action+0x10/0x10\n  ? __pfx__raw_spin_lock+0x10/0x10\n  ? handle_irq_event+0x7d/0xa0\n  __do_softirq+0xf3/0x3f8\n  do_softirq+0x53/0x80\n  </IRQ>\n  <TASK>\n  __local_bh_enable_ip+0x6e/0x70\n  netif_rx+0x16b/0x180\n  can_send+0x32b/0x520 [can]\n  ? __pfx_can_send+0x10/0x10 [can]\n  ? __check_object_size+0x299/0x410\n  raw_sendmsg+0x572/0x6d0 [can_raw]\n  ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]\n  ? apparmor_socket_sendmsg+0x2f/0x40\n  ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]\n  sock_sendmsg+0xef/0x100\n  sock_write_iter+0x162/0x220\n  ? __pfx_sock_write_iter+0x10/0x10\n  ? __rtnl_unlock+0x47/0x80\n  ? security_file_permission+0x54/0x320\n  vfs_write+0x6ba/0x750\n  ? __pfx_vfs_write+0x10/0x10\n  ? __fget_light+0x1ca/0x1f0\n  ? __rcu_read_unlock+0x5b/0x280\n  ksys_write+0x143/0x170\n  ? __pfx_ksys_write+0x10/0x10\n  ? __kasan_check_read+0x15/0x20\n  ? fpregs_assert_state_consistent+0x62/0x70\n  __x64_sys_write+0x47/0x60\n  do_syscall_64+0x60/0x90\n  ? do_syscall_64+0x6d/0x90\n  ? irqentry_exit+0x3f/0x50\n  ? exc_page_fault+0x79/0xf0\n  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\r\n\r\n Allocated by task 348:\n  kasan_save_stack+0x2a/0x50\n  kasan_set_track+0x29/0x40\n  kasan_save_alloc_info+0x1f/0x30\n  __kasan_kmalloc+0xb5/0xc0\n  __kmalloc_node_track_caller+0x67/0x160\n  j1939_sk_setsockopt+0x284/0x450 [can_j1939]\n  __sys_setsockopt+0x15c/0x2f0\n  __x64_sys_setsockopt+0x6b/0x80\n  do_syscall_64+0x60/0x90\n  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\r\n\r\n Freed by task 349:\n  kasan_save_stack+0x2a/0x50\n  kasan_set_track+0x29/0x40\n  kasan_save_free_info+0x2f/0x50\n  __kasan_slab_free+0x12e/0x1c0\n  __kmem_cache_free+0x1b9/0x380\n  kfree+0x7a/0x120\n  j1939_sk_setsockopt+0x3b2/0x450 [can_j1939]\n  __sys_setsockopt+0x15c/0x2f0\n  __x64_sys_setsockopt+0x6b/0x80\n  do_syscall_64+0x60/0x90\n  entry_SYSCALL_64_after_hwframe+0x6e/0xd8(CVE-2023-52637)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: s390: vsie: fix race during shadow creation\r\n\r\nRight now it is possible to see gmap->private being zero in\nkvm_s390_vsie_gmap_notifier resulting in a crash.  This is due to the\nfact that we add gmap->private == kvm after creation:\r\n\r\nstatic int acquire_gmap_shadow(struct kvm_vcpu *vcpu,\n                               struct vsie_page *vsie_page)\n{\n[...]\n        gmap = gmap_shadow(vcpu->arch.gmap, asce, edat);\n        if (IS_ERR(gmap))\n                return PTR_ERR(gmap);\n        gmap->private = vcpu->kvm;\r\n\r\nLet children inherit the private field of the parent.(CVE-2023-52639)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled\r\n\r\nWhen QoS is disabled, the queue priority value will not map to the correct\nieee80211 queue since there is only one queue. Stop/wake queue 0 when QoS\nis disabled to prevent trying to stop/wake a non-existent queue and failing\nto stop/wake the actual queue instantiated.\r\n\r\nLog of issue before change (with kernel parameter qos=0):\n    [  +5.112651] ------------[ cut here ]------------\n    [  +0.000005] WARNING: CPU: 7 PID: 25513 at net/mac80211/util.c:449 __ieee80211_wake_queue+0xd5/0x180 [mac80211]\n    [  +0.000067] Modules linked in: b43(O) snd_seq_dummy snd_hrtimer snd_seq snd_seq_device nft_chain_nat xt_MASQUERADE nf_nat xfrm_user xfrm_algo xt_addrtype overlay ccm af_packet amdgpu snd_hda_codec_cirrus snd_hda_codec_generic ledtrig_audio drm_exec amdxcp gpu_sched xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_rpfilter ipt_rpfilter xt_pkttype xt_LOG nf_log_syslog xt_tcpudp nft_compat nf_tables nfnetlink sch_fq_codel btusb uinput iTCO_wdt ctr btrtl intel_pmc_bxt i915 intel_rapl_msr mei_hdcp mei_pxp joydev at24 watchdog btintel atkbd libps2 serio radeon btbcm vivaldi_fmap btmtk intel_rapl_common snd_hda_codec_hdmi bluetooth uvcvideo nls_iso8859_1 applesmc nls_cp437 x86_pkg_temp_thermal snd_hda_intel intel_powerclamp vfat videobuf2_vmalloc coretemp fat snd_intel_dspcfg crc32_pclmul uvc polyval_clmulni snd_intel_sdw_acpi loop videobuf2_memops snd_hda_codec tun drm_suballoc_helper polyval_generic drm_ttm_helper drm_buddy tap ecdh_generic videobuf2_v4l2 gf128mul macvlan ttm ghash_clmulni_intel ecc tg3\n    [  +0.000044]  videodev bridge snd_hda_core rapl crc16 drm_display_helper cec mousedev snd_hwdep evdev intel_cstate bcm5974 hid_appleir videobuf2_common stp mac_hid libphy snd_pcm drm_kms_helper acpi_als mei_me intel_uncore llc mc snd_timer intel_gtt industrialio_triggered_buffer apple_mfi_fastcharge i2c_i801 mei snd lpc_ich agpgart ptp i2c_smbus thunderbolt apple_gmux i2c_algo_bit kfifo_buf video industrialio soundcore pps_core wmi tiny_power_button sbs sbshc button ac cordic bcma mac80211 cfg80211 ssb rfkill libarc4 kvm_intel kvm drm irqbypass fuse backlight firmware_class efi_pstore configfs efivarfs dmi_sysfs ip_tables x_tables autofs4 dm_crypt cbc encrypted_keys trusted asn1_encoder tee tpm rng_core input_leds hid_apple led_class hid_generic usbhid hid sd_mod t10_pi crc64_rocksoft crc64 crc_t10dif crct10dif_generic ahci libahci libata uhci_hcd ehci_pci ehci_hcd crct10dif_pclmul crct10dif_common sha512_ssse3 sha512_generic sha256_ssse3 sha1_ssse3 aesni_intel usbcore scsi_mod libaes crypto_simd cryptd scsi_common\n    [  +0.000055]  usb_common rtc_cmos btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq dm_snapshot dm_bufio dm_mod dax [last unloaded: b43(O)]\n    [  +0.000009] CPU: 7 PID: 25513 Comm: irq/17-b43 Tainted: G        W  O       6.6.7 #1-NixOS\n    [  +0.000003] Hardware name: Apple Inc. MacBookPro8,3/Mac-942459F5819B171B, BIOS 87.0.0.0.0 06/13/2019\n    [  +0.000001] RIP: 0010:__ieee80211_wake_queue+0xd5/0x180 [mac80211]\n    [  +0.000046] Code: 00 45 85 e4 0f 85 9b 00 00 00 48 8d bd 40 09 00 00 f0 48 0f ba ad 48 09 00 00 00 72 0f 5b 5d 41 5c 41 5d 41 5e e9 cb 6d 3c d0 <0f> 0b 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc 48 8d b4 16 94 00 00\n    [  +0.000002] RSP: 0018:ffffc90003c77d60 EFLAGS: 00010097\n    [  +0.000001] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 0000000000000000\n    [  +0.000001] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff88820b924900\n    [  +0.000002] RBP: ffff88820b924900 R08: ffffc90003c77d90 R09: 000000000003bfd0\n    [  +0.000001] R10: ffff88820b924900 R11: ffffc90003c77c68 R12: 0000000000000000\n    [  +0.000001] R13: 0000000000000000 R14: ffffc90003c77d90 R15: ffffffffc0fa6f40\n    [  +0.000001] FS:  0000000000000000(0000) GS:ffff88846fb80000(0000) knlGS:0000000000000000\n    [  +0.000001] CS:  0010 DS: 0\n---truncated---(CVE-2023-52644)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: aqc111: check packet for fixup for true limit\r\n\r\nIf a device sends a packet that is inbetween 0\nand sizeof(u64) the value passed to skb_trim()\nas length will wrap around ending up as some very\nlarge value.\r\n\r\nThe driver will then proceed to parse the header\nlocated at that position, which will either oops or\nprocess some random value.\r\n\r\nThe fix is to check against sizeof(u64) rather than\n0, which the driver currently does. The issue exists\nsince the introduction of the driver.(CVE-2023-52655)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/imc-pmu: Add a null pointer check in update_events_in_group()\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.(CVE-2023-52675)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Guard stack limits against 32bit overflow\r\n\r\nThis patch promotes the arithmetic around checking stack bounds to be\ndone in the 64-bit domain, instead of the current 32bit. The arithmetic\nimplies adding together a 64-bit register with a int offset. The\nregister was checked to be below 1<<29 when it was variable, but not\nwhen it was fixed. The offset either comes from an instruction (in which\ncase it is 16 bit), from another register (in which case the caller\nchecked it to be below 1<<29 [1]), or from the size of an argument to a\nkfunc (in which case it can be a u32 [2]). Between the register being\ninconsistently checked to be below 1<<29, and the offset being up to an\nu32, it appears that we were open to overflowing the `int`s which were\ncurrently used for arithmetic.\r\n\r\n[1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L7494-L7498\n[2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L11904(CVE-2023-52676)\r\n\r\n\r\nA race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\r\n\r\n\r\n\r\n\n(CVE-2024-24860)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: iwlwifi: fix a memory corruption\r\n\r\niwl_fw_ini_trigger_tlv::data is a pointer to a __le32, which means that\nif we copy to iwl_fw_ini_trigger_tlv::data + offset while offset is in\nbytes, we'll write past the buffer.(CVE-2024-26610)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()\r\n\r\nsyzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken.\r\n\r\nReading frag_off can only be done if we pulled enough bytes\nto skb->head. Currently we might access garbage.\r\n\r\n[1]\nBUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0\nip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0\nipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]\nip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432\n__netdev_start_xmit include/linux/netdevice.h:4940 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4954 [inline]\nxmit_one net/core/dev.c:3548 [inline]\ndev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\nneigh_connected_output+0x569/0x660 net/core/neighbour.c:1592\nneigh_output include/net/neighbour.h:542 [inline]\nip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137\nip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222\nNF_HOOK_COND include/linux/netfilter.h:303 [inline]\nip6_output+0x323/0x610 net/ipv6/ip6_output.c:243\ndst_output include/net/dst.h:451 [inline]\nip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155\nip6_send_skb net/ipv6/ip6_output.c:1952 [inline]\nip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972\nrawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582\nrawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920\ninet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg net/socket.c:745 [inline]\n____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n__sys_sendmsg net/socket.c:2667 [inline]\n__do_sys_sendmsg net/socket.c:2676 [inline]\n__se_sys_sendmsg net/socket.c:2674 [inline]\n__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was created at:\nslab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\nslab_alloc_node mm/slub.c:3478 [inline]\n__kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517\n__do_kmalloc_node mm/slab_common.c:1006 [inline]\n__kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027\nkmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582\npskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098\n__pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655\npskb_may_pull_reason include/linux/skbuff.h:2673 [inline]\npskb_may_pull include/linux/skbuff.h:2681 [inline]\nip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408\nipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]\nip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432\n__netdev_start_xmit include/linux/netdevice.h:4940 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4954 [inline]\nxmit_one net/core/dev.c:3548 [inline]\ndev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\nneigh_connected_output+0x569/0x660 net/core/neighbour.c:1592\nneigh_output include/net/neighbour.h:542 [inline]\nip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137\nip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222\nNF_HOOK_COND include/linux/netfilter.h:303 [inline]\nip6_output+0x323/0x610 net/ipv6/ip6_output.c:243\ndst_output include/net/dst.h:451 [inline]\nip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155\nip6_send_skb net/ipv6/ip6_output.c:1952 [inline]\nip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972\nrawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582\nrawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920\ninet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg net/socket.c:745 [inline]\n____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n__sys_sendmsg net/socket.c:2667 [inline]\n__do_sys_sendms\n---truncated---(CVE-2024-26633)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nllc: Drop support for ETH_P_TR_802_2.\r\n\r\nsyzbot reported an uninit-value bug below. [0]\r\n\r\nllc supports ETH_P_802_2 (0x0004) and used to support ETH_P_TR_802_2\n(0x0011), and syzbot abused the latter to trigger the bug.\r\n\r\n  write$tun(r0, &(0x7f0000000040)={@val={0x0, 0x11}, @val, @mpls={[], @llc={@snap={0xaa, 0x1, ')', \"90e5dd\"}}}}, 0x16)\r\n\r\nllc_conn_handler() initialises local variables {saddr,daddr}.mac\nbased on skb in llc_pdu_decode_sa()/llc_pdu_decode_da() and passes\nthem to __llc_lookup().\r\n\r\nHowever, the initialisation is done only when skb->protocol is\nhtons(ETH_P_802_2), otherwise, __llc_lookup_established() and\n__llc_lookup_listener() will read garbage.\r\n\r\nThe missing initialisation existed prior to commit 211ed865108e\n(\"net: delete all instances of special processing for token ring\").\r\n\r\nIt removed the part to kick out the token ring stuff but forgot to\nclose the door allowing ETH_P_TR_802_2 packets to sneak into llc_rcv().\r\n\r\nLet's remove llc_tr_packet_type and complete the deprecation.\r\n\r\n[0]:\nBUG: KMSAN: uninit-value in __llc_lookup_established+0xe9d/0xf90\n __llc_lookup_established+0xe9d/0xf90\n __llc_lookup net/llc/llc_conn.c:611 [inline]\n llc_conn_handler+0x4bd/0x1360 net/llc/llc_conn.c:791\n llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206\n __netif_receive_skb_one_core net/core/dev.c:5527 [inline]\n __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5641\n netif_receive_skb_internal net/core/dev.c:5727 [inline]\n netif_receive_skb+0x58/0x660 net/core/dev.c:5786\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\n tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2020 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x8ef/0x1490 fs/read_write.c:584\n ksys_write+0x20f/0x4c0 fs/read_write.c:637\n __do_sys_write fs/read_write.c:649 [inline]\n __se_sys_write fs/read_write.c:646 [inline]\n __x64_sys_write+0x93/0xd0 fs/read_write.c:646\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nLocal variable daddr created at:\n llc_conn_handler+0x53/0x1360 net/llc/llc_conn.c:783\n llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206\r\n\r\nCPU: 1 PID: 5004 Comm: syz-executor994 Not tainted 6.6.0-syzkaller-14500-g1c41041124bd #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023(CVE-2024-26635)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nllc: make llc_ui_sendmsg() more robust against bonding changes\r\n\r\nsyzbot was able to trick llc_ui_sendmsg(), allocating an skb with no\nheadroom, but subsequently trying to push 14 bytes of Ethernet header [1]\r\n\r\nLike some others, llc_ui_sendmsg() releases the socket lock before\ncalling sock_alloc_send_skb().\nThen it acquires it again, but does not redo all the sanity checks\nthat were performed.\r\n\r\nThis fix:\r\n\r\n- Uses LL_RESERVED_SPACE() to reserve space.\n- Check all conditions again after socket lock is held again.\n- Do not account Ethernet header for mtu limitation.\r\n\r\n[1]\r\n\r\nskbuff: skb_under_panic: text:ffff800088baa334 len:1514 put:14 head:ffff0000c9c37000 data:ffff0000c9c36ff2 tail:0x5dc end:0x6c0 dev:bond0\r\n\r\n kernel BUG at net/core/skbuff.c:193 !\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\nModules linked in:\nCPU: 0 PID: 6875 Comm: syz-executor.0 Not tainted 6.7.0-rc8-syzkaller-00101-g0802e17d9aca-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : skb_panic net/core/skbuff.c:189 [inline]\n pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203\n lr : skb_panic net/core/skbuff.c:189 [inline]\n lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203\nsp : ffff800096f97000\nx29: ffff800096f97010 x28: ffff80008cc8d668 x27: dfff800000000000\nx26: ffff0000cb970c90 x25: 00000000000005dc x24: ffff0000c9c36ff2\nx23: ffff0000c9c37000 x22: 00000000000005ea x21: 00000000000006c0\nx20: 000000000000000e x19: ffff800088baa334 x18: 1fffe000368261ce\nx17: ffff80008e4ed000 x16: ffff80008a8310f8 x15: 0000000000000001\nx14: 1ffff00012df2d58 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000001 x10: 0000000000ff0100 x9 : e28a51f1087e8400\nx8 : e28a51f1087e8400 x7 : ffff80008028f8d0 x6 : 0000000000000000\nx5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff800082b78714\nx2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000089\nCall trace:\n  skb_panic net/core/skbuff.c:189 [inline]\n  skb_under_panic+0x13c/0x140 net/core/skbuff.c:203\n  skb_push+0xf0/0x108 net/core/skbuff.c:2451\n  eth_header+0x44/0x1f8 net/ethernet/eth.c:83\n  dev_hard_header include/linux/netdevice.h:3188 [inline]\n  llc_mac_hdr_init+0x110/0x17c net/llc/llc_output.c:33\n  llc_sap_action_send_xid_c+0x170/0x344 net/llc/llc_s_ac.c:85\n  llc_exec_sap_trans_actions net/llc/llc_sap.c:153 [inline]\n  llc_sap_next_state net/llc/llc_sap.c:182 [inline]\n  llc_sap_state_process+0x1ec/0x774 net/llc/llc_sap.c:209\n  llc_build_and_send_xid_pkt+0x12c/0x1c0 net/llc/llc_sap.c:270\n  llc_ui_sendmsg+0x7bc/0xb1c net/llc/af_llc.c:997\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg net/socket.c:745 [inline]\n  sock_sendmsg+0x194/0x274 net/socket.c:767\n  splice_to_socket+0x7cc/0xd58 fs/splice.c:881\n  do_splice_from fs/splice.c:933 [inline]\n  direct_splice_actor+0xe4/0x1c0 fs/splice.c:1142\n  splice_direct_to_actor+0x2a0/0x7e4 fs/splice.c:1088\n  do_splice_direct+0x20c/0x348 fs/splice.c:1194\n  do_sendfile+0x4bc/0xc70 fs/read_write.c:1254\n  __do_sys_sendfile64 fs/read_write.c:1322 [inline]\n  __se_sys_sendfile64 fs/read_write.c:1308 [inline]\n  __arm64_sys_sendfile64+0x160/0x3b4 fs/read_write.c:1308\n  __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]\n  invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51\n  el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136\n  do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155\n  el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678\n  el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696\n  el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595\nCode: aa1803e6 aa1903e7 a90023f5 94792f6a (d4210000)(CVE-2024-26636)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: add sanity checks to rx zerocopy\r\n\r\nTCP rx zerocopy intent is to map pages initially allocated\nfrom NIC drivers, not pages owned by a fs.\r\n\r\nThis patch adds to can_map_frag() these additional checks:\r\n\r\n- Page must not be a compound one.\n- page->mapping must be NULL.\r\n\r\nThis fixes the panic reported by ZhangPeng.\r\n\r\nsyzbot was able to loopback packets built with sendfile(),\nmapping pages owned by an ext4 file to TCP rx zerocopy.\r\n\r\nr3 = socket$inet_tcp(0x2, 0x1, 0x0)\nmmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0)\nr4 = socket$inet_tcp(0x2, 0x1, 0x0)\nbind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10)\nconnect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10)\nr5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00',\n    0x181e42, 0x0)\nfallocate(r5, 0x0, 0x0, 0x85b8)\nsendfile(r4, r5, 0x0, 0x8ba0)\ngetsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23,\n    &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0,\n    0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40)\nr6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00',\n    0x181e42, 0x0)(CVE-2024-26640)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()\r\n\r\nsyzbot found __ip6_tnl_rcv() could access unitiliazed data [1].\r\n\r\nCall pskb_inet_may_pull() to fix this, and initialize ipv6h\nvariable after this call as it can change skb->head.\r\n\r\n[1]\n BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321\n  __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n  INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n  IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321\n  ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727\n  __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845\n  ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888\n gre_rcv+0x143f/0x1870\n  ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438\n  ip6_input_finish net/ipv6/ip6_input.c:483 [inline]\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\n  ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\n  dst_input include/net/dst.h:461 [inline]\n  ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310\n  __netif_receive_skb_one_core net/core/dev.c:5532 [inline]\n  __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646\n  netif_receive_skb_internal net/core/dev.c:5732 [inline]\n  netif_receive_skb+0x58/0x660 net/core/dev.c:5791\n  tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\n  tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n  call_write_iter include/linux/fs.h:2084 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0x786/0x1200 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was created at:\n  slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n  slab_alloc_node mm/slub.c:3478 [inline]\n  kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n  __alloc_skb+0x318/0x740 net/core/skbuff.c:651\n  alloc_skb include/linux/skbuff.h:1286 [inline]\n  alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334\n  sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787\n  tun_alloc_skb drivers/net/tun.c:1531 [inline]\n  tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n  call_write_iter include/linux/fs.h:2084 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0x786/0x1200 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nCPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023(CVE-2024-26641)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: disallow anonymous set with timeout flag\r\n\r\nAnonymous sets are never used with timeout from userspace, reject this.\nException to this rule is NFT_SET_EVAL to ensure legacy meters still work.(CVE-2024-26642)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntracing: Ensure visibility when inserting an element into tracing_map\r\n\r\nRunning the following two commands in parallel on a multi-processor\nAArch64 machine can sporadically produce an unexpected warning about\nduplicate histogram entries:\r\n\r\n $ while true; do\n     echo hist:key=id.syscall:val=hitcount > \\\n       /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/trigger\n     cat /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/hist\n     sleep 0.001\n   done\n $ stress-ng --sysbadaddr $(nproc)\r\n\r\nThe warning looks as follows:\r\n\r\n[ 2911.172474] ------------[ cut here ]------------\n[ 2911.173111] Duplicates detected: 1\n[ 2911.173574] WARNING: CPU: 2 PID: 12247 at kernel/trace/tracing_map.c:983 tracing_map_sort_entries+0x3e0/0x408\n[ 2911.174702] Modules linked in: iscsi_ibft(E) iscsi_boot_sysfs(E) rfkill(E) af_packet(E) nls_iso8859_1(E) nls_cp437(E) vfat(E) fat(E) ena(E) tiny_power_button(E) qemu_fw_cfg(E) button(E) fuse(E) efi_pstore(E) ip_tables(E) x_tables(E) xfs(E) libcrc32c(E) aes_ce_blk(E) aes_ce_cipher(E) crct10dif_ce(E) polyval_ce(E) polyval_generic(E) ghash_ce(E) gf128mul(E) sm4_ce_gcm(E) sm4_ce_ccm(E) sm4_ce(E) sm4_ce_cipher(E) sm4(E) sm3_ce(E) sm3(E) sha3_ce(E) sha512_ce(E) sha512_arm64(E) sha2_ce(E) sha256_arm64(E) nvme(E) sha1_ce(E) nvme_core(E) nvme_auth(E) t10_pi(E) sg(E) scsi_mod(E) scsi_common(E) efivarfs(E)\n[ 2911.174738] Unloaded tainted modules: cppc_cpufreq(E):1\n[ 2911.180985] CPU: 2 PID: 12247 Comm: cat Kdump: loaded Tainted: G            E      6.7.0-default #2 1b58bbb22c97e4399dc09f92d309344f69c44a01\n[ 2911.182398] Hardware name: Amazon EC2 c7g.8xlarge/, BIOS 1.0 11/1/2018\n[ 2911.183208] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 2911.184038] pc : tracing_map_sort_entries+0x3e0/0x408\n[ 2911.184667] lr : tracing_map_sort_entries+0x3e0/0x408\n[ 2911.185310] sp : ffff8000a1513900\n[ 2911.185750] x29: ffff8000a1513900 x28: ffff0003f272fe80 x27: 0000000000000001\n[ 2911.186600] x26: ffff0003f272fe80 x25: 0000000000000030 x24: 0000000000000008\n[ 2911.187458] x23: ffff0003c5788000 x22: ffff0003c16710c8 x21: ffff80008017f180\n[ 2911.188310] x20: ffff80008017f000 x19: ffff80008017f180 x18: ffffffffffffffff\n[ 2911.189160] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000a15134b8\n[ 2911.190015] x14: 0000000000000000 x13: 205d373432323154 x12: 5b5d313131333731\n[ 2911.190844] x11: 00000000fffeffff x10: 00000000fffeffff x9 : ffffd1b78274a13c\n[ 2911.191716] x8 : 000000000017ffe8 x7 : c0000000fffeffff x6 : 000000000057ffa8\n[ 2911.192554] x5 : ffff0012f6c24ec0 x4 : 0000000000000000 x3 : ffff2e5b72b5d000\n[ 2911.193404] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0003ff254480\n[ 2911.194259] Call trace:\n[ 2911.194626]  tracing_map_sort_entries+0x3e0/0x408\n[ 2911.195220]  hist_show+0x124/0x800\n[ 2911.195692]  seq_read_iter+0x1d4/0x4e8\n[ 2911.196193]  seq_read+0xe8/0x138\n[ 2911.196638]  vfs_read+0xc8/0x300\n[ 2911.197078]  ksys_read+0x70/0x108\n[ 2911.197534]  __arm64_sys_read+0x24/0x38\n[ 2911.198046]  invoke_syscall+0x78/0x108\n[ 2911.198553]  el0_svc_common.constprop.0+0xd0/0xf8\n[ 2911.199157]  do_el0_svc+0x28/0x40\n[ 2911.199613]  el0_svc+0x40/0x178\n[ 2911.200048]  el0t_64_sync_handler+0x13c/0x158\n[ 2911.200621]  el0t_64_sync+0x1a8/0x1b0\n[ 2911.201115] ---[ end trace 0000000000000000 ]---\r\n\r\nThe problem appears to be caused by CPU reordering of writes issued from\n__tracing_map_insert().\r\n\r\nThe check for the presence of an element with a given key in this\nfunction is:\r\n\r\n val = READ_ONCE(entry->val);\n if (val && keys_match(key, val->key, map->key_size)) ...\r\n\r\nThe write of a new entry is:\r\n\r\n elt = get_free_elt(map);\n memcpy(elt->key, key, map->key_size);\n entry->val = elt;\r\n\r\nThe \"memcpy(elt->key, key, map->key_size);\" and \"entry->val = elt;\"\nstores may become visible in the reversed order on another CPU. This\nsecond CPU might then incorrectly determine that a new key doesn't match\nan already present val->key and subse\n---truncated---(CVE-2024-26645)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'\r\n\r\nIn \"u32 otg_inst = pipe_ctx->stream_res.tg->inst;\"\npipe_ctx->stream_res.tg could be NULL, it is relying on the caller to\nensure the tg is not NULL.(CVE-2024-26661)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntunnels: fix out of bounds access when building IPv6 PMTU error\r\n\r\nIf the ICMPv6 error is built from a non-linear skb we get the following\nsplat,\r\n\r\n  BUG: KASAN: slab-out-of-bounds in do_csum+0x220/0x240\n  Read of size 4 at addr ffff88811d402c80 by task netperf/820\n  CPU: 0 PID: 820 Comm: netperf Not tainted 6.8.0-rc1+ #543\n  ...\n   kasan_report+0xd8/0x110\n   do_csum+0x220/0x240\n   csum_partial+0xc/0x20\n   skb_tunnel_check_pmtu+0xeb9/0x3280\n   vxlan_xmit_one+0x14c2/0x4080\n   vxlan_xmit+0xf61/0x5c00\n   dev_hard_start_xmit+0xfb/0x510\n   __dev_queue_xmit+0x7cd/0x32a0\n   br_dev_queue_push_xmit+0x39d/0x6a0\r\n\r\nUse skb_checksum instead of csum_partial who cannot deal with non-linear\nSKBs.(CVE-2024-26665)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nft_limit: reject configurations that cause integer overflow\r\n\r\nReject bogus configs where internal token counter wraps around.\nThis only occurs with very very large requests, such as 17gbyte/s.\r\n\r\nIts better to reject this rather than having incorrect ratelimit.(CVE-2024-26668)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: flower: Fix chain template offload\r\n\r\nWhen a qdisc is deleted from a net device the stack instructs the\nunderlying driver to remove its flow offload callback from the\nassociated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack\nthen continues to replay the removal of the filters in the block for\nthis driver by iterating over the chains in the block and invoking the\n'reoffload' operation of the classifier being used. In turn, the\nclassifier in its 'reoffload' operation prepares and emits a\n'FLOW_CLS_DESTROY' command for each filter.\r\n\r\nHowever, the stack does not do the same for chain templates and the\nunderlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when\na qdisc is deleted. This results in a memory leak [1] which can be\nreproduced using [2].\r\n\r\nFix by introducing a 'tmplt_reoffload' operation and have the stack\ninvoke it with the appropriate arguments as part of the replay.\nImplement the operation in the sole classifier that supports chain\ntemplates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}'\ncommand based on whether a flow offload callback is being bound to a\nfilter block or being unbound from one.\r\n\r\nAs far as I can tell, the issue happens since cited commit which\nreordered tcf_block_offload_unbind() before tcf_block_flush_all_chains()\nin __tcf_block_put(). The order cannot be reversed as the filter block\nis expected to be freed after flushing all the chains.\r\n\r\n[1]\nunreferenced object 0xffff888107e28800 (size 2048):\n  comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s)\n  hex dump (first 32 bytes):\n    b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff  ..|......[......\n    01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff  ................\n  backtrace:\n    [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320\n    [<ffffffff81ab374e>] __kmalloc+0x4e/0x90\n    [<ffffffff832aec6d>] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0\n    [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180\n    [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280\n    [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340\n    [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0\n    [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170\n    [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0\n    [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440\n    [<ffffffff83ac6270>] netlink_unicast+0x540/0x820\n    [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0\n    [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80\n    [<ffffffff8379d29a>] ___sys_sendmsg+0x13a/0x1e0\n    [<ffffffff8379d50c>] __sys_sendmsg+0x11c/0x1f0\n    [<ffffffff843b9ce0>] do_syscall_64+0x40/0xe0\nunreferenced object 0xffff88816d2c0400 (size 1024):\n  comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s)\n  hex dump (first 32 bytes):\n    40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00  @.......W.8.....\n    10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff  ..,m......,m....\n  backtrace:\n    [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320\n    [<ffffffff81ab36c1>] __kmalloc_node+0x51/0x90\n    [<ffffffff81a8ed96>] kvmalloc_node+0xa6/0x1f0\n    [<ffffffff82827d03>] bucket_table_alloc.isra.0+0x83/0x460\n    [<ffffffff82828d2b>] rhashtable_init+0x43b/0x7c0\n    [<ffffffff832aed48>] mlxsw_sp_acl_ruleset_get+0x428/0x7a0\n    [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180\n    [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280\n    [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340\n    [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0\n    [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170\n    [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0\n    [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440\n    [<ffffffff83ac6270>] netlink_unicast+0x540/0x820\n    [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0\n    [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80\r\n\r\n[2]\n # tc qdisc add dev swp1 clsact\n # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32\n # tc qdisc del dev\n---truncated---(CVE-2024-26669)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nppp_async: limit MRU to 64K\r\n\r\nsyzbot triggered a warning [1] in __alloc_pages():\r\n\r\nWARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)\r\n\r\nWillem fixed a similar issue in commit c0a2a1b0d631 (\"ppp: limit MRU to 64K\")\r\n\r\nAdopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU)\r\n\r\n[1]:\r\n\r\n WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\nModules linked in:\nCPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\nWorkqueue: events_unbound flush_to_ldisc\npstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\n lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537\nsp : ffff800093967580\nx29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000\nx26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0\nx23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8\nx20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120\nx17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005\nx14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000\nx11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001\nx8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f\nx5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020\nx2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0\nCall trace:\n  __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\n  __alloc_pages_node include/linux/gfp.h:238 [inline]\n  alloc_pages_node include/linux/gfp.h:261 [inline]\n  __kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926\n  __do_kmalloc_node mm/slub.c:3969 [inline]\n  __kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001\n  kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590\n  __alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651\n  __netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715\n  netdev_alloc_skb include/linux/skbuff.h:3235 [inline]\n  dev_alloc_skb include/linux/skbuff.h:3248 [inline]\n  ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline]\n  ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341\n  tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390\n  tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37\n  receive_buf drivers/tty/tty_buffer.c:444 [inline]\n  flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494\n  process_one_work+0x694/0x1204 kernel/workqueue.c:2633\n  process_scheduled_works kernel/workqueue.c:2706 [inline]\n  worker_thread+0x938/0xef4 kernel/workqueue.c:2787\n  kthread+0x288/0x310 kernel/kthread.c:388\n  ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860(CVE-2024-26675)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ninet: read sk->sk_family once in inet_recv_error()\r\n\r\ninet_recv_error() is called without holding the socket lock.\r\n\r\nIPv6 socket could mutate to IPv4 with IPV6_ADDRFORM\nsocket option and trigger a KCSAN warning.(CVE-2024-26679)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: atlantic: Fix DMA mapping for PTP hwts ring\r\n\r\nFunction aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytes\nfor PTP HWTS ring but then generic aq_ring_free() does not take this\ninto account.\nCreate and use a specific function to free HWTS ring to fix this\nissue.\r\n\r\nTrace:\n[  215.351607] ------------[ cut here ]------------\n[  215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes]\n[  215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 check_unmap+0xa6f/0x2360\n...\n[  215.581176] Call Trace:\n[  215.583632]  <TASK>\n[  215.585745]  ? show_trace_log_lvl+0x1c4/0x2df\n[  215.590114]  ? show_trace_log_lvl+0x1c4/0x2df\n[  215.594497]  ? debug_dma_free_coherent+0x196/0x210\n[  215.599305]  ? check_unmap+0xa6f/0x2360\n[  215.603147]  ? __warn+0xca/0x1d0\n[  215.606391]  ? check_unmap+0xa6f/0x2360\n[  215.610237]  ? report_bug+0x1ef/0x370\n[  215.613921]  ? handle_bug+0x3c/0x70\n[  215.617423]  ? exc_invalid_op+0x14/0x50\n[  215.621269]  ? asm_exc_invalid_op+0x16/0x20\n[  215.625480]  ? check_unmap+0xa6f/0x2360\n[  215.629331]  ? mark_lock.part.0+0xca/0xa40\n[  215.633445]  debug_dma_free_coherent+0x196/0x210\n[  215.638079]  ? __pfx_debug_dma_free_coherent+0x10/0x10\n[  215.643242]  ? slab_free_freelist_hook+0x11d/0x1d0\n[  215.648060]  dma_free_attrs+0x6d/0x130\n[  215.651834]  aq_ring_free+0x193/0x290 [atlantic]\n[  215.656487]  aq_ptp_ring_free+0x67/0x110 [atlantic]\n...\n[  216.127540] ---[ end trace 6467e5964dd2640b ]---\n[  216.132160] DMA-API: Mapped at:\n[  216.132162]  debug_dma_alloc_coherent+0x66/0x2f0\n[  216.132165]  dma_alloc_attrs+0xf5/0x1b0\n[  216.132168]  aq_ring_hwts_rx_alloc+0x150/0x1f0 [atlantic]\n[  216.132193]  aq_ptp_ring_alloc+0x1bb/0x540 [atlantic]\n[  216.132213]  aq_nic_init+0x4a1/0x760 [atlantic](CVE-2024-26680)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: stmmac: xgmac: fix handling of DPP safety error for DMA channels\r\n\r\nCommit 56e58d6c8a56 (\"net: stmmac: Implement Safety Features in\nXGMAC core\") checks and reports safety errors, but leaves the\nData Path Parity Errors for each channel in DMA unhandled at all, lead to\na storm of interrupt.\nFix it by checking and clearing the DMA_DPP_Interrupt_Status register.(CVE-2024-26684)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix potential bug in end_buffer_async_write\r\n\r\nAccording to a syzbot report, end_buffer_async_write(), which handles the\ncompletion of block device writes, may detect abnormal condition of the\nbuffer async_write flag and cause a BUG_ON failure when using nilfs2.\r\n\r\nNilfs2 itself does not use end_buffer_async_write().  But, the async_write\nflag is now used as a marker by commit 7f42ec394156 (\"nilfs2: fix issue\nwith race condition of competition between segments for dirty blocks\") as\na means of resolving double list insertion of dirty blocks in\nnilfs_lookup_dirty_data_buffers() and nilfs_lookup_node_buffers() and the\nresulting crash.\r\n\r\nThis modification is safe as long as it is used for file data and b-tree\nnode blocks where the page caches are independent.  However, it was\nirrelevant and redundant to also introduce async_write for segment summary\nand super root blocks that share buffers with the backing device.  This\nled to the possibility that the BUG_ON check in end_buffer_async_write\nwould fail as described above, if independent writebacks of the backing\ndevice occurred in parallel.\r\n\r\nThe use of async_write for segment summary buffers has already been\nremoved in a previous change.\r\n\r\nFix this issue by removing the manipulation of the async_write flag for\nthe remaining super root block buffer.(CVE-2024-26685)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats\r\n\r\nlock_task_sighand() can trigger a hard lockup.  If NR_CPUS threads call\ndo_task_stat() at the same time and the process has NR_THREADS, it will\nspin with irqs disabled O(NR_CPUS * NR_THREADS) time.\r\n\r\nChange do_task_stat() to use sig->stats_lock to gather the statistics\noutside of ->siglock protected section, in the likely case this code will\nrun lockless.(CVE-2024-26686)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nceph: prevent use-after-free in encode_cap_msg()\r\n\r\nIn fs/ceph/caps.c, in encode_cap_msg(), \"use after free\" error was\ncaught by KASAN at this line - 'ceph_buffer_get(arg->xattr_buf);'. This\nimplies before the refcount could be increment here, it was freed.\r\n\r\nIn same file, in \"handle_cap_grant()\" refcount is decremented by this\nline - 'ceph_buffer_put(ci->i_xattrs.blob);'. It appears that a race\noccurred and resource was freed by the latter line before the former\nline could increment it.\r\n\r\nencode_cap_msg() is called by __send_cap() and __send_cap() is called by\nceph_check_caps() after calling __prep_cap(). __prep_cap() is where\narg->xattr_buf is assigned to ci->i_xattrs.blob. This is the spot where\nthe refcount must be increased to prevent \"use after free\" error.(CVE-2024-26689)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix data corruption in dsync block recovery for small block sizes\r\n\r\nThe helper function nilfs_recovery_copy_block() of\nnilfs_recovery_dsync_blocks(), which recovers data from logs created by\ndata sync writes during a mount after an unclean shutdown, incorrectly\ncalculates the on-page offset when copying repair data to the file's page\ncache.  In environments where the block size is smaller than the page\nsize, this flaw can cause data corruption and leak uninitialized memory\nbytes during the recovery process.\r\n\r\nFix these issues by correcting this byte offset calculation on the page.(CVE-2024-26697)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\niio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC\r\n\r\nRecently, we encounter kernel crash in function rm3100_common_probe\ncaused by out of bound access of array rm3100_samp_rates (because of\nunderlying hardware failures). Add boundary check to prevent out of\nbound access.(CVE-2024-26702)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nparisc: Fix random data corruption from exception handler\r\n\r\nThe current exception handler implementation, which assists when accessing\nuser space memory, may exhibit random data corruption if the compiler decides\nto use a different register than the specified register %r29 (defined in\nASM_EXCEPTIONTABLE_REG) for the error code. If the compiler choose another\nregister, the fault handler will nevertheless store -EFAULT into %r29 and thus\ntrash whatever this register is used for.\nLooking at the assembly I found that this happens sometimes in emulate_ldd().\r\n\r\nTo solve the issue, the easiest solution would be if it somehow is\npossible to tell the fault handler which register is used to hold the error\ncode. Using %0 or %1 in the inline assembly is not posssible as it will show\nup as e.g. %r29 (with the \"%r\" prefix), which the GNU assembler can not\nconvert to an integer.\r\n\r\nThis patch takes another, better and more flexible approach:\nWe extend the __ex_table (which is out of the execution path) by one 32-word.\nIn this word we tell the compiler to insert the assembler instruction\n\"or %r0,%r0,%reg\", where %reg references the register which the compiler\nchoosed for the error return code.\nIn case of an access failure, the fault handler finds the __ex_table entry and\ncan examine the opcode. The used register is encoded in the lowest 5 bits, and\nthe fault handler can then store -EFAULT into this register.\r\n\r\nSince we extend the __ex_table to 3 words we can't use the BUILDTIME_TABLE_SORT\nconfig option any longer.(CVE-2024-26706)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()\r\n\r\nSyzkaller reported [1] hitting a warning after failing to allocate\nresources for skb in hsr_init_skb(). Since a WARN_ONCE() call will\nnot help much in this case, it might be prudent to switch to\nnetdev_warn_once(). At the very least it will suppress syzkaller\nreports such as [1].\r\n\r\nJust in case, use netdev_warn_once() in send_prp_supervision_frame()\nfor similar reasons.\r\n\r\n[1]\nHSR: Could not send supervision frame\nWARNING: CPU: 1 PID: 85 at net/hsr/hsr_device.c:294 send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294\nRIP: 0010:send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294\n...\nCall Trace:\n <IRQ>\n hsr_announce+0x114/0x370 net/hsr/hsr_device.c:382\n call_timer_fn+0x193/0x590 kernel/time/timer.c:1700\n expire_timers kernel/time/timer.c:1751 [inline]\n __run_timers+0x764/0xb20 kernel/time/timer.c:2022\n run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2035\n __do_softirq+0x21a/0x8de kernel/softirq.c:553\n invoke_softirq kernel/softirq.c:427 [inline]\n __irq_exit_rcu kernel/softirq.c:632 [inline]\n irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644\n sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076\n </IRQ>\n <TASK>\n asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649\n...\r\n\r\nThis issue is also found in older kernels (at least up to 5.10).(CVE-2024-26707)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/kasan: Fix addr error caused by page alignment\r\n\r\nIn kasan_init_region, when k_start is not page aligned, at the begin of\nfor loop, k_cur = k_start & PAGE_MASK is less than k_start, and then\n`va = block + k_cur - k_start` is less than block, the addr va is invalid,\nbecause the memory address space from va to block is not alloced by\nmemblock_alloc, which will not be reserved by memblock_reserve later, it\nwill be used by other places.\r\n\r\nAs a result, memory overwriting occurs.\r\n\r\nfor example:\nint __init __weak kasan_init_region(void *start, size_t size)\n{\n[...]\n\t/* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */\n\tblock = memblock_alloc(k_end - k_start, PAGE_SIZE);\n\t[...]\n\tfor (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) {\n\t\t/* at the begin of for loop\n\t\t * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400)\n\t\t * va(dcd96c00) is less than block(dcd97000), va is invalid\n\t\t */\n\t\tvoid *va = block + k_cur - k_start;\n\t\t[...]\n\t}\n[...]\n}\r\n\r\nTherefore, page alignment is performed on k_start before\nmemblock_alloc() to ensure the validity of the VA address.(CVE-2024-26712)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again\r\n\r\n(struct dirty_throttle_control *)->thresh is an unsigned long, but is\npassed as the u32 divisor argument to div_u64().  On architectures where\nunsigned long is 64 bytes, the argument will be implicitly truncated.\r\n\r\nUse div64_u64() instead of div_u64() so that the value used in the \"is\nthis a safe division\" check is the same as the divisor.\r\n\r\nAlso, remove redundant cast of the numerator to u64, as that should happen\nimplicitly.\r\n\r\nThis would be difficult to exploit in memcg domain, given the ratio-based\narithmetic domain_drity_limits() uses, but is much easier in global\nwriteback domain with a BDI_CAP_STRICTLIMIT-backing device, using e.g. \nvm.dirty_bytes=(1<<32)*PAGE_SIZE so that dtc->thresh == (1<<32)(CVE-2024-26720)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: don't drop extent_map for free space inode on write error\r\n\r\nWhile running the CI for an unrelated change I hit the following panic\nwith generic/648 on btrfs_holes_spacecache.\r\n\r\nassertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385\n------------[ cut here ]------------\nkernel BUG at fs/btrfs/extent_io.c:1385!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G        W          6.8.0-rc2+ #1\nRIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0\nCall Trace:\n <TASK>\n extent_write_cache_pages+0x2ac/0x8f0\n extent_writepages+0x87/0x110\n do_writepages+0xd5/0x1f0\n filemap_fdatawrite_wbc+0x63/0x90\n __filemap_fdatawrite_range+0x5c/0x80\n btrfs_fdatawrite_range+0x1f/0x50\n btrfs_write_out_cache+0x507/0x560\n btrfs_write_dirty_block_groups+0x32a/0x420\n commit_cowonly_roots+0x21b/0x290\n btrfs_commit_transaction+0x813/0x1360\n btrfs_sync_file+0x51a/0x640\n __x64_sys_fdatasync+0x52/0x90\n do_syscall_64+0x9c/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\nThis happens because we fail to write out the free space cache in one\ninstance, come back around and attempt to write it again.  However on\nthe second pass through we go to call btrfs_get_extent() on the inode to\nget the extent mapping.  Because this is a new block group, and with the\nfree space inode we always search the commit root to avoid deadlocking\nwith the tree, we find nothing and return a EXTENT_MAP_HOLE for the\nrequested range.\r\n\r\nThis happens because the first time we try to write the space cache out\nwe hit an error, and on an error we drop the extent mapping.  This is\nnormal for normal files, but the free space cache inode is special.  We\nalways expect the extent map to be correct.  Thus the second time\nthrough we end up with a bogus extent map.\r\n\r\nSince we're deprecating this feature, the most straightforward way to\nfix this is to simply skip dropping the extent map range for this failed\nrange.\r\n\r\nI shortened the test by using error injection to stress the area to make\nit easier to reproduce.  With this patch in place we no longer panic\nwith my error injection test.(CVE-2024-26726)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\narp: Prevent overflow in arp_req_get().\r\n\r\nsyzkaller reported an overflown write in arp_req_get(). [0]\r\n\r\nWhen ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour\nentry and copies neigh->ha to struct arpreq.arp_ha.sa_data.\r\n\r\nThe arp_ha here is struct sockaddr, not struct sockaddr_storage, so\nthe sa_data buffer is just 14 bytes.\r\n\r\nIn the splat below, 2 bytes are overflown to the next int field,\narp_flags.  We initialise the field just after the memcpy(), so it's\nnot a problem.\r\n\r\nHowever, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN),\narp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL)\nin arp_ioctl() before calling arp_req_get().\r\n\r\nTo avoid the overflow, let's limit the max length of memcpy().\r\n\r\nNote that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible\narray in struct sockaddr\") just silenced syzkaller.\r\n\r\n[0]:\nmemcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14)\nWARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128\nModules linked in:\nCPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014\nRIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128\nCode: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6\nRSP: 0018:ffffc900050b7998 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001\nRBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000\nR13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010\nFS:  00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <TASK>\n arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261\n inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981\n sock_do_ioctl+0xdf/0x260 net/socket.c:1204\n sock_ioctl+0x3ef/0x650 net/socket.c:1321\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x64/0xce\nRIP: 0033:0x7f172b262b8d\nCode: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d\nRDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003\nRBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000\n </TASK>(CVE-2024-26733)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndevlink: fix possible use-after-free and memory leaks in devlink_init()\r\n\r\nThe pernet operations structure for the subsystem must be registered\nbefore registering the generic netlink family.\r\n\r\nMake an unregister in case of unsuccessful registration.(CVE-2024-26734)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: sr: fix possible use-after-free and null-ptr-deref\r\n\r\nThe pernet operations structure for the subsystem must be registered\nbefore registering the generic netlink family.(CVE-2024-26735)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: act_mirred: use the backlog for mirred ingress\r\n\r\nThe test Davide added in commit ca22da2fbd69 (\"act_mirred: use the backlog\nfor nested calls to mirred ingress\") hangs our testing VMs every 10 or so\nruns, with the familiar tcp_v4_rcv -> tcp_v4_rcv deadlock reported by\nlockdep.\r\n\r\nThe problem as previously described by Davide (see Link) is that\nif we reverse flow of traffic with the redirect (egress -> ingress)\nwe may reach the same socket which generated the packet. And we may\nstill be holding its socket lock. The common solution to such deadlocks\nis to put the packet in the Rx backlog, rather than run the Rx path\ninline. Do that for all egress -> ingress reversals, not just once\nwe started to nest mirred calls.\r\n\r\nIn the past there was a concern that the backlog indirection will\nlead to loss of error reporting / less accurate stats. But the current\nworkaround does not seem to address the issue.(CVE-2024-26740)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/qedr: Fix qedr_create_user_qp error flow\r\n\r\nAvoid the following warning by making sure to free the allocated\nresources in case that qedr_init_user_queue() fail.\r\n\r\n-----------[ cut here ]-----------\nWARNING: CPU: 0 PID: 143192 at drivers/infiniband/core/rdma_core.c:874 uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nModules linked in: tls target_core_user uio target_core_pscsi target_core_file target_core_iblock ib_srpt ib_srp scsi_transport_srp nfsd nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs 8021q garp mrp stp llc ext4 mbcache jbd2 opa_vnic ib_umad ib_ipoib sunrpc rdma_ucm ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm hfi1 intel_rapl_msr intel_rapl_common mgag200 qedr sb_edac drm_shmem_helper rdmavt x86_pkg_temp_thermal drm_kms_helper intel_powerclamp ib_uverbs coretemp i2c_algo_bit kvm_intel dell_wmi_descriptor ipmi_ssif sparse_keymap kvm ib_core rfkill syscopyarea sysfillrect video sysimgblt irqbypass ipmi_si ipmi_devintf fb_sys_fops rapl iTCO_wdt mxm_wmi iTCO_vendor_support intel_cstate pcspkr dcdbas intel_uncore ipmi_msghandler lpc_ich acpi_power_meter mei_me mei fuse drm xfs libcrc32c qede sd_mod ahci libahci t10_pi sg crct10dif_pclmul crc32_pclmul crc32c_intel qed libata tg3\nghash_clmulni_intel megaraid_sas crc8 wmi [last unloaded: ib_srpt]\nCPU: 0 PID: 143192 Comm: fi_rdm_tagged_p Kdump: loaded Not tainted 5.14.0-408.el9.x86_64 #1\nHardware name: Dell Inc. PowerEdge R430/03XKDV, BIOS 2.14.0 01/25/2022\nRIP: 0010:uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nCode: 5d 41 5c 41 5d 41 5e e9 0f 26 1b dd 48 89 df e8 67 6a ff ff 49 8b 86 10 01 00 00 48 85 c0 74 9c 4c 89 e7 e8 83 c0 cb dd eb 92 <0f> 0b eb be 0f 0b be 04 00 00 00 48 89 df e8 8e f5 ff ff e9 6d ff\nRSP: 0018:ffffb7c6cadfbc60 EFLAGS: 00010286\nRAX: ffff8f0889ee3f60 RBX: ffff8f088c1a5200 RCX: 00000000802a0016\nRDX: 00000000802a0017 RSI: 0000000000000001 RDI: ffff8f0880042600\nRBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000\nR10: ffff8f11fffd5000 R11: 0000000000039000 R12: ffff8f0d5b36cd80\nR13: ffff8f088c1a5250 R14: ffff8f1206d91000 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff8f11d7c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000147069200e20 CR3: 00000001c7210002 CR4: 00000000001706f0\nCall Trace:\n<TASK>\n? show_trace_log_lvl+0x1c4/0x2df\n? show_trace_log_lvl+0x1c4/0x2df\n? ib_uverbs_close+0x1f/0xb0 [ib_uverbs]\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\n? __warn+0x81/0x110\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\n? report_bug+0x10a/0x140\n? handle_bug+0x3c/0x70\n? exc_invalid_op+0x14/0x70\n? asm_exc_invalid_op+0x16/0x20\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nib_uverbs_close+0x1f/0xb0 [ib_uverbs]\n__fput+0x94/0x250\ntask_work_run+0x5c/0x90\ndo_exit+0x270/0x4a0\ndo_group_exit+0x2d/0x90\nget_signal+0x87c/0x8c0\narch_do_signal_or_restart+0x25/0x100\n? ib_uverbs_ioctl+0xc2/0x110 [ib_uverbs]\nexit_to_user_mode_loop+0x9c/0x130\nexit_to_user_mode_prepare+0xb6/0x100\nsyscall_exit_to_user_mode+0x12/0x40\ndo_syscall_64+0x69/0x90\n? syscall_exit_work+0x103/0x130\n? syscall_exit_to_user_mode+0x22/0x40\n? do_syscall_64+0x69/0x90\n? syscall_exit_work+0x103/0x130\n? syscall_exit_to_user_mode+0x22/0x40\n? do_syscall_64+0x69/0x90\n? do_syscall_64+0x69/0x90\n? common_interrupt+0x43/0xa0\nentry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x1470abe3ec6b\nCode: Unable to access opcode bytes at RIP 0x1470abe3ec41.\nRSP: 002b:00007fff13ce9108 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: fffffffffffffffc RBX: 00007fff13ce9218 RCX: 00001470abe3ec6b\nRDX: 00007fff13ce9200 RSI: 00000000c0181b01 RDI: 0000000000000004\nRBP: 00007fff13ce91e0 R08: 0000558d9655da10 R09: 0000558d9655dd00\nR10: 00007fff13ce95c0 R11: 0000000000000246 R12: 00007fff13ce9358\nR13: 0000000000000013 R14: 0000558d9655db50 R15: 00007fff13ce9470\n</TASK>\n--[ end trace 888a9b92e04c5c97 ]--(CVE-2024-26743)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/srpt: Support specifying the srpt_service_guid parameter\r\n\r\nMake loading ib_srpt with this parameter set work. The current behavior is\nthat setting that parameter while loading the ib_srpt kernel module\ntriggers the following kernel crash:\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nCall Trace:\n <TASK>\n parse_one+0x18c/0x1d0\n parse_args+0xe1/0x230\n load_module+0x8de/0xa60\n init_module_from_file+0x8b/0xd0\n idempotent_init_module+0x181/0x240\n __x64_sys_finit_module+0x5a/0xb0\n do_syscall_64+0x5f/0xe0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76(CVE-2024-26744)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()\r\n\r\nThe gtp_net_ops pernet operations structure for the subsystem must be\nregistered before registering the generic netlink family.\r\n\r\nSyzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:\r\n\r\ngeneral protection fault, probably for non-canonical address\n0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\nCPU: 1 PID: 5826 Comm: gtp Not tainted 6.8.0-rc3-std-def-alt1 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014\nRIP: 0010:gtp_genl_dump_pdp+0x1be/0x800 [gtp]\nCode: c6 89 c6 e8 64 e9 86 df 58 45 85 f6 0f 85 4e 04 00 00 e8 c5 ee 86\n      df 48 8b 54 24 18 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80>\n      3c 02 00 0f 85 de 05 00 00 48 8b 44 24 18 4c 8b 30 4c 39 f0 74\nRSP: 0018:ffff888014107220 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: ffff88800fcda588 R14: 0000000000000001 R15: 0000000000000000\nFS:  00007f1be4eb05c0(0000) GS:ffff88806ce80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1be4e766cf CR3: 000000000c33e000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? show_regs+0x90/0xa0\n ? die_addr+0x50/0xd0\n ? exc_general_protection+0x148/0x220\n ? asm_exc_general_protection+0x22/0x30\n ? gtp_genl_dump_pdp+0x1be/0x800 [gtp]\n ? __alloc_skb+0x1dd/0x350\n ? __pfx___alloc_skb+0x10/0x10\n genl_dumpit+0x11d/0x230\n netlink_dump+0x5b9/0xce0\n ? lockdep_hardirqs_on_prepare+0x253/0x430\n ? __pfx_netlink_dump+0x10/0x10\n ? kasan_save_track+0x10/0x40\n ? __kasan_kmalloc+0x9b/0xa0\n ? genl_start+0x675/0x970\n __netlink_dump_start+0x6fc/0x9f0\n genl_family_rcv_msg_dumpit+0x1bb/0x2d0\n ? __pfx_genl_family_rcv_msg_dumpit+0x10/0x10\n ? genl_op_from_small+0x2a/0x440\n ? cap_capable+0x1d0/0x240\n ? __pfx_genl_start+0x10/0x10\n ? __pfx_genl_dumpit+0x10/0x10\n ? __pfx_genl_done+0x10/0x10\n ? security_capable+0x9d/0xe0(CVE-2024-26754)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndm-crypt: don't modify the data when using authenticated encryption\r\n\r\nIt was said that authenticated encryption could produce invalid tag when\nthe data that is being encrypted is modified [1]. So, fix this problem by\ncopying the data into the clone bio first and then encrypt them inside the\nclone bio.\r\n\r\nThis may reduce performance, but it is needed to prevent the user from\ncorrupting the device by writing data with O_DIRECT and modifying them at\nthe same time.\r\n\r\n[1] https://lore.kernel.org/all/20240207004723.GA35324@sol.localdomain/T/(CVE-2024-26763)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nspi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected\r\n\r\nReturn IRQ_NONE from the interrupt handler when no interrupt was\ndetected. Because an empty interrupt will cause a null pointer error:\r\n\r\n    Unable to handle kernel NULL pointer dereference at virtual\n  address 0000000000000008\n    Call trace:\n        complete+0x54/0x100\n        hisi_sfc_v3xx_isr+0x2c/0x40 [spi_hisi_sfc_v3xx]\n        __handle_irq_event_percpu+0x64/0x1e0\n        handle_irq_event+0x7c/0x1cc(CVE-2024-26776)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmptcp: fix double-free on socket dismantle\r\n\r\nwhen MPTCP server accepts an incoming connection, it clones its listener\nsocket. However, the pointer to 'inet_opt' for the new socket has the same\nvalue as the original one: as a consequence, on program exit it's possible\nto observe the following splat:\r\n\r\n  BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0\n  Free of addr ffff888485950880 by task swapper/25/0\r\n\r\n  CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609\n  Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0  07/26/2013\n  Call Trace:\n   <IRQ>\n   dump_stack_lvl+0x32/0x50\n   print_report+0xca/0x620\n   kasan_report_invalid_free+0x64/0x90\n   __kasan_slab_free+0x1aa/0x1f0\n   kfree+0xed/0x2e0\n   inet_sock_destruct+0x54f/0x8b0\n   __sk_destruct+0x48/0x5b0\n   rcu_do_batch+0x34e/0xd90\n   rcu_core+0x559/0xac0\n   __do_softirq+0x183/0x5a4\n   irq_exit_rcu+0x12d/0x170\n   sysvec_apic_timer_interrupt+0x6b/0x80\n   </IRQ>\n   <TASK>\n   asm_sysvec_apic_timer_interrupt+0x16/0x20\n  RIP: 0010:cpuidle_enter_state+0x175/0x300\n  Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b\n  RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202\n  RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000\n  RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588\n  RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080\n  R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0\n  R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80\n   cpuidle_enter+0x4a/0xa0\n   do_idle+0x310/0x410\n   cpu_startup_entry+0x51/0x60\n   start_secondary+0x211/0x270\n   secondary_startup_64_no_verify+0x184/0x18b\n   </TASK>\r\n\r\n  Allocated by task 6853:\n   kasan_save_stack+0x1c/0x40\n   kasan_save_track+0x10/0x30\n   __kasan_kmalloc+0xa6/0xb0\n   __kmalloc+0x1eb/0x450\n   cipso_v4_sock_setattr+0x96/0x360\n   netlbl_sock_setattr+0x132/0x1f0\n   selinux_netlbl_socket_post_create+0x6c/0x110\n   selinux_socket_post_create+0x37b/0x7f0\n   security_socket_post_create+0x63/0xb0\n   __sock_create+0x305/0x450\n   __sys_socket_create.part.23+0xbd/0x130\n   __sys_socket+0x37/0xb0\n   __x64_sys_socket+0x6f/0xb0\n   do_syscall_64+0x83/0x160\n   entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\n  Freed by task 6858:\n   kasan_save_stack+0x1c/0x40\n   kasan_save_track+0x10/0x30\n   kasan_save_free_info+0x3b/0x60\n   __kasan_slab_free+0x12c/0x1f0\n   kfree+0xed/0x2e0\n   inet_sock_destruct+0x54f/0x8b0\n   __sk_destruct+0x48/0x5b0\n   subflow_ulp_release+0x1f0/0x250\n   tcp_cleanup_ulp+0x6e/0x110\n   tcp_v4_destroy_sock+0x5a/0x3a0\n   inet_csk_destroy_sock+0x135/0x390\n   tcp_fin+0x416/0x5c0\n   tcp_data_queue+0x1bc8/0x4310\n   tcp_rcv_state_process+0x15a3/0x47b0\n   tcp_v4_do_rcv+0x2c1/0x990\n   tcp_v4_rcv+0x41fb/0x5ed0\n   ip_protocol_deliver_rcu+0x6d/0x9f0\n   ip_local_deliver_finish+0x278/0x360\n   ip_local_deliver+0x182/0x2c0\n   ip_rcv+0xb5/0x1c0\n   __netif_receive_skb_one_core+0x16e/0x1b0\n   process_backlog+0x1e3/0x650\n   __napi_poll+0xa6/0x500\n   net_rx_action+0x740/0xbb0\n   __do_softirq+0x183/0x5a4\r\n\r\n  The buggy address belongs to the object at ffff888485950880\n   which belongs to the cache kmalloc-64 of size 64\n  The buggy address is located 0 bytes inside of\n   64-byte region [ffff888485950880, ffff8884859508c0)\r\n\r\n  The buggy address belongs to the physical page:\n  page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950\n  flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff)\n  page_type: 0xffffffff()\n  raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006\n  raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000\n  page dumped because: kasan: bad access detected\r\n\r\n  Memory state around the buggy address:\n   ffff888485950780: fa fb fb\n---truncated---(CVE-2024-26782)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmmc: mmci: stm32: fix DMA API overlapping mappings warning\r\n\r\nTurning on CONFIG_DMA_API_DEBUG_SG results in the following warning:\r\n\r\nDMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST,\noverlapping mappings aren't supported\nWARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568\nadd_dma_entry+0x234/0x2f4\nModules linked in:\nCPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1\nHardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT)\nWorkqueue: events_freezable mmc_rescan\nCall trace:\nadd_dma_entry+0x234/0x2f4\ndebug_dma_map_sg+0x198/0x350\n__dma_map_sg_attrs+0xa0/0x110\ndma_map_sg_attrs+0x10/0x2c\nsdmmc_idma_prep_data+0x80/0xc0\nmmci_prep_data+0x38/0x84\nmmci_start_data+0x108/0x2dc\nmmci_request+0xe4/0x190\n__mmc_start_request+0x68/0x140\nmmc_start_request+0x94/0xc0\nmmc_wait_for_req+0x70/0x100\nmmc_send_tuning+0x108/0x1ac\nsdmmc_execute_tuning+0x14c/0x210\nmmc_execute_tuning+0x48/0xec\nmmc_sd_init_uhs_card.part.0+0x208/0x464\nmmc_sd_init_card+0x318/0x89c\nmmc_attach_sd+0xe4/0x180\nmmc_rescan+0x244/0x320\r\n\r\nDMA API debug brings to light leaking dma-mappings as dma_map_sg and\ndma_unmap_sg are not correctly balanced.\r\n\r\nIf an error occurs in mmci_cmd_irq function, only mmci_dma_error\nfunction is called and as this API is not managed on stm32 variant,\ndma_unmap_sg is never called in this error path.(CVE-2024-26787)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: dev-replace: properly validate device names\r\n\r\nThere's a syzbot report that device name buffers passed to device\nreplace are not properly checked for string termination which could lead\nto a read out of bounds in getname_kernel().\r\n\r\nAdd a helper that validates both source and target device name buffers.\nFor devid as the source initialize the buffer to empty string in case\nsomething tries to read it later.\r\n\r\nThis was originally analyzed and fixed in a different way by Edward Adam\nDavis (see links).(CVE-2024-26791)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: Avoid potential use-after-free in hci_error_reset\r\n\r\nWhile handling the HCI_EV_HARDWARE_ERROR event, if the underlying\nBT controller is not responding, the GPIO reset mechanism would\nfree the hci_dev and lead to a use-after-free in hci_error_reset.\r\n\r\nHere's the call trace observed on a ChromeOS device with Intel AX201:\n   queue_work_on+0x3e/0x6c\n   __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth <HASH:3b4a6>]\n   ? init_wait_entry+0x31/0x31\n   __hci_cmd_sync+0x16/0x20 [bluetooth <HASH:3b4a 6>]\n   hci_error_reset+0x4f/0xa4 [bluetooth <HASH:3b4a 6>]\n   process_one_work+0x1d8/0x33f\n   worker_thread+0x21b/0x373\n   kthread+0x13a/0x152\n   ? pr_cont_work+0x54/0x54\n   ? kthread_blkcg+0x31/0x31\n    ret_from_fork+0x1f/0x30\r\n\r\nThis patch holds the reference count on the hci_dev while processing\na HCI_EV_HARDWARE_ERROR event to avoid potential crash.(CVE-2024-26801)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetlink: Fix kernel-infoleak-after-free in __skb_datagram_iter\r\n\r\nsyzbot reported the following uninit-value access issue [1]:\r\n\r\nnetlink_to_full_skb() creates a new `skb` and puts the `skb->data`\npassed as a 1st arg of netlink_to_full_skb() onto new `skb`. The data\nsize is specified as `len` and passed to skb_put_data(). This `len`\nis based on `skb->end` that is not data offset but buffer offset. The\n`skb->end` contains data and tailroom. Since the tailroom is not\ninitialized when the new `skb` created, KMSAN detects uninitialized\nmemory area when copying the data.\r\n\r\nThis patch resolved this issue by correct the len from `skb->end` to\n`skb->len`, which is the actual data offset.\r\n\r\nBUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in copy_to_user_iter lib/iov_iter.c:24 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_ubuf include/linux/iov_iter.h:29 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance include/linux/iov_iter.h:271 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186\n copy_to_iter include/linux/uio.h:197 [inline]\n simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:532\n __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:420\n skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]\n packet_recvmsg+0xd9c/0x2000 net/packet/af_packet.c:3482\n sock_recvmsg_nosec net/socket.c:1044 [inline]\n sock_recvmsg net/socket.c:1066 [inline]\n sock_read_iter+0x467/0x580 net/socket.c:1136\n call_read_iter include/linux/fs.h:2014 [inline]\n new_sync_read fs/read_write.c:389 [inline]\n vfs_read+0x8f6/0xe00 fs/read_write.c:470\n ksys_read+0x20f/0x4c0 fs/read_write.c:613\n __do_sys_read fs/read_write.c:623 [inline]\n __se_sys_read fs/read_write.c:621 [inline]\n __x64_sys_read+0x93/0xd0 fs/read_write.c:621\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was stored to memory at:\n skb_put_data include/linux/skbuff.h:2622 [inline]\n netlink_to_full_skb net/netlink/af_netlink.c:181 [inline]\n __netlink_deliver_tap_skb net/netlink/af_netlink.c:298 [inline]\n __netlink_deliver_tap+0x5be/0xc90 net/netlink/af_netlink.c:325\n netlink_deliver_tap net/netlink/af_netlink.c:338 [inline]\n netlink_deliver_tap_kernel net/netlink/af_netlink.c:347 [inline]\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x10f1/0x1250 net/netlink/af_netlink.c:1368\n netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was created at:\n free_pages_prepare mm/page_alloc.c:1087 [inline]\n free_unref_page_prepare+0xb0/0xa40 mm/page_alloc.c:2347\n free_unref_page_list+0xeb/0x1100 mm/page_alloc.c:2533\n release_pages+0x23d3/0x2410 mm/swap.c:1042\n free_pages_and_swap_cache+0xd9/0xf0 mm/swap_state.c:316\n tlb_batch_pages\n---truncated---(CVE-2024-26805)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain\r\n\r\nRemove netdevice from inet/ingress basechain in case NETDEV_UNREGISTER\nevent is reported, otherwise a stale reference to netdevice remains in\nthe hook list.(CVE-2024-26808)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nft_set_pipapo: release elements in clone only from destroy path\r\n\r\nClone already always provides a current view of the lookup table, use it\nto destroy the set, otherwise it is possible to destroy elements twice.\r\n\r\nThis fix requires:\r\n\r\n 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\")\r\n\r\nwhich came after:\r\n\r\n 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").(CVE-2024-26809)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: validate payload size in ipc response\r\n\r\nIf installing malicious ksmbd-tools, ksmbd.mountd can return invalid ipc\nresponse to ksmbd kernel server. ksmbd should validate payload size of\nipc response from ksmbd.mountd to avoid memory overrun or\nslab-out-of-bounds. This patch validate 3 ipc response that has payload.(CVE-2024-26811)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/pci: Create persistent INTx handler\r\n\r\nA vulnerability exists where the eventfd for INTx signaling can be\ndeconfigured, which unregisters the IRQ handler but still allows\neventfds to be signaled with a NULL context through the SET_IRQS ioctl\nor through unmask irqfd if the device interrupt is pending.\r\n\r\nIdeally this could be solved with some additional locking; the igate\nmutex serializes the ioctl and config space accesses, and the interrupt\nhandler is unregistered relative to the trigger, but the irqfd path\nruns asynchronous to those.  The igate mutex cannot be acquired from the\natomic context of the eventfd wake function.  Disabling the irqfd\nrelative to the eventfd registration is potentially incompatible with\nexisting userspace.\r\n\r\nAs a result, the solution implemented here moves configuration of the\nINTx interrupt handler to track the lifetime of the INTx context object\nand irq_type configuration, rather than registration of a particular\ntrigger eventfd.  Synchronization is added between the ioctl path and\neventfd_signal() wrapper such that the eventfd trigger can be\ndynamically updated relative to in-flight interrupts or irqfd callbacks.(CVE-2024-26812)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncifs: fix underflow in parse_server_interfaces()\r\n\r\nIn this loop, we step through the buffer and after each item we check\nif the size_left is greater than the minimum size we need.  However,\nthe problem is that \"bytes_left\" is type ssize_t while sizeof() is type\nsize_t.  That means that because of type promotion, the comparison is\ndone as an unsigned and if we have negative bytes left the loop\ncontinues instead of ending.(CVE-2024-26828)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_conntrack_h323: Add protection for bmp length out of range\r\n\r\nUBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts\nthat are out of bounds for their data type.\r\n\r\nvmlinux   get_bitmap(b=75) + 712\n<net/netfilter/nf_conntrack_h323_asn1.c:0>\nvmlinux   decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018, level=134443100) + 1956\n<net/netfilter/nf_conntrack_h323_asn1.c:592>\nvmlinux   decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216\n<net/netfilter/nf_conntrack_h323_asn1.c:814>\nvmlinux   decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812\n<net/netfilter/nf_conntrack_h323_asn1.c:576>\nvmlinux   decode_choice(base=0xFFFFFFD008037280, level=0) + 1216\n<net/netfilter/nf_conntrack_h323_asn1.c:814>\nvmlinux   DecodeRasMessage() + 304\n<net/netfilter/nf_conntrack_h323_asn1.c:833>\nvmlinux   ras_help() + 684\n<net/netfilter/nf_conntrack_h323_main.c:1728>\nvmlinux   nf_confirm() + 188\n<net/netfilter/nf_conntrack_proto.c:137>\r\n\r\nDue to abnormal data in skb->data, the extension bitmap length\nexceeds 32 when decoding ras message then uses the length to make\na shift operation. It will change into negative after several loop.\nUBSAN load could detect a negative shift as an undefined behaviour\nand reports exception.\nSo we add the protection to avoid the length exceeding 32. Or else\nit will return out of range error and stop decoding.(CVE-2024-26851)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: hns3: fix kernel crash when 1588 is received on HIP08 devices\r\n\r\nThe HIP08 devices does not register the ptp devices, so the\nhdev->ptp is NULL, but the hardware can receive 1588 messages,\nand set the HNS3_RXD_TS_VLD_B bit, so, if match this case, the\naccess of hdev->ptp->flags will cause a kernel crash:\r\n\r\n[ 5888.946472] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018\n[ 5888.946475] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018\n...\n[ 5889.266118] pc : hclge_ptp_get_rx_hwts+0x40/0x170 [hclge]\n[ 5889.272612] lr : hclge_ptp_get_rx_hwts+0x34/0x170 [hclge]\n[ 5889.279101] sp : ffff800012c3bc50\n[ 5889.283516] x29: ffff800012c3bc50 x28: ffff2040002be040\n[ 5889.289927] x27: ffff800009116484 x26: 0000000080007500\n[ 5889.296333] x25: 0000000000000000 x24: ffff204001c6f000\n[ 5889.302738] x23: ffff204144f53c00 x22: 0000000000000000\n[ 5889.309134] x21: 0000000000000000 x20: ffff204004220080\n[ 5889.315520] x19: ffff204144f53c00 x18: 0000000000000000\n[ 5889.321897] x17: 0000000000000000 x16: 0000000000000000\n[ 5889.328263] x15: 0000004000140ec8 x14: 0000000000000000\n[ 5889.334617] x13: 0000000000000000 x12: 00000000010011df\n[ 5889.340965] x11: bbfeff4d22000000 x10: 0000000000000000\n[ 5889.347303] x9 : ffff800009402124 x8 : 0200f78811dfbb4d\n[ 5889.353637] x7 : 2200000000191b01 x6 : ffff208002a7d480\n[ 5889.359959] x5 : 0000000000000000 x4 : 0000000000000000\n[ 5889.366271] x3 : 0000000000000000 x2 : 0000000000000000\n[ 5889.372567] x1 : 0000000000000000 x0 : ffff20400095c080\n[ 5889.378857] Call trace:\n[ 5889.382285] hclge_ptp_get_rx_hwts+0x40/0x170 [hclge]\n[ 5889.388304] hns3_handle_bdinfo+0x324/0x410 [hns3]\n[ 5889.394055] hns3_handle_rx_bd+0x60/0x150 [hns3]\n[ 5889.399624] hns3_clean_rx_ring+0x84/0x170 [hns3]\n[ 5889.405270] hns3_nic_common_poll+0xa8/0x220 [hns3]\n[ 5889.411084] napi_poll+0xcc/0x264\n[ 5889.415329] net_rx_action+0xd4/0x21c\n[ 5889.419911] __do_softirq+0x130/0x358\n[ 5889.424484] irq_exit+0x134/0x154\n[ 5889.428700] __handle_domain_irq+0x88/0xf0\n[ 5889.433684] gic_handle_irq+0x78/0x2c0\n[ 5889.438319] el1_irq+0xb8/0x140\n[ 5889.442354] arch_cpu_idle+0x18/0x40\n[ 5889.446816] default_idle_call+0x5c/0x1c0\n[ 5889.451714] cpuidle_idle_call+0x174/0x1b0\n[ 5889.456692] do_idle+0xc8/0x160\n[ 5889.460717] cpu_startup_entry+0x30/0xfc\n[ 5889.465523] secondary_start_kernel+0x158/0x1ec\n[ 5889.470936] Code: 97ffab78 f9411c14 91408294 f9457284 (f9400c80)\n[ 5889.477950] SMP: stopping secondary CPUs\n[ 5890.514626] SMP: failed to stop secondary CPUs 0-69,71-95\n[ 5890.522951] Starting crashdump kernel...(CVE-2024-26881)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmd: fix kmemleak of rdev->serial\r\n\r\nIf kobject_add() is fail in bind_rdev_to_array(), 'rdev->serial' will be\nalloc not be freed, and kmemleak occurs.\r\n\r\nunreferenced object 0xffff88815a350000 (size 49152):\n  comm \"mdadm\", pid 789, jiffies 4294716910\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc f773277a):\n    [<0000000058b0a453>] kmemleak_alloc+0x61/0xe0\n    [<00000000366adf14>] __kmalloc_large_node+0x15e/0x270\n    [<000000002e82961b>] __kmalloc_node.cold+0x11/0x7f\n    [<00000000f206d60a>] kvmalloc_node+0x74/0x150\n    [<0000000034bf3363>] rdev_init_serial+0x67/0x170\n    [<0000000010e08fe9>] mddev_create_serial_pool+0x62/0x220\n    [<00000000c3837bf0>] bind_rdev_to_array+0x2af/0x630\n    [<0000000073c28560>] md_add_new_disk+0x400/0x9f0\n    [<00000000770e30ff>] md_ioctl+0x15bf/0x1c10\n    [<000000006cfab718>] blkdev_ioctl+0x191/0x3f0\n    [<0000000085086a11>] vfs_ioctl+0x22/0x60\n    [<0000000018b656fe>] __x64_sys_ioctl+0xba/0xe0\n    [<00000000e54e675e>] do_syscall_64+0x71/0x150\n    [<000000008b0ad622>] entry_SYSCALL_64_after_hwframe+0x6c/0x74(CVE-2024-26900)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndo_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak\r\n\r\nsyzbot identified a kernel information leak vulnerability in\ndo_sys_name_to_handle() and issued the following report [1].\r\n\r\n[1]\n\"BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n _copy_to_user+0xbc/0x100 lib/usercopy.c:40\n copy_to_user include/linux/uaccess.h:191 [inline]\n do_sys_name_to_handle fs/fhandle.c:73 [inline]\n __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]\n __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94\n __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94\n ...\r\n\r\nUninit was created at:\n slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n slab_alloc_node mm/slub.c:3478 [inline]\n __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517\n __do_kmalloc_node mm/slab_common.c:1006 [inline]\n __kmalloc+0x121/0x3c0 mm/slab_common.c:1020\n kmalloc include/linux/slab.h:604 [inline]\n do_sys_name_to_handle fs/fhandle.c:39 [inline]\n __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]\n __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94\n __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94\n ...\r\n\r\nBytes 18-19 of 20 are uninitialized\nMemory access of size 20 starts at ffff888128a46380\nData copied to user address 0000000020000240\"\r\n\r\nPer Chuck Lever's suggestion, use kzalloc() instead of kmalloc() to\nsolve the problem.(CVE-2024-26901)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security\r\n\r\nDuring our fuzz testing of the connection and disconnection process at the\nRFCOMM layer, we discovered this bug. By comparing the packets from a\nnormal connection and disconnection process with the testcase that\ntriggered a KASAN report. We analyzed the cause of this bug as follows:\r\n\r\n1. In the packets captured during a normal connection, the host sends a\n`Read Encryption Key Size` type of `HCI_CMD` packet\n(Command Opcode: 0x1408) to the controller to inquire the length of\nencryption key.After receiving this packet, the controller immediately\nreplies with a Command Completepacket (Event Code: 0x0e) to return the\nEncryption Key Size.\r\n\r\n2. In our fuzz test case, the timing of the controller's response to this\npacket was delayed to an unexpected point: after the RFCOMM and L2CAP\nlayers had disconnected but before the HCI layer had disconnected.\r\n\r\n3. After receiving the Encryption Key Size Response at the time described\nin point 2, the host still called the rfcomm_check_security function.\nHowever, by this time `struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;`\nhad already been released, and when the function executed\n`return hci_conn_security(conn->hcon, d->sec_level, auth_type, d->out);`,\nspecifically when accessing `conn->hcon`, a null-ptr-deref error occurred.\r\n\r\nTo fix this bug, check if `sk->sk_state` is BT_CLOSED before calling\nrfcomm_recv_frame in rfcomm_process_rx.(CVE-2024-26903)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/mlx5: Fix fortify source warning while accessing Eth segment\r\n\r\n ------------[ cut here ]------------\n memcpy: detected field-spanning write (size 56) of single field \"eseg->inline_hdr.start\" at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 (size 2)\n WARNING: CPU: 0 PID: 293779 at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n Modules linked in: 8021q garp mrp stp llc rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) ib_core(OE) mlx5_core(OE) pci_hyperv_intf mlxdevm(OE) mlx_compat(OE) tls mlxfw(OE) psample nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink mst_pciconf(OE) knem(OE) vfio_pci vfio_pci_core vfio_iommu_type1 vfio iommufd irqbypass cuse nfsv3 nfs fscache netfs xfrm_user xfrm_algo ipmi_devintf ipmi_msghandler binfmt_misc crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 snd_pcsp aesni_intel crypto_simd cryptd snd_pcm snd_timer joydev snd soundcore input_leds serio_raw evbug nfsd auth_rpcgss nfs_acl lockd grace sch_fq_codel sunrpc drm efi_pstore ip_tables x_tables autofs4 psmouse virtio_net net_failover failover floppy\n  [last unloaded: mlx_compat(OE)]\n CPU: 0 PID: 293779 Comm: ssh Tainted: G           OE      6.2.0-32-generic #32~22.04.1-Ubuntu\n Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\n RIP: 0010:mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n Code: 0c 01 00 a8 01 75 25 48 8b 75 a0 b9 02 00 00 00 48 c7 c2 10 5b fd c0 48 c7 c7 80 5b fd c0 c6 05 57 0c 03 00 01 e8 95 4d 93 da <0f> 0b 44 8b 4d b0 4c 8b 45 c8 48 8b 4d c0 e9 49 fb ff ff 41 0f b7\n RSP: 0018:ffffb5b48478b570 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffffb5b48478b628 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000000 R12: ffffb5b48478b5e8\n R13: ffff963a3c609b5e R14: ffff9639c3fbd800 R15: ffffb5b480475a80\n FS:  00007fc03b444c80(0000) GS:ffff963a3dc00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000556f46bdf000 CR3: 0000000006ac6003 CR4: 00000000003706f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  <TASK>\n  ? show_regs+0x72/0x90\n  ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n  ? __warn+0x8d/0x160\n  ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n  ? report_bug+0x1bb/0x1d0\n  ? handle_bug+0x46/0x90\n  ? exc_invalid_op+0x19/0x80\n  ? asm_exc_invalid_op+0x1b/0x20\n  ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n  mlx5_ib_post_send_nodrain+0xb/0x20 [mlx5_ib]\n  ipoib_send+0x2ec/0x770 [ib_ipoib]\n  ipoib_start_xmit+0x5a0/0x770 [ib_ipoib]\n  dev_hard_start_xmit+0x8e/0x1e0\n  ? validate_xmit_skb_list+0x4d/0x80\n  sch_direct_xmit+0x116/0x3a0\n  __dev_xmit_skb+0x1fd/0x580\n  __dev_queue_xmit+0x284/0x6b0\n  ? _raw_spin_unlock_irq+0xe/0x50\n  ? __flush_work.isra.0+0x20d/0x370\n  ? push_pseudo_header+0x17/0x40 [ib_ipoib]\n  neigh_connected_output+0xcd/0x110\n  ip_finish_output2+0x179/0x480\n  ? __smp_call_single_queue+0x61/0xa0\n  __ip_finish_output+0xc3/0x190\n  ip_finish_output+0x2e/0xf0\n  ip_output+0x78/0x110\n  ? __pfx_ip_finish_output+0x10/0x10\n  ip_local_out+0x64/0x70\n  __ip_queue_xmit+0x18a/0x460\n  ip_queue_xmit+0x15/0x30\n  __tcp_transmit_skb+0x914/0x9c0\n  tcp_write_xmit+0x334/0x8d0\n  tcp_push_one+0x3c/0x60\n  tcp_sendmsg_locked+0x2e1/0xac0\n  tcp_sendmsg+0x2d/0x50\n  inet_sendmsg+0x43/0x90\n  sock_sendmsg+0x68/0x80\n  sock_write_iter+0x93/0x100\n  vfs_write+0x326/0x3c0\n  ksys_write+0xbd/0xf0\n  ? do_syscall_64+0x69/0x90\n  __x64_sys_write+0x19/0x30\n  do_syscall_\n---truncated---(CVE-2024-26907)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2024-26908)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: openvswitch: Fix Use-After-Free in ovs_ct_exit\r\n\r\nSince kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof ovs_ct_limit_exit, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\r\n\r\nTo prevent this, it should be changed to hlist_for_each_entry_safe.(CVE-2024-27395)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: gtp: Fix Use-After-Free in gtp_dellink\r\n\r\nSince call_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof gtp_dellink, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\r\n\r\nTo prevent this, it should be changed to hlist_for_each_entry_safe.(CVE-2024-27396)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncpumap: Zero-initialise xdp_rxq_info struct before running XDP program\r\n\r\nWhen running an XDP program that is attached to a cpumap entry, we don't\ninitialise the xdp_rxq_info data structure being used in the xdp_buff\nthat backs the XDP program invocation. Tobias noticed that this leads to\nrandom values being returned as the xdp_md->rx_queue_index value for XDP\nprograms running in a cpumap.\r\n\r\nThis means we're basically returning the contents of the uninitialised\nmemory, which is bad. Fix this by zero-initialising the rxq data\nstructure before running the XDP program.(CVE-2024-27431)",
+    "cves": [
+      {
+        "id": "CVE-2024-27431",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27431",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1634": {
+    "id": "openEuler-SA-2024-1634",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1634",
+    "title": "An update for mysql is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The MySQL(TM) software delivers a very fast, multi-threaded, multi-user, and robust SQL (Structured Query Language) database server. MySQL Server is intended for mission-critical, heavy-load production systems as well as for embedding into mass-deployed software. MySQL is a trademark of Oracle and/or its affiliates\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21087)",
+    "cves": [
+      {
+        "id": "CVE-2024-21087",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21087",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1096": {
+    "id": "openEuler-SA-2021-1096",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1096",
+    "title": "An update for apr is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1.",
+    "severity": "High",
+    "description": "The mission of the Apache Portable Runtime (APR) project is to create and maintain software libraries that provide a predictable and consistent interface to underlying platform-specific implementations. The primary goal is to provide an API to which software developers may code and be assured of predictable if not identical behaviour regardless of the platform on which their software is built, relieving them of the need to code special-case conditions to work around or take advantage of platform-specific deficiencies or features.\n\nSecurity Fix(es):\n\nAn out-of-bounds array dereference was found in apr_time_exp_get(). An attacker could abuse an unvalidated usage of this function to cause a denial of service or potentially lead to data leak.(CVE-2017-12613)",
+    "cves": [
+      {
+        "id": "CVE-2017-12613",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12613",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1080": {
+    "id": "openEuler-SA-2021-1080",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1080",
+    "title": "An update for clamav is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Clam AntiVirus (clamav) is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software. he virus database is based on the virus database from OpenAntiVirus, but contains additional signatures and is KEPT UP TO DATE.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability in the email parsing module Clam AntiVirus (ClamAV) Software versions 0.102.0, 0.101.4 and prior could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to inefficient MIME parsing routines that result in extremely long scan times of specially formatted email files. An attacker could exploit this vulnerability by sending a crafted email file to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to scan the crafted email file indefinitely, resulting in a denial of service condition.(CVE-2019-15961)",
+    "cves": [
+      {
+        "id": "CVE-2019-15961",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15961",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1413": {
+    "id": "openEuler-SA-2021-1413",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1413",
+    "title": "An update for tomcat is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project\r\n\r\nSecurity Fix(es):\r\n\r\nThe fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.(CVE-2021-42340)",
+    "cves": [
+      {
+        "id": "CVE-2021-42340",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42340",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1712": {
+    "id": "openEuler-SA-2023-1712",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1712",
+    "title": "An update for firefox is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Mozilla Firefox is a standalone web browser, designed for standards compliance and performance.  Its functionality can be enhanced via a plethora of extensions.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen receiving rendering data over IPC `mStream` could have been destroyed when initialized, which could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.(CVE-2023-4573)\r\n\r\nWhen creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks could have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.(CVE-2023-4574)\r\n\r\nWhen creating a callback over IPC for showing the File Picker window, multiple of the same callbacks could have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.(CVE-2023-4575)\r\n\r\nExcel `.xll` add-in files did not have a blocklist entry in Firefox's executable blocklist which allowed them to be downloaded without any warning of their potential harm. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.(CVE-2023-4581)\r\n\r\nMemory safety bugs present in Firefox 116, Firefox ESR 102.14, Firefox ESR 115.1, Thunderbird 102.14, and Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.(CVE-2023-4584)\r\n\r\nHeap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)(CVE-2023-4863)",
+    "cves": [
+      {
+        "id": "CVE-2023-4863",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4863",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2160": {
+    "id": "openEuler-SA-2022-2160",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2160",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn (TBD) of (TBD), there is a possible way to corrupt kernel memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-220738351References: Upstream kernel(CVE-2022-20568)\r\n\r\nIn verity_target of dm-verity-target.c, there is a possible way to modify read-only files due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-234475629References: Upstream kernel(CVE-2022-20572)",
+    "cves": [
+      {
+        "id": "CVE-2022-20572",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20572",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1120": {
+    "id": "openEuler-SA-2024-1120",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1120",
+    "title": "An update for shim is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Initial UEFI bootloader that handles chaining to a trusted full \\ bootloader under secure boot environments.\r\n\r\nSecurity Fix(es):\r\n\r\nA remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise.(CVE-2023-40547)\r\n\r\nA buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed from the PE binary being used by Shim. This value is further used for memory allocation operations, leading to a heap-based buffer overflow. This flaw causes memory corruption and can lead to a crash or data integrity issues during the boot phase.(CVE-2023-40548)\r\n\r\nAn out-of-bounds read flaw was found in Shim due to the lack of proper boundary verification during the load of a PE binary. This flaw allows an attacker to load a crafted PE binary, triggering the issue and crashing Shim, resulting in a denial of service.(CVE-2023-40549)\r\n\r\nAn out-of-bounds read flaw was found in Shim when it tried to validate the SBAT information. This issue may expose sensitive data during the system's boot phase.(CVE-2023-40550)\r\n\r\nA flaw was found in the MZ binary format in Shim. An out-of-bounds read may occur, leading to a crash or possible exposure of sensitive data during the system's boot phase.(CVE-2023-40551)",
+    "cves": [
+      {
+        "id": "CVE-2023-40551",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40551",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1805": {
+    "id": "openEuler-SA-2023-1805",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1805",
+    "title": "An update for httpd is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\r\n\r\nSecurity Fix(es):\r\n\r\nOut-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server: through 2.4.57.\r\n\r\n(CVE-2023-31122)\r\n\r\nWhen a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that.\r\n\r\nThis was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During \"normal\" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out.\r\n\r\nUsers are recommended to upgrade to version 2.4.58, which fixes the issue.\n(CVE-2023-45802)",
+    "cves": [
+      {
+        "id": "CVE-2023-45802",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45802",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1664": {
+    "id": "openEuler-SA-2022-1664",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1664",
+    "title": "An update for opensc is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "OpenSC provides a set of libraries and utilities to work with smart cards. Its main focus is on cards that support cryptographic operations, and facilitate their use in security applications such as authentication, mail encryption and digital signatures. OpenSC implements the standard APIs to smart cards, e.g. PKCS#11 API, Windows’ Smart Card Minidriver and macOS Tokend.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap double free issue was found in Opensc before version 0.22.0 in sc_pkcs15_free_tokeninfo.(CVE-2021-42778)\n\nA use after return issue was found in Opensc before version 0.22.0 in insert_pin function that could potentially crash programs using the library.(CVE-2021-42780)\n\nStack buffer overflow issues were found in Opensc before version 0.22.0 in various places that could potentially crash programs using the library.(CVE-2021-42782)",
+    "cves": [
+      {
+        "id": "CVE-2021-42782",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42782",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2050": {
+    "id": "openEuler-SA-2022-2050",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2050",
+    "title": "An update for multipath-tools is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "This package provides the multipath tool and the multipathd daemon to manage dm-multipath devices. multipath can detect and set up multipath maps. multipathd sets up multipath maps automatically, monitors path devices for failure, removal, or addition, and applies the necessary changes to the multipath maps to ensure continuous availability of the map devices.\r\n\r\nSecurity Fix(es):\r\n\r\nmultipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.(CVE-2022-41974)",
+    "cves": [
+      {
+        "id": "CVE-2022-41974",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41974",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1565": {
+    "id": "openEuler-SA-2024-1565",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1565",
+    "title": "An update for libreswan is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Low",
+    "description": "Libreswan is an implementation of IKEv1 and IKEv2 for IPsec. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services.  These services allow you to build secure tunnels through untrusted networks.  Everything passing through the untrusted net is encrypted by the ipsec gateway machine and decrypted by the gateway at the other end of the tunnel.  The resulting tunnel is a virtual private network or VPN.\r\n\r\nSecurity Fix(es):\r\n\r\nThe Libreswan Project was notified of an issue causing libreswan to restart when using IKEv1 without specifying an esp= line. When the peer requests AES-GMAC, libreswan's default proposal handler causes an assertion failure and crashes and restarts. IKEv2 connections are not affected.(CVE-2024-3652)",
+    "cves": [
+      {
+        "id": "CVE-2024-3652",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3652",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1894": {
+    "id": "openEuler-SA-2023-1894",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1894",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.(CVE-2023-1544)",
+    "cves": [
+      {
+        "id": "CVE-2023-1544",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1544",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1606": {
+    "id": "openEuler-SA-2023-1606",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1606",
+    "title": "An update for ghostscript is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Ghostscript is an interpreter for PostScript™ and Portable Document Format (PDF) files. Ghostscript consists of a PostScript interpreter layer, and a graphics library.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Artifex Ghostscript through 10.01.0, there is a buffer overflow leading to potential corruption of data internal to the PostScript interpreter, in base/sbcp.c. This affects BCPEncode, BCPDecode, TBCPEncode, and TBCPDecode. If the write buffer is filled to one byte less than full, and one then tries to write an escaped character, two bytes are written.(CVE-2023-28879)\r\n\r\nArtifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix).(CVE-2023-36664)\r\n\r\nA buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript. This issue may allow a local attacker to cause a denial of service via outputting a crafted PDF file for a DEVN device with gs.(CVE-2023-38559)",
+    "cves": [
+      {
+        "id": "CVE-2023-38559",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38559",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1752": {
+    "id": "openEuler-SA-2023-1752",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1752",
+    "title": "An update for cups is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "CUPS is the standards-based, open source printing system developed by Apple Inc. for UNIX®-like operating systems. CUPS uses the Internet Printing Protocol (IPP) to support printing to local and network printers..\r\n\r\nSecurity Fix(es):\r\n\r\nDue to failure in validating the length provided by an attacker-crafted PPD PostScript document, CUPS and libppd are susceptible to a heap-based buffer overflow and possibly code execution. This issue has been fixed in CUPS version 2.4.7, released in September of 2023.\n(CVE-2023-4504)",
+    "cves": [
+      {
+        "id": "CVE-2023-4504",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4504",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1374": {
+    "id": "openEuler-SA-2023-1374",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1374",
+    "title": "An update for wireshark is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Wireshark allows you to examine protocol data stored in files or as it is captured from wired or wireless (WiFi or Bluetooth) networks, USB devices, and many other sources.  It supports dozens of protocol capture file formats and understands more than a thousand protocols. It has many powerful features including a rich display filter language and the ability to reassemble multiple protocol packets in order to, for example, view a complete TCP stream, save the contents of a file which was transferred over HTTP or CIFS, or play back an RTP audio stream.\n\nSecurity Fix(es):\n\nXRA dissector infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file(CVE-2023-2952)\n\nDue to failure in validating the length provided by an attacker-crafted MSMMS packet, Wireshark version 4.0.5 and prior, in an unusual configuration, is susceptible to a heap-based buffer overflow, and possibly code execution in the context of the process running Wireshark(CVE-2023-0667)",
+    "cves": [
+      {
+        "id": "CVE-2023-0667",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0667",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1177": {
+    "id": "openEuler-SA-2023-1177",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1177",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn binder_transaction_buffer_release of binder.c, there is a possible use after free due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-257685302References: Upstream kernel(CVE-2023-20938)\r\n\r\nThere is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege. There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock. When CONFIG_TLS is enabled, user can install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable. The setsockopt TCP_ULP operation does not require any privilege. We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c(CVE-2023-0461)\r\n\r\nA flaw in the Linux Kernel found. The tls_is_tx_ready() incorrectly checks for list emptiness, potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field that overlaps with rec->tx_ready.\r\n\r\n\nReference:\nhttps://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=ffe2a22562444720b05bdfeb999c03e810d84cbb(CVE-2023-1075)\r\n\r\nA flaw found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info` actually points to something else that is potentially controlled by local user.\nIt is known how to trigger this, which causes an OOB access, and a lock corruption.\r\n\r\nReference:\nhttps://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=f753a68980cf4b59a80fe677619da2b1804f526d(CVE-2023-1078)\r\n\r\nA flaw found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function.\nWhile it will be often correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability.\nThis would make tun/tap sockets being incorrectly treated in filtering/routing decisions, possibly bypassing network filters.\r\n\r\nReferences:\nhttps://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=66b2c338adce580dfce2199591e65e2bab889cff\nhttps://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=a096ccca6e503a5c575717ff8a36ace27510ab0a(CVE-2023-1076)\r\n\r\nIn the Linux kernel before 5.17, an error path in dwc3_qcom_acpi_register_core in drivers/usb/dwc3/dwc3-qcom.c lacks certain platform_device_put and kfree calls.(CVE-2023-22995)\r\n\r\nA flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.(CVE-2023-1118)\n\nIn the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device.(CVE-2023-26545)",
+    "cves": [
+      {
+        "id": "CVE-2023-26545",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26545",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1603": {
+    "id": "openEuler-SA-2023-1603",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1603",
+    "title": "An update for openjdk-latest is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.3.1; Oracle GraalVM Enterprise Edition: 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21549)\r\n\r\nAn issue was discovered in function ciMethodBlocks::make_block_at in Oracle JDK (HotSpot VM) 11, 17 and OpenJDK (HotSpot VM) 8, 11, 17, allows attackers to cause a denial of service.(CVE-2022-40433)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization).  Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf; Oracle GraalVM Enterprise Edition: 20.3.8 and  21.3.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21830)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via DTLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-21835)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Sound).  Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21843)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21937)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21938)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21939)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2023-21954)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21968)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).(CVE-2023-22006)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.1 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2023-22041)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2023-22045)",
+    "cves": [
+      {
+        "id": "CVE-2023-22045",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22045",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1676": {
+    "id": "openEuler-SA-2022-1676",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1676",
+    "title": "An update for git is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency. Git is easy to learn and has a tiny footprint with lightning fast performance. It outclasses SCM tools like Subversion, CVS, Perforce, and ClearCase with features like cheap local branching, convenient staging areas, and multiple workflows.\n\nSecurity Fix(es):\n\nGit for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. Users who installed posh-gitare vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in `C:\\.git\\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder `.git` on all drives where Git commands are run, and remove read/write access from those folders as a workaround. Alternatively, define or extend `GIT_CEILING_DIRECTORIES` to cover the _parent_ directory of the user profile, e.g. `C:\\Users` if the user profile is located in `C:\\Users\\my-user-name`.(CVE-2022-24765)",
+    "cves": [
+      {
+        "id": "CVE-2022-24765",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24765",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1720": {
+    "id": "openEuler-SA-2022-1720",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1720",
+    "title": "An update for tcl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Tcl(Tool Command Language) provides a powerful platform for creating integration applications that tie together diverse applications, protocols, devices, and frameworks. When paired with the Tk toolkit, Tcl provides the fastest and most powerful way to create GUI applications that run on linux, Unix, and Mac OS X. Tcl can also be used for a variety of web-related tasks and for creating powerful command languages for applications.\r\n\r\nSecurity Fix(es):\r\n\r\n** DISPUTED ** In Tcl 8.6.11, a format string vulnerability in nmakehlp.c might allow code execution via a crafted file. NOTE: multiple third parties dispute the significance of this finding.(CVE-2021-35331)",
+    "cves": [
+      {
+        "id": "CVE-2021-35331",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35331",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1825": {
+    "id": "openEuler-SA-2022-1825",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1825",
+    "title": "An update for kexec-tools is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "kexec-tools provides /sbin/kexec binary that facilitates a new kernel to boot using the kernel's kexec feature either on a normal or a panic reboot. This package contains the /sbin/kexec binary and ancillary utilities that together form the userspace component of the kernel's kexec feature.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the permissions of a log file created by kexec-tools. This flaw allows a local unprivileged user to read this file and leak kernel internal information from a previous panic. The highest threat from this vulnerability is to confidentiality. This flaw affects kexec-tools shipped by Fedora versions prior to 2.0.21-8 and RHEL versions prior to 2.0.20-47.(CVE-2021-20269)",
+    "cves": [
+      {
+        "id": "CVE-2021-20269",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20269",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1636": {
+    "id": "openEuler-SA-2023-1636",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1636",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_SESSION_SETUP commands. The issue results from the lack of control of resource consumption. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.(CVE-2023-32247)\r\n\r\nA use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\r\n\r\nWhen nf_tables_delrule() is flushing table rules, it is not checked whether the chain is bound and the chain's owner rule can also release the objects in certain circumstances.\r\n\r\nWe recommend upgrading past commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8.\r\n\r\n(CVE-2023-3777)\r\n\r\nA use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\r\n\r\nOn an error when building a nftables rule, deactivating immediate expressions in nft_immediate_deactivate() can lead unbinding the chain and objects be deactivated but later used.\r\n\r\nWe recommend upgrading past commit 0a771f7b266b02d262900c75f1e175c7fe76fec2.\r\n\r\n(CVE-2023-4015)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation.\r\n\r\nWhen route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.\r\n\r\nWe recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.\r\n\r\n(CVE-2023-4206)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.\r\n\r\nWhen fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.\r\n\r\nWe recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec.\r\n\r\n(CVE-2023-4207)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.\r\n\r\nWhen u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.\r\n\r\nWe recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.\r\n\r\n(CVE-2023-4208)\r\n\r\nA use-after-free vulnerability in the Linux kernel's af_unix component can be exploited to achieve local privilege escalation.\r\n\r\nThe unix_stream_sendpage() function tries to add data to the last skb in the peer's recv queue without locking the queue. Thus there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free.\r\n\r\nWe recommend upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.\r\n\r\n(CVE-2023-4622)",
+    "cves": [
+      {
+        "id": "CVE-2023-4622",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4622",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1795": {
+    "id": "openEuler-SA-2022-1795",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1795",
+    "title": "An update for libtirpc is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Libtirpc is a Transport-Independent RPC library for Linux\r\n\r\nSecurity Fix(es):\r\n\r\nIn libtirpc before 1.3.3rc1, remote attackers could exhaust the file descriptors of a process that uses libtirpc because idle TCP connections are mishandled. This can, in turn, lead to an svc_run infinite loop without accepting new connections.(CVE-2021-46828)",
+    "cves": [
+      {
+        "id": "CVE-2021-46828",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46828",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1140": {
+    "id": "openEuler-SA-2023-1140",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1140",
+    "title": "An update for rubygem-activesupport is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization,time zones, and testing.\r\n\r\nSecurity Fix(es):\r\n\r\nA regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.(CVE-2023-22796)",
+    "cves": [
+      {
+        "id": "CVE-2023-22796",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22796",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1370": {
+    "id": "openEuler-SA-2021-1370",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1370",
+    "title": "An update for bluez is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "This package provides all utilities for use in Bluetooth applications. The BLUETOOTH trademarks are owned by Bluetooth SIG, Inc., U.S.A.\r\n\r\nSecurity Fix(es):\r\n\r\nbluetoothd from bluez incorrectly saves adapters' Discoverable status when a device is powered down, and restores it when powered up. If a device is powered down while discoverable, it will be discoverable when powered on again. This could lead to inadvertent exposure of the bluetooth stack to physically nearby attackers.(CVE-2021-3658)",
+    "cves": [
+      {
+        "id": "CVE-2021-3658",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3658",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1554": {
+    "id": "openEuler-SA-2022-1554",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1554",
+    "title": "An update for expat is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "An XML parser library.\r\n\r\nSecurity Fix(es):\r\n\r\nxmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.(CVE-2022-25235)\r\n\r\nxmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.(CVE-2022-25236)\r\n\r\nIn Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.(CVE-2022-25314)\r\n\r\nIn Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.(CVE-2022-25313)\r\n\r\nIn Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.(CVE-2022-25315)",
+    "cves": [
+      {
+        "id": "CVE-2022-25315",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25315",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1858": {
+    "id": "openEuler-SA-2024-1858",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1858",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP4,openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file.(CVE-2024-4467)",
+    "cves": [
+      {
+        "id": "CVE-2024-4467",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4467",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1489": {
+    "id": "openEuler-SA-2022-1489",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1489",
+    "title": "An update for udisks2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Udisks project provides a daemon, tools and libraries to access and manipulate disks, storage devices and technologies.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability found in udisks2. The vulnerability allows an attacker to enter a specially crafted image file/USB to cause a kernel panic. The biggest threat to this vulnerability is system availability.(CVE-2021-3802)",
+    "cves": [
+      {
+        "id": "CVE-2021-3802",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3802",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1385": {
+    "id": "openEuler-SA-2023-1385",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1385",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "This libtiff provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. \r\n\r\nSecurity Fix(es):\r\n\r\nloadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted TIFF image.(CVE-2023-26965)\r\n\r\nA NULL pointer dereference in TIFFClose() is caused by a failure to open an output file (non-existent path or a path that requires permissions like /dev/null) while specifying zones.\r\n\r\n(CVE-2023-3316)",
+    "cves": [
+      {
+        "id": "CVE-2023-3316",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3316",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1630": {
+    "id": "openEuler-SA-2022-1630",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1630",
+    "title": "An update for jdom2 is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "JDOM is an in-memory representation of an XML document. XML consists of elements (which have attributes), text data, 'entity' references, processing instructions, and comments. XML documents can also have a DocType declaration, Comments, and Processing Instructions before the root element.\r\n\r\nSecurity Fix(es):\r\n\r\nAn XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.(CVE-2021-33813)",
+    "cves": [
+      {
+        "id": "CVE-2021-33813",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33813",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1879": {
+    "id": "openEuler-SA-2022-1879",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1879",
+    "title": "An update for python3 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Python combines remarkable power with very clear syntax. It has modules,classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation).Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces.This package Provides python version 3.\r\n\r\nSecurity Fix(es):\r\n\r\n** DISPUTED ** Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states \"Warning: http.server is not recommended for production. It only implements basic security checks.\"(CVE-2021-28861)",
+    "cves": [
+      {
+        "id": "CVE-2021-28861",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28861",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1979": {
+    "id": "openEuler-SA-2022-1979",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1979",
+    "title": "An update for kubernetes is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Container cluster management.\r\n\r\nSecurity Fix(es):\r\n\r\nA security issue was discovered in kube-apiserver that allows an aggregated API server to redirect client traffic to any URL. This could lead to the\nclient performing unexpected actions as well as forwarding the client's API server credentials to third parties.\r\n\r\nref: https://github.com/kubernetes/kubernetes/issues/112513(CVE-2022-3172)",
+    "cves": [
+      {
+        "id": "CVE-2022-3172",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3172",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1353": {
+    "id": "openEuler-SA-2024-1353",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1353",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: x86/mmu: Don't advance iterator after restart due to yielding\r\n\r\nAfter dropping mmu_lock in the TDP MMU, restart the iterator during\ntdp_iter_next() and do not advance the iterator.  Advancing the iterator\nresults in skipping the top-level SPTE and all its children, which is\nfatal if any of the skipped SPTEs were not visited before yielding.\r\n\r\nWhen zapping all SPTEs, i.e. when min_level == root_level, restarting the\niter and then invoking tdp_iter_next() is always fatal if the current gfn\nhas as a valid SPTE, as advancing the iterator results in try_step_side()\nskipping the current gfn, which wasn't visited before yielding.\r\n\r\nSprinkle WARNs on iter->yielded being true in various helpers that are\noften used in conjunction with yielding, and tag the helper with\n__must_check to reduce the probabily of improper usage.\r\n\r\nFailing to zap a top-level SPTE manifests in one of two ways.  If a valid\nSPTE is skipped by both kvm_tdp_mmu_zap_all() and kvm_tdp_mmu_put_root(),\nthe shadow page will be leaked and KVM will WARN accordingly.\r\n\r\n  WARNING: CPU: 1 PID: 3509 at arch/x86/kvm/mmu/tdp_mmu.c:46 [kvm]\n  RIP: 0010:kvm_mmu_uninit_tdp_mmu+0x3e/0x50 [kvm]\n  Call Trace:\n   <TASK>\n   kvm_arch_destroy_vm+0x130/0x1b0 [kvm]\n   kvm_destroy_vm+0x162/0x2a0 [kvm]\n   kvm_vcpu_release+0x34/0x60 [kvm]\n   __fput+0x82/0x240\n   task_work_run+0x5c/0x90\n   do_exit+0x364/0xa10\n   ? futex_unqueue+0x38/0x60\n   do_group_exit+0x33/0xa0\n   get_signal+0x155/0x850\n   arch_do_signal_or_restart+0xed/0x750\n   exit_to_user_mode_prepare+0xc5/0x120\n   syscall_exit_to_user_mode+0x1d/0x40\n   do_syscall_64+0x48/0xc0\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\r\n\r\nIf kvm_tdp_mmu_zap_all() skips a gfn/SPTE but that SPTE is then zapped by\nkvm_tdp_mmu_put_root(), KVM triggers a use-after-free in the form of\nmarking a struct page as dirty/accessed after it has been put back on the\nfree list.  This directly triggers a WARN due to encountering a page with\npage_count() == 0, but it can also lead to data corruption and additional\nerrors in the kernel.\r\n\r\n  WARNING: CPU: 7 PID: 1995658 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:171\n  RIP: 0010:kvm_is_zone_device_pfn.part.0+0x9e/0xd0 [kvm]\n  Call Trace:\n   <TASK>\n   kvm_set_pfn_dirty+0x120/0x1d0 [kvm]\n   __handle_changed_spte+0x92e/0xca0 [kvm]\n   __handle_changed_spte+0x63c/0xca0 [kvm]\n   __handle_changed_spte+0x63c/0xca0 [kvm]\n   __handle_changed_spte+0x63c/0xca0 [kvm]\n   zap_gfn_range+0x549/0x620 [kvm]\n   kvm_tdp_mmu_put_root+0x1b6/0x270 [kvm]\n   mmu_free_root_page+0x219/0x2c0 [kvm]\n   kvm_mmu_free_roots+0x1b4/0x4e0 [kvm]\n   kvm_mmu_unload+0x1c/0xa0 [kvm]\n   kvm_arch_destroy_vm+0x1f2/0x5c0 [kvm]\n   kvm_put_kvm+0x3b1/0x8b0 [kvm]\n   kvm_vcpu_release+0x4e/0x70 [kvm]\n   __fput+0x1f7/0x8c0\n   task_work_run+0xf8/0x1a0\n   do_exit+0x97b/0x2230\n   do_group_exit+0xda/0x2a0\n   get_signal+0x3be/0x1e50\n   arch_do_signal_or_restart+0x244/0x17f0\n   exit_to_user_mode_prepare+0xcb/0x120\n   syscall_exit_to_user_mode+0x1d/0x40\n   do_syscall_64+0x4d/0x90\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\r\n\r\nNote, the underlying bug existed even before commit 1af4a96025b3 (\"KVM:\nx86/mmu: Yield in TDU MMU iter even if no SPTES changed\") moved calls to\ntdp_mmu_iter_cond_resched() to the beginning of loops, as KVM could still\nincorrectly advance past a top-level entry when yielding on a lower-level\nentry.  But with respect to leaking shadow pages, the bug was introduced\nby yielding before processing the current gfn.\r\n\r\nAlternatively, tdp_mmu_iter_cond_resched() could simply fall through, or\ncallers could jump to their \"retry\" label.  The downside of that approach\nis that tdp_mmu_iter_cond_resched() _must_ be called before anything else\nin the loop, and there's no easy way to enfornce that requirement.\r\n\r\nIdeally, KVM would handling the cond_resched() fully within the iterator\nmacro (the code is actually quite clean) and avoid this entire class of\nbugs, but that is extremely difficult do wh\n---truncated---(CVE-2021-47094)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn()\r\n\r\nSili Luo reported a race in nfc_llcp_sock_get(), leading to UAF.\r\n\r\nGetting a reference on the socket found in a lookup while\nholding a lock should happen before releasing the lock.\r\n\r\nnfc_llcp_sock_get_sn() has a similar problem.\r\n\r\nFinally nfc_llcp_recv_snl() needs to make sure the socket\nfound by nfc_llcp_sock_from_sn() does not disappear.(CVE-2023-52502)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix array-index-out-of-bounds in diNewExt\r\n\r\n[Syz report]\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_imap.c:2360:2\nindex -878706688 is out of range for type 'struct iagctl[128]'\nCPU: 1 PID: 5065 Comm: syz-executor282 Not tainted 6.7.0-rc4-syzkaller-00009-gbee0e7762ad2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348\n diNewExt+0x3cf3/0x4000 fs/jfs/jfs_imap.c:2360\n diAllocExt fs/jfs/jfs_imap.c:1949 [inline]\n diAllocAG+0xbe8/0x1e50 fs/jfs/jfs_imap.c:1666\n diAlloc+0x1d3/0x1760 fs/jfs/jfs_imap.c:1587\n ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56\n jfs_mkdir+0x1c5/0xb90 fs/jfs/namei.c:225\n vfs_mkdir+0x2f1/0x4b0 fs/namei.c:4106\n do_mkdirat+0x264/0x3a0 fs/namei.c:4129\n __do_sys_mkdir fs/namei.c:4149 [inline]\n __se_sys_mkdir fs/namei.c:4147 [inline]\n __x64_sys_mkdir+0x6e/0x80 fs/namei.c:4147\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x45/0x110 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7fcb7e6a0b57\nCode: ff ff 77 07 31 c0 c3 0f 1f 40 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffd83023038 EFLAGS: 00000286 ORIG_RAX: 0000000000000053\nRAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007fcb7e6a0b57\nRDX: 00000000000a1020 RSI: 00000000000001ff RDI: 0000000020000140\nRBP: 0000000020000140 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000286 R12: 00007ffd830230d0\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\r\n\r\n[Analysis]\nWhen the agstart is too large, it can cause agno overflow.\r\n\r\n[Fix]\nAfter obtaining agno, if the value is invalid, exit the subsequent process.\r\n\r\n\nModified the test from agno > MAXAG to agno >= MAXAG based on linux-next\nreport by kernel test robot (Dan Carpenter).(CVE-2023-52599)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix uaf in jfs_evict_inode\r\n\r\nWhen the execution of diMount(ipimap) fails, the object ipimap that has been\nreleased may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs\nwhen rcu_core() calls jfs_free_node().\r\n\r\nTherefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as\nipimap.(CVE-2023-52600)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntomoyo: fix UAF write bug in tomoyo_write_control()\r\n\r\nSince tomoyo_write_control() updates head->write_buf when write()\nof long lines is requested, we need to fetch head->write_buf after\nhead->io_sem is held.  Otherwise, concurrent write() requests can\ncause use-after-free-write and double-free problems.(CVE-2024-26622)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nllc: call sock_orphan() at release time\r\n\r\nsyzbot reported an interesting trace [1] caused by a stale sk->sk_wq\npointer in a closed llc socket.\r\n\r\nIn commit ff7b11aa481f (\"net: socket: set sock->sk to NULL after\ncalling proto_ops::release()\") Eric Biggers hinted that some protocols\nare missing a sock_orphan(), we need to perform a full audit.\r\n\r\nIn net-next, I plan to clear sock->sk from sock_orphan() and\namend Eric patch to add a warning.\r\n\r\n[1]\n BUG: KASAN: slab-use-after-free in list_empty include/linux/list.h:373 [inline]\n BUG: KASAN: slab-use-after-free in waitqueue_active include/linux/wait.h:127 [inline]\n BUG: KASAN: slab-use-after-free in sock_def_write_space_wfree net/core/sock.c:3384 [inline]\n BUG: KASAN: slab-use-after-free in sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468\nRead of size 8 at addr ffff88802f4fc880 by task ksoftirqd/1/27\r\n\r\nCPU: 1 PID: 27 Comm: ksoftirqd/1 Not tainted 6.8.0-rc1-syzkaller-00049-g6098d87eaf31 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0xc4/0x620 mm/kasan/report.c:488\n  kasan_report+0xda/0x110 mm/kasan/report.c:601\n  list_empty include/linux/list.h:373 [inline]\n  waitqueue_active include/linux/wait.h:127 [inline]\n  sock_def_write_space_wfree net/core/sock.c:3384 [inline]\n  sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468\n  skb_release_head_state+0xa3/0x2b0 net/core/skbuff.c:1080\n  skb_release_all net/core/skbuff.c:1092 [inline]\n  napi_consume_skb+0x119/0x2b0 net/core/skbuff.c:1404\n  e1000_unmap_and_free_tx_resource+0x144/0x200 drivers/net/ethernet/intel/e1000/e1000_main.c:1970\n  e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3860 [inline]\n  e1000_clean+0x4a1/0x26e0 drivers/net/ethernet/intel/e1000/e1000_main.c:3801\n  __napi_poll.constprop.0+0xb4/0x540 net/core/dev.c:6576\n  napi_poll net/core/dev.c:6645 [inline]\n  net_rx_action+0x956/0xe90 net/core/dev.c:6778\n  __do_softirq+0x21a/0x8de kernel/softirq.c:553\n  run_ksoftirqd kernel/softirq.c:921 [inline]\n  run_ksoftirqd+0x31/0x60 kernel/softirq.c:913\n  smpboot_thread_fn+0x660/0xa10 kernel/smpboot.c:164\n  kthread+0x2c6/0x3a0 kernel/kthread.c:388\n  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n  ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242\n </TASK>\r\n\r\nAllocated by task 5167:\n  kasan_save_stack+0x33/0x50 mm/kasan/common.c:47\n  kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n  unpoison_slab_object mm/kasan/common.c:314 [inline]\n  __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:340\n  kasan_slab_alloc include/linux/kasan.h:201 [inline]\n  slab_post_alloc_hook mm/slub.c:3813 [inline]\n  slab_alloc_node mm/slub.c:3860 [inline]\n  kmem_cache_alloc_lru+0x142/0x6f0 mm/slub.c:3879\n  alloc_inode_sb include/linux/fs.h:3019 [inline]\n  sock_alloc_inode+0x25/0x1c0 net/socket.c:308\n  alloc_inode+0x5d/0x220 fs/inode.c:260\n  new_inode_pseudo+0x16/0x80 fs/inode.c:1005\n  sock_alloc+0x40/0x270 net/socket.c:634\n  __sock_create+0xbc/0x800 net/socket.c:1535\n  sock_create net/socket.c:1622 [inline]\n  __sys_socket_create net/socket.c:1659 [inline]\n  __sys_socket+0x14c/0x260 net/socket.c:1706\n  __do_sys_socket net/socket.c:1720 [inline]\n  __se_sys_socket net/socket.c:1718 [inline]\n  __x64_sys_socket+0x72/0xb0 net/socket.c:1718\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nFreed by task 0:\n  kasan_save_stack+0x33/0x50 mm/kasan/common.c:47\n  kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n  kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640\n  poison_slab_object mm/kasan/common.c:241 [inline]\n  __kasan_slab_free+0x121/0x1b0 mm/kasan/common.c:257\n  kasan_slab_free include/linux/kasan.h:184 [inline]\n  slab_free_hook mm/slub.c:2121 [inlin\n---truncated---(CVE-2024-26625)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: core: Move scsi_host_busy() out of host lock for waking up EH handler\r\n\r\nInside scsi_eh_wakeup(), scsi_host_busy() is called & checked with host\nlock every time for deciding if error handler kthread needs to be waken up.\r\n\r\nThis can be too heavy in case of recovery, such as:\r\n\r\n - N hardware queues\r\n\r\n - queue depth is M for each hardware queue\r\n\r\n - each scsi_host_busy() iterates over (N * M) tag/requests\r\n\r\nIf recovery is triggered in case that all requests are in-flight, each\nscsi_eh_wakeup() is strictly serialized, when scsi_eh_wakeup() is called\nfor the last in-flight request, scsi_host_busy() has been run for (N * M -\n1) times, and request has been iterated for (N*M - 1) * (N * M) times.\r\n\r\nIf both N and M are big enough, hard lockup can be triggered on acquiring\nhost lock, and it is observed on mpi3mr(128 hw queues, queue depth 8169).\r\n\r\nFix the issue by calling scsi_host_busy() outside the host lock. We don't\nneed the host lock for getting busy count because host the lock never\ncovers that.\r\n\r\n[mkp: Drop unnecessary 'busy' variables pointed out by Bart](CVE-2024-26627)",
+    "cves": [
+      {
+        "id": "CVE-2024-26627",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26627",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1621": {
+    "id": "openEuler-SA-2023-1621",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1621",
+    "title": "An update for php is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in PHP. This issue occurs due to an uncaught integer overflow in PDO::quote() of PDO_SQLite returning an improperly quoted string. With the implementation of sqlite3_snprintf(), it is possible to force the function to return a single apostrophe if the function is called on user-supplied input without any length restrictions in place.(CVE-2022-31631)\r\n\r\nIn PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.(CVE-2023-0567)\r\n\r\nIn PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification. (CVE-2023-0568)\r\n\r\nIn PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space. (CVE-2023-0662)\r\n\r\nIn PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, 8.2.* before 8.2.7 when using SOAP HTTP Digest Authentication, random value generator was not checked for failure, and was using narrower range of values than it should have. In case of random generator failure, it could lead to a disclosure of 31 bits of uninitialized memory from the client to the server, and it also made easier to a malicious server to guess the client's nonce. \r\n\r\n(CVE-2023-3247)\r\n\r\nIn PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down. \r\n\r\n(CVE-2023-3823)\r\n\r\nIn PHP version 8.0.* before 8.0.30,  8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE. \r\n\r\n(CVE-2023-3824)",
+    "cves": [
+      {
+        "id": "CVE-2023-3824",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3824",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2098": {
+    "id": "openEuler-SA-2022-2098",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2098",
+    "title": "An update for libxslt is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "libxslt allows you to transform XML files into other XML files (or HTML, text, and more) using the standard XSLT stylesheet transformation mechanism.\r\n\r\nSecurity Fix(es):\r\n\r\nUse after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.(CVE-2021-30560)",
+    "cves": [
+      {
+        "id": "CVE-2021-30560",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30560",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1971": {
+    "id": "openEuler-SA-2023-1971",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1971",
+    "title": "An update for jackson-databind is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The general-purpose data-binding functionality and tree-model for Jackson Data Processor. It builds on core streaming parser/generator package, and uses Jackson Annotations for configuration.\r\n\r\nSecurity Fix(es):\r\n\r\njackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.(CVE-2020-36518)\r\n\r\nIn FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.(CVE-2022-42003)\r\n\r\nIn FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.(CVE-2022-42004)",
+    "cves": [
+      {
+        "id": "CVE-2022-42004",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1587": {
+    "id": "openEuler-SA-2022-1587",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1587",
+    "title": "An update for mariadb is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "MariaDB is a community developed fork from MySQL - a multi-user, multi-threaded SQL database server. It is a client/server implementation consisting of a server daemon (mariadbd) and many different client programs and libraries. The base package contains the standard MariaDB/MySQL client programs and utilities.\r\n\r\nMariaDB turns data into structured information in a wide array of applications, ranging from banking to websites. It is an enhanced, drop-in replacement for MySQL. MariaDB is used because it is fast, scalable and robust, with a rich ecosystem of storage engines, plugins and many other tools make it very versatile for a wide variety of use cases.\r\n\r\nSecurity Fix(es):\r\n\r\nMariaDB through 10.5.9 allows attackers to trigger a convert_const_to_int use-after-free when the BIGINT data type is used.(CVE-2021-46669)\r\n\r\nMariaDB through 10.5.9 allows an application crash in find_field_in_tables and find_order_in_list via an unused common table expression (CTE).(CVE-2021-46661)\r\n\r\nMariaDB before 10.6.5 has a sql_lex.cc integer overflow, leading to an application crash.(CVE-2021-46667)\r\n\r\nMariaDB before 10.6.2 allows an application crash because of mishandling of a pushdown from a HAVING clause to a WHERE clause.(CVE-2021-46666)\r\n\r\nMariaDB through 10.5.9 allows a set_var.cc application crash via certain uses of an UPDATE statement in conjunction with a nested subquery.(CVE-2021-46662)\r\n\r\nMariaDB through 10.5.13 allows a ha_maria::extra application crash via certain SELECT statements.(CVE-2021-46663)\r\n\r\nMariaDB through 10.5.9 allows a sql_parse.cc application crash because of incorrect used_tables expectations.(CVE-2021-46665)\r\n\r\nMariaDB through 10.5.9 allows an application crash in sub_select_postjoin_aggr for a NULL value of aggr.(CVE-2021-46664)\r\n\r\nMariaDB before 10.7.2 allows an application crash because it does not recognize that SELECT_LEX::nest_level is local to each VIEW.(CVE-2021-46659)\r\n\r\nget_sort_by_table in MariaDB before 10.6.2 allows an application crash via certain subquery uses of ORDER BY.(CVE-2021-46657)",
+    "cves": [
+      {
+        "id": "CVE-2021-46657",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46657",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1506": {
+    "id": "openEuler-SA-2023-1506",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1506",
+    "title": "An update for nghttp2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The framing layer of HTTP/2 is implemented as a form of reusable C library. On top of that, we have implemented HTTP/2 client, server and proxy. We have also developed load test and benchmarking tool for HTTP/2.\r\n\r\nSecurity Fix(es):\r\n\r\nEnvoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the `GOAWAY` frame skips de-allocation of the bookkeeping structure and pending compressed header. The error return [code path] is taken if connection is already marked for not sending more requests due to `GOAWAY` frame. The clean-up code is right after the return statement, causing memory leak. Denial of service through memory exhaustion. This vulnerability was patched in versions(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11.(CVE-2023-35945)",
+    "cves": [
+      {
+        "id": "CVE-2023-35945",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35945",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1437": {
+    "id": "openEuler-SA-2021-1437",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1437",
+    "title": "An update for trafficserver is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "Apache Traffic Server is an OpenSource HTTP / HTTPS / HTTP/2 / QUIC reverse, forward and transparent proxy and cache.\r\n\r\nSecurity Fix(es):\r\n\r\nImproper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0.(CVE-2021-37147)\r\n\r\nImproper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0.(CVE-2021-37149)\r\n\r\nImproper Input Validation vulnerability in accepting socket connections in Apache Traffic Server allows an attacker to make the server stop accepting new connections. This issue affects Apache Traffic Server 5.0.0 to 9.1.0.(CVE-2021-41585)\r\n\r\nBuffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in the stats-over-http plugin of Apache Traffic Server allows an attacker to overwrite memory. This issue affects Apache Traffic Server 9.1.0.(CVE-2021-43082)",
+    "cves": [
+      {
+        "id": "CVE-2021-43082",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43082",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1299": {
+    "id": "openEuler-SA-2024-1299",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1299",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: fix deadlock when cloning inline extents and using qgroups\r\n\r\nThere are a few exceptional cases where cloning an inline extent needs to\ncopy the inline extent data into a page of the destination inode.\r\n\r\nWhen this happens, we end up starting a transaction while having a dirty\npage for the destination inode and while having the range locked in the\ndestination's inode iotree too. Because when reserving metadata space\nfor a transaction we may need to flush existing delalloc in case there is\nnot enough free space, we have a mechanism in place to prevent a deadlock,\nwhich was introduced in commit 3d45f221ce627d (\"btrfs: fix deadlock when\ncloning inline extent and low on free metadata space\").\r\n\r\nHowever when using qgroups, a transaction also reserves metadata qgroup\nspace, which can also result in flushing delalloc in case there is not\nenough available space at the moment. When this happens we deadlock, since\nflushing delalloc requires locking the file range in the inode's iotree\nand the range was already locked at the very beginning of the clone\noperation, before attempting to start the transaction.\r\n\r\nWhen this issue happens, stack traces like the following are reported:\r\n\r\n  [72747.556262] task:kworker/u81:9   state:D stack:    0 pid:  225 ppid:     2 flags:0x00004000\n  [72747.556268] Workqueue: writeback wb_workfn (flush-btrfs-1142)\n  [72747.556271] Call Trace:\n  [72747.556273]  __schedule+0x296/0x760\n  [72747.556277]  schedule+0x3c/0xa0\n  [72747.556279]  io_schedule+0x12/0x40\n  [72747.556284]  __lock_page+0x13c/0x280\n  [72747.556287]  ? generic_file_readonly_mmap+0x70/0x70\n  [72747.556325]  extent_write_cache_pages+0x22a/0x440 [btrfs]\n  [72747.556331]  ? __set_page_dirty_nobuffers+0xe7/0x160\n  [72747.556358]  ? set_extent_buffer_dirty+0x5e/0x80 [btrfs]\n  [72747.556362]  ? update_group_capacity+0x25/0x210\n  [72747.556366]  ? cpumask_next_and+0x1a/0x20\n  [72747.556391]  extent_writepages+0x44/0xa0 [btrfs]\n  [72747.556394]  do_writepages+0x41/0xd0\n  [72747.556398]  __writeback_single_inode+0x39/0x2a0\n  [72747.556403]  writeback_sb_inodes+0x1ea/0x440\n  [72747.556407]  __writeback_inodes_wb+0x5f/0xc0\n  [72747.556410]  wb_writeback+0x235/0x2b0\n  [72747.556414]  ? get_nr_inodes+0x35/0x50\n  [72747.556417]  wb_workfn+0x354/0x490\n  [72747.556420]  ? newidle_balance+0x2c5/0x3e0\n  [72747.556424]  process_one_work+0x1aa/0x340\n  [72747.556426]  worker_thread+0x30/0x390\n  [72747.556429]  ? create_worker+0x1a0/0x1a0\n  [72747.556432]  kthread+0x116/0x130\n  [72747.556435]  ? kthread_park+0x80/0x80\n  [72747.556438]  ret_from_fork+0x1f/0x30\r\n\r\n  [72747.566958] Workqueue: btrfs-flush_delalloc btrfs_work_helper [btrfs]\n  [72747.566961] Call Trace:\n  [72747.566964]  __schedule+0x296/0x760\n  [72747.566968]  ? finish_wait+0x80/0x80\n  [72747.566970]  schedule+0x3c/0xa0\n  [72747.566995]  wait_extent_bit.constprop.68+0x13b/0x1c0 [btrfs]\n  [72747.566999]  ? finish_wait+0x80/0x80\n  [72747.567024]  lock_extent_bits+0x37/0x90 [btrfs]\n  [72747.567047]  btrfs_invalidatepage+0x299/0x2c0 [btrfs]\n  [72747.567051]  ? find_get_pages_range_tag+0x2cd/0x380\n  [72747.567076]  __extent_writepage+0x203/0x320 [btrfs]\n  [72747.567102]  extent_write_cache_pages+0x2bb/0x440 [btrfs]\n  [72747.567106]  ? update_load_avg+0x7e/0x5f0\n  [72747.567109]  ? enqueue_entity+0xf4/0x6f0\n  [72747.567134]  extent_writepages+0x44/0xa0 [btrfs]\n  [72747.567137]  ? enqueue_task_fair+0x93/0x6f0\n  [72747.567140]  do_writepages+0x41/0xd0\n  [72747.567144]  __filemap_fdatawrite_range+0xc7/0x100\n  [72747.567167]  btrfs_run_delalloc_work+0x17/0x40 [btrfs]\n  [72747.567195]  btrfs_work_helper+0xc2/0x300 [btrfs]\n  [72747.567200]  process_one_work+0x1aa/0x340\n  [72747.567202]  worker_thread+0x30/0x390\n  [72747.567205]  ? create_worker+0x1a0/0x1a0\n  [72747.567208]  kthread+0x116/0x130\n  [72747.567211]  ? kthread_park+0x80/0x80\n  [72747.567214]  ret_from_fork+0x1f/0x30\r\n\r\n  [72747.569686] task:fsstress        state:D stack:    \n---truncated---(CVE-2021-46987)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Defer the free of inner map when necessary\r\n\r\nWhen updating or deleting an inner map in map array or map htab, the map\nmay still be accessed by non-sleepable program or sleepable program.\nHowever bpf_map_fd_put_ptr() decreases the ref-counter of the inner map\ndirectly through bpf_map_put(), if the ref-counter is the last one\n(which is true for most cases), the inner map will be freed by\nops->map_free() in a kworker. But for now, most .map_free() callbacks\ndon't use synchronize_rcu() or its variants to wait for the elapse of a\nRCU grace period, so after the invocation of ops->map_free completes,\nthe bpf program which is accessing the inner map may incur\nuse-after-free problem.\r\n\r\nFix the free of inner map by invoking bpf_map_free_deferred() after both\none RCU grace period and one tasks trace RCU grace period if the inner\nmap has been removed from the outer map before. The deferment is\naccomplished by using call_rcu() or call_rcu_tasks_trace() when\nreleasing the last ref-counter of bpf map. The newly-added rcu_head\nfield in bpf_map shares the same storage space with work field to\nreduce the size of bpf_map.(CVE-2023-52447)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump\r\n\r\nSyzkaller has reported a NULL pointer dereference when accessing\nrgd->rd_rgl in gfs2_rgrp_dump().  This can happen when creating\nrgd->rd_gl fails in read_rindex_entry().  Add a NULL pointer check in\ngfs2_rgrp_dump() to prevent that.(CVE-2023-52448)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmtd: Fix gluebi NULL pointer dereference caused by ftl notifier\r\n\r\nIf both ftl.ko and gluebi.ko are loaded, the notifier of ftl\ntriggers NULL pointer dereference when trying to access\n‘gluebi->desc’ in gluebi_read().\r\n\r\nubi_gluebi_init\n  ubi_register_volume_notifier\n    ubi_enumerate_volumes\n      ubi_notify_all\n        gluebi_notify    nb->notifier_call()\n          gluebi_create\n            mtd_device_register\n              mtd_device_parse_register\n                add_mtd_device\n                  blktrans_notify_add   not->add()\n                    ftl_add_mtd         tr->add_mtd()\n                      scan_header\n                        mtd_read\n                          mtd_read_oob\n                            mtd_read_oob_std\n                              gluebi_read   mtd->read()\n                                gluebi->desc - NULL\r\n\r\nDetailed reproduction information available at the Link [1],\r\n\r\nIn the normal case, obtain gluebi->desc in the gluebi_get_device(),\nand access gluebi->desc in the gluebi_read(). However,\ngluebi_get_device() is not executed in advance in the\nftl_add_mtd() process, which leads to NULL pointer dereference.\r\n\r\nThe solution for the gluebi module is to run jffs2 on the UBI\nvolume without considering working with ftl or mtdblock [2].\nTherefore, this problem can be avoided by preventing gluebi from\ncreating the mtdblock device after creating mtd partition of the\ntype MTD_UBIVOLUME.(CVE-2023-52449)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Fix accesses to uninit stack slots\r\n\r\nPrivileged programs are supposed to be able to read uninitialized stack\nmemory (ever since 6715df8d5) but, before this patch, these accesses\nwere permitted inconsistently. In particular, accesses were permitted\nabove state->allocated_stack, but not below it. In other words, if the\nstack was already \"large enough\", the access was permitted, but\notherwise the access was rejected instead of being allowed to \"grow the\nstack\". This undesired rejection was happening in two places:\n- in check_stack_slot_within_bounds()\n- in check_stack_range_initialized()\nThis patch arranges for these accesses to be permitted. A bunch of tests\nthat were relying on the old rejection had to change; all of them were\nchanged to add also run unprivileged, in which case the old behavior\npersists. One tests couldn't be updated - global_func16 - because it\ncan't run unprivileged for other reasons.\r\n\r\nThis patch also fixes the tracking of the stack size for variable-offset\nreads. This second fix is bundled in the same commit as the first one\nbecause they're inter-related. Before this patch, writes to the stack\nusing registers containing a variable offset (as opposed to registers\nwith fixed, known values) were not properly contributing to the\nfunction's needed stack size. As a result, it was possible for a program\nto verify, but then to attempt to read out-of-bounds data at runtime\nbecause a too small stack had been allocated for it.\r\n\r\nEach function tracks the size of the stack it needs in\nbpf_subprog_info.stack_depth, which is maintained by\nupdate_stack_depth(). For regular memory accesses, check_mem_access()\nwas calling update_state_depth() but it was passing in only the fixed\npart of the offset register, ignoring the variable offset. This was\nincorrect; the minimum possible value of that register should be used\ninstead.\r\n\r\nThis tracking is now fixed by centralizing the tracking of stack size in\ngrow_stack_state(), and by lifting the calls to grow_stack_state() to\ncheck_stack_access_within_bounds() as suggested by Andrii. The code is\nnow simpler and more convincingly tracks the correct maximum stack size.\ncheck_stack_range_initialized() can now rely on enough stack having been\nallocated for the access; this helps with the fix for the first issue.\r\n\r\nA few tests were changed to also check the stack depth computation. The\none that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.(CVE-2023-52452)",
+    "cves": [
+      {
+        "id": "CVE-2023-52452",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52452",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1206": {
+    "id": "openEuler-SA-2024-1206",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1206",
+    "title": "An update for rust is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Rust is a systems programming language focused on three goals:safety, speed,and concurrency.It maintains these goals without having a garbage collector, making it a useful language for a number of use cases other languages are not good at: embedding in other languages, programs with specific space and time requirements,and writing low-level code, like device drivers and operating systems. It improves on current languages targeting this space by having a number of compile-time safety checks that produce no runtime overhead,while eliminating all data races.\r\n\r\nSecurity Fix(es):\r\n\r\nlibgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2.(CVE-2024-24577)",
+    "cves": [
+      {
+        "id": "CVE-2024-24577",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24577",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1616": {
+    "id": "openEuler-SA-2024-1616",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1616",
+    "title": "An update for fdupes is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "FDUPES is a program for identifying duplicate files residing within specified directories.\r\n\r\nSecurity Fix(es):\r\n\r\nIn deletefiles in FDUPES before 2.2.0, a TOCTOU race condition allows arbitrary file deletion via a symlink.(CVE-2022-48682)",
+    "cves": [
+      {
+        "id": "CVE-2022-48682",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48682",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1157": {
+    "id": "openEuler-SA-2024-1157",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1157",
+    "title": "An update for zbar is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "ZBar is an open source software suite for reading bar codes from various sources, such as video streams, image files and raw intensity sensors. It supports many popular symbologies (types of bar codes) including EAN-13/UPC-A, UPC-E, EAN-8, Code 128, Code 39, Interleaved 2 of 5 and QR Code.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap-based buffer overflow exists in the qr_reader_match_centers function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner.(CVE-2023-40889)\r\n\r\nA stack-based buffer overflow vulnerability exists in the lookup_sequence function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner.(CVE-2023-40890)",
+    "cves": [
+      {
+        "id": "CVE-2023-40890",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40890",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1659": {
+    "id": "openEuler-SA-2024-1659",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1659",
+    "title": "An update for python-tqdm is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "tqdm derives from the Arabic word taqaddum which can mean \"progress\". Instantly  make your loops show a smart progress meter - just wrap any iterable with  tqdm(interable), and you are done!\r\n\r\nSecurity Fix(es):\r\n\r\ntqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2024-34062)",
+    "cves": [
+      {
+        "id": "CVE-2024-34062",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34062",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1911": {
+    "id": "openEuler-SA-2023-1911",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1911",
+    "title": "An update for python-twisted is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Twisted is an event-based framework for internet applications, supporting Python 2.7 and Python 3.5+. It includes modules for many different purposes, including the following:\r\n\r\nSecurity Fix(es):\r\n\r\nTwisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.(CVE-2022-39348)",
+    "cves": [
+      {
+        "id": "CVE-2022-39348",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39348",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1035": {
+    "id": "openEuler-SA-2021-1035",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1035",
+    "title": "An update for gstreamer1-plugins-bad-free is now available for openEuler-20.03-LTS",
+    "severity": "Critical",
+    "description": "GStreamer is a pipeline-based multi media framework that links together a wide variety of media processing systems to complete complex workflows, based on graphs of filters which operate on media data. This package contains plug-ins that are not tested well enough yet, or the code is not of good enough quality.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nA flaw was found in the gstreamer h264 component of gst-plugins-bad before v1.18.1 where when parsing a h264 header, an attacker could cause the stack to be smashed, memory corruption and possibly code execution.(CVE-2021-3185)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2021-3185",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3185",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1392": {
+    "id": "openEuler-SA-2021-1392",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1392",
+    "title": "An update for sane-backends is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "SANE (Scanner Access Now Easy) is a sane and simple interface to both local and networked scanners and other image acquisition devices like digital still and video cameras.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds read in SANE Backends before 1.0.30 may allow a malicious device connected to the same local network as the victim to read important information, such as the ASLR offsets of the program, aka GHSL-2020-083.(CVE-2020-12863)",
+    "cves": [
+      {
+        "id": "CVE-2020-12863",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12863",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1504": {
+    "id": "openEuler-SA-2022-1504",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1504",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA data leak flaw was found in the way XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for size increase of files with unaligned size. A local attacker could use this flaw to leak data on the XFS filesystem otherwise not accessible to them.(CVE-2021-4155)\n\nIn the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information leak because of certain use of a hash table which, although big, doesn t properly consider that IPv6-based attackers can typically choose among many IPv6 source addresses.(CVE-2021-45485)\n\nIn the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak because the hash table is very small.(CVE-2021-45486)",
+    "cves": [
+      {
+        "id": "CVE-2021-45486",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45486",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1835": {
+    "id": "openEuler-SA-2022-1835",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1835",
+    "title": "An update for postgresql-jdbc is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. Is an open source JDBC driver written in Pure Java (Type 4), and communicates in the PostgreSQL native network protocol.\r\n\r\nSecurity Fix(es):\r\n\r\nPostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds for this issue.(CVE-2022-31197)",
+    "cves": [
+      {
+        "id": "CVE-2022-31197",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31197",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1328": {
+    "id": "openEuler-SA-2024-1328",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1328",
+    "title": "An update for python-yaql is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "YAQL (Yet Another Query Language) is an embeddable and extensible query language, that allows performing complex queries against arbitrary objects. It has a vast and comprehensive standard library of frequently used querying functions and can be extend even further with user-specified functions. YAQL is written in python and is distributed via PyPI.\r\n\r\nSecurity Fix(es):\r\n\r\nIn OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information.(CVE-2024-29156)",
+    "cves": [
+      {
+        "id": "CVE-2024-29156",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29156",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1739": {
+    "id": "openEuler-SA-2022-1739",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1739",
+    "title": "An update for docker is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Docker is an open source project to build, ship and run any application as a lightweight container.\r\n\r\nSecurity Fix(es):\r\n\r\nMoby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade limit access to the host to trusted users. Limit access to host volumes to trusted containers.(CVE-2021-41091)\r\n\r\nMoby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted.(CVE-2021-41089)\r\n\r\nDocker CLI is the command line interface for the docker container runtime. A bug was found in the Docker CLI where running `docker login my-private-registry.example.com` with a misconfigured configuration file (typically `~/.docker/config.json`) listing a `credsStore` or `credHelpers` that could not be executed would result in any provided credentials being sent to `registry-1.docker.io` rather than the intended private registry. This bug has been fixed in Docker CLI 20.10.9. Users should update to this version as soon as possible. For users unable to update ensure that any configured credsStore or credHelpers entries in the configuration file reference an installed credential helper that is executable and on the PATH.(CVE-2021-41092)",
+    "cves": [
+      {
+        "id": "CVE-2021-41092",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41092",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1183": {
+    "id": "openEuler-SA-2023-1183",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1183",
+    "title": "An update for poppler is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "is a PDF rendering library.\r\n\r\nSecurity Fix(es):\r\n\r\nA logic error in the Hints::Hints function of Poppler v22.03.0 allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.(CVE-2022-27337)",
+    "cves": [
+      {
+        "id": "CVE-2022-27337",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27337",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1835": {
+    "id": "openEuler-SA-2024-1835",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1835",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: fix various gadgets null ptr deref on 10gbps cabling.\r\n\r\nThis avoids a null pointer dereference in\nf_{ecm,eem,hid,loopback,printer,rndis,serial,sourcesink,subset,tcm}\nby simply reusing the 5gbps config for 10gbps.(CVE-2021-47270)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nseg6: fix the iif in the IPv6 socket control block\r\n\r\nWhen an IPv4 packet is received, the ip_rcv_core(...) sets the receiving\ninterface index into the IPv4 socket control block (v5.16-rc4,\nnet/ipv4/ip_input.c line 510):\r\n\r\n    IPCB(skb)->iif = skb->skb_iif;\r\n\r\nIf that IPv4 packet is meant to be encapsulated in an outer IPv6+SRH\nheader, the seg6_do_srh_encap(...) performs the required encapsulation.\nIn this case, the seg6_do_srh_encap function clears the IPv6 socket control\nblock (v5.16-rc4 net/ipv6/seg6_iptunnel.c line 163):\r\n\r\n    memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));\r\n\r\nThe memset(...) was introduced in commit ef489749aae5 (\"ipv6: sr: clear\nIP6CB(skb) on SRH ip4ip6 encapsulation\") a long time ago (2019-01-29).\r\n\r\nSince the IPv6 socket control block and the IPv4 socket control block share\nthe same memory area (skb->cb), the receiving interface index info is lost\n(IP6CB(skb)->iif is set to zero).\r\n\r\nAs a side effect, that condition triggers a NULL pointer dereference if\ncommit 0857d6f8c759 (\"ipv6: When forwarding count rx stats on the orig\nnetdev\") is applied.\r\n\r\nTo fix that issue, we set the IP6CB(skb)->iif with the index of the\nreceiving interface once again.(CVE-2021-47515)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: mxl111sf: change mutex_init() location\r\n\r\nSyzbot reported, that mxl111sf_ctrl_msg() uses uninitialized\nmutex. The problem was in wrong mutex_init() location.\r\n\r\nPrevious mutex_init(&state->msg_lock) call was in ->init() function, but\ndvb_usbv2_init() has this order of calls:\r\n\r\n\tdvb_usbv2_init()\n\t  dvb_usbv2_adapter_init()\n\t    dvb_usbv2_adapter_frontend_init()\n\t      props->frontend_attach()\r\n\r\n\t  props->init()\r\n\r\nSince mxl111sf_* devices call mxl111sf_ctrl_msg() in ->frontend_attach()\ninternally we need to initialize state->msg_lock before\nfrontend_attach(). To achieve it, ->probe() call added to all mxl111sf_*\ndevices, which will simply initiaize mutex.(CVE-2021-47583)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmac80211: validate extended element ID is present\r\n\r\nBefore attempting to parse an extended element, verify that\nthe extended element ID is present.(CVE-2021-47611)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni40e: Fix queues reservation for XDP\r\n\r\nWhen XDP was configured on a system with large number of CPUs\nand X722 NIC there was a call trace with NULL pointer dereference.\r\n\r\ni40e 0000:87:00.0: failed to get tracking for 256 queues for VSI 0 err -12\ni40e 0000:87:00.0: setup of MAIN VSI failed\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nRIP: 0010:i40e_xdp+0xea/0x1b0 [i40e]\nCall Trace:\n? i40e_reconfig_rss_queues+0x130/0x130 [i40e]\ndev_xdp_install+0x61/0xe0\ndev_xdp_attach+0x18a/0x4c0\ndev_change_xdp_fd+0x1e6/0x220\ndo_setlink+0x616/0x1030\n? ahci_port_stop+0x80/0x80\n? ata_qc_issue+0x107/0x1e0\n? lock_timer_base+0x61/0x80\n? __mod_timer+0x202/0x380\nrtnl_setlink+0xe5/0x170\n? bpf_lsm_binder_transaction+0x10/0x10\n? security_capable+0x36/0x50\nrtnetlink_rcv_msg+0x121/0x350\n? rtnl_calcit.isra.0+0x100/0x100\nnetlink_rcv_skb+0x50/0xf0\nnetlink_unicast+0x1d3/0x2a0\nnetlink_sendmsg+0x22a/0x440\nsock_sendmsg+0x5e/0x60\n__sys_sendto+0xf0/0x160\n? __sys_getsockname+0x7e/0xc0\n? _copy_from_user+0x3c/0x80\n? __sys_setsockopt+0xc8/0x1a0\n__x64_sys_sendto+0x20/0x30\ndo_syscall_64+0x33/0x40\nentry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f83fa7a39e0\r\n\r\nThis was caused by PF queue pile fragmentation due to\nflow director VSI queue being placed right after main VSI.\nBecause of this main VSI was not able to resize its\nqueue allocation for XDP resulting in no queues allocated\nfor main VSI when XDP was turned on.\r\n\r\nFix this by always allocating last queue in PF queue pile\nfor a flow director VSI.(CVE-2021-47619)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nASoC: max9759: fix underflow in speaker_gain_control_put()\r\n\r\nCheck for negative values of \"priv->gain\" to prevent an out of bounds\naccess.  The concern is that these might come from the user via:\n  -> snd_ctl_elem_write_user()\n    -> snd_ctl_elem_write()\n      -> kctl->put()(CVE-2022-48717)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: ieee802154: ca8210: Stop leaking skb's\r\n\r\nUpon error the ieee802154_xmit_complete() helper is not called. Only\nieee802154_wake_queue() is called manually. We then leak the skb\nstructure.\r\n\r\nFree the skb structure upon error before returning.(CVE-2022-48722)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2022-48736)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nASoC: ops: Reject out of bounds values in snd_soc_put_volsw()\r\n\r\nWe don't currently validate that the values being set are within the range\nwe advertised to userspace as being valid, do so and reject any values\nthat are out of range.(CVE-2022-48738)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: amd-xgbe: Fix skb data length underflow\r\n\r\nThere will be BUG_ON() triggered in include/linux/skbuff.h leading to\nintermittent kernel panic, when the skb length underflow is detected.\r\n\r\nFix this by dropping the packet if such length underflows are seen\nbecause of inconsistencies in the hardware descriptors.(CVE-2022-48743)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5e: Avoid field-overflowing memcpy()\r\n\r\nIn preparation for FORTIFY_SOURCE performing compile-time and run-time\nfield bounds checking for memcpy(), memmove(), and memset(), avoid\nintentionally writing across neighboring fields.\r\n\r\nUse flexible arrays instead of zero-element arrays (which look like they\nare always overflowing) and split the cross-field memcpy() into two halves\nthat can be appropriately bounds-checked by the compiler.\r\n\r\nWe were doing:\r\n\r\n\t#define ETH_HLEN  14\n\t#define VLAN_HLEN  4\n\t...\n\t#define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN)\n\t...\n        struct mlx5e_tx_wqe      *wqe  = mlx5_wq_cyc_get_wqe(wq, pi);\n\t...\n        struct mlx5_wqe_eth_seg  *eseg = &wqe->eth;\n        struct mlx5_wqe_data_seg *dseg = wqe->data;\n\t...\n\tmemcpy(eseg->inline_hdr.start, xdptxd->data, MLX5E_XDP_MIN_INLINE);\r\n\r\ntarget is wqe->eth.inline_hdr.start (which the compiler sees as being\n2 bytes in size), but copying 18, intending to write across start\n(really vlan_tci, 2 bytes). The remaining 16 bytes get written into\nwqe->data[0], covering byte_count (4 bytes), lkey (4 bytes), and addr\n(8 bytes).\r\n\r\nstruct mlx5e_tx_wqe {\n        struct mlx5_wqe_ctrl_seg   ctrl;                 /*     0    16 */\n        struct mlx5_wqe_eth_seg    eth;                  /*    16    16 */\n        struct mlx5_wqe_data_seg   data[];               /*    32     0 */\r\n\r\n        /* size: 32, cachelines: 1, members: 3 */\n        /* last cacheline: 32 bytes */\n};\r\n\r\nstruct mlx5_wqe_eth_seg {\n        u8                         swp_outer_l4_offset;  /*     0     1 */\n        u8                         swp_outer_l3_offset;  /*     1     1 */\n        u8                         swp_inner_l4_offset;  /*     2     1 */\n        u8                         swp_inner_l3_offset;  /*     3     1 */\n        u8                         cs_flags;             /*     4     1 */\n        u8                         swp_flags;            /*     5     1 */\n        __be16                     mss;                  /*     6     2 */\n        __be32                     flow_table_metadata;  /*     8     4 */\n        union {\n                struct {\n                        __be16     sz;                   /*    12     2 */\n                        u8         start[2];             /*    14     2 */\n                } inline_hdr;                            /*    12     4 */\n                struct {\n                        __be16     type;                 /*    12     2 */\n                        __be16     vlan_tci;             /*    14     2 */\n                } insert;                                /*    12     4 */\n                __be32             trailer;              /*    12     4 */\n        };                                               /*    12     4 */\r\n\r\n        /* size: 16, cachelines: 1, members: 9 */\n        /* last cacheline: 16 bytes */\n};\r\n\r\nstruct mlx5_wqe_data_seg {\n        __be32                     byte_count;           /*     0     4 */\n        __be32                     lkey;                 /*     4     4 */\n        __be64                     addr;                 /*     8     8 */\r\n\r\n        /* size: 16, cachelines: 1, members: 3 */\n        /* last cacheline: 16 bytes */\n};\r\n\r\nSo, split the memcpy() so the compiler can reason about the buffer\nsizes.\r\n\r\n\"pahole\" shows no size nor member offset changes to struct mlx5e_tx_wqe\nnor struct mlx5e_umr_wqe. \"objdump -d\" shows no meaningful object\ncode changes (i.e. only source line number induced differences and\noptimizations).(CVE-2022-48744)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put()\r\n\r\nThe bnx2fc_destroy() functions are removing the interface before calling\ndestroy_work. This results multiple WARNings from sysfs_remove_group() as\nthe controller rport device attributes are removed too early.\r\n\r\nReplace the fcoe_port's destroy_work queue. It's not needed.\r\n\r\nThe problem is easily reproducible with the following steps.\r\n\r\nExample:\r\n\r\n  $ dmesg -w &\n  $ systemctl enable --now fcoe\n  $ fipvlan -s -c ens2f1\n  $ fcoeadm -d ens2f1.802\n  [  583.464488] host2: libfc: Link down on port (7500a1)\n  [  583.472651] bnx2fc: 7500a1 - rport not created Yet!!\n  [  583.490468] ------------[ cut here ]------------\n  [  583.538725] sysfs group 'power' not found for kobject 'rport-2:0-0'\n  [  583.568814] WARNING: CPU: 3 PID: 192 at fs/sysfs/group.c:279 sysfs_remove_group+0x6f/0x80\n  [  583.607130] Modules linked in: dm_service_time 8021q garp mrp stp llc bnx2fc cnic uio rpcsec_gss_krb5 auth_rpcgss nfsv4 ...\n  [  583.942994] CPU: 3 PID: 192 Comm: kworker/3:2 Kdump: loaded Not tainted 5.14.0-39.el9.x86_64 #1\n  [  583.984105] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013\n  [  584.016535] Workqueue: fc_wq_2 fc_rport_final_delete [scsi_transport_fc]\n  [  584.050691] RIP: 0010:sysfs_remove_group+0x6f/0x80\n  [  584.074725] Code: ff 5b 48 89 ef 5d 41 5c e9 ee c0 ff ff 48 89 ef e8 f6 b8 ff ff eb d1 49 8b 14 24 48 8b 33 48 c7 c7 ...\n  [  584.162586] RSP: 0018:ffffb567c15afdc0 EFLAGS: 00010282\n  [  584.188225] RAX: 0000000000000000 RBX: ffffffff8eec4220 RCX: 0000000000000000\n  [  584.221053] RDX: ffff8c1586ce84c0 RSI: ffff8c1586cd7cc0 RDI: ffff8c1586cd7cc0\n  [  584.255089] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb567c15afc00\n  [  584.287954] R10: ffffb567c15afbf8 R11: ffffffff8fbe7f28 R12: ffff8c1486326400\n  [  584.322356] R13: ffff8c1486326480 R14: ffff8c1483a4a000 R15: 0000000000000004\n  [  584.355379] FS:  0000000000000000(0000) GS:ffff8c1586cc0000(0000) knlGS:0000000000000000\n  [  584.394419] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [  584.421123] CR2: 00007fe95a6f7840 CR3: 0000000107674002 CR4: 00000000000606e0\n  [  584.454888] Call Trace:\n  [  584.466108]  device_del+0xb2/0x3e0\n  [  584.481701]  device_unregister+0x13/0x60\n  [  584.501306]  bsg_unregister_queue+0x5b/0x80\n  [  584.522029]  bsg_remove_queue+0x1c/0x40\n  [  584.541884]  fc_rport_final_delete+0xf3/0x1d0 [scsi_transport_fc]\n  [  584.573823]  process_one_work+0x1e3/0x3b0\n  [  584.592396]  worker_thread+0x50/0x3b0\n  [  584.609256]  ? rescuer_thread+0x370/0x370\n  [  584.628877]  kthread+0x149/0x170\n  [  584.643673]  ? set_kthread_struct+0x40/0x40\n  [  584.662909]  ret_from_fork+0x22/0x30\n  [  584.680002] ---[ end trace 53575ecefa942ece ]---(CVE-2022-48758)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: lgdt3306a: Add a check against null-pointer-def\r\n\r\nThe driver should check whether the client provides the platform_data.\r\n\r\nThe following log reveals it:\r\n\r\n[   29.610324] BUG: KASAN: null-ptr-deref in kmemdup+0x30/0x40\n[   29.610730] Read of size 40 at addr 0000000000000000 by task bash/414\n[   29.612820] Call Trace:\n[   29.613030]  <TASK>\n[   29.613201]  dump_stack_lvl+0x56/0x6f\n[   29.613496]  ? kmemdup+0x30/0x40\n[   29.613754]  print_report.cold+0x494/0x6b7\n[   29.614082]  ? kmemdup+0x30/0x40\n[   29.614340]  kasan_report+0x8a/0x190\n[   29.614628]  ? kmemdup+0x30/0x40\n[   29.614888]  kasan_check_range+0x14d/0x1d0\n[   29.615213]  memcpy+0x20/0x60\n[   29.615454]  kmemdup+0x30/0x40\n[   29.615700]  lgdt3306a_probe+0x52/0x310\n[   29.616339]  i2c_device_probe+0x951/0xa90(CVE-2022-48772)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmmc: sdio: fix possible resource leaks in some error paths\r\n\r\nIf sdio_add_func() or sdio_init_func() fails, sdio_remove_func() can\nnot release the resources, because the sdio function is not presented\nin these two cases, it won't call of_node_put() or put_device().\r\n\r\nTo fix these leaks, make sdio_func_present() only control whether\ndevice_del() needs to be called or not, then always call of_node_put()\nand put_device().\r\n\r\nIn error case in sdio_init_func(), the reference of 'card->dev' is\nnot get, to avoid redundant put in sdio_free_func_cis(), move the\nget_device() to sdio_alloc_func() and put_device() to sdio_release_func(),\nit can keep the get/put function be balanced.\r\n\r\nWithout this patch, while doing fault inject test, it can get the\nfollowing leak reports, after this fix, the leak is gone.\r\n\r\nunreferenced object 0xffff888112514000 (size 2048):\n  comm \"kworker/3:2\", pid 65, jiffies 4294741614 (age 124.774s)\n  hex dump (first 32 bytes):\n    00 e0 6f 12 81 88 ff ff 60 58 8d 06 81 88 ff ff  ..o.....`X......\n    10 40 51 12 81 88 ff ff 10 40 51 12 81 88 ff ff  .@Q......@Q.....\n  backtrace:\n    [<000000009e5931da>] kmalloc_trace+0x21/0x110\n    [<000000002f839ccb>] mmc_alloc_card+0x38/0xb0 [mmc_core]\n    [<0000000004adcbf6>] mmc_sdio_init_card+0xde/0x170 [mmc_core]\n    [<000000007538fea0>] mmc_attach_sdio+0xcb/0x1b0 [mmc_core]\n    [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core]\r\n\r\nunreferenced object 0xffff888112511000 (size 2048):\n  comm \"kworker/3:2\", pid 65, jiffies 4294741623 (age 124.766s)\n  hex dump (first 32 bytes):\n    00 40 51 12 81 88 ff ff e0 58 8d 06 81 88 ff ff  .@Q......X......\n    10 10 51 12 81 88 ff ff 10 10 51 12 81 88 ff ff  ..Q.......Q.....\n  backtrace:\n    [<000000009e5931da>] kmalloc_trace+0x21/0x110\n    [<00000000fcbe706c>] sdio_alloc_func+0x35/0x100 [mmc_core]\n    [<00000000c68f4b50>] mmc_attach_sdio.cold.18+0xb1/0x395 [mmc_core]\n    [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core](CVE-2023-52730)\r\n\r\nIn the Linux kernel through 6.7.1, there is a use-after-free in cec_queue_msg_fh, related to drivers/media/cec/core/cec-adap.c and drivers/media/cec/core/cec-api.c.(CVE-2024-23848)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngenirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline\r\n\r\nThe absence of IRQD_MOVE_PCNTXT prevents immediate effectiveness of\ninterrupt affinity reconfiguration via procfs. Instead, the change is\ndeferred until the next instance of the interrupt being triggered on the\noriginal CPU.\r\n\r\nWhen the interrupt next triggers on the original CPU, the new affinity is\nenforced within __irq_move_irq(). A vector is allocated from the new CPU,\nbut the old vector on the original CPU remains and is not immediately\nreclaimed. Instead, apicd->move_in_progress is flagged, and the reclaiming\nprocess is delayed until the next trigger of the interrupt on the new CPU.\r\n\r\nUpon the subsequent triggering of the interrupt on the new CPU,\nirq_complete_move() adds a task to the old CPU's vector_cleanup list if it\nremains online. Subsequently, the timer on the old CPU iterates over its\nvector_cleanup list, reclaiming old vectors.\r\n\r\nHowever, a rare scenario arises if the old CPU is outgoing before the\ninterrupt triggers again on the new CPU.\r\n\r\nIn that case irq_force_complete_move() is not invoked on the outgoing CPU\nto reclaim the old apicd->prev_vector because the interrupt isn't currently\naffine to the outgoing CPU, and irq_needs_fixup() returns false. Even\nthough __vector_schedule_cleanup() is later called on the new CPU, it\ndoesn't reclaim apicd->prev_vector; instead, it simply resets both\napicd->move_in_progress and apicd->prev_vector to 0.\r\n\r\nAs a result, the vector remains unreclaimed in vector_matrix, leading to a\nCPU vector leak.\r\n\r\nTo address this issue, move the invocation of irq_force_complete_move()\nbefore the irq_needs_fixup() call to reclaim apicd->prev_vector, if the\ninterrupt is currently or used to be affine to the outgoing CPU.\r\n\r\nAdditionally, reclaim the vector in __vector_schedule_cleanup() as well,\nfollowing a warning message, although theoretically it should never see\napicd->move_in_progress with apicd->prev_cpu pointing to an offline CPU.(CVE-2024-31076)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: act_skbmod: prevent kernel-infoleak\r\n\r\nsyzbot found that tcf_skbmod_dump() was copying four bytes\nfrom kernel stack to user space [1].\r\n\r\nThe issue here is that 'struct tc_skbmod' has a four bytes hole.\r\n\r\nWe need to clear the structure before filling fields.\r\n\r\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n  instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n  copy_to_user_iter lib/iov_iter.c:24 [inline]\n  iterate_ubuf include/linux/iov_iter.h:29 [inline]\n  iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n  iterate_and_advance include/linux/iov_iter.h:271 [inline]\n  _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n  copy_to_iter include/linux/uio.h:196 [inline]\n  simple_copy_to_iter net/core/datagram.c:532 [inline]\n  __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420\n  skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n  skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]\n  netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962\n  sock_recvmsg_nosec net/socket.c:1046 [inline]\n  sock_recvmsg+0x2c4/0x340 net/socket.c:1068\n  __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242\n  __do_sys_recvfrom net/socket.c:2260 [inline]\n  __se_sys_recvfrom net/socket.c:2256 [inline]\n  __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nUninit was stored to memory at:\n  pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253\n  netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317\n  netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351\n  nlmsg_unicast include/net/netlink.h:1144 [inline]\n  nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610\n  rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741\n  rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]\n  tcf_add_notify net/sched/act_api.c:2048 [inline]\n  tcf_action_add net/sched/act_api.c:2071 [inline]\n  tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119\n  rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n  netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559\n  rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613\n  netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n  netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361\n  netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:745\n  ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\n  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n  __sys_sendmsg net/socket.c:2667 [inline]\n  __do_sys_sendmsg net/socket.c:2676 [inline]\n  __se_sys_sendmsg net/socket.c:2674 [inline]\n  __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nUninit was stored to memory at:\n  __nla_put lib/nlattr.c:1041 [inline]\n  nla_put+0x1c6/0x230 lib/nlattr.c:1099\n  tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256\n  tcf_action_dump_old net/sched/act_api.c:1191 [inline]\n  tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227\n  tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251\n  tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628\n  tcf_add_notify_msg net/sched/act_api.c:2023 [inline]\n  tcf_add_notify net/sched/act_api.c:2042 [inline]\n  tcf_action_add net/sched/act_api.c:2071 [inline]\n  tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119\n  rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n  netlink_rcv_skb+0x375/0x650 net/netlink/af_netli\n---truncated---(CVE-2024-35893)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet\r\n\r\nsyzbot reported the following uninit-value access issue [1][2]:\r\n\r\nnci_rx_work() parses and processes received packet. When the payload\nlength is zero, each message type handler reads uninitialized payload\nand KMSAN detects this issue. The receipt of a packet with a zero-size\npayload is considered unexpected, and therefore, such packets should be\nsilently discarded.\r\n\r\nThis patch resolved this issue by checking payload size before calling\neach message type handler codes.(CVE-2024-35915)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/arm/malidp: fix a possible null pointer dereference\r\n\r\nIn malidp_mw_connector_reset, new memory is allocated with kzalloc, but\nno check is performed. In order to prevent null pointer dereferencing,\nensure that mw_state is checked before calling\n__drm_atomic_helper_connector_reset.(CVE-2024-36014)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\namd/amdkfd: sync all devices to wait all processes being evicted\r\n\r\nIf there are more than one device doing reset in parallel, the first\ndevice will call kfd_suspend_all_processes() to evict all processes\non all devices, this call takes time to finish. other device will\nstart reset and recover without waiting. if the process has not been\nevicted before doing recover, it will be restored, then caused page\nfault.(CVE-2024-36949)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: Fix shift-out-of-bounds in dctcp_update_alpha().\r\n\r\nIn dctcp_update_alpha(), we use a module parameter dctcp_shift_g\nas follows:\r\n\r\n  alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g);\n  ...\n  delivered_ce <<= (10 - dctcp_shift_g);\r\n\r\nIt seems syzkaller started fuzzing module parameters and triggered\nshift-out-of-bounds [0] by setting 100 to dctcp_shift_g:\r\n\r\n  memcpy((void*)0x20000080,\n         \"/sys/module/tcp_dctcp/parameters/dctcp_shift_g\\000\", 47);\n  res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul,\n                /*flags=*/2ul, /*mode=*/0ul);\n  memcpy((void*)0x20000000, \"100\\000\", 4);\n  syscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000000ul, /*len=*/4ul);\r\n\r\nLet's limit the max value of dctcp_shift_g by param_set_uint_minmax().\r\n\r\nWith this patch:\r\n\r\n  # echo 10 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n  # cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n  10\n  # echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n  -bash: echo: write error: Invalid argument\r\n\r\n[0]:\nUBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12\nshift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int')\nCPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468\n dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143\n tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline]\n tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948\n tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711\n tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937\n sk_backlog_rcv include/net/sock.h:1106 [inline]\n __release_sock+0x20f/0x350 net/core/sock.c:2983\n release_sock+0x61/0x1f0 net/core/sock.c:3549\n mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907\n mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976\n __mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072\n mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127\n inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437\n __sock_release net/socket.c:659 [inline]\n sock_close+0xc0/0x240 net/socket.c:1421\n __fput+0x41b/0x890 fs/file_table.c:422\n task_work_run+0x23b/0x300 kernel/task_work.c:180\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0x9c8/0x2540 kernel/exit.c:878\n do_group_exit+0x201/0x2b0 kernel/exit.c:1027\n __do_sys_exit_group kernel/exit.c:1038 [inline]\n __se_sys_exit_group kernel/exit.c:1036 [inline]\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\nRIP: 0033:0x7f6c2b5005b6\nCode: Unable to access opcode bytes at 0x7f6c2b50058c.\nRSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6\nRDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001\nRBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0\nR10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0\nR13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n </TASK>(CVE-2024-37356)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm: vc4: Fix possible null pointer dereference\r\n\r\nIn vc4_hdmi_audio_init() of_get_address() may return\nNULL which is later dereferenced. Fix this bug by adding NULL check.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-38546)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: fec: remove .ndo_poll_controller to avoid deadlocks\r\n\r\nThere is a deadlock issue found in sungem driver, please refer to the\ncommit ac0a230f719b (\"eth: sungem: remove .ndo_poll_controller to avoid\ndeadlocks\"). The root cause of the issue is that netpoll is in atomic\ncontext and disable_irq() is called by .ndo_poll_controller interface\nof sungem driver, however, disable_irq() might sleep. After analyzing\nthe implementation of fec_poll_controller(), the fec driver should have\nthe same issue. Due to the fec driver uses NAPI for TX completions, the\n.ndo_poll_controller is unnecessary to be implemented in the fec driver,\nso fec_poll_controller() can be safely removed.(CVE-2024-38553)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nax25: Fix reference count leak issue of net_device\r\n\r\nThere is a reference count leak issue of the object \"net_device\" in\nax25_dev_device_down(). When the ax25 device is shutting down, the\nax25_dev_device_down() drops the reference count of net_device one\nor zero times depending on if we goto unlock_put or not, which will\ncause memory leak.\r\n\r\nIn order to solve the above issue, decrease the reference count of\nnet_device after dev->ax25_ptr is set to null.(CVE-2024-38554)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: qedf: Ensure the copied buf is NUL terminated\r\n\r\nCurrently, we allocate a count-sized kernel buffer and copy count from\nuserspace to that buffer. Later, we use kstrtouint on this buffer but we\ndon't ensure that the string is terminated inside the buffer, this can\nlead to OOB read when using kstrtouint. Fix this issue by using\nmemdup_user_nul instead of memdup_user.(CVE-2024-38559)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\necryptfs: Fix buffer size for tag 66 packet\r\n\r\nThe 'TAG 66 Packet Format' description is missing the cipher code and\nchecksum fields that are packed into the message packet. As a result,\nthe buffer allocated for the packet is 3 bytes too small and\nwrite_tag_66_packet() will write up to 3 bytes past the end of the\nbuffer.\r\n\r\nFix this by increasing the size of the allocation so the whole packet\nwill always fit in the buffer.\r\n\r\nThis fixes the below kasan slab-out-of-bounds bug:\r\n\r\n  BUG: KASAN: slab-out-of-bounds in ecryptfs_generate_key_packet_set+0x7d6/0xde0\n  Write of size 1 at addr ffff88800afbb2a5 by task touch/181\r\n\r\n  CPU: 0 PID: 181 Comm: touch Not tainted 6.6.13-gnu #1 4c9534092be820851bb687b82d1f92a426598dc6\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2/GNU Guix 04/01/2014\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x4c/0x70\n   print_report+0xc5/0x610\n   ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\n   ? kasan_complete_mode_report_info+0x44/0x210\n   ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\n   kasan_report+0xc2/0x110\n   ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\n   __asan_store1+0x62/0x80\n   ecryptfs_generate_key_packet_set+0x7d6/0xde0\n   ? __pfx_ecryptfs_generate_key_packet_set+0x10/0x10\n   ? __alloc_pages+0x2e2/0x540\n   ? __pfx_ovl_open+0x10/0x10 [overlay 30837f11141636a8e1793533a02e6e2e885dad1d]\n   ? dentry_open+0x8f/0xd0\n   ecryptfs_write_metadata+0x30a/0x550\n   ? __pfx_ecryptfs_write_metadata+0x10/0x10\n   ? ecryptfs_get_lower_file+0x6b/0x190\n   ecryptfs_initialize_file+0x77/0x150\n   ecryptfs_create+0x1c2/0x2f0\n   path_openat+0x17cf/0x1ba0\n   ? __pfx_path_openat+0x10/0x10\n   do_filp_open+0x15e/0x290\n   ? __pfx_do_filp_open+0x10/0x10\n   ? __kasan_check_write+0x18/0x30\n   ? _raw_spin_lock+0x86/0xf0\n   ? __pfx__raw_spin_lock+0x10/0x10\n   ? __kasan_check_write+0x18/0x30\n   ? alloc_fd+0xf4/0x330\n   do_sys_openat2+0x122/0x160\n   ? __pfx_do_sys_openat2+0x10/0x10\n   __x64_sys_openat+0xef/0x170\n   ? __pfx___x64_sys_openat+0x10/0x10\n   do_syscall_64+0x60/0xd0\n   entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n  RIP: 0033:0x7f00a703fd67\n  Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f\n  RSP: 002b:00007ffc088e30b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101\n  RAX: ffffffffffffffda RBX: 00007ffc088e3368 RCX: 00007f00a703fd67\n  RDX: 0000000000000941 RSI: 00007ffc088e48d7 RDI: 00000000ffffff9c\n  RBP: 00007ffc088e48d7 R08: 0000000000000001 R09: 0000000000000000\n  R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000941\n  R13: 0000000000000000 R14: 00007ffc088e48d7 R15: 00007f00a7180040\n   </TASK>\r\n\r\n  Allocated by task 181:\n   kasan_save_stack+0x2f/0x60\n   kasan_set_track+0x29/0x40\n   kasan_save_alloc_info+0x25/0x40\n   __kasan_kmalloc+0xc5/0xd0\n   __kmalloc+0x66/0x160\n   ecryptfs_generate_key_packet_set+0x6d2/0xde0\n   ecryptfs_write_metadata+0x30a/0x550\n   ecryptfs_initialize_file+0x77/0x150\n   ecryptfs_create+0x1c2/0x2f0\n   path_openat+0x17cf/0x1ba0\n   do_filp_open+0x15e/0x290\n   do_sys_openat2+0x122/0x160\n   __x64_sys_openat+0xef/0x170\n   do_syscall_64+0x60/0xd0\n   entry_SYSCALL_64_after_hwframe+0x6e/0xd8(CVE-2024-38578)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: bcm - Fix pointer arithmetic\r\n\r\nIn spu2_dump_omd() value of ptr is increased by ciph_key_len\ninstead of hash_iv_len which could lead to going beyond the\nbuffer boundaries.\nFix this bug by changing ciph_key_len to hash_iv_len.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-38579)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix potential hang in nilfs_detach_log_writer()\r\n\r\nSyzbot has reported a potential hang in nilfs_detach_log_writer() called\nduring nilfs2 unmount.\r\n\r\nAnalysis revealed that this is because nilfs_segctor_sync(), which\nsynchronizes with the log writer thread, can be called after\nnilfs_segctor_destroy() terminates that thread, as shown in the call trace\nbelow:\r\n\r\nnilfs_detach_log_writer\n  nilfs_segctor_destroy\n    nilfs_segctor_kill_thread  --> Shut down log writer thread\n    flush_work\n      nilfs_iput_work_func\n        nilfs_dispose_list\n          iput\n            nilfs_evict_inode\n              nilfs_transaction_commit\n                nilfs_construct_segment (if inode needs sync)\n                  nilfs_segctor_sync  --> Attempt to synchronize with\n                                          log writer thread\n                           *** DEADLOCK ***\r\n\r\nFix this issue by changing nilfs_segctor_sync() so that the log writer\nthread returns normally without synchronizing after it terminates, and by\nforcing tasks that are already waiting to complete once after the thread\nterminates.\r\n\r\nThe skipped inode metadata flushout will then be processed together in the\nsubsequent cleanup work in nilfs_segctor_destroy().(CVE-2024-38582)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix use-after-free of timer for log writer thread\r\n\r\nPatch series \"nilfs2: fix log writer related issues\".\r\n\r\nThis bug fix series covers three nilfs2 log writer-related issues,\nincluding a timer use-after-free issue and potential deadlock issue on\nunmount, and a potential freeze issue in event synchronization found\nduring their analysis.  Details are described in each commit log.\r\n\r\n\nThis patch (of 3):\r\n\r\nA use-after-free issue has been reported regarding the timer sc_timer on\nthe nilfs_sc_info structure.\r\n\r\nThe problem is that even though it is used to wake up a sleeping log\nwriter thread, sc_timer is not shut down until the nilfs_sc_info structure\nis about to be freed, and is used regardless of the thread's lifetime.\r\n\r\nFix this issue by limiting the use of sc_timer only while the log writer\nthread is alive.(CVE-2024-38583)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: timer: Set lower bound of start tick time\r\n\r\nCurrently ALSA timer doesn't have the lower limit of the start tick\ntime, and it allows a very small size, e.g. 1 tick with 1ns resolution\nfor hrtimer.  Such a situation may lead to an unexpected RCU stall,\nwhere  the callback repeatedly queuing the expire update, as reported\nby fuzzer.\r\n\r\nThis patch introduces a sanity check of the timer start tick time, so\nthat the system returns an error when a too small start size is set.\nAs of this patch, the lower limit is hard-coded to 100us, which is\nsmall enough but can still work somehow.(CVE-2024-38618)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nserial: max3100: Update uart_driver_registered on driver removal\r\n\r\nThe removal of the last MAX3100 device triggers the removal of\nthe driver. However, code doesn't update the respective global\nvariable and after insmod — rmmod — insmod cycle the kernel\noopses:\r\n\r\n  max3100 spi-PRP0001:01: max3100_probe: adding port 0\n  BUG: kernel NULL pointer dereference, address: 0000000000000408\n  ...\n  RIP: 0010:serial_core_register_port+0xa0/0x840\n  ...\n   max3100_probe+0x1b6/0x280 [max3100]\n   spi_probe+0x8d/0xb0\r\n\r\nUpdate the actual state so next time UART driver will be registered\nagain.\r\n\r\nHugo also noticed, that the error path in the probe also affected\nby having the variable set, and not cleared. Instead of clearing it\nmove the assignment after the successfull uart_register_driver() call.(CVE-2024-38633)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nserial: max3100: Lock port->lock when calling uart_handle_cts_change()\r\n\r\nuart_handle_cts_change() has to be called with port lock taken,\nSince we run it in a separate work, the lock may not be taken at\nthe time of running. Make sure that it's taken by explicitly doing\nthat. Without it we got a splat:\r\n\r\n  WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0\n  ...\n  Workqueue: max3100-0 max3100_work [max3100]\n  RIP: 0010:uart_handle_cts_change+0xa6/0xb0\n  ...\n   max3100_handlerx+0xc5/0x110 [max3100]\n   max3100_work+0x12a/0x340 [max3100](CVE-2024-38634)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngreybus: lights: check return of get_channel_from_mode\r\n\r\nIf channel for the given node is not found we return null from\nget_channel_from_mode. Make sure we validate the return pointer\nbefore using it in two of the missing places.\r\n\r\nThis was originally reported in [0]:\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\r\n\r\n[0] https://lore.kernel.org/all/20240301190425.120605-1-m.lobanov@rosalinux.ru(CVE-2024-38637)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nenic: Validate length of nl attributes in enic_set_vf_port\r\n\r\nenic_set_vf_port assumes that the nl attribute IFLA_PORT_PROFILE\nis of length PORT_PROFILE_MAX and that the nl attributes\nIFLA_PORT_INSTANCE_UUID, IFLA_PORT_HOST_UUID are of length PORT_UUID_MAX.\nThese attributes are validated (in the function do_setlink in rtnetlink.c)\nusing the nla_policy ifla_port_policy. The policy defines IFLA_PORT_PROFILE\nas NLA_STRING, IFLA_PORT_INSTANCE_UUID as NLA_BINARY and\nIFLA_PORT_HOST_UUID as NLA_STRING. That means that the length validation\nusing the policy is for the max size of the attributes and not on exact\nsize so the length of these attributes might be less than the sizes that\nenic_set_vf_port expects. This might cause an out of bands\nread access in the memcpys of the data of these\nattributes in enic_set_vf_port.(CVE-2024-38659)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndma-buf/sw-sync: don't enable IRQ from sync_print_obj()\r\n\r\nSince commit a6aa8fca4d79 (\"dma-buf/sw-sync: Reduce irqsave/irqrestore from\nknown context\") by error replaced spin_unlock_irqrestore() with\nspin_unlock_irq() for both sync_debugfs_show() and sync_print_obj() despite\nsync_print_obj() is called from sync_debugfs_show(), lockdep complains\ninconsistent lock state warning.\r\n\r\nUse plain spin_{lock,unlock}() for sync_print_obj(), for\nsync_debugfs_show() is already using spin_{lock,unlock}_irq().(CVE-2024-38780)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/9p: fix uninit-value in p9_client_rpc()\r\n\r\nSyzbot with the help of KMSAN reported the following error:\r\n\r\nBUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline]\nBUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n trace_9p_client_res include/trace/events/9p.h:146 [inline]\n p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nUninit was created at:\n __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598\n __alloc_pages_node include/linux/gfp.h:238 [inline]\n alloc_pages_node include/linux/gfp.h:261 [inline]\n alloc_slab_page mm/slub.c:2175 [inline]\n allocate_slab mm/slub.c:2338 [inline]\n new_slab+0x2de/0x1400 mm/slub.c:2391\n ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525\n __slab_alloc mm/slub.c:3610 [inline]\n __slab_alloc_node mm/slub.c:3663 [inline]\n slab_alloc_node mm/slub.c:3835 [inline]\n kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852\n p9_tag_alloc net/9p/client.c:278 [inline]\n p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641\n p9_client_rpc+0x27e/0x1340 net/9p/client.c:688\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nIf p9_check_errors() fails early in p9_client_rpc(), req->rc.tag\nwill not be properly initialized. However, trace_9p_client_res()\nends up trying to print it out anyway before p9_client_rpc()\nfinishes.\r\n\r\nFix this issue by assigning default values to p9_fcall fields\nsuch as 'tag' and (just in case KMSAN unearths something new) 'id'\nduring the tag allocation stage.(CVE-2024-39301)",
+    "cves": [
+      {
+        "id": "CVE-2024-39301",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39301",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1481": {
+    "id": "openEuler-SA-2024-1481",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1481",
+    "title": "An update for llvm is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Low",
+    "description": "LLVM is a compiler infrastructure designed for compile-time, link-time, runtime, and idle-time optimization of programs from arbitrary programming languages.\r\n\r\nSecurity Fix(es):\r\n\r\nLLVM 15.0.0 has a NULL pointer dereference in the parseOneMetadata() function via a crafted pdflatex.fmt file (or perhaps a crafted .o file) to llvm-lto. NOTE: this is disputed because the relationship between pdflatex.fmt and any LLVM language front end is not explained, and because a crash of the llvm-lto application should be categorized as a usability problem.(CVE-2023-46049)",
+    "cves": [
+      {
+        "id": "CVE-2023-46049",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46049",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1852": {
+    "id": "openEuler-SA-2023-1852",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1852",
+    "title": "An update for shadow is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Tools for managing accounts and shadow password files.\r\n\r\nSecurity Fix(es):\r\n\r\nshadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees(CVE-2013-4235)",
+    "cves": [
+      {
+        "id": "CVE-2013-4235",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4235",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1296": {
+    "id": "openEuler-SA-2023-1296",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1296",
+    "title": "An update for qt5-qtbase is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "This package provides base tools, such as string, xml, and network handling.\r\n\r\nSecurity Fix(es):\r\n\r\nQt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.(CVE-2023-24607)",
+    "cves": [
+      {
+        "id": "CVE-2023-24607",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2116": {
+    "id": "openEuler-SA-2022-2116",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2116",
+    "title": "An update for dbus-broker is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in dbus-broker before 31. It depends on c-uitl/c-shquote to parse the DBus service's Exec line. c-shquote contains a stack-based buffer over-read if a malicious Exec line is supplied.(CVE-2022-31212)\r\n\r\nAn issue was discovered in dbus-broker before 31. Multiple NULL pointer dereferences can be found when supplying a malformed XML config file.(CVE-2022-31213)",
+    "cves": [
+      {
+        "id": "CVE-2022-31213",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31213",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1581": {
+    "id": "openEuler-SA-2022-1581",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1581",
+    "title": "An update for php is now available for openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server.\r\n\r\nSecurity Fix(es):\r\n\r\nIn PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result it crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits.(CVE-2021-21708)",
+    "cves": [
+      {
+        "id": "CVE-2021-21708",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21708",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1890": {
+    "id": "openEuler-SA-2022-1890",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1890",
+    "title": "An update for virglrenderer is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The virgil3d rendering library is a library used by qemu to implement 3D GPU support for the virtio GPU.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds write issue was found in the VirGL virtual OpenGL renderer (virglrenderer). This flaw allows a malicious guest to create a specially crafted virgil resource and then issue a VIRTGPU_EXECBUFFER ioctl, leading to a denial of service or possible code execution.(CVE-2022-0135)",
+    "cves": [
+      {
+        "id": "CVE-2022-0135",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0135",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1564": {
+    "id": "openEuler-SA-2022-1564",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1564",
+    "title": "An update for mosquitto is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Mosquitto is an open source message broker that implements the MQ Telemetry Transport protocol version 3.1 and 3.1.1 MQTT provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for \"machine to machine\" messaging such as with low power sensors or mobile devices such as phones, embedded computers or micro-controllers like the Arduino.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Eclipse Mosquitto versions 2.07 and earlier, the server will crash if the client tries to send a PUBLISH packet with topic length = 0.(CVE-2021-34432)",
+    "cves": [
+      {
+        "id": "CVE-2021-34432",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34432",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1941": {
+    "id": "openEuler-SA-2022-1941",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1941",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the sctp_make_strreset_req function in net/sctp/sm_make_chunk.c in the SCTP network protocol in the Linux kernel with a local user privilege access. In this flaw, an attempt to use more buffer than is allocated triggers a BUG_ON issue, leading to a denial of service (DOS).(CVE-2022-0322)\r\n\r\nA vulnerability was found in the Linux kernel. This flaw allows an unprivileged local user to panic the system, resulting in a denial of service by calling setsockopt(2) with specially crafted arguments. The highest threat from this vulnerability is to system availability.(CVE-2021-3894)\n\nA NULL pointer dereference flaw in diFree in fs/jfs/inode.c in Journaled File System (JFS)in the Linux kernel. This could allow a local attacker to crash the system or leak kernel internal information.(CVE-2022-3202)",
+    "cves": [
+      {
+        "id": "CVE-2022-3202",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3202",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1173": {
+    "id": "openEuler-SA-2021-1173",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1173",
+    "title": "An update for tar is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "GNU Tar provides the ability to create tar archives, as well as various other kinds of manipulation. For example, you can use Tar on previously created archives to extract files, to store additional files, or to update or list files which were already stored.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability.(CVE-2021-20193)",
+    "cves": [
+      {
+        "id": "CVE-2021-20193",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20193",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1178": {
+    "id": "openEuler-SA-2021-1178",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1178",
+    "title": "An update for python-lxml is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The lxml XML toolkit is a Pythonic binding for the C libraries libxml2 and libxslt. It is unique in that it combines the speed and XML feature completeness of these libraries with the simplicity of a native Python API, mostly compatible but superior to the well-known ElementTree API. The latest release works with all CPython versions from 2.7 to 3.7.\r\n\r\nSecurity Fix(es):\r\n\r\nAn XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.(CVE-2021-28957)",
+    "cves": [
+      {
+        "id": "CVE-2021-28957",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28957",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1475": {
+    "id": "openEuler-SA-2023-1475",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1475",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the QEMU Guest Agent service for Windows. A local unprivileged user may be able to manipulate the QEMU Guest Agent's Windows installer via repair custom actions to elevate their privileges on the system.(CVE-2023-0664)\r\n\r\nA flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. The 9pfs server did not prohibit opening special files on the host side, potentially allowing a malicious client to escape from the exported 9p tree by creating and opening a device file in the shared folder.(CVE-2023-2861)",
+    "cves": [
+      {
+        "id": "CVE-2023-2861",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2861",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1544": {
+    "id": "openEuler-SA-2023-1544",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1544",
+    "title": "An update for yasm is now available for openEuler-22.03-LTS",
+    "severity": "Low",
+    "description": "Yasm is a complete rewrite of the NASM assembler under the “new” BSD License.\n\nSecurity Fix(es):\n\nyasm v1.3.0 was discovered to contain a memory leak via the function yasm_intnum_copy at /libyasm/intnum.c.(CVE-2023-31975)",
+    "cves": [
+      {
+        "id": "CVE-2023-31975",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31975",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1251": {
+    "id": "openEuler-SA-2024-1251",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1251",
+    "title": "An update for cri-o is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Open Container Initiative-based implementation of Kubernetes Container Runtime Interface.\r\n\r\nSecurity Fix(es):\r\n\r\nIncorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.(CVE-2022-2995)",
+    "cves": [
+      {
+        "id": "CVE-2022-2995",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2995",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1758": {
+    "id": "openEuler-SA-2024-1758",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1758",
+    "title": "An update for cups is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3 and openEuler-24.03-LTS",
+    "severity": "Medium",
+    "description": "CUPS is the standards-based, open source printing system developed by Apple Inc. for UNIX®-like operating systems. CUPS uses the Internet Printing Protocol (IPP) to support printing to local and network printers..\r\n\r\nSecurity Fix(es):\r\n\r\nOpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.8 and earlier, when starting the cupsd server with a Listen configuration item pointing to a symbolic link, the cupsd process can be caused to perform an arbitrary chmod of the provided argument, providing world-writable access to the target. Given that cupsd is often running as root, this can result in the change of permission of any user or system files to be world writable. Given the aforementioned Ubuntu AppArmor context, on such systems this vulnerability is limited to those files modifiable by the cupsd process. In that specific case it was found to be possible to turn the configuration of the Listen argument into full control over the cupsd.conf and cups-files.conf configuration files. By later setting the User and Group arguments in cups-files.conf, and printing with a printer configured by PPD with a `FoomaticRIPCommandLine` argument, arbitrary user and group (not root) command execution could be achieved, which can further be used on Ubuntu systems to achieve full root command execution. Commit ff1f8a623e090dee8a8aadf12a6a4b25efac143d contains a patch for the issue.\n(CVE-2024-35235)",
+    "cves": [
+      {
+        "id": "CVE-2024-35235",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35235",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1739": {
+    "id": "openEuler-SA-2024-1739",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1739",
+    "title": "An update for ntfs-3g is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3 and openEuler-24.03-LTS",
+    "severity": "Medium",
+    "description": "NTFS-3G is a stable, open source, GPL licensed, POSIX, read/write NTFS driver for Linux and many other operating systems. It provides safe handling of the Windows XP, Windows Server 2003, Windows 2000, Windows Vista, Windows Server 2008 and Windows 7 NTFS file systems.\r\n\r\nSecurity Fix(es):\r\n\r\nNTFS-3G before 75dcdc2 has a use-after-free in ntfs_uppercase_mbs in libntfs-3g/unistr.c. NOTE: discussion suggests that exploitation would be challenging.(CVE-2023-52890)",
+    "cves": [
+      {
+        "id": "CVE-2023-52890",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52890",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1345": {
+    "id": "openEuler-SA-2023-1345",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1345",
+    "title": "An update for libcap is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "This is a library for getting and setting POSIX.1e (formerly POSIX 6) draft 15 capabilities.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in the pthread_create() function in libcap. This issue may allow a malicious actor to use cause __real_pthread_create() to return an error, which can exhaust the process memory.(CVE-2023-2602)\r\n\r\nA vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB.(CVE-2023-2603)",
+    "cves": [
+      {
+        "id": "CVE-2023-2603",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2603",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1417": {
+    "id": "openEuler-SA-2023-1417",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1417",
+    "title": "An update for pki-core is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Dogtag PKI is a designed  enterprise software system manage enterprise Public Key Infrastructure deployments.\n\nSecurity Fix(es):\n\nAccess to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.(CVE-2022-2414)",
+    "cves": [
+      {
+        "id": "CVE-2022-2414",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2414",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1834": {
+    "id": "openEuler-SA-2024-1834",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1834",
+    "title": "An update for ffmpeg is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash.\r\n\r\nSecurity Fix(es):\r\n\r\nInteger overflow vulnerability in av_timecode_make_string in libavutil/timecode.c in FFmpeg version 4.3.2, allows local attackers to cause a denial of service (DoS) via crafted .mov file.(CVE-2021-28429)",
+    "cves": [
+      {
+        "id": "CVE-2021-28429",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28429",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1788": {
+    "id": "openEuler-SA-2022-1788",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1788",
+    "title": "An update for flatpak-builder is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Flatpak-builder is a tool for building flatpaks from sources.\r\n\r\nSecurity Fix(es):\r\n\r\nFlatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to 1.12.3 and 1.10.6. flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions. Normally this will not be done, so this is not problem. However, if `--mirror-screenshots-url` is specified, then flatpak-builder will launch `flatpak build --nofilesystem=host appstream-utils mirror-screenshots` after finalization, which can lead to issues even with the `--nofilesystem=host` protection. In normal use, the only issue is that these empty directories can be created wherever the user has write permissions. However, a malicious application could replace the `appstream-util` binary and potentially do something more hostile. This has been resolved in Flatpak 1.12.3 and 1.10.6 by changing the behaviour of `--nofilesystem=home` and `--nofilesystem=host`.(CVE-2022-21682)",
+    "cves": [
+      {
+        "id": "CVE-2022-21682",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21682",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1098": {
+    "id": "openEuler-SA-2024-1098",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1098",
+    "title": "An update for python-pillow is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Pillow is the friendly PIL fork by Alex Clark and Contributors. PIL is the Python Imaging \\ Library by Fredrik Lundh and Contributors. As of 2019, Pillow development is supported by Tidelift.   %package -n python3-pillow Summary:        Python 3 image processing library  Provides:       python3-imaging = -\r\n\r\nSecurity Fix(es):\r\n\r\nPillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).(CVE-2023-50447)",
+    "cves": [
+      {
+        "id": "CVE-2023-50447",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50447",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1713": {
+    "id": "openEuler-SA-2024-1713",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1713",
+    "title": "An update for python-Flask-Cors is now available for openEuler-24.03-LTS",
+    "severity": "Medium",
+    "description": "A Flask extension for handling Cross Origin Resource Sharing (CORS), making cross-origin AJAX possible.\r\n\r\nSecurity Fix(es):\r\n\r\ncorydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs.(CVE-2024-1681)",
+    "cves": [
+      {
+        "id": "CVE-2024-1681",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1681",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1635": {
+    "id": "openEuler-SA-2024-1635",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1635",
+    "title": "An update for mysql is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The MySQL(TM) software delivers a very fast, multi-threaded, multi-user, and robust SQL (Structured Query Language) database server. MySQL Server is intended for mission-critical, heavy-load production systems as well as for embedding into mass-deployed software. MySQL is a trademark of Oracle and/or its affiliates\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin).  Supported versions that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2024-21087)",
+    "cves": [
+      {
+        "id": "CVE-2024-21087",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21087",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1107": {
+    "id": "openEuler-SA-2021-1107",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1107",
+    "title": "An update for glib2 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "GLib is a bundle of three (formerly five) low-level system libraries written in C and developed mainly by GNOME. GLib's code was separated from GTK, so it can be used by software other than GNOME and has been developed in parallel ever since.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called with a buffer of 4GB or more on a 64-bit platform, the length would be truncated modulo 2**32, causing unintended length truncation.(CVE-2021-27218)\r\n\r\nAn issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption.(CVE-2021-27219)",
+    "cves": [
+      {
+        "id": "CVE-2021-27219",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27219",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1383": {
+    "id": "openEuler-SA-2021-1383",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1383",
+    "title": "An update for python-pillow is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Pillow is the friendly PIL fork by Alex Clark and Contributors. PIL is the Python Imaging Library by Fredrik Lundh and Contributors. As of 2019, Pillow development is supported by Tidelift.\r\n\r\nSecurity Fix(es):\r\n\r\nThe package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.(CVE-2021-23437)",
+    "cves": [
+      {
+        "id": "CVE-2021-23437",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23437",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1517": {
+    "id": "openEuler-SA-2024-1517",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1517",
+    "title": "An update for perl-Mojolicious is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Back in the early days of the web there was this wonderful Perl library called CGI, many people only learned Perl because of it. It was simple enough to get started without knowing much about the language and powerful enough to keep you going, learning by doing was much fun. While most of the techniques used are outdated now, the idea behind it is not. Mojolicious is a new attempt at implementing this idea using state of the art technology.\r\n\r\nSecurity Fix(es):\r\n\r\nThe Mojolicious module before 8.65 for Perl is vulnerable to secure_compare timing attacks that allow an attacker to guess the length of a secret string. Only versions after 1.74 are affected.(CVE-2020-36829)\r\n\r\nThe Mojolicious module before 9.11 for Perl has a bug in format detection that can potentially be exploited for denial of service.(CVE-2021-47208)",
+    "cves": [
+      {
+        "id": "CVE-2021-47208",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47208",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1197": {
+    "id": "openEuler-SA-2021-1197",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1197",
+    "title": "An update for openvpn is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "OpenVPN is a full-featured open source SSL VPN solution that accommodates a wide range of configurations,  including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing,  failover, and fine-grained access-controls. Starting with the fundamental premise that complexity is the enemy of security,  OpenVPN offers a cost-effective, lightweight alternative to other VPN technologies that is well-adapted for the SME and enterprise markets.\r\n\r\nSecurity Fix(es):\r\n\r\nOpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.(CVE-2020-15078)",
+    "cves": [
+      {
+        "id": "CVE-2020-15078",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15078",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1618": {
+    "id": "openEuler-SA-2023-1618",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1618",
+    "title": "An update for openjdk-11 is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in function ciMethodBlocks::make_block_at in Oracle JDK (HotSpot VM) 11, 17 and OpenJDK (HotSpot VM) 8, 11, 17, allows attackers to cause a denial of service.(CVE-2022-40433)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via DTLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-21835)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Sound).  Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21843)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2023-21930)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21937)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21938)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21939)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2023-21954)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21967)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21968)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).(CVE-2023-22006)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Utility).  Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-22036)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.1 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2023-22041)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2023-22045)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-22049)",
+    "cves": [
+      {
+        "id": "CVE-2023-22049",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22049",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1570": {
+    "id": "openEuler-SA-2024-1570",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1570",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: core: Fix scsi_mode_sense() buffer length handling\r\n\r\nSeveral problems exist with scsi_mode_sense() buffer length handling:\r\n\r\n 1) The allocation length field of the MODE SENSE(10) command is 16-bits,\n    occupying bytes 7 and 8 of the CDB. With this command, access to mode\n    pages larger than 255 bytes is thus possible. However, the CDB\n    allocation length field is set by assigning len to byte 8 only, thus\n    truncating buffer length larger than 255.\r\n\r\n 2) If scsi_mode_sense() is called with len smaller than 8 with\n    sdev->use_10_for_ms set, or smaller than 4 otherwise, the buffer length\n    is increased to 8 and 4 respectively, and the buffer is zero filled\n    with these increased values, thus corrupting the memory following the\n    buffer.\r\n\r\nFix these 2 problems by using put_unaligned_be16() to set the allocation\nlength field of MODE SENSE(10) CDB and by returning an error when len is\ntoo small.\r\n\r\nFurthermore, if len is larger than 255B, always try MODE SENSE(10) first,\neven if the device driver did not set sdev->use_10_for_ms. In case of\ninvalid opcode error for MODE SENSE(10), access to mode pages larger than\n255 bytes are not retried using MODE SENSE(6). To avoid buffer length\noverflows for the MODE_SENSE(10) case, check that len is smaller than 65535\nbytes.\r\n\r\nWhile at it, also fix the folowing:\r\n\r\n * Use get_unaligned_be16() to retrieve the mode data length and block\n   descriptor length fields of the mode sense reply header instead of using\n   an open coded calculation.\r\n\r\n * Fix the kdoc dbd argument explanation: the DBD bit stands for Disable\n   Block Descriptor, which is the opposite of what the dbd argument\n   description was.(CVE-2021-47182)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: usb-audio: fix null pointer dereference on pointer cs_desc\r\n\r\nThe pointer cs_desc return from snd_usb_find_clock_source could\nbe null, so there is a potential null pointer dereference issue.\nFix this by adding a null check before dereference.(CVE-2021-47211)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nl2tp: pass correct message length to ip6_append_data\r\n\r\nl2tp_ip6_sendmsg needs to avoid accounting for the transport header\ntwice when splicing more data into an already partially-occupied skbuff.\r\n\r\nTo manage this, we check whether the skbuff contains data using\nskb_queue_empty when deciding how much data to append using\nip6_append_data.\r\n\r\nHowever, the code which performed the calculation was incorrect:\r\n\r\n     ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;\r\n\r\n...due to C operator precedence, this ends up setting ulen to\ntranshdrlen for messages with a non-zero length, which results in\ncorrupted packets on the wire.\r\n\r\nAdd parentheses to correct the calculation in line with the original\nintent.(CVE-2024-26752)",
+    "cves": [
+      {
+        "id": "CVE-2024-26752",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26752",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1162": {
+    "id": "openEuler-SA-2024-1162",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1162",
+    "title": "An update for squid is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Squid is a high-performance proxy caching server. It handles all requests in a single, non-blocking, I/O-driven process and keeps meta data and implements negative caching of failed requests.\r\n\r\nSecurity Fix(es):\r\n\r\nSquid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Collapse of Data into Unsafe Value bug ,Squid may be vulnerable to a Denial of Service attack against HTTP header parsing. This problem allows a remote client or a remote server to perform Denial of Service when sending oversized headers in HTTP messages. In versions of Squid prior to 6.5 this can be achieved if the request_header_max_size or reply_header_max_size settings are unchanged from the default. In Squid version 6.5 and later, the default setting of these parameters is safe. Squid will emit a critical warning in cache.log if the administrator is setting these parameters to unsafe values. Squid will not at this time prevent these settings from being changed to unsafe values. Users are advised to upgrade to version 6.5. There are no known workarounds for this vulnerability. This issue is also tracked as SQUID-2024:2(CVE-2024-25617)",
+    "cves": [
+      {
+        "id": "CVE-2024-25617",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25617",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1668": {
+    "id": "openEuler-SA-2024-1668",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1668",
+    "title": "An update for php is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server.\r\n\r\nSecurity Fix(es):\r\n\r\nIn PHP  version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\\x00), testing a blank string as the password via password_verify() will incorrectly return true.\r\n\r\n(CVE-2024-3096)",
+    "cves": [
+      {
+        "id": "CVE-2024-3096",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3096",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1483": {
+    "id": "openEuler-SA-2022-1483",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1483",
+    "title": "An update for resteasy is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Framework for RESTful Web services and Java applications.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed.(CVE-2020-1695)",
+    "cves": [
+      {
+        "id": "CVE-2020-1695",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1695",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2108": {
+    "id": "openEuler-SA-2022-2108",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2108",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "This package contains the header files and documentation necessary for developing programs which will manipulate TIFF format image files using the libtiff library.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in LibTIFF. It has been classified as critical. This affects the function TIFFReadRGBATileExt of the file libtiff/tif_getimage.c. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 227500897dfb07fb7d27f7aa570050e62617e3be. It is recommended to apply a patch to fix this issue. The identifier VDB-213549 was assigned to this vulnerability.(CVE-2022-3970)",
+    "cves": [
+      {
+        "id": "CVE-2022-3970",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3970",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1510": {
+    "id": "openEuler-SA-2022-1510",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1510",
+    "title": "An update for wpa_supplicant is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "wpa_supplicant is a WPA Supplicant for Linux, BSD, Mac OS X, and Windows with support for WPA and WPA2 (IEEE 802.11i / RSN). It is suitable for both desktop/laptop computers and embedded systems. Supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association of the wlan driver.\r\n\r\nSecurity Fix(es):\r\n\r\nThe implementations of EAP-pwd in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side-channel attacks as a result of cache access patterns. NOTE: this issue exists because of an incomplete fix for CVE-2019-9495.(CVE-2022-23304)\r\n\r\nThe implementations of SAE in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side channel attacks as a result of cache access patterns. NOTE: this issue exists because of an incomplete fix for CVE-2019-9494.(CVE-2022-23303)",
+    "cves": [
+      {
+        "id": "CVE-2022-23303",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23303",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1586": {
+    "id": "openEuler-SA-2024-1586",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1586",
+    "title": "An update for OpenEXR is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light & Magic for use in computer imaging applications.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue in Academy Software Foundation openexr v.3.2.3 and before allows a local attacker to cause a denial of service (DoS) via the convert function of exrmultipart.cpp.(CVE-2024-31047)",
+    "cves": [
+      {
+        "id": "CVE-2024-31047",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31047",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1423": {
+    "id": "openEuler-SA-2024-1423",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1423",
+    "title": "An update for flatpak is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "flatpak is a system for building, distributing and running sandboxed desktop applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for more information.\r\n\r\nSecurity Fix(es):\r\n\r\nFlatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment.(CVE-2023-28100)\r\n\r\nFlatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.(CVE-2023-28101)",
+    "cves": [
+      {
+        "id": "CVE-2023-28101",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28101",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1654": {
+    "id": "openEuler-SA-2022-1654",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1654",
+    "title": "An update for openldap is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. LDAP is a set of protocols for accessing directory services (usually phone book style information, but other information is possible) over the Internet, similar to the way DNS (Domain Name System) information is propagated over the Internet. The openldap package contains configuration files, libraries, and documentation for OpenLDAP.\r\n\r\nSecurity Fix(es):\r\n\r\nIn OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping.(CVE-2022-29155)",
+    "cves": [
+      {
+        "id": "CVE-2022-29155",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29155",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1992": {
+    "id": "openEuler-SA-2022-1992",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1992",
+    "title": "An update for wireshark is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Wireshark is an open source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer. Wireshark, formerly known as Ethereal, can be used to examine the details of traffic at a variety of levels ranging from connection-level information to the bits that make up a single packet. Packet capture can provide a network administrator with information about individual packets such as transmit time, source, destination, protocol type and header data. This information can be useful for evaluating security events and troubleshooting network security device issues.\r\n\r\nSecurity Fix(es):\r\n\r\nInfinite loop in the F5 Ethernet Trailer protocol dissector in Wireshark 3.6.0 to 3.6.7 and 3.4.0 to 3.4.15 allows denial of service via packet injection or crafted capture file(CVE-2022-3190)",
+    "cves": [
+      {
+        "id": "CVE-2022-3190",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3190",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1031": {
+    "id": "openEuler-SA-2024-1031",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1031",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nopeneuler-linux-kernel-4.19.0-cbs_destroy-NULL-ptr-deref-391216(CVE-2021-33630)\r\n\r\nopeneuler-linux-kernel-5.10.149-ext4_write_inline_data-kernel_bug-365020(CVE-2021-33631)\r\n\r\nAn issue was discovered in the Linux kernel through 6.3.8. A use-after-free was found in ravb_remove in drivers/net/ethernet/renesas/ravb_main.c.(CVE-2023-35827)\r\n\r\nAn out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This issue may allow a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data being printed and potentially leaked to the kernel ring buffer (dmesg).(CVE-2023-6121)\r\n\r\nA heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be exploited to achieve local privilege escalation.\r\n\r\nA perf_event's read_size can overflow, leading to an heap out-of-bounds increment or write in perf_read_group().\r\n\r\nWe recommend upgrading past commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b.\r\n\r\n(CVE-2023-6931)",
+    "cves": [
+      {
+        "id": "CVE-2023-6931",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6931",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1266": {
+    "id": "openEuler-SA-2024-1266",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1266",
+    "title": "An update for glusterfs is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "GlusterFS is a distributed file-system capable of scaling to several petabytes. It aggregates various storage bricks over TCP/IP interconnect into one large parallel network filesystem. GlusterFS is one of the most sophisticated file systems in terms of features and extensibility. It borrows a powerful concept called Translators from GNU Hurd kernel. Much of the code in GlusterFS is in user space and easily manageable.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Gluster GlusterFS 11.0, there is an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free.(CVE-2022-48340)",
+    "cves": [
+      {
+        "id": "CVE-2022-48340",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48340",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1844": {
+    "id": "openEuler-SA-2023-1844",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1844",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvbdev.c has a use-after-free, related to dvb_register_device dynamically allocating fops.(CVE-2022-45884)\r\n\r\nRejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-35823. Reason: This candidate is a reservation duplicate of CVE-2023-35823. Notes: All CVE users should reference CVE-2023-35823 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.(CVE-2023-3327)\r\n\r\nA race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one holding a reference to it. This flaw allows an attacker to guess the returned handle value and trigger a use-after-free issue, potentially leading to a denial of service or privilege escalation.(CVE-2023-39198)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation.\r\n\r\nIf a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free.\r\n\r\nWe recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f.\r\n\r\n(CVE-2023-4623)\r\n\r\nA use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\r\n\r\nAddition and removal of rules from chain bindings within the same transaction causes leads to use-after-free.\r\n\r\nWe recommend upgrading past commit f15f29fd4779be8a418b66e9d52979bb6d6c2325.\r\n\r\n(CVE-2023-5197)",
+    "cves": [
+      {
+        "id": "CVE-2023-5197",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5197",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1727": {
+    "id": "openEuler-SA-2024-1727",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1727",
+    "title": "An update for wireshark is now available for openEuler-24.03-LTS",
+    "severity": "Medium",
+    "description": "Wireshark is an open source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer.\r\n\r\nSecurity Fix(es):\r\n\r\nMemory handling issue in editcap could cause denial of service via crafted capture file(CVE-2024-4853)\r\n\r\nMONGO and ZigBee TLV dissector infinite loops in Wireshark 4.2.0 to 4.2.4, 4.0.0 to 4.0.14, and 3.6.0 to 3.6.22 allow denial of service via packet injection or crafted capture file(CVE-2024-4854)\r\n\r\nUse after free issue in editcap could cause denial of service via crafted capture file(CVE-2024-4855)",
+    "cves": [
+      {
+        "id": "CVE-2024-4855",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4855",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1684": {
+    "id": "openEuler-SA-2022-1684",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1684",
+    "title": "An update for maven-shared-utils is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "This package can be the functional replacement of plexus-utils in Maven. At the same time, the package has many hightlights, such as: a lot of methods got cleaned up, generics got added and a lot of unused code dropped.\n\nSecurity Fix(es):\n\nIn Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.(CVE-2022-29599)",
+    "cves": [
+      {
+        "id": "CVE-2022-29599",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29599",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1052": {
+    "id": "openEuler-SA-2024-1052",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1052",
+    "title": "An update for netdata is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "netdata is the fastest way to visualize metrics. It is a resource efficient, highly optimized system for collecting and visualizing any type of realtime time-series data, from CPU usage, disk activity, SQL queries, API calls, web site visitors, etc. netdata tries to visualize the truth of now, in its greatest detail, so that you can get insights of what is happening now and what just happened, on your systems and applications.\r\n\r\nSecurity Fix(es):\r\n\r\nNetdata is an open source option for real-time infrastructure monitoring and troubleshooting. An attacker with the ability to establish a streaming connection can execute arbitrary commands on the targeted Netdata agent. When an alert is triggered, the function `health_alarm_execute` is called. This function performs different checks and then enqueues a command by calling `spawn_enq_cmd`. This command is populated with several arguments that are not sanitized. One of them is the `registry_hostname` of the node for which the alert is raised. By providing a specially crafted `registry_hostname` as part of the health data that is streamed to a Netdata (parent) agent, an attacker can execute arbitrary commands at the remote host as a side-effect of the raised alert. Note that the commands are executed as the user running the Netdata Agent. This user is usually named `netdata`. The ability to run arbitrary commands may allow an attacker to escalate privileges by escalating other vulnerabilities in the system, as that user. The problem has been fixed in: Netdata agent v1.37 (stable) and Netdata agent v1.36.0-409 (nightly). As a workaround, streaming is not enabled by default. If you have previously enabled this, it can be disabled. Limiting access to the port on the recipient Agent to trusted child connections may mitigate the impact of this vulnerability.(CVE-2023-22496)\r\n\r\nNetdata is an open source option for real-time infrastructure monitoring and troubleshooting. Each Netdata Agent has an automatically generated MACHINE GUID. It is generated when the agent first starts and it is saved to disk, so that it will persist across restarts and reboots. Anyone who has access to a Netdata Agent has access to its MACHINE_GUID. Streaming is a feature that allows a Netdata Agent to act as parent for other Netdata Agents (children), offloading children from various functions (increased data retention, ML, health monitoring, etc) that can now be handled by the parent Agent. Configuration is done via `stream.conf`. On the parent side, users configure in `stream.conf` an API key (any random UUID can do) to provide common configuration for all children using this API key and per MACHINE GUID configuration to customize the configuration for each child. The way this was implemented, allowed an attacker to use a valid MACHINE_GUID as an API key. This affects all users who expose their Netdata Agents (children) to non-trusted users and they also expose to the same users Netdata Agent parents that aggregate data from all these children. The problem has been fixed in: Netdata agent v1.37 (stable) and Netdata agent v1.36.0-409 (nightly). As a workaround, do not enable streaming by default. If you have previously enabled this, it can be disabled. Limiting access to the port on the recipient Agent to trusted child connections may mitigate the impact of this vulnerability.(CVE-2023-22497)",
+    "cves": [
+      {
+        "id": "CVE-2023-22497",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22497",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1159": {
+    "id": "openEuler-SA-2024-1159",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1159",
+    "title": "An update for aops-ceres is now available for openEuler-20.03-LTS-SP4 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "An agent which needs to be adopted in client, it managers some plugins, such as gala-gopher(kpi collection), fluentd(log collection) and so on.\r\n\r\nSecurity Fix(es):\r\nIn versions 1.3.0-1.4.1 of the ceres software package, the execute_shell_command function does not properly verify or filter the command or subcommand parameters entered by users. This allows an attacker to exploit the vulnerability by injecting malicious code and execute arbitrary commands locally. Attackers can exploit this vulnerability to perform unauthorized operations, which may cause severe security threats and losses to the system.(CVE-2021-33633)",
+    "cves": [
+      {
+        "id": "CVE-2021-33633",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33633",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1698": {
+    "id": "openEuler-SA-2022-1698",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1698",
+    "title": "An update for webkit2gtk3 is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "WebKitGTK is a full-featured port of the WebKit rendering engine, suitable for projects requiring any kind of web integration, from hybrid HTML/CSS applications to full-fledged web browsers. This package contains WebKit2 based WebKitGTK+ for GTK+ 3.\r\n\r\nSecurity Fix(es):\r\n\r\nIn WebKitGTK through 2.36.0 (and WPE WebKit), there is a use-after-free in WebCore::TextureMapperLayer::setContentsLayer in WebCore/platform/graphics/texmap/TextureMapperLayer.cpp.(CVE-2022-30294)\r\n\r\nIn WebKitGTK through 2.36.0 (and WPE WebKit), there is a heap-based buffer overflow in WebCore::TextureMapperLayer::setContentsLayer in WebCore/platform/graphics/texmap/TextureMapperLayer.cpp.(CVE-2022-30293)",
+    "cves": [
+      {
+        "id": "CVE-2022-30293",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30293",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1196": {
+    "id": "openEuler-SA-2023-1196",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1196",
+    "title": "An update for curl is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nlibcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out from the configuration match checks, making them match too easily. The settings in questions are `CURLOPT_FTP_ACCOUNT`, `CURLOPT_FTP_ALTERNATIVE_TO_USER`, `CURLOPT_FTP_SSL_CCC` and `CURLOPT_USE_SSL` level.(CVE-2023-27535)\r\n\r\nlibcurl would reuse a previously created connection even when an SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, two SSH settings were left out from the configuration match checks, making them match too easily.(CVE-2023-27538)\r\n\r\nlibcurl would reuse a previously created connection even when the GSS delegation (`CURLOPT_GSSAPI_DELEGATION`) option had been changed that could have changed the user's permissions in a second transfer. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, this GSS delegation setting was left out from the configuration match checks, making them match too easily, affecting krb5/kerberos/negotiate/GSSAPI transfers.(CVE-2023-27536)\r\n\r\ncurl supports communicating using the TELNET protocol and as a part of this it offers users to pass on user name and \"telnet options\" for the server\nnegotiation. Due to lack of proper input scrubbing and without it being the documented functionality, curl would pass on user name and telnet options to the server as provided. This could allow users to pass in carefully crafted content that pass on content or do option negotiation without the application intending to do so. In particular if an application for example allows users to provide the data or parts of the data.(CVE-2023-27533)\r\n\r\ncurl supports SFTP transfers. curl's SFTP implementation offers a special feature in the path component of URLs: a tilde (`~`) character as the first\npath element in the path to denotes a path relative to the user's home directory. This is supported because of wording in the [once proposed\nto-become RFC draft](https://datatracker.ietf.org/doc/html/draft-ietf-secsh-scp-sftp-ssh-uri-04) that was to dictate how SFTP URLs work. Due to a bug, the handling of the tilde in SFTP path did however not only replace it when it is used stand-alone as the first path element but also wrongly when used as a mere prefix in the first element. Using a path like `/~2/foo` when accessing a server using the user `dan` (with home directory `/home/dan`) would then quite suprisingly access the file `/home/dan2/foo`. This can be taken advantage of to circumvent filtering or worse.(CVE-2023-27534)",
+    "cves": [
+      {
+        "id": "CVE-2023-27534",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27534",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1306": {
+    "id": "openEuler-SA-2023-1306",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1306",
+    "title": "An update for libssh is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote programs. With its Secure FTP implementation, you can play with remote files easily, without third-party programs others than libcrypto (from openssl).\r\n\r\nSecurity Fix(es):\r\n\r\nA NULL pointer dereference was found In libssh during re-keying with algorithm guessing. This issue may allow an authenticated client to cause a denial of service.(CVE-2023-1667)\r\n\r\nA vulnerability was found in libssh, where the authentication check of the connecting client can be bypassed in the`pki_verify_data_signature` function in memory allocation problems. This issue may happen if there is insufficient memory or the memory usage is limited. The problem is caused by the return value `rc,` which is initialized to SSH_ERROR and later rewritten to save the return value of the function call `pki_key_check_hash_compatible.` The value of the variable is not changed between this point and the cryptographic verification. Therefore any error between them calls `goto error` returning SSH_OK.(CVE-2023-2283)",
+    "cves": [
+      {
+        "id": "CVE-2023-2283",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2283",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1543": {
+    "id": "openEuler-SA-2022-1543",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1543",
+    "title": "An update for nodejs-getobject is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "Get and set deep objects easily.\r\n\r\nSecurity Fix(es):\r\n\r\nPrototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.(CVE-2020-28282)",
+    "cves": [
+      {
+        "id": "CVE-2020-28282",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28282",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1910": {
+    "id": "openEuler-SA-2022-1910",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1910",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Linux kernel's implementation of Pressure Stall Information. While the feature is disabled by default, it could allow an attacker to crash the system or have other memory-corruption side effects.(CVE-2022-2938)\n\nA use-after-free flaw was found in nf_tables cross-table in the net/netfilter/nf_tables_api.c function in the Linux kernel. This flaw allows a local, privileged attacker to cause a use-after-free problem at the time of table deletion, possibly leading to local privilege escalation.(CVE-2022-2586)",
+    "cves": [
+      {
+        "id": "CVE-2022-2586",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2586",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1581": {
+    "id": "openEuler-SA-2024-1581",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1581",
+    "title": "An update for skopeo is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "A command line utility that performs various operations on container images and image repositories\r\n\r\nSecurity Fix(es):\r\n\r\nA maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.(CVE-2022-41723)\r\n\r\nThe HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.(CVE-2023-29406)",
+    "cves": [
+      {
+        "id": "CVE-2023-29406",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29406",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1665": {
+    "id": "openEuler-SA-2023-1665",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1665",
+    "title": "An update for skopeo is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "A command line utility that performs various operations on container images and image repositories\r\n\r\nSecurity Fix(es):\r\n\r\nCalling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.(CVE-2023-24537)",
+    "cves": [
+      {
+        "id": "CVE-2023-24537",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24537",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1496": {
+    "id": "openEuler-SA-2022-1496",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1496",
+    "title": "An update for sphinx is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Sphinx is a full-text search engine, distributed under GPL version 2. Commercial licensing (e.g. for embedded use) is also available upon request. Generally, it's a standalone search engine, meant to provide fast, size-efficient and relevant full-text search functions to other applications. Sphinx was specially designed to integrate well with SQL databases and scripting languages. Currently built-in data source drivers support fetching data either via direct connection to MySQL, or PostgreSQL, or from a pipe in a custom XML format. Adding new drivers (e.g. native support other DBMSes) is designed to be as easy as possible. Search API native ported to PHP, Python, Perl, Ruby, Java, and also available as a plug-gable MySQL storage engine. API is very lightweight so porting it to new language is known to take a few hours. As for the name, Sphinx is an acronym which is officially decoded as SQL Phrase Index. Yes, I know about CMU's Sphinx project.\r\n\r\nSecurity Fix(es):\r\n\r\nSphinxSearch in Sphinx Technologies Sphinx through 3.1.1 allows directory traversal (in conjunction with CVE-2019-14511) because the mysql client can be used for CALL SNIPPETS and load_file operations on a full pathname (e.g., a file in the /etc directory). NOTE: this is unrelated to CMUSphinx.(CVE-2020-29050)",
+    "cves": [
+      {
+        "id": "CVE-2020-29050",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29050",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1263": {
+    "id": "openEuler-SA-2023-1263",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1263",
+    "title": "An update for screen is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Screen is a full-screen window manager that multiplexes a physical terminal between several processes,typically interactive shells.\r\n\r\nSecurity Fix(es):\r\n\r\nsocket.c in GNU Screen through 4.9.0, when installed setuid or setgid (the default on platforms such as Arch Linux and FreeBSD), allows local users to send a privileged SIGHUP signal to any PID, causing a denial of service or disruption of the target process.(CVE-2023-24626)",
+    "cves": [
+      {
+        "id": "CVE-2023-24626",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24626",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1007": {
+    "id": "openEuler-SA-2023-1007",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1007",
+    "title": "An update for curl is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in curl. In this issue, curl can be asked to tunnel all protocols virtually it supports through an HTTP proxy. HTTP proxies can deny these tunnel operations using an appropriate HTTP error response code. When getting denied to tunnel the specific SMB or TELNET protocols, curl can use a heap-allocated struct after it has been freed and shut down the code path in its transfer.(CVE-2022-43552)\r\n\r\nA vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.(CVE-2022-43551)",
+    "cves": [
+      {
+        "id": "CVE-2022-43551",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43551",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1203": {
+    "id": "openEuler-SA-2023-1203",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1203",
+    "title": "An update for json-smart is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Json-smart is a performance focused, JSON processor lib.\r\n\r\nSecurity Fix(es):\r\n\r\n[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.(CVE-2023-1370)",
+    "cves": [
+      {
+        "id": "CVE-2023-1370",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1370",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1081": {
+    "id": "openEuler-SA-2021-1081",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1081",
+    "title": "An update for spice-vdagent is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "spice-vdagent is an optional component for enhancing user experience and performing guest-oriented management tasks. Its features includes: client mouse mode (no need to grab mouse by client, no mouse lag), automatic adjustment of screen resolution, copy and paste (text and image) between client and domU. It also requires vdagent service installed on domU o.s. to work. The default is 0.\r\n\r\nSecurity Fix(es):\r\n\r\nA race condition vulnerability was found in the way the spice-vdagentd daemon handled new client connections. This flaw may allow an unprivileged local guest user to become the active agent for spice-vdagentd, possibly resulting in a denial of service or information leakage from the host. The highest threat from this vulnerability is to data confidentiality as well as system availability. This flaw affects spice-vdagent versions 0.20 and prior.(CVE-2020-25653)\r\n\r\nA flaw was found in the spice-vdagentd daemon, where it did not properly handle client connections that can be established via the UNIX domain socket in `/run/spice-vdagentd/spice-vdagent-sock`. Any unprivileged local guest user could use this flaw to prevent legitimate agents from connecting to the spice-vdagentd daemon, resulting in a denial of service. The highest threat from this vulnerability is to system availability. This flaw affects spice-vdagent versions 0.20 and prior.(CVE-2020-25652)\r\n\r\nA flaw was found in the way the spice-vdagentd daemon handled file transfers from the host system to the virtual machine. Any unprivileged local guest user with access to the UNIX domain socket path `/run/spice-vdagentd/spice-vdagent-sock` could use this flaw to perform a memory denial of service for spice-vdagentd or even other processes in the VM system. The highest threat from this vulnerability is to system availability. This flaw affects spice-vdagent versions 0.20 and previous versions.(CVE-2020-25650)\r\n\r\nA flaw was found in the SPICE file transfer protocol. File data from the host system can end up in full or in parts in the client connection of an illegitimate local user in the VM system. Active file transfers from other users could also be interrupted, resulting in a denial of service. The highest threat from this vulnerability is to data confidentiality as well as system availability. This flaw affects spice-vdagent versions 0.20 and prior.(CVE-2020-25651)",
+    "cves": [
+      {
+        "id": "CVE-2020-25651",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25651",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1257": {
+    "id": "openEuler-SA-2023-1257",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1257",
+    "title": "An update for haproxy is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic web sites and powers quite a number of the world's most visited ones.\r\n\r\nSecurity Fix(es):\r\n\r\nHTTP request/response smuggling vulnerability in HAProxy version 2.7.0, and 2.6.1 to 2.6.7 allows a remote attacker to alter a legitimate user's request. As a result, the attacker may obtain sensitive information or cause a denial-of-service (DoS) condition.(CVE-2023-25950)",
+    "cves": [
+      {
+        "id": "CVE-2023-25950",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25950",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1499": {
+    "id": "openEuler-SA-2023-1499",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1499",
+    "title": "An update for golang is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "The Go Programming Language.\r\n\r\nSecurity Fix(es):\r\n\r\nThe go command may execute arbitrary code at build time when using cgo. This may occur when running \"go get\" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a \"#cgo LDFLAGS\" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.(CVE-2023-29404)\r\n\r\nThe go command may execute arbitrary code at build time when using cgo. This may occur when running \"go get\" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a \"#cgo LDFLAGS\" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.(CVE-2023-29405)\r\n\r\nThe HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.(CVE-2023-29406)",
+    "cves": [
+      {
+        "id": "CVE-2023-29406",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29406",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1333": {
+    "id": "openEuler-SA-2021-1333",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1333",
+    "title": "An update for haproxy is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic web sites and powers quite a number of the world's most visited ones.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It does not ensure that the scheme and path portions of a URI have the expected characters. For example, the authority field (as observed on a target HTTP/2 server) might differ from what the routing rules were intended to achieve.(CVE-2021-39240)\r\n\r\nAn issue was discovered in HAProxy 2.0 before 2.0.24, 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. An HTTP method name may contain a space followed by the name of a protected resource. It is possible that a server would interpret this as a request for that protected resource, such as in the \"GET /admin? HTTP/1.1 /static/images HTTP/1.1\" example.(CVE-2021-39241)\r\n\r\nAn issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It can lead to a situation with an attacker-controlled HTTP Host header, because a mismatch between Host and authority is mishandled.(CVE-2021-39242)",
+    "cves": [
+      {
+        "id": "CVE-2021-39242",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39242",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1962": {
+    "id": "openEuler-SA-2022-1962",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1962",
+    "title": "An update for htslib is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "HTSlib is an implementation of a unified C library for accessing common file  formats, such as SAM, CRAM and VCF, used for high-throughput sequencing data,  and is the core library used by samtools and bcftools. HTSlib only depends on  zlib. It is known to be compatible with gcc, g++ and clang. HTSlib implements a generalized BAM index, with file extension .csi ( coordinate-sorted index). The HTSlib file reader first looks for the new index and then for the old if the new index is absent.\r\n\r\nSecurity Fix(es):\r\n\r\nHTSlib through 1.10.2 allows out-of-bounds write access in vcf_parse_format (called from vcf_parse and vcf_read).(CVE-2020-36403)",
+    "cves": [
+      {
+        "id": "CVE-2020-36403",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36403",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1733": {
+    "id": "openEuler-SA-2024-1733",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1733",
+    "title": "An update for tracker3-miners is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Tracker is an efficient search engine and for desktop, embedded and mobile.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the tracker-miners package. A weakness in the sandbox allows a maliciously-crafted file to execute code outside the sandbox if the tracker-extract process has first been compromised by a separate vulnerability.(CVE-2023-5557)",
+    "cves": [
+      {
+        "id": "CVE-2023-5557",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5557",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1155": {
+    "id": "openEuler-SA-2023-1155",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1155",
+    "title": "An update for apache-commons-fileupload is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The javax.servlet package lacks support for RFC-1867, HTML file upload.  This package provides a simple to use API for working with such data.  The scope of this package is to create a package of Java utility classes to read multipart/form-data within a javax.servlet.http.HttpServletRequest.\r\n\r\nSecurity Fix(es):\r\n\r\nApache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.(CVE-2023-24998)",
+    "cves": [
+      {
+        "id": "CVE-2023-24998",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24998",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2038": {
+    "id": "openEuler-SA-2022-2038",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2038",
+    "title": "An update for samba is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nThe DES (for Samba 4.11 and earlier) and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc() allocated memory when presented with a maliciously small packet.\r\n\r\nAffects - All versions of Samba since Samba 4.0 compiled with Heimdal Kerberos.\nSamba 4.15.11, 4.16.6 and 4.17.2 have been issued as security releases to correct the defect\r\n\r\nhttps://www.samba.org/samba/security/CVE-2022-3437.html(CVE-2022-3437)",
+    "cves": [
+      {
+        "id": "CVE-2022-3437",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3437",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1082": {
+    "id": "openEuler-SA-2023-1082",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1082",
+    "title": "An update for golang is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The Go Programming Language\r\n\r\nSecurity Fix(es):\r\n\r\nAn attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.(CVE-2022-41717)",
+    "cves": [
+      {
+        "id": "CVE-2022-41717",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1062": {
+    "id": "openEuler-SA-2024-1062",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1062",
+    "title": "An update for yasm is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Low",
+    "description": "Yasm is a complete rewrite of the NASM assembler under the “new” BSD License.\r\n\r\nSecurity Fix(es):\r\n\r\nyasm v1.3.0 was discovered to contain a memory leak via the function yasm_intnum_copy at /libyasm/intnum.c.(CVE-2023-31975)",
+    "cves": [
+      {
+        "id": "CVE-2023-31975",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31975",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1556": {
+    "id": "openEuler-SA-2024-1556",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1556",
+    "title": "An update for xorg-x11-server-xwayland is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Xwayland is an X server for running X clients under Wayland.   %package devel Summary: Development package Requires: pkgconfig   %description devel The development package provides the developmental files which are necessary for developing Wayland compositors using Xwayland.   %prep %autosetup -n xwayland-   %build %meson \\         -Dxwayland_eglstream=true \\         -Ddefault_font_path=\"catalogue:/etc/X11/fontpath.d,built-ins\" \\         -Dbuilder_string=\"Build ID:  -\" \\         -Dxkb_output_dir=/lib/xkb \\         -Dxcsecurity=true \\         -Dglamor=true \\         -Ddri3=true   %meson_build\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in xorg-server. A specially crafted request to RRChangeProviderProperty or RRChangeOutputProperty can trigger an integer overflow which may lead to a disclosure of sensitive information.(CVE-2023-6478)\r\n\r\nA flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255, but the X.Org Server was only allocating space for the device's particular number of buttons, leading to a heap overflow if a bigger value was used.(CVE-2023-6816)\r\n\r\nA flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues another request to access that resource (as with a GetGeometry) or when it creates another resource that needs to access that buffer, such as a GC, the XSELINUX code will try to use an object that was never labeled and crash because the SID is NULL.(CVE-2024-0408)\r\n\r\nA heap-based buffer over-read vulnerability was found in the X.org server's ProcXIGetSelectedEvents() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.(CVE-2024-31080)\r\n\r\nA heap-based buffer over-read vulnerability was found in the X.org server's ProcXIPassiveGrabDevice() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.(CVE-2024-31081)",
+    "cves": [
+      {
+        "id": "CVE-2024-31081",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31081",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1790": {
+    "id": "openEuler-SA-2022-1790",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1790",
+    "title": "An update for python-lxml is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The lxml XML toolkit is a Pythonic binding for the C libraries libxml2 and libxslt. \\ It is unique in that it combines the speed and XML feature completeness of these libraries with \\ the simplicity of a native Python API, mostly compatible but superior to the well-known ElementTree API. \\ The latest release works with all CPython versions from 2.7 to 3.7.\r\n\r\nSecurity Fix(es):\r\n\r\nNULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.(CVE-2022-2309)",
+    "cves": [
+      {
+        "id": "CVE-2022-2309",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2309",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1831": {
+    "id": "openEuler-SA-2022-1831",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1831",
+    "title": "An update for game-music-emu is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Game_Music_Emu is a collection of video game music file simulators that supports the following formats and systems:\r\n\r\nSecurity Fix(es):\r\n\r\nThe Mem_File_Reader::read_avail function in Data_Reader.cpp in the Game_Music_Emu library (aka game-music-emu) 0.6.1 does not ensure a non-negative size, which allows remote attackers to cause a denial of service (application crash) via a crafted file.(CVE-2017-17446)",
+    "cves": [
+      {
+        "id": "CVE-2017-17446",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17446",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1048": {
+    "id": "openEuler-SA-2024-1048",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1048",
+    "title": "An update for proftpd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "ProFTPD is an enhanced FTP server with a focus toward simplicity, security, and ease of configuration. It features a very Apache-like configuration syntax, and a highly customizable server infrastructure, including support for multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory visibility. %if 1 This package defaults to the standalone behavior of ProFTPD, but all the needed scripts to have it run by systemd instead are included. %else This package defaults to the standalone behavior of ProFTPD, but all the needed scripts to have it run by xinetd instead are included. %endif\r\n\r\nSecurity Fix(es):\r\n\r\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795)",
+    "cves": [
+      {
+        "id": "CVE-2023-48795",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48795",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1195": {
+    "id": "openEuler-SA-2021-1195",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1195",
+    "title": "An update for graphviz is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Graphviz is open source graph visualization software. Graph visualization is a way of representing structural information as diagrams of abstract graphs and networks. It has important applications in networking, bioinformatics, software engineering, database and web design, machine learning, and in visual interfaces for other technical domains.\r\n\nSecurity Fix(es):\r\n\r\nBuffer Overflow in Graphviz Graph Visualization Tools from commit ID f8b9e035 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by loading a crafted file into the \"lib/common/shapes.c\" component.(CVE-2020-18032)",
+    "cves": [
+      {
+        "id": "CVE-2020-18032",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-18032",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1605": {
+    "id": "openEuler-SA-2023-1605",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1605",
+    "title": "An update for ghostscript is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "Ghostscript is an interpreter for PostScript™ and Portable Document Format (PDF) files. Ghostscript consists of a PostScript interpreter layer, and a graphics library.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Artifex Ghostscript through 10.01.0, there is a buffer overflow leading to potential corruption of data internal to the PostScript interpreter, in base/sbcp.c. This affects BCPEncode, BCPDecode, TBCPEncode, and TBCPDecode. If the write buffer is filled to one byte less than full, and one then tries to write an escaped character, two bytes are written.(CVE-2023-28879)\r\n\r\nArtifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix).(CVE-2023-36664)\r\n\r\nA buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript. This issue may allow a local attacker to cause a denial of service via outputting a crafted PDF file for a DEVN device with gs.(CVE-2023-38559)",
+    "cves": [
+      {
+        "id": "CVE-2023-38559",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38559",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1403": {
+    "id": "openEuler-SA-2021-1403",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1403",
+    "title": "An update for gnome-shell is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The GNOME Shell redefines user interactions with the GNOME desktop. In particular, it offers new paradigms for launching applications, accessing documents, and organizing open windows in GNOME. Later, it will introduce a new applets eco-system and offer new solutions for other desktop features, such as notifications and contacts management. The GNOME Shell is intended to replace functions handled by the GNOME Panel and by the window manager in previous versions of GNOME. The GNOME Shell has rich visual effects enabled by new graphical technologies.\r\n\r\nSecurity Fix(es):\r\n\r\nIt was discovered that the gnome-shell lock screen since version 3.15.91 did not properly restrict all contextual actions. An attacker with physical access to a locked workstation could invoke certain keyboard shortcuts, and potentially other actions.(CVE-2019-3820)",
+    "cves": [
+      {
+        "id": "CVE-2019-3820",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3820",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1741": {
+    "id": "openEuler-SA-2024-1741",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1741",
+    "title": "An update for expat is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3 and openEuler-24.03-LTS",
+    "severity": "High",
+    "description": "expat is a stream-oriented XML parser library written in C. expat excels with files too large to fit RAM, and where performance and flexibility are crucial.\r\n\r\nSecurity Fix(es):\r\n\r\nlibexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.(CVE-2023-52425)",
+    "cves": [
+      {
+        "id": "CVE-2023-52425",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52425",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1285": {
+    "id": "openEuler-SA-2021-1285",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1285",
+    "title": "An update for wireshark is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Wireshark is an open source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14, the dissection engine could crash. This was addressed in epan/packet.c by restricting the number of layers and consequently limiting recursion.(CVE-2019-12295)",
+    "cves": [
+      {
+        "id": "CVE-2019-12295",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12295",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1637": {
+    "id": "openEuler-SA-2023-1637",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1637",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation.\r\n\r\nWhen route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.\r\n\r\nWe recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.\r\n\r\n(CVE-2023-4206)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.\r\n\r\nWhen fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.\r\n\r\nWe recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec.\r\n\r\n(CVE-2023-4207)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.\r\n\r\nWhen u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.\r\n\r\nWe recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.\r\n\r\n(CVE-2023-4208)\r\n\r\nA use-after-free vulnerability in the Linux kernel's af_unix component can be exploited to achieve local privilege escalation.\r\n\r\nThe unix_stream_sendpage() function tries to add data to the last skb in the peer's recv queue without locking the queue. Thus there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free.\r\n\r\nWe recommend upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.\r\n\r\n(CVE-2023-4622)",
+    "cves": [
+      {
+        "id": "CVE-2023-4622",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4622",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1375": {
+    "id": "openEuler-SA-2023-1375",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1375",
+    "title": "An update for dbus is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "D-Bus is a message bus system, a simple way for applications to talk to one another. In addition to interprocess communication, D-Bus helps coordinate process lifecycle; it makes it simple and reliable to code a \"single instance\" application or daemon, and to launch applications and daemons on demand when their services are needed.\n\nSecurity Fix(es):\n\nD-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.(CVE-2023-34969)",
+    "cves": [
+      {
+        "id": "CVE-2023-34969",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34969",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1033": {
+    "id": "openEuler-SA-2023-1033",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1033",
+    "title": "An update for byacc is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Berkeley Yacc is an LALR(1) parser generator.  Berkeley Yacc has been made as compatible as possible with AT&T Yacc.  Berkeley Yacc can accept any input specification that conforms to the AT&T Yacc documentation.  Specifications that take advantage of undocumented features of AT&T Yacc will probably be rejected.\r\n\r\nSecurity Fix(es):\r\n\r\nNo description is available for this CVE.(CVE-2021-33641)\r\n\r\nNo description is available for this CVE.(CVE-2021-33642)",
+    "cves": [
+      {
+        "id": "CVE-2021-33642",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33642",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1886": {
+    "id": "openEuler-SA-2023-1886",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1886",
+    "title": "An update for haproxy is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic web sites and powers quite a number of the world's most visited ones.\r\n\r\nSecurity Fix(es):\r\n\r\nAn information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7 before 2.7.1. There are 5 bytes left uninitialized in the connection buffer when encoding the FCGI_BEGIN_REQUEST record. Sensitive data may be disclosed to configured FastCGI backends in an unexpected way.(CVE-2023-0836)\r\n\r\nHAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.(CVE-2023-45539)",
+    "cves": [
+      {
+        "id": "CVE-2023-45539",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45539",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1645": {
+    "id": "openEuler-SA-2024-1645",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1645",
+    "title": "An update for skopeo is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "A command line utility that performs various operations on container images and image repositories\r\n\r\nSecurity Fix(es):\r\n\r\nPackage jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.\n(CVE-2024-28180)",
+    "cves": [
+      {
+        "id": "CVE-2024-28180",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28180",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1691": {
+    "id": "openEuler-SA-2022-1691",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1691",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nNon-transparent sharing of branch predictor within a context in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.(CVE-2022-0002)\r\n\r\nIn the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts. This can be triggered by a local user who has no access to any user namespace; however, the race condition perhaps can only be exploited infrequently.(CVE-2022-29582)\r\n\r\nA use-after-free vulnerability was found in the Linux kernel in drivers/net/hamradio. This flaw allows a local attacker with a user privilege to cause a denial of service (DOS) when the mkiss or sixpack device is detached and reclaim resources early.(CVE-2022-1195)\r\n\r\nIn mmc_blk_read_single of block.c, there is a possible way to read kernel heap memory due to uninitialized data. This could lead to local information disclosure if reading from an SD card that triggers errors, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-216481035References: Upstream kernel(CVE-2022-20008)\r\n\r\nDue to the small table perturb size, a memory leak flaw was found in the Linux kernel’s TCP source port generation algorithm in the net/ipv4/tcp.c function. This flaw allows an attacker to leak information and may cause a denial of service.(CVE-2022-1012)\r\n\r\nA flaw was found in the Linux kernel’s nfcmrvl_nci_unregister_dev() function. A race condition leads to a use-after-free issue when simulating the NFC device from the user space.(CVE-2022-1734)\r\n\r\nImproper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14 and later versions.(CVE-2022-29581)\r\n\r\nA NULL pointer dereference flaw was found in the Linux kernel’s X.25 set of standardized network protocols functionality in the way a user terminates their session using a simulated Ethernet card and continued usage of this connection. This flaw allows a local user to crash the system.(CVE-2022-1516)",
+    "cves": [
+      {
+        "id": "CVE-2022-1516",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1516",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2045": {
+    "id": "openEuler-SA-2022-2045",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2045",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is an unknown function of the file mm/memory.c of the component Driver Handler. The manipulation leads to use after free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211020.(CVE-2022-3523)\r\n\r\nA vulnerability classified as problematic was found in Linux Kernel. Affected by this vulnerability is the function mvpp2_dbgfs_port_init of the file drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c of the component mvpp2. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The identifier VDB-211033 was assigned to this vulnerability.(CVE-2022-3535)\r\n\r\nA vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_bmap_lookup_at_level of the file fs/nilfs2/inode.c of the component nilfs2. The manipulation leads to null pointer dereference. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211920.(CVE-2022-3621)\r\n\r\nA vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function follow_page_pte of the file mm/gup.c of the component BPF. The manipulation leads to race condition. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211921 was assigned to this vulnerability.(CVE-2022-3623)\r\n\r\nA vulnerability was found in Linux Kernel. It has been classified as critical. This affects the function devlink_param_set/devlink_param_get of the file net/core/devlink.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211929 was assigned to this vulnerability.(CVE-2022-3625)\r\n\r\nA vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function tst_timer of the file drivers/atm/idt77252.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. VDB-211934 is the identifier assigned to this vulnerability.(CVE-2022-3635)\r\n\r\ndrivers/usb/mon/mon_bin.c in usbmon in the Linux kernel before 5.19.15 and 6.x before 6.0.1 allows a user-space client to corrupt the monitor's internal memory.(CVE-2022-43750)\n\nA flaw use after free in the Linux kernel NILFS file system was found in the way user triggers function security_inode_alloc to fail with following call to function nilfs_mdt_destroy. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.(CVE-2022-2978)\n\nA vulnerability was found in Linux Kernel. It has been declared as problematic. This vulnerability affects the function vsock_connect of the file net/vmw_vsock/af_vsock.c of the component IPsec. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. VDB-211930 is the identifier assigned to this vulnerability.(CVE-2022-3629)\n\nVUL-0: CVE-2022-42432: kernel-source-rt,kernel-source-azure,kernel-source: nftables: leak of stale stack data to userspace via nf_osf_find()(CVE-2022-42432)\n\nA vulnerability, which was classified as problematic, has been found in Linux Kernel. This issue affects the function nilfs_attach_log_writer of the file fs/nilfs2/segment.c of the component BPF. The manipulation leads to memory leak. The attack may be initiated remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211961 was assigned to this vulnerability.(CVE-2022-3646)",
+    "cves": [
+      {
+        "id": "CVE-2022-3646",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3646",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1811": {
+    "id": "openEuler-SA-2022-1811",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1811",
+    "title": "An update for gdm is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The GNOME Display Manager is a system service that is responsible for providing graphical log-ins and managing local and remote displays, and if the session doesn't provide a display server, GDM will start the display server. It also provides initiate functionality for user-switching, so multiple users can be logged in at the same time.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in GDM in versions prior to 3.38.2.1. A race condition in the handling of session shutdown makes it possible to bypass the lock screen for a user that has autologin enabled, accessing their session without authentication. This is similar to CVE-2017-12164, but requires more difficult conditions to exploit.(CVE-2020-27837)",
+    "cves": [
+      {
+        "id": "CVE-2020-27837",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27837",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1129": {
+    "id": "openEuler-SA-2024-1129",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1129",
+    "title": "An update for pam is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "PAM (Pluggable Authentication Modules) is a system of libraries that handle the authentication tasks of applications (services) on the system.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in Linux PAM. An unprivileged user that is not yet in a corresponding mount namespace with ~/tmp mounted as a polyinstantiated dir can place a FIFO there, and a subsequent attempt to login as this user with `pam_namespace` configured will cause the `openat()` in `protect_dir()` to block the attempt, causing a local denial of service.(CVE-2024-22365)",
+    "cves": [
+      {
+        "id": "CVE-2024-22365",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22365",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1178": {
+    "id": "openEuler-SA-2023-1178",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1178",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn binder_transaction_buffer_release of binder.c, there is a possible use after free due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-257685302References: Upstream kernel(CVE-2023-20938)\r\n\r\nThere is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege. There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock. When CONFIG_TLS is enabled, user can install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable. The setsockopt TCP_ULP operation does not require any privilege. We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c(CVE-2023-0461)\r\n\r\nIn the Linux kernel 6.0.8, there is an out-of-bounds read in ntfs_attr_find in fs/ntfs/attrib.c.(CVE-2023-26607)\r\n\r\nA flaw in the Linux Kernel found. The tls_is_tx_ready() incorrectly checks for list emptiness, potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field that overlaps with rec->tx_ready.\r\n\r\n\nReference:\nhttps://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=ffe2a22562444720b05bdfeb999c03e810d84cbb(CVE-2023-1075)\r\n\r\nA flaw found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info` actually points to something else that is potentially controlled by local user.\nIt is known how to trigger this, which causes an OOB access, and a lock corruption.\r\n\r\nReference:\nhttps://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=f753a68980cf4b59a80fe677619da2b1804f526d(CVE-2023-1078)\r\n\r\nA flaw found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function.\nWhile it will be often correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability.\nThis would make tun/tap sockets being incorrectly treated in filtering/routing decisions, possibly bypassing network filters.\r\n\r\nReferences:\nhttps://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=66b2c338adce580dfce2199591e65e2bab889cff\nhttps://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=a096ccca6e503a5c575717ff8a36ace27510ab0a(CVE-2023-1076)\r\n\r\nIn the Linux kernel before 5.17, an error path in dwc3_qcom_acpi_register_core in drivers/usb/dwc3/dwc3-qcom.c lacks certain platform_device_put and kfree calls.(CVE-2023-22995)\r\n\r\nA flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.(CVE-2023-1118)\n\nIn the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device.(CVE-2023-26545)",
+    "cves": [
+      {
+        "id": "CVE-2023-26545",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26545",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1550": {
+    "id": "openEuler-SA-2023-1550",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1550",
+    "title": "An update for microcode_ctl is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "This is a tool to transform and deploy microcode update for x86 CPUs.\n\nSecurity Fix(es):\n\nIncorrect default permissions in some memory controller configurations for some Intel(R) Xeon(R) Processors when using Intel(R) Software Guard Extensions which may allow a privileged user to potentially enable escalation of privilege via local access.(CVE-2022-33196)\n\nImproper isolation of shared resources in some Intel(R) Processors when using Intel(R) Software Guard Extensions may allow a privileged user to potentially enable information disclosure via local access.(CVE-2022-38090)\n\nInformation exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.(CVE-2022-40982)",
+    "cves": [
+      {
+        "id": "CVE-2022-40982",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40982",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1632": {
+    "id": "openEuler-SA-2022-1632",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1632",
+    "title": "An update for lua is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Lua is a powerful, efficient, lightweight, embeddable scripting language. It supports procedural programming, object-oriented programming, functional programming, data-driven programming, and data description.\r\n\r\nSecurity Fix(es):\r\n\r\nsinglevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code.(CVE-2022-28805)\n\nLua 5.4.4 and 5.4.2 are affected by SEGV by type confusion in funcnamefromcode function in ldebug.c which can cause a local denial of service.(CVE-2021-44647)",
+    "cves": [
+      {
+        "id": "CVE-2021-44647",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44647",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1746": {
+    "id": "openEuler-SA-2024-1746",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1746",
+    "title": "An update for mozjs78 is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "SpiderMonkey is the code-name for Mozilla Firefox's C++ implementation of JavaScript. It is intended to be embedded in other applications that provide host environments for JavaScript.\r\n\r\nSecurity Fix(es):\r\n\r\nCertain network request objects were freed too early when releasing a network request handle. This could have lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.(CVE-2022-22740)\r\n\r\nA local attacker can trick the Mozilla Maintenance Service into applying an unsigned update file by pointing the service at an update file on a malicious SMB server. The update file can be replaced after the signature check, before the use, because the write-lock requested by the service does not work on a SMB server.\r\n\r\n*Note: This attack requires local system access and only affects Windows. Other operating systems are not affected.* This vulnerability affects Firefox < 112, Firefox ESR < 102.10, and Thunderbird < 102.10.\r\n\r\n(CVE-2023-29532)",
+    "cves": [
+      {
+        "id": "CVE-2023-29532",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29532",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1241": {
+    "id": "openEuler-SA-2023-1241",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1241",
+    "title": "An update for lua is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Lua is a powerful, efficient, lightweight, embeddable scripting language. It supports procedural programming, object-oriented programming, functional programming, data-driven programming, and data description.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read.(CVE-2021-45985)",
+    "cves": [
+      {
+        "id": "CVE-2021-45985",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45985",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1517": {
+    "id": "openEuler-SA-2023-1517",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1517",
+    "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of format (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\n\nSecurity Fix(es):\n\nImageMagick before 6.9.12-91 allows attackers to cause a denial of service (memory consumption) in Magick::Draw.(CVE-2023-39978)",
+    "cves": [
+      {
+        "id": "CVE-2023-39978",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39978",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1273": {
+    "id": "openEuler-SA-2023-1273",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1273",
+    "title": "An update for php is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts.The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server.\r\n\r\nSecurity Fix(es):\r\n\r\nIn PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.(CVE-2022-31629)",
+    "cves": [
+      {
+        "id": "CVE-2022-31629",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31629",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1261": {
+    "id": "openEuler-SA-2024-1261",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1261",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was reported in the Open vSwitch sub-component in the Linux Kernel. The flaw occurs when a recursive operation of code push recursively calls into the code block. The OVS module does not validate the stack depth, pushing too many frames and causing a stack overflow. As a result, this can lead to a crash or other related issues.(CVE-2024-1151)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path\r\n\r\nWhen calling mlxsw_sp_acl_tcam_region_destroy() from an error path after\nfailing to attach the region to an ACL group, we hit a NULL pointer\ndereference upon 'region->group->tcam' [1].\r\n\r\nFix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam().\r\n\r\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nRIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0\n[...]\nCall Trace:\n mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\n mlxsw_sp_acl_rule_add+0x47/0x240\n mlxsw_sp_flower_replace+0x1a9/0x1d0\n tc_setup_cb_add+0xdc/0x1c0\n fl_hw_replace_filter+0x146/0x1f0\n fl_change+0xc17/0x1360\n tc_new_tfilter+0x472/0xb90\n rtnetlink_rcv_msg+0x313/0x3b0\n netlink_rcv_skb+0x58/0x100\n netlink_unicast+0x244/0x390\n netlink_sendmsg+0x1e4/0x440\n ____sys_sendmsg+0x164/0x260\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xc0\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b(CVE-2024-26595)",
+    "cves": [
+      {
+        "id": "CVE-2024-26595",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26595",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1960": {
+    "id": "openEuler-SA-2022-1960",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1960",
+    "title": "An update for mysql is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35645)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35643)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).(CVE-2021-35640)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35644)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35647)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35641)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35646)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35642)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: FTS). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35648)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35575)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35622)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via MySQL Protcol to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35577)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2021-35621)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: PS). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35637)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35636)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Data Dictionary). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35632)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35639)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35628)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35634)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35635)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Options). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data. CVSS 3.1 Base Score 4.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N).(CVE-2021-35630)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35638)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Logging). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).(CVE-2021-35633)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: GIS). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35631)\r\n\r\nVulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 1.8 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L).(CVE-2021-35618)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Roles). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).(CVE-2021-35623)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Error Handling). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35596)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2481)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Options). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2021-35602)\r\n\r\nVulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H).(CVE-2021-2471)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35591)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).(CVE-2021-35625)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.35 and prior and 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2021-35604)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35607)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 5.7.35 and prior and 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data. CVSS 3.1 Base Score 4.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N).(CVE-2021-35624)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35626)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2479)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2478)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35608)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35627)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).(CVE-2021-35610)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35546)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2021-35612)\r\n\r\nVulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-35597)",
+    "cves": [
+      {
+        "id": "CVE-2021-35597",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35597",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1255": {
+    "id": "openEuler-SA-2024-1255",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1255",
+    "title": "An update for jsoup is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "jsoup is a Java library for working with real-world HTML. It provides a very convenient API for extracting and manipulating data, using the best of DOM, CSS, and jquery-like methods.\r\n\r\nSecurity Fix(es):\r\n\r\njsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs - ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)(CVE-2022-36033)",
+    "cves": [
+      {
+        "id": "CVE-2022-36033",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36033",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1930": {
+    "id": "openEuler-SA-2022-1930",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1930",
+    "title": "An update for netty is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. %package    help Summary:          Documents for  Buildarch:        noarch Requires:         man info Provides:         -javadoc = - Obsoletes:        -javadoc < - %description help Man pages and other related documents for .\r\n\r\nSecurity Fix(es):\r\n\r\nNetty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to \"sanitize\" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.(CVE-2021-43797)",
+    "cves": [
+      {
+        "id": "CVE-2021-43797",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43797",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1333": {
+    "id": "openEuler-SA-2023-1333",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1333",
+    "title": "An update for ImageMagick is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap-based buffer overflow vulnerability was found in the ImageMagick package that can lead to the application crashing.(CVE-2023-2157)",
+    "cves": [
+      {
+        "id": "CVE-2023-2157",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2157",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1678": {
+    "id": "openEuler-SA-2022-1678",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1678",
+    "title": "An update for openjpeg2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "OpenJPEG is an open-source JPEG 2000 codec written in C language. It has been developed in order to promote the use of JPEG 2000, a still-image compression standard from the Joint Photographic Experts Group (JPEG). Since April 2015, it is officially recognized by ISO/IEC and ITU-T as a JPEG 2000 Reference Software.\r\n\nSecurity Fix(es):\r\n\r\nA flaw was found in the opj2_decompress program in openjpeg2 2.4.0 in the way it handles an input directory with a large number of files. When it fails to allocate a buffer to store the filenames of the input directory, it calls free() on an uninitialized pointer, leading to a segmentation fault and a denial of service.(CVE-2022-1122)",
+    "cves": [
+      {
+        "id": "CVE-2022-1122",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1122",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1498": {
+    "id": "openEuler-SA-2022-1498",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1498",
+    "title": "An update for mosquitto is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Mosquitto is an open source message broker that implements the MQ Telemetry Transport protocol version 3.1 and 3.1.1 MQTT provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for \"machine to machine\" messaging such as with low power sensors or mobile devices such as phones, embedded computers or micro-controllers like the Arduino.\r\n\r\nSecurity Fix(es):\r\n\r\nIn versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service.(CVE-2021-41039)",
+    "cves": [
+      {
+        "id": "CVE-2021-41039",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41039",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1151": {
+    "id": "openEuler-SA-2021-1151",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1151",
+    "title": "An update for umoci is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Umoci modifies Open Container images. Umoci intends to be a complete manipulation tool for OCI images. In particular, it should be seen as a more end-user-focused version of the oci-image-tools provided by the OCI.\r\n\r\nSecurity Fix(es):\r\n\r\nOpen Container Initiative umoci before 0.4.7 allows attackers to overwrite arbitrary host paths via a crafted image that causes symlink traversal when \"umoci unpack\" or \"umoci raw unpack\" is used.(CVE-2021-29136)",
+    "cves": [
+      {
+        "id": "CVE-2021-29136",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29136",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2161": {
+    "id": "openEuler-SA-2022-2161",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2161",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn (TBD) of (TBD), there is a possible way to corrupt kernel memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-220738351References: Upstream kernel(CVE-2022-20568)\r\n\r\nIn verity_target of dm-verity-target.c, there is a possible way to modify read-only files due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-234475629References: Upstream kernel(CVE-2022-20572)\n\nIn drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there is a use-after-free caused by refcount races, affecting dvb_demux_open and dvb_dmxdev_release.(CVE-2022-41218)\n\nAn issue was discovered in the Linux kernel through 5.16-rc6. malidp_crtc_reset in drivers/gpu/drm/arm/malidp_crtc.c lacks check of the return value of kzalloc() and will cause the null pointer dereference.(CVE-2022-3115)\n\nAn issue was discovered in the Linux kernel through 5.16-rc6. free_charger_irq() in drivers/power/supply/wm8350_power.c lacks free of WM8350_IRQ_CHG_FAST_RDY, which is registered in wm8350_init_charger().(CVE-2022-3111)\n\nAn issue was discovered in the Linux kernel through 5.16-rc6. kfd_parse_subtype_iolink in drivers/gpu/drm/amd/amdkfd/kfd_crat.c lacks check of the return value of kmemdup().(CVE-2022-3108)",
+    "cves": [
+      {
+        "id": "CVE-2022-3108",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3108",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1742": {
+    "id": "openEuler-SA-2022-1742",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1742",
+    "title": "An update for libarchive is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "libarchive is an open-source BSD-licensed C programming library that provides streaming access to a variety of different archive formats,including tar, cpio, pax, zip, and ISO9660 images. The distribution also includes bsdtar and bsdcpio, full-featured implementations of tar and cpio that use libarchive.\r\n\r\nSecurity Fix(es):\r\n\r\nLibarchive v3.6.0 was discovered to contain an out-of-bounds read via the component zipx_lzma_alone_init.(CVE-2022-26280)",
+    "cves": [
+      {
+        "id": "CVE-2022-26280",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26280",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1726": {
+    "id": "openEuler-SA-2024-1726",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1726",
+    "title": "An update for wireshark is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Wireshark is an open source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer.\r\n\r\nSecurity Fix(es):\r\n\r\nMONGO and ZigBee TLV dissector infinite loops in Wireshark 4.2.0 to 4.2.4, 4.0.0 to 4.0.14, and 3.6.0 to 3.6.22 allow denial of service via packet injection or crafted capture file(CVE-2024-4854)",
+    "cves": [
+      {
+        "id": "CVE-2024-4854",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4854",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1365": {
+    "id": "openEuler-SA-2024-1365",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1365",
+    "title": "An update for rubygem-activestorage is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Attach cloud and local files in Rails applications.\r\n\r\nSecurity Fix(es):\r\n\r\nRails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7.(CVE-2024-26144)",
+    "cves": [
+      {
+        "id": "CVE-2024-26144",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26144",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1985": {
+    "id": "openEuler-SA-2023-1985",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1985",
+    "title": "An update for hdf5 is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "HDF5 is a data model, library, and file format for storing and managing data. It supports an unlimited variety of datatypes, and is designed for flexible and efficient I/O and for high volume and complex data. HDF5 is portable and is extensible, allowing applications to evolve in their use of HDF5. The HDF5 Technology suite includes tools and applications for managing, manipulating, viewing, and analyzing data in the HDF5 format.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap-based buffer overflow in ReadGifImageDesc() in gifread.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service via a crafted HDF5 file. This issue was triggered while converting a GIF file to an HDF file.(CVE-2018-17433)\r\n\r\nReadCode() in decompress.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service (invalid write access) via a crafted HDF5 file. This issue was triggered while converting a GIF file to an HDF file.(CVE-2018-17436)\r\n\r\nAn issue was discovered in HDF5 through 1.12.0. A heap-based buffer overflow exists in the function Decompress() located in decompress.c. It can be triggered by sending a crafted file to the gif2h5 binary. It allows an attacker to cause Denial of Service.(CVE-2020-10809)",
+    "cves": [
+      {
+        "id": "CVE-2020-10809",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10809",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1041": {
+    "id": "openEuler-SA-2024-1041",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1041",
+    "title": "An update for libssh is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote programs. With its Secure FTP implementation, you can play with remote files easily, without third-party programs others than libcrypto (from openssl).\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in libssh. By utilizing the ProxyCommand or ProxyJump feature, users can exploit unchecked hostname syntax on the client. This issue may allow an attacker to inject malicious code into the command of the features mentioned through the hostname parameter.(CVE-2023-6004)\r\n\r\nA flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. The return values from these were not properly checked, which could cause low-memory situations failures, NULL dereferences, crashes, or usage of the uninitialized memory as an input for the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection.(CVE-2023-6918)",
+    "cves": [
+      {
+        "id": "CVE-2023-6918",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6918",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1070": {
+    "id": "openEuler-SA-2021-1070",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1070",
+    "title": "An update for python-pillow is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Pillow is the friendly PIL fork by Alex Clark and Contributors. PIL is the Python Imaging \\ Library by Fredrik Lundh and Contributors. As of 2019, Pillow development is supported by Tidelift.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.(CVE-2020-35653)",
+    "cves": [
+      {
+        "id": "CVE-2020-35653",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35653",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1820": {
+    "id": "openEuler-SA-2022-1820",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1820",
+    "title": "An update for libdwarf is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Libdwarf is a library of functions to provide read/write DWARF debugging records.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in libdwarf. A possible memory leak allows an attacker to input a specially crafted file, leading to a crash. The highest threat from this vulnerability is to system availability.(CVE-2020-27545)\n\nA flaw was found in libdwarf. A possible null pointer dereference vulnerability allows an attacker to input a specially crafted file, leading to a crash. The highest threat from this vulnerability is to system availability.(CVE-2020-28163)",
+    "cves": [
+      {
+        "id": "CVE-2020-28163",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28163",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1527": {
+    "id": "openEuler-SA-2022-1527",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1527",
+    "title": "An update for bluez is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "This package provides all utilities for use in Bluetooth applications. The BLUETOOTH trademarks are owned by Bluetooth SIG, Inc., U.S.A.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in gatt-database.c in BlueZ 5.61. A use-after-free can occur when a client disconnects during D-Bus processing of a WriteValue call.(CVE-2021-43400)",
+    "cves": [
+      {
+        "id": "CVE-2021-43400",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43400",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1505": {
+    "id": "openEuler-SA-2022-1505",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1505",
+    "title": "An update for uriparser is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The package is a strictly RFC 3986 compliant URI parsing library written in C89(\"ANSI C\"). uriparser is cross-platform, fast, supports Unicode and is licensed under the New BSD license. There are a number of applications, libraries and hardware using uriparser, as well as bindings and 3rd-party wrappers. uriparser is packaged in major distributions.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriFreeUriMembers and uriMakeOwner.(CVE-2021-46141)\r\n\r\nAn issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriNormalizeSyntax.(CVE-2021-46142)",
+    "cves": [
+      {
+        "id": "CVE-2021-46142",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46142",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1435": {
+    "id": "openEuler-SA-2023-1435",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1435",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nA time-of-check to time-of-use issue exists in io_uring subsystem's IORING_OP_CLOSE operation in the Linux kernel's versions 5.6 - 5.11 (inclusive), which allows a local user to elevate their privileges to root. Introduced in b5dba59e0cf7e2cc4d3b3b1ac5fe81ddf21959eb, patched in 9eac1904d3364254d622bf2c771c4f85cd435fc2, backported to stable in 788d0824269bef539fe31a785b1517882eafed93.(CVE-2023-1295)\n\nA heap out-of-bounds write vulnerability in the Linux Kernel ipvlan network driver can be exploited to achieve local privilege escalation.\n\nThe out-of-bounds write is caused by missing skb->cb  initialization in the ipvlan network driver. The vulnerability is reachable if CONFIG_IPVLAN is enabled.\n\n\nWe recommend upgrading past commit 90cbed5247439a966b645b34eb0a2e037836ea8e.\n\n(CVE-2023-3090)\n\nA use-after-free flaw was found in the Netfilter subsystem of the Linux kernel when processing named and anonymous sets in batch requests, which can lead to performing arbitrary reads and writes in kernel memory. This flaw allows a local user with CAP_NET_ADMIN capability to crash or potentially escalate their privileges on the system.(CVE-2023-3117)\n\nLinux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability; `nft_chain_lookup_byid()` failed to check whether a chain was active and CAP_NET_ADMIN is in any user or network namespace(CVE-2023-31248)\n\nAn issue was discovered in the Linux kernel through 6.1-rc8. dpu_crtc_atomic_check in drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c lacks check of the return value of kzalloc() and will cause the NULL Pointer Dereference.(CVE-2023-3220)\n\nA flaw null pointer dereference in the Linux kernel DECnet networking protocol was found. A remote user could use this flaw to crash the system.(CVE-2023-3338)\n\nA null pointer dereference was found in the Linux kernel's Integrated Sensor Hub (ISH) driver. This issue could allow a local user to crash the system.(CVE-2023-3358)",
+    "cves": [
+      {
+        "id": "CVE-2023-3358",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3358",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2159": {
+    "id": "openEuler-SA-2022-2159",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2159",
+    "title": "An update for libksba is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Libksba is a library to make the tasks of working with X.509 certificates,CMS data and related objects more easy. It provides a highlevel interface to the implemented protocols and presents the data in a consistent way.\r\n\r\nSecurity Fix(es):\r\n\r\nLibksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser.(CVE-2022-47629)",
+    "cves": [
+      {
+        "id": "CVE-2022-47629",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47629",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1644": {
+    "id": "openEuler-SA-2023-1644",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1644",
+    "title": "An update for openjdk-1.8.0 is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment 8.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.3.1; Oracle GraalVM Enterprise Edition: 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21549)\r\n\r\nAn issue was discovered in function ciMethodBlocks::make_block_at in Oracle JDK (HotSpot VM) 11, 17 and OpenJDK (HotSpot VM) 8, 11, 17, allows attackers to cause a denial of service.(CVE-2022-40433)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization).  Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf; Oracle GraalVM Enterprise Edition: 20.3.8 and  21.3.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21830)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Sound).  Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21843)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2023-21930)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21937)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21938)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21939)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2023-21954)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21967)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21968)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2023-22045)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-22049)",
+    "cves": [
+      {
+        "id": "CVE-2023-22049",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22049",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1163": {
+    "id": "openEuler-SA-2024-1163",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1163",
+    "title": "An update for python-django is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.(CVE-2024-24680)",
+    "cves": [
+      {
+        "id": "CVE-2024-24680",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24680",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1555": {
+    "id": "openEuler-SA-2023-1555",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1555",
+    "title": "An update for krb5 is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.\r\n\r\nSecurity Fix(es):\r\n\r\nlib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.(CVE-2023-36054)",
+    "cves": [
+      {
+        "id": "CVE-2023-36054",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36054",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1108": {
+    "id": "openEuler-SA-2024-1108",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1108",
+    "title": "An update for freerdp is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Low",
+    "description": "FreeRDP is a client implementation of the Remote Desktop Protocol (RDP) that follows Microsoft's open specifications. This package provides the client applications xfreerdp and wlfreerdp.\r\n\r\nSecurity Fix(es):\r\n\r\nFreeRDP is a set of free and open source remote desktop protocol library and clients. In affected versions an integer overflow in `freerdp_bitmap_planar_context_reset` leads to heap-buffer overflow. This affects FreeRDP based clients. FreeRDP based server implementations and proxy are not affected. A malicious server could prepare a `RDPGFX_RESET_GRAPHICS_PDU` to allocate too small buffers, possibly triggering later out of bound read/write. Data extraction over network is not possible, the buffers are used to display an image. This issue has been addressed in version 2.11.5 and 3.2.0. Users are advised to upgrade. there are no know workarounds for this vulnerability.\n(CVE-2024-22211)",
+    "cves": [
+      {
+        "id": "CVE-2024-22211",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22211",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1846": {
+    "id": "openEuler-SA-2024-1846",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1846",
+    "title": "An update for openjpeg2 is now available for openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-24.03-LTS",
+    "severity": "Medium",
+    "description": "OpenJPEG is an open-source JPEG 2000 codec written in C language. It has been developed in order to promote the use of JPEG 2000, a still-image compression standard from the Joint Photographic Experts Group (JPEG). Since April 2015, it is officially recognized by ISO/IEC and ITU-T as a JPEG 2000 Reference Software.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in OpenJPEG similar to CVE-2019-6988. This flaw allows an attacker to bypass existing protections and cause an application crash through a maliciously crafted file.(CVE-2023-39328)",
+    "cves": [
+      {
+        "id": "CVE-2023-39328",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39328",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1232": {
+    "id": "openEuler-SA-2023-1232",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1232",
+    "title": "An update for samba is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nThe Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection.(CVE-2023-0922)",
+    "cves": [
+      {
+        "id": "CVE-2023-0922",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0922",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1086": {
+    "id": "openEuler-SA-2023-1086",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1086",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system.(CVE-2022-3707)\r\n\r\nA memory leak flaw and potential divide by zero and Integer overflow was found in the Linux kernel V4L2 and vivid test code functionality. This issue occurs when a user triggers ioctls, such as VIDIOC_S_DV_TIMINGS ioctl. This could allow a local user to crash the system if vivid test code enabled.(CVE-2023-0615)",
+    "cves": [
+      {
+        "id": "CVE-2023-0615",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0615",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1308": {
+    "id": "openEuler-SA-2023-1308",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1308",
+    "title": "An update for webkit2gtk3 is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "WebKitGTK is a full-featured port of the WebKit rendering engine,suitable for projects requiring any kind of web integration, from hybrid HTML/CSS applications to full-fledged web browsers. This package contains WebKit2 based WebKitGTK+ for GTK+ 3.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the webkitgtk package. An out of bounds read may be possible when processing malicious web content, which can lead to information disclosure.(CVE-2023-28204)",
+    "cves": [
+      {
+        "id": "CVE-2023-28204",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28204",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1916": {
+    "id": "openEuler-SA-2023-1916",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1916",
+    "title": "An update for varnish is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "This is Varnish Cache, a web application accelerator also known as a caching HTTP reverse proxy. You install it in front of any server that speaks HTTP and configure it to cache the contents. Varnish Cache is really, really fast. It typically speeds up delivery with a factor of 300 - 1000x, depending on your architecture.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend.(CVE-2022-45059)",
+    "cves": [
+      {
+        "id": "CVE-2022-45059",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45059",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1868": {
+    "id": "openEuler-SA-2023-1868",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1868",
+    "title": "An update for gdb is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "GDB, the GNU Project debugger, allows you to see what is going on inside another program while it executes -- or what another program was doing at the moment it crashed.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a heap buffer overflow via the function pe_as16() at /gdb/coff-pe-read.c.(CVE-2023-39130)",
+    "cves": [
+      {
+        "id": "CVE-2023-39130",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39130",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1615": {
+    "id": "openEuler-SA-2023-1615",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1615",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\n(CVE-2023-3865)\r\n\r\n(CVE-2023-3866)\r\n\r\nA use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs during device initialization when the siano device is plugged in. This flaw allows a local user to crash the system, causing a denial of service condition.(CVE-2023-4132)\r\n\r\nA flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index and merging file name parts belonging to one file into a single long file name. Since the file name characters are copied into a stack variable, a local privileged attacker could use this flaw to overflow the kernel stack.(CVE-2023-4273)",
+    "cves": [
+      {
+        "id": "CVE-2023-4273",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4273",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1861": {
+    "id": "openEuler-SA-2023-1861",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1861",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds read vulnerability was found in Netfilter Connection Tracking (conntrack) in the Linux kernel. This flaw allows a remote user to disclose sensitive information via the DCCP protocol.(CVE-2023-39197)\r\n\r\nA null pointer dereference flaw was found in the Linux kernel API for the cryptographic algorithm scatterwalk functionality. This issue occurs when a user constructs a malicious packet with specific socket configuration, which could allow a local user to crash the system or escalate their privileges on the system.(CVE-2023-6176)",
+    "cves": [
+      {
+        "id": "CVE-2023-6176",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6176",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1282": {
+    "id": "openEuler-SA-2024-1282",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1282",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nuio: Fix use-after-free in uio_open\r\n\r\ncore-1\t\t\t\tcore-2\n-------------------------------------------------------\nuio_unregister_device\t\tuio_open\n\t\t\t\tidev = idr_find()\ndevice_unregister(&idev->dev)\nput_device(&idev->dev)\nuio_device_release\n\t\t\t\tget_device(&idev->dev)\nkfree(idev)\nuio_free_minor(minor)\n\t\t\t\tuio_release\n\t\t\t\tput_device(&idev->dev)\n\t\t\t\tkfree(idev)\n-------------------------------------------------------\r\n\r\nIn the core-1 uio_unregister_device(), the device_unregister will kfree\nidev when the idev->dev kobject ref is 1. But after core-1\ndevice_unregister, put_device and before doing kfree, the core-2 may\nget_device. Then:\n1. After core-1 kfree idev, the core-2 will do use-after-free for idev.\n2. When core-2 do uio_release and put_device, the idev will be double\n   freed.\r\n\r\nTo address this issue, we can get idev atomic & inc idev reference with\nminor_lock.(CVE-2023-52439)\r\n\r\nNULL Pointer Dereference vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (net, bluetooth modules) allows Overflow Buffers. This vulnerability is associated with program files /net/bluetooth/rfcomm/core.C.\r\n\r\nThis issue affects Linux kernel: v2.6.12-rc2.\r\n\r\n(CVE-2024-22099)",
+    "cves": [
+      {
+        "id": "CVE-2024-22099",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22099",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1762": {
+    "id": "openEuler-SA-2023-1762",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1762",
+    "title": "An update for curl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nThis flaw makes curl overflow a heap based buffer in the SOCKS5 proxy\nhandshake.\r\n\r\nWhen curl is asked to pass along the host name to the SOCKS5 proxy to allow\nthat to resolve the address instead of it getting done by curl itself, the\nmaximum length that host name can be is 255 bytes.\r\n\r\nIf the host name is detected to be longer, curl switches to local name\nresolving and instead passes on the resolved address only. Due to this bug,\nthe local variable that means \"let the host resolve the name\" could get the\nwrong value during a slow SOCKS5 handshake, and contrary to the intention,\ncopy the too long host name to the target buffer instead of copying just the\nresolved address there.\r\n\r\nThe target buffer being a heap based buffer, and the host name coming from the\nURL that curl has been told to operate with.\n(CVE-2023-38545)\r\n\r\nThis flaw allows an attacker to insert cookies at will into a running program\nusing libcurl, if the specific series of conditions are met.\r\n\r\nlibcurl performs transfers. In its API, an application creates \"easy handles\"\nthat are the individual handles for single transfers.\r\n\r\nlibcurl provides a function call that duplicates en easy handle called\n[curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html).\r\n\r\nIf a transfer has cookies enabled when the handle is duplicated, the\ncookie-enable state is also cloned - but without cloning the actual\ncookies. If the source handle did not read any cookies from a specific file on\ndisk, the cloned version of the handle would instead store the file name as\n`none` (using the four ASCII letters, no quotes).\r\n\r\nSubsequent use of the cloned handle that does not explicitly set a source to\nload cookies from would then inadvertently load cookies from a file named\n`none` - if such a file exists and is readable in the current directory of the\nprogram using libcurl. And if using the correct file format of course.\n(CVE-2023-38546)",
+    "cves": [
+      {
+        "id": "CVE-2023-38546",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38546",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1507": {
+    "id": "openEuler-SA-2022-1507",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1507",
+    "title": "An update for samba is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Low",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nAll versions of Samba prior to 4.13.16 are vulnerable to a malicious client using an SMB1 or NFS race to allow a directory to be created in an area of the server file system not exported under the share definition. Note that SMB1 has to be enabled, or the share also available via NFS in order for this attack to succeed.(CVE-2021-43566)",
+    "cves": [
+      {
+        "id": "CVE-2021-43566",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43566",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1438": {
+    "id": "openEuler-SA-2023-1438",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1438",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nA time-of-check to time-of-use issue exists in io_uring subsystem's IORING_OP_CLOSE operation in the Linux kernel's versions 5.6 - 5.11 (inclusive), which allows a local user to elevate their privileges to root. Introduced in b5dba59e0cf7e2cc4d3b3b1ac5fe81ddf21959eb, patched in 9eac1904d3364254d622bf2c771c4f85cd435fc2, backported to stable in 788d0824269bef539fe31a785b1517882eafed93.(CVE-2023-1295)\n\nA heap out-of-bounds write vulnerability in the Linux Kernel ipvlan network driver can be exploited to achieve local privilege escalation.\n\nThe out-of-bounds write is caused by missing skb->cb  initialization in the ipvlan network driver. The vulnerability is reachable if CONFIG_IPVLAN is enabled.\n\n\nWe recommend upgrading past commit 90cbed5247439a966b645b34eb0a2e037836ea8e.\n\n(CVE-2023-3090)\n\nA use-after-free flaw was found in the Netfilter subsystem of the Linux kernel when processing named and anonymous sets in batch requests, which can lead to performing arbitrary reads and writes in kernel memory. This flaw allows a local user with CAP_NET_ADMIN capability to crash or potentially escalate their privileges on the system.(CVE-2023-3117)\n\nAn issue was discovered in the Linux kernel through 6.1-rc8. dpu_crtc_atomic_check in drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c lacks check of the return value of kzalloc() and will cause the NULL Pointer Dereference.(CVE-2023-3220)\n\nA flaw null pointer dereference in the Linux kernel DECnet networking protocol was found. A remote user could use this flaw to crash the system.(CVE-2023-3338)\n\nA null pointer dereference was found in the Linux kernel's Integrated Sensor Hub (ISH) driver. This issue could allow a local user to crash the system.(CVE-2023-3358)",
+    "cves": [
+      {
+        "id": "CVE-2023-3358",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3358",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1361": {
+    "id": "openEuler-SA-2021-1361",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1361",
+    "title": "An update for hivex is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Hivex is a library for extracting the contents of Windows Registry \"hive\" files.  It is designed to be secure against buggy or malicious registry files.\r\n\r\nSecurity Fix(es):\r\n\r\nNo description is available for this CVE.(CVE-2021-3622)",
+    "cves": [
+      {
+        "id": "CVE-2021-3622",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3622",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1011": {
+    "id": "openEuler-SA-2021-1011",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1011",
+    "title": "An update for golang is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Go Programming Language.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nThe encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.(CVE-2020-29509)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2020-29509",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29509",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1342": {
+    "id": "openEuler-SA-2021-1342",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1342",
+    "title": "An update for jackson is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "JSON processor written in Java., it also offers full node-based Tree Model, as well as full Object/Json Mapper data binding functionality.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes.(CVE-2019-10172)",
+    "cves": [
+      {
+        "id": "CVE-2019-10172",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10172",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1297": {
+    "id": "openEuler-SA-2021-1297",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1297",
+    "title": "An update for mutt is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Mutt is a small but very powerful text-based mail client for Unix operating systems.\r\n\r\nSecurity Fix(es):\r\n\r\nMutt before 1.14.3 allows an IMAP fcc/postpone man-in-the-middle attack via a PREAUTH response.(CVE-2020-14093)",
+    "cves": [
+      {
+        "id": "CVE-2020-14093",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14093",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1127": {
+    "id": "openEuler-SA-2021-1127",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1127",
+    "title": "An update for python-pillow is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Pillow is the friendly PIL fork by Alex Clark and Contributors. PIL is the Python Imaging Library by Fredrik Lundh and Contributors. As of 2019, Pillow development is supported by Tidelift.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.(CVE-2020-35655)\r\n\r\nPillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.(CVE-2021-27921)\r\n\r\nPillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.(CVE-2021-27922)\r\n\r\nPillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.(CVE-2021-27923)",
+    "cves": [
+      {
+        "id": "CVE-2021-27923",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27923",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1271": {
+    "id": "openEuler-SA-2021-1271",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1271",
+    "title": "An update for systemd is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "systemd is a system and service manager that runs as PID 1 and starts the rest of the system.\r\n\r\nSecurity Fix(es):\r\n\r\nbasic/unit-name.c in systemd 220 through 248 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash.(CVE-2021-33910)",
+    "cves": [
+      {
+        "id": "CVE-2021-33910",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33910",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1440": {
+    "id": "openEuler-SA-2021-1440",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1440",
+    "title": "An update for libzapojit is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "GLib/GObject wrapper for the SkyDrive and Hotmail REST APIs.\r\n\r\nSecurity Fix(es):\r\n\r\nIn GNOME libzapojit through 0.0.3, zpj-skydrive.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.(CVE-2021-39360)",
+    "cves": [
+      {
+        "id": "CVE-2021-39360",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39360",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1247": {
+    "id": "openEuler-SA-2024-1247",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1247",
+    "title": "An update for atril is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Mate-document-viewer is simple document viewer. It can display and print Portable Document Format (PDF), PostScript (PS), Encapsulated PostScript (EPS), DVI, DJVU, epub and XPS files. When supported by the document format, mate-document-viewer allows searching for text, copying text to the clipboard, hypertext navigation, table-of-contents bookmarks and editing of forms.\r\n\r\nSecurity Fix(es):\r\n\r\nAtril Document Viewer is the default document reader of the MATE desktop environment for Linux. A path traversal and arbitrary file write vulnerability exists in versions of Atril prior to 1.26.2. This vulnerability is capable of writing arbitrary files anywhere on the filesystem to which the user opening a crafted document has access. The only limitation is that this vulnerability cannot be exploited to overwrite existing files, but that doesn't stop an attacker from achieving Remote Command Execution on the target system. Version 1.26.2 of Atril contains a patch for this vulnerability.(CVE-2023-52076)",
+    "cves": [
+      {
+        "id": "CVE-2023-52076",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52076",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1853": {
+    "id": "openEuler-SA-2022-1853",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1853",
+    "title": "An update for rsync is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Rsync is an open source utility that provides fast incremental file transfer. It uses the \"rsync algorithm\" which provides a very fast method for bringing remote files into sync. It does this by sending just the differences in the files across the link, without requiring that both sets of files are present at one of the ends of the link beforehand.\r\n\r\nSecurity Fix(es):\r\n\nzlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).(CVE-2022-37434)",
+    "cves": [
+      {
+        "id": "CVE-2022-37434",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37434",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1587": {
+    "id": "openEuler-SA-2023-1587",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1587",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nA hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel’s IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%.(CVE-2023-1206)\r\n\r\nA buffer overrun vulnerability was found in the netback driver in Xen due to an unusual split packet. This flaw allows an unprivileged guest to cause a denial of service (DoS) of the host by sending network packets to the backend, causing the backend to crash.(CVE-2023-34319)\r\n\r\nAn issue was discovered in the Linux kernel before 6.3.10. fs/smb/server/smb2misc.c in ksmbd does not validate the relationship between the command payload size and the RFC1002 length specification, leading to an out-of-bounds read.(CVE-2023-38432)\r\n\r\n(CVE-2023-3867)\r\n\r\nAn issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10. There is a use-after-free because the children of an sk are mishandled.(CVE-2023-40283)\r\n\r\nA flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to bypass network filters and gain unauthorized access to some resources. The original patches fixing CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits - a096ccca6e50 (\"tun: tun_chr_open(): correctly initialize socket uid\"), - 66b2c338adce (\"tap: tap_open(): correctly initialize socket uid\"), pass \"inode->i_uid\" to sock_init_data_uid() as the last parameter and that turns out to not be accurate.(CVE-2023-4194)",
+    "cves": [
+      {
+        "id": "CVE-2023-4194",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4194",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1200": {
+    "id": "openEuler-SA-2024-1200",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1200",
+    "title": "An update for libuv is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "libuv is a multi-platform support library with a focus on asynchronous I/O.  It was primarily developed for use by Node.js, but it’s also used by Luvit, Julia, pyuv, and others.\r\n\r\nSecurity Fix(es):\r\n\r\nlibuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function in `src/unix/getaddrinfo.c` (and its windows counterpart `src/win/getaddrinfo.c`), truncates hostnames to 256 characters before calling `getaddrinfo`. This behavior can be exploited to create addresses like `0x00007f000001`, which are considered valid by `getaddrinfo` and could allow an attacker to craft payloads that resolve to unintended IP addresses, bypassing developer checks. The vulnerability arises due to how the `hostname_ascii` variable (with a length of 256 bytes) is handled in `uv_getaddrinfo` and subsequently in `uv__idna_toascii`. When the hostname exceeds 256 characters, it gets truncated without a terminating null byte. As a result attackers may be able to access internal APIs or for websites (similar to MySpace) that allows users to have `username.example.com` pages. Internal services that crawl or cache these user pages can be exposed to SSRF attacks if a malicious user chooses a long vulnerable username. This issue has been addressed in release version 1.48.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2024-24806)",
+    "cves": [
+      {
+        "id": "CVE-2024-24806",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24806",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1048": {
+    "id": "openEuler-SA-2023-1048",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1048",
+    "title": "An update for samba is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nNetlogon RPC Elevation of Privilege Vulnerability.(CVE-2022-38023)",
+    "cves": [
+      {
+        "id": "CVE-2022-38023",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38023",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1683": {
+    "id": "openEuler-SA-2022-1683",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1683",
+    "title": "An update for clamav is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Clam AntiVirus (clamav) is an open source antivirus engine for detecting trojans, viruses, malware and other malicious threats. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software. he virus database is based on the virus database from OpenAntiVirus, but contains additional signatures and is KEPT UP TO DATE.\n\nSecurity Fix(es):\n\nOn April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in CHM file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog. This advisory will be updated as additional information becomes available.(CVE-2022-20770)\n\nOn April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in the TIFF file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog. This advisory will be updated as additional information becomes available.(CVE-2022-20771)\n\nOn April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in HTML file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog. This advisory will be updated as additional information becomes available.(CVE-2022-20785)\n\nFixed a possible multi-byte heap buffer overflow write vulnerability in the signature database load module. The fix was to update the vendored regex library to the latest version. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. Thank you to Michał Dardas for reporting this issue.(CVE-2022-20792)",
+    "cves": [
+      {
+        "id": "CVE-2022-20792",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20792",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1491": {
+    "id": "openEuler-SA-2022-1491",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1491",
+    "title": "An update for lighttpd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Secure, fast, compliant and very flexible web-server which has been optimized for high-performance environments. It has a very low memory footprint compared to other webservers and takes care of cpu-load. Its advanced feature-set (FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and many more) make it the perfect webserver-software for every server that is suffering load problems.\r\n\r\nSecurity Fix(es):\r\n\r\nIn lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes representing -1), as demonstrated by remote denial of service (daemon crash) in a non-default configuration. The non-default configuration requires handling of the Forwarded header in a somewhat unusual manner. Also, a 32-bit system is much more likely to be affected than a 64-bit system.(CVE-2022-22707)",
+    "cves": [
+      {
+        "id": "CVE-2022-22707",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22707",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1282": {
+    "id": "openEuler-SA-2021-1282",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1282",
+    "title": "An update for libgit2 is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language which supports C bindings.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1352.(CVE-2020-12278)\r\n\r\nAn issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. checkout.c mishandles equivalent filenames that exist because of NTFS short names. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1353.(CVE-2020-12279)",
+    "cves": [
+      {
+        "id": "CVE-2020-12279",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12279",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1439": {
+    "id": "openEuler-SA-2021-1439",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1439",
+    "title": "An update for postgresql is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "PostgreSQL is an advanced Object-Relational database management system (DBMS) that supports almost all SQL constructs (including transactions, subselects and user-defined types and functions). The postgresql package includes the client programs and libraries that you'll need to access a PostgreSQL DBMS server.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in postgresql. Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality.(CVE-2021-32028)",
+    "cves": [
+      {
+        "id": "CVE-2021-32028",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32028",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1376": {
+    "id": "openEuler-SA-2023-1376",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1376",
+    "title": "An update for libX11 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Core X11 protocol client library.\n\nSecurity Fix(es):\n\nA vulnerability was found in libX11. The security flaw occurs because the functions in src/InitExt.c in libX11 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, using those IDs as array indexes. They trust that they were called with values provided by an Xserver adhering to the bounds specified in the X11 protocol, as all X servers provided by X.Org do. As the protocol only specifies a single byte for these values, an out-of-bounds value provided by a malicious server (or a malicious proxy-in-the-middle) can only overwrite other portions of the Display structure and not write outside the bounds of the Display structure itself, possibly causing the client to crash with this memory corruption.(CVE-2023-3138)",
+    "cves": [
+      {
+        "id": "CVE-2023-3138",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3138",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1755": {
+    "id": "openEuler-SA-2022-1755",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1755",
+    "title": "An update for nodejs-jsonpointer is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Simple JSON Addressing.\r\n\r\nSecurity Fix(es):\r\n\r\nThis affects the package jsonpointer before 5.0.0. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays.(CVE-2021-23807)",
+    "cves": [
+      {
+        "id": "CVE-2021-23807",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23807",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1771": {
+    "id": "openEuler-SA-2022-1771",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1771",
+    "title": "An update for mc is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "GNU Midnight Commander is a visual file manager, licensed under GNU General Public License and therefore qualifies as Free Software. It's a feature rich full-screen text mode application that allows you to copy, move and delete files and whole directory trees, search for files and run commands in the subshell. Internal viewer and editor are included.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Midnight Commander through 4.8.26. When establishing an SFTP connection, the fingerprint of the server is neither checked nor displayed. As a result, a user connects to the server without the ability to verify its authenticity.(CVE-2021-36370)",
+    "cves": [
+      {
+        "id": "CVE-2021-36370",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36370",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1764": {
+    "id": "openEuler-SA-2024-1764",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1764",
+    "title": "An update for rubygem-activesupport is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.\r\n\r\nSecurity Fix(es):\r\n\r\nAction Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.(CVE-2022-23633)",
+    "cves": [
+      {
+        "id": "CVE-2022-23633",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23633",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1166": {
+    "id": "openEuler-SA-2024-1166",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1166",
+    "title": "An update for python-django is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.(CVE-2024-24680)",
+    "cves": [
+      {
+        "id": "CVE-2024-24680",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24680",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1535": {
+    "id": "openEuler-SA-2023-1535",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1535",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nA use-after-free flaw was found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel. This flaw allows a local attacker to perform a local privilege escalation due to incorrect handling of the existing filter, leading to a kernel information leak issue.(CVE-2023-4128)",
+    "cves": [
+      {
+        "id": "CVE-2023-4128",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4128",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1787": {
+    "id": "openEuler-SA-2022-1787",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1787",
+    "title": "An update for qt5-qtbase is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Qt is a software toolkit for developing applications.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.(CVE-2022-25255)",
+    "cves": [
+      {
+        "id": "CVE-2022-25255",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25255",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1847": {
+    "id": "openEuler-SA-2024-1847",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1847",
+    "title": "An update for mod_http2 is now available for openEuler-24.03-LTS",
+    "severity": "Low",
+    "description": "Mod_h[ttp]2 is an official Apache httpd module, first released in 2.4.17.  See Apache downloads to get a released version. mod_proxy_h[ttp]2 has been released in 2.4.23.\r\n\r\nSecurity Fix(es):\r\n\r\nServing WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.(CVE-2024-36387)",
+    "cves": [
+      {
+        "id": "CVE-2024-36387",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36387",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1461": {
+    "id": "openEuler-SA-2023-1461",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1461",
+    "title": "An update for libtiff is now available for openEuler-22.03-LTS",
+    "severity": "Low",
+    "description": "This libtiff provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. The latest version of the TIFF specification is available on-line in several different formats.And contains command-line programs for manipulating TIFF format image files using the libtiff library.\r\n\r\nSecurity Fix(es):\r\n\r\nMultiple potential integer overflow in raw2tiff.c in libtiff <= 4.5.1 can allow remote attackers to cause a denial of service (application crash) or possibly execute an arbitrary code via a crafted tiff image which triggers a heap-based buffer overflow.(CVE-2023-38288)\r\n\r\nMultiple potential integer overflow in tiffcp.c in libtiff <= 4.5.1 can allow remote attackers to cause a denial of service (application crash) or possibly execute an arbitrary code via a crafted tiff image which triggers a heap-based buffer overflow.(CVE-2023-38289)",
+    "cves": [
+      {
+        "id": "CVE-2023-38289",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38289",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2020": {
+    "id": "openEuler-SA-2022-2020",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2020",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "This libtiff provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. The latest version of the TIFF specification is available on-line in several different formats.And contains command-line programs for manipulating TIFF format image files using the libtiff library.\r\n\r\nSecurity Fix(es):\r\n\r\nMultiple heap buffer overflows in tiffcrop.c utility in libtiff library Version 4.4.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact(CVE-2022-3570)\r\n\r\nLibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from extractImageSection, tools/tiffcrop.c:6826, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.(CVE-2022-3597)\r\n\r\nLibTIFF 4.4.0 has an out-of-bounds read in writeSingleSection in tools/tiffcrop.c:7345, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit e8131125.(CVE-2022-3599)\r\n\r\nLibTIFF 4.4.0 has an out-of-bounds write in extractContigSamplesShifted24bits in tools/tiffcrop.c:3604, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit cfbb883b.(CVE-2022-3598)\r\n\r\nLibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemset in libtiff/tif_unix.c:340 when called from processCropSelections, tools/tiffcrop.c:7619, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.(CVE-2022-3626)\r\n\r\nLibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from extractImageSection, tools/tiffcrop.c:6860, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.(CVE-2022-3627)",
+    "cves": [
+      {
+        "id": "CVE-2022-3627",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3627",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1808": {
+    "id": "openEuler-SA-2024-1808",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1808",
+    "title": "An update for ffmpeg is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash.\r\n\r\nSecurity Fix(es):\r\n\r\nadts_decode_extradata in libavformat/adtsenc.c in FFmpeg 4.4 does not check the init_get_bits return value, which is a necessary step because the second argument to init_get_bits can be crafted.(CVE-2021-38171)\r\n\r\nAn issue was discovered in the FFmpeg package, where vp3_decode_frame in libavcodec/vp3.c lacks check of the return value of av_malloc() and will cause a null pointer dereference, impacting availability.(CVE-2022-3109)\r\n\r\nBuffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the set_encoder_id function in /fftools/ffmpeg_enc.c component.(CVE-2023-50010)\r\n\r\nBuffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via the libavutil/imgutils.c:353:9 in image_copy_plane.(CVE-2023-51793)",
+    "cves": [
+      {
+        "id": "CVE-2023-51793",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51793",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1552": {
+    "id": "openEuler-SA-2023-1552",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1552",
+    "title": "An update for indent is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The indent program can be used to make code easier to read. It can also convert from one style of writing C to another. indent understands a substantial amount about the syntax of C, but it also attempts to cope with incomplete and misformed syntax.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU indent 2.2.13 has a heap-based buffer overflow in search_brace in indent.c via a crafted file.(CVE-2023-40305)",
+    "cves": [
+      {
+        "id": "CVE-2023-40305",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40305",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1702": {
+    "id": "openEuler-SA-2023-1702",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1702",
+    "title": "An update for dsoftbus is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Overflow vulnerability in coap_send function in libcoap library 4.3.1-103-g52cfd56 fixed in 4.3.1-120-ge242200 allows attackers to obtain sensitive information via malformed pdu.(CVE-2023-30362)",
+    "cves": [
+      {
+        "id": "CVE-2023-30362",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30362",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1299": {
+    "id": "openEuler-SA-2023-1299",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1299",
+    "title": "An update for libtpms is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "A library providing TPM functionality for VMs. Targeted for integration into Qemu.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds read vulnerability exists in TPM2.0's Module Library allowing a 2-byte read past the end of a TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can read or access sensitive data stored in the TPM.(CVE-2023-1018)\r\n\r\nAn out-of-bounds write vulnerability exists in TPM2.0's Module Library allowing writing of a 2-byte data past the end of TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can lead to denial of service (crashing the TPM chip/process or rendering it unusable) and/or arbitrary code execution in the TPM context.(CVE-2023-1017)",
+    "cves": [
+      {
+        "id": "CVE-2023-1017",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1017",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1830": {
+    "id": "openEuler-SA-2023-1830",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1830",
+    "title": "An update for mariadb is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "MariaDB turns data into structured information in a wide array of applications, ranging from banking to websites. It is an enhanced, drop-in replacement for MySQL. MariaDB is used because it is fast, scalable and robust, with a rich ecosystem of storage engines, plugins and many other tools make it very versatile for a wide variety of use cases.\r\n\r\nSecurity Fix(es):\r\n\r\nThe BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).(CVE-2022-0778)\r\n\r\nMariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Item_func_in::cleanup/Item::cleanup_processor.(CVE-2022-32085)\r\n\r\nMariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Item_args::walk_args.(CVE-2022-32087)\r\n\r\nMariaDB v10.7 was discovered to contain an use-after-poison in in __interceptor_memset at /libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc.(CVE-2022-32091)\r\n\r\nMariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of Service. It is possible for function spider_db_mbase::print_warnings to dereference a null pointer.(CVE-2022-47015)",
+    "cves": [
+      {
+        "id": "CVE-2022-47015",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47015",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1776": {
+    "id": "openEuler-SA-2023-1776",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1776",
+    "title": "An update for squid is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "Squid is a high-performance proxy caching server. It handles all requests in a single, non-blocking, I/O-driven process and keeps meta data and implements negative caching of failed requests.\r\n\r\nSecurity Fix(es):\r\n\r\nDescription: Due to chunked decoder lenience Squid is vulnerable to\nRequest/Response smuggling attacks when parsing HTTP/1.1\nand ICAP messages\r\n\r\nReference: https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh\r\n\r\nAffected versions: 2.6-6.3. Patched in 6.4.(CVE-2023-46846)\r\n\r\nDescription: Due to a buffer overflow bug Squid is vulnerable to a Denial of\nService attack against HTTP Digest Authentication\r\n\r\nReference: https://github.com/squid-cache/squid/security/advisories/GHSA-phqj-m8gv-cq4g\r\n\r\nAffected versions: 3.2.0.1-5.9, 6.0-6.3(CVE-2023-46847)",
+    "cves": [
+      {
+        "id": "CVE-2023-46847",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46847",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2069": {
+    "id": "openEuler-SA-2022-2069",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2069",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nThe vulnerability is a use-after-free that happens when an io_uring request\nis being processed on a registered file and the Unix GC runs and frees the\nio_uring fd and all the registered fds. The order at which the Unix GC\nprocesses the inflight fds may lead to registered fds be freed before the\nio_uring is released and has the chance to unregister and wait for such\nrequests to finish.\r\n\r\nReference:\nhttps://www.openwall.com/lists/oss-security/2022/10/18/4\nhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0091bfc81741b8d3aeb3b7ab8636f911b2de6e80(CVE-2022-2602)",
+    "cves": [
+      {
+        "id": "CVE-2022-2602",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2602",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1126": {
+    "id": "openEuler-SA-2024-1126",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1126",
+    "title": "An update for containerd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "containerd is an industry-standard container runtime with an emphasis on simplicity, robustness and portability.  It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervision, low-level storage and network attachments, etc.\r\n\r\nSecurity Fix(es):\r\n\r\nA malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.(CVE-2023-39325)",
+    "cves": [
+      {
+        "id": "CVE-2023-39325",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39325",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1036": {
+    "id": "openEuler-SA-2023-1036",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1036",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds memory access flaw was found in the Linux kernel Intel’s iSMT SMBus host controller driver in the way a user triggers the I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS) with malicious input data. This flaw allows a local user to crash the system.(CVE-2022-2873)\r\n\r\nAn incorrect read request flaw was found in the Infrared Transceiver USB driver in the Linux kernel. This issue occurs when a user attaches a malicious USB device. A local user could use this flaw to starve the resources, causing denial of service or potentially crashing the system.(CVE-2022-3903)\r\n\r\nAn issue was discovered in the Linux kernel through 5.16-rc6. kfd_parse_subtype_iolink in drivers/gpu/drm/amd/amdkfd/kfd_crat.c lacks check of the return value of kmemdup().(CVE-2022-3108)\r\n\r\nAn issue was discovered in the Linux kernel through 5.16-rc6. imx_register_uart_clocks in drivers/clk/imx/clk.c lacks check of the return value of kcalloc() and will cause the null pointer dereference.(CVE-2022-3114)\r\n\r\nA regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks. L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a(CVE-2022-2196)\r\n\r\nAn issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. There is a heap-based buffer overflow in set_ntacl_dacl, related to use of SMB2_QUERY_INFO_HE after a malformed SMB2_SET_INFO_HE command.(CVE-2022-47942)\r\n\r\nAn issue was discovered in ksmbd in the Linux kernel 5.15 through 5.18 before 5.18.18. fs/ksmbd/smb2pdu.c lacks length validation in the non-padding case in smb2_write.(CVE-2022-47940)\r\n\r\nAn issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. There is an out-of-bounds read and OOPS for SMB2_WRITE, when there is a large length in the zero DataOffset case.(CVE-2022-47943)",
+    "cves": [
+      {
+        "id": "CVE-2022-47943",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47943",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1727": {
+    "id": "openEuler-SA-2023-1727",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1727",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel before 5.8.6. drivers/media/cec/core/cec-api.c leaks one byte of kernel memory on specific hardware to unprivileged users, because of directly assigning log_addrs with a hole in the struct.(CVE-2020-36766)\r\n\r\nAn array indexing vulnerability was found in the netfilter subsystem of the Linux kernel. A missing macro could lead to a miscalculation of the `h->nets` array offset, providing attackers with the primitive to arbitrarily increment/decrement a memory buffer out-of-bound. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.(CVE-2023-42753)",
+    "cves": [
+      {
+        "id": "CVE-2023-42753",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42753",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1226": {
+    "id": "openEuler-SA-2023-1226",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1226",
+    "title": "An update for ruby is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Ruby is a fast and easy interpreted scripting language for object-oriented programming. It has many functions for processing text Files and perform system management tasks (such as Perl).\r\n\r\nSecurity Fix(es):\r\n\r\nA ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.(CVE-2023-28756)\r\n\r\nA ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.(CVE-2023-28755)",
+    "cves": [
+      {
+        "id": "CVE-2023-28755",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28755",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1070": {
+    "id": "openEuler-SA-2023-1070",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1070",
+    "title": "An update for tmux is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "is a terminal multiplexer. It lets you switch easily between several programs in one terminal, detach them (they keep running in the background) and reattach them to a different terminal.\r\n\r\nSecurity Fix(es):\r\n\r\nA null pointer dereference issue was discovered in function window_pane_set_event in window.c in tmux 3.0 thru 3.3 and later, allows attackers to cause denial of service or other unspecified impacts.(CVE-2022-47016)",
+    "cves": [
+      {
+        "id": "CVE-2022-47016",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47016",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1106": {
+    "id": "openEuler-SA-2023-1106",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1106",
+    "title": "An update for tar is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "GNU Tar provides the ability to create tar archives, as well as various other kinds of manipulation. For example, you can use Tar on previously created archives to extract files, to store additional files, or to update or list files which were already stored.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.(CVE-2022-48303)",
+    "cves": [
+      {
+        "id": "CVE-2022-48303",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48303",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1181": {
+    "id": "openEuler-SA-2024-1181",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1181",
+    "title": "An update for containerd is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "containerd is an industry-standard container runtime with an emphasis on simplicity, robustness and portability.  It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervision, low-level storage and network attachments, etc.\r\n\r\nSecurity Fix(es):\r\n\r\nA maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.(CVE-2022-41723)",
+    "cves": [
+      {
+        "id": "CVE-2022-41723",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1782": {
+    "id": "openEuler-SA-2024-1782",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1782",
+    "title": "An update for openssh is now available for openEuler-22.03-LTS-SP4",
+    "severity": "High",
+    "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. \\ It encrypts all traffic to eliminate eavesdropping, connection hijacking, and \\ other attacks. In addition, OpenSSH provides a large suite of secure tunneling \\ capabilities, several authentication methods, and sophisticated configuration options.\r\n\r\nSecurity Fix(es):\r\n\r\nA signal handler race condition was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog().(CVE-2024-6387)",
+    "cves": [
+      {
+        "id": "CVE-2024-6387",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6387",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1510": {
+    "id": "openEuler-SA-2024-1510",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1510",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free.(CVE-2023-0330)\r\n\r\nA double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently protects against DMA reentrancy issues. This issue could allow a malicious privileged guest user to crash the QEMU process on the host, resulting in a denial of service or allow arbitrary code execution within the context of the QEMU process on the host.(CVE-2024-3446)\r\n\r\nA heap-based buffer overflow was found in the SDHCI device emulation of QEMU. The bug is triggered when both `s->data_count` and the size of  `s->fifo_buffer` are set to 0x200, leading to an out-of-bound access. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.(CVE-2024-3447)",
+    "cves": [
+      {
+        "id": "CVE-2024-3447",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3447",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1547": {
+    "id": "openEuler-SA-2023-1547",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1547",
+    "title": "An update for qt is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Qt (pronounced as \"cute\", not \"cu-tee\") is a cross-platform framework that is usually used as a graphical toolkit, although it is also very helpful in creating CLI applications. It runs on the three major desktop OSes, as well as on mobile OSes, such as Symbian, Nokia Belle, Meego Harmattan, MeeGo or BB10, and on embedded devices. Ports for Android (Necessitas) and iOS are also in development\n\nSecurity Fix(es):\n\nIn Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.(CVE-2023-32573)",
+    "cves": [
+      {
+        "id": "CVE-2023-32573",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1828": {
+    "id": "openEuler-SA-2023-1828",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1828",
+    "title": "An update for shadow is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "This package includes the necessary programs for converting plain password files to the shadow password format and to manage user and group accounts\r\n\r\nSecurity Fix(es):\r\n\r\nshadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees(CVE-2013-4235)",
+    "cves": [
+      {
+        "id": "CVE-2013-4235",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4235",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1829": {
+    "id": "openEuler-SA-2024-1829",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1829",
+    "title": "An update for vte291 is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Low",
+    "description": "VTE provides a virtual terminal widget for GTK applications.VTE is mainly used in gnome-terminal, but can also be used to embed a console/terminal in games, editors, IDEs, etc.\r\n\r\nSecurity Fix(es):\r\n\r\nGNOME VTE before 0.76.3 allows an attacker to cause a denial of service (memory consumption) via a window resize escape sequence, a related issue to CVE-2000-0476.(CVE-2024-37535)",
+    "cves": [
+      {
+        "id": "CVE-2024-37535",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37535",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1963": {
+    "id": "openEuler-SA-2023-1963",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1963",
+    "title": "An update for jettison is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Jettison is a collection of Java APIs (like STaX and DOM) which read and write JSON. This allows nearly transparent enablement of JSON based web services in services frameworks like CXF or XML serialization frameworks like XStream.\r\n\r\nSecurity Fix(es):\r\n\r\nAn infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.\r\n\r\n(CVE-2023-1436)",
+    "cves": [
+      {
+        "id": "CVE-2023-1436",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1436",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1458": {
+    "id": "openEuler-SA-2024-1458",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1458",
+    "title": "An update for libdwarf is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Libdwarf is a library of functions to provide read/write DWARF debugging records.\r\n\r\nSecurity Fix(es):\r\n\r\nA double-free vulnerability was found in libdwarf. In a multiply-corrupted DWARF object, libdwarf may try to dealloc(free) an allocation twice, potentially causing unpredictable and various results.(CVE-2024-2002)",
+    "cves": [
+      {
+        "id": "CVE-2024-2002",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2002",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1174": {
+    "id": "openEuler-SA-2023-1174",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1174",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn binder_transaction_buffer_release of binder.c, there is a possible use after free due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-257685302References: Upstream kernel(CVE-2023-20938)\r\n\r\nThere is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege. There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock. When CONFIG_TLS is enabled, user can install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable. The setsockopt TCP_ULP operation does not require any privilege. We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c(CVE-2023-0461)\r\n\r\nA flaw in the Linux Kernel found. Fail if no bound addresses can be used for a given scope. A type confusion can happen in inet_diag_msg_sctpasoc_fill() in net/sctp/diag.c, which uses a type confused pointer to return information to userspace when issuing a list_entry() on asoc->base.bind_addr.address_list.next when the list is empty.\r\n\r\nReferences:\nhttps://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=458e279f861d3f61796894cd158b780765a1569f\nhttps://www.openwall.com/lists/oss-security/2023/01/23/1(CVE-2023-1074)\r\n\r\nA flaw found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info` actually points to something else that is potentially controlled by local user.\nIt is known how to trigger this, which causes an OOB access, and a lock corruption.\r\n\r\nReference:\nhttps://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=f753a68980cf4b59a80fe677619da2b1804f526d(CVE-2023-1078)\r\n\r\nA flaw found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function.\nWhile it will be often correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability.\nThis would make tun/tap sockets being incorrectly treated in filtering/routing decisions, possibly bypassing network filters.\r\n\r\nReferences:\nhttps://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=66b2c338adce580dfce2199591e65e2bab889cff\nhttps://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=a096ccca6e503a5c575717ff8a36ace27510ab0a(CVE-2023-1076)\r\n\r\nA flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.(CVE-2023-1118)\n\nIn the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device.(CVE-2023-26545)",
+    "cves": [
+      {
+        "id": "CVE-2023-26545",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26545",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1607": {
+    "id": "openEuler-SA-2023-1607",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1607",
+    "title": "An update for ghostscript is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Ghostscript is an interpreter for PostScript™ and Portable Document Format (PDF) files. Ghostscript consists of a PostScript interpreter layer, and a graphics library.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Artifex Ghostscript through 10.01.0, there is a buffer overflow leading to potential corruption of data internal to the PostScript interpreter, in base/sbcp.c. This affects BCPEncode, BCPDecode, TBCPEncode, and TBCPDecode. If the write buffer is filled to one byte less than full, and one then tries to write an escaped character, two bytes are written.(CVE-2023-28879)\r\n\r\nArtifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix).(CVE-2023-36664)\r\n\r\nA buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript. This issue may allow a local attacker to cause a denial of service via outputting a crafted PDF file for a DEVN device with gs.(CVE-2023-38559)",
+    "cves": [
+      {
+        "id": "CVE-2023-38559",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38559",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1634": {
+    "id": "openEuler-SA-2022-1634",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1634",
+    "title": "An update for mysql5 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld) and many different client programs and libraries. The base package contains the standard MySQL client programs and generic MySQL files.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Federated). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21270)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21303)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21304)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2022-21344)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Compiling). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2022-21367)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 5.7.35 and prior and 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data. CVSS 3.1 Base Score 4.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N).(CVE-2021-35624)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.9 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H).(CVE-2021-2356)\n\nVulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.7.32 and prior and 8.0.22 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2011)\n\nVulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.50 and prior, 5.7.32 and prior and 8.0.22 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Client accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Client. CVSS 3.1 Base Score 4.2 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L).(CVE-2021-2010)\n\nVulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Client accessible data. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2021-2007)",
+    "cves": [
+      {
+        "id": "CVE-2021-2007",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-2007",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1221": {
+    "id": "openEuler-SA-2021-1221",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1221",
+    "title": "An update for redis is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Redis is an advanced key-value store. It is often referred to as a dattructure server since keys can contain strings, hashes ,lists, sets anorted sets.\r\n\r\nSecurity Fix(es):\r\n\r\nRedis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis 6.2 before 6.2.3 could be exploited to corrupt the heap and potentially result with remote code execution. Redis 6.0 and earlier are not directly affected by this issue. The problem is fixed in version 6.2.3. An additional workaround to mitigate the problem without patching the `redis-server` executable is to prevent users from modifying the `set-max-intset-entries` configuration parameter. This can be done using ACL to restrict unprivileged users from using the `CONFIG SET` command.(CVE-2021-29478)",
+    "cves": [
+      {
+        "id": "CVE-2021-29478",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29478",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1093": {
+    "id": "openEuler-SA-2023-1093",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1093",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Go Programming Language\r\n\r\nSecurity Fix(es):\r\n\r\nAn attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.(CVE-2022-41717)",
+    "cves": [
+      {
+        "id": "CVE-2022-41717",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1274": {
+    "id": "openEuler-SA-2023-1274",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1274",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free flaw caused by a race among the superblock operations in the gadgetfs Linux driver was found. It could be triggered by yanking out a device that is running the gadgetfs side.(CVE-2022-4382)\r\n\r\nThe Linux kernel allows userspace processes to enable mitigations by calling prctl with PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line.\r\n\r\nThis happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target injection against which STIBP protects.\r\n\r\n\n(CVE-2023-1998)\r\n\r\nThe specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.(CVE-2023-2007)\r\n\r\nA null pointer dereference issue was found in can protocol in net/can/af_can.c in the Linux before Linux. ml_priv may not be initialized in the receive path of CAN frames. A local user could use this flaw to crash the system or potentially cause a denial of service.(CVE-2023-2166)\r\n\r\nA vulnerability was found in compare_netdev_and_ip in drivers/infiniband/core/cma.c in RDMA in the Linux Kernel. The improper cleanup results in out-of-boundary read, where a local user can utilize this problem to crash the system or escalation of privilege.(CVE-2023-2176)\r\n\r\nAn out-of-bounds write vulnerability was found in the Linux kernel's SLIMpro I2C device driver. The userspace \"data->block[0]\" variable was not capped to a number between 0-255 and was used as the size of a memcpy, possibly writing beyond the end of dma_buffer. This flaw could allow a local privileged user to crash the system or potentially achieve code execution.(CVE-2023-2194)\r\n\r\nA denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-component.(CVE-2023-2269)\r\n\r\nA speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11(CVE-2023-0458)\r\n\r\nqfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.(CVE-2023-31436)\n\nA flaw was found in the Linux kernel s udmabuf device driver. The specific flaw exists within a fault handler. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an array. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel.(CVE-2023-2008)",
+    "cves": [
+      {
+        "id": "CVE-2023-2008",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2008",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1430": {
+    "id": "openEuler-SA-2021-1430",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1430",
+    "title": "An update for php is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server.\r\n\r\nSecurity Fix(es):\r\n\r\nIn PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from local unprivileged user to the root user.(CVE-2021-21703)",
+    "cves": [
+      {
+        "id": "CVE-2021-21703",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21703",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1372": {
+    "id": "openEuler-SA-2023-1372",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1372",
+    "title": "An update for wireshark is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "Wireshark allows you to examine protocol data stored in files or as it is captured from wired or wireless (WiFi or Bluetooth) networks, USB devices, and many other sources.  It supports dozens of protocol capture file formats and understands more than a thousand protocols. It has many powerful features including a rich display filter language and the ability to reassemble multiple protocol packets in order to, for example, view a complete TCP stream, save the contents of a file which was transferred over HTTP or CIFS, or play back an RTP audio stream.\n\nSecurity Fix(es):\n\nDue to failure in validating the length provided by an attacker-crafted MSMMS packet, Wireshark version 4.0.5 and prior, in an unusual configuration, is susceptible to a heap-based buffer overflow, and possibly code execution in the context of the process running Wireshark(CVE-2023-0667)",
+    "cves": [
+      {
+        "id": "CVE-2023-0667",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0667",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1703": {
+    "id": "openEuler-SA-2024-1703",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1703",
+    "title": "An update for libldb is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "An extensible library that implements an LDAP like API to access remote LDAP servers, or use local tdb databases.\r\n\r\nSecurity Fix(es):\r\n\r\nMaxQueryDuration not honoured in Samba AD DC LDAP(CVE-2021-3670)",
+    "cves": [
+      {
+        "id": "CVE-2021-3670",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3670",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1565": {
+    "id": "openEuler-SA-2022-1565",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1565",
+    "title": "An update for ansible is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Ansible is a radically simple model-driven configuration management, multi-node deployment, and remote task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. %if 0 Provides:            ansible-python3 = - Obsoletes:           ansible-python3 < - BuildRequires:       python3-devel python3-setuptools BuildRequires:       python3-PyYAML python3-paramiko python3-crypto python3-packaging BuildRequires:       python3-pexpect python3-winrm BuildRequires:       git-core %if %with_docs BuildRequires:       python3-sphinx python3-sphinx-theme-alabaster asciidoc %endif BuildRequires:       python3-six python3-nose python3-pytest python3-pytest-xdist BuildRequires:       python3-pytest-mock python3-requests python3-coverage python3-mock BuildRequires:       python3-boto3 python3-botocore python3-passlib python3-jinja2 Requires:            python3-PyYAML python3-paramiko python3-crypto python3-setuptools python3-six Requires:            python3-jinja2 sshpass python3-jmespath %description Ansible is a radically simple model-driven configuration management, multi-node deployment, and remote task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. This package installs versions of ansible that execute on Python3. %endif\r\n\r\nSecurity Fix(es):\r\n\r\nAnsible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path.(CVE-2019-3828)",
+    "cves": [
+      {
+        "id": "CVE-2019-3828",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3828",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1426": {
+    "id": "openEuler-SA-2021-1426",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1426",
+    "title": "An update for SDL is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Simple DirectMedia Layer(SDL) is a cross-platform development library designed\\ to provide low level access to audio, keyboard, mouse, joystick, and graphics\\ hardware via OpenGL and Direct3D. It is used by video playback software, emulators,\\ and popular games including Valve's award winning catalog and many Humble Bundle games.\\\r\n\r\nSecurity Fix(es):\r\n\r\nSDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c.(CVE-2019-7572)\r\n\r\nSDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c.(CVE-2019-7574)\r\n\r\nSDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c.(CVE-2019-7575)",
+    "cves": [
+      {
+        "id": "CVE-2019-7575",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7575",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2008": {
+    "id": "openEuler-SA-2022-2008",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2008",
+    "title": "An update for libexif is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Most digital cameras produce EXIF files, which are JPEG files with extra tags that contain information about the image. The EXIF library allows you to parse an EXIF file and read the data from those tags.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nIn libexif, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege in the media content provider with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112537774(CVE-2019-9278)\r\n\r\nIn exif_data_save_data_entry of exif-data.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-148705132(CVE-2020-0093)\r\n\r\nIn exif_data_load_data_thumbnail of exif-data.c, there is a possible denial of service due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-145075076(CVE-2020-0181)\r\n\r\nIn exif_data_load_data_content of exif-data.c, there is a possible UBSAN abort due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-146428941(CVE-2020-0198)",
+    "cves": [
+      {
+        "id": "CVE-2020-0198",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0198",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1630": {
+    "id": "openEuler-SA-2023-1630",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1630",
+    "title": "An update for open-vm-tools is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The  project is an open source implementation of VMware Tools. It is a suite of open source virtualization utilities and drivers to improve the functionality, user experience and administration of VMware virtual machines. This package contains only the core user-space programs and libraries of .\r\n\r\nSecurity Fix(es):\r\n\r\nA fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine.(CVE-2023-20867)\r\n\r\nA malicious actor that has been granted  Guest Operation Privileges https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html  in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged  Guest Alias https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html .(CVE-2023-20900)",
+    "cves": [
+      {
+        "id": "CVE-2023-20900",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20900",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1685": {
+    "id": "openEuler-SA-2023-1685",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1685",
+    "title": "An update for firefox is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Mozilla Firefox is a standalone web browser, designed for standards compliance and performance.  Its functionality can be enhanced via a plethora of extensions.\r\n\r\nSecurity Fix(es):\r\n\r\nThere exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free. \n(CVE-2023-1999)",
+    "cves": [
+      {
+        "id": "CVE-2023-1999",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1999",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1408": {
+    "id": "openEuler-SA-2021-1408",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1408",
+    "title": "An update for strongswan is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "The strongSwan IPsec implementation supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel.\r\n\r\nSecurity Fix(es):\r\n\r\nThe gmp plugin in strongSwan before 5.9.4 has a remote integer overflow via a crafted certificate with an RSASSA-PSS signature. For example, this can be triggered by an unrelated self-signed CA certificate sent by an initiator. Remote code execution cannot occur.(CVE-2021-41990)\r\n\r\nThe in-memory certificate cache in strongSwan before 5.9.4 has a remote integer overflow upon receiving many requests with different certificates to fill the cache and later trigger the replacement of cache entries. The code attempts to select a less-often-used cache entry by means of a random number generator, but this is not done correctly. Remote code execution might be a slight possibility.(CVE-2021-41991)",
+    "cves": [
+      {
+        "id": "CVE-2021-41991",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41991",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1855": {
+    "id": "openEuler-SA-2022-1855",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1855",
+    "title": "An update for trafficserver is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Apache Traffic Server is an OpenSource HTTP / HTTPS / HTTP/2 / QUIC reverse, forward and transparent proxy and cache.\r\n\r\nSecurity Fix(es):\r\n\r\nImproper Input Validation vulnerability in HTTP/2 header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.(CVE-2022-31779)",
+    "cves": [
+      {
+        "id": "CVE-2022-31779",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31779",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1313": {
+    "id": "openEuler-SA-2021-1313",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1313",
+    "title": "An update for c-ares is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "This is c-ares, an asynchronous resolver library. It is intended for applications which need to perform DNS queries without blocking, or need to perform multiple.\r\n\r\nSecurity Fix(es):\r\n\r\nMissing input validation of host names returned by Domain Name Servers in the c-ares library can lead to output of wrong hostnames (leading to Domain Hijacking).(CVE-2021-3672)",
+    "cves": [
+      {
+        "id": "CVE-2021-3672",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3672",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1306": {
+    "id": "openEuler-SA-2021-1306",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1306",
+    "title": "An update for ruby is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Ruby is a fast and easy interpreted scripting language for object-oriented programming. It has many functions for processing text Files and perform system management tasks (such as Perl).\r\n\r\nSecurity Fix(es):\r\n\r\nIn RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.(CVE-2021-31799)\r\n\r\nAn issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).(CVE-2021-31810)\r\n\r\nAn issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"(CVE-2021-32066)",
+    "cves": [
+      {
+        "id": "CVE-2021-32066",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32066",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1409": {
+    "id": "openEuler-SA-2021-1409",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1409",
+    "title": "An update for nodejs is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.\r\n\r\nSecurity Fix(es):\r\n\r\nNode.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.(CVE-2021-22930)",
+    "cves": [
+      {
+        "id": "CVE-2021-22930",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22930",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1452": {
+    "id": "openEuler-SA-2021-1452",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1452",
+    "title": "An update for redis5 is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Redis is an advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. You can run atomic operations on these types, like appending to a string; incrementing the value in a hash; pushing to a list; computing set intersection, union and difference; or getting the member with highest ranking in a sorted set. In order to achieve its outstanding performance, Redis works with an in-memory dataset. Depending on your use case, you can persist it either by dumping the dataset to disk every once in a while, or by appending each command to a log. Redis also supports trivial-to-setup master-slave replication, with very fast non-blocking first synchronization, auto-reconnection on net split and so forth. Other features include Transactions, Pub/Sub, Lua scripting, Keys with a limited time-to-live, and configuration settings to make Redis behave like a cache. You can use Redis from most programming languages also.\r\n\r\nSecurity Fix(es):\r\n\r\nRedis is an open source, in-memory database that persists on disk. In affected versions specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. This can result with heap corruption and potentially remote code execution. This problem exists in all versions of Redis with Lua scripting support, starting from 2.6. The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14. For users unable to update an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.(CVE-2021-32626)\r\n\r\nRedis is an open source, in-memory database that persists on disk. In affected versions an integer overflow bug in Redis can be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves changing the default proto-max-bulk-len and client-query-buffer-limit configuration parameters to very large values and constructing specially crafted very large stream elements. The problem is fixed in Redis 6.2.6, 6.0.16 and 5.0.14. For users unable to upgrade an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the proto-max-bulk-len configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.(CVE-2021-32627)\r\n\r\nRedis is an open source, in-memory database that persists on disk. An integer overflow bug in the ziplist data structure used by all versions of Redis can be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves modifying the default ziplist configuration parameters (hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value) to a very large value, and then constructing specially crafted commands to create very large ziplists. The problem is fixed in Redis versions 6.2.6, 6.0.16, 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the above configuration parameters. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.(CVE-2021-32628)\r\n\r\nRedis is an open source, in-memory database that persists on disk. An integer overflow bug affecting all versions of Redis can be exploited to corrupt the heap and potentially be used to leak arbitrary contents of the heap or trigger remote code execution. The vulnerability involves changing the default set-max-intset-entries configuration parameter to a very large value and constructing specially crafted commands to manipulate sets. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the set-max-intset-entries configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.(CVE-2021-32687)\r\n\r\nRedis is an open source, in-memory database that persists on disk. When parsing an incoming Redis Standard Protocol (RESP) request, Redis allocates memory according to user-specified values which determine the number of elements (in the multi-bulk header) and size of each element (in the bulk header). An attacker delivering specially crafted requests over multiple connections can cause the server to allocate significant amount of memory. Because the same parsing mechanism is used to handle authentication requests, this vulnerability can also be exploited by unauthenticated users. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This can be done in different ways: Using network access control tools like firewalls, iptables, security groups, etc. or Enabling TLS and requiring users to authenticate using client side certificates.(CVE-2021-32675)\r\n\r\nRedis is an open source, in-memory database that persists on disk. The redis-cli command line tool and redis-sentinel service may be vulnerable to integer overflow when parsing specially crafted large multi-bulk network replies. This is a result of a vulnerability in the underlying hiredis library which does not perform an overflow check before calling the calloc() heap allocation function. This issue only impacts systems with heap allocators that do not perform their own overflow checks. Most modern systems do and are therefore not likely to be affected. Furthermore, by default redis-sentinel uses the jemalloc allocator which is also not vulnerable. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14.(CVE-2021-32762)\r\n\r\nRedis is an open source, in-memory database that persists on disk. An integer overflow bug in the underlying string library can be used to corrupt the heap and potentially result with denial of service or remote code execution. The vulnerability involves changing the default proto-max-bulk-len configuration parameter to a very large value and constructing specially crafted network payloads or commands. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the proto-max-bulk-len configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.(CVE-2021-41099)",
+    "cves": [
+      {
+        "id": "CVE-2021-41099",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41099",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1934": {
+    "id": "openEuler-SA-2022-1934",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1934",
+    "title": "An update for rubygem-bundler is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\n`Bundler` is a package for managing application dependencies in Ruby. In `bundler` versions before 2.2.33, when working with untrusted and apparently harmless `Gemfile`'s, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code inside the `Gemfile` itself. However, if the `Gemfile` includes `gem` entries that use the `git` option with invalid, but seemingly harmless, values with a leading dash, this can be false. To handle dependencies that come from a Git repository instead of a registry, Bundler uses various commands, such as `git clone`. These commands are being constructed using user input (e.g. the repository URL). When building the commands, Bundler versions before 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. Since this value comes from the `Gemfile` file, it can contain any character, including a leading dash. To exploit this vulnerability, an attacker has to craft a directory containing a `Gemfile` file that declares a dependency that is located in a Git repository. This dependency has to have a Git URL in the form of `-u./payload`. This URL will be used to construct a Git clone command but will be interpreted as the upload-pack argument. Then this directory needs to be shared with the victim, who then needs to run a command that evaluates the Gemfile, such as `bundle lock`, inside. This vulnerability can lead to Arbitrary Code Execution, which could potentially lead to the takeover of the system. However, the exploitability is very low, because it requires a lot of user interaction. Bundler 2.2.33 has patched this problem by inserting `--` as an argument before any positional arguments to those Git commands that were affected by this issue. Regardless of whether users can upgrade or not, they should review any untrustred `Gemfile`'s before running any `bundler` commands that may read them, since they can contain arbitrary ruby code.(CVE-2021-43809)",
+    "cves": [
+      {
+        "id": "CVE-2021-43809",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43809",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1389": {
+    "id": "openEuler-SA-2024-1389",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1389",
+    "title": "An update for nghttp2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The framing layer of HTTP/2 is implemented as a form of reusable C library. On top of that, we have implemented HTTP/2 client, server and proxy. We have also developed load test and benchmarking tool for HTTP/2.\r\n\r\nSecurity Fix(es):\r\n\r\nnghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync.  This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.(CVE-2024-28182)",
+    "cves": [
+      {
+        "id": "CVE-2024-28182",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28182",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1557": {
+    "id": "openEuler-SA-2024-1557",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1557",
+    "title": "An update for xorg-x11-server-xwayland is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Xwayland is an X server for running X clients under Wayland.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in xorg-server. A specially crafted request to RRChangeProviderProperty or RRChangeOutputProperty can trigger an integer overflow which may lead to a disclosure of sensitive information.(CVE-2023-6478)\r\n\r\nA flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255, but the X.Org Server was only allocating space for the device's particular number of buttons, leading to a heap overflow if a bigger value was used.(CVE-2023-6816)\r\n\r\nA flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues another request to access that resource (as with a GetGeometry) or when it creates another resource that needs to access that buffer, such as a GC, the XSELINUX code will try to use an object that was never labeled and crash because the SID is NULL.(CVE-2024-0408)\r\n\r\nA heap-based buffer over-read vulnerability was found in the X.org server's ProcXIGetSelectedEvents() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.(CVE-2024-31080)\r\n\r\nA heap-based buffer over-read vulnerability was found in the X.org server's ProcXIPassiveGrabDevice() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.(CVE-2024-31081)",
+    "cves": [
+      {
+        "id": "CVE-2024-31081",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31081",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1766": {
+    "id": "openEuler-SA-2022-1766",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1766",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nOut-of-bounds Write in GitHub repository vim/vim prior to 8.2.(CVE-2022-2210)\r\n\r\nOut-of-bounds Read in GitHub repository vim/vim prior to 9.0.(CVE-2022-2257)\r\n\r\nHeap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.(CVE-2022-2264)\r\n\r\nOut-of-bounds Read in GitHub repository vim/vim prior to 9.0.(CVE-2022-2286)\r\n\r\nOut-of-bounds Read in GitHub repository vim/vim prior to 9.0.(CVE-2022-2287)\r\n\r\nUse After Free in GitHub repository vim/vim prior to 9.0.(CVE-2022-2289)\r\n\r\nHeap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0044.(CVE-2022-2343)",
+    "cves": [
+      {
+        "id": "CVE-2022-2343",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2343",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1745": {
+    "id": "openEuler-SA-2023-1745",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1745",
+    "title": "An update for libcue is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Libcue is intended for parsing a so-called cue sheet from a char string or a file pointer. For handling of the parsed data a convenient API is available.\r\n\r\nSecurity Fix(es):\r\n\r\nlibcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution. This issue is patched in version 2.3.0.(CVE-2023-43641)",
+    "cves": [
+      {
+        "id": "CVE-2023-43641",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43641",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1871": {
+    "id": "openEuler-SA-2023-1871",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1871",
+    "title": "An update for gdb is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "GDB, the GNU Project debugger, allows you to see what is going on inside another program while it executes -- or what another program was doing at the moment it crashed.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a heap buffer overflow via the function pe_as16() at /gdb/coff-pe-read.c.(CVE-2023-39130)",
+    "cves": [
+      {
+        "id": "CVE-2023-39130",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39130",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1081": {
+    "id": "openEuler-SA-2023-1081",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1081",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Go Programming Language\r\n\r\nSecurity Fix(es):\r\n\r\nAn attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.(CVE-2022-41717)",
+    "cves": [
+      {
+        "id": "CVE-2022-41717",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1265": {
+    "id": "openEuler-SA-2021-1265",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1265",
+    "title": "An update for isula-build is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Low",
+    "description": "isula-build is a tool used for container images building.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen using isula-build to build container images, some functions for processing external data do not remove spaces when processing data. This vulnerability can cause a program crash. The open-source software isula-build fuzzing test shows that when multiple spaces are added to the end of 'RUN' will cause a isula-builder panic, for example, `RUN echo \"hello\" <space><space>..`(CVE-2021-33629)",
+    "cves": [
+      {
+        "id": "CVE-2021-33629",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33629",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1885": {
+    "id": "openEuler-SA-2022-1885",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1885",
+    "title": "An update for OpenEXR is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light & Magic for use in computer imaging applications.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in OpenEXR's B44Compressor. This flaw allows an attacker who can submit a crafted file to be processed by OpenEXR, to exhaust all memory accessible to the application. The highest threat from this vulnerability is to system availability.(CVE-2021-20298)",
+    "cves": [
+      {
+        "id": "CVE-2021-20298",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20298",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1824": {
+    "id": "openEuler-SA-2022-1824",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1824",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nnfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len.(CVE-2022-36946)\n\nA use-after-free flaw was found in the Linux kernel’s Atheros wireless adapter driver in the way a user forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local user to crash or potentially escalate their privileges on the system.(CVE-2022-1679)\n\nio_uring use work_flags to determine which identity need to grab from the calling process to make sure it is consistent with the calling process when executing IORING_OP. Some operations are missing some types, which can lead to incorrect reference counts which can then lead to a double free. We recommend upgrading the kernel past commit df3f3bb5059d20ef094d6b2f0256c4bf4127a859(CVE-2022-2327)\n\nAn integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system.(CVE-2022-2639)",
+    "cves": [
+      {
+        "id": "CVE-2022-2639",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2639",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1711": {
+    "id": "openEuler-SA-2023-1711",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1711",
+    "title": "An update for firefox is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Mozilla Firefox is a standalone web browser, designed for standards compliance and performance.  Its functionality can be enhanced via a plethora of extensions.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen receiving rendering data over IPC `mStream` could have been destroyed when initialized, which could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.(CVE-2023-4573)\r\n\r\nWhen creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks could have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.(CVE-2023-4574)\r\n\r\nWhen creating a callback over IPC for showing the File Picker window, multiple of the same callbacks could have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.(CVE-2023-4575)\r\n\r\nExcel `.xll` add-in files did not have a blocklist entry in Firefox's executable blocklist which allowed them to be downloaded without any warning of their potential harm. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.(CVE-2023-4581)\r\n\r\nMemory safety bugs present in Firefox 116, Firefox ESR 102.14, Firefox ESR 115.1, Thunderbird 102.14, and Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.(CVE-2023-4584)\r\n\r\nHeap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)(CVE-2023-4863)",
+    "cves": [
+      {
+        "id": "CVE-2023-4863",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4863",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1230": {
+    "id": "openEuler-SA-2021-1230",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1230",
+    "title": "An update for polkit is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "polkit is a toolkit for defining and handling authorizations. It is used for allowing unprivileged processes to speak to privileged processes.\n\nSecurity Fix(es):\n\nA flaw was found in polkit. When a requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts, the process cannot get a unique uid and pid of the process and it cannot verify the privileges of the requesting process. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2021-3560)",
+    "cves": [
+      {
+        "id": "CVE-2021-3560",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3560",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2061": {
+    "id": "openEuler-SA-2022-2061",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2061",
+    "title": "An update for postgresql is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "PostgreSQL is an advanced Object-Relational database management system (DBMS) that supports almost all SQL constructs (including transactions, subselects and user-defined types and functions). The postgresql package includes the client programs and libraries that you'll need to access a PostgreSQL DBMS server.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.(CVE-2021-23214)\r\n\r\nA man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption.(CVE-2021-23222)",
+    "cves": [
+      {
+        "id": "CVE-2021-23222",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23222",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1485": {
+    "id": "openEuler-SA-2024-1485",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1485",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nuio_hv_generic: Fix another memory leak in error handling paths\r\n\r\nMemory allocated by 'vmbus_alloc_ring()' at the beginning of the probe\nfunction is never freed in the error handling path.\r\n\r\nAdd the missing 'vmbus_free_ring()' call.\r\n\r\nNote that it is already freed in the .remove function.(CVE-2021-47070)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nasix: fix uninit-value in asix_mdio_read()\r\n\r\nasix_read_cmd() may read less than sizeof(smsr) bytes and in this case\nsmsr will be uninitialized.\r\n\r\nFail log:\nBUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]\nBUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497\nBUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497\n asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]\n asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497\n asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497(CVE-2021-47101)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nEDAC/thunderx: Fix possible out-of-bounds string access\r\n\r\nEnabling -Wstringop-overflow globally exposes a warning for a common bug\nin the usage of strncat():\r\n\r\n  drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':\n  drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]\n   1136 |                 strncat(msg, other, OCX_MESSAGE_SIZE);\n        |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n   ...\n   1145 |                                 strncat(msg, other, OCX_MESSAGE_SIZE);\n   ...\n   1150 |                                 strncat(msg, other, OCX_MESSAGE_SIZE);\r\n\r\n   ...\r\n\r\nApparently the author of this driver expected strncat() to behave the\nway that strlcat() does, which uses the size of the destination buffer\nas its third argument rather than the length of the source buffer. The\nresult is that there is no check on the size of the allocated buffer.\r\n\r\nChange it to strlcat().\r\n\r\n  [ bp: Trim compiler output, fixup commit message. ](CVE-2023-52464)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nInput: powermate - fix use-after-free in powermate_config_complete\r\n\r\nsyzbot has found a use-after-free bug [1] in the powermate driver. This\nhappens when the device is disconnected, which leads to a memory free from\nthe powermate_device struct.  When an asynchronous control message\ncompletes after the kfree and its callback is invoked, the lock does not\nexist anymore and hence the bug.\r\n\r\nUse usb_kill_urb() on pm->config to cancel any in-progress requests upon\ndevice disconnection.\r\n\r\n[1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e(CVE-2023-52475)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command\r\n\r\nTags allocated for OPC_INB_SET_CONTROLLER_CONFIG command need to be freed\nwhen we receive the response.(CVE-2023-52500)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfc: nci: assert requested protocol is valid\r\n\r\nThe protocol is used in a bit mask to determine if the protocol is\nsupported. Assert the provided protocol is less than the maximum\ndefined so it doesn't potentially perform a shift-out-of-bounds and\nprovide a clearer error for undefined protocols vs unsupported ones.(CVE-2023-52507)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nieee802154: ca8210: Fix a potential UAF in ca8210_probe\r\n\r\nIf of_clk_add_provider() fails in ca8210_register_ext_clock(),\nit calls clk_unregister() to release priv->clk and returns an\nerror. However, the caller ca8210_probe() then calls ca8210_remove(),\nwhere priv->clk is freed again in ca8210_unregister_ext_clock(). In\nthis case, a use-after-free may happen in the second time we call\nclk_unregister().\r\n\r\nFix this by removing the first clk_unregister(). Also, priv->clk could\nbe an error code on failure of clk_register_fixed_rate(). Use\nIS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock().(CVE-2023-52510)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/srp: Do not call scsi_done() from srp_abort()\r\n\r\nAfter scmd_eh_abort_handler() has called the SCSI LLD eh_abort_handler\ncallback, it performs one of the following actions:\n* Call scsi_queue_insert().\n* Call scsi_finish_command().\n* Call scsi_eh_scmd_add().\nHence, SCSI abort handlers must not call scsi_done(). Otherwise all\nthe above actions would trigger a use-after-free. Hence remove the\nscsi_done() call from srp_abort(). Keep the srp_free_req() call\nbefore returning SUCCESS because we may not see the command again if\nSUCCESS is returned.(CVE-2023-52515)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndma-debug: don't call __dma_entry_alloc_check_leak() under free_entries_lock\r\n\r\n__dma_entry_alloc_check_leak() calls into printk -> serial console\noutput (qcom geni) and grabs port->lock under free_entries_lock\nspin lock, which is a reverse locking dependency chain as qcom_geni\nIRQ handler can call into dma-debug code and grab free_entries_lock\nunder port->lock.\r\n\r\nMove __dma_entry_alloc_check_leak() call out of free_entries_lock\nscope so that we don't acquire serial console's port->lock under it.\r\n\r\nTrimmed-down lockdep splat:\r\n\r\n The existing dependency chain (in reverse order) is:\r\n\r\n               -> #2 (free_entries_lock){-.-.}-{2:2}:\n        _raw_spin_lock_irqsave+0x60/0x80\n        dma_entry_alloc+0x38/0x110\n        debug_dma_map_page+0x60/0xf8\n        dma_map_page_attrs+0x1e0/0x230\n        dma_map_single_attrs.constprop.0+0x6c/0xc8\n        geni_se_rx_dma_prep+0x40/0xcc\n        qcom_geni_serial_isr+0x310/0x510\n        __handle_irq_event_percpu+0x110/0x244\n        handle_irq_event_percpu+0x20/0x54\n        handle_irq_event+0x50/0x88\n        handle_fasteoi_irq+0xa4/0xcc\n        handle_irq_desc+0x28/0x40\n        generic_handle_domain_irq+0x24/0x30\n        gic_handle_irq+0xc4/0x148\n        do_interrupt_handler+0xa4/0xb0\n        el1_interrupt+0x34/0x64\n        el1h_64_irq_handler+0x18/0x24\n        el1h_64_irq+0x64/0x68\n        arch_local_irq_enable+0x4/0x8\n        ____do_softirq+0x18/0x24\n        ...\r\n\r\n               -> #1 (&port_lock_key){-.-.}-{2:2}:\n        _raw_spin_lock_irqsave+0x60/0x80\n        qcom_geni_serial_console_write+0x184/0x1dc\n        console_flush_all+0x344/0x454\n        console_unlock+0x94/0xf0\n        vprintk_emit+0x238/0x24c\n        vprintk_default+0x3c/0x48\n        vprintk+0xb4/0xbc\n        _printk+0x68/0x90\n        register_console+0x230/0x38c\n        uart_add_one_port+0x338/0x494\n        qcom_geni_serial_probe+0x390/0x424\n        platform_probe+0x70/0xc0\n        really_probe+0x148/0x280\n        __driver_probe_device+0xfc/0x114\n        driver_probe_device+0x44/0x100\n        __device_attach_driver+0x64/0xdc\n        bus_for_each_drv+0xb0/0xd8\n        __device_attach+0xe4/0x140\n        device_initial_probe+0x1c/0x28\n        bus_probe_device+0x44/0xb0\n        device_add+0x538/0x668\n        of_device_add+0x44/0x50\n        of_platform_device_create_pdata+0x94/0xc8\n        of_platform_bus_create+0x270/0x304\n        of_platform_populate+0xac/0xc4\n        devm_of_platform_populate+0x60/0xac\n        geni_se_probe+0x154/0x160\n        platform_probe+0x70/0xc0\n        ...\r\n\r\n               -> #0 (console_owner){-...}-{0:0}:\n        __lock_acquire+0xdf8/0x109c\n        lock_acquire+0x234/0x284\n        console_flush_all+0x330/0x454\n        console_unlock+0x94/0xf0\n        vprintk_emit+0x238/0x24c\n        vprintk_default+0x3c/0x48\n        vprintk+0xb4/0xbc\n        _printk+0x68/0x90\n        dma_entry_alloc+0xb4/0x110\n        debug_dma_map_sg+0xdc/0x2f8\n        __dma_map_sg_attrs+0xac/0xe4\n        dma_map_sgtable+0x30/0x4c\n        get_pages+0x1d4/0x1e4 [msm]\n        msm_gem_pin_pages_locked+0x38/0xac [msm]\n        msm_gem_pin_vma_locked+0x58/0x88 [msm]\n        msm_ioctl_gem_submit+0xde4/0x13ac [msm]\n        drm_ioctl_kernel+0xe0/0x15c\n        drm_ioctl+0x2e8/0x3f4\n        vfs_ioctl+0x30/0x50\n        ...\r\n\r\n Chain exists of:\n   console_owner --> &port_lock_key --> free_entries_lock\r\n\r\n  Possible unsafe locking scenario:\r\n\r\n        CPU0                    CPU1\n        ----                    ----\n   lock(free_entries_lock);\n                                lock(&port_lock_key);\n                                lock(free_entries_lock);\n   lock(console_owner);\r\n\r\n                *** DEADLOCK ***\r\n\r\n Call trace:\n  dump_backtrace+0xb4/0xf0\n  show_stack+0x20/0x30\n  dump_stack_lvl+0x60/0x84\n  dump_stack+0x18/0x24\n  print_circular_bug+0x1cc/0x234\n  check_noncircular+0x78/0xac\n  __lock_acquire+0xdf8/0x109c\n  lock_acquire+0x234/0x284\n  console_flush_all+0x330/0x454\n  consol\n---truncated---(CVE-2023-52516)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: fix possible store tearing in neigh_periodic_work()\r\n\r\nWhile looking at a related syzbot report involving neigh_periodic_work(),\nI found that I forgot to add an annotation when deleting an\nRCU protected item from a list.\r\n\r\nReaders use rcu_deference(*np), we need to use either\nrcu_assign_pointer() or WRITE_ONCE() on writer side\nto prevent store tearing.\r\n\r\nI use rcu_assign_pointer() to have lockdep support,\nthis was the choice made in neigh_flush_dev().(CVE-2023-52522)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: mac80211: fix potential key use-after-free\r\n\r\nWhen ieee80211_key_link() is called by ieee80211_gtk_rekey_add()\nbut returns 0 due to KRACK protection (identical key reinstall),\nieee80211_gtk_rekey_add() will still return a pointer into the\nkey, in a potential use-after-free. This normally doesn't happen\nsince it's only called by iwlwifi in case of WoWLAN rekey offload\nwhich has its own KRACK protection, but still better to fix, do\nthat by returning an error code and converting that to success on\nthe cfg80211 boundary only, leaving the error for bad callers of\nieee80211_gtk_rekey_add().(CVE-2023-52530)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm/damon/vaddr-test: fix memory leak in damon_do_test_apply_three_regions()\r\n\r\nWhen CONFIG_DAMON_VADDR_KUNIT_TEST=y and making CONFIG_DEBUG_KMEMLEAK=y\nand CONFIG_DEBUG_KMEMLEAK_AUTO_SCAN=y, the below memory leak is detected.\r\n\r\nSince commit 9f86d624292c (\"mm/damon/vaddr-test: remove unnecessary\nvariables\"), the damon_destroy_ctx() is removed, but still call\ndamon_new_target() and damon_new_region(), the damon_region which is\nallocated by kmem_cache_alloc() in damon_new_region() and the damon_target\nwhich is allocated by kmalloc in damon_new_target() are not freed.  And\nthe damon_region which is allocated in damon_new_region() in\ndamon_set_regions() is also not freed.\r\n\r\nSo use damon_destroy_target to free all the damon_regions and damon_target.\r\n\r\n    unreferenced object 0xffff888107c9a940 (size 64):\n      comm \"kunit_try_catch\", pid 1069, jiffies 4294670592 (age 732.761s)\n      hex dump (first 32 bytes):\n        00 00 00 00 00 00 00 00 06 00 00 00 6b 6b 6b 6b  ............kkkk\n        60 c7 9c 07 81 88 ff ff f8 cb 9c 07 81 88 ff ff  `...............\n      backtrace:\n        [<ffffffff817e0167>] kmalloc_trace+0x27/0xa0\n        [<ffffffff819c11cf>] damon_new_target+0x3f/0x1b0\n        [<ffffffff819c7d55>] damon_do_test_apply_three_regions.constprop.0+0x95/0x3e0\n        [<ffffffff819c82be>] damon_test_apply_three_regions1+0x21e/0x260\n        [<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90\n        [<ffffffff81237cf6>] kthread+0x2b6/0x380\n        [<ffffffff81097add>] ret_from_fork+0x2d/0x70\n        [<ffffffff81003791>] ret_from_fork_asm+0x11/0x20\n    unreferenced object 0xffff8881079cc740 (size 56):\n      comm \"kunit_try_catch\", pid 1069, jiffies 4294670592 (age 732.761s)\n      hex dump (first 32 bytes):\n        05 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00  ................\n        6b 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 6b 6b 6b 6b  kkkkkkkk....kkkk\n      backtrace:\n        [<ffffffff819bc492>] damon_new_region+0x22/0x1c0\n        [<ffffffff819c7d91>] damon_do_test_apply_three_regions.constprop.0+0xd1/0x3e0\n        [<ffffffff819c82be>] damon_test_apply_three_regions1+0x21e/0x260\n        [<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90\n        [<ffffffff81237cf6>] kthread+0x2b6/0x380\n        [<ffffffff81097add>] ret_from_fork+0x2d/0x70\n        [<ffffffff81003791>] ret_from_fork_asm+0x11/0x20\n    unreferenced object 0xffff888107c9ac40 (size 64):\n      comm \"kunit_try_catch\", pid 1071, jiffies 4294670595 (age 732.843s)\n      hex dump (first 32 bytes):\n        00 00 00 00 00 00 00 00 06 00 00 00 6b 6b 6b 6b  ............kkkk\n        a0 cc 9c 07 81 88 ff ff 78 a1 76 07 81 88 ff ff  ........x.v.....\n      backtrace:\n        [<ffffffff817e0167>] kmalloc_trace+0x27/0xa0\n        [<ffffffff819c11cf>] damon_new_target+0x3f/0x1b0\n        [<ffffffff819c7d55>] damon_do_test_apply_three_regions.constprop.0+0x95/0x3e0\n        [<ffffffff819c851e>] damon_test_apply_three_regions2+0x21e/0x260\n        [<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90\n        [<ffffffff81237cf6>] kthread+0x2b6/0x380\n        [<ffffffff81097add>] ret_from_fork+0x2d/0x70\n        [<ffffffff81003791>] ret_from_fork_asm+0x11/0x20\n    unreferenced object 0xffff8881079ccc80 (size 56):\n      comm \"kunit_try_catch\", pid 1071, jiffies 4294670595 (age 732.843s)\n      hex dump (first 32 bytes):\n        05 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00  ................\n        6b 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 6b 6b 6b 6b  kkkkkkkk....kkkk\n      backtrace:\n        [<ffffffff819bc492>] damon_new_region+0x22/0x1c0\n        [<ffffffff819c7d91>] damon_do_test_apply_three_regions.constprop.0+0xd1/0x3e0\n        [<ffffffff819c851e>] damon_test_apply_three_regions2+0x21e/0x260\n        [<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90\n        [<ffffffff81237cf6>] kthread+0x2b6/0x380\n        [<ffffffff81097add>] ret_from_fork+0x2d/0x70\n        [<ffff\n---truncated---(CVE-2023-52560)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\narm64: dts: qcom: sdm845-db845c: Mark cont splash memory region as reserved\r\n\r\nAdding a reserved memory region for the framebuffer memory\n(the splash memory region set up by the bootloader).\r\n\r\nIt fixes a kernel panic (arm-smmu: Unhandled context fault\nat this particular memory region) reported on DB845c running\nv5.10.y.(CVE-2023-52561)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix potential use after free in nilfs_gccache_submit_read_data()\r\n\r\nIn nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the\nreference count of bh when the call to nilfs_dat_translate() fails.  If\nthe reference count hits 0 and its owner page gets unlocked, bh may be\nfreed.  However, bh->b_page is dereferenced to put the page after that,\nwhich may result in a use-after-free bug.  This patch moves the release\noperation after unlocking and putting the page.\r\n\r\nNOTE: The function in question is only called in GC, and in combination\nwith current userland tools, address translation using DAT does not occur\nin that function, so the code path that causes this issue will not be\nexecuted.  However, it is possible to run that code path by intentionally\nmodifying the userland GC library or by calling the GC ioctl directly.\r\n\r\n[konishi.ryusuke@gmail.com: NOTE added to the commit log](CVE-2023-52566)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: rds: Fix possible NULL-pointer dereference\r\n\r\nIn rds_rdma_cm_event_handler_cmn() check, if conn pointer exists\nbefore dereferencing it as rdma_set_service_type() argument\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2023-52573)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: bridge: use DEV_STATS_INC()\r\n\r\nsyzbot/KCSAN reported data-races in br_handle_frame_finish() [1]\nThis function can run from multiple cpus without mutual exclusion.\r\n\r\nAdopt SMP safe DEV_STATS_INC() to update dev->stats fields.\r\n\r\nHandles updates to dev->stats.tx_dropped while we are at it.\r\n\r\n[1]\nBUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish\r\n\r\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1:\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\nbr_nf_hook_thresh+0x1ed/0x220\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\nNF_HOOK include/linux/netfilter.h:304 [inline]\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\nnapi_poll net/core/dev.c:6594 [inline]\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\nrun_ksoftirqd+0x17/0x20 kernel/softirq.c:921\nsmpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164\nkthread+0x1d7/0x210 kernel/kthread.c:388\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\r\n\r\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0:\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\nbr_nf_hook_thresh+0x1ed/0x220\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\nNF_HOOK include/linux/netfilter.h:304 [inline]\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\nnapi_poll net/core/dev.c:6594 [inline]\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\ndo_softirq+0x5e/0x90 kernel/softirq.c:454\n__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381\n__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\n_raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210\nspin_unlock_bh include/linux/spinlock.h:396 [inline]\nbatadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356\nbatadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560\nprocess_one_work kernel/workqueue.c:2630 [inline]\nprocess_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703\nworker_thread+0x525/0x730 kernel/workqueue.c:2784\nkthread+0x1d7/0x210 kernel/kthread.c:388\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\r\n\r\nvalue changed: 0x00000000000d7190 -> 0x00000000000d7191\r\n\r\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f361b9 #0(CVE-2023-52578)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nceph: fix deadlock or deadcode of misusing dget()\r\n\r\nThe lock order is incorrect between denty and its parent, we should\nalways make sure that the parent get the lock first.\r\n\r\nBut since this deadcode is never used and the parent dir will always\nbe set from the callers, let's just remove it.(CVE-2023-52583)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nIB/ipoib: Fix mcast list locking\r\n\r\nReleasing the `priv->lock` while iterating the `priv->multicast_list` in\n`ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to\nremove the items while in the middle of iteration. If the mcast is removed\nwhile the lock was dropped, the for loop spins forever resulting in a hard\nlockup (as was reported on RHEL 4.18.0-372.75.1.el8_6 kernel):\r\n\r\n    Task A (kworker/u72:2 below)       | Task B (kworker/u72:0 below)\n    -----------------------------------+-----------------------------------\n    ipoib_mcast_join_task(work)        | ipoib_ib_dev_flush_light(work)\n      spin_lock_irq(&priv->lock)       | __ipoib_ib_dev_flush(priv, ...)\n      list_for_each_entry(mcast,       | ipoib_mcast_dev_flush(dev = priv->dev)\n          &priv->multicast_list, list) |\n        ipoib_mcast_join(dev, mcast)   |\n          spin_unlock_irq(&priv->lock) |\n                                       |   spin_lock_irqsave(&priv->lock, flags)\n                                       |   list_for_each_entry_safe(mcast, tmcast,\n                                       |                  &priv->multicast_list, list)\n                                       |     list_del(&mcast->list);\n                                       |     list_add_tail(&mcast->list, &remove_list)\n                                       |   spin_unlock_irqrestore(&priv->lock, flags)\n          spin_lock_irq(&priv->lock)   |\n                                       |   ipoib_mcast_remove_list(&remove_list)\n   (Here, `mcast` is no longer on the  |     list_for_each_entry_safe(mcast, tmcast,\n    `priv->multicast_list` and we keep |                            remove_list, list)\n    spinning on the `remove_list` of   |  >>>  wait_for_completion(&mcast->done)\n    the other thread which is blocked  |\n    and the list is still valid on     |\n    it's stack.)\r\n\r\nFix this by keeping the lock held and changing to GFP_ATOMIC to prevent\neventual sleeps.\nUnfortunately we could not reproduce the lockup and confirm this fix but\nbased on the code review I think this fix should address such lockups.\r\n\r\ncrash> bc 31\nPID: 747      TASK: ff1c6a1a007e8000  CPU: 31   COMMAND: \"kworker/u72:2\"\n--\n    [exception RIP: ipoib_mcast_join_task+0x1b1]\n    RIP: ffffffffc0944ac1  RSP: ff646f199a8c7e00  RFLAGS: 00000002\n    RAX: 0000000000000000  RBX: ff1c6a1a04dc82f8  RCX: 0000000000000000\n                                  work (&priv->mcast_task{,.work})\n    RDX: ff1c6a192d60ac68  RSI: 0000000000000286  RDI: ff1c6a1a04dc8000\n           &mcast->list\n    RBP: ff646f199a8c7e90   R8: ff1c699980019420   R9: ff1c6a1920c9a000\n    R10: ff646f199a8c7e00  R11: ff1c6a191a7d9800  R12: ff1c6a192d60ac00\n                                                         mcast\n    R13: ff1c6a1d82200000  R14: ff1c6a1a04dc8000  R15: ff1c6a1a04dc82d8\n           dev                    priv (&priv->lock)     &priv->multicast_list (aka head)\n    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n--- <NMI exception stack> ---\n #5 [ff646f199a8c7e00] ipoib_mcast_join_task+0x1b1 at ffffffffc0944ac1 [ib_ipoib]\n #6 [ff646f199a8c7e98] process_one_work+0x1a7 at ffffffff9bf10967\r\n\r\ncrash> rx ff646f199a8c7e68\nff646f199a8c7e68:  ff1c6a1a04dc82f8 <<< work = &priv->mcast_task.work\r\n\r\ncrash> list -hO ipoib_dev_priv.multicast_list ff1c6a1a04dc8000\n(empty)\r\n\r\ncrash> ipoib_dev_priv.mcast_task.work.func,mcast_mutex.owner.counter ff1c6a1a04dc8000\n  mcast_task.work.func = 0xffffffffc0944910 <ipoib_mcast_join_task>,\n  mcast_mutex.owner.counter = 0xff1c69998efec000\r\n\r\ncrash> b 8\nPID: 8        TASK: ff1c69998efec000  CPU: 33   COMMAND: \"kworker/u72:0\"\n--\n #3 [ff646f1980153d50] wait_for_completion+0x96 at ffffffff9c7d7646\n #4 [ff646f1980153d90] ipoib_mcast_remove_list+0x56 at ffffffffc0944dc6 [ib_ipoib]\n #5 [ff646f1980153de8] ipoib_mcast_dev_flush+0x1a7 at ffffffffc09455a7 [ib_ipoib]\n #6 [ff646f1980153e58] __ipoib_ib_dev_flush+0x1a4 at ffffffffc09431a4 [ib_ipoib]\n #7 [ff\n---truncated---(CVE-2023-52587)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()\r\n\r\nFix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bug\noccurs when txs->cnt, data from a URB provided by a USB device, is\nbigger than the size of the array txs->txstatus, which is\nHTC_MAX_TX_STATUS. WARN_ON() already checks it, but there is no bug\nhandling code after the check. Make the function return if that is the\ncase.\r\n\r\nFound by a modified version of syzkaller.\r\n\r\nUBSAN: array-index-out-of-bounds in htc_drv_txrx.c\nindex 13 is out of range for type '__wmi_event_txstatus [12]'\nCall Trace:\n ath9k_htc_txstatus\n ath9k_wmi_event_tasklet\n tasklet_action_common\n __do_softirq\n irq_exit_rxu\n sysvec_apic_timer_interrupt(CVE-2023-52594)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: rt2x00: restart beacon queue when hardware reset\r\n\r\nWhen a hardware reset is triggered, all registers are reset, so all\nqueues are forced to stop in hardware interface. However, mac80211\nwill not automatically stop the queue. If we don't manually stop the\nbeacon queue, the queue will be deadlocked and unable to start again.\nThis patch fixes the issue where Apple devices cannot connect to the\nAP after calling ieee80211_restart_hw().(CVE-2023-52595)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: s390: fix setting of fpc register\r\n\r\nkvm_arch_vcpu_ioctl_set_fpu() allows to set the floating point control\n(fpc) register of a guest cpu. The new value is tested for validity by\ntemporarily loading it into the fpc register.\r\n\r\nThis may lead to corruption of the fpc register of the host process:\nif an interrupt happens while the value is temporarily loaded into the fpc\nregister, and within interrupt context floating point or vector registers\nare used, the current fp/vx registers are saved with save_fpu_regs()\nassuming they belong to user space and will be loaded into fp/vx registers\nwhen returning to user space.\r\n\r\ntest_fp_ctl() restores the original user space / host process fpc register\nvalue, however it will be discarded, when returning to user space.\r\n\r\nIn result the host process will incorrectly continue to run with the value\nthat was supposed to be used for a guest cpu.\r\n\r\nFix this by simply removing the test. There is another test right before\nthe SIE context is entered which will handles invalid values.\r\n\r\nThis results in a change of behaviour: invalid values will now be accepted\ninstead of that the ioctl fails with -EINVAL. This seems to be acceptable,\ngiven that this interface is most likely not used anymore, and this is in\naddition the same behaviour implemented with the memory mapped interface\n(replace invalid values with zero) - see sync_regs() in kvm-s390.c.(CVE-2023-52597)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/ptrace: handle setting of fpc register correctly\r\n\r\nIf the content of the floating point control (fpc) register of a traced\nprocess is modified with the ptrace interface the new value is tested for\nvalidity by temporarily loading it into the fpc register.\r\n\r\nThis may lead to corruption of the fpc register of the tracing process:\nif an interrupt happens while the value is temporarily loaded into the\nfpc register, and within interrupt context floating point or vector\nregisters are used, the current fp/vx registers are saved with\nsave_fpu_regs() assuming they belong to user space and will be loaded into\nfp/vx registers when returning to user space.\r\n\r\ntest_fp_ctl() restores the original user space fpc register value, however\nit will be discarded, when returning to user space.\r\n\r\nIn result the tracer will incorrectly continue to run with the value that\nwas supposed to be used for the traced process.\r\n\r\nFix this by saving fpu register contents with save_fpu_regs() before using\ntest_fp_ctl().(CVE-2023-52598)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\next4: avoid online resizing failures due to oversized flex bg\r\n\r\nWhen we online resize an ext4 filesystem with a oversized flexbg_size,\r\n\r\n     mkfs.ext4 -F -G 67108864 $dev -b 4096 100M\n     mount $dev $dir\n     resize2fs $dev 16G\r\n\r\nthe following WARN_ON is triggered:\n==================================================================\nWARNING: CPU: 0 PID: 427 at mm/page_alloc.c:4402 __alloc_pages+0x411/0x550\nModules linked in: sg(E)\nCPU: 0 PID: 427 Comm: resize2fs Tainted: G  E  6.6.0-rc5+ #314\nRIP: 0010:__alloc_pages+0x411/0x550\nCall Trace:\n <TASK>\n __kmalloc_large_node+0xa2/0x200\n __kmalloc+0x16e/0x290\n ext4_resize_fs+0x481/0xd80\n __ext4_ioctl+0x1616/0x1d90\n ext4_ioctl+0x12/0x20\n __x64_sys_ioctl+0xf0/0x150\n do_syscall_64+0x3b/0x90\n==================================================================\r\n\r\nThis is because flexbg_size is too large and the size of the new_group_data\narray to be allocated exceeds MAX_ORDER. Currently, the minimum value of\nMAX_ORDER is 8, the minimum value of PAGE_SIZE is 4096, the corresponding\nmaximum number of groups that can be allocated is:\r\n\r\n (PAGE_SIZE << MAX_ORDER) / sizeof(struct ext4_new_group_data) ≈ 21845\r\n\r\nAnd the value that is down-aligned to the power of 2 is 16384. Therefore,\nthis value is defined as MAX_RESIZE_BG, and the number of groups added\neach time does not exceed this value during resizing, and is added multiple\ntimes to complete the online resizing. The difference is that the metadata\nin a flex_bg may be more dispersed.(CVE-2023-52622)",
+    "cves": [
+      {
+        "id": "CVE-2023-52622",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52622",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1859": {
+    "id": "openEuler-SA-2024-1859",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1859",
+    "title": "An update for firefox is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Critical",
+    "description": "Mozilla Firefox is a standalone web browser, designed for standards compliance and performance.  Its functionality can be enhanced via a plethora of extensions.\r\n\r\nSecurity Fix(es):Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen processing surfaces, the lifetime may outlive a persistent buffer leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 81.(CVE-2020-15675)\r\n\r\nUsing the new logical assignment operators in a JavaScript switch statement could have caused a type confusion, leading to a memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7.(CVE-2021-23954)\r\n\r\nIf an out-of-memory condition occurred when creating a JavaScript global, a JavaScript realm may be deleted while references to it lived on in a BaseShape. This could lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.(CVE-2022-45406)",
+    "cves": [
+      {
+        "id": "CVE-2022-45406",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45406",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1733": {
+    "id": "openEuler-SA-2023-1733",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1733",
+    "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in ImageMagick <=7.1.1, where heap use-after-free was found in coders/bmp.c.\r\n\r\nReferences:\nhttps://github.com/ImageMagick/ImageMagick/commit/aa673b2e4defc7cad5bec16c4fc8324f71e531f1(CVE-2023-5341)",
+    "cves": [
+      {
+        "id": "CVE-2023-5341",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5341",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1684": {
+    "id": "openEuler-SA-2024-1684",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1684",
+    "title": "An update for openjdk-17 is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2024-20918)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 17.0.9; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 21.3.8 and  22.3.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).(CVE-2024-20932)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and  21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2024-21012)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2 and  22; Oracle GraalVM Enterprise Edition: 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2024-21068)",
+    "cves": [
+      {
+        "id": "CVE-2024-21068",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21068",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1681": {
+    "id": "openEuler-SA-2022-1681",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1681",
+    "title": "An update for mariadb is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "MariaDB is a community developed fork from MySQL - a multi-user, multi-threaded SQL database server. It is a client/server implementation consisting of a server daemon (mariadbd) and many different client programs and libraries. The base package contains the standard MariaDB/MySQL client programs and utilities.\n\nSecurity Fix(es):\n\nAn issue in the component Arg_comparator::compare_real_fixed of MariaDB Server v10.6.2 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.(CVE-2022-27379)\n\nMariaDB Server v10.7 and below was discovered to contain a segmentation fault via the component sql/sql_class.cc.(CVE-2022-27386)\n\nMariaDB Server v10.7 and below was discovered to contain a global buffer overflow in the component decimal_bin_size, which is exploited via specially crafted SQL statements.(CVE-2022-27387)\n\nAn issue in the component Item_subselect::init_expr_cache_tracker of MariaDB Server v10.6 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.(CVE-2022-27384)\n\nAn issue in the component my_decimal::operator= of MariaDB Server v10.6.3 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.(CVE-2022-27380)\n\nMariaDB Server v10.6 and below was discovered to contain an use-after-free in the component my_strcasecmp_8bit, which is exploited via specially crafted SQL statements.(CVE-2022-27383)\n\nAn issue in the component Field::set_default of MariaDB Server v10.6 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.(CVE-2022-27381)\n\nMariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component Item_func_in::cleanup(), which is exploited via specially crafted SQL statements.(CVE-2022-27377)\n\nAn issue in the component Create_tmp_table::finalize of MariaDB Server v10.7 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.(CVE-2022-27378)\n\nMariaDB Server v10.6.5 and below was discovered to contain an use-after-free in the component Item_args::walk_arg, which is exploited via specially crafted SQL statements.(CVE-2022-27376)\n\nMariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_cmpfunc.cc.(CVE-2022-27452)\n\nMariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component Binary_string::free_buffer() at /sql/sql_string.h.(CVE-2022-27458)\n\nMariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component VDec::VDec at /sql/sql_type.cc.(CVE-2022-27456)\n\nMariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/sql_window.cc.(CVE-2022-27445)\n\nMariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_func.cc:148.(CVE-2022-27449)\n\nThere is an Assertion failure in MariaDB Server v10.9 and below via 'node->pcur->rel_pos == BTR_PCUR_ON' at /row/row0mysql.cc.(CVE-2022-27448)\n\nMariaDB Server v10.9 and below was discovered to contain a use-after-free via the component Binary_string::free_buffer() at /sql/sql_string.h.(CVE-2022-27447)\n\nAn issue in the component Used_tables_and_const_cache::used_tables_and_const_cache_join of MariaDB Server v10.7 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.(CVE-2022-27385)\n\nMariaDB Server v10.7 and below was discovered to contain a segmentation fault via the component Item_field::used_tables/update_depend_map_for_order.(CVE-2022-27382)\n\nMariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/field_conv.cc.(CVE-2022-27451)\n\nMariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component my_mb_wc_latin1 at /strings/ctype-latin1.c.(CVE-2022-27457)\n\nMariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_cmpfunc.h.(CVE-2022-27446)\n\nMariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_subselect.cc.(CVE-2022-27444)\n\nMariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component my_wildcmp_8bit_impl at /strings/ctype-simple.c.(CVE-2022-27455)",
+    "cves": [
+      {
+        "id": "CVE-2022-27455",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27455",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1912": {
+    "id": "openEuler-SA-2023-1912",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1912",
+    "title": "An update for erlang is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Erlang is a general-purpose programming language and runtime environment. Erlang has built-in support for concurrency, distribution and fault tolerance. Erlang is used in several large telecommunication systems from Ericsson.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.(CVE-2022-37026)",
+    "cves": [
+      {
+        "id": "CVE-2022-37026",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37026",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1775": {
+    "id": "openEuler-SA-2022-1775",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1775",
+    "title": "An update for OpenEXR is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light & Magic for use in computer imaging applications.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in OpenEXR's hufUncompress functionality in OpenEXR/IlmImf/ImfHuf.cpp. This flaw allows an attacker who can submit a crafted file that is processed by OpenEXR, to trigger an integer overflow. The highest threat from this vulnerability is to system availability.(CVE-2021-20300)\r\n\r\nA flaw was found in OpenEXR's TiledInputFile functionality. This flaw allows an attacker who can submit a crafted single-part non-image to be processed by OpenEXR, to trigger a floating-point exception error. The highest threat from this vulnerability is to system availability.(CVE-2021-20302)\r\n\r\nAn integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits. This could cause an invalid bytesPerLine and maxBytesPerLine value, which could lead to problems with application stability or lead to other attack paths.(CVE-2021-3933)",
+    "cves": [
+      {
+        "id": "CVE-2021-3933",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3933",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1589": {
+    "id": "openEuler-SA-2024-1589",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1589",
+    "title": "An update for engrampa is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "Mate File Archiver is an application for creating and viewing archives files, such as zip, xv, bzip2, cab, rar and other compress formats.\r\n\r\nSecurity Fix(es):\r\n\r\nEngrampa is an archive manager for the MATE environment. Engrampa is found to be vulnerable to a Path Traversal vulnerability that can be leveraged to achieve full Remote Command Execution (RCE) on the target. While handling CPIO archives, the Engrampa Archive manager follows symlink, cpio by default will follow stored symlinks while extracting and the Archiver will not check the symlink location, which leads to arbitrary file writes to unintended locations. When the victim extracts the archive, the attacker can craft a malicious cpio or ISO archive to achieve RCE on the target system. This vulnerability was fixed in commit 63d5dfa.\n(CVE-2023-52138)",
+    "cves": [
+      {
+        "id": "CVE-2023-52138",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52138",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1850": {
+    "id": "openEuler-SA-2022-1850",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1850",
+    "title": "An update for cups is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "CUPS is the standards-based, open source printing system developed by Apple Inc. for UNIX®-like operating systems. CUPS uses the Internet Printing Protocol (IPP) to support printing to local and network printers.\r\n\r\nSecurity Fix(es):\r\n\r\nA buffer overflow was addressed with improved bounds checking. This issue is fixed in macOS Catalina 10.15.2, Security Update 2019-002 Mojave, and Security Update 2019-007 High Sierra. In certain configurations, a remote attacker may be able to submit arbitrary print jobs.(CVE-2019-8842)",
+    "cves": [
+      {
+        "id": "CVE-2019-8842",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8842",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1463": {
+    "id": "openEuler-SA-2023-1463",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1463",
+    "title": "An update for libtiff is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Low",
+    "description": "This libtiff provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. The latest version of the TIFF specification is available on-line in several different formats.And contains command-line programs for manipulating TIFF format image files using the libtiff library.\r\n\r\nSecurity Fix(es):\r\n\r\nMultiple potential integer overflow in raw2tiff.c in libtiff <= 4.5.1 can allow remote attackers to cause a denial of service (application crash) or possibly execute an arbitrary code via a crafted tiff image which triggers a heap-based buffer overflow.(CVE-2023-38288)\r\n\r\nMultiple potential integer overflow in tiffcp.c in libtiff <= 4.5.1 can allow remote attackers to cause a denial of service (application crash) or possibly execute an arbitrary code via a crafted tiff image which triggers a heap-based buffer overflow.(CVE-2023-38289)",
+    "cves": [
+      {
+        "id": "CVE-2023-38289",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38289",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1098": {
+    "id": "openEuler-SA-2021-1098",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1098",
+    "title": "An update for binutils is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The GNU Binutils are a collection of binary tools. The main ones are: ld - the GNU linker. as - the GNU assembler. addr2line - Converts addresses into filenames and line numbers. ar - A utility for creating, modifying and extracting from archives. c++filt - Filter to demangle encoded C++ symbols. dlltool - Creates files for building and using DLLs. gold - A new, faster, ELF only linker, still in beta test. gprof - Displays profiling information. nlmconv - Converts object code into an NLM. nm - Lists symbols from object files. objcopy - Copies and translates object files. objdump - Displays information from object files. ranlib - Generates an index to the contents of an archive. readelf - Displays information from any ELF format object file. size - Lists the section sizes of an object or archive file. strings - Lists printable strings from files. trip - Discards symbols. windmc - A Windows compatible message compiler. windres - A compiler for Windows resource files.\r\n\r\nSecurity Fix(es):\r\n\r\nLoad value injection in some Intel(R) Processors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. The list of affected products is provided in intel-sa-00334: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00334.html(CVE-2020-0551)\n\nA use after free issue exists in the Binary File Descriptor (BFD) library (aka libbfd) in GNU Binutils 2.34 in bfd_hash_lookup, as demonstrated in nm-new, that can cause a denial of service via a crafted file.(CVE-2020-16592)",
+    "cves": [
+      {
+        "id": "CVE-2020-16592",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16592",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1032": {
+    "id": "openEuler-SA-2024-1032",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1032",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nopeneuler-linux-kernel-5.10.149-ext4_write_inline_data-kernel_bug-365020(CVE-2021-33631)\r\n\r\nAn issue was discovered in the Linux kernel through 6.3.8. A use-after-free was found in ravb_remove in drivers/net/ethernet/renesas/ravb_main.c.(CVE-2023-35827)\r\n\r\nAn out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.(CVE-2023-6606)\r\n\r\nAn out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.(CVE-2023-6610)\r\n\r\nA use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\r\n\r\nThe function nft_pipapo_walk did not skip inactive elements during set walk which could lead double deactivations of PIPAPO (Pile Packet Policies) elements, leading to use-after-free.\r\n\r\nWe recommend upgrading past commit 317eb9685095678f2c9f5a8189de698c5354316a.\r\n\r\n(CVE-2023-6817)\r\n\r\nA heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be exploited to achieve local privilege escalation.\r\n\r\nA perf_event's read_size can overflow, leading to an heap out-of-bounds increment or write in perf_read_group().\r\n\r\nWe recommend upgrading past commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b.\r\n\r\n(CVE-2023-6931)\r\n\r\nA use-after-free vulnerability in the Linux kernel's ipv4: igmp component can be exploited to achieve local privilege escalation.\r\n\r\nA race condition can be exploited to cause a timer be mistakenly registered on a RCU read locked object which is freed by another thread.\r\n\r\nWe recommend upgrading past commit e2b706c691905fe78468c361aaabc719d0a496f1.\r\n\r\n(CVE-2023-6932)",
+    "cves": [
+      {
+        "id": "CVE-2023-6932",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6932",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1491": {
+    "id": "openEuler-SA-2024-1491",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1491",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free.(CVE-2023-0330)\r\n\r\nQEMU before 8.2.0 has an integer underflow, and resultant buffer overflow, via a TI command when an expected non-DMA transfer length is less than the length of the available FIFO data. This occurs in esp_do_nodma in hw/scsi/esp.c because of an underflow of async_len.(CVE-2024-24474)\r\n\r\nA double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently protects against DMA reentrancy issues. This issue could allow a malicious privileged guest user to crash the QEMU process on the host, resulting in a denial of service or allow arbitrary code execution within the context of the QEMU process on the host.(CVE-2024-3446)\r\n\r\nA heap-based buffer overflow was found in the SDHCI device emulation of QEMU. The bug is triggered when both `s->data_count` and the size of  `s->fifo_buffer` are set to 0x200, leading to an out-of-bound access. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.(CVE-2024-3447)",
+    "cves": [
+      {
+        "id": "CVE-2024-3447",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3447",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2053": {
+    "id": "openEuler-SA-2022-2053",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2053",
+    "title": "An update for mosquitto is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Mosquitto is an open source message broker that implements the MQ Telemetry Transport protocol version 3.1 and 3.1.1 MQTT provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for \"machine to machine\" messaging such as with low power sensors or mobile devices such as phones, embedded computers or micro-controllers like the Arduino.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Eclipse Mosquitto versions 2.07 and earlier, the server will crash if the client tries to send a PUBLISH packet with topic length = 0.(CVE-2021-34432)",
+    "cves": [
+      {
+        "id": "CVE-2021-34432",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34432",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1106": {
+    "id": "openEuler-SA-2021-1106",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1106",
+    "title": "An update for glib2 is now available for openEuler-20.03-LTS",
+    "severity": "High",
+    "description": "GLib is a bundle of three (formerly five) low-level system libraries written in C and developed mainly by GNOME. GLib's code was separated from GTK, so it can be used by software other than GNOME and has been developed in parallel ever since.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called with a buffer of 4GB or more on a 64-bit platform, the length would be truncated modulo 2**32, causing unintended length truncation.(CVE-2021-27218)\r\n\r\nAn issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption.(CVE-2021-27219)\n\n** DISPUTED ** GNOME GLib before 2.65.3 has an integer overflow, that might lead to an out-of-bounds write, in g_option_group_add_entries. NOTE: the vendor's position is \"Realistically this is not a security issue. The standard pattern is for callers to provide a static list of option entries in a fixed number of calls to g_option_group_add_entries().\" The researcher states that this pattern is undocumented.(CVE-2020-35457)",
+    "cves": [
+      {
+        "id": "CVE-2020-35457",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35457",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1983": {
+    "id": "openEuler-SA-2022-1983",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1983",
+    "title": "An update for bind is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.\r\n\r\nSecurity Fix(es):\r\n\r\nBy sending specific queries to the resolver, an attacker can cause named to crash.(CVE-2022-3080)\r\n\r\nBy spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.(CVE-2022-38177)\r\n\r\nBy spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.(CVE-2022-38178)\r\n\r\nBy flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service.(CVE-2022-2795)\r\n\r\nThe underlying bug might cause read past end of the buffer and either read memory it should not read, or crash the process.(CVE-2022-2881)\r\n\r\nAn attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.(CVE-2022-2906)",
+    "cves": [
+      {
+        "id": "CVE-2022-2906",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2906",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2012": {
+    "id": "openEuler-SA-2022-2012",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2012",
+    "title": "An update for protobuf is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nA parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.(CVE-2022-1941)\r\n\r\nA parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.(CVE-2022-3171)",
+    "cves": [
+      {
+        "id": "CVE-2022-3171",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3171",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1290": {
+    "id": "openEuler-SA-2023-1290",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1290",
+    "title": "An update for cloud-init is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Cloud-init is the defacto multi-distribution package that handles early initialization of a cloud instance.\r\n\r\nSecurity Fix(es):\r\n\r\nSensitive data could be exposed in world readable logs of cloud-init before version 22.3 when schema failures are reported. This leak could include hashed passwords.(CVE-2022-2084)",
+    "cves": [
+      {
+        "id": "CVE-2022-2084",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2084",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2079": {
+    "id": "openEuler-SA-2022-2079",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2079",
+    "title": "An update for sudo is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Sudo is a program designed to allow a sysadmin to give limited root privileges to users and log root activity.  The basic philosophy is to give as few privileges as possible but still allow people to get their work done.\r\n\r\nSecurity Fix(es):\r\n\r\nSudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to Sudo by entering a password of seven characters or fewer. The impact could vary depending on the system libraries, compiler, and processor architecture.(CVE-2022-43995)",
+    "cves": [
+      {
+        "id": "CVE-2022-43995",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43995",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1332": {
+    "id": "openEuler-SA-2023-1332",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1332",
+    "title": "An update for ImageMagick is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap-based buffer overflow vulnerability was found in the ImageMagick package that can lead to the application crashing.(CVE-2023-2157)",
+    "cves": [
+      {
+        "id": "CVE-2023-2157",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2157",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1942": {
+    "id": "openEuler-SA-2023-1942",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1942",
+    "title": "An update for erlang is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "Erlang is a general-purpose programming language and runtime environment. Erlang has built-in support for concurrency, distribution and fault tolerance. Erlang is used in several large telecommunication systems from Ericsson.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.(CVE-2022-37026)",
+    "cves": [
+      {
+        "id": "CVE-2022-37026",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37026",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1696": {
+    "id": "openEuler-SA-2023-1696",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1696",
+    "title": "An update for ghostscript is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "Ghostscript is an interpreter for PostScript™ and Portable Document Format (PDF) files. Ghostscript consists of a PostScript interpreter layer, and a graphics library.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote code execution via crafted PostScript documents because they can switch to the IJS device, or change the IjsServer parameter, after SAFER has been activated. NOTE: it is a documented risk that the IJS server can be specified on a gs command line (the IJS device inherently must execute a command to start the IJS server).(CVE-2023-43115)",
+    "cves": [
+      {
+        "id": "CVE-2023-43115",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43115",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1029": {
+    "id": "openEuler-SA-2021-1029",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1029",
+    "title": "An update for libtomcrypt is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "LibTomCrypt is a fairly comprehensive, modular and portable cryptographic toolkit that provides developers with a vast array of well known published block ciphers, one-way hash functions, chaining modes, pseudo-random number generators, public key cryptography and a plethora of other routines. \\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nIn LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in der_decode_utf8_string.c) does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) or read information from other memory locations via carefully crafted DER-encoded data.(CVE-2019-17362)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2019-17362",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17362",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1816": {
+    "id": "openEuler-SA-2024-1816",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1816",
+    "title": "An update for emacs is now available for openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-24.03-LTS",
+    "severity": "High",
+    "description": "Emacs is the extensible, customizable, self-documenting real-time display editor. At its core is an interpreter for Emacs Lisp, a dialect of the Lisp programming language with extensions to support text editing. And it is an entire ecosystem of functionality beyond text editing, including a project planner, mail and news reader, debugger interface, calendar, and more.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This affects Org Mode before 9.7.5.(CVE-2024-39331)",
+    "cves": [
+      {
+        "id": "CVE-2024-39331",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39331",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1278": {
+    "id": "openEuler-SA-2023-1278",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1278",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nUse of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 9.0.1499.(CVE-2023-2426)",
+    "cves": [
+      {
+        "id": "CVE-2023-2426",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2426",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1953": {
+    "id": "openEuler-SA-2022-1953",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1953",
+    "title": "An update for ntp is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "NTP is a protocol designed to synchronize the clocks of computers over a network, NTP version 4, a significant revision of the previous NTP standard, is the current development version. It is formalized by RFCs released by the IETF.\r\n\r\nSecurity Fix(es):\r\n\r\nntpd in ntp 4.2.8 before 4.2.8p15 and 4.3.x before 4.3.101 allows remote attackers to cause a denial of service (memory consumption) by sending packets, because memory is not freed in situations where a CMAC key is used and associated with a CMAC algorithm in the ntp.keys file.(CVE-2020-15025)",
+    "cves": [
+      {
+        "id": "CVE-2020-15025",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15025",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1382": {
+    "id": "openEuler-SA-2024-1382",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1382",
+    "title": "An update for cri-tools is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "CLI and validation tools for Container Runtime Interface\r\n\r\nSecurity Fix(es):\r\n\r\nA maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.(CVE-2022-41723)\r\n\r\nA malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.(CVE-2023-39325)\r\n\r\nThe protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.(CVE-2024-24786)",
+    "cves": [
+      {
+        "id": "CVE-2024-24786",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24786",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1929": {
+    "id": "openEuler-SA-2023-1929",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1929",
+    "title": "An update for xstream is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design, making it suitable for large object graphs or systems with high message throughput. No information is duplicated that can be obtained via reflection. This results in XML that is easier to read for humans and more compact than native Java serialization. XStream serializes internal fields, including private and final. Supports non-public and inner classes. Classes are not required to have default constructor. Duplicate references encountered in the object-model will be maintained. Supports circular references. By implementing an interface, XStream can serialize directly to/from any tree structure (not just XML). Strategies can be registered allowing customization of how particular types are represented as XML. When an exception occurs due to malformed XML, detailed diagnostics are provided to help isolate and fix the problem.\r\n\r\nSecurity Fix(es):\r\n\r\nThose using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.(CVE-2022-40151)\r\n\r\nXStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and all elements are comparable.(CVE-2022-41966)",
+    "cves": [
+      {
+        "id": "CVE-2022-41966",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41966",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1016": {
+    "id": "openEuler-SA-2024-1016",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1016",
+    "title": "An update for ghostscript is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Ghostscript is an interpreter for PostScript™ and Portable Document Format (PDF) files. Ghostscript consists of a PostScript interpreter layer, and a graphics library.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the function gdev_prn_open_printer_seekable() in Artifex Ghostscript through 10.02.0 allows remote attackers to crash the application via a dangling pointer.(CVE-2023-46751)",
+    "cves": [
+      {
+        "id": "CVE-2023-46751",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46751",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2036": {
+    "id": "openEuler-SA-2022-2036",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2036",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\ndrivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.(CVE-2022-40768)\r\n\r\nA vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_bmap_lookup_at_level of the file fs/nilfs2/inode.c of the component nilfs2. The manipulation leads to null pointer dereference. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211920.(CVE-2022-3621)\r\n\r\nA vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function tst_timer of the file drivers/atm/idt77252.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. VDB-211934 is the identifier assigned to this vulnerability.(CVE-2022-3635)\r\n\r\ndrivers/usb/mon/mon_bin.c in usbmon in the Linux kernel before 5.19.15 and 6.x before 6.0.1 allows a user-space client to corrupt the monitor's internal memory.(CVE-2022-43750)\n\nA vulnerability was found in Linux Kernel. It has been declared as problematic. This vulnerability affects the function vsock_connect of the file net/vmw_vsock/af_vsock.c of the component IPsec. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. VDB-211930 is the identifier assigned to this vulnerability.(CVE-2022-3629)\n\nA vulnerability, which was classified as problematic, has been found in Linux Kernel. This issue affects the function nilfs_attach_log_writer of the file fs/nilfs2/segment.c of the component BPF. The manipulation leads to memory leak. The attack may be initiated remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211961 was assigned to this vulnerability.(CVE-2022-3646)\n\nA flaw was found in the Linux kernel’s networking code. A use-after-free was found in the way the sch_sfb enqueue function used the socket buffer (SKB) cb field after the same SKB had been enqueued (and freed) into a child qdisc. This flaw allows a local, unprivileged user to crash the system, causing a denial of service.(CVE-2022-3586)",
+    "cves": [
+      {
+        "id": "CVE-2022-3586",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3586",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1180": {
+    "id": "openEuler-SA-2023-1180",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1180",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw in the Linux Kernel found. Fail if no bound addresses can be used for a given scope. A type confusion can happen in inet_diag_msg_sctpasoc_fill() in net/sctp/diag.c, which uses a type confused pointer to return information to userspace when issuing a list_entry() on asoc->base.bind_addr.address_list.next when the list is empty.\r\n\r\nReferences:\nhttps://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=458e279f861d3f61796894cd158b780765a1569f\nhttps://www.openwall.com/lists/oss-security/2023/01/23/1(CVE-2023-1074)\r\n\r\nA flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device.\nSimilarly to the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.\r\n\r\nReference:\nhttps://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=4ab3a086d10eeec1424f2e8a968827a6336203df(CVE-2023-1079)\r\n\r\nA flaw found in the Linux Kernel. The missing check causes a type confusion when issuing a list_entry()\non an empty report_list. The problem is caused by the assumption that the device must have valid report_list. While this will be true for all normal HID devices, a suitably malicious device can violate the assumption.\r\n\r\nReferences:\nhttps://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=b12fece4c64857e5fab4290bf01b2e0317a88456\nhttps://www.openwall.com/lists/oss-security/2023/01/17/3(CVE-2023-1073)\r\n\r\n\nKernel: denial of service in tipc_conn_close(CVE-2023-1382)",
+    "cves": [
+      {
+        "id": "CVE-2023-1382",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1382",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1946": {
+    "id": "openEuler-SA-2023-1946",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1946",
+    "title": "An update for logback is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Logback is intended as a successor to the popular log4j project.\r\n\r\nSecurity Fix(es):\r\n\r\nA serialization vulnerability in logback receiver component part of \nlogback version 1.4.11 allows an attacker to mount a Denial-Of-Service \nattack by sending poisoned data.\r\n\r\n(CVE-2023-6378)\r\n\r\nA serialization vulnerability in logback receiver component part of \nlogback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service \nattack by sending poisoned data.\r\n\r\n(CVE-2023-6481)",
+    "cves": [
+      {
+        "id": "CVE-2023-6481",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6481",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1939": {
+    "id": "openEuler-SA-2022-1939",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1939",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Go Programming Language\r\n\r\nSecurity Fix(es):\r\n\r\nIn net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.(CVE-2022-27664)",
+    "cves": [
+      {
+        "id": "CVE-2022-27664",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1841": {
+    "id": "openEuler-SA-2024-1841",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1841",
+    "title": "An update for exiv2 is now available for openEuler-24.03-LTS",
+    "severity": "Medium",
+    "description": "Exiv2 is a Cross-platform C++ library and a command line utility to manage image metadata. It provides fast and easy read and write access to the Exif, IPTC and XMP metadata and the ICC Profile embedded within digital images in various formats.\r\n\r\nSecurity Fix(es):\r\n\r\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 version v0.28.2. The vulnerability is in the parser for the ASF video format, which was a new feature in v0.28.0. The out-of-bounds read is triggered when Exiv2 is used to read the metadata of a crafted video file. The bug is fixed in version v0.28.3.(CVE-2024-39695)",
+    "cves": [
+      {
+        "id": "CVE-2024-39695",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39695",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1460": {
+    "id": "openEuler-SA-2021-1460",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1460",
+    "title": "An update for gmp is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "A GNU multiple precision arithmetic library.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.(CVE-2021-43618)",
+    "cves": [
+      {
+        "id": "CVE-2021-43618",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43618",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1539": {
+    "id": "openEuler-SA-2023-1539",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1539",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nAn out-of-bounds read vulnerability was found in the SR-IPv6 implementation in the Linux kernel. The flaw exists within the processing of seg6 attributes. The issue results from the improper validation of user-supplied data, which can result in a read past the end of an allocated buffer. This flaw allows a privileged local user to disclose sensitive information on affected installations of the Linux kernel.(CVE-2023-2860)\n\nA use-after-free flaw was found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel. This flaw allows a local attacker to perform a local privilege escalation due to incorrect handling of the existing filter, leading to a kernel information leak issue.(CVE-2023-4128)",
+    "cves": [
+      {
+        "id": "CVE-2023-4128",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4128",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1745": {
+    "id": "openEuler-SA-2022-1745",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1745",
+    "title": "An update for libjpeg-turbo is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nThe PPM reader in libjpeg-turbo through 2.0.90 mishandles use of tjLoadImage for loading a 16-bit binary PPM file into a grayscale buffer and loading a 16-bit binary PGM file into an RGB buffer. This is related to a heap-based buffer overflow in the get_word_rgb_row function in rdppm.c.(CVE-2021-46822)",
+    "cves": [
+      {
+        "id": "CVE-2021-46822",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46822",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1880": {
+    "id": "openEuler-SA-2022-1880",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1880",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA race condition in perf_event_open() which can be exploited by an unprivileged user to gain root privileges. The bug allows to build several exploit primitives such as kernel address information leak, arbitrary execution, etc.(CVE-2022-1729)\n\nA use-after-free flaw was found in nf_tables cross-table in the net/netfilter/nf_tables_api.c function in the Linux kernel. This flaw allows a local, privileged attacker to cause a use-after-free problem at the time of table deletion, possibly leading to local privilege escalation.(CVE-2022-2586)\n\nDm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates. We recommend upgrading past commit 4caae58406f8ceb741603eee460d79bacca9b1b5(CVE-2022-2503)\n\nAn out-of-bounds read flaw was found in the Linux kernel’s TeleTYpe subsystem. The issue occurs in how a user triggers a race condition using ioctls TIOCSPTLCK and TIOCGPTPEER and TIOCSTI and TCXONC with leakage of memory in the flush_to_ldisc function. This flaw allows a local user to crash the system or read unauthorized random data from memory.(CVE-2022-1462)",
+    "cves": [
+      {
+        "id": "CVE-2022-1462",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1462",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1687": {
+    "id": "openEuler-SA-2023-1687",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1687",
+    "title": "An update for shadow is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Low",
+    "description": "This package includes the necessary programs for converting plain password files to the shadow password format and to manage user and group accounts.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen gpasswd(1) asks for the new password, it asks twice (as is usual for confirming the new password).  Each of those 2 password prompts uses agetpass() to get the password.  If the second agetpass() fails, the first password, which has been copied into the 'static' buffer 'pass' via STRFCPY(), wasn't being zeroed.(CVE-2023-4641)",
+    "cves": [
+      {
+        "id": "CVE-2023-4641",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4641",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1908": {
+    "id": "openEuler-SA-2023-1908",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1908",
+    "title": "An update for python-twisted is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Twisted is an event-based framework for internet applications, supporting Python 2.7 and Python 3.5+. It includes modules for many different purposes, including the following:\r\n\r\nSecurity Fix(es):\r\n\r\ntwisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the `twited.web.RedirectAgent` and `twisted.web. BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There are no known workarounds.(CVE-2022-21712)\r\n\r\nTwisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0, Twisted SSH client and server implement is able to accept an infinite amount of data for the peer's SSH version identifier. This ends up with a buffer using all the available memory. The attach is a simple as `nc -rv localhost 22 < /dev/zero`. A patch is available in version 22.2.0. There are currently no known workarounds.(CVE-2022-21716)\r\n\r\nTwisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.(CVE-2022-24801)\r\n\r\nTwisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.(CVE-2022-39348)",
+    "cves": [
+      {
+        "id": "CVE-2022-39348",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39348",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2002": {
+    "id": "openEuler-SA-2022-2002",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2002",
+    "title": "An update for crash is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The core analysis suite is a self-contained tool that can be used to investigate either live systems, kernel core dumps created from dump creation facilities such as kdump, kvmdump, xendump, the netdump and diskdump packages offered by Red Hat, the LKCD kernel patch, the mcore kernel patch created by Mission Critical Linux, as well as other formats created by manufacturer-specific firmware.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU gdb All versions is affected by: Buffer Overflow - Out of bound memory access. The impact is: Deny of Service, Memory Disclosure, and Possible Code Execution. The component is: The main gdb module. The attack vector is: Open an ELF for debugging. The fixed version is: Not fixed yet.(CVE-2019-1010180)",
+    "cves": [
+      {
+        "id": "CVE-2019-1010180",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010180",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1425": {
+    "id": "openEuler-SA-2024-1425",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1425",
+    "title": "An update for flatpak is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "flatpak is a system for building, distributing and running sandboxed desktop applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for more information.\r\n\r\nSecurity Fix(es):\r\n\r\nFlatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment.(CVE-2023-28100)\r\n\r\nFlatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.(CVE-2023-28101)",
+    "cves": [
+      {
+        "id": "CVE-2023-28101",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28101",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1508": {
+    "id": "openEuler-SA-2023-1508",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1508",
+    "title": "An update for yasm is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Yasm is a complete rewrite of the NASM assembler under the “new” BSD License.\r\n\r\nSecurity Fix(es):\r\n\r\nYasm v1.3.0.78 was found prone to NULL Pointer Dereference in /libyasm/intnum.c and /elf/elf.c, which allows the attacker to cause a denial of service via a crafted file.(CVE-2023-37732)",
+    "cves": [
+      {
+        "id": "CVE-2023-37732",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37732",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1574": {
+    "id": "openEuler-SA-2023-1574",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1574",
+    "title": "An update for file is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The program checks to see if the file is empty,or if its some sort of special file.\r\n\r\nSecurity Fix(es):\r\n\r\nFile before 5.43 has an stack-based buffer over-read in file_copystr in funcs.c. NOTE: \"File\" is the name of an Open Source project.(CVE-2022-48554)",
+    "cves": [
+      {
+        "id": "CVE-2022-48554",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48554",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1582": {
+    "id": "openEuler-SA-2024-1582",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1582",
+    "title": "An update for skopeo is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "A command line utility that performs various operations on container images and image repositories\r\n\r\nSecurity Fix(es):\r\n\r\nThe HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.(CVE-2023-29406)",
+    "cves": [
+      {
+        "id": "CVE-2023-29406",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29406",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1532": {
+    "id": "openEuler-SA-2023-1532",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1532",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Go Programming Language.\n\nSecurity Fix(es):\n\nExtremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.(CVE-2023-29409)",
+    "cves": [
+      {
+        "id": "CVE-2023-29409",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29409",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1289": {
+    "id": "openEuler-SA-2021-1289",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1289",
+    "title": "An update for rubygem-yard is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "YARD is a documentation generation tool for the Ruby programming language. It enables the user to generate consistent, usable documentation that can be exported to a number of formats very easily, and also supports extending for custom Ruby constructs such as custom class level definitions.\r\n\r\nSecurity Fix(es):\r\n\r\nyard before 0.9.20 allows path traversal.(CVE-2019-1020001)",
+    "cves": [
+      {
+        "id": "CVE-2019-1020001",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1020001",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1076": {
+    "id": "openEuler-SA-2021-1076",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1076",
+    "title": "An update for wireshark is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Wireshark is an open source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer.  Wireshark, formerly known as Ethereal, can be used to examine the details of traffic at a variety of levels ranging from connection-level information to the bits that make up a single packet. Packet capture can provide a network administrator with information about individual packets such as transmit time, source, destination, protocol type and header data. This information can be useful for evaluating security events and troubleshooting network security device issues.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Wireshark through 3.2.7, the Facebook Zero Protocol (aka FBZERO) dissector could enter an infinite loop. This was addressed in epan/dissectors/packet-fbzero.c by correcting the implementation of offset advancement.(CVE-2020-26575)",
+    "cves": [
+      {
+        "id": "CVE-2020-26575",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26575",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1005": {
+    "id": "openEuler-SA-2021-1005",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1005",
+    "title": "An update for mutt is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Mutt is a small but very powerful text-based mail client for Unix operating systems.\n\r\nSecurity Fix(es):\n\r\nMutt before 2.0.2 and NeoMutt before 2020-11-20 did not ensure that $ssl_force_tls was processed if an IMAP server's initial server response was invalid. The connection was not properly closed, and the code could continue attempting to authenticate. This could result in authentication credentials being exposed on an unencrypted connection, or to a machine-in-the-middle.(CVE-2020-28896)",
+    "cves": [
+      {
+        "id": "CVE-2020-28896",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28896",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1120": {
+    "id": "openEuler-SA-2021-1120",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1120",
+    "title": "An update for openssh is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.\r\n\r\nSecurity Fix(es):\r\n\r\nThe client side in OpenSSH 5.7 through 8.3 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client).(CVE-2020-14145)",
+    "cves": [
+      {
+        "id": "CVE-2020-14145",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14145",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1418": {
+    "id": "openEuler-SA-2023-1418",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1418",
+    "title": "An update for pki-core is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Dogtag PKI is a designed  enterprise software system manage enterprise Public Key Infrastructure deployments.\r\n\r\nSecurity Fix(es):\r\n\r\nAccess to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.(CVE-2022-2414)",
+    "cves": [
+      {
+        "id": "CVE-2022-2414",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2414",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1054": {
+    "id": "openEuler-SA-2021-1054",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1054",
+    "title": "An update for unbound is now available for openEuler-20.03-LTS",
+    "severity": "High",
+    "description": "Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards. To help increase online privacy, Unbound supports DNS-over-TLS which allows clients to encrypt their communication. Unbound is available for most platforms such as FreeBSD, OpenBSD, NetBSD, MacOS, Linux and Microsoft Windows. Unbound is a totally free, open source software under the BSD license. It doesn't make custom builds or provide specific features to paying customers only.\r\n\r\nSecurity Fix(es):\r\n\r\nNLnet Labs Unbound, up to and including version 1.12.0, and NLnet Labs NSD, up to and including version 4.3.3, contain a local vulnerability that would allow for a local symlink attack. When writing the PID file, Unbound and NSD create the file if it is not there, or open an existing file for writing. In case the file was already present, they would follow symlinks if the file happened to be a symlink instead of a regular file. An additional chown of the file would then take place after it was written, making the user Unbound/NSD is supposed to run as the new owner of the file. If an attacker has local access to the user Unbound/NSD runs as, she could create a symlink in place of the PID file pointing to a file that she would like to erase. If then Unbound/NSD is killed and the PID file is not cleared, upon restarting with root privileges, Unbound/NSD will rewrite any file pointed at by the symlink. This is a local vulnerability that could create a Denial of Service of the system Unbound/NSD is running on. It requires an attacker having access to the limited permission user Unbound/NSD runs as and point through the symlink to a critical file on the system.(CVE-2020-28935)\n\nUnbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec module that can cause shell code execution after receiving a specially crafted answer. This issue can only be triggered if unbound was compiled with `--enable-ipsecmod` support, and ipsecmod is enabled and used in the configuration.(CVE-2019-18934)",
+    "cves": [
+      {
+        "id": "CVE-2019-18934",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18934",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2123": {
+    "id": "openEuler-SA-2022-2123",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2123",
+    "title": "An update for libarchive is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "is an open-source BSD-licensed C programming library that  provides streaming access to a variety of different archive formats, including tar, cpio, pax, zip, and ISO9660 images. The distribution  also includes bsdtar and bsdcpio, full-featured implementations of  tar and cpio that use .\r\n\r\nSecurity Fix(es):\r\n\r\nIn libarchive 3.6.1, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: \"In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution.\"(CVE-2022-36227)",
+    "cves": [
+      {
+        "id": "CVE-2022-36227",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36227",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1010": {
+    "id": "openEuler-SA-2024-1010",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1010",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.(CVE-2023-6606)\r\n\r\nAn out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.(CVE-2023-6610)",
+    "cves": [
+      {
+        "id": "CVE-2023-6610",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6610",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1499": {
+    "id": "openEuler-SA-2024-1499",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1499",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: fix out of bounds in init_smb2_rsp_hdr()\r\n\r\nIf client send smb2 negotiate request and then send smb1 negotiate\nrequest, init_smb2_rsp_hdr is called for smb1 negotiate request since\nneed_neg is set to false. This patch ignore smb1 packets after ->need_neg\nis set to false.(CVE-2023-52441)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm: Don't unref the same fb many times by mistake due to deadlock handling\r\n\r\nIf we get a deadlock after the fb lookup in drm_mode_page_flip_ioctl()\nwe proceed to unref the fb and then retry the whole thing from the top.\nBut we forget to reset the fb pointer back to NULL, and so if we then\nget another error during the retry, before the fb lookup, we proceed\nthe unref the same fb again without having gotten another reference.\nThe end result is that the fb will (eventually) end up being freed\nwhile it's still in use.\r\n\r\nReset fb to NULL once we've unreffed it to avoid doing it again\nuntil we've done another fb lookup.\r\n\r\nThis turned out to be pretty easy to hit on a DG2 when doing async\nflips (and CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y). The first symptom I\nsaw that drm_closefb() simply got stuck in a busy loop while walking\nthe framebuffer list. Fortunately I was able to convince it to oops\ninstead, and from there it was easier to track down the culprit.(CVE-2023-52486)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run\r\n\r\nIn mtk_jpeg_probe, &jpeg->job_timeout_work is bound with\nmtk_jpeg_job_timeout_work.\r\n\r\nIn mtk_jpeg_dec_device_run, if error happens in\nmtk_jpeg_set_dec_dst, it will finally start the worker while\nmark the job as finished by invoking v4l2_m2m_job_finish.\r\n\r\nThere are two methods to trigger the bug. If we remove the\nmodule, it which will call mtk_jpeg_remove to make cleanup.\nThe possible sequence is as follows, which will cause a\nuse-after-free bug.\r\n\r\nCPU0                  CPU1\nmtk_jpeg_dec_...    |\n  start worker\t    |\n                    |mtk_jpeg_job_timeout_work\nmtk_jpeg_remove     |\n  v4l2_m2m_release  |\n    kfree(m2m_dev); |\n                    |\n                    | v4l2_m2m_get_curr_priv\n                    |   m2m_dev->curr_ctx //use\r\n\r\nIf we close the file descriptor, which will call mtk_jpeg_release,\nit will have a similar sequence.\r\n\r\nFix this bug by starting timeout worker only if started jpegdec worker\nsuccessfully. Then v4l2_m2m_job_finish will only be called in\neither mtk_jpeg_job_timeout_work or mtk_jpeg_dec_device_run.(CVE-2023-52491)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: fix NULL pointer in channel unregistration function\r\n\r\n__dma_async_device_channel_register() can fail. In case of failure,\nchan->local is freed (with free_percpu()), and chan->local is nullified.\nWhen dma_async_device_unregister() is called (because of managed API or\nintentionally by DMA controller driver), channels are unconditionally\nunregistered, leading to this NULL pointer:\n[    1.318693] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0\n[...]\n[    1.484499] Call trace:\n[    1.486930]  device_del+0x40/0x394\n[    1.490314]  device_unregister+0x20/0x7c\n[    1.494220]  __dma_async_device_channel_unregister+0x68/0xc0\r\n\r\nLook at dma_async_device_register() function error path, channel device\nunregistration is done only if chan->local is not NULL.\r\n\r\nThen add the same condition at the beginning of\n__dma_async_device_channel_unregister() function, to avoid NULL pointer\nissue whatever the API used to reach this function.(CVE-2023-52492)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbus: mhi: host: Drop chan lock before queuing buffers\r\n\r\nEnsure read and write locks for the channel are not taken in succession by\ndropping the read lock from parse_xfer_event() such that a callback given\nto client can potentially queue buffers and acquire the write lock in that\nprocess. Any queueing of buffers should be done without channel read lock\nacquired as it can result in multiple locks and a soft lockup.\r\n\r\n[mani: added fixes tag and cc'ed stable](CVE-2023-52493)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbus: mhi: host: Add alignment check for event ring read pointer\r\n\r\nThough we do check the event ring read pointer by \"is_valid_ring_ptr\"\nto make sure it is in the buffer range, but there is another risk the\npointer may be not aligned.  Since we are expecting event ring elements\nare 128 bits(struct mhi_ring_element) aligned, an unaligned read pointer\ncould lead to multiple issues like DoS or ring buffer memory corruption.\r\n\r\nSo add a alignment check for event ring read pointer.(CVE-2023-52494)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nPM: sleep: Fix possible deadlocks in core system-wide PM code\r\n\r\nIt is reported that in low-memory situations the system-wide resume core\ncode deadlocks, because async_schedule_dev() executes its argument\nfunction synchronously if it cannot allocate memory (and not only in\nthat case) and that function attempts to acquire a mutex that is already\nheld.  Executing the argument function synchronously from within\ndpm_async_fn() may also be problematic for ordering reasons (it may\ncause a consumer device's resume callback to be invoked before a\nrequisite supplier device's one, for example).\r\n\r\nAddress this by changing the code in question to use\nasync_schedule_dev_nocall() for scheduling the asynchronous\nexecution of device suspend and resume functions and to directly\nrun them synchronously if async_schedule_dev_nocall() returns false.(CVE-2023-52498)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntee: amdtee: fix use-after-free vulnerability in amdtee_close_session\r\n\r\nThere is a potential race condition in amdtee_close_session that may\ncause use-after-free in amdtee_open_session. For instance, if a session\nhas refcount == 1, and one thread tries to free this session via:\r\n\r\n    kref_put(&sess->refcount, destroy_session);\r\n\r\nthe reference count will get decremented, and the next step would be to\ncall destroy_session(). However, if in another thread,\namdtee_open_session() is called before destroy_session() has completed\nexecution, alloc_session() may return 'sess' that will be freed up\nlater in destroy_session() leading to use-after-free in\namdtee_open_session.\r\n\r\nTo fix this issue, treat decrement of sess->refcount and removal of\n'sess' from session list in destroy_session() as a critical section, so\nthat it is executed atomically.(CVE-2023-52503)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nx86/alternatives: Disable KASAN in apply_alternatives()\r\n\r\nFei has reported that KASAN triggers during apply_alternatives() on\na 5-level paging machine:\r\n\r\n\tBUG: KASAN: out-of-bounds in rcu_is_watching()\n\tRead of size 4 at addr ff110003ee6419a0 by task swapper/0/0\n\t...\n\t__asan_load4()\n\trcu_is_watching()\n\ttrace_hardirqs_on()\n\ttext_poke_early()\n\tapply_alternatives()\n\t...\r\n\r\nOn machines with 5-level paging, cpu_feature_enabled(X86_FEATURE_LA57)\ngets patched. It includes KASAN code, where KASAN_SHADOW_START depends on\n__VIRTUAL_MASK_SHIFT, which is defined with cpu_feature_enabled().\r\n\r\nKASAN gets confused when apply_alternatives() patches the\nKASAN_SHADOW_START users. A test patch that makes KASAN_SHADOW_START\nstatic, by replacing __VIRTUAL_MASK_SHIFT with 56, works around the issue.\r\n\r\nFix it for real by disabling KASAN while the kernel is patching alternatives.\r\n\r\n[ mingo: updated the changelog ](CVE-2023-52504)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: nfc: llcp: Add lock when modifying device list\r\n\r\nThe device list needs its associated lock held when modifying it, or the\nlist could become corrupted, as syzbot discovered.(CVE-2023-52524)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nteam: fix null-ptr-deref when team device type is changed\r\n\r\nGet a null-ptr-deref bug as follows with reproducer [1].\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000228\n...\nRIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q]\n...\nCall Trace:\n <TASK>\n ? __die+0x24/0x70\n ? page_fault_oops+0x82/0x150\n ? exc_page_fault+0x69/0x150\n ? asm_exc_page_fault+0x26/0x30\n ? vlan_dev_hard_header+0x35/0x140 [8021q]\n ? vlan_dev_hard_header+0x8e/0x140 [8021q]\n neigh_connected_output+0xb2/0x100\n ip6_finish_output2+0x1cb/0x520\n ? nf_hook_slow+0x43/0xc0\n ? ip6_mtu+0x46/0x80\n ip6_finish_output+0x2a/0xb0\n mld_sendpack+0x18f/0x250\n mld_ifc_work+0x39/0x160\n process_one_work+0x1e6/0x3f0\n worker_thread+0x4d/0x2f0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe5/0x120\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\r\n\r\n[1]\n$ teamd -t team0 -d -c '{\"runner\": {\"name\": \"loadbalance\"}}'\n$ ip link add name t-dummy type dummy\n$ ip link add link t-dummy name t-dummy.100 type vlan id 100\n$ ip link add name t-nlmon type nlmon\n$ ip link set t-nlmon master team0\n$ ip link set t-nlmon nomaster\n$ ip link set t-dummy up\n$ ip link set team0 up\n$ ip link set t-dummy.100 down\n$ ip link set t-dummy.100 master team0\r\n\r\nWhen enslave a vlan device to team device and team device type is changed\nfrom non-ether to ether, header_ops of team device is changed to\nvlan_header_ops. That is incorrect and will trigger null-ptr-deref\nfor vlan->real_dev in vlan_dev_hard_header() because team device is not\na vlan device.\r\n\r\nCache eth_header_ops in team_setup(), then assign cached header_ops to\nheader_ops of team net device when its type is changed from non-ether\nto ether to fix the bug.(CVE-2023-52574)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/mm: Fix null-pointer dereference in pgtable_cache_add\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.(CVE-2023-52607)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfirmware: arm_scmi: Check mailbox/SMT channel for consistency\r\n\r\nOn reception of a completion interrupt the shared memory area is accessed\nto retrieve the message header at first and then, if the message sequence\nnumber identifies a transaction which is still pending, the related\npayload is fetched too.\r\n\r\nWhen an SCMI command times out the channel ownership remains with the\nplatform until eventually a late reply is received and, as a consequence,\nany further transmission attempt remains pending, waiting for the channel\nto be relinquished by the platform.\r\n\r\nOnce that late reply is received the channel ownership is given back\nto the agent and any pending request is then allowed to proceed and\noverwrite the SMT area of the just delivered late reply; then the wait\nfor the reply to the new request starts.\r\n\r\nIt has been observed that the spurious IRQ related to the late reply can\nbe wrongly associated with the freshly enqueued request: when that happens\nthe SCMI stack in-flight lookup procedure is fooled by the fact that the\nmessage header now present in the SMT area is related to the new pending\ntransaction, even though the real reply has still to arrive.\r\n\r\nThis race-condition on the A2P channel can be detected by looking at the\nchannel status bits: a genuine reply from the platform will have set the\nchannel free bit before triggering the completion IRQ.\r\n\r\nAdd a consistency check to validate such condition in the A2P ISR.(CVE-2023-52608)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nPCI: switchtec: Fix stdev_release() crash after surprise hot remove\r\n\r\nA PCI device hot removal may occur while stdev->cdev is held open. The call\nto stdev_release() then happens during close or exit, at a point way past\nswitchtec_pci_remove(). Otherwise the last ref would vanish with the\ntrailing put_device(), just before return.\r\n\r\nAt that later point in time, the devm cleanup has already removed the\nstdev->mmio_mrpc mapping. Also, the stdev->pdev reference was not a counted\none. Therefore, in DMA mode, the iowrite32() in stdev_release() will cause\na fatal page fault, and the subsequent dma_free_coherent(), if reached,\nwould pass a stale &stdev->pdev->dev pointer.\r\n\r\nFix by moving MRPC DMA shutdown into switchtec_pci_remove(), after\nstdev_kill(). Counting the stdev->pdev ref is now optional, but may prevent\nfuture accidents.\r\n\r\nReproducible via the script at\nhttps://lore.kernel.org/r/20231113212150.96410-1-dns@arista.com(CVE-2023-52617)\r\n\r\nA null pointer dereference vulnerability was found in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() in drivers/net/wireless/ath/ath10k/wmi-tlv.c in the Linux kernel. This issue could be exploited to trigger a denial of service.(CVE-2023-7042)\r\n\r\nA race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.\r\n\r\n\r\n\r\n\n(CVE-2024-24861)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: fix global oob in ksmbd_nl_policy\r\n\r\nSimilar to a reported issue (check the commit b33fb5b801c6 (\"net:\nqualcomm: rmnet: fix global oob in rmnet_policy\"), my local fuzzer finds\nanother global out-of-bounds read for policy ksmbd_nl_policy. See bug\ntrace below:\r\n\r\n==================================================================\nBUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline]\nBUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\nRead of size 1 at addr ffffffff8f24b100 by task syz-executor.1/62810\r\n\r\nCPU: 0 PID: 62810 Comm: syz-executor.1 Tainted: G                 N 6.1.0 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x172/0x475 mm/kasan/report.c:395\n kasan_report+0xbb/0x1c0 mm/kasan/report.c:495\n validate_nla lib/nlattr.c:386 [inline]\n __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\n __nla_parse+0x3e/0x50 lib/nlattr.c:697\n __nlmsg_parse include/net/netlink.h:748 [inline]\n genl_family_rcv_msg_attrs_parse.constprop.0+0x1b0/0x290 net/netlink/genetlink.c:565\n genl_family_rcv_msg_doit+0xda/0x330 net/netlink/genetlink.c:734\n genl_family_rcv_msg net/netlink/genetlink.c:833 [inline]\n genl_rcv_msg+0x441/0x780 net/netlink/genetlink.c:850\n netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540\n genl_rcv+0x24/0x40 net/netlink/genetlink.c:861\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg+0x154/0x190 net/socket.c:734\n ____sys_sendmsg+0x6df/0x840 net/socket.c:2482\n ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536\n __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fdd66a8f359\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fdd65e00168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007fdd66bbcf80 RCX: 00007fdd66a8f359\nRDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000003\nRBP: 00007fdd66ada493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007ffc84b81aff R14: 00007fdd65e00300 R15: 0000000000022000\n </TASK>\r\n\r\nThe buggy address belongs to the variable:\n ksmbd_nl_policy+0x100/0xa80\r\n\r\nThe buggy address belongs to the physical page:\npage:0000000034f47940 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ccc4b\nflags: 0x200000000001000(reserved|node=0|zone=2)\nraw: 0200000000001000 ffffea00073312c8 ffffea00073312c8 0000000000000000\nraw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\r\n\r\nMemory state around the buggy address:\n ffffffff8f24b000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffffffff8f24b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n>ffffffff8f24b100: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 07 f9\n                   ^\n ffffffff8f24b180: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 00 00 00 05\n ffffffff8f24b200: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 00 04 f9\n==================================================================\r\n\r\nTo fix it, add a placeholder named __KSMBD_EVENT_MAX and let\nKSMBD_EVENT_MAX to be its original value - 1 according to what other\nnetlink families do. Also change two sites that refer the\nKSMBD_EVENT_MAX to correct value.(CVE-2024-26608)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/smc: fix illegal rmb_desc access in SMC-D connection dump\r\n\r\nA crash was found when dumping SMC-D connections. It can be reproduced\nby following steps:\r\n\r\n- run nginx/wrk test:\n  smc_run nginx\n  smc_run wrk -t 16 -c 1000 -d <duration> -H 'Connection: Close' <URL>\r\n\r\n- continuously dump SMC-D connections in parallel:\n  watch -n 1 'smcss -D'\r\n\r\n BUG: kernel NULL pointer dereference, address: 0000000000000030\n CPU: 2 PID: 7204 Comm: smcss Kdump: loaded Tainted: G\tE      6.7.0+ #55\n RIP: 0010:__smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]\n Call Trace:\n  <TASK>\n  ? __die+0x24/0x70\n  ? page_fault_oops+0x66/0x150\n  ? exc_page_fault+0x69/0x140\n  ? asm_exc_page_fault+0x26/0x30\n  ? __smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]\n  ? __kmalloc_node_track_caller+0x35d/0x430\n  ? __alloc_skb+0x77/0x170\n  smc_diag_dump_proto+0xd0/0xf0 [smc_diag]\n  smc_diag_dump+0x26/0x60 [smc_diag]\n  netlink_dump+0x19f/0x320\n  __netlink_dump_start+0x1dc/0x300\n  smc_diag_handler_dump+0x6a/0x80 [smc_diag]\n  ? __pfx_smc_diag_dump+0x10/0x10 [smc_diag]\n  sock_diag_rcv_msg+0x121/0x140\n  ? __pfx_sock_diag_rcv_msg+0x10/0x10\n  netlink_rcv_skb+0x5a/0x110\n  sock_diag_rcv+0x28/0x40\n  netlink_unicast+0x22a/0x330\n  netlink_sendmsg+0x1f8/0x420\n  __sock_sendmsg+0xb0/0xc0\n  ____sys_sendmsg+0x24e/0x300\n  ? copy_msghdr_from_user+0x62/0x80\n  ___sys_sendmsg+0x7c/0xd0\n  ? __do_fault+0x34/0x160\n  ? do_read_fault+0x5f/0x100\n  ? do_fault+0xb0/0x110\n  ? __handle_mm_fault+0x2b0/0x6c0\n  __sys_sendmsg+0x4d/0x80\n  do_syscall_64+0x69/0x180\n  entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\nIt is possible that the connection is in process of being established\nwhen we dump it. Assumed that the connection has been registered in a\nlink group by smc_conn_create() but the rmb_desc has not yet been\ninitialized by smc_buf_create(), thus causing the illegal access to\nconn->rmb_desc. So fix it by checking before dump.(CVE-2024-26615)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: sh: aica: reorder cleanup operations to avoid UAF bugs\r\n\r\nThe dreamcastcard->timer could schedule the spu_dma_work and the\nspu_dma_work could also arm the dreamcastcard->timer.\r\n\r\nWhen the snd_pcm_substream is closing, the aica_channel will be\ndeallocated. But it could still be dereferenced in the worker\nthread. The reason is that del_timer() will return directly\nregardless of whether the timer handler is running or not and\nthe worker could be rescheduled in the timer handler. As a result,\nthe UAF bug will happen. The racy situation is shown below:\r\n\r\n      (Thread 1)                 |      (Thread 2)\nsnd_aicapcm_pcm_close()          |\n ...                             |  run_spu_dma() //worker\n                                 |    mod_timer()\n  flush_work()                   |\n  del_timer()                    |  aica_period_elapsed() //timer\n  kfree(dreamcastcard->channel)  |    schedule_work()\n                                 |  run_spu_dma() //worker\n  ...                            |    dreamcastcard->channel-> //USE\r\n\r\nIn order to mitigate this bug and other possible corner cases,\ncall mod_timer() conditionally in run_spu_dma(), then implement\nPCM sync_stop op to cancel both the timer and worker. The sync_stop\nop will be called from PCM core appropriately when needed.(CVE-2024-26654)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: fix use-after-free bug\r\n\r\nThe bug can be triggered by sending a single amdgpu_gem_userptr_ioctl\nto the AMDGPU DRM driver on any ASICs with an invalid address and size.\nThe bug was reported by Joonkyo Jung <joonkyoj@yonsei.ac.kr>.\nFor example the following code:\r\n\r\nstatic void Syzkaller1(int fd)\n{\n\tstruct drm_amdgpu_gem_userptr arg;\n\tint ret;\r\n\r\n\targ.addr = 0xffffffffffff0000;\n\targ.size = 0x80000000; /*2 Gb*/\n\targ.flags = 0x7;\n\tret = drmIoctl(fd, 0xc1186451/*amdgpu_gem_userptr_ioctl*/, &arg);\n}\r\n\r\nDue to the address and size are not valid there is a failure in\namdgpu_hmm_register->mmu_interval_notifier_insert->__mmu_interval_notifier_insert->\ncheck_shl_overflow, but we even the amdgpu_hmm_register failure we still call\namdgpu_hmm_unregister into  amdgpu_gem_object_free which causes access to a bad address.\nThe following stack is below when the issue is reproduced when Kazan is enabled:\r\n\r\n[  +0.000014] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020\n[  +0.000009] RIP: 0010:mmu_interval_notifier_remove+0x327/0x340\n[  +0.000017] Code: ff ff 49 89 44 24 08 48 b8 00 01 00 00 00 00 ad de 4c 89 f7 49 89 47 40 48 83 c0 22 49 89 47 48 e8 ce d1 2d 01 e9 32 ff ff ff <0f> 0b e9 16 ff ff ff 4c 89 ef e8 fa 14 b3 ff e9 36 ff ff ff e8 80\n[  +0.000014] RSP: 0018:ffffc90002657988 EFLAGS: 00010246\n[  +0.000013] RAX: 0000000000000000 RBX: 1ffff920004caf35 RCX: ffffffff8160565b\n[  +0.000011] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8881a9f78260\n[  +0.000010] RBP: ffffc90002657a70 R08: 0000000000000001 R09: fffff520004caf25\n[  +0.000010] R10: 0000000000000003 R11: ffffffff8161d1d6 R12: ffff88810e988c00\n[  +0.000010] R13: ffff888126fb5a00 R14: ffff88810e988c0c R15: ffff8881a9f78260\n[  +0.000011] FS:  00007ff9ec848540(0000) GS:ffff8883cc880000(0000) knlGS:0000000000000000\n[  +0.000012] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  +0.000010] CR2: 000055b3f7e14328 CR3: 00000001b5770000 CR4: 0000000000350ef0\n[  +0.000010] Call Trace:\n[  +0.000006]  <TASK>\n[  +0.000007]  ? show_regs+0x6a/0x80\n[  +0.000018]  ? __warn+0xa5/0x1b0\n[  +0.000019]  ? mmu_interval_notifier_remove+0x327/0x340\n[  +0.000018]  ? report_bug+0x24a/0x290\n[  +0.000022]  ? handle_bug+0x46/0x90\n[  +0.000015]  ? exc_invalid_op+0x19/0x50\n[  +0.000016]  ? asm_exc_invalid_op+0x1b/0x20\n[  +0.000017]  ? kasan_save_stack+0x26/0x50\n[  +0.000017]  ? mmu_interval_notifier_remove+0x23b/0x340\n[  +0.000019]  ? mmu_interval_notifier_remove+0x327/0x340\n[  +0.000019]  ? mmu_interval_notifier_remove+0x23b/0x340\n[  +0.000020]  ? __pfx_mmu_interval_notifier_remove+0x10/0x10\n[  +0.000017]  ? kasan_save_alloc_info+0x1e/0x30\n[  +0.000018]  ? srso_return_thunk+0x5/0x5f\n[  +0.000014]  ? __kasan_kmalloc+0xb1/0xc0\n[  +0.000018]  ? srso_return_thunk+0x5/0x5f\n[  +0.000013]  ? __kasan_check_read+0x11/0x20\n[  +0.000020]  amdgpu_hmm_unregister+0x34/0x50 [amdgpu]\n[  +0.004695]  amdgpu_gem_object_free+0x66/0xa0 [amdgpu]\n[  +0.004534]  ? __pfx_amdgpu_gem_object_free+0x10/0x10 [amdgpu]\n[  +0.004291]  ? do_syscall_64+0x5f/0xe0\n[  +0.000023]  ? srso_return_thunk+0x5/0x5f\n[  +0.000017]  drm_gem_object_free+0x3b/0x50 [drm]\n[  +0.000489]  amdgpu_gem_userptr_ioctl+0x306/0x500 [amdgpu]\n[  +0.004295]  ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[  +0.004270]  ? srso_return_thunk+0x5/0x5f\n[  +0.000014]  ? __this_cpu_preempt_check+0x13/0x20\n[  +0.000015]  ? srso_return_thunk+0x5/0x5f\n[  +0.000013]  ? sysvec_apic_timer_interrupt+0x57/0xc0\n[  +0.000020]  ? srso_return_thunk+0x5/0x5f\n[  +0.000014]  ? asm_sysvec_apic_timer_interrupt+0x1b/0x20\n[  +0.000022]  ? drm_ioctl_kernel+0x17b/0x1f0 [drm]\n[  +0.000496]  ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[  +0.004272]  ? drm_ioctl_kernel+0x190/0x1f0 [drm]\n[  +0.000492]  drm_ioctl_kernel+0x140/0x1f0 [drm]\n[  +0.000497]  ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[  +0.004297]  ? __pfx_drm_ioctl_kernel+0x10/0x10 [d\n---truncated---(CVE-2024-26656)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix hang in nilfs_lookup_dirty_data_buffers()\r\n\r\nSyzbot reported a hang issue in migrate_pages_batch() called by mbind()\nand nilfs_lookup_dirty_data_buffers() called in the log writer of nilfs2.\r\n\r\nWhile migrate_pages_batch() locks a folio and waits for the writeback to\ncomplete, the log writer thread that should bring the writeback to\ncompletion picks up the folio being written back in\nnilfs_lookup_dirty_data_buffers() that it calls for subsequent log\ncreation and was trying to lock the folio.  Thus causing a deadlock.\r\n\r\nIn the first place, it is unexpected that folios/pages in the middle of\nwriteback will be updated and become dirty.  Nilfs2 adds a checksum to\nverify the validity of the log being written and uses it for recovery at\nmount, so data changes during writeback are suppressed.  Since this is\nbroken, an unclean shutdown could potentially cause recovery to fail.\r\n\r\nInvestigation revealed that the root cause is that the wait for writeback\ncompletion in nilfs_page_mkwrite() is conditional, and if the backing\ndevice does not require stable writes, data may be modified without\nwaiting.\r\n\r\nFix these issues by making nilfs_page_mkwrite() wait for writeback to\nfinish regardless of the stable write requirement of the backing device.(CVE-2024-26696)",
+    "cves": [
+      {
+        "id": "CVE-2024-26696",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26696",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1215": {
+    "id": "openEuler-SA-2024-1215",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1215",
+    "title": "An update for OpenEXR is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light & Magic for use in computer imaging applications.\r\n\r\nSecurity Fix(es):\r\n\r\nDue to a failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data, Academy Software Foundation OpenEX image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability. This issue was resolved as of versions v3.2.2 and v3.1.12 of the affected library.\n(CVE-2023-5841)",
+    "cves": [
+      {
+        "id": "CVE-2023-5841",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5841",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1296": {
+    "id": "openEuler-SA-2021-1296",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1296",
+    "title": "An update for glibc is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt,  login, exit and more.\r\n\r\nSecurity Fix(es):\r\n\r\nAn integer overflow flaw was found in glibc that may result in reading of arbitrary memory when wordexp is used with a specially crafted untrusted regular expression input.(CVE-2021-35942)",
+    "cves": [
+      {
+        "id": "CVE-2021-35942",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35942",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1270": {
+    "id": "openEuler-SA-2024-1270",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1270",
+    "title": "An update for glade is now available for openEuler-20.03-LTS-SP1,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Glade is a RAD tool to enable quick and easy development of user interfaces for the GTK+ toolkit and the GNOME desktop environment.\r\n\r\nSecurity Fix(es):\r\n\r\nplugins/gtk+/glade-gtk-box.c in GNOME Glade before 3.38.1 and 3.39.x before 3.40.0 mishandles widget rebuilding for GladeGtkBox, leading to a denial of service (application crash).(CVE-2020-36774)",
+    "cves": [
+      {
+        "id": "CVE-2020-36774",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36774",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1328": {
+    "id": "openEuler-SA-2023-1328",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1328",
+    "title": "An update for hdf5 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "HDF5 is a data model, library, and file format for storing and managing data. It supports an unlimited variety of datatypes, and is designed for flexible and efficient I/O and for high volume and complex data. HDF5 is portable and is extensible, allowing applications to evolve in their use of HDF5. The HDF5 Technology suite includes tools and applications for managing, manipulating, viewing, and analyzing data in the HDF5 format.\r\n\r\nSecurity Fix(es):\r\n\r\nA buffer overflow in H5O__layout_encode in H5Olayout.c in the HDF HDF5 through 1.10.4 library allows attackers to cause a denial of service via a crafted HDF5 file. This issue was triggered while repacking an HDF5 file, aka \"Invalid write of size 2.\"(CVE-2019-8396)\r\n\r\nAn issue was discovered in the HDF HDF5 1.8.20 library. There is an out of bounds read in the function H5F__accum_read in H5Faccum.c.(CVE-2018-13867)\r\n\r\nAn issue was discovered in the HDF HDF5 1.8.20 library. There is a heap-based buffer over-read in the function H5O_layout_decode in H5Olayout.c, related to HDmemcpy.(CVE-2018-14033)\r\n\r\nAn issue was discovered in the HDF HDF5 1.8.20 library. There is a heap-based buffer over-read in the function H5O_sdspace_decode in H5Osdspace.c.(CVE-2018-14460)\r\n\r\nAn issue was discovered in HDF5 through 1.12.0. A heap-based buffer over-read exists in the function H5O__layout_decode() located in H5Olayout.c. It allows an attacker to cause Denial of Service.(CVE-2020-10811)\r\n\r\nBuffer Overflow vulnerability in HDFGroup hdf5-h5dump 1.12.0 through 1.13.0 allows attackers to cause a denial of service via h5tools_str_sprint in /hdf5/tools/lib/h5tools_str.c.(CVE-2021-37501)",
+    "cves": [
+      {
+        "id": "CVE-2021-37501",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37501",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1765": {
+    "id": "openEuler-SA-2023-1765",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1765",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Netfilter subsystem in the Linux kernel. The xt_u32 module did not validate the fields in the xt_u32 structure. This flaw allows a local privileged attacker to trigger an out-of-bounds read by setting the size fields with a value beyond the array boundaries, leading to a crash or information disclosure.(CVE-2023-39192)\r\n\r\nA NULL pointer dereference flaw was found in the Linux kernel ipv4 stack. The socket buffer (skb) was assumed to be associated with a device before calling __ip_options_compile, which is not always the case if the skb is re-routed by ipvs. This issue may allow a local user with CAP_NET_ADMIN privileges to crash the system.(CVE-2023-42754)\r\n\r\nAn issue was discovered in drivers/net/ethernet/intel/igb/igb_main.c in the IGB driver in the Linux kernel before 6.5.3. A buffer size may not be adequate for frames larger than the MTU.(CVE-2023-45871)",
+    "cves": [
+      {
+        "id": "CVE-2023-45871",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45871",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1186": {
+    "id": "openEuler-SA-2021-1186",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1186",
+    "title": "An update for binutils is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nThere's a flaw in the BFD library of binutils in versions before 2.36. An attacker who supplies a crafted file to an application linked with BFD, and using the DWARF functionality, could cause an impact to system availability by way of excessive memory consumption.(CVE-2021-3487)",
+    "cves": [
+      {
+        "id": "CVE-2021-3487",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3487",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1913": {
+    "id": "openEuler-SA-2023-1913",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1913",
+    "title": "An update for curl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nThis flaw allows a malicious HTTP server to set \"super cookies\" in curl that\nare then passed back to more origins than what is otherwise allowed or\npossible. This allows a site to set cookies that then would get sent to\ndifferent and unrelated sites and domains.\r\n\r\nIt could do this by exploiting a mixed case flaw in curl's function that\nverifies a given cookie domain against the Public Suffix List (PSL). For\nexample a cookie could be set with `domain=co.UK` when the URL used a lower\ncase hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.\n(CVE-2023-46218)",
+    "cves": [
+      {
+        "id": "CVE-2023-46218",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46218",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2015": {
+    "id": "openEuler-SA-2022-2015",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2015",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() in the Linux kernel’s filesystem sub-component. This flaw allows a local attacker with a user privilege to cause a denial of service.(CVE-2022-1184)\r\n\r\nA race condition flaw was found in the Linux kernel sound subsystem due to improper locking. It could lead to a NULL pointer dereference while handling the SNDCTL_DSP_SYNC ioctl. A privileged local user (root or member of the audio group) could use this flaw to crash the system, resulting in a denial of service condition(CVE-2022-3303)\r\n\r\ndrivers/video/fbdev/smscufx.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a USB device while calling open(), aka a race condition between ufx_ops_open and ufx_usb_disconnect.(CVE-2022-41849)\r\n\r\nIn binder_inc_ref_for_node of binder.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-239630375References: Upstream kernel(CVE-2022-20421)\r\n\r\nIn emulation_proc_handler of armv8_deprecated.c, there is a possible way to corrupt memory due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-237540956References: Upstream kernel(CVE-2022-20422)\n\nA vulnerability classified as problematic has been found in Linux Kernel. This affects the function fib_nh_match of the file net/ipv4/fib_semantics.c of the component IPv4 Handler. The manipulation leads to out-of-bounds read. It is possible to initiate the attack remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-210357 was assigned to this vulnerability.(CVE-2022-3435)\n\nAn issue was discovered in the Linux kernel before 5.19.16. Attackers able to inject WLAN frames could cause a buffer overflow in the ieee80211_bss_info_update function in net/mac80211/scan.c.(CVE-2022-41674)\n\nroccat_report_event in drivers/hid/hid-roccat.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free in certain situations where a report is received while copying a report->value is in progress.(CVE-2022-41850)\n\nmm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.(CVE-2022-42703)\n\nA use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code.(CVE-2022-42719)\n\nVarious refcounting bugs in the multi-BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to trigger use-after-free conditions to potentially execute code.(CVE-2022-42720)\n\nA list management bug in BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to corrupt a linked list and, in turn, potentially execute code.(CVE-2022-42721)",
+    "cves": [
+      {
+        "id": "CVE-2022-42721",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42721",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1188": {
+    "id": "openEuler-SA-2024-1188",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1188",
+    "title": "An update for libgit2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language which supports C bindings.\r\n\r\nSecurity Fix(es):\r\n\r\nlibgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2.(CVE-2024-24577)",
+    "cves": [
+      {
+        "id": "CVE-2024-24577",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24577",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1484": {
+    "id": "openEuler-SA-2023-1484",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1484",
+    "title": "An update for sqlite is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "SQLite is a C-language library that implements a small, fast, self-contained, high-reliability, full-featured, SQL database engine. SQLite is the most used database engine in the world. SQLite is built into all mobile phones and most computers and comes bundled inside countless other applications that people use every day.It also include lemon and sqlite3_analyzer and tcl tools.\r\n\r\nSecurity Fix(es):\r\n\r\nsqlite3 v3.40.1 was discovered to contain a segmentation violation at /sqlite3_aflpp/shell.c.(CVE-2023-36191)",
+    "cves": [
+      {
+        "id": "CVE-2023-36191",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36191",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1940": {
+    "id": "openEuler-SA-2022-1940",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1940",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the \"virt_ext\" field, this issue could allow a malicious L1 to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape.(CVE-2021-3656)\r\n\r\nAn out of memory bounds write flaw (1 or 2 bytes of memory) in the Linux kernel NFS subsystem was found in the way users use mirroring (replication of files with NFS). A user, having access to the NFS mount, could potentially use this flaw to crash the system or escalate privileges on the system.(CVE-2021-4157)\r\n\r\nA flaw was found in the sctp_make_strreset_req function in net/sctp/sm_make_chunk.c in the SCTP network protocol in the Linux kernel with a local user privilege access. In this flaw, an attempt to use more buffer than is allocated triggers a BUG_ON issue, leading to a denial of service (DOS).(CVE-2022-0322)\r\n\r\n** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.(CVE-2021-3894)\r\n\r\nIn the Linux kernel before 5.15.3, fs/quota/quota_tree.c does not validate the block number in the quota tree (on disk). This can, for example, lead to a kernel/locking/rwsem.c use-after-free if there is a corrupted quota file.(CVE-2021-45868)\n\nA NULL pointer dereference flaw in diFree in fs/jfs/inode.c in Journaled File System (JFS)in the Linux kernel. This could allow a local attacker to crash the system or leak kernel internal information.(CVE-2022-3202)",
+    "cves": [
+      {
+        "id": "CVE-2022-3202",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3202",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1325": {
+    "id": "openEuler-SA-2023-1325",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1325",
+    "title": "An update for hdf5 is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "HDF5 is a data model, library, and file format for storing and managing data. It supports an unlimited variety of datatypes, and is designed for flexible and efficient I/O and for high volume and complex data. HDF5 is portable and is extensible, allowing applications to evolve in their use of HDF5. The HDF5 Technology suite includes tools and applications for managing, manipulating, viewing, and analyzing data in the HDF5 format.\r\n\r\nSecurity Fix(es):\r\n\r\nA buffer overflow in H5O__layout_encode in H5Olayout.c in the HDF HDF5 through 1.10.4 library allows attackers to cause a denial of service via a crafted HDF5 file. This issue was triggered while repacking an HDF5 file, aka \"Invalid write of size 2.\"(CVE-2019-8396)\r\n\r\nAn issue was discovered in the HDF HDF5 1.8.20 library. There is an out of bounds read in the function H5F__accum_read in H5Faccum.c.(CVE-2018-13867)\r\n\r\nAn issue was discovered in the HDF HDF5 1.8.20 library. There is a heap-based buffer over-read in the function H5O_layout_decode in H5Olayout.c, related to HDmemcpy.(CVE-2018-14033)\r\n\r\nAn issue was discovered in the HDF HDF5 1.8.20 library. There is a heap-based buffer over-read in the function H5O_sdspace_decode in H5Osdspace.c.(CVE-2018-14460)\r\n\r\nAn issue was discovered in HDF5 through 1.12.0. A heap-based buffer over-read exists in the function H5O__layout_decode() located in H5Olayout.c. It allows an attacker to cause Denial of Service.(CVE-2020-10811)\r\n\r\nBuffer Overflow vulnerability in HDFGroup hdf5-h5dump 1.12.0 through 1.13.0 allows attackers to cause a denial of service via h5tools_str_sprint in /hdf5/tools/lib/h5tools_str.c.(CVE-2021-37501)",
+    "cves": [
+      {
+        "id": "CVE-2021-37501",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37501",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1628": {
+    "id": "openEuler-SA-2022-1628",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1628",
+    "title": "An update for evolution-data-server is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The evolution-data-server package provides a personal information management application that provides integrated mail, calendaring and address book functionality. The evolution-data-server package provides a single database for common, desktop-wide information, such as a user's address book or calendar events.\r\n\r\nSecurity Fix(es):\r\n\r\nIn GNOME evolution-data-server before 3.35.91, a malicious server can crash the mail client with a NULL pointer dereference by sending an invalid (e.g., minimal) CAPABILITY line on a connection attempt. This is related to imapx_free_capability and imapx_connect_to_server.(CVE-2020-16117)",
+    "cves": [
+      {
+        "id": "CVE-2020-16117",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16117",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1368": {
+    "id": "openEuler-SA-2024-1368",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1368",
+    "title": "An update for firefox is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Mozilla Firefox is a standalone web browser, designed for standards compliance and performance.  Its functionality can be enhanced via a plethora of extensions.\r\n\r\nSecurity Fix(es):\r\n\r\nIf an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1.(CVE-2022-1802)",
+    "cves": [
+      {
+        "id": "CVE-2022-1802",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1802",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1743": {
+    "id": "openEuler-SA-2022-1743",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1743",
+    "title": "An update for containerd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "containerd is an industry-standard container runtime with an emphasis on simplicity, robustness and portability.  It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervision, low-level storage and network attachments, etc.\r\n\r\nSecurity Fix(es):\r\n\r\ncontainerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an \"exec\" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used.(CVE-2022-31030)",
+    "cves": [
+      {
+        "id": "CVE-2022-31030",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31030",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1778": {
+    "id": "openEuler-SA-2022-1778",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1778",
+    "title": "An update for openvswitch is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Open vSwitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license.\r\n\r\nSecurity Fix(es):\r\n\r\nA memory leak was found in Open vSwitch (OVS) during userspace IP fragmentation processing. An attacker could use this flaw to potentially exhaust available memory by keeping sending packet fragments.(CVE-2021-3905)",
+    "cves": [
+      {
+        "id": "CVE-2021-3905",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3905",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1340": {
+    "id": "openEuler-SA-2023-1340",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1340",
+    "title": "An update for c-ares is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "This is c-ares, an asynchronous resolver library. It is intended for applications which need to perform DNS queries without blocking, or need to perform multiple\r\n\r\nSecurity Fix(es):\r\n\r\nc-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.(CVE-2023-31147)",
+    "cves": [
+      {
+        "id": "CVE-2023-31147",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31147",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1601": {
+    "id": "openEuler-SA-2022-1601",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1601",
+    "title": "An update for gstreamer1-plugins-base is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "GStreamer is a graphics library for built-in media processing components. BasePlug-ins is a the collections used to maintain the GStreamer plugin.\r\n\r\nSecurity Fix(es):\r\n\r\nGStreamer before 1.18.4 may perform an out-of-bounds read when handling certain ID3v2 tags.(CVE-2021-3522)",
+    "cves": [
+      {
+        "id": "CVE-2021-3522",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3522",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1330": {
+    "id": "openEuler-SA-2024-1330",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1330",
+    "title": "An update for python-yaql is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "YAQL (Yet Another Query Language) is an embeddable and extensible query language, that allows performing complex queries against arbitrary objects. It has a vast and comprehensive standard library of frequently used querying functions and can be extend even further with user-specified functions. YAQL is written in python and is distributed via PyPI.\r\n\r\nSecurity Fix(es):\r\n\r\nIn OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information.(CVE-2024-29156)",
+    "cves": [
+      {
+        "id": "CVE-2024-29156",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29156",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1167": {
+    "id": "openEuler-SA-2024-1167",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1167",
+    "title": "An update for python-django is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.(CVE-2024-24680)",
+    "cves": [
+      {
+        "id": "CVE-2024-24680",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24680",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1207": {
+    "id": "openEuler-SA-2024-1207",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1207",
+    "title": "An update for openvswitch is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Open vSwitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Open vSwitch where multiple versions are vulnerable to crafted Geneve packets, which may result in a denial of service and invalid memory accesses. Triggering this issue requires that hardware offloading via the netlink path is enabled.(CVE-2023-3966)",
+    "cves": [
+      {
+        "id": "CVE-2023-3966",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3966",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1337": {
+    "id": "openEuler-SA-2023-1337",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1337",
+    "title": "An update for cpio is now available for openEuler-22.03-LTS",
+    "severity": "Low",
+    "description": "GNU cpio copies files into or out of a cpio or tar archive.The archive can be another file on the disk, a magnetic tape, or a pipe.\r\n\r\nSecurity Fix(es):\r\n\r\ncpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive.(CVE-2015-1197)",
+    "cves": [
+      {
+        "id": "CVE-2015-1197",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1197",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1875": {
+    "id": "openEuler-SA-2023-1875",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1875",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.(CVE-2023-1544)",
+    "cves": [
+      {
+        "id": "CVE-2023-1544",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1544",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1921": {
+    "id": "openEuler-SA-2023-1921",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1921",
+    "title": "An update for jackson-databind is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The general-purpose data-binding functionality and tree-model for Jackson Data Processor. It builds on core streaming parser/generator package, and uses Jackson Annotations for configuration.\r\n\r\nSecurity Fix(es):\r\n\r\njackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.(CVE-2020-36518)\r\n\r\nIn FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1(CVE-2022-42003)\r\n\r\nIn FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.(CVE-2022-42004)",
+    "cves": [
+      {
+        "id": "CVE-2022-42004",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1792": {
+    "id": "openEuler-SA-2024-1792",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1792",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs\r\n\r\nIt is observed sometimes when tethering is used over NCM with Windows 11\nas host, at some instances, the gadget_giveback has one byte appended at\nthe end of a proper NTB. When the NTB is parsed, unwrap call looks for\nany leftover bytes in SKB provided by u_ether and if there are any pending\nbytes, it treats them as a separate NTB and parses it. But in case the\nsecond NTB (as per unwrap call) is faulty/corrupt, all the datagrams that\nwere parsed properly in the first NTB and saved in rx_list are dropped.\r\n\r\nAdding a few custom traces showed the following:\n[002] d..1  7828.532866: dwc3_gadget_giveback: ep1out:\nreq 000000003868811a length 1025/16384 zsI ==> 0\n[002] d..1  7828.532867: ncm_unwrap_ntb: K: ncm_unwrap_ntb toprocess: 1025\n[002] d..1  7828.532867: ncm_unwrap_ntb: K: ncm_unwrap_ntb nth: 1751999342\n[002] d..1  7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb seq: 0xce67\n[002] d..1  7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb blk_len: 0x400\n[002] d..1  7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb ndp_len: 0x10\n[002] d..1  7828.532869: ncm_unwrap_ntb: K: Parsed NTB with 1 frames\r\n\r\nIn this case, the giveback is of 1025 bytes and block length is 1024.\nThe rest 1 byte (which is 0x00) won't be parsed resulting in drop of\nall datagrams in rx_list.\r\n\r\nSame is case with packets of size 2048:\n[002] d..1  7828.557948: dwc3_gadget_giveback: ep1out:\nreq 0000000011dfd96e length 2049/16384 zsI ==> 0\n[002] d..1  7828.557949: ncm_unwrap_ntb: K: ncm_unwrap_ntb nth: 1751999342\n[002] d..1  7828.557950: ncm_unwrap_ntb: K: ncm_unwrap_ntb blk_len: 0x800\r\n\r\nLecroy shows one byte coming in extra confirming that the byte is coming\nin from PC:\r\n\r\n Transfer 2959 - Bytes Transferred(1025)  Timestamp((18.524 843 590)\n - Transaction 8391 - Data(1025 bytes) Timestamp(18.524 843 590)\n --- Packet 4063861\n       Data(1024 bytes)\n       Duration(2.117us) Idle(14.700ns) Timestamp(18.524 843 590)\n --- Packet 4063863\n       Data(1 byte)\n       Duration(66.160ns) Time(282.000ns) Timestamp(18.524 845 722)\r\n\r\nAccording to Windows driver, no ZLP is needed if wBlockLength is non-zero,\nbecause the non-zero wBlockLength has already told the function side the\nsize of transfer to be expected. However, there are in-market NCM devices\nthat rely on ZLP as long as the wBlockLength is multiple of wMaxPacketSize.\nTo deal with such devices, it pads an extra 0 at end so the transfer is no\nlonger multiple of wMaxPacketSize.(CVE-2024-27405)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: fix potential \"struct net\" leak in inet6_rtm_getaddr()\r\n\r\nIt seems that if userspace provides a correct IFA_TARGET_NETNSID value\nbut no IFA_ADDRESS and IFA_LOCAL attributes, inet6_rtm_getaddr()\nreturns -EINVAL with an elevated \"struct net\" refcount.(CVE-2024-27417)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: flush pending destroy work before exit_net release\r\n\r\nSimilar to 2c9f0293280e (\"netfilter: nf_tables: flush pending destroy\nwork before netlink notifier\") to address a race between exit_net and\nthe destroy workqueue.\r\n\r\nThe trace below shows an element to be released via destroy workqueue\nwhile exit_net path (triggered via module removal) has already released\nthe set that is used in such transaction.\r\n\r\n[ 1360.547789] BUG: KASAN: slab-use-after-free in nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.547861] Read of size 8 at addr ffff888140500cc0 by task kworker/4:1/152465\n[ 1360.547870] CPU: 4 PID: 152465 Comm: kworker/4:1 Not tainted 6.8.0+ #359\n[ 1360.547882] Workqueue: events nf_tables_trans_destroy_work [nf_tables]\n[ 1360.547984] Call Trace:\n[ 1360.547991]  <TASK>\n[ 1360.547998]  dump_stack_lvl+0x53/0x70\n[ 1360.548014]  print_report+0xc4/0x610\n[ 1360.548026]  ? __virt_addr_valid+0xba/0x160\n[ 1360.548040]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[ 1360.548054]  ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548176]  kasan_report+0xae/0xe0\n[ 1360.548189]  ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548312]  nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548447]  ? __pfx_nf_tables_trans_destroy_work+0x10/0x10 [nf_tables]\n[ 1360.548577]  ? _raw_spin_unlock_irq+0x18/0x30\n[ 1360.548591]  process_one_work+0x2f1/0x670\n[ 1360.548610]  worker_thread+0x4d3/0x760\n[ 1360.548627]  ? __pfx_worker_thread+0x10/0x10\n[ 1360.548640]  kthread+0x16b/0x1b0\n[ 1360.548653]  ? __pfx_kthread+0x10/0x10\n[ 1360.548665]  ret_from_fork+0x2f/0x50\n[ 1360.548679]  ? __pfx_kthread+0x10/0x10\n[ 1360.548690]  ret_from_fork_asm+0x1a/0x30\n[ 1360.548707]  </TASK>\r\n\r\n[ 1360.548719] Allocated by task 192061:\n[ 1360.548726]  kasan_save_stack+0x20/0x40\n[ 1360.548739]  kasan_save_track+0x14/0x30\n[ 1360.548750]  __kasan_kmalloc+0x8f/0xa0\n[ 1360.548760]  __kmalloc_node+0x1f1/0x450\n[ 1360.548771]  nf_tables_newset+0x10c7/0x1b50 [nf_tables]\n[ 1360.548883]  nfnetlink_rcv_batch+0xbc4/0xdc0 [nfnetlink]\n[ 1360.548909]  nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink]\n[ 1360.548927]  netlink_unicast+0x367/0x4f0\n[ 1360.548935]  netlink_sendmsg+0x34b/0x610\n[ 1360.548944]  ____sys_sendmsg+0x4d4/0x510\n[ 1360.548953]  ___sys_sendmsg+0xc9/0x120\n[ 1360.548961]  __sys_sendmsg+0xbe/0x140\n[ 1360.548971]  do_syscall_64+0x55/0x120\n[ 1360.548982]  entry_SYSCALL_64_after_hwframe+0x55/0x5d\r\n\r\n[ 1360.548994] Freed by task 192222:\n[ 1360.548999]  kasan_save_stack+0x20/0x40\n[ 1360.549009]  kasan_save_track+0x14/0x30\n[ 1360.549019]  kasan_save_free_info+0x3b/0x60\n[ 1360.549028]  poison_slab_object+0x100/0x180\n[ 1360.549036]  __kasan_slab_free+0x14/0x30\n[ 1360.549042]  kfree+0xb6/0x260\n[ 1360.549049]  __nft_release_table+0x473/0x6a0 [nf_tables]\n[ 1360.549131]  nf_tables_exit_net+0x170/0x240 [nf_tables]\n[ 1360.549221]  ops_exit_list+0x50/0xa0\n[ 1360.549229]  free_exit_list+0x101/0x140\n[ 1360.549236]  unregister_pernet_operations+0x107/0x160\n[ 1360.549245]  unregister_pernet_subsys+0x1c/0x30\n[ 1360.549254]  nf_tables_module_exit+0x43/0x80 [nf_tables]\n[ 1360.549345]  __do_sys_delete_module+0x253/0x370\n[ 1360.549352]  do_syscall_64+0x55/0x120\n[ 1360.549360]  entry_SYSCALL_64_after_hwframe+0x55/0x5d\r\n\r\n(gdb) list *__nft_release_table+0x473\n0x1e033 is in __nft_release_table (net/netfilter/nf_tables_api.c:11354).\n11349           list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {\n11350                   list_del(&flowtable->list);\n11351                   nft_use_dec(&table->use);\n11352                   nf_tables_flowtable_destroy(flowtable);\n11353           }\n11354           list_for_each_entry_safe(set, ns, &table->sets, list) {\n11355                   list_del(&set->list);\n11356                   nft_use_dec(&table->use);\n11357                   if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))\n11358                           nft_map_deactivat\n---truncated---(CVE-2024-35899)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndyndbg: fix old BUG_ON in >control parser\r\n\r\nFix a BUG_ON from 2009.  Even if it looks \"unreachable\" (I didn't\nreally look), lets make sure by removing it, doing pr_err and return\n-EINVAL instead.(CVE-2024-35947)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP\r\n\r\nIf one TCA_TAPRIO_ATTR_PRIOMAP attribute has been provided,\ntaprio_parse_mqprio_opt() must validate it, or userspace\ncan inject arbitrary data to the kernel, the second time\ntaprio_change() is called.\r\n\r\nFirst call (with valid attributes) sets dev->num_tc\nto a non zero value.\r\n\r\nSecond call (with arbitrary mqprio attributes)\nreturns early from taprio_parse_mqprio_opt()\nand bad things can happen.(CVE-2024-36974)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: Fix shift-out-of-bounds in dctcp_update_alpha().\r\n\r\nIn dctcp_update_alpha(), we use a module parameter dctcp_shift_g\nas follows:\r\n\r\n  alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g);\n  ...\n  delivered_ce <<= (10 - dctcp_shift_g);\r\n\r\nIt seems syzkaller started fuzzing module parameters and triggered\nshift-out-of-bounds [0] by setting 100 to dctcp_shift_g:\r\n\r\n  memcpy((void*)0x20000080,\n         \"/sys/module/tcp_dctcp/parameters/dctcp_shift_g\\000\", 47);\n  res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul,\n                /*flags=*/2ul, /*mode=*/0ul);\n  memcpy((void*)0x20000000, \"100\\000\", 4);\n  syscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000000ul, /*len=*/4ul);\r\n\r\nLet's limit the max value of dctcp_shift_g by param_set_uint_minmax().\r\n\r\nWith this patch:\r\n\r\n  # echo 10 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n  # cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n  10\n  # echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n  -bash: echo: write error: Invalid argument\r\n\r\n[0]:\nUBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12\nshift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int')\nCPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468\n dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143\n tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline]\n tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948\n tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711\n tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937\n sk_backlog_rcv include/net/sock.h:1106 [inline]\n __release_sock+0x20f/0x350 net/core/sock.c:2983\n release_sock+0x61/0x1f0 net/core/sock.c:3549\n mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907\n mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976\n __mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072\n mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127\n inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437\n __sock_release net/socket.c:659 [inline]\n sock_close+0xc0/0x240 net/socket.c:1421\n __fput+0x41b/0x890 fs/file_table.c:422\n task_work_run+0x23b/0x300 kernel/task_work.c:180\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0x9c8/0x2540 kernel/exit.c:878\n do_group_exit+0x201/0x2b0 kernel/exit.c:1027\n __do_sys_exit_group kernel/exit.c:1038 [inline]\n __se_sys_exit_group kernel/exit.c:1036 [inline]\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\nRIP: 0033:0x7f6c2b5005b6\nCode: Unable to access opcode bytes at 0x7f6c2b50058c.\nRSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6\nRDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001\nRBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0\nR10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0\nR13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n </TASK>(CVE-2024-37356)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: bridge: xmit: make sure we have at least eth header len bytes\r\n\r\nsyzbot triggered an uninit value[1] error in bridge device's xmit path\nby sending a short (less than ETH_HLEN bytes) skb. To fix it check if\nwe can actually pull that amount instead of assuming.\r\n\r\nTested with dropwatch:\n drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3)\n origin: software\n timestamp: Mon May 13 11:31:53 2024 778214037 nsec\n protocol: 0x88a8\n length: 2\n original length: 2\n drop reason: PKT_TOO_SMALL\r\n\r\n[1]\nBUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65\n br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65\n __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n xmit_one net/core/dev.c:3531 [inline]\n dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\n __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n __bpf_tx_skb net/core/filter.c:2136 [inline]\n __bpf_redirect_common net/core/filter.c:2180 [inline]\n __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187\n ____bpf_clone_redirect net/core/filter.c:2460 [inline]\n bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432\n ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997\n __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238\n bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]\n __bpf_prog_run include/linux/filter.h:657 [inline]\n bpf_prog_run include/linux/filter.h:664 [inline]\n bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425\n bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058\n bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269\n __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678\n __do_sys_bpf kernel/bpf/syscall.c:5767 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5765 [inline]\n __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765\n x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f(CVE-2024-38538)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nof: module: add buffer overflow check in of_modalias()\r\n\r\nIn of_modalias(), if the buffer happens to be too small even for the 1st\nsnprintf() call, the len parameter will become negative and str parameter\n(if not NULL initially) will point beyond the buffer's end. Add the buffer\noverflow check after the 1st snprintf() call and fix such check after the\nstrlen() call (accounting for the terminating NUL char).(CVE-2024-38541)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/mediatek: Add 0 size check to mtk_drm_gem_obj\r\n\r\nAdd a check to mtk_drm_gem_init if we attempt to allocate a GEM object\nof 0 bytes. Currently, no such check exists and the kernel will panic if\na userspace application attempts to allocate a 0x0 GBM buffer.\r\n\r\nTested by attempting to allocate a 0x0 GBM buffer on an MT8188 and\nverifying that we now return EINVAL.(CVE-2024-38549)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: fec: remove .ndo_poll_controller to avoid deadlocks\r\n\r\nThere is a deadlock issue found in sungem driver, please refer to the\ncommit ac0a230f719b (\"eth: sungem: remove .ndo_poll_controller to avoid\ndeadlocks\"). The root cause of the issue is that netpoll is in atomic\ncontext and disable_irq() is called by .ndo_poll_controller interface\nof sungem driver, however, disable_irq() might sleep. After analyzing\nthe implementation of fec_poll_controller(), the fec driver should have\nthe same issue. Due to the fec driver uses NAPI for TX completions, the\n.ndo_poll_controller is unnecessary to be implemented in the fec driver,\nso fec_poll_controller() can be safely removed.(CVE-2024-38553)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5: Discard command completions in internal error\r\n\r\nFix use after free when FW completion arrives while device is in\ninternal error state. Avoid calling completion handler in this case,\nsince the device will flush the command interface and trigger all\ncompletions manually.\r\n\r\nKernel log:\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\n...\nRIP: 0010:refcount_warn_saturate+0xd8/0xe0\n...\nCall Trace:\n<IRQ>\n? __warn+0x79/0x120\n? refcount_warn_saturate+0xd8/0xe0\n? report_bug+0x17c/0x190\n? handle_bug+0x3c/0x60\n? exc_invalid_op+0x14/0x70\n? asm_exc_invalid_op+0x16/0x20\n? refcount_warn_saturate+0xd8/0xe0\ncmd_ent_put+0x13b/0x160 [mlx5_core]\nmlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core]\ncmd_comp_notifier+0x1f/0x30 [mlx5_core]\nnotifier_call_chain+0x35/0xb0\natomic_notifier_call_chain+0x16/0x20\nmlx5_eq_async_int+0xf6/0x290 [mlx5_core]\nnotifier_call_chain+0x35/0xb0\natomic_notifier_call_chain+0x16/0x20\nirq_int_handler+0x19/0x30 [mlx5_core]\n__handle_irq_event_percpu+0x4b/0x160\nhandle_irq_event+0x2e/0x80\nhandle_edge_irq+0x98/0x230\n__common_interrupt+0x3b/0xa0\ncommon_interrupt+0x7b/0xa0\n</IRQ>\n<TASK>\nasm_common_interrupt+0x22/0x40(CVE-2024-38555)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5: Add a timeout to acquire the command queue semaphore\r\n\r\nPrevent forced completion handling on an entry that has not yet been\nassigned an index, causing an out of bounds access on idx = -22.\nInstead of waiting indefinitely for the sem, blocking flow now waits for\nindex to be allocated or a sem acquisition timeout before beginning the\ntimer for FW completion.\r\n\r\nKernel log example:\nmlx5_core 0000:06:00.0: wait_func_handle_exec_timeout:1128:(pid 185911): cmd[-22]: CREATE_UCTX(0xa04) No done completion(CVE-2024-38556)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE\r\n\r\nbpf_prog_attach uses attach_type_to_prog_type to enforce proper\nattach type for BPF_PROG_TYPE_CGROUP_SKB. link_create uses\nbpf_prog_get and relies on bpf_prog_attach_check_attach_type\nto properly verify prog_type <> attach_type association.\r\n\r\nAdd missing attach_type enforcement for the link_create case.\nOtherwise, it's currently possible to attach cgroup_skb prog\ntypes to other cgroup hooks.(CVE-2024-38564)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nspeakup: Fix sizeof() vs ARRAY_SIZE() bug\r\n\r\nThe \"buf\" pointer is an array of u16 values.  This code should be\nusing ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512),\notherwise it can the still got out of bounds.(CVE-2024-38587)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njffs2: prevent xattr node from overflowing the eraseblock\r\n\r\nAdd a check to make sure that the requested xattr node size is no larger\nthan the eraseblock minus the cleanmarker.\r\n\r\nUnlike the usual inode nodes, the xattr nodes aren't split into parts\nand spread across multiple eraseblocks, which means that a xattr node\nmust not occupy more than one eraseblock. If the requested xattr value is\ntoo large, the xattr node can spill onto the next eraseblock, overwriting\nthe nodes and causing errors such as:\r\n\r\njffs2: argh. node added in wrong place at 0x0000b050(2)\njffs2: nextblock 0x0000a000, expected at 0000b00c\njffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050,\nread=0xfc892c93, calc=0x000000\njffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed\nat 0x01e00c. {848f,2fc4,0fef511f,59a3d171}\njffs2: Node at 0x0000000c with length 0x00001044 would run over the\nend of the erase block\njffs2: Perhaps the file system was created with the wrong erase size?\njffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found\nat 0x00000010: 0x1044 instead\r\n\r\nThis breaks the filesystem and can lead to KASAN crashes such as:\r\n\r\nBUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0\nRead of size 4 at addr ffff88802c31e914 by task repro/830\nCPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS Arch Linux 1.16.3-1-1 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0xc6/0x120\n print_report+0xc4/0x620\n ? __virt_addr_valid+0x308/0x5b0\n kasan_report+0xc1/0xf0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_flash_direct_writev+0xa8/0xd0\n jffs2_flash_writev+0x9c9/0xef0\n ? __x64_sys_setxattr+0xc4/0x160\n ? do_syscall_64+0x69/0x140\n ? entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.(CVE-2024-38599)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/ntfs3: Use 64 bit variable to avoid 32 bit overflow\r\n\r\nFor example, in the expression:\n\tvbo = 2 * vbo + skip(CVE-2024-38624)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwatchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger\r\n\r\nWhen the cpu5wdt module is removing, the origin code uses del_timer() to\nde-activate the timer. If the timer handler is running, del_timer() could\nnot stop it and will return directly. If the port region is released by\nrelease_region() and then the timer handler cpu5wdt_trigger() calls outb()\nto write into the region that is released, the use-after-free bug will\nhappen.\r\n\r\nChange del_timer() to timer_shutdown_sync() in order that the timer handler\ncould be finished before the port region is released.(CVE-2024-38630)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/ap: Fix crash in AP internal function modify_bitmap()\r\n\r\nA system crash like this\r\n\r\n  Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403\n  Fault in home space mode while using kernel ASCE.\n  AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d\n  Oops: 0038 ilc:3 [#1] PREEMPT SMP\n  Modules linked in: mlx5_ib ...\n  CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8\n  Hardware name: IBM 3931 A01 704 (LPAR)\n  Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8)\n  R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\n  Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3\n  000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0\n  000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff\n  000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8\n  Krnl Code: 0000014b75e7b5fc: a7840047            brc     8,0000014b75e7b68a\n  0000014b75e7b600: 18b2                lr      %r11,%r2\n  #0000014b75e7b602: a7f4000a            brc     15,0000014b75e7b616\n  >0000014b75e7b606: eb22d00000e6        laog    %r2,%r2,0(%r13)\n  0000014b75e7b60c: a7680001            lhi     %r6,1\n  0000014b75e7b610: 187b                lr      %r7,%r11\n  0000014b75e7b612: 84960021            brxh    %r9,%r6,0000014b75e7b654\n  0000014b75e7b616: 18e9                lr      %r14,%r9\n  Call Trace:\n  [<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8\n  ([<0000014b75e7b5dc>] ap_parse_bitmap_str+0xe4/0x1f8)\n  [<0000014b75e7b758>] apmask_store+0x68/0x140\n  [<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8\n  [<0000014b75598524>] vfs_write+0x1b4/0x448\n  [<0000014b7559894c>] ksys_write+0x74/0x100\n  [<0000014b7618a440>] __do_syscall+0x268/0x328\n  [<0000014b761a3558>] system_call+0x70/0x98\n  INFO: lockdep is turned off.\n  Last Breaking-Event-Address:\n  [<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8\n  Kernel panic - not syncing: Fatal exception: panic_on_oops\r\n\r\noccured when /sys/bus/ap/a[pq]mask was updated with a relative mask value\n(like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX.\r\n\r\nThe fix is simple: use unsigned long values for the internal variables. The\ncorrect checks are already in place in the function but a simple int for\nthe internal variables was used with the possibility to overflow.(CVE-2024-38661)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\num: Add winch to winch_handlers before registering winch IRQ\r\n\r\nRegistering a winch IRQ is racy, an interrupt may occur before the winch is\nadded to the winch_handlers list.\r\n\r\nIf that happens, register_winch_irq() adds to that list a winch that is\nscheduled to be (or has already been) freed, causing a panic later in\nwinch_cleanup().\r\n\r\nAvoid the race by adding the winch to the winch_handlers list before\nregistering the IRQ, and rolling back if um_request_irq() fails.(CVE-2024-39292)",
+    "cves": [
+      {
+        "id": "CVE-2024-38553",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38553",
+        "severity": "High"
+      },
+      {
+        "id": "CVE-2024-39292",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39292",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1170": {
+    "id": "openEuler-SA-2021-1170",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1170",
+    "title": "An update for curl is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\ncurl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly \"short-cut\" the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.(CVE-2021-22890)\r\n\r\ncurl 7.1.1 to and including 7.75.0 is vulnerable to an \"Exposure of Private Personal Information to an Unauthorized Actor\" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.(CVE-2021-22876)",
+    "cves": [
+      {
+        "id": "CVE-2021-22876",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22876",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1998": {
+    "id": "openEuler-SA-2023-1998",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1998",
+    "title": "An update for mybatis is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Critical",
+    "description": "The MyBatis data mapper framework makes it easier to use a relational database with object-oriented applications. MyBatis couples objects with stored procedures or SQL statements using a XML descriptor or annotations. Simplicity is the biggest advantage of the MyBatis data mapper over object relational mapping tools. To use the MyBatis data mapper, you rely on your own objects, XML, and SQL. There is little to learn that you don't already know. With the MyBatis data mapper, you have the full power of both SQL and stored procedures at your fingertips. The MyBatis project is developed and maintained by a team that includes the original creators of the \"iBATIS\" data mapper. The Apache project was retired and continued here.\r\n\r\nSecurity Fix(es):\r\n\r\nA SQL injection vulnerability in Mybatis plus below 3.5.3.1 allows remote attackers to execute arbitrary SQL commands via the tenant ID valuer.(CVE-2023-25330)",
+    "cves": [
+      {
+        "id": "CVE-2023-25330",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25330",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1756": {
+    "id": "openEuler-SA-2023-1756",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1756",
+    "title": "An update for samba is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nA path traversal vulnerability was identified in Samba when processing client pipe names connecting to Unix domain sockets within a private directory. Samba typically uses this mechanism to connect SMB clients to remote procedure call (RPC) services like SAMR LSA or SPOOLSS, which Samba initiates on demand. However, due to inadequate sanitization of incoming client pipe names, allowing a client to send a pipe name containing Unix directory traversal characters (../). This could result in SMB clients connecting as root to Unix domain sockets outside the private directory. If an attacker or client managed to send a pipe name resolving to an external service using an existing Unix domain socket, it could potentially lead to unauthorized access to the service and consequential adverse events, including compromise or service crashes.(CVE-2023-3961)\r\n\r\nA vulnerability was discovered in Samba, where the flaw allows SMB clients to truncate files, even with read-only permissions when the Samba VFS module \"acl_xattr\" is configured with \"acl_xattr:ignore system acls = yes\". The SMB protocol allows opening files when the client requests read-only access but then implicitly truncates the opened file to 0 bytes if the client specifies a separate OVERWRITE create disposition request. The issue arises in configurations that bypass kernel file system permissions checks, relying solely on Samba's permissions.(CVE-2023-4091)\r\n\r\nA vulnerability was found in Samba's \"rpcecho\" development server, a non-Windows RPC server used to test Samba's DCE/RPC stack elements. This vulnerability stems from an RPC function that can be blocked indefinitely. The issue arises because the \"rpcecho\" service operates with only one worker in the main RPC task, allowing calls to the \"rpcecho\" server to be blocked for a specified time, causing service disruptions. This disruption is triggered by a \"sleep()\" call in the \"dcesrv_echo_TestSleep()\" function under specific conditions. Authenticated users or attackers can exploit this vulnerability to make calls to the \"rpcecho\" server, requesting it to block for a specified duration, effectively disrupting most services and leading to a complete denial of service on the AD DC. The DoS affects all other services as \"rpcecho\" runs in the main RPC task.(CVE-2023-42669)\r\n\r\nA flaw was found in Samba. It is susceptible to a vulnerability where multiple incompatible RPC listeners can be initiated, causing disruptions in the AD DC service. When Samba's RPC server experiences a high load or unresponsiveness, servers intended for non-AD DC purposes (for example, NT4-emulation \"classic DCs\") can erroneously start and compete for the same unix domain sockets. This issue leads to partial query responses from the AD DC, causing issues such as \"The procedure number is out of range\" when using tools like Active Directory Users. This flaw allows an attacker to disrupt AD DC services.(CVE-2023-42670)",
+    "cves": [
+      {
+        "id": "CVE-2023-42670",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42670",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1412": {
+    "id": "openEuler-SA-2024-1412",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1412",
+    "title": "An update for curl is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory.  Further, this error condition fails silently and is therefore not easily detected by an application.(CVE-2024-2398)",
+    "cves": [
+      {
+        "id": "CVE-2024-2398",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2398",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1777": {
+    "id": "openEuler-SA-2022-1777",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1777",
+    "title": "An update for harfbuzz is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "HarfBuzz is a text-shaping engine. If you give HarfBuzz a font and a string containing a sequence of Unicode codepoints, HarfBuzz selects and positions the corresponding glyphs from the font, applying all of the necessary layout rules and font features. HarfBuzz then returns the string to you in the form that is correctly arranged for the language and writing system.\r\n\r\nSecurity Fix(es):\r\n\r\nAn integer overflow in the component hb-ot-shape-fallback.cc of Harfbuzz v4.3.0 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.(CVE-2022-33068)",
+    "cves": [
+      {
+        "id": "CVE-2022-33068",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33068",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1842": {
+    "id": "openEuler-SA-2023-1842",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1842",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvbdev.c has a use-after-free, related to dvb_register_device dynamically allocating fops.(CVE-2022-45884)\r\n\r\nRejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-35823. Reason: This candidate is a reservation duplicate of CVE-2023-35823. Notes: All CVE users should reference CVE-2023-35823 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.(CVE-2023-3327)\r\n\r\nA race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one holding a reference to it. This flaw allows an attacker to guess the returned handle value and trigger a use-after-free issue, potentially leading to a denial of service or privilege escalation.(CVE-2023-39198)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation.\r\n\r\nIf a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free.\r\n\r\nWe recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f.\r\n\r\n(CVE-2023-4623)",
+    "cves": [
+      {
+        "id": "CVE-2023-4623",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4623",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1198": {
+    "id": "openEuler-SA-2021-1198",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1198",
+    "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in ImageMagick in MagickCore/quantum-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger a heap buffer overflow. This would most likely lead to an impact to application availability, but could potentially lead to an impact to data integrity as well. This flaw affects ImageMagick versions prior to 7.0.9-0.(CVE-2020-27752)\r\n\r\nA flaw was found in ImageMagick in versions before 7.0.11. A potential cipher leak when the calculate signatures in TransformSignature is possible. The highest threat from this vulnerability is to data confidentiality.(CVE-2021-20313)\r\n\r\nA flaw was found in ImageMagick in versions before 7.0.11, where a division by zero in sRGBTransformImage() in the MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker processed by an application using ImageMagick. The highest threat from this vulnerability is to system availability.(CVE-2021-20311)\r\n\r\nA flaw was found in ImageMagick in versions 7.0.11, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. The highest threat from this vulnerability is to system availability.(CVE-2021-20312)\r\n\r\nA flaw was found in ImageMagick in versions before 7.0.11 and before 6.9.12, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick. The highest threat from this vulnerability is to system availability.(CVE-2021-20309)\r\n\r\nIn ImageMagick versions before 7.0.9-0, there are outside the range of representable values of type 'float' at MagickCore/quantize.c.(CVE-2020-27769)",
+    "cves": [
+      {
+        "id": "CVE-2020-27769",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27769",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1157": {
+    "id": "openEuler-SA-2023-1157",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1157",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nThere is a logic error in io_uring's implementation which can be used to trigger a use-after-free vulnerability leading to privilege escalation. In the io_prep_async_work function the assumption that the last io_grab_identity call cannot return false is not true, and in this case the function will use the init_cred or the previous linked requests identity to do operations instead of using the current identity. This can lead to reference counting issues causing use-after-free. We recommend upgrading past version 5.10.161.(CVE-2023-0240)\r\n\r\nA memory leak flaw and potential divide by zero and Integer overflow was found in the Linux kernel V4L2 and vivid test code functionality. This issue occurs when a user triggers ioctls, such as VIDIOC_S_DV_TIMINGS ioctl. This could allow a local user to crash the system if vivid test code enabled.(CVE-2023-0615)\r\n\r\nThe Linux kernel does not correctly mitigate SMT attacks, as discovered\nthrough a strange pattern in the kernel API using STIBP as a mitigation[1\n<https://docs.kernel.org/userspace-api/spec_ctrl.html>], leaving the\nprocess exposed for a short period of time after a syscall. The kernel also\ndoes not issue an IBPB immediately during the syscall.\nThe ib_prctl_set [2\n<https://elixir.bootlin.com/linux/v5.15.56/source/arch/x86/kernel/cpu/bugs.c#L1467>]function\nupdates the Thread Information Flags (TIFs) for the task and updates the\nSPEC_CTRL MSR on the function __speculation_ctrl_update [3\n<https://elixir.bootlin.com/linux/v5.15.56/source/arch/x86/kernel/process.c#L557>],\nbut the IBPB is only issued on the next schedule, when the TIF bits are\nchecked. This leaves the victim vulnerable to values already injected on\nthe BTB, prior to the prctl syscall.\nThe behavior is only corrected after a reschedule of the task happens.\nFurthermore, the kernel entrance (due to the syscall itself), does not\nissue an IBPB in the default scenarios (i.e., when the kernel protects\nitself via retpoline or eIBRS).(CVE-2023-0045)\r\n\r\nDue to a vulnerability in the io_uring subsystem, it is possible to leak kernel memory information to the user process. timens_install calls current_is_single_threaded to determine if the current process is single-threaded, but this call does not consider io_uring's io_worker threads, thus it is possible to insert a time namespace's vvar page to process's memory space via a page fault. When this time namespace is destroyed, the vvar page is also freed, but not removed from the process' memory, and a next page allocated by the kernel will be still available from the user-space process and can leak memory contents via this (read-only) use-after-free vulnerability. We recommend upgrading past version 5.10.161 or commit 788d0824269bef539fe31a785b1517882eafed93 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/io_uring(CVE-2023-23586)",
+    "cves": [
+      {
+        "id": "CVE-2023-23586",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23586",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1438": {
+    "id": "openEuler-SA-2021-1438",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1438",
+    "title": "An update for glibc is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt,  login, exit and more.\r\n\r\nSecurity Fix(es):\r\n\r\nIn iconvdata/iso-2022-jp-3.c in the GNU C Library (aka glibc) 2.34, remote attackers can force iconv() to emit a spurious '\\0' character via crafted ISO-2022-JP-3 data that is accompanied by an internal state reset. This may affect data integrity in certain iconv() use cases.(CVE-2021-43396)",
+    "cves": [
+      {
+        "id": "CVE-2021-43396",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43396",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1387": {
+    "id": "openEuler-SA-2023-1387",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1387",
+    "title": "An update for qt5-qtbase is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Qt is a software toolkit for developing applications.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.(CVE-2023-32762)\r\n\r\nAn issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.(CVE-2023-32763)",
+    "cves": [
+      {
+        "id": "CVE-2023-32763",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32763",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1775": {
+    "id": "openEuler-SA-2023-1775",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1775",
+    "title": "An update for firefox is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Mozilla Firefox is a standalone web browser, designed for standards compliance and performance.  Its functionality can be enhanced via a plethora of extensions.\r\n\r\nSecurity Fix(es):\r\n\r\nHeap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)(CVE-2023-5217)",
+    "cves": [
+      {
+        "id": "CVE-2023-5217",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5217",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1984": {
+    "id": "openEuler-SA-2022-1984",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1984",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw use after free in the Linux kernel video4linux driver was found in the way user triggers em28xx_usb_probe() for the Empia 28xx based TV cards. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.(CVE-2022-3239)",
+    "cves": [
+      {
+        "id": "CVE-2022-3239",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3239",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1436": {
+    "id": "openEuler-SA-2024-1436",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1436",
+    "title": "An update for pcp is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "PCP provides a range of services that may be used to monitor and manage system performance. These services are distributed and scalable to accommodate the most complex system configurations and performance problems.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in PCP. The default pmproxy configuration exposes the Redis server backend to the local network, allowing remote command execution with the privileges of the Redis user. This issue can only be exploited when pmproxy is running. By default, pmproxy is not running and needs to be started manually. The pmproxy service is usually started from the 'Metrics settings' page of the Cockpit web interface. This flaw affects PCP versions 4.3.4 and newer.(CVE-2024-3019)",
+    "cves": [
+      {
+        "id": "CVE-2024-3019",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3019",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1304": {
+    "id": "openEuler-SA-2021-1304",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1304",
+    "title": "An update for openvswitch is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Open vSwitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license.\r\n\r\nSecurity Fix(es):\r\n\r\nOpen vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has a use-after-free in decode_NXAST_RAW_ENCAP (called from ofpact_decode and ofpacts_decode) during the decoding of a RAW_ENCAP action.(CVE-2021-36980)",
+    "cves": [
+      {
+        "id": "CVE-2021-36980",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36980",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1384": {
+    "id": "openEuler-SA-2021-1384",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1384",
+    "title": "An update for tpm2-tools is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The package contains the code for the TPM (Trusted Platform Module) 2.0 tools based on tpm2-tss.\n\nThe tpm2-tools projects aims to deliver both low-level and aggregate command line tools that provide access to a tpm2.0 compatible device.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in tpm2-tools in versions before 5.1.1 and before 4.3.2. tpm2_import used a fixed AES key for the inner wrapper, potentially allowing a MITM attacker to unwrap the inner portion and reveal the key being imported. The highest threat from this vulnerability is to data confidentiality.(CVE-2021-3565)",
+    "cves": [
+      {
+        "id": "CVE-2021-3565",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3565",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1081": {
+    "id": "openEuler-SA-2024-1081",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1081",
+    "title": "An update for openssh is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. \\ It encrypts all traffic to eliminate eavesdropping, connection hijacking, and \\ other attacks. In addition, OpenSSH provides a large suite of secure tunneling \\ capabilities, several authentication methods, and sophisticated configuration options.\r\n\r\nSecurity Fix(es):\r\n\r\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795)",
+    "cves": [
+      {
+        "id": "CVE-2023-48795",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48795",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1854": {
+    "id": "openEuler-SA-2023-1854",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1854",
+    "title": "An update for python-aiohttp is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Low",
+    "description": "Async http client/server framework (asyncio).\r\n\r\nSecurity Fix(es):\r\n\r\naiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol. HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is present an Open Redirect an attacker could combine it to redirect random users to another website and log the request. This vulnerability has been addressed in release 3.8.0 of aiohttp. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-47641)",
+    "cves": [
+      {
+        "id": "CVE-2023-47641",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47641",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1326": {
+    "id": "openEuler-SA-2024-1326",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1326",
+    "title": "An update for bind is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols and provides an openly redistributable reference implementation of the major components of the Domain Name System. This package includes the components to operate a DNS server.\r\n\r\nSecurity Fix(es):\r\n\r\nThe DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers.\nThis issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.(CVE-2023-4408)\r\n\r\nCertain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.(CVE-2023-50387)\r\n\r\nA flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when:\r\n\r\n  - `nxdomain-redirect <domain>;` is configured, and\n  - the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response.\nThis issue affects BIND 9 versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.(CVE-2023-5517)\r\n\r\nA bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these features are enabled.\nThis issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.(CVE-2023-5679)\r\n\r\nTo keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to clean up the database. It uses several methods, including some that are asynchronous: a small chunk of memory pointing to the cache element that can be cleaned up is first allocated and then queued for later processing. It was discovered that if the resolver is continuously processing query patterns triggering this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely manner. This in turn enables the list of queued cleanup events to grow infinitely large over time, allowing the configured `max-cache-size` limit to be significantly exceeded.\nThis issue affects BIND 9 versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1.(CVE-2023-6516)",
+    "cves": [
+      {
+        "id": "CVE-2023-6516",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6516",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1311": {
+    "id": "openEuler-SA-2023-1311",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1311",
+    "title": "An update for c-ares is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "This is c-ares, an asynchronous resolver library. It is intended for applications which need to perform DNS queries without blocking, or need to perform multiple\r\n\r\nSecurity Fix(es):\r\n\r\nc-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.(CVE-2023-32067)",
+    "cves": [
+      {
+        "id": "CVE-2023-32067",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32067",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1246": {
+    "id": "openEuler-SA-2024-1246",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1246",
+    "title": "An update for atril is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "Mate-document-viewer is simple document viewer. It can display and print Portable Document Format (PDF), PostScript (PS), Encapsulated PostScript (EPS), DVI, DJVU, epub and XPS files. When supported by the document format, mate-document-viewer allows searching for text, copying text to the clipboard, hypertext navigation, table-of-contents bookmarks and editing of forms.\r\n\r\nSecurity Fix(es):\r\n\r\nAtril Document Viewer is the default document reader of the MATE desktop environment for Linux. A path traversal and arbitrary file write vulnerability exists in versions of Atril prior to 1.26.2. This vulnerability is capable of writing arbitrary files anywhere on the filesystem to which the user opening a crafted document has access. The only limitation is that this vulnerability cannot be exploited to overwrite existing files, but that doesn't stop an attacker from achieving Remote Command Execution on the target system. Version 1.26.2 of Atril contains a patch for this vulnerability.(CVE-2023-52076)",
+    "cves": [
+      {
+        "id": "CVE-2023-52076",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52076",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1340": {
+    "id": "openEuler-SA-2024-1340",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1340",
+    "title": "An update for gstreamer1-plugins-base is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "GStreamer is a graphics library for built-in media processing components. BasePlug-ins is a the collections used to maintain the GStreamer plugin.\r\n\r\nSecurity Fix(es):\r\n\r\nHeap-based buffer overflow in the subparse subtitle parser when handling certain SRT subtitle files in GStreamer versions before 1.22.4 / 1.20.7. It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation.\r\n\r\nhttps://gstreamer.freedesktop.org/security/sa-2023-0002.html(CVE-2023-37328)",
+    "cves": [
+      {
+        "id": "CVE-2023-37328",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37328",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1431": {
+    "id": "openEuler-SA-2021-1431",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1431",
+    "title": "An update for rpm is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Low",
+    "description": "The RPM Package Manager (RPM) is a powerful package management system capability as below\r\n\r\nSecurity Fix(es):\r\n\r\nThe OpenPGP subkey is associated with the master key through a binding signature. RPM will not check their binding signature before importing the subkey; if the attacker can add it or the other party of social engineering adds the malicious subkey to the legal public Key, RPM may mistakenly trust malicious signatures.(CVE-2021-3521)",
+    "cves": [
+      {
+        "id": "CVE-2021-3521",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3521",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1044": {
+    "id": "openEuler-SA-2023-1044",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1044",
+    "title": "An update for git is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency. Git is easy to learn and has a tiny footprint with lightning fast performance. It outclasses SCM tools like Subversion, CVS, Perforce, and ClearCase with features like cheap local branching, convenient staging areas, and multiple workflows.\r\n\r\nSecurity Fix(es):\r\n\r\nGit is distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequentially, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue.(CVE-2022-23521)\r\n\r\nGit is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`.(CVE-2022-41903)",
+    "cves": [
+      {
+        "id": "CVE-2022-41903",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41903",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1527": {
+    "id": "openEuler-SA-2023-1527",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1527",
+    "title": "An update for krb5 is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.\r\n\r\nSecurity Fix(es):\r\n\r\nlib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.(CVE-2023-36054)",
+    "cves": [
+      {
+        "id": "CVE-2023-36054",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36054",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1609": {
+    "id": "openEuler-SA-2022-1609",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1609",
+    "title": "An update for python-paramiko is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Paramiko is a combination of the Esperanto words for \"paranoid\" and \"friend\". It is a module for Python 2.7/3.4+ that implements the SSH2 protocol for secure (encrypted and authenticated) connections to remote machines.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.(CVE-2022-24302)",
+    "cves": [
+      {
+        "id": "CVE-2022-24302",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24302",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1787": {
+    "id": "openEuler-SA-2024-1787",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1787",
+    "title": "An update for glib2 is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Low",
+    "description": "GLib is a bundle of three (formerly five) low-level system libraries written in C and developed mainly by GNOME. GLib's code was separated from GTK, so it can be used by software other than GNOME and has been developed in parallel ever since.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.(CVE-2024-34397)",
+    "cves": [
+      {
+        "id": "CVE-2024-34397",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34397",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1625": {
+    "id": "openEuler-SA-2022-1625",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1625",
+    "title": "An update for xerces-j2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Welcome to the future! Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.\n\nThe Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual.\n\nXerces 2 is a fully conforming XML Schema processor. For more information, refer to the XML Schema page.\n\nXerces 2 also provides a partial implementation of Document Object Model Level 3 Core, Load and Save and Abstract Schemas [deprecated] Working Drafts. For more information, refer to the DOM Level 3 Implementation page.\r\n\r\nSecurity Fix(es):\r\n\r\nThere s a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.(CVE-2022-23437)",
+    "cves": [
+      {
+        "id": "CVE-2022-23437",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23437",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2072": {
+    "id": "openEuler-SA-2022-2072",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2072",
+    "title": "An update for xterm is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The xterm program is a terminal emulator for the X Window System.It provides DEC VT102 and Tektronix 4014 compatible terminals.\r\n\r\nSecurity Fix(es):\r\n\r\nxterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text.(CVE-2022-24130)",
+    "cves": [
+      {
+        "id": "CVE-2022-24130",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24130",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1949": {
+    "id": "openEuler-SA-2022-1949",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1949",
+    "title": "An update for xorg-x11-server is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in xorg-x11-server in versions before 21.1.2 and before 1.20.14. An out-of-bounds access can occur in the SProcRenderCompositeGlyphs function. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2021-4008)\r\n\r\nA flaw was found in xorg-x11-server in versions before 21.1.2 and before 1.20.14. An out-of-bounds access can occur in the SProcXFixesCreatePointerBarrier function. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2021-4009)\r\n\r\nA security issue has been found in X.Org before version 21.1.2 and Xwayland before version 21.1.4. The handler for the Suspend request of the Screen Saver extension does not properly validate the request length leading to an out of bounds memory write. This can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for SSH X forwarding sessions.(CVE-2021-4010)\r\n\r\nA flaw was found in xorg-x11-server in versions before 21.1.2 and before 1.20.14. An out-of-bounds access can occur in the SwapCreateRegister function. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2021-4011)",
+    "cves": [
+      {
+        "id": "CVE-2021-4011",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4011",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1987": {
+    "id": "openEuler-SA-2022-1987",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1987",
+    "title": "An update for edk2 is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications.\r\n\r\nSecurity Fix(es):\r\n\r\nNull pointer dereference in Tianocore EDK2 may allow an authenticated user to potentially enable escalation of privilege via local access.(CVE-2019-14584)\r\n\r\nInsufficient input validation in MdeModulePkg in EDKII may allow an unauthenticated user to potentially enable escalation of privilege, denial of service and/or information disclosure via physical access.(CVE-2019-11098)",
+    "cves": [
+      {
+        "id": "CVE-2019-11098",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11098",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1624": {
+    "id": "openEuler-SA-2024-1624",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1624",
+    "title": "An update for glibc is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt,  login, exit and more.\r\n\r\nSecurity Fix(es):\r\n\r\nnscd: Stack-based buffer overflow in netgroup cache\r\n\r\nIf the Name Service Cache Daemon's (nscd) fixed size cache is exhausted\nby client requests then a subsequent client request for netgroup data\nmay result in a stack-based buffer overflow.  This flaw was introduced\nin glibc 2.15 when the cache was added to nscd.\r\n\r\nThis vulnerability is only present in the nscd binary.\n(CVE-2024-33599)\r\n\r\nnscd: Null pointer crashes after notfound response\r\n\r\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference.  This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\r\n\r\nThis vulnerability is only present in the nscd binary.\r\n\r\n(CVE-2024-33600)\r\n\r\nnscd: netgroup cache may terminate daemon on memory allocation failure\r\n\r\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients.  The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\r\n\r\nThis vulnerability is only present in the nscd binary.\r\n\r\n(CVE-2024-33601)\r\n\r\nnscd: netgroup cache assumes NSS callback uses in-buffer strings\r\n\r\nThe Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory\nwhen the NSS callback does not store all strings in the provided buffer.\nThe flaw was introduced in glibc 2.15 when the cache was added to nscd.\r\n\r\nThis vulnerability is only present in the nscd binary.\r\n\r\n(CVE-2024-33602)",
+    "cves": [
+      {
+        "id": "CVE-2024-33602",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33602",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2131": {
+    "id": "openEuler-SA-2022-2131",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2131",
+    "title": "An update for emacs is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Emacs is the extensible, customizable, self-documenting real-time display editor.At its core is an interpreter for Emacs Lisp, a dialect of the Lisp programming language with extensions to support text editing. And it is an entire ecosystem of functionality beyond text editing, including a project planner, mail and news reader, debugger interface, calendar, and more.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the \"ctags *\" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input.(CVE-2022-45939)",
+    "cves": [
+      {
+        "id": "CVE-2022-45939",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45939",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1694": {
+    "id": "openEuler-SA-2023-1694",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1694",
+    "title": "An update for ctags is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Ctags generates an index (or tag) file of language objects found in source files that allows these items to be quickly and easily located by a text editor or other utility. A tag signifies a language object for which an index entry is available (or, alternatively, the index entry created for that object).\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Exuberant Ctags in the way it handles the \"-o\" option. This option specifies the tag filename. A crafted tag filename specified in the command line or in the configuration file results in arbitrary command execution because the externalSortTags() in sort.c calls the system(3) function in an unsafe way.(CVE-2022-4515)",
+    "cves": [
+      {
+        "id": "CVE-2022-4515",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4515",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1735": {
+    "id": "openEuler-SA-2023-1735",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1735",
+    "title": "An update for gcc is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The gcc package contains the GNU Compiler Collection version 10. You'll need this package in order to compile C code.\r\n\r\nSecurity Fix(es):\r\n\r\n\r\n\r\nA failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\r\n\r\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity.\r\n\r\n\r\n\r\n\r\n\r\n(CVE-2023-4039)",
+    "cves": [
+      {
+        "id": "CVE-2023-4039",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1915": {
+    "id": "openEuler-SA-2023-1915",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1915",
+    "title": "An update for varnish is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "This is Varnish Cache, a web application accelerator also known as a caching HTTP reverse proxy. You install it in front of any server that speaks HTTP and configure it to cache the contents. Varnish Cache is really, really fast. It typically speeds up delivery with a factor of 300 - 1000x, depending on your architecture.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend.(CVE-2022-45059)",
+    "cves": [
+      {
+        "id": "CVE-2022-45059",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45059",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1261": {
+    "id": "openEuler-SA-2023-1261",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1261",
+    "title": "An update for wireshark is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Wireshark is an open source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer. Wireshark, formerly known as Ethereal, can be used to examine the details of traffic at a variety of levels ranging from connection-level information to the bits that make up a single packet. Packet capture can provide a network administrator with information about individual packets such as transmit time, source, destination, protocol type and header data. This information can be useful for evaluating security events and troubleshooting network security device issues.\n\r\n\r\nSecurity Fix(es):\r\n\r\nLISP dissector large loop in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6.12 allows denial of service via packet injection or crafted capture file(CVE-2023-1993)\r\n\r\nRPCoRDMA dissector crash in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6.12 allows denial of service via packet injection or crafted capture file(CVE-2023-1992)\r\n\r\nGQUIC dissector crash in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6.12 allows denial of service via packet injection or crafted capture file(CVE-2023-1994)",
+    "cves": [
+      {
+        "id": "CVE-2023-1994",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1994",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1164": {
+    "id": "openEuler-SA-2023-1164",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1164",
+    "title": "An update for snakeyaml is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "SnakeYAML is a YAML parser and emitter for the Java Virtual Machine. YAML is a data serialization format designed for human readability and interaction with scripting languages.\r\n\r\nSecurity Fix(es):\r\n\r\nThe package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.(CVE-2022-25857)\r\n\r\nUsing snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.(CVE-2022-38749)\r\n\r\nUsing snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.(CVE-2022-38750)\r\n\r\nUsing snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.(CVE-2022-38751)\r\n\r\nUsing snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.(CVE-2022-38752)\r\n\r\nThose using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.(CVE-2022-41854)",
+    "cves": [
+      {
+        "id": "CVE-2022-41854",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41854",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1288": {
+    "id": "openEuler-SA-2024-1288",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1288",
+    "title": "An update for firefox is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.\r\n\r\nSecurity Fix(es):\r\n\r\nBy using XSL Transforms, a malicious webserver could have served a user an XSL document that would continue to execute JavaScript (within the bounds of the same-origin policy) even after the tab was closed. This vulnerability affects Firefox < 97.(CVE-2022-22755)",
+    "cves": [
+      {
+        "id": "CVE-2022-22755",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22755",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1108": {
+    "id": "openEuler-SA-2021-1108",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1108",
+    "title": "An update for gnome-autoar is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Automatic archives creating and extracting library.\r\n\r\nSecurity Fix(es):\r\n\r\nautoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location.(CVE-2020-36241)",
+    "cves": [
+      {
+        "id": "CVE-2020-36241",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36241",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1734": {
+    "id": "openEuler-SA-2024-1734",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1734",
+    "title": "An update for php is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3 and openEuler-24.03-LTS",
+    "severity": "Medium",
+    "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server.\r\n\r\nSecurity Fix(es):\r\n\r\nIn PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.(CVE-2024-5458)",
+    "cves": [
+      {
+        "id": "CVE-2024-5458",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5458",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1426": {
+    "id": "openEuler-SA-2024-1426",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1426",
+    "title": "An update for flatpak is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "flatpak is a system for building, distributing and running sandboxed desktop applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for more information.\r\n\r\nSecurity Fix(es):\r\n\r\nFlatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment.(CVE-2023-28100)\r\n\r\nFlatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.(CVE-2023-28101)",
+    "cves": [
+      {
+        "id": "CVE-2023-28101",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28101",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1688": {
+    "id": "openEuler-SA-2023-1688",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1688",
+    "title": "An update for glibc is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt,  login, exit and more.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.(CVE-2023-4806)\r\n\r\nA flaw was found in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.(CVE-2023-4813)\r\n\r\nA flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash.(CVE-2023-5156)",
+    "cves": [
+      {
+        "id": "CVE-2023-5156",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5156",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1397": {
+    "id": "openEuler-SA-2023-1397",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1397",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nAn out-of-bounds read vulnerability was found in the SR-IPv6 implementation in the Linux kernel. Quoting ZDI security advisory [1]:\n\n\"This vulnerability allows local attackers to disclose sensitive information on affected installations of the Linux Kernel. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the processing of seg6 attributes. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.\"\n\n[1] https://www.zerodayinitiative.com/advisories/ZDI-CAN-18511/(CVE-2023-2860)\n\nA known cache speculation vulnerability, known as Branch History Injection (BHI) or Spectre-BHB, becomes actual again for the new hw AmpereOne. Spectre-BHB is similar to Spectre v2, except that malicious code uses the shared branch history (stored in the CPU Branch History Buffer, or BHB) to influence mispredicted branches within the victim's hardware context. Once that occurs, speculation caused by the mispredicted branches can cause cache allocation. This issue leads to obtaining information that should not be accessible.(CVE-2023-3006)\n\nA use after free issue was discovered in driver/firewire in outbound_phy_packet_callback in the Linux Kernel. In this flaw a local attacker with special privilege may cause a use after free problem when queue_event() fails.(CVE-2023-3159)\n\nA flaw was found in the Framebuffer Console (fbcon) in the Linux Kernel. When providing font->width and font->height greater than 32 to fbcon_set_font, since there are no checks in place, a shift-out-of-bounds occurs leading to undefined behavior and possible denial of service.(CVE-2023-3161)\n\n** DISPUTED ** An issue was discovered in the Linux kernel before 6.3.3. There is an out-of-bounds read in crc16 in lib/crc16.c when called from fs/ext4/super.c because ext4_group_desc_csum does not properly check an offset. NOTE: this is disputed by third parties because the kernel is not intended to defend against attackers with the stated \"When modifying the block device while it is mounted by the filesystem\" access.(CVE-2023-34256)\n\nAn issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in saa7134_finidev in drivers/media/pci/saa7134/saa7134-core.c.(CVE-2023-35823)\n\nAn issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in renesas_usb3_remove in drivers/usb/gadget/udc/renesas_usb3.c.(CVE-2023-35828)",
+    "cves": [
+      {
+        "id": "CVE-2023-35828",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35828",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1305": {
+    "id": "openEuler-SA-2024-1305",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1305",
+    "title": "An update for perl-Net-CIDR-Lite is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Faster alternative to Net::CIDR when merging a large number of CIDR address ranges. Works for IPv4 and IPv6 addresses.\r\n\r\nSecurity Fix(es):\r\n\r\nThe Net::CIDR::Lite module before 0.22 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.(CVE-2021-47154)",
+    "cves": [
+      {
+        "id": "CVE-2021-47154",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47154",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1759": {
+    "id": "openEuler-SA-2024-1759",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1759",
+    "title": "An update for ffmpeg is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash.\r\n\r\nSecurity Fix(es):\r\n\r\nA null pointer dereference issue was discovered in 'FFmpeg' in decode_main_header() function of libavformat/nutdec.c file. The flaw occurs because the function lacks check of the return value of avformat_new_stream() and triggers the null pointer dereference error, causing an application to crash.(CVE-2022-3341)",
+    "cves": [
+      {
+        "id": "CVE-2022-3341",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3341",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1870": {
+    "id": "openEuler-SA-2023-1870",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1870",
+    "title": "An update for gdb is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "GDB, the GNU Project debugger, allows you to see what is going on inside another program while it executes -- or what another program was doing at the moment it crashed.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a heap buffer overflow via the function pe_as16() at /gdb/coff-pe-read.c.(CVE-2023-39130)",
+    "cves": [
+      {
+        "id": "CVE-2023-39130",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39130",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1496": {
+    "id": "openEuler-SA-2024-1496",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1496",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvt: fix memory overlapping when deleting chars in the buffer\r\n\r\nA memory overlapping copy occurs when deleting a long line. This memory\noverlapping copy can cause data corruption when scr_memcpyw is optimized\nto memcpy because memcpy does not ensure its behavior if the destination\nbuffer overlaps with the source buffer. The line buffer is not always\nbroken, because the memcpy utilizes the hardware acceleration, whose\nresult is not deterministic.\r\n\r\nFix this problem by using replacing the scr_memcpyw with scr_memmovew.(CVE-2022-48627)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: qcom-rng - ensure buffer for generate is completely filled\r\n\r\nThe generate function in struct rng_alg expects that the destination\nbuffer is completely filled if the function returns 0. qcom_rng_read()\ncan run into a situation where the buffer is partially filled with\nrandomness and the remaining part of the buffer is zeroed since\nqcom_rng_generate() doesn't check the return value. This issue can\nbe reproduced by running the following from libkcapi:\r\n\r\n    kcapi-rng -b 9000000 > OUTFILE\r\n\r\nThe generated OUTFILE will have three huge sections that contain all\nzeros, and this is caused by the code where the test\n'val & PRNG_STATUS_DATA_AVAIL' fails.\r\n\r\nLet's fix this issue by ensuring that qcom_rng_read() always returns\nwith a full buffer if the function returns success. Let's also have\nqcom_rng_generate() return the correct value.\r\n\r\nHere's some statistics from the ent project\n(https://www.fourmilab.ch/random/) that shows information about the\nquality of the generated numbers:\r\n\r\n    $ ent -c qcom-random-before\n    Value Char Occurrences Fraction\n      0           606748   0.067416\n      1            33104   0.003678\n      2            33001   0.003667\n    ...\n    253   �        32883   0.003654\n    254   �        33035   0.003671\n    255   �        33239   0.003693\r\n\r\n    Total:       9000000   1.000000\r\n\r\n    Entropy = 7.811590 bits per byte.\r\n\r\n    Optimum compression would reduce the size\n    of this 9000000 byte file by 2 percent.\r\n\r\n    Chi square distribution for 9000000 samples is 9329962.81, and\n    randomly would exceed this value less than 0.01 percent of the\n    times.\r\n\r\n    Arithmetic mean value of data bytes is 119.3731 (127.5 = random).\n    Monte Carlo value for Pi is 3.197293333 (error 1.77 percent).\n    Serial correlation coefficient is 0.159130 (totally uncorrelated =\n    0.0).\r\n\r\nWithout this patch, the results of the chi-square test is 0.01%, and\nthe numbers are certainly not random according to ent's project page.\nThe results improve with this patch:\r\n\r\n    $ ent -c qcom-random-after\n    Value Char Occurrences Fraction\n      0            35432   0.003937\n      1            35127   0.003903\n      2            35424   0.003936\n    ...\n    253   �        35201   0.003911\n    254   �        34835   0.003871\n    255   �        35368   0.003930\r\n\r\n    Total:       9000000   1.000000\r\n\r\n    Entropy = 7.999979 bits per byte.\r\n\r\n    Optimum compression would reduce the size\n    of this 9000000 byte file by 0 percent.\r\n\r\n    Chi square distribution for 9000000 samples is 258.77, and randomly\n    would exceed this value 42.24 percent of the times.\r\n\r\n    Arithmetic mean value of data bytes is 127.5006 (127.5 = random).\n    Monte Carlo value for Pi is 3.141277333 (error 0.01 percent).\n    Serial correlation coefficient is 0.000468 (totally uncorrelated =\n    0.0).\r\n\r\nThis change was tested on a Nexus 5 phone (msm8974 SoC).(CVE-2022-48629)\r\n\r\nThe brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.(CVE-2023-47233)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm: Don't unref the same fb many times by mistake due to deadlock handling\r\n\r\nIf we get a deadlock after the fb lookup in drm_mode_page_flip_ioctl()\nwe proceed to unref the fb and then retry the whole thing from the top.\nBut we forget to reset the fb pointer back to NULL, and so if we then\nget another error during the retry, before the fb lookup, we proceed\nthe unref the same fb again without having gotten another reference.\nThe end result is that the fb will (eventually) end up being freed\nwhile it's still in use.\r\n\r\nReset fb to NULL once we've unreffed it to avoid doing it again\nuntil we've done another fb lookup.\r\n\r\nThis turned out to be pretty easy to hit on a DG2 when doing async\nflips (and CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y). The first symptom I\nsaw that drm_closefb() simply got stuck in a busy loop while walking\nthe framebuffer list. Fortunately I was able to convince it to oops\ninstead, and from there it was easier to track down the culprit.(CVE-2023-52486)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nx86/alternatives: Disable KASAN in apply_alternatives()\r\n\r\nFei has reported that KASAN triggers during apply_alternatives() on\na 5-level paging machine:\r\n\r\n\tBUG: KASAN: out-of-bounds in rcu_is_watching()\n\tRead of size 4 at addr ff110003ee6419a0 by task swapper/0/0\n\t...\n\t__asan_load4()\n\trcu_is_watching()\n\ttrace_hardirqs_on()\n\ttext_poke_early()\n\tapply_alternatives()\n\t...\r\n\r\nOn machines with 5-level paging, cpu_feature_enabled(X86_FEATURE_LA57)\ngets patched. It includes KASAN code, where KASAN_SHADOW_START depends on\n__VIRTUAL_MASK_SHIFT, which is defined with cpu_feature_enabled().\r\n\r\nKASAN gets confused when apply_alternatives() patches the\nKASAN_SHADOW_START users. A test patch that makes KASAN_SHADOW_START\nstatic, by replacing __VIRTUAL_MASK_SHIFT with 56, works around the issue.\r\n\r\nFix it for real by disabling KASAN while the kernel is patching alternatives.\r\n\r\n[ mingo: updated the changelog ](CVE-2023-52504)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: nfc: llcp: Add lock when modifying device list\r\n\r\nThe device list needs its associated lock held when modifying it, or the\nlist could become corrupted, as syzbot discovered.(CVE-2023-52524)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nteam: fix null-ptr-deref when team device type is changed\r\n\r\nGet a null-ptr-deref bug as follows with reproducer [1].\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000228\n...\nRIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q]\n...\nCall Trace:\n <TASK>\n ? __die+0x24/0x70\n ? page_fault_oops+0x82/0x150\n ? exc_page_fault+0x69/0x150\n ? asm_exc_page_fault+0x26/0x30\n ? vlan_dev_hard_header+0x35/0x140 [8021q]\n ? vlan_dev_hard_header+0x8e/0x140 [8021q]\n neigh_connected_output+0xb2/0x100\n ip6_finish_output2+0x1cb/0x520\n ? nf_hook_slow+0x43/0xc0\n ? ip6_mtu+0x46/0x80\n ip6_finish_output+0x2a/0xb0\n mld_sendpack+0x18f/0x250\n mld_ifc_work+0x39/0x160\n process_one_work+0x1e6/0x3f0\n worker_thread+0x4d/0x2f0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe5/0x120\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\r\n\r\n[1]\n$ teamd -t team0 -d -c '{\"runner\": {\"name\": \"loadbalance\"}}'\n$ ip link add name t-dummy type dummy\n$ ip link add link t-dummy name t-dummy.100 type vlan id 100\n$ ip link add name t-nlmon type nlmon\n$ ip link set t-nlmon master team0\n$ ip link set t-nlmon nomaster\n$ ip link set t-dummy up\n$ ip link set team0 up\n$ ip link set t-dummy.100 down\n$ ip link set t-dummy.100 master team0\r\n\r\nWhen enslave a vlan device to team device and team device type is changed\nfrom non-ether to ether, header_ops of team device is changed to\nvlan_header_ops. That is incorrect and will trigger null-ptr-deref\nfor vlan->real_dev in vlan_dev_hard_header() because team device is not\na vlan device.\r\n\r\nCache eth_header_ops in team_setup(), then assign cached header_ops to\nheader_ops of team net device when its type is changed from non-ether\nto ether to fix the bug.(CVE-2023-52574)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/mm: Fix null-pointer dereference in pgtable_cache_add\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.(CVE-2023-52607)\r\n\r\nA null pointer dereference vulnerability was found in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() in drivers/net/wireless/ath/ath10k/wmi-tlv.c in the Linux kernel. This issue could be exploited to trigger a denial of service.(CVE-2023-7042)\r\n\r\nA race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.\r\n\r\n\r\n\r\n\n(CVE-2024-24861)\r\n\r\ncreate_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.(CVE-2024-25739)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/smc: fix illegal rmb_desc access in SMC-D connection dump\r\n\r\nA crash was found when dumping SMC-D connections. It can be reproduced\nby following steps:\r\n\r\n- run nginx/wrk test:\n  smc_run nginx\n  smc_run wrk -t 16 -c 1000 -d <duration> -H 'Connection: Close' <URL>\r\n\r\n- continuously dump SMC-D connections in parallel:\n  watch -n 1 'smcss -D'\r\n\r\n BUG: kernel NULL pointer dereference, address: 0000000000000030\n CPU: 2 PID: 7204 Comm: smcss Kdump: loaded Tainted: G\tE      6.7.0+ #55\n RIP: 0010:__smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]\n Call Trace:\n  <TASK>\n  ? __die+0x24/0x70\n  ? page_fault_oops+0x66/0x150\n  ? exc_page_fault+0x69/0x140\n  ? asm_exc_page_fault+0x26/0x30\n  ? __smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]\n  ? __kmalloc_node_track_caller+0x35d/0x430\n  ? __alloc_skb+0x77/0x170\n  smc_diag_dump_proto+0xd0/0xf0 [smc_diag]\n  smc_diag_dump+0x26/0x60 [smc_diag]\n  netlink_dump+0x19f/0x320\n  __netlink_dump_start+0x1dc/0x300\n  smc_diag_handler_dump+0x6a/0x80 [smc_diag]\n  ? __pfx_smc_diag_dump+0x10/0x10 [smc_diag]\n  sock_diag_rcv_msg+0x121/0x140\n  ? __pfx_sock_diag_rcv_msg+0x10/0x10\n  netlink_rcv_skb+0x5a/0x110\n  sock_diag_rcv+0x28/0x40\n  netlink_unicast+0x22a/0x330\n  netlink_sendmsg+0x1f8/0x420\n  __sock_sendmsg+0xb0/0xc0\n  ____sys_sendmsg+0x24e/0x300\n  ? copy_msghdr_from_user+0x62/0x80\n  ___sys_sendmsg+0x7c/0xd0\n  ? __do_fault+0x34/0x160\n  ? do_read_fault+0x5f/0x100\n  ? do_fault+0xb0/0x110\n  ? __handle_mm_fault+0x2b0/0x6c0\n  __sys_sendmsg+0x4d/0x80\n  do_syscall_64+0x69/0x180\n  entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\nIt is possible that the connection is in process of being established\nwhen we dump it. Assumed that the connection has been registered in a\nlink group by smc_conn_create() but the rmb_desc has not yet been\ninitialized by smc_buf_create(), thus causing the illegal access to\nconn->rmb_desc. So fix it by checking before dump.(CVE-2024-26615)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: sh: aica: reorder cleanup operations to avoid UAF bugs\r\n\r\nThe dreamcastcard->timer could schedule the spu_dma_work and the\nspu_dma_work could also arm the dreamcastcard->timer.\r\n\r\nWhen the snd_pcm_substream is closing, the aica_channel will be\ndeallocated. But it could still be dereferenced in the worker\nthread. The reason is that del_timer() will return directly\nregardless of whether the timer handler is running or not and\nthe worker could be rescheduled in the timer handler. As a result,\nthe UAF bug will happen. The racy situation is shown below:\r\n\r\n      (Thread 1)                 |      (Thread 2)\nsnd_aicapcm_pcm_close()          |\n ...                             |  run_spu_dma() //worker\n                                 |    mod_timer()\n  flush_work()                   |\n  del_timer()                    |  aica_period_elapsed() //timer\n  kfree(dreamcastcard->channel)  |    schedule_work()\n                                 |  run_spu_dma() //worker\n  ...                            |    dreamcastcard->channel-> //USE\r\n\r\nIn order to mitigate this bug and other possible corner cases,\ncall mod_timer() conditionally in run_spu_dma(), then implement\nPCM sync_stop op to cancel both the timer and worker. The sync_stop\nop will be called from PCM core appropriately when needed.(CVE-2024-26654)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntipc: Check the bearer type before calling tipc_udp_nl_bearer_add()\r\n\r\nsyzbot reported the following general protection fault [1]:\r\n\r\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000080-0x0000000000000087]\n...\nRIP: 0010:tipc_udp_is_known_peer+0x9c/0x250 net/tipc/udp_media.c:291\n...\nCall Trace:\n <TASK>\n tipc_udp_nl_bearer_add+0x212/0x2f0 net/tipc/udp_media.c:646\n tipc_nl_bearer_add+0x21e/0x360 net/tipc/bearer.c:1089\n genl_family_rcv_msg_doit+0x1fc/0x2e0 net/netlink/genetlink.c:972\n genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline]\n genl_rcv_msg+0x561/0x800 net/netlink/genetlink.c:1067\n netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2544\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1367\n netlink_sendmsg+0x8b7/0xd70 net/netlink/af_netlink.c:1909\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0xd5/0x180 net/socket.c:745\n ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584\n ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638\n __sys_sendmsg+0x117/0x1e0 net/socket.c:2667\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nThe cause of this issue is that when tipc_nl_bearer_add() is called with\nthe TIPC_NLA_BEARER_UDP_OPTS attribute, tipc_udp_nl_bearer_add() is called\neven if the bearer is not UDP.\r\n\r\ntipc_udp_is_known_peer() called by tipc_udp_nl_bearer_add() assumes that\nthe media_ptr field of the tipc_bearer has an udp_bearer type object, so\nthe function goes crazy for non-UDP bearers.\r\n\r\nThis patch fixes the issue by checking the bearer type before calling\ntipc_udp_nl_bearer_add() in tipc_nl_bearer_add().(CVE-2024-26663)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix hang in nilfs_lookup_dirty_data_buffers()\r\n\r\nSyzbot reported a hang issue in migrate_pages_batch() called by mbind()\nand nilfs_lookup_dirty_data_buffers() called in the log writer of nilfs2.\r\n\r\nWhile migrate_pages_batch() locks a folio and waits for the writeback to\ncomplete, the log writer thread that should bring the writeback to\ncompletion picks up the folio being written back in\nnilfs_lookup_dirty_data_buffers() that it calls for subsequent log\ncreation and was trying to lock the folio.  Thus causing a deadlock.\r\n\r\nIn the first place, it is unexpected that folios/pages in the middle of\nwriteback will be updated and become dirty.  Nilfs2 adds a checksum to\nverify the validity of the log being written and uses it for recovery at\nmount, so data changes during writeback are suppressed.  Since this is\nbroken, an unclean shutdown could potentially cause recovery to fail.\r\n\r\nInvestigation revealed that the root cause is that the wait for writeback\ncompletion in nilfs_page_mkwrite() is conditional, and if the backing\ndevice does not require stable writes, data may be modified without\nwaiting.\r\n\r\nFix these issues by making nilfs_page_mkwrite() wait for writeback to\nfinish regardless of the stable write requirement of the backing device.(CVE-2024-26696)",
+    "cves": [
+      {
+        "id": "CVE-2024-26696",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26696",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1397": {
+    "id": "openEuler-SA-2021-1397",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1397",
+    "title": "An update for nodejs-minimist is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "This module is the guts of nodejs-optimist's argument parser without all the fanciful decoration.\r\n\r\nSecurity Fix(es):\r\n\r\nminimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a \"constructor\" or \"__proto__\" payload.(CVE-2020-7598)",
+    "cves": [
+      {
+        "id": "CVE-2020-7598",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7598",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1944": {
+    "id": "openEuler-SA-2022-1944",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1944",
+    "title": "An update for python-pip is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes. %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-/bash_completion.d}) Name:           python-pip Version:        21.3.1 Release:        1 Summary:        A tool for installing and managing Python packages License:        MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD) URL:            http://www.pip-installer.org Source0:          BuildArch:      noarch Patch1:         allow-stripping-given-prefix-from-wheel-RECORD-files. Patch2:         emit-a-warning-when-running-with-root-privileges.patch Patch6000:      dummy-certifi.patch\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.(CVE-2021-33503)\r\n\r\nLib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.(CVE-2020-14422)",
+    "cves": [
+      {
+        "id": "CVE-2020-14422",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14422",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1328": {
+    "id": "openEuler-SA-2021-1328",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1328",
+    "title": "An update for glibc is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt, login, exit and more.\r\n\r\nSecurity Fix(es):\r\n\r\nIn librt in the GNU C Library (aka glibc) through 2.34, sysdeps/unix/sysv/linux/mq_notify.c mishandles certain NOTIFY_REMOVED data, leading to a NULL pointer dereference. NOTE: this vulnerability was introduced as a side effect of the CVE-2021-33574 fix.(CVE-2021-38604)",
+    "cves": [
+      {
+        "id": "CVE-2021-38604",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38604",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1850": {
+    "id": "openEuler-SA-2023-1850",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1850",
+    "title": "An update for shadow is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Tools for managing accounts and shadow password files.\r\n\r\nSecurity Fix(es):\r\n\r\nshadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees(CVE-2013-4235)",
+    "cves": [
+      {
+        "id": "CVE-2013-4235",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4235",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1693": {
+    "id": "openEuler-SA-2024-1693",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1693",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmptcp: ensure tx skbs always have the MPTCP ext\r\n\r\nDue to signed/unsigned comparison, the expression:\r\n\r\n\tinfo->size_goal - skb->len > 0\r\n\r\nevaluates to true when the size goal is smaller than the\nskb size. That results in lack of tx cache refill, so that\nthe skb allocated by the core TCP code lacks the required\nMPTCP skb extensions.\r\n\r\nDue to the above, syzbot is able to trigger the following WARN_ON():\r\n\r\nWARNING: CPU: 1 PID: 810 at net/mptcp/protocol.c:1366 mptcp_sendmsg_frag+0x1362/0x1bc0 net/mptcp/protocol.c:1366\nModules linked in:\nCPU: 1 PID: 810 Comm: syz-executor.4 Not tainted 5.14.0-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:mptcp_sendmsg_frag+0x1362/0x1bc0 net/mptcp/protocol.c:1366\nCode: ff 4c 8b 74 24 50 48 8b 5c 24 58 e9 0f fb ff ff e8 13 44 8b f8 4c 89 e7 45 31 ed e8 98 57 2e fe e9 81 f4 ff ff e8 fe 43 8b f8 <0f> 0b 41 bd ea ff ff ff e9 6f f4 ff ff 4c 89 e7 e8 b9 8e d2 f8 e9\nRSP: 0018:ffffc9000531f6a0 EFLAGS: 00010216\nRAX: 000000000000697f RBX: 0000000000000000 RCX: ffffc90012107000\nRDX: 0000000000040000 RSI: ffffffff88eac9e2 RDI: 0000000000000003\nRBP: ffff888078b15780 R08: 0000000000000000 R09: 0000000000000000\nR10: ffffffff88eac017 R11: 0000000000000000 R12: ffff88801de0a280\nR13: 0000000000006b58 R14: ffff888066278280 R15: ffff88803c2fe9c0\nFS:  00007fd9f866e700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007faebcb2f718 CR3: 00000000267cb000 CR4: 00000000001506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n __mptcp_push_pending+0x1fb/0x6b0 net/mptcp/protocol.c:1547\n mptcp_release_cb+0xfe/0x210 net/mptcp/protocol.c:3003\n release_sock+0xb4/0x1b0 net/core/sock.c:3206\n sk_stream_wait_memory+0x604/0xed0 net/core/stream.c:145\n mptcp_sendmsg+0xc39/0x1bc0 net/mptcp/protocol.c:1749\n inet6_sendmsg+0x99/0xe0 net/ipv6/af_inet6.c:643\n sock_sendmsg_nosec net/socket.c:704 [inline]\n sock_sendmsg+0xcf/0x120 net/socket.c:724\n sock_write_iter+0x2a0/0x3e0 net/socket.c:1057\n call_write_iter include/linux/fs.h:2163 [inline]\n new_sync_write+0x40b/0x640 fs/read_write.c:507\n vfs_write+0x7cf/0xae0 fs/read_write.c:594\n ksys_write+0x1ee/0x250 fs/read_write.c:647\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x4665f9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fd9f866e188 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000000000056c038 RCX: 00000000004665f9\nRDX: 00000000000e7b78 RSI: 0000000020000000 RDI: 0000000000000003\nRBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c038\nR13: 0000000000a9fb1f R14: 00007fd9f866e300 R15: 0000000000022000\r\n\r\nFix the issue rewriting the relevant expression to avoid\nsign-related problems - note: size_goal is always >= 0.\r\n\r\nAdditionally, ensure that the skb in the tx cache always carries\nthe relevant extension.(CVE-2021-47370)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: Fix even more out of bound writes from debugfs\r\n\r\nCVE-2021-42327 was fixed by:\r\n\r\ncommit f23750b5b3d98653b31d4469592935ef6364ad67\nAuthor: Thelford Williams <tdwilliamsiv@gmail.com>\nDate:   Wed Oct 13 16:04:13 2021 -0400\r\n\r\n    drm/amdgpu: fix out of bounds write\r\n\r\nbut amdgpu_dm_debugfs.c contains more of the same issue so fix the\nremaining ones.\r\n\r\nv2:\n\t* Add missing fix in dp_max_bpc_write (Harry Wentland)(CVE-2021-47489)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: TX zerocopy should not sense pfmemalloc status\r\n\r\nWe got a recent syzbot report [1] showing a possible misuse\nof pfmemalloc page status in TCP zerocopy paths.\r\n\r\nIndeed, for pages coming from user space or other layers,\nusing page_is_pfmemalloc() is moot, and possibly could give\nfalse positives.\r\n\r\nThere has been attempts to make page_is_pfmemalloc() more robust,\nbut not using it in the first place in this context is probably better,\nremoving cpu cycles.\r\n\r\nNote to stable teams :\r\n\r\nYou need to backport 84ce071e38a6 (\"net: introduce\n__skb_fill_page_desc_noacc\") as a prereq.\r\n\r\nRace is more probable after commit c07aea3ef4d4\n(\"mm: add a signature in struct page\") because page_is_pfmemalloc()\nis now using low order bit from page->lru.next, which can change\nmore often than page->index.\r\n\r\nLow order bit should never be set for lru.next (when used as an anchor\nin LRU list), so KCSAN report is mostly a false positive.\r\n\r\nBackporting to older kernel versions seems not necessary.\r\n\r\n[1]\nBUG: KCSAN: data-race in lru_add_fn / tcp_build_frag\r\n\r\nwrite to 0xffffea0004a1d2c8 of 8 bytes by task 18600 on cpu 0:\n__list_add include/linux/list.h:73 [inline]\nlist_add include/linux/list.h:88 [inline]\nlruvec_add_folio include/linux/mm_inline.h:105 [inline]\nlru_add_fn+0x440/0x520 mm/swap.c:228\nfolio_batch_move_lru+0x1e1/0x2a0 mm/swap.c:246\nfolio_batch_add_and_move mm/swap.c:263 [inline]\nfolio_add_lru+0xf1/0x140 mm/swap.c:490\nfilemap_add_folio+0xf8/0x150 mm/filemap.c:948\n__filemap_get_folio+0x510/0x6d0 mm/filemap.c:1981\npagecache_get_page+0x26/0x190 mm/folio-compat.c:104\ngrab_cache_page_write_begin+0x2a/0x30 mm/folio-compat.c:116\next4_da_write_begin+0x2dd/0x5f0 fs/ext4/inode.c:2988\ngeneric_perform_write+0x1d4/0x3f0 mm/filemap.c:3738\next4_buffered_write_iter+0x235/0x3e0 fs/ext4/file.c:270\next4_file_write_iter+0x2e3/0x1210\ncall_write_iter include/linux/fs.h:2187 [inline]\nnew_sync_write fs/read_write.c:491 [inline]\nvfs_write+0x468/0x760 fs/read_write.c:578\nksys_write+0xe8/0x1a0 fs/read_write.c:631\n__do_sys_write fs/read_write.c:643 [inline]\n__se_sys_write fs/read_write.c:640 [inline]\n__x64_sys_write+0x3e/0x50 fs/read_write.c:640\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\r\n\r\nread to 0xffffea0004a1d2c8 of 8 bytes by task 18611 on cpu 1:\npage_is_pfmemalloc include/linux/mm.h:1740 [inline]\n__skb_fill_page_desc include/linux/skbuff.h:2422 [inline]\nskb_fill_page_desc include/linux/skbuff.h:2443 [inline]\ntcp_build_frag+0x613/0xb20 net/ipv4/tcp.c:1018\ndo_tcp_sendpages+0x3e8/0xaf0 net/ipv4/tcp.c:1075\ntcp_sendpage_locked net/ipv4/tcp.c:1140 [inline]\ntcp_sendpage+0x89/0xb0 net/ipv4/tcp.c:1150\ninet_sendpage+0x7f/0xc0 net/ipv4/af_inet.c:833\nkernel_sendpage+0x184/0x300 net/socket.c:3561\nsock_sendpage+0x5a/0x70 net/socket.c:1054\npipe_to_sendpage+0x128/0x160 fs/splice.c:361\nsplice_from_pipe_feed fs/splice.c:415 [inline]\n__splice_from_pipe+0x222/0x4d0 fs/splice.c:559\nsplice_from_pipe fs/splice.c:594 [inline]\ngeneric_splice_sendpage+0x89/0xc0 fs/splice.c:743\ndo_splice_from fs/splice.c:764 [inline]\ndirect_splice_actor+0x80/0xa0 fs/splice.c:931\nsplice_direct_to_actor+0x305/0x620 fs/splice.c:886\ndo_splice_direct+0xfb/0x180 fs/splice.c:974\ndo_sendfile+0x3bf/0x910 fs/read_write.c:1249\n__do_sys_sendfile64 fs/read_write.c:1317 [inline]\n__se_sys_sendfile64 fs/read_write.c:1303 [inline]\n__x64_sys_sendfile64+0x10c/0x150 fs/read_write.c:1303\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\r\n\r\nvalue changed: 0x0000000000000000 -> 0xffffea0004a1d288\r\n\r\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 18611 Comm: syz-executor.4 Not tainted 6.0.0-rc2-syzkaller-00248-ge022620b5d05-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022(CVE-2022-48689)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nio_uring/af_unix: disable sending io_uring over sockets\r\n\r\nFile reference cycles have caused lots of problems for io_uring\nin the past, and it still doesn't work exactly right and races with\nunix_stream_read_generic(). The safest fix would be to completely\ndisallow sending io_uring files via sockets via SCM_RIGHT, so there\nare no possible cycles invloving registered files and thus rendering\nSCM accounting on the io_uring side unnecessary.(CVE-2023-52654)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: aqc111: check packet for fixup for true limit\r\n\r\nIf a device sends a packet that is inbetween 0\nand sizeof(u64) the value passed to skb_trim()\nas length will wrap around ending up as some very\nlarge value.\r\n\r\nThe driver will then proceed to parse the header\nlocated at that position, which will either oops or\nprocess some random value.\r\n\r\nThe fix is to check against sizeof(u64) rather than\n0, which the driver currently does. The issue exists\nsince the introduction of the driver.(CVE-2023-52655)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: s390/aes - Fix buffer overread in CTR mode\r\n\r\nWhen processing the last block, the s390 ctr code will always read\na whole block, even if there isn't a whole block of data left.  Fix\nthis by using the actual length left and copy it into a buffer first\nfor processing.(CVE-2023-52669)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsysv: don't call sb_bread() with pointers_lock held\r\n\r\nsyzbot is reporting sleep in atomic context in SysV filesystem [1], for\nsb_bread() is called with rw_spinlock held.\r\n\r\nA \"write_lock(&pointers_lock) => read_lock(&pointers_lock) deadlock\" bug\nand a \"sb_bread() with write_lock(&pointers_lock)\" bug were introduced by\n\"Replace BKL for chain locking with sysvfs-private rwlock\" in Linux 2.5.12.\r\n\r\nThen, \"[PATCH] err1-40: sysvfs locking fix\" in Linux 2.6.8 fixed the\nformer bug by moving pointers_lock lock to the callers, but instead\nintroduced a \"sb_bread() with read_lock(&pointers_lock)\" bug (which made\nthis problem easier to hit).\r\n\r\nAl Viro suggested that why not to do like get_branch()/get_block()/\nfind_shared() in Minix filesystem does. And doing like that is almost a\nrevert of \"[PATCH] err1-40: sysvfs locking fix\" except that get_branch()\n from with find_shared() is called without write_lock(&pointers_lock).(CVE-2023-52699)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/usb: kalmia: Don't pass act_len in usb_bulk_msg error path\r\n\r\nsyzbot reported that act_len in kalmia_send_init_packet() is\nuninitialized when passing it to the first usb_bulk_msg error path. Jiri\nPirko noted that it's pointless to pass it in the error path, and that\nthe value that would be printed in the second error path would be the\nvalue of act_len from the first call to usb_bulk_msg.[1]\r\n\r\nWith this in mind, let's just not pass act_len to the usb_bulk_msg error\npaths.\r\n\r\n1: https://lore.kernel.org/lkml/Y9pY61y1nwTuzMOa@nanopsycho/(CVE-2023-52703)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmmc: sdio: fix possible resource leaks in some error paths\r\n\r\nIf sdio_add_func() or sdio_init_func() fails, sdio_remove_func() can\nnot release the resources, because the sdio function is not presented\nin these two cases, it won't call of_node_put() or put_device().\r\n\r\nTo fix these leaks, make sdio_func_present() only control whether\ndevice_del() needs to be called or not, then always call of_node_put()\nand put_device().\r\n\r\nIn error case in sdio_init_func(), the reference of 'card->dev' is\nnot get, to avoid redundant put in sdio_free_func_cis(), move the\nget_device() to sdio_alloc_func() and put_device() to sdio_release_func(),\nit can keep the get/put function be balanced.\r\n\r\nWithout this patch, while doing fault inject test, it can get the\nfollowing leak reports, after this fix, the leak is gone.\r\n\r\nunreferenced object 0xffff888112514000 (size 2048):\n  comm \"kworker/3:2\", pid 65, jiffies 4294741614 (age 124.774s)\n  hex dump (first 32 bytes):\n    00 e0 6f 12 81 88 ff ff 60 58 8d 06 81 88 ff ff  ..o.....`X......\n    10 40 51 12 81 88 ff ff 10 40 51 12 81 88 ff ff  .@Q......@Q.....\n  backtrace:\n    [<000000009e5931da>] kmalloc_trace+0x21/0x110\n    [<000000002f839ccb>] mmc_alloc_card+0x38/0xb0 [mmc_core]\n    [<0000000004adcbf6>] mmc_sdio_init_card+0xde/0x170 [mmc_core]\n    [<000000007538fea0>] mmc_attach_sdio+0xcb/0x1b0 [mmc_core]\n    [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core]\r\n\r\nunreferenced object 0xffff888112511000 (size 2048):\n  comm \"kworker/3:2\", pid 65, jiffies 4294741623 (age 124.766s)\n  hex dump (first 32 bytes):\n    00 40 51 12 81 88 ff ff e0 58 8d 06 81 88 ff ff  .@Q......X......\n    10 10 51 12 81 88 ff ff 10 10 51 12 81 88 ff ff  ..Q.......Q.....\n  backtrace:\n    [<000000009e5931da>] kmalloc_trace+0x21/0x110\n    [<00000000fcbe706c>] sdio_alloc_func+0x35/0x100 [mmc_core]\n    [<00000000c68f4b50>] mmc_attach_sdio.cold.18+0xb1/0x395 [mmc_core]\n    [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core](CVE-2023-52730)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself\r\n\r\nsock_map proto callbacks should never call themselves by design. Protect\nagainst bugs like [1] and break out of the recursive loop to avoid a stack\noverflow in favor of a resource leak.\r\n\r\n[1] https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/(CVE-2023-52735)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: hda: Do not unset preset when cleaning up codec\r\n\r\nSeveral functions that take part in codec's initialization and removal\nare re-used by ASoC codec drivers implementations. Drivers mimic the\nbehavior of hda_codec_driver_probe/remove() found in\nsound/pci/hda/hda_bind.c with their component->probe/remove() instead.\r\n\r\nOne of the reasons for that is the expectation of\nsnd_hda_codec_device_new() to receive a valid pointer to an instance of\nstruct snd_card. This expectation can be met only once sound card\ncomponents probing commences.\r\n\r\nAs ASoC sound card may be unbound without codec device being actually\nremoved from the system, unsetting ->preset in\nsnd_hda_codec_cleanup_for_unbind() interferes with module unload -> load\nscenario causing null-ptr-deref. Preset is assigned only once, during\ndevice/driver matching whereas ASoC codec driver's module reloading may\noccur several times throughout the lifetime of an audio stack.(CVE-2023-52736)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\narm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer\r\n\r\nPrior to LLVM 15.0.0, LLVM's integrated assembler would incorrectly\nbyte-swap NOP when compiling for big-endian, and the resulting series of\nbytes happened to match the encoding of FNMADD S21, S30, S0, S0.\r\n\r\nThis went unnoticed until commit:\r\n\r\n  34f66c4c4d5518c1 (\"arm64: Use a positive cpucap for FP/SIMD\")\r\n\r\nPrior to that commit, the kernel would always enable the use of FPSIMD\nearly in boot when __cpu_setup() initialized CPACR_EL1, and so usage of\nFNMADD within the kernel was not detected, but could result in the\ncorruption of user or kernel FPSIMD state.\r\n\r\nAfter that commit, the instructions happen to trap during boot prior to\nFPSIMD being detected and enabled, e.g.\r\n\r\n| Unhandled 64-bit el1h sync exception on CPU0, ESR 0x000000001fe00000 -- ASIMD\n| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1\n| Hardware name: linux,dummy-virt (DT)\n| pstate: 400000c9 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n| pc : __pi_strcmp+0x1c/0x150\n| lr : populate_properties+0xe4/0x254\n| sp : ffffd014173d3ad0\n| x29: ffffd014173d3af0 x28: fffffbfffddffcb8 x27: 0000000000000000\n| x26: 0000000000000058 x25: fffffbfffddfe054 x24: 0000000000000008\n| x23: fffffbfffddfe000 x22: fffffbfffddfe000 x21: fffffbfffddfe044\n| x20: ffffd014173d3b70 x19: 0000000000000001 x18: 0000000000000005\n| x17: 0000000000000010 x16: 0000000000000000 x15: 00000000413e7000\n| x14: 0000000000000000 x13: 0000000000001bcc x12: 0000000000000000\n| x11: 00000000d00dfeed x10: ffffd414193f2cd0 x9 : 0000000000000000\n| x8 : 0101010101010101 x7 : ffffffffffffffc0 x6 : 0000000000000000\n| x5 : 0000000000000000 x4 : 0101010101010101 x3 : 000000000000002a\n| x2 : 0000000000000001 x1 : ffffd014171f2988 x0 : fffffbfffddffcb8\n| Kernel panic - not syncing: Unhandled exception\n| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1\n| Hardware name: linux,dummy-virt (DT)\n| Call trace:\n|  dump_backtrace+0xec/0x108\n|  show_stack+0x18/0x2c\n|  dump_stack_lvl+0x50/0x68\n|  dump_stack+0x18/0x24\n|  panic+0x13c/0x340\n|  el1t_64_irq_handler+0x0/0x1c\n|  el1_abort+0x0/0x5c\n|  el1h_64_sync+0x64/0x68\n|  __pi_strcmp+0x1c/0x150\n|  unflatten_dt_nodes+0x1e8/0x2d8\n|  __unflatten_device_tree+0x5c/0x15c\n|  unflatten_device_tree+0x38/0x50\n|  setup_arch+0x164/0x1e0\n|  start_kernel+0x64/0x38c\n|  __primary_switched+0xbc/0xc4\r\n\r\nRestrict CONFIG_CPU_BIG_ENDIAN to a known good assembler, which is\neither GNU as or LLVM's IAS 15.0.0 and newer, which contains the linked\ncommit.(CVE-2023-52750)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsmb: client: fix use-after-free bug in cifs_debug_data_proc_show()\r\n\r\nSkip SMB sessions that are being teared down\n(e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show()\nto avoid use-after-free in @ses.\r\n\r\nThis fixes the following GPF when reading from /proc/fs/cifs/DebugData\nwhile mounting and umounting\r\n\r\n  [ 816.251274] general protection fault, probably for non-canonical\n  address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI\n  ...\n  [  816.260138] Call Trace:\n  [  816.260329]  <TASK>\n  [  816.260499]  ? die_addr+0x36/0x90\n  [  816.260762]  ? exc_general_protection+0x1b3/0x410\n  [  816.261126]  ? asm_exc_general_protection+0x26/0x30\n  [  816.261502]  ? cifs_debug_tcon+0xbd/0x240 [cifs]\n  [  816.261878]  ? cifs_debug_tcon+0xab/0x240 [cifs]\n  [  816.262249]  cifs_debug_data_proc_show+0x516/0xdb0 [cifs]\n  [  816.262689]  ? seq_read_iter+0x379/0x470\n  [  816.262995]  seq_read_iter+0x118/0x470\n  [  816.263291]  proc_reg_read_iter+0x53/0x90\n  [  816.263596]  ? srso_alias_return_thunk+0x5/0x7f\n  [  816.263945]  vfs_read+0x201/0x350\n  [  816.264211]  ksys_read+0x75/0x100\n  [  816.264472]  do_syscall_64+0x3f/0x90\n  [  816.264750]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n  [  816.265135] RIP: 0033:0x7fd5e669d381(CVE-2023-52752)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngfs2: ignore negated quota changes\r\n\r\nWhen lots of quota changes are made, there may be cases in which an\ninode's quota information is increased and then decreased, such as when\nblocks are added to a file, then deleted from it. If the timing is\nright, function do_qc can add pending quota changes to a transaction,\nthen later, another call to do_qc can negate those changes, resulting\nin a net gain of 0. The quota_change information is recorded in the qc\nbuffer (and qd element of the inode as well). The buffer is added to the\ntransaction by the first call to do_qc, but a subsequent call changes\nthe value from non-zero back to zero. At that point it's too late to\nremove the buffer_head from the transaction. Later, when the quota sync\ncode is called, the zero-change qd element is discovered and flagged as\nan assert warning. If the fs is mounted with errors=panic, the kernel\nwill panic.\r\n\r\nThis is usually seen when files are truncated and the quota changes are\nnegated by punch_hole/truncate which uses gfs2_quota_hold and\ngfs2_quota_unhold rather than block allocations that use gfs2_quota_lock\nand gfs2_quota_unlock which automatically do quota sync.\r\n\r\nThis patch solves the problem by adding a check to qd_check_sync such\nthat net-zero quota changes already added to the transaction are no\nlonger deemed necessary to be synced, and skipped.\r\n\r\nIn this case references are taken for the qd and the slot from do_qc\nso those need to be put. The normal sequence of events for a normal\nnon-zero quota change is as follows:\r\n\r\ngfs2_quota_change\n   do_qc\n      qd_hold\n      slot_hold\r\n\r\nLater, when the changes are to be synced:\r\n\r\ngfs2_quota_sync\n   qd_fish\n      qd_check_sync\n         gets qd ref via lockref_get_not_dead\n   do_sync\n      do_qc(QC_SYNC)\n         qd_put\n\t    lockref_put_or_lock\n   qd_unlock\n      qd_put\n         lockref_put_or_lock\r\n\r\nIn the net-zero change case, we add a check to qd_check_sync so it puts\nthe qd and slot references acquired in gfs2_quota_change and skip the\nunneeded sync.(CVE-2023-52759)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/dasd: protect device queue against concurrent access\r\n\r\nIn dasd_profile_start() the amount of requests on the device queue are\ncounted. The access to the device queue is unprotected against\nconcurrent access. With a lot of parallel I/O, especially with alias\ndevices enabled, the device queue can change while dasd_profile_start()\nis accessing the queue. In the worst case this leads to a kernel panic\ndue to incorrect pointer accesses.\r\n\r\nFix this by taking the device lock before accessing the queue and\ncounting the requests. Additionally the check for a valid profile data\npointer can be done earlier to avoid unnecessary locking in a hot path.(CVE-2023-52774)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntty: vcc: Add check for kstrdup() in vcc_probe()\r\n\r\nAdd check for the return value of kstrdup() and return the error, if it\nfails in order to avoid NULL pointer dereference.(CVE-2023-52789)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvhost-vdpa: fix use after free in vhost_vdpa_probe()\r\n\r\nThe put_device() calls vhost_vdpa_release_dev() which calls\nida_simple_remove() and frees \"v\".  So this call to\nida_simple_remove() is a use after free and a double free.(CVE-2023-52795)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\niio: adc: stm32-adc: harden against NULL pointer deref in stm32_adc_probe()\r\n\r\nof_match_device() may fail and returns a NULL pointer.\r\n\r\nIn practice there is no known reasonable way to trigger this, but\nin case one is added in future, harden the code by adding the check(CVE-2023-52802)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/jfs: Add validity check for db_maxag and db_agpref\r\n\r\nBoth db_maxag and db_agpref are used as the index of the\ndb_agfree array, but there is currently no validity check for\ndb_maxag and db_agpref, which can lead to errors.\r\n\r\nThe following is related bug reported by Syzbot:\r\n\r\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:639:20\nindex 7936 is out of range for type 'atomic_t[128]'\r\n\r\nAdd checking that the values of db_maxag and db_agpref are valid\nindexes for the db_agfree array.(CVE-2023-52804)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix array-index-out-of-bounds in diAlloc\r\n\r\nCurrently there is not check against the agno of the iag while\nallocating new inodes to avoid fragmentation problem. Added the check\nwhich is required.(CVE-2023-52805)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: hisi_sas: Set debugfs_dir pointer to NULL after removing debugfs\r\n\r\nIf init debugfs failed during device registration due to memory allocation\nfailure, debugfs_remove_recursive() is called, after which debugfs_dir is\nnot set to NULL. debugfs_remove_recursive() will be called again during\ndevice removal. As a result, illegal pointer is accessed.\r\n\r\n[ 1665.467244] hisi_sas_v3_hw 0000:b4:02.0: failed to init debugfs!\n...\n[ 1669.836708] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0\n[ 1669.872669] pc : down_write+0x24/0x70\n[ 1669.876315] lr : down_write+0x1c/0x70\n[ 1669.879961] sp : ffff000036f53a30\n[ 1669.883260] x29: ffff000036f53a30 x28: ffffa027c31549f8\n[ 1669.888547] x27: ffffa027c3140000 x26: 0000000000000000\n[ 1669.893834] x25: ffffa027bf37c270 x24: ffffa027bf37c270\n[ 1669.899122] x23: ffff0000095406b8 x22: ffff0000095406a8\n[ 1669.904408] x21: 0000000000000000 x20: ffffa027bf37c310\n[ 1669.909695] x19: 00000000000000a0 x18: ffff8027dcd86f10\n[ 1669.914982] x17: 0000000000000000 x16: 0000000000000000\n[ 1669.920268] x15: 0000000000000000 x14: ffffa0274014f870\n[ 1669.925555] x13: 0000000000000040 x12: 0000000000000228\n[ 1669.930842] x11: 0000000000000020 x10: 0000000000000bb0\n[ 1669.936129] x9 : ffff000036f537f0 x8 : ffff80273088ca10\n[ 1669.941416] x7 : 000000000000001d x6 : 00000000ffffffff\n[ 1669.946702] x5 : ffff000008a36310 x4 : ffff80273088be00\n[ 1669.951989] x3 : ffff000009513e90 x2 : 0000000000000000\n[ 1669.957276] x1 : 00000000000000a0 x0 : ffffffff00000001\n[ 1669.962563] Call trace:\n[ 1669.965000]  down_write+0x24/0x70\n[ 1669.968301]  debugfs_remove_recursive+0x5c/0x1b0\n[ 1669.972905]  hisi_sas_debugfs_exit+0x24/0x30 [hisi_sas_main]\n[ 1669.978541]  hisi_sas_v3_remove+0x130/0x150 [hisi_sas_v3_hw]\n[ 1669.984175]  pci_device_remove+0x48/0xd8\n[ 1669.988082]  device_release_driver_internal+0x1b4/0x250\n[ 1669.993282]  device_release_driver+0x28/0x38\n[ 1669.997534]  pci_stop_bus_device+0x84/0xb8\n[ 1670.001611]  pci_stop_and_remove_bus_device_locked+0x24/0x40\n[ 1670.007244]  remove_store+0xfc/0x140\n[ 1670.010802]  dev_attr_store+0x44/0x60\n[ 1670.014448]  sysfs_kf_write+0x58/0x80\n[ 1670.018095]  kernfs_fop_write+0xe8/0x1f0\n[ 1670.022000]  __vfs_write+0x60/0x190\n[ 1670.025472]  vfs_write+0xac/0x1c0\n[ 1670.028771]  ksys_write+0x6c/0xd8\n[ 1670.032071]  __arm64_sys_write+0x24/0x30\n[ 1670.035977]  el0_svc_common+0x78/0x130\n[ 1670.039710]  el0_svc_handler+0x38/0x78\n[ 1670.043442]  el0_svc+0x8/0xc\r\n\r\nTo fix this, set debugfs_dir to NULL after debugfs_remove_recursive().(CVE-2023-52808)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: Fix potential null pointer derefernce\r\n\r\nThe amdgpu_ras_get_context may return NULL if device\nnot support ras feature, so add check before using.(CVE-2023-52814)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd: Fix UBSAN array-index-out-of-bounds for SMU7\r\n\r\nFor pptable structs that use flexible array sizes, use flexible arrays.(CVE-2023-52818)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga\r\n\r\nFor pptable structs that use flexible array sizes, use flexible arrays.(CVE-2023-52819)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/panel/panel-tpo-tpg110: fix a possible null pointer dereference\r\n\r\nIn tpg110_get_modes(), the return value of drm_mode_duplicate() is\nassigned to mode, which will lead to a NULL pointer dereference on\nfailure of drm_mode_duplicate(). Add a check to avoid npd.(CVE-2023-52826)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: mac80211: don't return unset power in ieee80211_get_tx_power()\r\n\r\nWe can get a UBSAN warning if ieee80211_get_tx_power() returns the\nINT_MIN value mac80211 internally uses for \"unset power level\".\r\n\r\n UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5\n -2147483648 * 100 cannot be represented in type 'int'\n CPU: 0 PID: 20433 Comm: insmod Tainted: G        WC OE\n Call Trace:\n  dump_stack+0x74/0x92\n  ubsan_epilogue+0x9/0x50\n  handle_overflow+0x8d/0xd0\n  __ubsan_handle_mul_overflow+0xe/0x10\n  nl80211_send_iface+0x688/0x6b0 [cfg80211]\n  [...]\n  cfg80211_register_wdev+0x78/0xb0 [cfg80211]\n  cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211]\n  [...]\n  ieee80211_if_add+0x60e/0x8f0 [mac80211]\n  ieee80211_register_hw+0xda5/0x1170 [mac80211]\r\n\r\nIn this case, simply return an error instead, to indicate\nthat no data is available.(CVE-2023-52832)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nlocking/ww_mutex/test: Fix potential workqueue corruption\r\n\r\nIn some cases running with the test-ww_mutex code, I was seeing\nodd behavior where sometimes it seemed flush_workqueue was\nreturning before all the work threads were finished.\r\n\r\nOften this would cause strange crashes as the mutexes would be\nfreed while they were being used.\r\n\r\nLooking at the code, there is a lifetime problem as the\ncontrolling thread that spawns the work allocates the\n\"struct stress\" structures that are passed to the workqueue\nthreads. Then when the workqueue threads are finished,\nthey free the stress struct that was passed to them.\r\n\r\nUnfortunately the workqueue work_struct node is in the stress\nstruct. Which means the work_struct is freed before the work\nthread returns and while flush_workqueue is waiting.\r\n\r\nIt seems like a better idea to have the controlling thread\nboth allocate and free the stress structures, so that we can\nbe sure we don't corrupt the workqueue by freeing the structure\nprematurely.\r\n\r\nSo this patch reworks the test to do so, and with this change\nI no longer see the early flush_workqueue returns.(CVE-2023-52836)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntipc: Change nla_policy for bearer-related names to NLA_NUL_STRING\r\n\r\nsyzbot reported the following uninit-value access issue [1]:\r\n\r\n=====================================================\nBUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline]\nBUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756\n strlen lib/string.c:418 [inline]\n strstr+0xb8/0x2f0 lib/string.c:756\n tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595\n genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]\n genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066\n netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545\n genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075\n netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]\n netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368\n netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910\n sock_sendmsg_nosec net/socket.c:730 [inline]\n sock_sendmsg net/socket.c:753 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595\n __sys_sendmsg net/socket.c:2624 [inline]\n __do_sys_sendmsg net/socket.c:2633 [inline]\n __se_sys_sendmsg net/socket.c:2631 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\r\n\r\nUninit was created at:\n slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767\n slab_alloc_node mm/slub.c:3478 [inline]\n kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559\n __alloc_skb+0x318/0x740 net/core/skbuff.c:650\n alloc_skb include/linux/skbuff.h:1286 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline]\n netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885\n sock_sendmsg_nosec net/socket.c:730 [inline]\n sock_sendmsg net/socket.c:753 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595\n __sys_sendmsg net/socket.c:2624 [inline]\n __do_sys_sendmsg net/socket.c:2633 [inline]\n __se_sys_sendmsg net/socket.c:2631 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\r\n\r\nTIPC bearer-related names including link names must be null-terminated\nstrings. If a link name which is not null-terminated is passed through\nnetlink, strstr() and similar functions can cause buffer overrun. This\ncauses the above issue.\r\n\r\nThis patch changes the nla_policy for bearer-related names from NLA_STRING\nto NLA_NUL_STRING. This resolves the issue by ensuring that only\nnull-terminated strings are accepted as bearer-related names.\r\n\r\nsyzbot reported similar uninit-value issue related to bearer names [2]. The\nroot cause of this issue is that a non-null-terminated bearer name was\npassed. This patch also resolved this issue.(CVE-2023-52845)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: mediatek: clk-mt7629: Add check for mtk_alloc_clk_data\r\n\r\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.(CVE-2023-52858)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nperf: hisi: Fix use-after-free when register pmu fails\r\n\r\nWhen we fail to register the uncore pmu, the pmu context may not been\nallocated. The error handing will call cpuhp_state_remove_instance()\nto call uncore pmu offline callback, which migrate the pmu context.\nSince that's liable to lead to some kind of use-after-free.\r\n\r\nUse cpuhp_state_remove_instance_nocalls() instead of\ncpuhp_state_remove_instance() so that the notifiers don't execute after\nthe PMU device has been failed to register.(CVE-2023-52859)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nplatform/x86: wmi: Fix opening of char device\r\n\r\nSince commit fa1f68db6ca7 (\"drivers: misc: pass miscdevice pointer via\nfile private data\"), the miscdevice stores a pointer to itself inside\nfilp->private_data, which means that private_data will not be NULL when\nwmi_char_open() is called. This might cause memory corruption should\nwmi_char_open() be unable to find its driver, something which can\nhappen when the associated WMI device is deleted in wmi_free_devices().\r\n\r\nFix the problem by using the miscdevice pointer to retrieve the WMI\ndevice data associated with a char device using container_of(). This\nalso avoids wmi_char_open() picking a wrong WMI device bound to a\ndriver with the same name as the original driver.(CVE-2023-52864)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsoc: qcom: llcc: Handle a second device without data corruption\r\n\r\nUsually there is only one llcc device. But if there were a second, even\na failed probe call would modify the global drv_data pointer. So check\nif drv_data is valid before overwriting it.(CVE-2023-52871)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncan: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds\r\n\r\nIf the \"struct can_priv::echoo_skb\" is accessed out of bounds, this\nwould cause a kernel crash. Instead, issue a meaningful warning\nmessage and return with an error.(CVE-2023-52878)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Fix memory leak in dm_sw_fini()\r\n\r\nAfter destroying dmub_srv, the memory associated with it is\nnot freed, causing a memory leak:\r\n\r\nunreferenced object 0xffff896302b45800 (size 1024):\n  comm \"(udev-worker)\", pid 222, jiffies 4294894636\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc 6265fd77):\n    [<ffffffff993495ed>] kmalloc_trace+0x29d/0x340\n    [<ffffffffc0ea4a94>] dm_dmub_sw_init+0xb4/0x450 [amdgpu]\n    [<ffffffffc0ea4e55>] dm_sw_init+0x15/0x2b0 [amdgpu]\n    [<ffffffffc0ba8557>] amdgpu_device_init+0x1417/0x24e0 [amdgpu]\n    [<ffffffffc0bab285>] amdgpu_driver_load_kms+0x15/0x190 [amdgpu]\n    [<ffffffffc0ba09c7>] amdgpu_pci_probe+0x187/0x4e0 [amdgpu]\n    [<ffffffff9968fd1e>] local_pci_probe+0x3e/0x90\n    [<ffffffff996918a3>] pci_device_probe+0xc3/0x230\n    [<ffffffff99805872>] really_probe+0xe2/0x480\n    [<ffffffff99805c98>] __driver_probe_device+0x78/0x160\n    [<ffffffff99805daf>] driver_probe_device+0x1f/0x90\n    [<ffffffff9980601e>] __driver_attach+0xce/0x1c0\n    [<ffffffff99803170>] bus_for_each_dev+0x70/0xc0\n    [<ffffffff99804822>] bus_add_driver+0x112/0x210\n    [<ffffffff99807245>] driver_register+0x55/0x100\n    [<ffffffff990012d1>] do_one_initcall+0x41/0x300\r\n\r\nFix this by freeing dmub_srv after destroying it.(CVE-2024-26833)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: xilinx - call finalize with bh disabled\r\n\r\nWhen calling crypto_finalize_request, BH should be disabled to avoid\ntriggering the following calltrace:\r\n\r\n    ------------[ cut here ]------------\n    WARNING: CPU: 2 PID: 74 at crypto/crypto_engine.c:58 crypto_finalize_request+0xa0/0x118\n    Modules linked in: cryptodev(O)\n    CPU: 2 PID: 74 Comm: firmware:zynqmp Tainted: G           O       6.8.0-rc1-yocto-standard #323\n    Hardware name: ZynqMP ZCU102 Rev1.0 (DT)\n    pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n    pc : crypto_finalize_request+0xa0/0x118\n    lr : crypto_finalize_request+0x104/0x118\n    sp : ffffffc085353ce0\n    x29: ffffffc085353ce0 x28: 0000000000000000 x27: ffffff8808ea8688\n    x26: ffffffc081715038 x25: 0000000000000000 x24: ffffff880100db00\n    x23: ffffff880100da80 x22: 0000000000000000 x21: 0000000000000000\n    x20: ffffff8805b14000 x19: ffffff880100da80 x18: 0000000000010450\n    x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n    x14: 0000000000000003 x13: 0000000000000000 x12: ffffff880100dad0\n    x11: 0000000000000000 x10: ffffffc0832dcd08 x9 : ffffffc0812416d8\n    x8 : 00000000000001f4 x7 : ffffffc0830d2830 x6 : 0000000000000001\n    x5 : ffffffc082091000 x4 : ffffffc082091658 x3 : 0000000000000000\n    x2 : ffffffc7f9653000 x1 : 0000000000000000 x0 : ffffff8802d20000\n    Call trace:\n     crypto_finalize_request+0xa0/0x118\n     crypto_finalize_aead_request+0x18/0x30\n     zynqmp_handle_aes_req+0xcc/0x388\n     crypto_pump_work+0x168/0x2d8\n     kthread_worker_fn+0xfc/0x3a0\n     kthread+0x118/0x138\n     ret_from_fork+0x10/0x20\n    irq event stamp: 40\n    hardirqs last  enabled at (39): [<ffffffc0812416f8>] _raw_spin_unlock_irqrestore+0x70/0xb0\n    hardirqs last disabled at (40): [<ffffffc08122d208>] el1_dbg+0x28/0x90\n    softirqs last  enabled at (36): [<ffffffc080017dec>] kernel_neon_begin+0x8c/0xf0\n    softirqs last disabled at (34): [<ffffffc080017dc0>] kernel_neon_begin+0x60/0xf0\n    ---[ end trace 0000000000000000 ]---(CVE-2024-26877)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nUSB: core: Fix deadlock in usb_deauthorize_interface()\r\n\r\nAmong the attribute file callback routines in\ndrivers/usb/core/sysfs.c, the interface_authorized_store() function is\nthe only one which acquires a device lock on an ancestor device: It\ncalls usb_deauthorize_interface(), which locks the interface's parent\nUSB device.\r\n\r\nThe will lead to deadlock if another process already owns that lock\nand tries to remove the interface, whether through a configuration\nchange or because the device has been disconnected.  As part of the\nremoval procedure, device_del() waits for all ongoing sysfs attribute\ncallbacks to complete.  But usb_deauthorize_interface() can't complete\nuntil the device lock has been released, and the lock won't be\nreleased until the removal has finished.\r\n\r\nThe mechanism provided by sysfs to prevent this kind of deadlock is\nto use the sysfs_break_active_protection() function, which tells sysfs\nnot to wait for the attribute callback.\r\n\r\nReported-and-tested by: Yue Sun <samsun1006219@gmail.com>\nReported by: xingwei lee <xrivendell7@gmail.com>(CVE-2024-26934)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()\r\n\r\nnft_unregister_expr() can concurrent with __nft_expr_type_get(),\nand there is not any protection when iterate over nf_tables_expressions\nlist in __nft_expr_type_get(). Therefore, there is potential data-race\nof nf_tables_expressions list entry.\r\n\r\nUse list_for_each_entry_rcu() to iterate over nf_tables_expressions\nlist in __nft_expr_type_get(), and use rcu_read_lock() in the caller\nnft_expr_type_get() to protect the entire type query process.(CVE-2024-27020)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfirewire: nosy: ensure user_length is taken into account when fetching packet contents\r\n\r\nEnsure that packet_buffer_get respects the user_length provided. If\nthe length of the head packet exceeds the user_length, packet_buffer_get\nwill now return 0 to signify to the user that no data were read\nand a larger buffer size is required. Helps prevent user space overflows.(CVE-2024-27401)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nefi/capsule-loader: fix incorrect allocation size\r\n\r\ngcc-14 notices that the allocation with sizeof(void) on 32-bit architectures\nis not enough for a 64-bit phys_addr_t:\r\n\r\ndrivers/firmware/efi/capsule-loader.c: In function 'efi_capsule_open':\ndrivers/firmware/efi/capsule-loader.c:295:24: error: allocation of insufficient size '4' for type 'phys_addr_t' {aka 'long long unsigned int'} with size '8' [-Werror=alloc-size]\n  295 |         cap_info->phys = kzalloc(sizeof(void *), GFP_KERNEL);\n      |                        ^\r\n\r\nUse the correct type instead here.(CVE-2024-27413)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: udc: remove warning when queue disabled ep\r\n\r\nIt is possible trigger below warning message from mass storage function,\r\n\r\nWARNING: CPU: 6 PID: 3839 at drivers/usb/gadget/udc/core.c:294 usb_ep_queue+0x7c/0x104\npc : usb_ep_queue+0x7c/0x104\nlr : fsg_main_thread+0x494/0x1b3c\r\n\r\nRoot cause is mass storage function try to queue request from main thread,\nbut other thread may already disable ep when function disable.\r\n\r\nAs there is no function failure in the driver, in order to avoid effort\nto fix warning, change WARN_ON_ONCE() in usb_ep_queue() to pr_debug().(CVE-2024-35822)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvt: fix unicode buffer corruption when deleting characters\r\n\r\nThis is the same issue that was fixed for the VGA text buffer in commit\n39cdb68c64d8 (\"vt: fix memory overlapping when deleting chars in the\nbuffer\"). The cure is also the same i.e. replace memcpy() with memmove()\ndue to the overlaping buffers.(CVE-2024-35823)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()\r\n\r\nsubflow_finish_connect() uses four fields (backup, join_id, thmac, none)\nthat may contain garbage unless OPTION_MPTCP_MPJ_SYNACK has been set\nin mptcp_parse_option()(CVE-2024-35840)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nx86/mm/pat: fix VM_PAT handling in COW mappings\r\n\r\nPAT handling won't do the right thing in COW mappings: the first PTE (or,\nin fact, all PTEs) can be replaced during write faults to point at anon\nfolios.  Reliably recovering the correct PFN and cachemode using\nfollow_phys() from PTEs will not work in COW mappings.\r\n\r\nUsing follow_phys(), we might just get the address+protection of the anon\nfolio (which is very wrong), or fail on swap/nonswap entries, failing\nfollow_phys() and triggering a WARN_ON_ONCE() in untrack_pfn() and\ntrack_pfn_copy(), not properly calling free_pfn_range().\r\n\r\nIn free_pfn_range(), we either wouldn't call memtype_free() or would call\nit with the wrong range, possibly leaking memory.\r\n\r\nTo fix that, let's update follow_phys() to refuse returning anon folios,\nand fallback to using the stored PFN inside vma->vm_pgoff for COW mappings\nif we run into that.\r\n\r\nWe will now properly handle untrack_pfn() with COW mappings, where we\ndon't need the cachemode.  We'll have to fail fork()->track_pfn_copy() if\nthe first page was replaced by an anon folio, though: we'd have to store\nthe cachemode in the VMA to make this work, likely growing the VMA size.\r\n\r\nFor now, lets keep it simple and let track_pfn_copy() just fail in that\ncase: it would have failed in the past with swap/nonswap entries already,\nand it would have done the wrong thing with anon folios.\r\n\r\nSimple reproducer to trigger the WARN_ON_ONCE() in untrack_pfn():\r\n\r\n<--- C reproducer --->\n #include <stdio.h>\n #include <sys/mman.h>\n #include <unistd.h>\n #include <liburing.h>\r\n\r\n int main(void)\n {\n         struct io_uring_params p = {};\n         int ring_fd;\n         size_t size;\n         char *map;\r\n\r\n         ring_fd = io_uring_setup(1, &p);\n         if (ring_fd < 0) {\n                 perror(\"io_uring_setup\");\n                 return 1;\n         }\n         size = p.sq_off.array + p.sq_entries * sizeof(unsigned);\r\n\r\n         /* Map the submission queue ring MAP_PRIVATE */\n         map = mmap(0, size, PROT_READ | PROT_WRITE, MAP_PRIVATE,\n                    ring_fd, IORING_OFF_SQ_RING);\n         if (map == MAP_FAILED) {\n                 perror(\"mmap\");\n                 return 1;\n         }\r\n\r\n         /* We have at least one page. Let's COW it. */\n         *map = 0;\n         pause();\n         return 0;\n }\n<--- C reproducer --->\r\n\r\nOn a system with 16 GiB RAM and swap configured:\n # ./iouring &\n # memhog 16G\n # killall iouring\n[  301.552930] ------------[ cut here ]------------\n[  301.553285] WARNING: CPU: 7 PID: 1402 at arch/x86/mm/pat/memtype.c:1060 untrack_pfn+0xf4/0x100\n[  301.553989] Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_g\n[  301.558232] CPU: 7 PID: 1402 Comm: iouring Not tainted 6.7.5-100.fc38.x86_64 #1\n[  301.558772] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebu4\n[  301.559569] RIP: 0010:untrack_pfn+0xf4/0x100\n[  301.559893] Code: 75 c4 eb cf 48 8b 43 10 8b a8 e8 00 00 00 3b 6b 28 74 b8 48 8b 7b 30 e8 ea 1a f7 000\n[  301.561189] RSP: 0018:ffffba2c0377fab8 EFLAGS: 00010282\n[  301.561590] RAX: 00000000ffffffea RBX: ffff9208c8ce9cc0 RCX: 000000010455e047\n[  301.562105] RDX: 07fffffff0eb1e0a RSI: 0000000000000000 RDI: ffff9208c391d200\n[  301.562628] RBP: 0000000000000000 R08: ffffba2c0377fab8 R09: 0000000000000000\n[  301.563145] R10: ffff9208d2292d50 R11: 0000000000000002 R12: 00007fea890e0000\n[  301.563669] R13: 0000000000000000 R14: ffffba2c0377fc08 R15: 0000000000000000\n[  301.564186] FS:  0000000000000000(0000) GS:ffff920c2fbc0000(0000) knlGS:0000000000000000\n[  301.564773] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  301.565197] CR2: 00007fea88ee8a20 CR3: 00000001033a8000 CR4: 0000000000750ef0\n[  301.565725] PKRU: 55555554\n[  301.565944] Call Trace:\n[  301.566148]  <TASK>\n[  301.566325]  ? untrack_pfn+0xf4/0x100\n[  301.566618]  ? __warn+0x81/0x130\n[  301.566876]  ? untrack_pfn+0xf4/0x100\n[  3\n---truncated---(CVE-2024-35877)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndma-direct: Leak pages on dma_set_decrypted() failure\r\n\r\nOn TDX it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\r\n\r\nDMA could free decrypted/shared pages if dma_set_decrypted() fails. This\nshould be a rare case. Just leak the pages in this case instead of\nfreeing them.(CVE-2024-35939)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/client: Fully protect modes[] with dev->mode_config.mutex\r\n\r\nThe modes[] array contains pointers to modes on the connectors'\nmode lists, which are protected by dev->mode_config.mutex.\nThus we need to extend modes[] the same protection or by the\ntime we use it the elements may already be pointing to\nfreed/reused memory.(CVE-2024-35950)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations\r\n\r\nCreate subvolume, create snapshot and delete subvolume all use\nbtrfs_subvolume_reserve_metadata() to reserve metadata for the changes\ndone to the parent subvolume's fs tree, which cannot be mediated in the\nnormal way via start_transaction. When quota groups (squota or qgroups)\nare enabled, this reserves qgroup metadata of type PREALLOC. Once the\noperation is associated to a transaction, we convert PREALLOC to\nPERTRANS, which gets cleared in bulk at the end of the transaction.\r\n\r\nHowever, the error paths of these three operations were not implementing\nthis lifecycle correctly. They unconditionally converted the PREALLOC to\nPERTRANS in a generic cleanup step regardless of errors or whether the\noperation was fully associated to a transaction or not. This resulted in\nerror paths occasionally converting this rsv to PERTRANS without calling\nrecord_root_in_trans successfully, which meant that unless that root got\nrecorded in the transaction by some other thread, the end of the\ntransaction would not free that root's PERTRANS, leaking it. Ultimately,\nthis resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount\nfor the leaked reservation.\r\n\r\nThe fix is to ensure that every qgroup PREALLOC reservation observes the\nfollowing properties:\r\n\r\n1. any failure before record_root_in_trans is called successfully\n   results in freeing the PREALLOC reservation.\n2. after record_root_in_trans, we convert to PERTRANS, and now the\n   transaction owns freeing the reservation.\r\n\r\nThis patch enforces those properties on the three operations. Without\nit, generic/269 with squotas enabled at mkfs time would fail in ~5-10\nruns on my system. With this patch, it ran successfully 1000 times in a\nrow.(CVE-2024-35956)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: ena: Fix incorrect descriptor free behavior\r\n\r\nENA has two types of TX queues:\n- queues which only process TX packets arriving from the network stack\n- queues which only process TX packets forwarded to it by XDP_REDIRECT\n  or XDP_TX instructions\r\n\r\nThe ena_free_tx_bufs() cycles through all descriptors in a TX queue\nand unmaps + frees every descriptor that hasn't been acknowledged yet\nby the device (uncompleted TX transactions).\nThe function assumes that the processed TX queue is necessarily from\nthe first category listed above and ends up using napi_consume_skb()\nfor descriptors belonging to an XDP specific queue.\r\n\r\nThis patch solves a bug in which, in case of a VF reset, the\ndescriptors aren't freed correctly, leading to crashes.(CVE-2024-35958)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5: Properly link new fs rules into the tree\r\n\r\nPreviously, add_rule_fg would only add newly created rules from the\nhandle into the tree when they had a refcount of 1. On the other hand,\ncreate_flow_handle tries hard to find and reference already existing\nidentical rules instead of creating new ones.\r\n\r\nThese two behaviors can result in a situation where create_flow_handle\n1) creates a new rule and references it, then\n2) in a subsequent step during the same handle creation references it\n   again,\nresulting in a rule with a refcount of 2 that is not linked into the\ntree, will have a NULL parent and root and will result in a crash when\nthe flow group is deleted because del_sw_hw_rule, invoked on rule\ndeletion, assumes node->parent is != NULL.\r\n\r\nThis happened in the wild, due to another bug related to incorrect\nhandling of duplicate pkt_reformat ids, which lead to the code in\ncreate_flow_handle incorrectly referencing a just-added rule in the same\nflow handle, resulting in the problem described above. Full details are\nat [1].\r\n\r\nThis patch changes add_rule_fg to add new rules without parents into\nthe tree, properly initializing them and avoiding the crash. This makes\nit more consistent with how rules are added to an FTE in\ncreate_flow_handle.(CVE-2024-35960)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: Fix memory leak in hci_req_sync_complete()\r\n\r\nIn 'hci_req_sync_complete()', always free the previous sync\nrequest state before assigning reference to a new one.(CVE-2024-35978)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni2c: smbus: fix NULL function pointer dereference\r\n\r\nBaruch reported an OOPS when using the designware controller as target\nonly. Target-only modes break the assumption of one transfer function\nalways being available. Fix this by always checking the pointer in\n__i2c_transfer.\r\n\r\n[wsa: dropped the simplification in core-smbus to avoid theoretical regressions](CVE-2024-35984)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nACPI: CPPC: Use access_width over bit_width for system memory accesses\r\n\r\nTo align with ACPI 6.3+, since bit_width can be any 8-bit value, it\ncannot be depended on to be always on a clean 8b boundary. This was\nuncovered on the Cobalt 100 platform.\r\n\r\nSError Interrupt on CPU26, code 0xbe000011 -- SError\n CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted 5.15.2.1-13 #1\n Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION\n pstate: 62400009 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)\n pc : cppc_get_perf_caps+0xec/0x410\n lr : cppc_get_perf_caps+0xe8/0x410\n sp : ffff8000155ab730\n x29: ffff8000155ab730 x28: ffff0080139d0038 x27: ffff0080139d0078\n x26: 0000000000000000 x25: ffff0080139d0058 x24: 00000000ffffffff\n x23: ffff0080139d0298 x22: ffff0080139d0278 x21: 0000000000000000\n x20: ffff00802b251910 x19: ffff0080139d0000 x18: ffffffffffffffff\n x17: 0000000000000000 x16: ffffdc7e111bad04 x15: ffff00802b251008\n x14: ffffffffffffffff x13: ffff013f1fd63300 x12: 0000000000000006\n x11: ffffdc7e128f4420 x10: 0000000000000000 x9 : ffffdc7e111badec\n x8 : ffff00802b251980 x7 : 0000000000000000 x6 : ffff0080139d0028\n x5 : 0000000000000000 x4 : ffff0080139d0018 x3 : 00000000ffffffff\n x2 : 0000000000000008 x1 : ffff8000155ab7a0 x0 : 0000000000000000\n Kernel panic - not syncing: Asynchronous SError Interrupt\n CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted\n5.15.2.1-13 #1\n Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION\n Call trace:\n  dump_backtrace+0x0/0x1e0\n  show_stack+0x24/0x30\n  dump_stack_lvl+0x8c/0xb8\n  dump_stack+0x18/0x34\n  panic+0x16c/0x384\n  add_taint+0x0/0xc0\n  arm64_serror_panic+0x7c/0x90\n  arm64_is_fatal_ras_serror+0x34/0xa4\n  do_serror+0x50/0x6c\n  el1h_64_error_handler+0x40/0x74\n  el1h_64_error+0x7c/0x80\n  cppc_get_perf_caps+0xec/0x410\n  cppc_cpufreq_cpu_init+0x74/0x400 [cppc_cpufreq]\n  cpufreq_online+0x2dc/0xa30\n  cpufreq_add_dev+0xc0/0xd4\n  subsys_interface_register+0x134/0x14c\n  cpufreq_register_driver+0x1b0/0x354\n  cppc_cpufreq_init+0x1a8/0x1000 [cppc_cpufreq]\n  do_one_initcall+0x50/0x250\n  do_init_module+0x60/0x27c\n  load_module+0x2300/0x2570\n  __do_sys_finit_module+0xa8/0x114\n  __arm64_sys_finit_module+0x2c/0x3c\n  invoke_syscall+0x78/0x100\n  el0_svc_common.constprop.0+0x180/0x1a0\n  do_el0_svc+0x84/0xa0\n  el0_svc+0x2c/0xc0\n  el0t_64_sync_handler+0xa4/0x12c\n  el0t_64_sync+0x1a4/0x1a8\r\n\r\nInstead, use access_width to determine the size and use the offset and\nwidth to shift and mask the bits to read/write out. Make sure to add a\ncheck for system memory since pcc redefines the access_width to\nsubspace id.\r\n\r\nIf access_width is not set, then fall back to using bit_width.\r\n\r\n[ rjw: Subject and changelog edits, comment adjustments ](CVE-2024-35995)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm/hugetlb: fix missing hugetlb_lock for resv uncharge\r\n\r\nThere is a recent report on UFFDIO_COPY over hugetlb:\r\n\r\nhttps://lore.kernel.org/all/000000000000ee06de0616177560@google.com/\r\n\r\n350:\tlockdep_assert_held(&hugetlb_lock);\r\n\r\nShould be an issue in hugetlb but triggered in an userfault context, where\nit goes into the unlikely path where two threads modifying the resv map\ntogether.  Mike has a fix in that path for resv uncharge but it looks like\nthe locking criteria was overlooked: hugetlb_cgroup_uncharge_folio_rsvd()\nwill update the cgroup pointer, so it requires to be called with the lock\nheld.(CVE-2024-36000)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nppdev: Add an error check in register_device\r\n\r\nIn register_device, the return value of ida_simple_get is unchecked,\nin witch ida_simple_get will use an invalid index value.\r\n\r\nTo address this issue, index should be checked after ida_simple_get. When\nthe index value is abnormal, a warning message should be printed, the port\nshould be dropped, and the value should be recorded.(CVE-2024-36015)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npinctrl: core: delete incorrect free in pinctrl_enable()\r\n\r\nThe \"pctldev\" struct is allocated in devm_pinctrl_register_and_init().\nIt's a devm_ managed pointer that is freed by devm_pinctrl_dev_release(),\nso freeing it in pinctrl_enable() will lead to a double free.\r\n\r\nThe devm_pinctrl_dev_release() function frees the pindescs and destroys\nthe mutex as well.(CVE-2024-36940)",
+    "cves": [
+      {
+        "id": "CVE-2023-52730",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52730",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2023-52735",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52735",
+        "severity": "Low"
+      },
+      {
+        "id": "CVE-2023-52795",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52795",
+        "severity": "Low"
+      },
+      {
+        "id": "CVE-2024-36940",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36940",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1906": {
+    "id": "openEuler-SA-2023-1906",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1906",
+    "title": "An update for netty is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Asynchronous event-driven network application Java framework.\r\n\r\nSecurity Fix(es):\r\n\r\nNetty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.(CVE-2022-41881)",
+    "cves": [
+      {
+        "id": "CVE-2022-41881",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1259": {
+    "id": "openEuler-SA-2021-1259",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1259",
+    "title": "An update for ruby is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nThe REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.(CVE-2021-28965)",
+    "cves": [
+      {
+        "id": "CVE-2021-28965",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28965",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1659": {
+    "id": "openEuler-SA-2022-1659",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1659",
+    "title": "An update for curl is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nThis security flaw in curl allows to reuse an OAUTH2 authenticated connection without properly ensuring that the connection is authenticated with the same credentials set by this transport, this issue can lead to authentication bypasses, either by mistake or by malicious actors.(CVE-2022-22576)\n\nWhen asked, curl does an HTTP(S) redirect. curl also supports authentication. When providing a user and password for a URL with a given hostname, curl makes an effort not to pass these credentials to other hosts in redirects unless permissions with special options are granted. This \"same host check\" has been flawed since its introduction. It does not work with cross-protocol redirection, nor does it treat different port numbers as separate hosts. This results in leaking credentials to other servers when curl redirects from authentication protected HTTP(S) URLs to other protocols and port numbers. It could also leak TLS SRP credentials in this way. By default, curl only allows redirects to HTTP(S) and FTP(S), but you can ask to allow redirects to all curl-supported protocols.(CVE-2022-27774)\n\nThis issue with curl occurs due to a logical bug where the configuration matching function does not take into account the IPv6 address zone id, which can cause curl to reuse the wrong connection when one transfer uses the zone id and subsequent transfers use another.(CVE-2022-27775)\n\nThis security flaw in curl allows leaking authentication or cookie header data over HTTP to redirect to the same host but a different port number, for applications passing custom Authorization: or Cookie: headers to the same set of headers Sending to servers on different port numbers is a problem, and these headers often contain privacy-sensitive information or data.(CVE-2022-27776)",
+    "cves": [
+      {
+        "id": "CVE-2022-27776",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27776",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1163": {
+    "id": "openEuler-SA-2023-1163",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1163",
+    "title": "An update for snakeyaml is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "SnakeYAML is a YAML parser and emitter for the Java Virtual Machine. YAML is a data serialization format designed for human readability and interaction with scripting languages.\r\n\r\nSecurity Fix(es):\r\n\r\nThe package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.(CVE-2022-25857)\r\n\r\nUsing snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.(CVE-2022-38749)\r\n\r\nUsing snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.(CVE-2022-38750)\r\n\r\nUsing snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.(CVE-2022-38751)\r\n\r\nUsing snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.(CVE-2022-38752)\r\n\r\nThose using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.(CVE-2022-41854)",
+    "cves": [
+      {
+        "id": "CVE-2022-41854",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41854",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2017": {
+    "id": "openEuler-SA-2022-2017",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2017",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.(CVE-2020-26140)\r\n\r\nAn issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.(CVE-2020-26143)",
+    "cves": [
+      {
+        "id": "CVE-2020-26143",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26143",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1028": {
+    "id": "openEuler-SA-2024-1028",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1028",
+    "title": "An update for mosquitto is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Mosquitto is an open source message broker that implements the MQ Telemetry Transport protocol version 3.1 and 3.1.1 MQTT provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for \"machine to machine\" messaging such as with low power sensors or mobile devices such as phones, embedded computers or micro-controllers like the Arduino.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.\n(CVE-2023-3592)",
+    "cves": [
+      {
+        "id": "CVE-2023-3592",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3592",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1368": {
+    "id": "openEuler-SA-2021-1368",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1368",
+    "title": "An update for linuxptp is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Linuxptp is an implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux. The dual design goals are to provide a robust implementation of the standard and to use the most relevant and modern Application Programming Interfaces (API) offered by the Linux kernel. Supporting legacy APIs and other platforms is not a goal.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2021-3570)",
+    "cves": [
+      {
+        "id": "CVE-2021-3570",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3570",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1514": {
+    "id": "openEuler-SA-2024-1514",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1514",
+    "title": "An update for firefox is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Mozilla Firefox is a standalone web browser, designed for standards compliance and performance.  Its functionality can be enhanced via a plethora of extensions.\r\n\r\nSecurity Fix(es):\r\n\r\nVP9 in libvpx before 1.13.1 mishandles widths, leading to a crash related to encoding.(CVE-2023-44488)",
+    "cves": [
+      {
+        "id": "CVE-2023-44488",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44488",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1466": {
+    "id": "openEuler-SA-2023-1466",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1466",
+    "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\n\r\n\r\nSecurity Fix(es):\r\n\r\nIssue summary: Checking excessively long DH keys or parameters may be very slow.\r\n\r\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\r\n\r\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\r\n\r\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\r\n\r\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\r\n\r\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\r\n\r\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\r\n\r\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.(CVE-2023-3446)",
+    "cves": [
+      {
+        "id": "CVE-2023-3446",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3446",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1459": {
+    "id": "openEuler-SA-2021-1459",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1459",
+    "title": "An update for bind is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Domain Name System (DNS) Server.\r\n\r\nSecurity Fix(es):\r\n\r\nIn BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 -> 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the BIND 9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it possible for its internal data structures to grow almost infinitely, which may cause significant delays in client query processing.(CVE-2021-25219)",
+    "cves": [
+      {
+        "id": "CVE-2021-25219",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25219",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1078": {
+    "id": "openEuler-SA-2021-1078",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1078",
+    "title": "An update for xorg-x11-server is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "X.Org X11 X server.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in xorg-x11-server before 1.20.10. A heap-buffer overflow in XkbSetDeviceInfo may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25712)\r\n\r\nA flaw was found in the way xserver memory was not properly initialized. This could leak parts of server memory to the X client. In cases where Xorg server runs with elevated privileges, this could result in possible ASLR bypass. Xorg-server before version 1.20.9 is vulnerable.(CVE-2020-14347)",
+    "cves": [
+      {
+        "id": "CVE-2020-14347",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14347",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1161": {
+    "id": "openEuler-SA-2023-1161",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1161",
+    "title": "An update for httpd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\r\n\r\nSecurity Fix(es):\r\n\r\nHTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client.(CVE-2023-27522)\r\n\r\nSome mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule \"^/here/(.*)\" \"http://example.com:8080/elsewhere?$1\"; [P] ProxyPassReverse /here/ http://example.com:8080/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.(CVE-2023-25690)",
+    "cves": [
+      {
+        "id": "CVE-2023-25690",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25690",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1575": {
+    "id": "openEuler-SA-2024-1575",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1575",
+    "title": "An update for firefox is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.\r\n\r\nSecurity Fix(es):\r\n\r\nCertain blit values provided by the user were not properly constrained leading to a heap buffer overflow on some video drivers. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6.(CVE-2020-26971)\r\n\r\nPorts that were written as an integer overflow above the bounds of a 16-bit integer could have bypassed port blocking restrictions when used in the Alt-Svc header. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.(CVE-2021-29946)",
+    "cves": [
+      {
+        "id": "CVE-2021-29946",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29946",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1650": {
+    "id": "openEuler-SA-2022-1650",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1650",
+    "title": "An update for xz is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "XZ Utils is free general-purpose data compression software with a high compression ratio. XZ Utils were written for POSIX-like systems, but also work on some not-so-POSIX systems. XZ Utils are the successor to LZMA Utils. The core of the XZ Utils compression code is based on LZMA SDK, but it has been modified quite a lot to be suitable for XZ Utils. The primary compression algorithm is currently LZMA2, which is used inside the .xz container format. With typical files, XZ Utils create 30% smaller output than gzip and 15% smaller output than bzip2.\r\n\r\nSecurity Fix(es):\r\n\r\nThe vulnerability exists due to insufficient validation when handling filenames with two or more newlines. A remote attacker can force zgrep or xzgrep to write arbitrary files on the system. The vulnerability allows a remote attacker to compromise an affected system.(CVE-2022-1271)",
+    "cves": [
+      {
+        "id": "CVE-2022-1271",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1271",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1006": {
+    "id": "openEuler-SA-2021-1006",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1006",
+    "title": "An update for memcached is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Memcached is a high-performance, distributed memory object caching system, generic in nature, but originally intended for use in speeding up dynamic web applications by alleviating database load. You can think of it as a short-term memory for your applications.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nmemcached 1.5.16, when UNIX sockets are used, has a stack-based buffer over-read in conn_to_str in memcached.c.(CVE-2019-15026)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2019-15026",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15026",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1572": {
+    "id": "openEuler-SA-2024-1572",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1572",
+    "title": "An update for sssd is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "SSSD provides a set of daemons to manage access to remote directories and authentication mechanisms such as LDAP, Kerberos or FreeIPA. It provides an NSS and PAM interface toward the system and a pluggable backend system to connect to multiple different account sources.\r\n\r\nSecurity Fix(es):\r\n\r\nA race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately.(CVE-2023-3758)",
+    "cves": [
+      {
+        "id": "CVE-2023-3758",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3758",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1412": {
+    "id": "openEuler-SA-2023-1412",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1412",
+    "title": "An update for guava is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Guava is a set of core Java libraries from Google that includes new collection types (such as multimap and multiset), immutable collections, a graph library, and utilities for concurrency, I/O, hashing, caching, primitives, strings, and more! It is widely used on most Java projects within Google, and widely used by many other companies as well.\n\nSecurity Fix(es):\n\nUse of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.\n\nEven though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.\n\n(CVE-2023-2976)",
+    "cves": [
+      {
+        "id": "CVE-2023-2976",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2976",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2103": {
+    "id": "openEuler-SA-2022-2103",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2103",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nVUL-0: CVE-2022-3628: kernel: USB-accessible buffer overflow in Linux kernel driver brcmfmac(CVE-2022-3628)",
+    "cves": [
+      {
+        "id": "CVE-2022-3628",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3628",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1595": {
+    "id": "openEuler-SA-2022-1595",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1595",
+    "title": "An update for bluez is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "This package provides all utilities for use in Bluetooth applications. The BLUETOOTH trademarks are owned by Bluetooth SIG, Inc., U.S.A.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap overflow vulnerability was found in bluez in versions prior to 5.63. An attacker with local network access could pass specially crafted files causing an application to halt or crash, leading to a denial of service.(CVE-2022-0204)",
+    "cves": [
+      {
+        "id": "CVE-2022-0204",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0204",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1114": {
+    "id": "openEuler-SA-2024-1114",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1114",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel before 6.5.9, there is a NULL pointer dereference in send_acknowledge in net/nfc/nci/spi.c.(CVE-2023-46343)\r\n\r\nIn the Linux kernel before 6.4.12, amdgpu_cs_wait_all_fences in drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c has a fence use-after-free.(CVE-2023-51042)\r\n\r\nA use-after-free flaw was found in the Linux Kernel due to a race problem in the unix garbage collector's deletion of SKB races with unix_stream_read_generic() on the socket that the SKB is queued on.(CVE-2023-6531)\r\n\r\nAn issue was discovered in ksmbd in the Linux kernel before 6.6.10. smb2_get_data_area_len in fs/smb/server/smb2misc.c can cause an smb_strndup_from_utf16 out-of-bounds access because the relationship between Name data and CreateContexts data is mishandled.(CVE-2024-22705)\r\n\r\nIn rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel through 6.7.1, there is an off-by-one error for an RDS_MSG_RX_DGRAM_TRACE_MAX comparison, resulting in out-of-bounds access.(CVE-2024-23849)",
+    "cves": [
+      {
+        "id": "CVE-2024-23849",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23849",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1465": {
+    "id": "openEuler-SA-2023-1465",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1465",
+    "title": "An update for firefox is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).(CVE-2021-45960)\r\n\r\nIn doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.(CVE-2021-46143)\r\n\r\nlookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.(CVE-2022-22825)\r\n\r\nnextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.(CVE-2022-22826)\r\n\r\nstoreAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.(CVE-2022-22827)",
+    "cves": [
+      {
+        "id": "CVE-2022-22827",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22827",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1636": {
+    "id": "openEuler-SA-2022-1636",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1636",
+    "title": "An update for nekohtml is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "NekoHTML is a simple HTML scanner and tag balancer that enables application programmers to parse HTML documents and access the information using standard XML interfaces.\n\r\nSecurity Fix(es):\norg.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. Note: The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.(CVE-2022-24839)",
+    "cves": [
+      {
+        "id": "CVE-2022-24839",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24839",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1033": {
+    "id": "openEuler-SA-2024-1033",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1033",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nopeneuler-linux-kernel-5.10.149-ext4_write_inline_data-kernel_bug-365020(CVE-2021-33631)\r\n\r\nAn issue was discovered in the Linux kernel through 6.3.8. A use-after-free was found in ravb_remove in drivers/net/ethernet/renesas/ravb_main.c.(CVE-2023-35827)\r\n\r\nAn out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.(CVE-2023-6606)\r\n\r\nAn out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.(CVE-2023-6610)\r\n\r\nA use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\r\n\r\nThe function nft_pipapo_walk did not skip inactive elements during set walk which could lead double deactivations of PIPAPO (Pile Packet Policies) elements, leading to use-after-free.\r\n\r\nWe recommend upgrading past commit 317eb9685095678f2c9f5a8189de698c5354316a.\r\n\r\n(CVE-2023-6817)\r\n\r\nA heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be exploited to achieve local privilege escalation.\r\n\r\nA perf_event's read_size can overflow, leading to an heap out-of-bounds increment or write in perf_read_group().\r\n\r\nWe recommend upgrading past commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b.\r\n\r\n(CVE-2023-6931)\r\n\r\nA use-after-free vulnerability in the Linux kernel's ipv4: igmp component can be exploited to achieve local privilege escalation.\r\n\r\nA race condition can be exploited to cause a timer be mistakenly registered on a RCU read locked object which is freed by another thread.\r\n\r\nWe recommend upgrading past commit e2b706c691905fe78468c361aaabc719d0a496f1.\r\n\r\n(CVE-2023-6932)",
+    "cves": [
+      {
+        "id": "CVE-2023-6932",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6932",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1352": {
+    "id": "openEuler-SA-2024-1352",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1352",
+    "title": "An update for util-linux is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Low",
+    "description": "The util-linux package contains a random collection of files that implements some low-level basic linux utilities.\r\n\r\nSecurity Fix(es):\r\n\r\nwall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.(CVE-2024-28085)",
+    "cves": [
+      {
+        "id": "CVE-2024-28085",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28085",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2016": {
+    "id": "openEuler-SA-2022-2016",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2016",
+    "title": "An update for hadoop is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Apache Hadoop is a framework that allows for the distributed processing of large data sets across clusters of computers using simple programming models. It is designed to scale up from single servers to thousands of machines, each offering local computation and storage.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.(CVE-2021-33036)",
+    "cves": [
+      {
+        "id": "CVE-2021-33036",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33036",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2093": {
+    "id": "openEuler-SA-2022-2093",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2093",
+    "title": "An update for rubygem-websocket-extensions is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Generic extension manager for WebSocket connections.\r\n\r\nSecurity Fix(es):\r\n\r\nwebsocket-extensions ruby module prior to 0.1.5 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.(CVE-2020-7663)",
+    "cves": [
+      {
+        "id": "CVE-2020-7663",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7663",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1804": {
+    "id": "openEuler-SA-2024-1804",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1804",
+    "title": "An update for ffmpeg is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Critical",
+    "description": "FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash.\r\n\r\nSecurity Fix(es):\r\n\r\nadts_decode_extradata in libavformat/adtsenc.c in FFmpeg 4.4 does not check the init_get_bits return value, which is a necessary step because the second argument to init_get_bits can be crafted.(CVE-2021-38171)\r\n\r\nAn issue was discovered in the FFmpeg package, where vp3_decode_frame in libavcodec/vp3.c lacks check of the return value of av_malloc() and will cause a null pointer dereference, impacting availability.(CVE-2022-3109)\r\n\r\nBuffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the set_encoder_id function in /fftools/ffmpeg_enc.c component.(CVE-2023-50010)\r\n\r\nBuffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via the libavutil/imgutils.c:353:9 in image_copy_plane.(CVE-2023-51793)\r\n\r\nBuffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via a floating point exception (FPE) error at libavfilter/vf_minterpolate.c:1078:60 in interpolate.(CVE-2023-51798)",
+    "cves": [
+      {
+        "id": "CVE-2023-51798",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51798",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1088": {
+    "id": "openEuler-SA-2021-1088",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1088",
+    "title": "An update for mysql is now available for openEuler-20.03-LTS",
+    "severity": "Medium",
+    "description": "The MySQL(TM) software delivers a very fast, multi-threaded, multi-user, and robust SQL (Structured Query Language) database server. MySQL Server is intended for mission-critical, heavy-load production systems as well as for embedding into mass-deployed software. MySQL is a trademark of Oracle and/or its affiliates  The MySQL software has Dual Licensing, which means you can use the MySQL software free of charge under the GNU General Public License (http://www.gnu.org/licenses/). You can also purchase commercial MySQL licenses from Oracle and/or its affiliates if you do not wish to be bound by the terms of the GPL. \r\n\r\nSecurity Fix(es):\r\n\nVulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.47 and prior, 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2752)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.017 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data.(CVE-2019-2991)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.(CVE-2019-2966)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.(CVE-2019-2963)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.(CVE-2019-2998)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.(CVE-2019-3004)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.(CVE-2019-2957)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.(CVE-2019-2968)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.17 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.(CVE-2019-3018)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Connection). Supported versions that are affected are 8.0.17 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.(CVE-2019-3009)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data.(CVE-2021-2019)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: C API). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.(CVE-2019-3011)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Roles). Supported versions that are affected are 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.(CVE-2021-2009)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.(CVE-2021-2030)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.(CVE-2021-2055)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.(CVE-2021-2028)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.(CVE-2021-2016)\n\nVulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 8.0.19 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client.(CVE-2021-2006)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.50 and prior, 5.7.30 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.(CVE-2021-2001)\n\nVulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Client accessible data.(CVE-2021-2007)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server.(CVE-2021-1998)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.(CVE-2021-2012)\n\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data.(CVE-2021-2042)",
+    "cves": [
+      {
+        "id": "CVE-2021-2042",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-2042",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1571": {
+    "id": "openEuler-SA-2024-1571",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1571",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: core: Fix scsi_mode_sense() buffer length handling\r\n\r\nSeveral problems exist with scsi_mode_sense() buffer length handling:\r\n\r\n 1) The allocation length field of the MODE SENSE(10) command is 16-bits,\n    occupying bytes 7 and 8 of the CDB. With this command, access to mode\n    pages larger than 255 bytes is thus possible. However, the CDB\n    allocation length field is set by assigning len to byte 8 only, thus\n    truncating buffer length larger than 255.\r\n\r\n 2) If scsi_mode_sense() is called with len smaller than 8 with\n    sdev->use_10_for_ms set, or smaller than 4 otherwise, the buffer length\n    is increased to 8 and 4 respectively, and the buffer is zero filled\n    with these increased values, thus corrupting the memory following the\n    buffer.\r\n\r\nFix these 2 problems by using put_unaligned_be16() to set the allocation\nlength field of MODE SENSE(10) CDB and by returning an error when len is\ntoo small.\r\n\r\nFurthermore, if len is larger than 255B, always try MODE SENSE(10) first,\neven if the device driver did not set sdev->use_10_for_ms. In case of\ninvalid opcode error for MODE SENSE(10), access to mode pages larger than\n255 bytes are not retried using MODE SENSE(6). To avoid buffer length\noverflows for the MODE_SENSE(10) case, check that len is smaller than 65535\nbytes.\r\n\r\nWhile at it, also fix the folowing:\r\n\r\n * Use get_unaligned_be16() to retrieve the mode data length and block\n   descriptor length fields of the mode sense reply header instead of using\n   an open coded calculation.\r\n\r\n * Fix the kdoc dbd argument explanation: the DBD bit stands for Disable\n   Block Descriptor, which is the opposite of what the dbd argument\n   description was.(CVE-2021-47182)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: usb-audio: fix null pointer dereference on pointer cs_desc\r\n\r\nThe pointer cs_desc return from snd_usb_find_clock_source could\nbe null, so there is a potential null pointer dereference issue.\nFix this by adding a null check before dereference.(CVE-2021-47211)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nl2tp: pass correct message length to ip6_append_data\r\n\r\nl2tp_ip6_sendmsg needs to avoid accounting for the transport header\ntwice when splicing more data into an already partially-occupied skbuff.\r\n\r\nTo manage this, we check whether the skbuff contains data using\nskb_queue_empty when deciding how much data to append using\nip6_append_data.\r\n\r\nHowever, the code which performed the calculation was incorrect:\r\n\r\n     ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;\r\n\r\n...due to C operator precedence, this ends up setting ulen to\ntranshdrlen for messages with a non-zero length, which results in\ncorrupted packets on the wire.\r\n\r\nAdd parentheses to correct the calculation in line with the original\nintent.(CVE-2024-26752)",
+    "cves": [
+      {
+        "id": "CVE-2024-26752",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26752",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1152": {
+    "id": "openEuler-SA-2021-1152",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1152",
+    "title": "An update for gnome-shell is now available for and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The GNOME Shell redefines user interactions with the GNOME desktop. In particular, it offers new paradigms for launching applications, accessing documents, and organizing open windows in GNOME. Later, it will introduce a new applets eco-system and offer new solutions for other desktop features, such as notifications and contacts management. The GNOME Shell is intended to replace functions handled by the GNOME Panel and by the window manager in previous versions of GNOME. The GNOME Shell has rich visual effects enabled by new graphical technologies.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible for a brief moment upon a logout. (If the password were never shown in cleartext, only the password length is revealed.)(CVE-2020-17489)",
+    "cves": [
+      {
+        "id": "CVE-2020-17489",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17489",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1872": {
+    "id": "openEuler-SA-2023-1872",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1872",
+    "title": "An update for gdb is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "GDB, the GNU Project debugger, allows you to see what is going on inside another program while it executes -- or what another program was doing at the moment it crashed.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a heap buffer overflow via the function pe_as16() at /gdb/coff-pe-read.c.(CVE-2023-39130)",
+    "cves": [
+      {
+        "id": "CVE-2023-39130",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39130",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1401": {
+    "id": "openEuler-SA-2024-1401",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1401",
+    "title": "An update for nodejs-qs is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "This is a query string parser for node and the browser supporting nesting, as it was removed from 0.3.x, so this library provides the previous and commonly desired behavior (and twice as fast). Used by express, connect and others.\r\n\r\nSecurity Fix(es):\r\n\r\nqs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).(CVE-2022-24999)",
+    "cves": [
+      {
+        "id": "CVE-2022-24999",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1822": {
+    "id": "openEuler-SA-2023-1822",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1822",
+    "title": "An update for skopeo is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "A command line utility that performs various operations on container images and image repositories\r\n\r\nSecurity Fix(es):\r\n\r\nHTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.(CVE-2023-24534)",
+    "cves": [
+      {
+        "id": "CVE-2023-24534",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24534",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1825": {
+    "id": "openEuler-SA-2024-1825",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1825",
+    "title": "An update for krb5 is now available for openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP1",
+    "severity": "Low",
+    "description": "Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.\r\n\r\nSecurity Fix(es):\r\n\r\nIn MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.(CVE-2024-37370)\r\n\r\nIn MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.(CVE-2024-37371)",
+    "cves": [
+      {
+        "id": "CVE-2024-37371",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37371",
+        "severity": "None"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1704": {
+    "id": "openEuler-SA-2023-1704",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1704",
+    "title": "An update for cups is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "CUPS is the standards-based, open source printing system developed by Apple Inc. for UNIX®-like operating systems. CUPS uses the Internet Printing Protocol (IPP) to support printing to local and network printers..\r\n\r\nSecurity Fix(es):\r\n\r\nDue to failure in validating the length provided by an attacker-crafted PPD PostScript document, CUPS and libppd are susceptible to a heap-based buffer overflow and possibly code execution. This issue has been fixed in CUPS version 2.4.7, released in September of 2023.\n(CVE-2023-4504)",
+    "cves": [
+      {
+        "id": "CVE-2023-4504",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4504",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1037": {
+    "id": "openEuler-SA-2024-1037",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1037",
+    "title": "An update for jersey is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Jersey is the open source JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services. %if\r\n\r\nSecurity Fix(es):\r\n\r\nEclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.(CVE-2021-28168)",
+    "cves": [
+      {
+        "id": "CVE-2021-28168",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28168",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1516": {
+    "id": "openEuler-SA-2022-1516",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1516",
+    "title": "An update for freetds is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "FreeTDS is an open source implementation of the TDS (Tabular Data Stream) protocol used by these databases for their own clients. It supports many different flavors of the protocol and three APIs to access it. FreeTDS includes call level interfaces for DB-Lib, CT-Lib, and ODBC.\r\n\r\nSecurity Fix(es):\r\n\r\nFreeTDS through 1.1.11 has a Buffer Overflow.(CVE-2019-13508)",
+    "cves": [
+      {
+        "id": "CVE-2019-13508",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13508",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1260": {
+    "id": "openEuler-SA-2024-1260",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1260",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was reported in the Open vSwitch sub-component in the Linux Kernel. The flaw occurs when a recursive operation of code push recursively calls into the code block. The OVS module does not validate the stack depth, pushing too many frames and causing a stack overflow. As a result, this can lead to a crash or other related issues.(CVE-2024-1151)",
+    "cves": [
+      {
+        "id": "CVE-2024-1151",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1151",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1316": {
+    "id": "openEuler-SA-2021-1316",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1316",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host.(CVE-2021-3682)",
+    "cves": [
+      {
+        "id": "CVE-2021-3682",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3682",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1215": {
+    "id": "openEuler-SA-2023-1215",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1215",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA race problem was found in fs/proc/task_mmu.c in the memory management sub-component in the Linux kernel. This issue may allow a local attacker with user privilege to cause a denial of service.(CVE-2023-1582)\r\n\r\nA use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel.This flaw allows an attacker to crash the system and possibly cause a kernel information lea(CVE-2023-1611)\r\n\r\nA flaw was found in the Linux kernel's implementation of RDMA over infiniband. An attacker with a privileged local account can leak kernel stack information when issuing commands to the /dev/infiniband/rdma_cm device node. While this access is unlikely to leak sensitive user information, it can be further used to defeat existing kernel protection mechanisms.(CVE-2021-3923)\r\n\r\nA flaw that boot CPU could be vulnerable for the speculative execution behavior kind of attacks in the Linux kernel X86 CPU Power management options functionality was found in the way user resuming CPU from suspend-to-RAM. A local user could use this flaw to potentially get unauthorized access to some memory of the CPU similar to the speculative execution behavior kind of attacks.(CVE-2023-1637)\r\n\r\nA flaw use after free in the Linux kernel Xircom 16-bit PCMCIA (PC-card) Ethernet driver was found.A local user could use this flaw to crash the system or potentially escalate their privileges on the system.(CVE-2023-1670)\r\n\r\nA use-after-free flaw was found in vhost_net_set_backend in drivers/vhost/net.c in virtio network subcomponent in the Linux kernel due to a double fget. This flaw could allow a local attacker to crash the system, and could even lead to a kernel information leak problem.(CVE-2023-1838)\r\n\r\nA use-after-free flaw was found in xgene_hwmon_remove in drivers/hwmon/xgene-hwmon.c in the Hardware Monitoring Linux Kernel Driver (xgene-hwmon). This flaw could allow a local attacker to crash the system due to a race problem. This vulnerability could even lead to a kernel information leak problem.(CVE-2023-1855)\r\n\r\nA use-after-free flaw was found in xen_9pfs_front_removet in net/9p/trans_xen.c in Xen transport for 9pfs in the Linux Kernel. This flaw could allow a local attacker to crash the system due to a race problem, possibly leading to a kernel information leak.(CVE-2023-1859)",
+    "cves": [
+      {
+        "id": "CVE-2023-1859",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1859",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1966": {
+    "id": "openEuler-SA-2023-1966",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1966",
+    "title": "An update for jettison is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Jettison is a collection of Java APIs (like STaX and DOM) which read and write JSON. This allows nearly transparent enablement of JSON based web services in services frameworks like CXF or XML serialization frameworks like XStream.\r\n\r\nSecurity Fix(es):\r\n\r\nAn infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.\r\n\r\n(CVE-2023-1436)",
+    "cves": [
+      {
+        "id": "CVE-2023-1436",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1436",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1538": {
+    "id": "openEuler-SA-2024-1538",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1538",
+    "title": "An update for qt5-qtbase is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Low",
+    "description": "This package provides base tools, such as string, xml, and network handling.\r\n\r\nSecurity Fix(es):\r\n\r\nQt 6 through 6.6 was discovered to contain a NULL pointer dereference via the function QXcbConnection::initializeAllAtoms(). NOTE: this is disputed because it is not expected that an X application should continue to run when there is arbitrary anomalous behavior from the X server.(CVE-2023-45935)\r\n\r\nAn issue was discovered in gui/util/qktxhandler.cpp in Qt before 5.15.17, 6.x before 6.2.12, 6.3.x through 6.5.x before 6.5.5, and 6.6.x before 6.6.2. A buffer overflow and application crash can occur via a crafted KTX image file.(CVE-2024-25580)",
+    "cves": [
+      {
+        "id": "CVE-2023-45935",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45935",
+        "severity": "Low"
+      },
+      {
+        "id": "CVE-2024-25580",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25580",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1429": {
+    "id": "openEuler-SA-2024-1429",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1429",
+    "title": "An update for wireshark is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Wireshark is an open source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer.\r\n\r\nSecurity Fix(es):\r\n\r\nDue to failure in validating the length provided by an attacker-crafted RTPS packet, Wireshark version 4.0.5 and prior, by default, is susceptible to a heap-based buffer overflow, and possibly code execution in the context of the process running Wireshark.(CVE-2023-0666)",
+    "cves": [
+      {
+        "id": "CVE-2023-0666",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0666",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2140": {
+    "id": "openEuler-SA-2022-2140",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2140",
+    "title": "An update for jetty is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "%global desc \\ Jetty is a 100% Java HTTP Server and Servlet Container. This means that you\\ do not need to configure and run a separate web server (like Apache) in order\\ to use Java, servlets and JSPs to generate dynamic content. Jetty is a fully\\ featured web server for static and dynamic content. Unlike separate\\ server/container solutions, this means that your web server and web\\ application run in the same process, without interconnection overheads\\ and complications. Furthermore, as a pure java component, Jetty can be simply\\ included in your application for demonstration, distribution or deployment.\\ Jetty is available on all Java supported platforms. \\ %global extdesc \\\\ \\ This package contains\r\n\r\nSecurity Fix(es):\r\n\r\nIn Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.(CVE-2019-10241)",
+    "cves": [
+      {
+        "id": "CVE-2019-10241",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10241",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1491": {
+    "id": "openEuler-SA-2023-1491",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1491",
+    "title": "An update for scipy is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "SciPy (pronounced \"Sigh Pie\") is open-source software for mathematics, science, and engineering. It includes modules for statistics, optimization, integration, linear algebra, Fourier transforms, signal and image processing, ODE solvers, and more.\r\n\r\nSecurity Fix(es):\r\n\r\nA refcounting issue which leads to potential memory leak was discovered in scipy commit 8627df31ab in Py_FindObjects() function.(CVE-2023-25399)",
+    "cves": [
+      {
+        "id": "CVE-2023-25399",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25399",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1997": {
+    "id": "openEuler-SA-2023-1997",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1997",
+    "title": "An update for mybatis is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "The MyBatis data mapper framework makes it easier to use a relational database with object-oriented applications. MyBatis couples objects with stored procedures or SQL statements using a XML descriptor or annotations. Simplicity is the biggest advantage of the MyBatis data mapper over object relational mapping tools. To use the MyBatis data mapper, you rely on your own objects, XML, and SQL. There is little to learn that you don't already know. With the MyBatis data mapper, you have the full power of both SQL and stored procedures at your fingertips. The MyBatis project is developed and maintained by a team that includes the original creators of the \"iBATIS\" data mapper. The Apache project was retired and continued here.\r\n\r\nSecurity Fix(es):\r\n\r\nA SQL injection vulnerability in Mybatis plus below 3.5.3.1 allows remote attackers to execute arbitrary SQL commands via the tenant ID valuer.(CVE-2023-25330)",
+    "cves": [
+      {
+        "id": "CVE-2023-25330",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25330",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2104": {
+    "id": "openEuler-SA-2022-2104",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2104",
+    "title": "An update for libpq is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "PostgreSQL is a powerful, open source object-relational database system that uses and extends the SQL language combined with many features that safely store and scale the most complicated data workloads. This package provides the essential shared library for any PostgreSQL client program or interface.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in PostgreSQL. There is an issue with incomplete efforts to operate safely when a privileged user is maintaining another user's objects. The Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck commands activated relevant protections too late or not at all during the process. This flaw allows an attacker with permission to create non-temporary objects in at least one schema to execute arbitrary SQL functions under a superuser identity.(CVE-2022-1552)",
+    "cves": [
+      {
+        "id": "CVE-2022-1552",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1552",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2019": {
+    "id": "openEuler-SA-2022-2019",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2019",
+    "title": "An update for firefox is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Mozilla Firefox is a standalone web browser, designed for standards compliance and performance.  Its functionality can be enhanced via a plethora of extensions.\r\n\r\nSecurity Fix(es):\r\n\r\nlibexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.(CVE-2022-40674)",
+    "cves": [
+      {
+        "id": "CVE-2022-40674",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40674",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1732": {
+    "id": "openEuler-SA-2024-1732",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1732",
+    "title": "An update for microcode_ctl is now available for openEuler-24.03-LTS",
+    "severity": "High",
+    "description": "This is a tool to transform and deploy microcode update for x86 CPUs.\r\n\r\nSecurity Fix(es):\r\n\r\nProtection mechanism failure in some 3rd and 4th Generation Intel(R) Xeon(R) Processors when using Intel(R) SGX or Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local access.(CVE-2023-22655)\r\n\r\nInformation exposure through microarchitectural state after transient execution from some register files for some Intel(R) Atom(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.(CVE-2023-28746)\r\n\r\nNon-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.(CVE-2023-38575)\r\n\r\nProtection mechanism failure of bus lock regulator for some Intel(R) Processors may allow an unauthenticated user to potentially enable denial of service via network access.(CVE-2023-39368)\r\n\r\nIncorrect calculation in microcode keying mechanism for some Intel(R) Xeon(R) D Processors with Intel(R) SGX may allow a privileged user to potentially enable information disclosure via local access.(CVE-2023-43490)\r\n\r\nHardware logic contains race conditions in some Intel(R) Processors may allow an authenticated user to potentially enable partial information disclosure via local access.(CVE-2023-45733)\r\n\r\nImproper input validation in some Intel(R) TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable escalation of privilege via local access.(CVE-2023-45745)\r\n\r\nSequence of processor instructions leads to unexpected behavior in Intel(R) Core(TM) Ultra Processors may allow an authenticated user to potentially enable denial of service via local access.(CVE-2023-46103)\r\n\r\nImproper input validation in some Intel(R) TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable escalation of privilege via local access.(CVE-2023-47855)",
+    "cves": [
+      {
+        "id": "CVE-2023-47855",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47855",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1752": {
+    "id": "openEuler-SA-2024-1752",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1752",
+    "title": "An update for edk2 is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3 and openEuler-24.03-LTS",
+    "severity": "Medium",
+    "description": "EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications.\r\n\r\nSecurity Fix(es):\r\n\r\nEDK2 contains a vulnerability when S3 sleep is activated where an Attacker may cause a Division-By-Zero due to a UNIT32 overflow via local access. A successful exploit of this vulnerability may lead to a loss of Availability.(CVE-2024-1298)",
+    "cves": [
+      {
+        "id": "CVE-2024-1298",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1298",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1105": {
+    "id": "openEuler-SA-2021-1105",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1105",
+    "title": "An update for git is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency. Git is easy to learn and has a tiny footprint with lightning fast performance. It outclasses SCM tools like Subversion, CVS, Perforce, and ClearCase with features like cheap local branching, convenient staging areas, and multiple workflows.\r\n\r\nSecurity Fix(es):\r\n\r\nGit is an open-source distributed revision control system. In affected versions of Git a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked out script to be executed while cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the default file systems on Windows and macOS). Note that clean/smudge filters have to be configured for that. Git for Windows configures Git LFS by default, and is therefore vulnerable. The problem has been patched in the versions published on Tuesday, March 9th, 2021. As a workaound, if symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks False`), the described attack won't work. Likewise, if no clean/smudge filters such as Git LFS are configured globally (i.e. _before_ cloning), the attack is foiled. As always, it is best to avoid cloning repositories from untrusted sources. The earliest impacted version is 2.14.2. The fix versions are: 2.30.1, 2.29.3, 2.28.1, 2.27.1, 2.26.3, 2.25.5, 2.24.4, 2.23.4, 2.22.5, 2.21.4, 2.20.5, 2.19.6, 2.18.5, 2.17.62.17.6.(CVE-2021-21300)",
+    "cves": [
+      {
+        "id": "CVE-2021-21300",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21300",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1653": {
+    "id": "openEuler-SA-2022-1653",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1653",
+    "title": "An update for python3 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces. This package Provides python version 3.\r\n\r\nSecurity Fix(es):\r\n\nIn Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).(CVE-2015-20107)",
+    "cves": [
+      {
+        "id": "CVE-2015-20107",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-20107",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1813": {
+    "id": "openEuler-SA-2024-1813",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1813",
+    "title": "An update for poppler is now available for openEuler-22.03-LTS-SP4",
+    "severity": "High",
+    "description": "Poppler is a free software utility library for rendering Portable Document Format (PDF) documents. \\ Its development is supported by freedesktop.org. It is commonly used on Linux systems,and is used by \\ the PDF viewers of the open source GNOME and KDE desktop environments.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Poppler's Pdfinfo utility. This issue occurs when using -dests parameter with pdfinfo utility. By using certain malformed input files, an attacker could cause the utility to crash, leading to a denial of service.(CVE-2024-6239)",
+    "cves": [
+      {
+        "id": "CVE-2024-6239",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6239",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1524": {
+    "id": "openEuler-SA-2023-1524",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1524",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed. QEMU has two operating modes: Full system emulation. In this mode, QEMU emulates a full system (for example a PC), including one or several processors and various peripherals. It can be used to launch different Operating Systems without rebooting the PC or to debug system code. User mode emulation. In this mode, QEMU can launch processes compiled for one CPU on another CPU. It can be used to launch the Wine Windows API emulator (https://www.winehq.org) or to ease cross-compilation and cross-debugging. You can refer to https://www.qemu.org for more infortmation.\n\nSecurity Fix(es):\n\nA flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in virtio_crypto_handle_sym_req. There is no check for the value of `src_len` and `dst_len` in virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow when the two values differ.(CVE-2023-3180)\n\nThe async nature of the hot-unplug enables an easy to reproduce race scenario where the net device backend is cleared before the virtio-net pci frontend has been unplugged (or the ACPI unplug has been acked by the guest?). The guest can use this time window to, at least, trigger an assertion.(CVE-2023-3301)",
+    "cves": [
+      {
+        "id": "CVE-2023-3301",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3301",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1005": {
+    "id": "openEuler-SA-2023-1005",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1005",
+    "title": "An update for curl is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in curl. In this issue, curl can be asked to tunnel all protocols virtually it supports through an HTTP proxy. HTTP proxies can deny these tunnel operations using an appropriate HTTP error response code. When getting denied to tunnel the specific SMB or TELNET protocols, curl can use a heap-allocated struct after it has been freed and shut down the code path in its transfer.(CVE-2022-43552)",
+    "cves": [
+      {
+        "id": "CVE-2022-43552",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43552",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1339": {
+    "id": "openEuler-SA-2024-1339",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1339",
+    "title": "An update for LibRaw is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "LibRaw is a library for reading RAW files from digital photo cameras (CRW/CR2, NEF, RAF, etc, virtually all RAW formats are supported).It pays special attention to correct retrieval of data required for subsequent RAW conversion.The library is intended for embedding in RAW converters, data analyzers, and other programs using RAW files as the initial data.\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Overflow vulnerability in LibRaw linux/unix v0.20.0 allows attacker to escalate privileges via the LibRaw_buffer_datastream::gets(char*, int) in /src/libraw/src/libraw_datastream.cpp.(CVE-2021-32142)",
+    "cves": [
+      {
+        "id": "CVE-2021-32142",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32142",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1816": {
+    "id": "openEuler-SA-2022-1816",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1816",
+    "title": "An update for samba is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\r\n\r\nSecurity Fix(es): \r\n\nA flaw was found in the Samba AD LDAP server. The AD DC database audit logging module can access LDAP message values freed by a preceding database module, resulting in a use-after-free issue. This issue is only possible when modifying certain privileged attributes, such as userAccountControl.(CVE-2022-32746)\n\nA flaw was found in Samba. Some SMB1 write requests were not correctly range-checked to ensure the client had sent enough data to fulfill the write, allowing server memory contents to be written into the file (or printer) instead of client-supplied data. The client cannot control the area of the server memory written to the file (or printer).(CVE-2022-32742)\n\nA flaw was found in Samba. The KDC accepts kpasswd requests encrypted with any key known to it. By encrypting forged kpasswd requests with its own key, a user can change other users passwords, enabling full domain takeover.(CVE-2022-32744)\n\nAs per samba upstream advisory:All versions of Samba prior to 4.16.x built with Heimdal Kerberos are vulnerable to an Elevation of Privilege attack. If the password of a user expires and need to be changed, a user could get a krbtgt using kpasswd with canonicalization turned on. The KDC should only provide a ticket for kadmin/changepw but returns a krbtgt. So a user could skip the password change and just use the krbtgt to get service tickets and use services in the forest.(CVE-2022-2031)",
+    "cves": [
+      {
+        "id": "CVE-2022-2031",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2031",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1107": {
+    "id": "openEuler-SA-2024-1107",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1107",
+    "title": "An update for tomcat is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project\r\n\r\nSecurity Fix(es):\r\n\r\nGeneration of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43.\r\n\r\nUsers are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.\r\n\r\n(CVE-2024-21733)",
+    "cves": [
+      {
+        "id": "CVE-2024-21733",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21733",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1427": {
+    "id": "openEuler-SA-2021-1427",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1427",
+    "title": "An update for virglrenderer is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "The virgil3d rendering library is a library used by qemu to implement 3D GPU support for the virtio GPU.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds read in the vrend_blit_need_swizzle function in vrend_renderer.c in virglrenderer through 0.8.0 allows guest OS users to cause a denial of service via VIRGL_CCMD_BLIT commands.(CVE-2019-18390)\r\n\r\nA NULL pointer dereference in vrend_renderer.c in virglrenderer through 0.8.0 allows guest OS users to cause a denial of service via malformed commands.(CVE-2019-18388)\r\n\r\nA heap-based buffer overflow in the vrend_renderer_transfer_write_iov function in vrend_renderer.c in virglrenderer through 0.8.0 allows guest OS users to cause a denial of service via VIRGL_CCMD_RESOURCE_INLINE_WRITE commands.(CVE-2019-18391)\r\n\r\nA heap-based buffer overflow in the vrend_renderer_transfer_write_iov function in vrend_renderer.c in virglrenderer through 0.8.0 allows guest OS users to cause a denial of service, or QEMU guest-to-host escape and code execution, via VIRGL_CCMD_RESOURCE_INLINE_WRITE commands.(CVE-2019-18389)",
+    "cves": [
+      {
+        "id": "CVE-2019-18389",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18389",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1557": {
+    "id": "openEuler-SA-2022-1557",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1557",
+    "title": "An update for cyrus-sasl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "The  package contains the Cyrus implementation of SASL. SASL is the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.(CVE-2022-24407)",
+    "cves": [
+      {
+        "id": "CVE-2022-24407",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24407",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1083": {
+    "id": "openEuler-SA-2023-1083",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1083",
+    "title": "An update for harfbuzz is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "HarfBuzz is a text-shaping engine. If you give HarfBuzz a font and a string containing a sequence of Unicode codepoints, HarfBuzz selects and positions the corresponding glyphs from the font, applying all of the necessary layout rules and font features. HarfBuzz then returns the string to you in the form that is correctly arranged for the language and writing system.\r\n\r\nSecurity Fix(es):\r\n\r\nhb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.(CVE-2023-25193)",
+    "cves": [
+      {
+        "id": "CVE-2023-25193",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25193",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1789": {
+    "id": "openEuler-SA-2022-1789",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1789",
+    "title": "An update for protobuf-c is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "This is protobuf-c, a C implementation of the Google Protocol Buffers data serialization format.\r\n\r\nSecurity Fix(es):\r\n\r\nProtobuf-c v1.4.0 was discovered to contain an invalid arithmetic shift via the function parse_tag_and_wiretype in protobuf-c/protobuf-c.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors.(CVE-2022-33070)",
+    "cves": [
+      {
+        "id": "CVE-2022-33070",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33070",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1410": {
+    "id": "openEuler-SA-2024-1410",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1410",
+    "title": "An update for stb is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Single-file public domain libraries for C/C++.\r\n\r\nSecurity Fix(es):\r\n\r\nstb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds write in `f->vendor[len] = (char)'\\0';`. The root cause is that if the len read in `start_decoder` is `-1` and `len + 1` becomes 0 when passed to `setup_malloc`. The `setup_malloc` behaves differently when `f->alloc.alloc_buffer` is pre-allocated. Instead of returning `NULL` as in `malloc` case it shifts the pre-allocated buffer by zero and returns the currently available memory block. This issue may lead to code execution.(CVE-2023-45675)",
+    "cves": [
+      {
+        "id": "CVE-2023-45675",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45675",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1375": {
+    "id": "openEuler-SA-2024-1375",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1375",
+    "title": "An update for mod_security is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "This software is also called Modsec,it is an open-source web application firewall. It is designed for Apache HTTP Server.ModSecurity is commonly deployed to provide protections against generic classed of vulnerabilities.The install of this package is easy and you can read the README.TXT for more information.\r\n\r\nSecurity Fix(es):\r\n\r\nIn ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase.(CVE-2022-48279)",
+    "cves": [
+      {
+        "id": "CVE-2022-48279",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48279",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1620": {
+    "id": "openEuler-SA-2023-1620",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1620",
+    "title": "An update for php is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server.\r\n\r\nSecurity Fix(es):\r\n\r\nIn PHP versions prior to 7.4.33, 8.0.25 and 8.2.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or disclosure of confidential information.(CVE-2022-31630)\r\n\r\nA flaw was found in PHP. This issue occurs due to an uncaught integer overflow in PDO::quote() of PDO_SQLite returning an improperly quoted string. With the implementation of sqlite3_snprintf(), it is possible to force the function to return a single apostrophe if the function is called on user-supplied input without any length restrictions in place.(CVE-2022-31631)\r\n\r\nIn PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.(CVE-2023-0567)\r\n\r\nIn PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification. (CVE-2023-0568)\r\n\r\nIn PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space. (CVE-2023-0662)\r\n\r\nIn PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, 8.2.* before 8.2.7 when using SOAP HTTP Digest Authentication, random value generator was not checked for failure, and was using narrower range of values than it should have. In case of random generator failure, it could lead to a disclosure of 31 bits of uninitialized memory from the client to the server, and it also made easier to a malicious server to guess the client's nonce. \r\n\r\n(CVE-2023-3247)\r\n\r\nIn PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down. \r\n\r\n(CVE-2023-3823)\r\n\r\nIn PHP version 8.0.* before 8.0.30,  8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE. \r\n\r\n(CVE-2023-3824)",
+    "cves": [
+      {
+        "id": "CVE-2023-3824",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3824",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1948": {
+    "id": "openEuler-SA-2023-1948",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1948",
+    "title": "An update for bluez is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "This package provides all utilities for use in Bluetooth applications. The BLUETOOTH trademarks are owned by Bluetooth SIG, Inc., U.S.A.\r\n\r\nSecurity Fix(es):\r\n\r\nBluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue.(CVE-2023-45866)",
+    "cves": [
+      {
+        "id": "CVE-2023-45866",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45866",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1688": {
+    "id": "openEuler-SA-2024-1688",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1688",
+    "title": "An update for runc is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "runc is a CLI tool for spawning and running containers according to the OCI specification.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system.(CVE-2024-3154)",
+    "cves": [
+      {
+        "id": "CVE-2024-3154",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3154",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1471": {
+    "id": "openEuler-SA-2023-1471",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1471",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn multiple functions of binder.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.\r\n\r\n(CVE-2023-21255)\r\n\r\n(CVE-2023-2163)\r\n\r\nA flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_TREE_CONNECT and SMB2_QUERY_INFO commands. The issue results from the lack of proper validation of a pointer prior to accessing it. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.(CVE-2023-32248)\r\n\r\nVUL-0: CVE-2023-32255: kernel: Linux Kernel ksmbd Session Setup Memory Leak Denial-of-Service Vulnerability(CVE-2023-32255)\r\n\r\nA use-after-free flaw was found in vcs_read in drivers/tty/vt/vc_screen.c in vc_screen in the Linux Kernel. This flaw allows an attacker with local user access to cause a system crash or leak internal kernel information.(CVE-2023-3567)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.\r\n\r\nIf tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.\r\n\r\nWe recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.\r\n\r\n(CVE-2023-3609)\r\n\r\nA use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\r\n\r\nFlaw in the error handling of bound chains causes a use-after-free in the abort path of NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered.\r\n\r\nWe recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.\r\n\r\n(CVE-2023-3610)\r\n\r\nAn out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.\r\n\r\nThe qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks.\r\n\r\nWe recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.\r\n\r\n(CVE-2023-3611)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.\r\n\r\nIf tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.\r\n\r\nWe recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.\r\n\r\n(CVE-2023-3776)\r\n\r\nAn out-of-bounds memory access flaw was found in the Linux kernel’s TUN/TAP device driver functionality in how a user generates a malicious (too big) networking packet when napi frags is enabled. This flaw allows a local user to crash or potentially escalate their privileges on the system.(CVE-2023-3812)\r\n\r\nAn issue was discovered in the Linux kernel before 6.3.4. ksmbd has an out-of-bounds read in smb2_find_context_vals when create_context's name_len is larger than the tag length.(CVE-2023-38426)\r\n\r\nAn issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/smb2pdu.c in ksmbd does not properly check the UserName value because it does not consider the address of security buffer, leading to an out-of-bounds read.(CVE-2023-38428)",
+    "cves": [
+      {
+        "id": "CVE-2023-38428",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38428",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1939": {
+    "id": "openEuler-SA-2023-1939",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1939",
+    "title": "An update for fish is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "fish is a fully-equipped command line shell (like bash or zsh) that is smart and user-friendly. fish supports powerful features like syntax highlighting, autosuggestions, and tab completions that just work, with nothing to learn or configure.\r\n\r\nSecurity Fix(es):\r\n\r\nfish is a smart and user-friendly command line shell for macOS, Linux, and the rest of the family. fish shell uses certain Unicode non-characters internally for marking wildcards and expansions. It will incorrectly allow these markers to be read on command substitution output, rather than transforming them into a safe internal representation. While this may cause unexpected behavior with direct input (for example, echo \\UFDD2HOME has the same output as echo $HOME), this may become a minor security problem if the output is being fed from an external program into a command substitution where this output may not be expected. This design flaw was introduced in very early versions of fish, predating the version control system, and is thought to be present in every version of fish released in the last 15 years or more, although with different characters. Code execution does not appear to be possible, but denial of service (through large brace expansion) or information disclosure (such as variable expansion) is potentially possible under certain circumstances. fish shell 3.6.2 has been released to correct this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-49284)",
+    "cves": [
+      {
+        "id": "CVE-2023-49284",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49284",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1736": {
+    "id": "openEuler-SA-2023-1736",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1736",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections crosses a certain threshold and if so, cleans up the previous connection. If the previous connection happens to be in the handshake phase and fails, QEMU cleans up the connection again, resulting in a NULL pointer dereference issue. This could allow a remote unauthenticated client to cause a denial of service.(CVE-2023-3354)",
+    "cves": [
+      {
+        "id": "CVE-2023-3354",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3354",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2156": {
+    "id": "openEuler-SA-2022-2156",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2156",
+    "title": "An update for ceph is now available for openEuler-22.03-LTS",
+    "severity": "Low",
+    "description": "Ceph is a massively scalable, open-source, distributed storage system that runs on commodity hardware and delivers object, block and file system storage.\r\n\r\nSecurity Fix(es):\r\n\r\nA privilege escalation flaw was found in Ceph. Ceph-crash.service allows a local attacker to escalate privileges to root in the form of a crash dump, and dump privileged information. This issue can lead to a denial of service, loss of confidentiality, integrity, and availability.(CVE-2022-3650)",
+    "cves": [
+      {
+        "id": "CVE-2022-3650",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3650",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1329": {
+    "id": "openEuler-SA-2023-1329",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1329",
+    "title": "An update for libssh is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote programs. With its Secure FTP implementation, you can play with remote files easily, without third-party programs others than libcrypto (from openssl).\r\n\r\nSecurity Fix(es):\r\n\r\nA NULL pointer dereference was found In libssh during re-keying with algorithm guessing. This issue may allow an authenticated client to cause a denial of service.(CVE-2023-1667)\r\n\r\nA vulnerability was found in libssh, where the authentication check of the connecting client can be bypassed in the`pki_verify_data_signature` function in memory allocation problems. This issue may happen if there is insufficient memory or the memory usage is limited. The problem is caused by the return value `rc,` which is initialized to SSH_ERROR and later rewritten to save the return value of the function call `pki_key_check_hash_compatible.` The value of the variable is not changed between this point and the cryptographic verification. Therefore any error between them calls `goto error` returning SSH_OK.(CVE-2023-2283)",
+    "cves": [
+      {
+        "id": "CVE-2023-2283",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2283",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1385": {
+    "id": "openEuler-SA-2021-1385",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1385",
+    "title": "An update for libvirt is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Libvirt is a C toolkit to interact with the virtualization capabilities of recent versions of Linux (and other OSes). The main package includes the libvirtd server exporting the virtualization support.\r\n\r\nSecurity Fix(es):\r\n\r\nAn improper locking issue was found in the virStoragePoolLookupByTargetPath API of libvirt. It occurs in the storagePoolLookupByTargetPath function where a locked virStoragePoolObj object is not properly released on ACL permission failure. Clients connecting to the read-write socket with limited ACL permissions could use this flaw to acquire the lock and prevent other users from accessing storage pool/volume APIs, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.(CVE-2021-3667)\r\n\r\nA flaw was found in libvirt while it generates SELinux MCS category pairs for VMs' dynamic labels. This flaw allows one exploited guest to access files labeled for another guest, resulting in the breaking out of sVirt confinement. The highest threat from this vulnerability is to confidentiality and integrity.(CVE-2021-3631)",
+    "cves": [
+      {
+        "id": "CVE-2021-3631",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3631",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1228": {
+    "id": "openEuler-SA-2024-1228",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1228",
+    "title": "An update for fontforge is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "FontForge (former PfaEdit) is a font editor for outline and bitmap fonts. It supports a range of font formats, including PostScript (ASCII and binary Type 1, some Type 3 and Type 0), TrueType, OpenType (Type2) and CID-keyed fonts.\r\n\r\nSecurity Fix(es):\r\n\r\nSplinefont in FontForge through 20230101 allows command injection via crafted filenames.(CVE-2024-25081)\r\n\r\nSplinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files.(CVE-2024-25082)",
+    "cves": [
+      {
+        "id": "CVE-2024-25082",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25082",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1880": {
+    "id": "openEuler-SA-2023-1880",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1880",
+    "title": "An update for qt is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Qt (pronounced as \"cute\", not \"cu-tee\") is a cross-platform framework that is usually used as a graphical toolkit, although it is also very helpful in creating CLI applications. It runs on the three major desktop OSes, as well as on mobile OSes, such as Symbian, Nokia Belle, Meego Harmattan, MeeGo or BB10, and on embedded devices. Ports for Android (Necessitas) and iOS are also in development\r\n\r\nSecurity Fix(es):\r\n\r\nIn Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.(CVE-2023-37369)\r\n\r\nAn issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.(CVE-2023-38197)\r\n\r\nAn issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.(CVE-2023-43114)",
+    "cves": [
+      {
+        "id": "CVE-2023-43114",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1834": {
+    "id": "openEuler-SA-2022-1834",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1834",
+    "title": "An update for xorg-x11-server is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "X.Org X11 X server\r\n\r\nSecurity Fix(es):\r\n\r\nCVE-2022-2320/ZDI-CAN-16070: xorg-x11-server: out-of-bounds write in ProcXkbSetDeviceInfo request handler of the Xkb extension\r\n\r\nIntroduced In:\nhttps://github.com/freedesktop/xorg-xserver/commit/c06e27b2f6fd9f7b9f827623a48876a225264132\r\n\r\nFixed In:\nhttps://github.com/freedesktop/xorg-xserver/commit/dd8caf39e9e15d8f302e54045dd08d8ebf1025dc(CVE-2022-2320)\r\n\r\nCVE-2022-2319/ZDI-CAN-16062: X.Org Server ProcXkbSetGeometry Out-Of-Bounds Access\nhttps://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/938\nhttps://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/939(CVE-2022-2319)",
+    "cves": [
+      {
+        "id": "CVE-2022-2319",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2319",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1754": {
+    "id": "openEuler-SA-2023-1754",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1754",
+    "title": "An update for samba is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was discovered in Samba, where the flaw allows SMB clients to truncate files, even with read-only permissions when the Samba VFS module \"acl_xattr\" is configured with \"acl_xattr:ignore system acls = yes\". The SMB protocol allows opening files when the client requests read-only access but then implicitly truncates the opened file to 0 bytes if the client specifies a separate OVERWRITE create disposition request. The issue arises in configurations that bypass kernel file system permissions checks, relying solely on Samba's permissions.(CVE-2023-4091)\r\n\r\nA vulnerability was found in Samba's \"rpcecho\" development server, a non-Windows RPC server used to test Samba's DCE/RPC stack elements. This vulnerability stems from an RPC function that can be blocked indefinitely. The issue arises because the \"rpcecho\" service operates with only one worker in the main RPC task, allowing calls to the \"rpcecho\" server to be blocked for a specified time, causing service disruptions. This disruption is triggered by a \"sleep()\" call in the \"dcesrv_echo_TestSleep()\" function under specific conditions. Authenticated users or attackers can exploit this vulnerability to make calls to the \"rpcecho\" server, requesting it to block for a specified duration, effectively disrupting most services and leading to a complete denial of service on the AD DC. The DoS affects all other services as \"rpcecho\" runs in the main RPC task.(CVE-2023-42669)",
+    "cves": [
+      {
+        "id": "CVE-2023-42669",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42669",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1316": {
+    "id": "openEuler-SA-2024-1316",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1316",
+    "title": "An update for edk2 is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications.\r\n\r\nSecurity Fix(es):\r\n\r\n\nEDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability.\r\n\r\n(CVE-2022-36764)\r\n\r\n EDK2's Network Package is susceptible to a buffer overflow vulnerability via a long server ID option in DHCPv6 client. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Confidentiality, Integrity and/or Availability.\r\n\r\n(CVE-2023-45230)\r\n\r\n EDK2's Network Package is susceptible to an infinite loop vulnerability when parsing unknown options in the Destination Options header of IPv6. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Availability.\r\n\r\n(CVE-2023-45232)\r\n\r\n EDK2's Network Package is susceptible to an infinite lop vulnerability when parsing a PadN option in the Destination Options header of IPv6. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Availability.\r\n\r\n(CVE-2023-45233)\r\n\r\n EDK2's Network Package is susceptible to a buffer overflow vulnerability when\r\n\r\n\r\n\r\n\r\n\r\nhandling Server ID option \r\n\r\n\r\n\r\n from a DHCPv6 proxy Advertise message. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Confidentiality, Integrity and/or Availability.\r\n\r\n(CVE-2023-45235)",
+    "cves": [
+      {
+        "id": "CVE-2023-45235",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45235",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1819": {
+    "id": "openEuler-SA-2023-1819",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1819",
+    "title": "An update for GraphicsMagick is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "GraphicsMagick is the swiss army knife of image processing. Comprised of 267K physical lines (according to David A. Wheeler's SLOCCount) of source code in the base package (or 1,225K including 3rd party libraries) it provides a robust and efficient collection of tools and libraries which support reading, writing, and manipulating an image in over 89 major formats including important formats like DPX, GIF, JPEG, JPEG-2000, PNG, PDF, PNM, TIFF, and WebP.\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Overflow vulnerability in WritePCXImage function in pcx.c in GraphicsMagick 1.4 allows remote attackers to cause a denial of service via converting of crafted image file to pcx format.(CVE-2020-21679)",
+    "cves": [
+      {
+        "id": "CVE-2020-21679",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-21679",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1837": {
+    "id": "openEuler-SA-2023-1837",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1837",
+    "title": "An update for stb is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Single-file public domain libraries for C/C++.\r\n\r\nSecurity Fix(es):\r\n\r\nNothings stb 2.28 was discovered to contain a Null Pointer Dereference via the function stbi__convert_format. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted pic file.(CVE-2023-43898)",
+    "cves": [
+      {
+        "id": "CVE-2023-43898",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43898",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1896": {
+    "id": "openEuler-SA-2023-1896",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1896",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.(CVE-2023-1544)",
+    "cves": [
+      {
+        "id": "CVE-2023-1544",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1544",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1210": {
+    "id": "openEuler-SA-2021-1210",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1210",
+    "title": "An update for git is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency.\nGit is easy to learn and has a tiny footprint with lightning fast performance. It outclasses SCM tools like Subversion, CVS, Perforce, and ClearCase with features like cheap local branching, convenient staging areas, and multiple workflows.\r\n\r\nSecurity Fix(es):\r\n\r\nCygwin Git is a patch set for the git command line tool for the cygwin environment. A specially crafted repository that contains symbolic links as well as files with backslash characters in the file name may cause just-checked out code to be executed while checking out a repository using Git on Cygwin. The problem will be patched in the Cygwin Git v2.31.1-2 release. At time of writing, the vulnerability is present in the upstream Git source code; any Cygwin user who compiles Git for themselves from upstream sources should manually apply a patch to mitigate the vulnerability. As mitigation users should not clone or pull from repositories from untrusted sources. CVE-2019-1354 was an equivalent vulnerability in Git for Visual Studio.(CVE-2021-29468)",
+    "cves": [
+      {
+        "id": "CVE-2021-29468",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29468",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2082": {
+    "id": "openEuler-SA-2022-2082",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2082",
+    "title": "An update for libxml2 is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "This library allows to manipulate XML files. It includes support to read, modify and write XML and HTML files. There is DTDs support this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified. The output can be a simple SAX stream or and in-memory DOM like representations. In this case one can use the built-in XPath and XPointer implementation to select sub nodes or ranges. A flexible Input/Output mechanism is available, with existing HTTP and FTP modules and combined to an URI library.\r\n\r\nSecurity Fix(es):\r\n\r\nvalid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.(CVE-2022-23308)\r\n\r\nA flaw was found in libxml2. Parsing a XML document with the XML_PARSE_HUGE option enabled can result in an integer overflow because safety checks were missing in some functions. Also, the xmlParseEntityValue function didn't have any length limitation.(CVE-2022-40303)\r\n\r\nA flaw was found in libxml2. When a reference cycle is detected in the XML entity cleanup function the XML entity data can be stored in a dictionary. In this case, the dictionary becomes corrupted resulting in logic errors, including memory errors like double free.(CVE-2022-40304)",
+    "cves": [
+      {
+        "id": "CVE-2022-40304",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40304",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1372": {
+    "id": "openEuler-SA-2024-1372",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1372",
+    "title": "An update for unixODBC is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The unixODBC Project goals are to develop and promote unixODBC to be the definitive standard for ODBC on non MS Windows platforms. This is to include GUI support for both KDE and GNOME.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds stack write flaw was found in unixODBC on 64-bit architectures where the caller has 4 bytes and callee writes 8 bytes. This issue may go unnoticed on little-endian architectures, while big-endian architectures can be broken.(CVE-2024-1013)",
+    "cves": [
+      {
+        "id": "CVE-2024-1013",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1013",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1056": {
+    "id": "openEuler-SA-2024-1056",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1056",
+    "title": "An update for bluez is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "This package provides all utilities for use in Bluetooth applications. The BLUETOOTH trademarks are owned by Bluetooth SIG, Inc., U.S.A.\r\n\r\nSecurity Fix(es):\r\n\r\nVUL-0: CVE-2023-50230: bluez: BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution Vulnerability(CVE-2023-50230)",
+    "cves": [
+      {
+        "id": "CVE-2023-50230",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50230",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1218": {
+    "id": "openEuler-SA-2024-1218",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1218",
+    "title": "An update for OpenEXR is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Critical",
+    "description": "OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light & Magic for use in computer imaging applications.\r\n\r\nSecurity Fix(es):\r\n\r\nDue to a failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data, Academy Software Foundation OpenEX image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability. This issue was resolved as of versions v3.2.2 and v3.1.12 of the affected library.\n(CVE-2023-5841)",
+    "cves": [
+      {
+        "id": "CVE-2023-5841",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5841",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1797": {
+    "id": "openEuler-SA-2022-1797",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1797",
+    "title": "An update for golang is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The Go Programming Language.\r\n\r\nSecurity Fix(es):\r\n\r\nCalling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.(CVE-2022-30630)",
+    "cves": [
+      {
+        "id": "CVE-2022-30630",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30630",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1429": {
+    "id": "openEuler-SA-2023-1429",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1429",
+    "title": "An update for edk2 is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications. \n\nSecurity Fix(es):\n\nA timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.(CVE-2022-4304)",
+    "cves": [
+      {
+        "id": "CVE-2022-4304",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4304",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1160": {
+    "id": "openEuler-SA-2023-1160",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1160",
+    "title": "An update for sudo is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Low",
+    "description": "Sudo is a program designed to allow a sysadmin to give limited root privileges to users and log root activity.  The basic philosophy is to give as few privileges as possible but still allow people to get their work done.\r\n\r\nSecurity Fix(es):\r\n\r\nSudo before 1.9.13p2 has a double free in the per-command chroot feature.(CVE-2023-27320)",
+    "cves": [
+      {
+        "id": "CVE-2023-27320",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27320",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1123": {
+    "id": "openEuler-SA-2023-1123",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1123",
+    "title": "An update for curl is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\ncurl supports \"chained\" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable \"links\" in this \"decompression chain\" was capped, but the cap was implemented on a per-header basis allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a \"malloc bomb\", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.(CVE-2023-23916)",
+    "cves": [
+      {
+        "id": "CVE-2023-23916",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23916",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1881": {
+    "id": "openEuler-SA-2022-1881",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1881",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA race condition in perf_event_open() which can be exploited by an unprivileged user to gain root privileges. The bug allows to build several exploit primitives such as kernel address information leak, arbitrary execution, etc.(CVE-2022-1729)\n\nA use-after-free flaw was found in nf_tables cross-table in the net/netfilter/nf_tables_api.c function in the Linux kernel. This flaw allows a local, privileged attacker to cause a use-after-free problem at the time of table deletion, possibly leading to local privilege escalation.(CVE-2022-2586)\n\nDm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates. We recommend upgrading past commit 4caae58406f8ceb741603eee460d79bacca9b1b5(CVE-2022-2503)\n\nAn out-of-bounds read flaw was found in the Linux kernel’s TeleTYpe subsystem. The issue occurs in how a user triggers a race condition using ioctls TIOCSPTLCK and TIOCGPTPEER and TIOCSTI and TCXONC with leakage of memory in the flush_to_ldisc function. This flaw allows a local user to crash the system or read unauthorized random data from memory.(CVE-2022-1462)",
+    "cves": [
+      {
+        "id": "CVE-2022-1462",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1462",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1324": {
+    "id": "openEuler-SA-2023-1324",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1324",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel before 6.0.3, drivers/gpu/drm/virtio/virtgpu_object.c misinterprets the drm_gem_shmem_get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer).(CVE-2023-22998)",
+    "cves": [
+      {
+        "id": "CVE-2023-22998",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22998",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1341": {
+    "id": "openEuler-SA-2024-1341",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1341",
+    "title": "An update for libreswan is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Low",
+    "description": "Libreswan is an implementation of IKEv1 and IKEv2 for IPsec. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services.  These services allow you to build secure tunnels through untrusted networks.  Everything passing through the untrusted net is encrypted by the ipsec gateway machine and decrypted by the gateway at the other end of the tunnel.  The resulting tunnel is a virtual private network or VPN.\r\n\r\nSecurity Fix(es):\r\n\r\nThe Libreswan Project was notified of an issue causing libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret) and the connection cannot find a matching configured secret. When such a connection is automatically added on startup using the auto= keyword, it can cause repeated crashes leading to a Denial of Service.(CVE-2024-2357)",
+    "cves": [
+      {
+        "id": "CVE-2024-2357",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2357",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1602": {
+    "id": "openEuler-SA-2023-1602",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1602",
+    "title": "An update for openjdk-latest is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.3.1; Oracle GraalVM Enterprise Edition: 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21549)\r\n\r\nAn issue was discovered in function ciMethodBlocks::make_block_at in Oracle JDK (HotSpot VM) 11, 17 and OpenJDK (HotSpot VM) 8, 11, 17, allows attackers to cause a denial of service.(CVE-2022-40433)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization).  Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf; Oracle GraalVM Enterprise Edition: 20.3.8 and  21.3.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21830)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via DTLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-21835)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Sound).  Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21843)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2023-21930)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21937)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21938)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21939)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2023-21954)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21967)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21968)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).(CVE-2023-22006)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.1 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2023-22041)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2023-22045)",
+    "cves": [
+      {
+        "id": "CVE-2023-22045",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22045",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1068": {
+    "id": "openEuler-SA-2023-1068",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1068",
+    "title": "An update for bind is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.\r\n\r\nSecurity Fix(es):\r\n\r\nSending a flood of dynamic DNS updates may cause `named` to allocate large amounts of memory. This, in turn, may cause `named` to exit due to a lack of free memory. We are not aware of any cases where this has been exploited. Memory is allocated prior to the checking of access permissions (ACLs) and is retained during the processing of a dynamic update from a client whose access credentials are accepted. Memory allocated to clients that are not permitted to send updates is released immediately upon rejection. The scope of this vulnerability is limited therefore to trusted clients who are permitted to make dynamic zone changes. If a dynamic update is REFUSED, memory will be released again very quickly. Therefore it is only likely to be possible to degrade or stop `named` by sending a flood of unaccepted dynamic updates comparable in magnitude to a query flood intended to achieve the same detrimental outcome. BIND 9.11 and earlier branches are also affected, but through exhaustion of internal resources rather than memory constraints. This may reduce performance but should not be a significant problem for most servers. Therefore we don't intend to address this for BIND versions prior to BIND 9.16. This issue affects BIND 9 versions 9.16.0 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.8-S1 through 9.16.36-S1.(CVE-2022-3094)\r\n\r\nBIND 9 resolver can crash when stale cache and stale answers are enabled, option `stale-answer-client-timeout` is set to a positive integer, and the resolver receives an RRSIG query. This issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1.(CVE-2022-3736)\r\n\r\nThis issue can affect BIND 9 resolvers with `stale-answer-enable yes;` that also make use of the option `stale-answer-client-timeout`, configured with a value greater than zero. If the resolver receives many queries that require recursion, there will be a corresponding increase in the number of clients that are waiting for recursion to complete. If there are sufficient clients already waiting when a new client query is received so that it is necessary to SERVFAIL the longest waiting client (see BIND 9 ARM `recursive-clients` limit and soft quota), then it is possible for a race to occur between providing a stale answer to this older client and sending an early timeout SERVFAIL, which may cause an assertion failure. This issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1.(CVE-2022-3924)",
+    "cves": [
+      {
+        "id": "CVE-2022-3924",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3924",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1155": {
+    "id": "openEuler-SA-2024-1155",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1155",
+    "title": "An update for zbar is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "ZBar is an open source software suite for reading bar codes from various sources, such as video streams, image files and raw intensity sensors. It supports many popular symbologies (types of bar codes) including EAN-13/UPC-A, UPC-E, EAN-8, Code 128, Code 39, Interleaved 2 of 5 and QR Code.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap-based buffer overflow exists in the qr_reader_match_centers function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner.(CVE-2023-40889)\r\n\r\nA stack-based buffer overflow vulnerability exists in the lookup_sequence function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner.(CVE-2023-40890)",
+    "cves": [
+      {
+        "id": "CVE-2023-40890",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40890",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1454": {
+    "id": "openEuler-SA-2021-1454",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1454",
+    "title": "An update for redis6 is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Redis is an advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. You can run atomic operations on these types, like appending to a string; incrementing the value in a hash; pushing to a list; computing set intersection, union and difference; or getting the member with highest ranking in a sorted set. In order to achieve its outstanding performance, Redis works with an in-memory dataset. Depending on your use case, you can persist it either by dumping the dataset to disk every once in a while, or by appending each command to a log. Redis also supports trivial-to-setup master-slave replication, with very fast non-blocking first synchronization, auto-reconnection on net split and so forth. Other features include Transactions, Pub/Sub, Lua scripting, Keys with a limited time-to-live, and configuration settings to make Redis behave like a cache. You can use Redis from most programming languages also.\r\n\r\nSecurity Fix(es):\r\n\r\nRedis is an open source, in-memory database that persists on disk. An integer overflow bug affecting all versions of Redis can be exploited to corrupt the heap and potentially be used to leak arbitrary contents of the heap or trigger remote code execution. The vulnerability involves changing the default set-max-intset-entries configuration parameter to a very large value and constructing specially crafted commands to manipulate sets. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the set-max-intset-entries configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.(CVE-2021-32687)\r\n\r\nRedis is an open source, in-memory database that persists on disk. An integer overflow bug in the ziplist data structure used by all versions of Redis can be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves modifying the default ziplist configuration parameters (hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value) to a very large value, and then constructing specially crafted commands to create very large ziplists. The problem is fixed in Redis versions 6.2.6, 6.0.16, 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the above configuration parameters. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.(CVE-2021-32628)\r\n\r\nRedis is an open source, in-memory database that persists on disk. An integer overflow bug in the underlying string library can be used to corrupt the heap and potentially result with denial of service or remote code execution. The vulnerability involves changing the default proto-max-bulk-len configuration parameter to a very large value and constructing specially crafted network payloads or commands. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the proto-max-bulk-len configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.(CVE-2021-41099)\r\n\r\nRedis is an open source, in-memory database that persists on disk. When parsing an incoming Redis Standard Protocol (RESP) request, Redis allocates memory according to user-specified values which determine the number of elements (in the multi-bulk header) and size of each element (in the bulk header). An attacker delivering specially crafted requests over multiple connections can cause the server to allocate significant amount of memory. Because the same parsing mechanism is used to handle authentication requests, this vulnerability can also be exploited by unauthenticated users. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This can be done in different ways: Using network access control tools like firewalls, iptables, security groups, etc. or Enabling TLS and requiring users to authenticate using client side certificates.(CVE-2021-32675)\r\n\r\nRedis is an open source, in-memory database that persists on disk. The redis-cli command line tool and redis-sentinel service may be vulnerable to integer overflow when parsing specially crafted large multi-bulk network replies. This is a result of a vulnerability in the underlying hiredis library which does not perform an overflow check before calling the calloc() heap allocation function. This issue only impacts systems with heap allocators that do not perform their own overflow checks. Most modern systems do and are therefore not likely to be affected. Furthermore, by default redis-sentinel uses the jemalloc allocator which is also not vulnerable. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14.(CVE-2021-32762)\r\n\r\nRedis is an open source, in-memory database that persists on disk. In affected versions an integer overflow bug in Redis can be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves changing the default proto-max-bulk-len and client-query-buffer-limit configuration parameters to very large values and constructing specially crafted very large stream elements. The problem is fixed in Redis 6.2.6, 6.0.16 and 5.0.14. For users unable to upgrade an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the proto-max-bulk-len configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.(CVE-2021-32627)",
+    "cves": [
+      {
+        "id": "CVE-2021-32627",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32627",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1827": {
+    "id": "openEuler-SA-2024-1827",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1827",
+    "title": "An update for vte291 is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Low",
+    "description": "VTE provides a virtual terminal widget for GTK applications.VTE is mainly used in gnome-terminal, but can also be used to embed a console/terminal in games, editors, IDEs, etc.\r\n\r\nSecurity Fix(es):\r\n\r\nGNOME VTE before 0.76.3 allows an attacker to cause a denial of service (memory consumption) via a window resize escape sequence, a related issue to CVE-2000-0476.(CVE-2024-37535)",
+    "cves": [
+      {
+        "id": "CVE-2024-37535",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37535",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1468": {
+    "id": "openEuler-SA-2023-1468",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1468",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn multiple functions of binder.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.\r\n\r\n(CVE-2023-21255)\r\n\r\n(CVE-2023-2163)\r\n\r\nA flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_TREE_CONNECT and SMB2_QUERY_INFO commands. The issue results from the lack of proper validation of a pointer prior to accessing it. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.(CVE-2023-32248)\r\n\r\nVUL-0: CVE-2023-32255: kernel: Linux Kernel ksmbd Session Setup Memory Leak Denial-of-Service Vulnerability(CVE-2023-32255)\r\n\r\nA use-after-free flaw was found in vcs_read in drivers/tty/vt/vc_screen.c in vc_screen in the Linux Kernel. This flaw allows an attacker with local user access to cause a system crash or leak internal kernel information.(CVE-2023-3567)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.\r\n\r\nIf tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.\r\n\r\nWe recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.\r\n\r\n(CVE-2023-3609)\r\n\r\nA use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\r\n\r\nFlaw in the error handling of bound chains causes a use-after-free in the abort path of NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered.\r\n\r\nWe recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.\r\n\r\n(CVE-2023-3610)\r\n\r\nAn out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.\r\n\r\nThe qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks.\r\n\r\nWe recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.\r\n\r\n(CVE-2023-3611)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.\r\n\r\nIf tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.\r\n\r\nWe recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.\r\n\r\n(CVE-2023-3776)\r\n\r\nAn issue was discovered in the Linux kernel before 6.3.4. ksmbd has an out-of-bounds read in smb2_find_context_vals when create_context's name_len is larger than the tag length.(CVE-2023-38426)\r\n\r\nAn issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/smb2pdu.c in ksmbd does not properly check the UserName value because it does not consider the address of security buffer, leading to an out-of-bounds read.(CVE-2023-38428)",
+    "cves": [
+      {
+        "id": "CVE-2023-38428",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38428",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1817": {
+    "id": "openEuler-SA-2022-1817",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1817",
+    "title": "An update for samba is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\r\n\r\nSecurity Fix(es): \r\n\nA flaw was found in the Samba AD LDAP server. The AD DC database audit logging module can access LDAP message values freed by a preceding database module, resulting in a use-after-free issue. This issue is only possible when modifying certain privileged attributes, such as userAccountControl.(CVE-2022-32746)\n\nA flaw was found in Samba. Some SMB1 write requests were not correctly range-checked to ensure the client had sent enough data to fulfill the write, allowing server memory contents to be written into the file (or printer) instead of client-supplied data. The client cannot control the area of the server memory written to the file (or printer).(CVE-2022-32742)\n\nA flaw was found in Samba. The KDC accepts kpasswd requests encrypted with any key known to it. By encrypting forged kpasswd requests with its own key, a user can change other users passwords, enabling full domain takeover.(CVE-2022-32744)\n\nAs per samba upstream advisory:All versions of Samba prior to 4.16.x built with Heimdal Kerberos are vulnerable to an Elevation of Privilege attack. If the password of a user expires and need to be changed, a user could get a krbtgt using kpasswd with canonicalization turned on. The KDC should only provide a ticket for kadmin/changepw but returns a krbtgt. So a user could skip the password change and just use the krbtgt to get service tickets and use services in the forest.(CVE-2022-2031)",
+    "cves": [
+      {
+        "id": "CVE-2022-2031",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2031",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1142": {
+    "id": "openEuler-SA-2024-1142",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1142",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel before 6.4.5, drivers/gpu/drm/drm_atomic.c has a use-after-free during a race condition between a nonblocking atomic commit and a driver unload.(CVE-2023-51043)\r\n\r\nA use-after-free flaw was found in the Linux Kernel due to a race problem in the unix garbage collector's deletion of SKB races with unix_stream_read_generic() on the socket that the SKB is queued on.(CVE-2023-6531)\r\n\r\nA Null pointer dereference problem was found in ida_free in lib/idr.c in the Linux Kernel. This issue may allow an attacker using this library to cause a denial of service problem due to a missing check at a function return.(CVE-2023-6915)",
+    "cves": [
+      {
+        "id": "CVE-2023-6915",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6915",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1555": {
+    "id": "openEuler-SA-2024-1555",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1555",
+    "title": "An update for python-tqdm is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "tqdm derives from the Arabic word taqaddum which can mean \"progress\". Instantly  make your loops show a smart progress meter - just wrap any iterable with  tqdm(interable), and you are done!\r\n\r\nSecurity Fix(es):\r\n\r\ntqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2024-34062)",
+    "cves": [
+      {
+        "id": "CVE-2024-34062",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34062",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1547": {
+    "id": "openEuler-SA-2022-1547",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1547",
+    "title": "An update for mysql-connector-java is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "MySQL Connector/J is a native Java driver that converts JDBC (Java Database Connectivity) calls into the network protocol used by the MySQL database. It lets developers working with the Java programming language easily build programs and applets that interact with MySQL and connect all corporate data, even in a heterogeneous environment. MySQL Connector/J is a Type IV JDBC driver and has a complete JDBC feature set that supports the capabilities of MySQL.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2019-2692)",
+    "cves": [
+      {
+        "id": "CVE-2019-2692",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-2692",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2033": {
+    "id": "openEuler-SA-2022-2033",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2033",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nIn io_identity_cow of io_uring.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-238177383References: Upstream kernel(CVE-2022-20409)\r\n\r\nA vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function ipv6_renew_options of the component IPv6 Handler. The manipulation leads to memory leak. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211021 was assigned to this vulnerability.(CVE-2022-3524)\r\n\r\nA vulnerability classified as critical has been found in Linux Kernel. Affected is the function btf_dump_name_dups of the file tools/lib/bpf/btf_dump.c of the component libbpf. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211032.(CVE-2022-3534)\r\n\r\nA vulnerability has been found in Linux Kernel and classified as critical. Affected by this vulnerability is the function area_cache_get of the file drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211045 was assigned to this vulnerability.(CVE-2022-3545)\r\n\r\nA vulnerability classified as critical was found in Linux Kernel. Affected by this vulnerability is the function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211087.(CVE-2022-3564)\r\n\r\nA vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function del_timer of the file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211088.(CVE-2022-3565)\r\n\r\nA vulnerability, which was classified as problematic, was found in Linux Kernel. This affects the function tcp_getsockopt/tcp_setsockopt of the component TCP Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. The identifier VDB-211089 was assigned to this vulnerability.(CVE-2022-3566)\r\n\r\nA vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function inet6_stream_ops/inet6_dgram_ops of the component IPv6 Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. VDB-211090 is the identifier assigned to this vulnerability.(CVE-2022-3567)\r\n\r\nA vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function intr_callback of the file drivers/net/usb/r8152.c of the component BPF. The manipulation leads to logging of excessive data. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211363.(CVE-2022-3594)\r\n\r\nA vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_new_inode of the file fs/nilfs2/inode.c of the component BPF. The manipulation leads to use after free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211992.(CVE-2022-3649)\n\nIn the Linux kernel 5.8 through 5.19.x before 5.19.16, local attackers able to inject WLAN frames into the mac80211 stack could cause a NULL pointer dereference denial-of-service attack against the beacon protection of P2P devices.(CVE-2022-42722)\n\nA vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function kcm_tx_work of the file net/kcm/kcmsock.c of the component kcm. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. VDB-211018 is the identifier assigned to this vulnerability.(CVE-2022-3521)\n\nA flaw was found in the Linux kernel’s networking code. A use-after-free was found in the way the sch_sfb enqueue function used the socket buffer (SKB) cb field after the same SKB had been enqueued (and freed) into a child qdisc. This flaw allows a local, unprivileged user to crash the system, causing a denial of service.(CVE-2022-3586)\n\nVUL-0: CVE-2022-2602: kernel: defer registered files gc to io_uring release(CVE-2022-2602)\n\nA vulnerability classified as problematic has been found in Linux Kernel. Affected is the function j1939_session_destroy of the file net/can/j1939/transport.c of the component IPsec. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211932.(CVE-2022-3633)\n\nAn out-of-bounds memory write flaw was found in the Linux kernel’s Kid-friendly Wired Controller driver. This flaw allows a local user to crash or potentially escalate their privileges on the system. It is in bigben_probe of drivers/hid/hid-bigbenff.c. The reason is incorrect assumption - bigben devices all have inputs. However, malicious devices can break this assumption, leaking to out-of-bound write.(CVE-2022-3577)",
+    "cves": [
+      {
+        "id": "CVE-2022-3577",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3577",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1773": {
+    "id": "openEuler-SA-2022-1773",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1773",
+    "title": "An update for microcode_ctl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "This is a tool to transform and deploy microcode update for x86 CPUs.\r\n\r\nSecurity Fix(es):\r\n\r\nIncomplete cleanup in some Intel(R) VT-d products may allow an authenticated user to potentially enable escalation of privilege via local access.(CVE-2020-24489)\n\nDomain-bypass transient execution vulnerability in some Intel Atom(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.(CVE-2020-24513)\n\nHardware allows activation of test or debug logic at runtime for some Intel(R) processors which may allow an unauthenticated user to potentially enable escalation of privilege via physical access.(CVE-2021-0146)",
+    "cves": [
+      {
+        "id": "CVE-2021-0146",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0146",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1564": {
+    "id": "openEuler-SA-2024-1564",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1564",
+    "title": "An update for sos is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Sos is an extensible, portable, support data collection tool primarily aimed at Linux distributions and other UNIX-like operating systems.\r\n\r\nSecurity Fix(es):\r\n\r\nIt was found that the ovirt-log-collector/sosreport collects the RHV admin password unfiltered. Fixed in: sos-4.2-20.el8_6, ovirt-log-collector-4.4.7-2.el8ev(CVE-2022-2806)",
+    "cves": [
+      {
+        "id": "CVE-2022-2806",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2806",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1487": {
+    "id": "openEuler-SA-2024-1487",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1487",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nuio_hv_generic: Fix another memory leak in error handling paths\r\n\r\nMemory allocated by 'vmbus_alloc_ring()' at the beginning of the probe\nfunction is never freed in the error handling path.\r\n\r\nAdd the missing 'vmbus_free_ring()' call.\r\n\r\nNote that it is already freed in the .remove function.(CVE-2021-47070)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nasix: fix uninit-value in asix_mdio_read()\r\n\r\nasix_read_cmd() may read less than sizeof(smsr) bytes and in this case\nsmsr will be uninitialized.\r\n\r\nFail log:\nBUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]\nBUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497\nBUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497\n asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]\n asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497\n asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497(CVE-2021-47101)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nEDAC/thunderx: Fix possible out-of-bounds string access\r\n\r\nEnabling -Wstringop-overflow globally exposes a warning for a common bug\nin the usage of strncat():\r\n\r\n  drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':\n  drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]\n   1136 |                 strncat(msg, other, OCX_MESSAGE_SIZE);\n        |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n   ...\n   1145 |                                 strncat(msg, other, OCX_MESSAGE_SIZE);\n   ...\n   1150 |                                 strncat(msg, other, OCX_MESSAGE_SIZE);\r\n\r\n   ...\r\n\r\nApparently the author of this driver expected strncat() to behave the\nway that strlcat() does, which uses the size of the destination buffer\nas its third argument rather than the length of the source buffer. The\nresult is that there is no check on the size of the allocated buffer.\r\n\r\nChange it to strlcat().\r\n\r\n  [ bp: Trim compiler output, fixup commit message. ](CVE-2023-52464)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nInput: powermate - fix use-after-free in powermate_config_complete\r\n\r\nsyzbot has found a use-after-free bug [1] in the powermate driver. This\nhappens when the device is disconnected, which leads to a memory free from\nthe powermate_device struct.  When an asynchronous control message\ncompletes after the kfree and its callback is invoked, the lock does not\nexist anymore and hence the bug.\r\n\r\nUse usb_kill_urb() on pm->config to cancel any in-progress requests upon\ndevice disconnection.\r\n\r\n[1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e(CVE-2023-52475)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command\r\n\r\nTags allocated for OPC_INB_SET_CONTROLLER_CONFIG command need to be freed\nwhen we receive the response.(CVE-2023-52500)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfc: nci: assert requested protocol is valid\r\n\r\nThe protocol is used in a bit mask to determine if the protocol is\nsupported. Assert the provided protocol is less than the maximum\ndefined so it doesn't potentially perform a shift-out-of-bounds and\nprovide a clearer error for undefined protocols vs unsupported ones.(CVE-2023-52507)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nieee802154: ca8210: Fix a potential UAF in ca8210_probe\r\n\r\nIf of_clk_add_provider() fails in ca8210_register_ext_clock(),\nit calls clk_unregister() to release priv->clk and returns an\nerror. However, the caller ca8210_probe() then calls ca8210_remove(),\nwhere priv->clk is freed again in ca8210_unregister_ext_clock(). In\nthis case, a use-after-free may happen in the second time we call\nclk_unregister().\r\n\r\nFix this by removing the first clk_unregister(). Also, priv->clk could\nbe an error code on failure of clk_register_fixed_rate(). Use\nIS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock().(CVE-2023-52510)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/srp: Do not call scsi_done() from srp_abort()\r\n\r\nAfter scmd_eh_abort_handler() has called the SCSI LLD eh_abort_handler\ncallback, it performs one of the following actions:\n* Call scsi_queue_insert().\n* Call scsi_finish_command().\n* Call scsi_eh_scmd_add().\nHence, SCSI abort handlers must not call scsi_done(). Otherwise all\nthe above actions would trigger a use-after-free. Hence remove the\nscsi_done() call from srp_abort(). Keep the srp_free_req() call\nbefore returning SUCCESS because we may not see the command again if\nSUCCESS is returned.(CVE-2023-52515)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndma-debug: don't call __dma_entry_alloc_check_leak() under free_entries_lock\r\n\r\n__dma_entry_alloc_check_leak() calls into printk -> serial console\noutput (qcom geni) and grabs port->lock under free_entries_lock\nspin lock, which is a reverse locking dependency chain as qcom_geni\nIRQ handler can call into dma-debug code and grab free_entries_lock\nunder port->lock.\r\n\r\nMove __dma_entry_alloc_check_leak() call out of free_entries_lock\nscope so that we don't acquire serial console's port->lock under it.\r\n\r\nTrimmed-down lockdep splat:\r\n\r\n The existing dependency chain (in reverse order) is:\r\n\r\n               -> #2 (free_entries_lock){-.-.}-{2:2}:\n        _raw_spin_lock_irqsave+0x60/0x80\n        dma_entry_alloc+0x38/0x110\n        debug_dma_map_page+0x60/0xf8\n        dma_map_page_attrs+0x1e0/0x230\n        dma_map_single_attrs.constprop.0+0x6c/0xc8\n        geni_se_rx_dma_prep+0x40/0xcc\n        qcom_geni_serial_isr+0x310/0x510\n        __handle_irq_event_percpu+0x110/0x244\n        handle_irq_event_percpu+0x20/0x54\n        handle_irq_event+0x50/0x88\n        handle_fasteoi_irq+0xa4/0xcc\n        handle_irq_desc+0x28/0x40\n        generic_handle_domain_irq+0x24/0x30\n        gic_handle_irq+0xc4/0x148\n        do_interrupt_handler+0xa4/0xb0\n        el1_interrupt+0x34/0x64\n        el1h_64_irq_handler+0x18/0x24\n        el1h_64_irq+0x64/0x68\n        arch_local_irq_enable+0x4/0x8\n        ____do_softirq+0x18/0x24\n        ...\r\n\r\n               -> #1 (&port_lock_key){-.-.}-{2:2}:\n        _raw_spin_lock_irqsave+0x60/0x80\n        qcom_geni_serial_console_write+0x184/0x1dc\n        console_flush_all+0x344/0x454\n        console_unlock+0x94/0xf0\n        vprintk_emit+0x238/0x24c\n        vprintk_default+0x3c/0x48\n        vprintk+0xb4/0xbc\n        _printk+0x68/0x90\n        register_console+0x230/0x38c\n        uart_add_one_port+0x338/0x494\n        qcom_geni_serial_probe+0x390/0x424\n        platform_probe+0x70/0xc0\n        really_probe+0x148/0x280\n        __driver_probe_device+0xfc/0x114\n        driver_probe_device+0x44/0x100\n        __device_attach_driver+0x64/0xdc\n        bus_for_each_drv+0xb0/0xd8\n        __device_attach+0xe4/0x140\n        device_initial_probe+0x1c/0x28\n        bus_probe_device+0x44/0xb0\n        device_add+0x538/0x668\n        of_device_add+0x44/0x50\n        of_platform_device_create_pdata+0x94/0xc8\n        of_platform_bus_create+0x270/0x304\n        of_platform_populate+0xac/0xc4\n        devm_of_platform_populate+0x60/0xac\n        geni_se_probe+0x154/0x160\n        platform_probe+0x70/0xc0\n        ...\r\n\r\n               -> #0 (console_owner){-...}-{0:0}:\n        __lock_acquire+0xdf8/0x109c\n        lock_acquire+0x234/0x284\n        console_flush_all+0x330/0x454\n        console_unlock+0x94/0xf0\n        vprintk_emit+0x238/0x24c\n        vprintk_default+0x3c/0x48\n        vprintk+0xb4/0xbc\n        _printk+0x68/0x90\n        dma_entry_alloc+0xb4/0x110\n        debug_dma_map_sg+0xdc/0x2f8\n        __dma_map_sg_attrs+0xac/0xe4\n        dma_map_sgtable+0x30/0x4c\n        get_pages+0x1d4/0x1e4 [msm]\n        msm_gem_pin_pages_locked+0x38/0xac [msm]\n        msm_gem_pin_vma_locked+0x58/0x88 [msm]\n        msm_ioctl_gem_submit+0xde4/0x13ac [msm]\n        drm_ioctl_kernel+0xe0/0x15c\n        drm_ioctl+0x2e8/0x3f4\n        vfs_ioctl+0x30/0x50\n        ...\r\n\r\n Chain exists of:\n   console_owner --> &port_lock_key --> free_entries_lock\r\n\r\n  Possible unsafe locking scenario:\r\n\r\n        CPU0                    CPU1\n        ----                    ----\n   lock(free_entries_lock);\n                                lock(&port_lock_key);\n                                lock(free_entries_lock);\n   lock(console_owner);\r\n\r\n                *** DEADLOCK ***\r\n\r\n Call trace:\n  dump_backtrace+0xb4/0xf0\n  show_stack+0x20/0x30\n  dump_stack_lvl+0x60/0x84\n  dump_stack+0x18/0x24\n  print_circular_bug+0x1cc/0x234\n  check_noncircular+0x78/0xac\n  __lock_acquire+0xdf8/0x109c\n  lock_acquire+0x234/0x284\n  console_flush_all+0x330/0x454\n  consol\n---truncated---(CVE-2023-52516)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: fix possible store tearing in neigh_periodic_work()\r\n\r\nWhile looking at a related syzbot report involving neigh_periodic_work(),\nI found that I forgot to add an annotation when deleting an\nRCU protected item from a list.\r\n\r\nReaders use rcu_deference(*np), we need to use either\nrcu_assign_pointer() or WRITE_ONCE() on writer side\nto prevent store tearing.\r\n\r\nI use rcu_assign_pointer() to have lockdep support,\nthis was the choice made in neigh_flush_dev().(CVE-2023-52522)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: mac80211: fix potential key use-after-free\r\n\r\nWhen ieee80211_key_link() is called by ieee80211_gtk_rekey_add()\nbut returns 0 due to KRACK protection (identical key reinstall),\nieee80211_gtk_rekey_add() will still return a pointer into the\nkey, in a potential use-after-free. This normally doesn't happen\nsince it's only called by iwlwifi in case of WoWLAN rekey offload\nwhich has its own KRACK protection, but still better to fix, do\nthat by returning an error code and converting that to success on\nthe cfg80211 boundary only, leaving the error for bad callers of\nieee80211_gtk_rekey_add().(CVE-2023-52530)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm/damon/vaddr-test: fix memory leak in damon_do_test_apply_three_regions()\r\n\r\nWhen CONFIG_DAMON_VADDR_KUNIT_TEST=y and making CONFIG_DEBUG_KMEMLEAK=y\nand CONFIG_DEBUG_KMEMLEAK_AUTO_SCAN=y, the below memory leak is detected.\r\n\r\nSince commit 9f86d624292c (\"mm/damon/vaddr-test: remove unnecessary\nvariables\"), the damon_destroy_ctx() is removed, but still call\ndamon_new_target() and damon_new_region(), the damon_region which is\nallocated by kmem_cache_alloc() in damon_new_region() and the damon_target\nwhich is allocated by kmalloc in damon_new_target() are not freed.  And\nthe damon_region which is allocated in damon_new_region() in\ndamon_set_regions() is also not freed.\r\n\r\nSo use damon_destroy_target to free all the damon_regions and damon_target.\r\n\r\n    unreferenced object 0xffff888107c9a940 (size 64):\n      comm \"kunit_try_catch\", pid 1069, jiffies 4294670592 (age 732.761s)\n      hex dump (first 32 bytes):\n        00 00 00 00 00 00 00 00 06 00 00 00 6b 6b 6b 6b  ............kkkk\n        60 c7 9c 07 81 88 ff ff f8 cb 9c 07 81 88 ff ff  `...............\n      backtrace:\n        [<ffffffff817e0167>] kmalloc_trace+0x27/0xa0\n        [<ffffffff819c11cf>] damon_new_target+0x3f/0x1b0\n        [<ffffffff819c7d55>] damon_do_test_apply_three_regions.constprop.0+0x95/0x3e0\n        [<ffffffff819c82be>] damon_test_apply_three_regions1+0x21e/0x260\n        [<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90\n        [<ffffffff81237cf6>] kthread+0x2b6/0x380\n        [<ffffffff81097add>] ret_from_fork+0x2d/0x70\n        [<ffffffff81003791>] ret_from_fork_asm+0x11/0x20\n    unreferenced object 0xffff8881079cc740 (size 56):\n      comm \"kunit_try_catch\", pid 1069, jiffies 4294670592 (age 732.761s)\n      hex dump (first 32 bytes):\n        05 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00  ................\n        6b 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 6b 6b 6b 6b  kkkkkkkk....kkkk\n      backtrace:\n        [<ffffffff819bc492>] damon_new_region+0x22/0x1c0\n        [<ffffffff819c7d91>] damon_do_test_apply_three_regions.constprop.0+0xd1/0x3e0\n        [<ffffffff819c82be>] damon_test_apply_three_regions1+0x21e/0x260\n        [<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90\n        [<ffffffff81237cf6>] kthread+0x2b6/0x380\n        [<ffffffff81097add>] ret_from_fork+0x2d/0x70\n        [<ffffffff81003791>] ret_from_fork_asm+0x11/0x20\n    unreferenced object 0xffff888107c9ac40 (size 64):\n      comm \"kunit_try_catch\", pid 1071, jiffies 4294670595 (age 732.843s)\n      hex dump (first 32 bytes):\n        00 00 00 00 00 00 00 00 06 00 00 00 6b 6b 6b 6b  ............kkkk\n        a0 cc 9c 07 81 88 ff ff 78 a1 76 07 81 88 ff ff  ........x.v.....\n      backtrace:\n        [<ffffffff817e0167>] kmalloc_trace+0x27/0xa0\n        [<ffffffff819c11cf>] damon_new_target+0x3f/0x1b0\n        [<ffffffff819c7d55>] damon_do_test_apply_three_regions.constprop.0+0x95/0x3e0\n        [<ffffffff819c851e>] damon_test_apply_three_regions2+0x21e/0x260\n        [<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90\n        [<ffffffff81237cf6>] kthread+0x2b6/0x380\n        [<ffffffff81097add>] ret_from_fork+0x2d/0x70\n        [<ffffffff81003791>] ret_from_fork_asm+0x11/0x20\n    unreferenced object 0xffff8881079ccc80 (size 56):\n      comm \"kunit_try_catch\", pid 1071, jiffies 4294670595 (age 732.843s)\n      hex dump (first 32 bytes):\n        05 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00  ................\n        6b 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 6b 6b 6b 6b  kkkkkkkk....kkkk\n      backtrace:\n        [<ffffffff819bc492>] damon_new_region+0x22/0x1c0\n        [<ffffffff819c7d91>] damon_do_test_apply_three_regions.constprop.0+0xd1/0x3e0\n        [<ffffffff819c851e>] damon_test_apply_three_regions2+0x21e/0x260\n        [<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90\n        [<ffffffff81237cf6>] kthread+0x2b6/0x380\n        [<ffffffff81097add>] ret_from_fork+0x2d/0x70\n        [<ffff\n---truncated---(CVE-2023-52560)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\narm64: dts: qcom: sdm845-db845c: Mark cont splash memory region as reserved\r\n\r\nAdding a reserved memory region for the framebuffer memory\n(the splash memory region set up by the bootloader).\r\n\r\nIt fixes a kernel panic (arm-smmu: Unhandled context fault\nat this particular memory region) reported on DB845c running\nv5.10.y.(CVE-2023-52561)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix potential use after free in nilfs_gccache_submit_read_data()\r\n\r\nIn nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the\nreference count of bh when the call to nilfs_dat_translate() fails.  If\nthe reference count hits 0 and its owner page gets unlocked, bh may be\nfreed.  However, bh->b_page is dereferenced to put the page after that,\nwhich may result in a use-after-free bug.  This patch moves the release\noperation after unlocking and putting the page.\r\n\r\nNOTE: The function in question is only called in GC, and in combination\nwith current userland tools, address translation using DAT does not occur\nin that function, so the code path that causes this issue will not be\nexecuted.  However, it is possible to run that code path by intentionally\nmodifying the userland GC library or by calling the GC ioctl directly.\r\n\r\n[konishi.ryusuke@gmail.com: NOTE added to the commit log](CVE-2023-52566)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nx86/sgx: Resolves SECS reclaim vs. page fault for EAUG race\r\n\r\nThe SGX EPC reclaimer (ksgxd) may reclaim the SECS EPC page for an\nenclave and set secs.epc_page to NULL. The SECS page is used for EAUG\nand ELDU in the SGX page fault handler. However, the NULL check for\nsecs.epc_page is only done for ELDU, not EAUG before being used.\r\n\r\nFix this by doing the same NULL check and reloading of the SECS page as\nneeded for both EAUG and ELDU.\r\n\r\nThe SECS page holds global enclave metadata. It can only be reclaimed\nwhen there are no other enclave pages remaining. At that point,\nvirtually nothing can be done with the enclave until the SECS page is\npaged back in.\r\n\r\nAn enclave can not run nor generate page faults without a resident SECS\npage. But it is still possible for a #PF for a non-SECS page to race\nwith paging out the SECS page: when the last resident non-SECS page A\ntriggers a #PF in a non-resident page B, and then page A and the SECS\nboth are paged out before the #PF on B is handled.\r\n\r\nHitting this bug requires that race triggered with a #PF for EAUG.\nFollowing is a trace when it happens.\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nRIP: 0010:sgx_encl_eaug_page+0xc7/0x210\nCall Trace:\n ? __kmem_cache_alloc_node+0x16a/0x440\n ? xa_load+0x6e/0xa0\n sgx_vma_fault+0x119/0x230\n __do_fault+0x36/0x140\n do_fault+0x12f/0x400\n __handle_mm_fault+0x728/0x1110\n handle_mm_fault+0x105/0x310\n do_user_addr_fault+0x1ee/0x750\n ? __this_cpu_preempt_check+0x13/0x20\n exc_page_fault+0x76/0x180\n asm_exc_page_fault+0x27/0x30(CVE-2023-52568)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: rds: Fix possible NULL-pointer dereference\r\n\r\nIn rds_rdma_cm_event_handler_cmn() check, if conn pointer exists\nbefore dereferencing it as rdma_set_service_type() argument\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2023-52573)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: bridge: use DEV_STATS_INC()\r\n\r\nsyzbot/KCSAN reported data-races in br_handle_frame_finish() [1]\nThis function can run from multiple cpus without mutual exclusion.\r\n\r\nAdopt SMP safe DEV_STATS_INC() to update dev->stats fields.\r\n\r\nHandles updates to dev->stats.tx_dropped while we are at it.\r\n\r\n[1]\nBUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish\r\n\r\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1:\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\nbr_nf_hook_thresh+0x1ed/0x220\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\nNF_HOOK include/linux/netfilter.h:304 [inline]\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\nnapi_poll net/core/dev.c:6594 [inline]\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\nrun_ksoftirqd+0x17/0x20 kernel/softirq.c:921\nsmpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164\nkthread+0x1d7/0x210 kernel/kthread.c:388\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\r\n\r\nread-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0:\nbr_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189\nbr_nf_hook_thresh+0x1ed/0x220\nbr_nf_pre_routing_finish_ipv6+0x50f/0x540\nNF_HOOK include/linux/netfilter.h:304 [inline]\nbr_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178\nbr_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508\nnf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]\nnf_hook_bridge_pre net/bridge/br_input.c:272 [inline]\nbr_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417\n__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417\n__netif_receive_skb_one_core net/core/dev.c:5521 [inline]\n__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637\nprocess_backlog+0x21f/0x380 net/core/dev.c:5965\n__napi_poll+0x60/0x3b0 net/core/dev.c:6527\nnapi_poll net/core/dev.c:6594 [inline]\nnet_rx_action+0x32b/0x750 net/core/dev.c:6727\n__do_softirq+0xc1/0x265 kernel/softirq.c:553\ndo_softirq+0x5e/0x90 kernel/softirq.c:454\n__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381\n__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\n_raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210\nspin_unlock_bh include/linux/spinlock.h:396 [inline]\nbatadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356\nbatadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560\nprocess_one_work kernel/workqueue.c:2630 [inline]\nprocess_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703\nworker_thread+0x525/0x730 kernel/workqueue.c:2784\nkthread+0x1d7/0x210 kernel/kthread.c:388\nret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\r\n\r\nvalue changed: 0x00000000000d7190 -> 0x00000000000d7191\r\n\r\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f361b9 #0(CVE-2023-52578)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nceph: fix deadlock or deadcode of misusing dget()\r\n\r\nThe lock order is incorrect between denty and its parent, we should\nalways make sure that the parent get the lock first.\r\n\r\nBut since this deadcode is never used and the parent dir will always\nbe set from the callers, let's just remove it.(CVE-2023-52583)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nIB/ipoib: Fix mcast list locking\r\n\r\nReleasing the `priv->lock` while iterating the `priv->multicast_list` in\n`ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to\nremove the items while in the middle of iteration. If the mcast is removed\nwhile the lock was dropped, the for loop spins forever resulting in a hard\nlockup (as was reported on RHEL 4.18.0-372.75.1.el8_6 kernel):\r\n\r\n    Task A (kworker/u72:2 below)       | Task B (kworker/u72:0 below)\n    -----------------------------------+-----------------------------------\n    ipoib_mcast_join_task(work)        | ipoib_ib_dev_flush_light(work)\n      spin_lock_irq(&priv->lock)       | __ipoib_ib_dev_flush(priv, ...)\n      list_for_each_entry(mcast,       | ipoib_mcast_dev_flush(dev = priv->dev)\n          &priv->multicast_list, list) |\n        ipoib_mcast_join(dev, mcast)   |\n          spin_unlock_irq(&priv->lock) |\n                                       |   spin_lock_irqsave(&priv->lock, flags)\n                                       |   list_for_each_entry_safe(mcast, tmcast,\n                                       |                  &priv->multicast_list, list)\n                                       |     list_del(&mcast->list);\n                                       |     list_add_tail(&mcast->list, &remove_list)\n                                       |   spin_unlock_irqrestore(&priv->lock, flags)\n          spin_lock_irq(&priv->lock)   |\n                                       |   ipoib_mcast_remove_list(&remove_list)\n   (Here, `mcast` is no longer on the  |     list_for_each_entry_safe(mcast, tmcast,\n    `priv->multicast_list` and we keep |                            remove_list, list)\n    spinning on the `remove_list` of   |  >>>  wait_for_completion(&mcast->done)\n    the other thread which is blocked  |\n    and the list is still valid on     |\n    it's stack.)\r\n\r\nFix this by keeping the lock held and changing to GFP_ATOMIC to prevent\neventual sleeps.\nUnfortunately we could not reproduce the lockup and confirm this fix but\nbased on the code review I think this fix should address such lockups.\r\n\r\ncrash> bc 31\nPID: 747      TASK: ff1c6a1a007e8000  CPU: 31   COMMAND: \"kworker/u72:2\"\n--\n    [exception RIP: ipoib_mcast_join_task+0x1b1]\n    RIP: ffffffffc0944ac1  RSP: ff646f199a8c7e00  RFLAGS: 00000002\n    RAX: 0000000000000000  RBX: ff1c6a1a04dc82f8  RCX: 0000000000000000\n                                  work (&priv->mcast_task{,.work})\n    RDX: ff1c6a192d60ac68  RSI: 0000000000000286  RDI: ff1c6a1a04dc8000\n           &mcast->list\n    RBP: ff646f199a8c7e90   R8: ff1c699980019420   R9: ff1c6a1920c9a000\n    R10: ff646f199a8c7e00  R11: ff1c6a191a7d9800  R12: ff1c6a192d60ac00\n                                                         mcast\n    R13: ff1c6a1d82200000  R14: ff1c6a1a04dc8000  R15: ff1c6a1a04dc82d8\n           dev                    priv (&priv->lock)     &priv->multicast_list (aka head)\n    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n--- <NMI exception stack> ---\n #5 [ff646f199a8c7e00] ipoib_mcast_join_task+0x1b1 at ffffffffc0944ac1 [ib_ipoib]\n #6 [ff646f199a8c7e98] process_one_work+0x1a7 at ffffffff9bf10967\r\n\r\ncrash> rx ff646f199a8c7e68\nff646f199a8c7e68:  ff1c6a1a04dc82f8 <<< work = &priv->mcast_task.work\r\n\r\ncrash> list -hO ipoib_dev_priv.multicast_list ff1c6a1a04dc8000\n(empty)\r\n\r\ncrash> ipoib_dev_priv.mcast_task.work.func,mcast_mutex.owner.counter ff1c6a1a04dc8000\n  mcast_task.work.func = 0xffffffffc0944910 <ipoib_mcast_join_task>,\n  mcast_mutex.owner.counter = 0xff1c69998efec000\r\n\r\ncrash> b 8\nPID: 8        TASK: ff1c69998efec000  CPU: 33   COMMAND: \"kworker/u72:0\"\n--\n #3 [ff646f1980153d50] wait_for_completion+0x96 at ffffffff9c7d7646\n #4 [ff646f1980153d90] ipoib_mcast_remove_list+0x56 at ffffffffc0944dc6 [ib_ipoib]\n #5 [ff646f1980153de8] ipoib_mcast_dev_flush+0x1a7 at ffffffffc09455a7 [ib_ipoib]\n #6 [ff646f1980153e58] __ipoib_ib_dev_flush+0x1a4 at ffffffffc09431a4 [ib_ipoib]\n #7 [ff\n---truncated---(CVE-2023-52587)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()\r\n\r\nFix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bug\noccurs when txs->cnt, data from a URB provided by a USB device, is\nbigger than the size of the array txs->txstatus, which is\nHTC_MAX_TX_STATUS. WARN_ON() already checks it, but there is no bug\nhandling code after the check. Make the function return if that is the\ncase.\r\n\r\nFound by a modified version of syzkaller.\r\n\r\nUBSAN: array-index-out-of-bounds in htc_drv_txrx.c\nindex 13 is out of range for type '__wmi_event_txstatus [12]'\nCall Trace:\n ath9k_htc_txstatus\n ath9k_wmi_event_tasklet\n tasklet_action_common\n __do_softirq\n irq_exit_rxu\n sysvec_apic_timer_interrupt(CVE-2023-52594)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: rt2x00: restart beacon queue when hardware reset\r\n\r\nWhen a hardware reset is triggered, all registers are reset, so all\nqueues are forced to stop in hardware interface. However, mac80211\nwill not automatically stop the queue. If we don't manually stop the\nbeacon queue, the queue will be deadlocked and unable to start again.\nThis patch fixes the issue where Apple devices cannot connect to the\nAP after calling ieee80211_restart_hw().(CVE-2023-52595)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: s390: fix setting of fpc register\r\n\r\nkvm_arch_vcpu_ioctl_set_fpu() allows to set the floating point control\n(fpc) register of a guest cpu. The new value is tested for validity by\ntemporarily loading it into the fpc register.\r\n\r\nThis may lead to corruption of the fpc register of the host process:\nif an interrupt happens while the value is temporarily loaded into the fpc\nregister, and within interrupt context floating point or vector registers\nare used, the current fp/vx registers are saved with save_fpu_regs()\nassuming they belong to user space and will be loaded into fp/vx registers\nwhen returning to user space.\r\n\r\ntest_fp_ctl() restores the original user space / host process fpc register\nvalue, however it will be discarded, when returning to user space.\r\n\r\nIn result the host process will incorrectly continue to run with the value\nthat was supposed to be used for a guest cpu.\r\n\r\nFix this by simply removing the test. There is another test right before\nthe SIE context is entered which will handles invalid values.\r\n\r\nThis results in a change of behaviour: invalid values will now be accepted\ninstead of that the ioctl fails with -EINVAL. This seems to be acceptable,\ngiven that this interface is most likely not used anymore, and this is in\naddition the same behaviour implemented with the memory mapped interface\n(replace invalid values with zero) - see sync_regs() in kvm-s390.c.(CVE-2023-52597)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/ptrace: handle setting of fpc register correctly\r\n\r\nIf the content of the floating point control (fpc) register of a traced\nprocess is modified with the ptrace interface the new value is tested for\nvalidity by temporarily loading it into the fpc register.\r\n\r\nThis may lead to corruption of the fpc register of the tracing process:\nif an interrupt happens while the value is temporarily loaded into the\nfpc register, and within interrupt context floating point or vector\nregisters are used, the current fp/vx registers are saved with\nsave_fpu_regs() assuming they belong to user space and will be loaded into\nfp/vx registers when returning to user space.\r\n\r\ntest_fp_ctl() restores the original user space fpc register value, however\nit will be discarded, when returning to user space.\r\n\r\nIn result the tracer will incorrectly continue to run with the value that\nwas supposed to be used for the traced process.\r\n\r\nFix this by saving fpu register contents with save_fpu_regs() before using\ntest_fp_ctl().(CVE-2023-52598)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\next4: avoid online resizing failures due to oversized flex bg\r\n\r\nWhen we online resize an ext4 filesystem with a oversized flexbg_size,\r\n\r\n     mkfs.ext4 -F -G 67108864 $dev -b 4096 100M\n     mount $dev $dir\n     resize2fs $dev 16G\r\n\r\nthe following WARN_ON is triggered:\n==================================================================\nWARNING: CPU: 0 PID: 427 at mm/page_alloc.c:4402 __alloc_pages+0x411/0x550\nModules linked in: sg(E)\nCPU: 0 PID: 427 Comm: resize2fs Tainted: G  E  6.6.0-rc5+ #314\nRIP: 0010:__alloc_pages+0x411/0x550\nCall Trace:\n <TASK>\n __kmalloc_large_node+0xa2/0x200\n __kmalloc+0x16e/0x290\n ext4_resize_fs+0x481/0xd80\n __ext4_ioctl+0x1616/0x1d90\n ext4_ioctl+0x12/0x20\n __x64_sys_ioctl+0xf0/0x150\n do_syscall_64+0x3b/0x90\n==================================================================\r\n\r\nThis is because flexbg_size is too large and the size of the new_group_data\narray to be allocated exceeds MAX_ORDER. Currently, the minimum value of\nMAX_ORDER is 8, the minimum value of PAGE_SIZE is 4096, the corresponding\nmaximum number of groups that can be allocated is:\r\n\r\n (PAGE_SIZE << MAX_ORDER) / sizeof(struct ext4_new_group_data) ≈ 21845\r\n\r\nAnd the value that is down-aligned to the power of 2 is 16384. Therefore,\nthis value is defined as MAX_RESIZE_BG, and the number of groups added\neach time does not exceed this value during resizing, and is added multiple\ntimes to complete the online resizing. The difference is that the metadata\nin a flex_bg may be more dispersed.(CVE-2023-52622)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\next4: regenerate buddy after block freeing failed if under fc replay\r\n\r\nThis mostly reverts commit 6bd97bf273bd (\"ext4: remove redundant\nmb_regenerate_buddy()\") and reintroduces mb_regenerate_buddy(). Based on\ncode in mb_free_blocks(), fast commit replay can end up marking as free\nblocks that are already marked as such. This causes corruption of the\nbuddy bitmap so we need to regenerate it in that case.(CVE-2024-26601)",
+    "cves": [
+      {
+        "id": "CVE-2024-26601",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26601",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1205": {
+    "id": "openEuler-SA-2024-1205",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1205",
+    "title": "An update for rust is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Critical",
+    "description": "Rust is a systems programming language focused on three goals:safety, speed,and concurrency.It maintains these goals without having a garbage collector, making it a useful language for a number of use cases other languages are not good at: embedding in other languages, programs with specific space and time requirements,and writing low-level code, like device drivers and operating systems. It improves on current languages targeting this space by having a number of compile-time safety checks that produce no runtime overhead,while eliminating all data races.\r\n\r\nSecurity Fix(es):\r\n\r\nlibgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2.(CVE-2024-24577)",
+    "cves": [
+      {
+        "id": "CVE-2024-24577",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24577",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1302": {
+    "id": "openEuler-SA-2024-1302",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1302",
+    "title": "An update for docker is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Docker is an open source project to build, ship and run any application as a lightweight container.\r\n\r\nSecurity Fix(es):\r\n\r\nMoby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss. An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps. 23.0+ users are only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0 environment variable) or are using the /build API endpoint. All users on versions older than 23.0 could be impacted. Image build API endpoint (/build) and ImageBuild function from github.com/docker/docker/client is also affected as it the uses classic builder by default. Patches are included in 24.0.9 and 25.0.2 releases.(CVE-2024-24557)",
+    "cves": [
+      {
+        "id": "CVE-2024-24557",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24557",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1323": {
+    "id": "openEuler-SA-2021-1323",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1323",
+    "title": "An update for rust is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "Rust is a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety.\r\n\r\nSecurity Fix(es):\r\n\r\nlibrary/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation.(CVE-2021-29922)",
+    "cves": [
+      {
+        "id": "CVE-2021-29922",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29922",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1377": {
+    "id": "openEuler-SA-2023-1377",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1377",
+    "title": "An update for libX11 is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Core X11 protocol client library.\n\nSecurity Fix(es):\n\nA vulnerability was found in libX11. The security flaw occurs because the functions in src/InitExt.c in libX11 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, using those IDs as array indexes. They trust that they were called with values provided by an Xserver adhering to the bounds specified in the X11 protocol, as all X servers provided by X.Org do. As the protocol only specifies a single byte for these values, an out-of-bounds value provided by a malicious server (or a malicious proxy-in-the-middle) can only overwrite other portions of the Display structure and not write outside the bounds of the Display structure itself, possibly causing the client to crash with this memory corruption.(CVE-2023-3138)",
+    "cves": [
+      {
+        "id": "CVE-2023-3138",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3138",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1384": {
+    "id": "openEuler-SA-2024-1384",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1384",
+    "title": "An update for openvswitch is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Open vSwitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license.\r\n\r\nSecurity Fix(es):\r\n\r\nAn integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system.(CVE-2022-2639)",
+    "cves": [
+      {
+        "id": "CVE-2022-2639",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2639",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1308": {
+    "id": "openEuler-SA-2024-1308",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1308",
+    "title": "An update for firefox is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.\r\n\r\nSecurity Fix(es):\r\n\r\nBy using XSL Transforms, a malicious webserver could have served a user an XSL document that would continue to execute JavaScript (within the bounds of the same-origin policy) even after the tab was closed. This vulnerability affects Firefox < 97.(CVE-2022-22755)",
+    "cves": [
+      {
+        "id": "CVE-2022-22755",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22755",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1770": {
+    "id": "openEuler-SA-2022-1770",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1770",
+    "title": "An update for samba is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nAll versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink to determine if a file or directory exists in an area of the server file system not exported under the share definition. SMB1 with unix extensions has to be enabled in order for this attack to succeed.(CVE-2021-44141)",
+    "cves": [
+      {
+        "id": "CVE-2021-44141",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44141",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1933": {
+    "id": "openEuler-SA-2022-1933",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1933",
+    "title": "An update for nodejs is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.\r\n\r\nSecurity Fix(es):\r\n\r\nNode.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().(CVE-2021-22918)",
+    "cves": [
+      {
+        "id": "CVE-2021-22918",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22918",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1088": {
+    "id": "openEuler-SA-2023-1088",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1088",
+    "title": "An update for python-cryptography is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.\r\n\r\nSecurity Fix(es):\r\n\r\ncryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.(CVE-2023-23931)",
+    "cves": [
+      {
+        "id": "CVE-2023-23931",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23931",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1588": {
+    "id": "openEuler-SA-2023-1588",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1588",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel’s IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%.(CVE-2023-1206)\r\n\r\nA buffer overrun vulnerability was found in the netback driver in Xen due to an unusual split packet. This flaw allows an unprivileged guest to cause a denial of service (DoS) of the host by sending network packets to the backend, causing the backend to crash.(CVE-2023-34319)\r\n\r\nAn issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10. There is a use-after-free because the children of an sk are mishandled.(CVE-2023-40283)\r\n\r\nA flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to bypass network filters and gain unauthorized access to some resources. The original patches fixing CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits - a096ccca6e50 (\"tun: tun_chr_open(): correctly initialize socket uid\"), - 66b2c338adce (\"tap: tap_open(): correctly initialize socket uid\"), pass \"inode->i_uid\" to sock_init_data_uid() as the last parameter and that turns out to not be accurate.(CVE-2023-4194)\r\n\r\nA NULL pointer dereference flaw was found in dbFree in fs/jfs/jfs_dmap.c in the journaling file system (JFS) in the Linux Kernel. This issue may allow a local attacker to crash the system due to a missing sanity check.(CVE-2023-4385)\r\n\r\nA NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in drivers/net/vmxnet3/vmxnet3_drv.c in the networking sub-component in vmxnet3 in the Linux Kernel. This issue may allow a local attacker with normal user privilege to cause a denial of service due to a missing sanity check during cleanup.(CVE-2023-4459)",
+    "cves": [
+      {
+        "id": "CVE-2023-4459",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4459",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1865": {
+    "id": "openEuler-SA-2023-1865",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1865",
+    "title": "An update for perl is now available for openEuler-22.03-LTS",
+    "severity": "Low",
+    "description": "Perl 5 is a highly capable, feature-rich programming language with over 30 years of development. Perl 5 runs on over 100 platforms from portables to mainframes and is suitable for both rapid prototyping and large scale development projects.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in perl. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer.(CVE-2023-47038)",
+    "cves": [
+      {
+        "id": "CVE-2023-47038",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47038",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1715": {
+    "id": "openEuler-SA-2023-1715",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1715",
+    "title": "An update for firefox is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Mozilla Firefox is a standalone web browser, designed for standards compliance and performance.  Its functionality can be enhanced via a plethora of extensions.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen receiving rendering data over IPC `mStream` could have been destroyed when initialized, which could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.(CVE-2023-4573)\r\n\r\nWhen creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks could have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.(CVE-2023-4574)\r\n\r\nWhen creating a callback over IPC for showing the File Picker window, multiple of the same callbacks could have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.(CVE-2023-4575)\r\n\r\nExcel `.xll` add-in files did not have a blocklist entry in Firefox's executable blocklist which allowed them to be downloaded without any warning of their potential harm. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.(CVE-2023-4581)\r\n\r\nMemory safety bugs present in Firefox 116, Firefox ESR 102.14, Firefox ESR 115.1, Thunderbird 102.14, and Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.(CVE-2023-4584)\r\n\r\nHeap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)(CVE-2023-4863)",
+    "cves": [
+      {
+        "id": "CVE-2023-4863",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4863",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2129": {
+    "id": "openEuler-SA-2022-2129",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2129",
+    "title": "An update for libtar is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Libtar is a C library for manipulating POSIX tar files. It handles adding and extracting files to/from a tar archive. Requires gcc, make, and zlib.\r\n\r\nSecurity Fix(es):\r\n\r\nNo description is available for this CVE.(CVE-2021-33640)",
+    "cves": [
+      {
+        "id": "CVE-2021-33640",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33640",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1388": {
+    "id": "openEuler-SA-2021-1388",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1388",
+    "title": "An update for aspell is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "GNU Aspell is a spell checker intended to replace Ispell. It can be used as a library and spell checker. Its main feature is that it provides much better suggestions than other inspectors, including Ispell and Microsoft Word. It also has many other technical enhancements to Ispell, such as the use of shared memory to store dictionaries, and intelligent processing of personal dictionaries when multiple Aspell processes are opened at one time.\r\n\r\nSecurity Fix(es):\r\n\r\nlibaspell.a in GNU Aspell before 0.60.8 has a buffer over-read for a string ending with a single '\\0' byte, if the encoding is set to ucs-2 or ucs-4 outside of the application, as demonstrated by the ASPELL_CONF environment variable.(CVE-2019-20433)",
+    "cves": [
+      {
+        "id": "CVE-2019-20433",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20433",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1586": {
+    "id": "openEuler-SA-2022-1586",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1586",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "This  provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. The latest version of the TIFF specification is available on-line in several different formats.And contains command-line programs for manipulating TIFF format image files using the libtiff library.\r\n\r\nSecurity Fix(es):\r\n\r\nLibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c in certain situations involving a custom tag and 0x0200 as the second word of the DE field.(CVE-2022-22844)",
+    "cves": [
+      {
+        "id": "CVE-2022-22844",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22844",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1310": {
+    "id": "openEuler-SA-2021-1310",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1310",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA NULL pointer dereference flaw was found in the Linux kernel’s IEEE 802.15.4 wireless networking subsystem in the way the user closes the LR-WPAN connection. This flaw allows a local user to crash the system. The highest threat from this vulnerability is to system availability.(CVE-2021-3659)\r\n\r\narch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e.(CVE-2021-37576)\r\n\r\nA vulnerability was found in the Linux kernel in versions before v5.14-rc1. Missing size validations on inbound SCTP packets may allow the kernel to read uninitialized memory.(CVE-2021-3655)",
+    "cves": [
+      {
+        "id": "CVE-2021-3655",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3655",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1116": {
+    "id": "openEuler-SA-2021-1116",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1116",
+    "title": "An update for nss is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.(CVE-2020-12403)\n\nA flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw affects NSS versions before 3.58.(CVE-2020-25648)",
+    "cves": [
+      {
+        "id": "CVE-2020-25648",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25648",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1026": {
+    "id": "openEuler-SA-2021-1026",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1026",
+    "title": "An update for krb5 is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nMIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit.(CVE-2020-28196)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2020-28196",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28196",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1463": {
+    "id": "openEuler-SA-2024-1463",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1463",
+    "title": "An update for ghostscript is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Critical",
+    "description": "Ghostscript is an interpreter for PostScript™ and Portable Document Format (PDF) files. Ghostscript consists of a PostScript interpreter layer, and a graphics library.\r\n\r\nSecurity Fix(es):\r\n\r\nArtifex Ghostscript before 9.53.0 has an out-of-bounds write and use-after-free in devices/vector/gdevtxtw.c (for txtwrite) because a single character code in a PDF document can map to more than one Unicode code point (e.g., for a ligature).(CVE-2020-36773)",
+    "cves": [
+      {
+        "id": "CVE-2020-36773",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36773",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1763": {
+    "id": "openEuler-SA-2022-1763",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1763",
+    "title": "An update for bluez is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "This package provides all utilities for use in Bluetooth applications. The BLUETOOTH trademarks are owned by Bluetooth SIG, Inc., U.S.A.\r\n\r\nSecurity Fix(es):\r\n\r\nBlueZ is a Bluetooth protocol stack for Linux. In affected versions a vulnerability exists in sdp_cstate_alloc_buf which allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash.(CVE-2021-41229)",
+    "cves": [
+      {
+        "id": "CVE-2021-41229",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41229",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1829": {
+    "id": "openEuler-SA-2022-1829",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1829",
+    "title": "An update for libxml2 is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "This library allows to manipulate XML files. It includes support to read, modify and write XML and HTML files. There is DTDs support this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified. The output can be a simple SAX stream or and in-memory DOM like representations. In this case one can use the built-in XPath and XPointer implementation to select sub nodes or ranges. A flexible Input/Output mechanism is available, with existing HTTP and FTP modules and combined to an URI library.\r\n\r\nSecurity Fix(es):\r\n\r\nPossible cross-site scripting vulnerability in libxml after commit 960f0e2.(CVE-2016-3709)",
+    "cves": [
+      {
+        "id": "CVE-2016-3709",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3709",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1456": {
+    "id": "openEuler-SA-2023-1456",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1456",
+    "title": "An update for python-reportlab is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The ReportLab Toolkit. An Open Source Python library for generating PDFs and graphics.\n\nSecurity Fix(es):\n\nReportlab up to v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file.(CVE-2023-33733)",
+    "cves": [
+      {
+        "id": "CVE-2023-33733",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33733",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1066": {
+    "id": "openEuler-SA-2021-1066",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1066",
+    "title": "An update for python3 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces.\n\r\nSecurity Fix(es):\n\r\nPython 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.(CVE-2021-3177)",
+    "cves": [
+      {
+        "id": "CVE-2021-3177",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3177",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1185": {
+    "id": "openEuler-SA-2023-1185",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1185",
+    "title": "An update for emacs is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Emacs is the extensible, customizable, self-documenting real-time display editor. At its core is an interpreter for Emacs Lisp, a dialect of the Lisp programming language with extensions to support text editing. And it is an entire ecosystem of functionality beyond text editing, including a project planner, mail and news reader, debugger interface, calendar, and more.\r\n\r\nSecurity Fix(es):\r\n\r\norg-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for GNU Emacs allows attackers to execute arbitrary commands via a file name or directory name that contains shell metacharacters.(CVE-2023-28617)",
+    "cves": [
+      {
+        "id": "CVE-2023-28617",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28617",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1277": {
+    "id": "openEuler-SA-2023-1277",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1277",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nThe specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.(CVE-2023-2007)\r\n\r\nA null pointer dereference issue was found in the sctp network protocol in net/sctp/stream_sched.c in Linux Kernel. If stream_in allocation is failed, stream_out is freed which would further be accessed. A local user could use this flaw to crash the system or potentially cause a denial of service.(CVE-2023-2177)\r\n\r\nA vulnerability was found in compare_netdev_and_ip in drivers/infiniband/core/cma.c in RDMA in the Linux Kernel. The improper cleanup results in out-of-boundary read, where a local user can utilize this problem to crash the system or escalation of privilege.(CVE-2023-2176)\r\n\r\nAn out-of-bounds write vulnerability was found in the Linux kernel's SLIMpro I2C device driver. The userspace \"data->block[0]\" variable was not capped to a number between 0-255 and was used as the size of a memcpy, possibly writing beyond the end of dma_buffer. This flaw could allow a local privileged user to crash the system or potentially achieve code execution.(CVE-2023-2194)\r\n\r\nA denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-component.(CVE-2023-2269)\r\n\r\nqfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.(CVE-2023-31436)",
+    "cves": [
+      {
+        "id": "CVE-2023-31436",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31436",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1732": {
+    "id": "openEuler-SA-2022-1732",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1732",
+    "title": "An update for squid is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Squid is a high-performance proxy caching server. It handles all requests in a single, non-blocking, I/O-driven process and keeps meta data and implements negative caching of failed requests.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in squid. Due to improper buffer management Squid is vulnerable to a Denial of Service attack when processing Gopher server responses.(CVE-2021-46784)",
+    "cves": [
+      {
+        "id": "CVE-2021-46784",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46784",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1240": {
+    "id": "openEuler-SA-2021-1240",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1240",
+    "title": "An update for squid is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Squid is a high-performance proxy caching server. It handles all requests in a single, non-blocking, I/O-driven process and keeps meta data and implements negative caching of failed requests.\r\n\r\nSecurity Fix(es):\r\n\r\nSquid before 4.15 and 5.x before 5.0.6 allows remote servers to cause a denial of service (affecting availability to all clients) via an HTTP response. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent by the server.(CVE-2021-33620)\r\n\r\nAn issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a memory-management bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy) via HTTP Range request processing.(CVE-2021-31806)\r\n\r\nAn issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this.(CVE-2021-31808)\r\n\r\nAn issue was discovered in Squid 4.x before 4.15 and 5.x before 5.0.6. If a remote server sends a certain response header over HTTP or HTTPS, there is a denial of service. This header can plausibly occur in benign network traffic.(CVE-2021-28662)\r\n\r\nAn issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a buffer-management bug, it allows a denial of service. When resolving a request with the urn: scheme, the parser leaks a small amount of memory. However, there is an unspecified attack methodology that can easily trigger a large amount of memory consumption.(CVE-2021-28651)\r\n\r\nAn issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to incorrect parser validation, it allows a Denial of Service attack against the Cache Manager API. This allows a trusted client to trigger memory leaks that. over time, lead to a Denial of Service via an unspecified short query string. This attack is limited to clients with Cache Manager API access privilege.(CVE-2021-28652)",
+    "cves": [
+      {
+        "id": "CVE-2021-28652",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28652",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2092": {
+    "id": "openEuler-SA-2022-2092",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2092",
+    "title": "An update for hadoop is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Apache Hadoop is a framework that allows for the distributed processing of large data sets across clusters of computers using simple programming models. It is designed to scale up from single servers to thousands of machines, each offering local computation and storage.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This however would be caught by the same targetDirPath check on Unix because of the getCanonicalPath call. However on Windows, getCanonicalPath doesn't resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links which allows writing outside expected base directory on Windows. This was addressed in Apache Hadoop 3.2.3(CVE-2022-26612)\r\n\r\nThere is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.(CVE-2021-37404)\r\n\r\nApache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. \"Check existence of file before untarring/zipping\", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136).(CVE-2022-25168)",
+    "cves": [
+      {
+        "id": "CVE-2022-25168",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25168",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1255": {
+    "id": "openEuler-SA-2023-1255",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1255",
+    "title": "An update for protobuf-c is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "This is protobuf-c, a C implementation of the Google Protocol Buffers data serialization format.\r\n\r\nSecurity Fix(es):\r\n\r\nprotobuf-c before 1.4.1 has an unsigned integer overflow in parse_required_member.(CVE-2022-48468)",
+    "cves": [
+      {
+        "id": "CVE-2022-48468",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48468",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1803": {
+    "id": "openEuler-SA-2024-1803",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1803",
+    "title": "An update for vte291 is now available for openEuler-24.03-LTS",
+    "severity": "Low",
+    "description": "VTE provides a virtual terminal widget for GTK applications.VTE is mainly used in gnome-terminal, but can also be used to embed a console/terminal in games, editors, IDEs, etc.\r\n\r\nSecurity Fix(es):\r\n\r\nGNOME VTE before 0.76.3 allows an attacker to cause a denial of service (memory consumption) via a window resize escape sequence, a related issue to CVE-2000-0476.(CVE-2024-37535)",
+    "cves": [
+      {
+        "id": "CVE-2024-37535",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37535",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1710": {
+    "id": "openEuler-SA-2023-1710",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1710",
+    "title": "An update for libXpm is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "X.Org X11 libXpm runtime library\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in libXpm due to a boundary condition within the XpmCreateXpmImageFromBuffer() function. This flaw allows a local to trigger an out-of-bounds read error and read the contents of memory on the system.(CVE-2023-43788)\r\n\r\nA vulnerability was found in libXpm where a vulnerability exists due to a boundary condition, a local user can trigger an out-of-bounds read error and read contents of memory on the system.(CVE-2023-43789)",
+    "cves": [
+      {
+        "id": "CVE-2023-43789",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43789",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1920": {
+    "id": "openEuler-SA-2023-1920",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1920",
+    "title": "An update for liblouis is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Liblouis software suite provides an open-source braille translator, back-translator and formatter for a large number of languages and braille codes. It is a set of libraries designed for use in any of a number of applications, both free and commercial. It is written in C so that it does not require a runtime environment and hence can be used in applications written in high-level languages such as Java and Python.\r\n\r\nSecurity Fix(es):\r\n\r\nLiblouis through 3.21.0 has a buffer overflow in compilePassOpcode in compileTranslationTable.c (called, indirectly, by tools/lou_checktable.c).(CVE-2022-26981)",
+    "cves": [
+      {
+        "id": "CVE-2022-26981",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26981",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1854": {
+    "id": "openEuler-SA-2022-1854",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1854",
+    "title": "An update for varnish is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "This is Varnish Cache, a web application accelerator also known as a caching HTTP reverse proxy. You install it in front of any server that speaks HTTP and configure it to cache the contents. Varnish Cache is really, really fast. It typically speeds up delivery with a factor of 300 - 1000x, depending on your architecture.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1.(CVE-2022-38150)",
+    "cves": [
+      {
+        "id": "CVE-2022-38150",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38150",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1183": {
+    "id": "openEuler-SA-2024-1183",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1183",
+    "title": "An update for libxml2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Library providing XML and HTML support.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.(CVE-2024-25062)",
+    "cves": [
+      {
+        "id": "CVE-2024-25062",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25062",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1986": {
+    "id": "openEuler-SA-2023-1986",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1986",
+    "title": "An update for hdf5 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "HDF5 is a data model, library, and file format for storing and managing data. It supports an unlimited variety of datatypes, and is designed for flexible and efficient I/O and for high volume and complex data. HDF5 is portable and is extensible, allowing applications to evolve in their use of HDF5. The HDF5 Technology suite includes tools and applications for managing, manipulating, viewing, and analyzing data in the HDF5 format.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap-based buffer overflow in ReadGifImageDesc() in gifread.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service via a crafted HDF5 file. This issue was triggered while converting a GIF file to an HDF file.(CVE-2018-17433)\r\n\r\nReadCode() in decompress.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service (invalid write access) via a crafted HDF5 file. This issue was triggered while converting a GIF file to an HDF file.(CVE-2018-17436)\r\n\r\nAn issue was discovered in HDF5 through 1.12.0. A heap-based buffer overflow exists in the function Decompress() located in decompress.c. It can be triggered by sending a crafted file to the gif2h5 binary. It allows an attacker to cause Denial of Service.(CVE-2020-10809)",
+    "cves": [
+      {
+        "id": "CVE-2020-10809",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10809",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1233": {
+    "id": "openEuler-SA-2024-1233",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1233",
+    "title": "An update for xerces-c is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Xerces-C is a validating XML parser written in a portable subset of C++. Xerces-C makes it easy to give your application the ability to read and write XML data. A shared library is provided for parsing, generating, manipulating, and validating XML documents. Xerces-C is faithful to the XML 1.0 recommendation and associated standards ( DOM 1.0, DOM 2.0. SAX 1.0, SAX 2.0, Namespaces).\r\n\r\nSecurity Fix(es):\r\n\r\nThe Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.(CVE-2018-1311)",
+    "cves": [
+      {
+        "id": "CVE-2018-1311",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1311",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1613": {
+    "id": "openEuler-SA-2022-1613",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1613",
+    "title": "An update for gd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The gd graphics library allows your code to quickly draw images complete with lines, arcs, text, multiple colors, cut and paste from other images, and flood fills, and to write out the result as a PNG or JPEG file. The most common applications of GD involve website development, although it can be used with any standalone application!\r\n\r\nSecurity Fix(es):\r\n\r\n** DISPUTED ** gdImageGd2Ptr in gd_gd2.c in the GD Graphics Library (aka LibGD) through 2.3.2 has a double free. NOTE: the vendor's position is \"The GD2 image format is a proprietary image format of libgd. It has to be regarded as being obsolete, and should only be used for development and testing purposes.\"(CVE-2021-40145)",
+    "cves": [
+      {
+        "id": "CVE-2021-40145",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40145",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1974": {
+    "id": "openEuler-SA-2023-1974",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1974",
+    "title": "An update for trafficserver is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "Apache Traffic Server is an OpenSource HTTP / HTTPS / HTTP/2 / QUIC reverse, forward and transparent proxy and cache.\r\n\r\nSecurity Fix(es):\r\n\r\nExposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server.This issue affects Apache Traffic Server: 8.0.0 to 9.2.0.\r\n\r\n(CVE-2022-47184)\r\n\r\nExposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server.This issue affects Apache Traffic Server: from 8.0.0 through 9.2.0.\r\n\r\n8.x users should upgrade to 8.1.7 or later versions\n9.x users should upgrade to 9.2.1 or later versions\r\n\r\n\n(CVE-2023-33933)",
+    "cves": [
+      {
+        "id": "CVE-2023-33933",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33933",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1380": {
+    "id": "openEuler-SA-2021-1380",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1380",
+    "title": "An update for flatpak is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "flatpak is a system for building, distributing and running sandboxed desktop applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for more information.\r\n\r\nSecurity Fix(es):\r\n\r\nFlatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1 allows a sandbox bypass. Flatpak versions since 0.8.1 address CVE-2017-5226 by using a seccomp filter to prevent sandboxed apps from using the TIOCSTI ioctl, which could otherwise be used to inject commands into the controlling terminal so that they would be executed outside the sandbox after the sandboxed app exits. This fix was incomplete: on 64-bit platforms, the seccomp filter could be bypassed by an ioctl request number that has TIOCSTI in its 32 least significant bits and an arbitrary nonzero value in its 32 most significant bits, which the Linux kernel would treat as equivalent to TIOCSTI.(CVE-2019-10063)",
+    "cves": [
+      {
+        "id": "CVE-2019-10063",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10063",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1580": {
+    "id": "openEuler-SA-2023-1580",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1580",
+    "title": "An update for qt is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Qt (pronounced as \"cute\", not \"cu-tee\") is a cross-platform framework that is usually used as a graphical toolkit, although it is also very helpful in creating CLI applications. It runs on the three major desktop OSes, as well as on mobile OSes, such as Symbian, Nokia Belle, Meego Harmattan, MeeGo or BB10, and on embedded devices. Ports for Android (Necessitas) and iOS are also in development\r\n\r\nSecurity Fix(es):\r\n\r\nIn Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.(CVE-2023-32573)",
+    "cves": [
+      {
+        "id": "CVE-2023-32573",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32573",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1320": {
+    "id": "openEuler-SA-2021-1320",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1320",
+    "title": "An update for nettle is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Nettle is a cryptographic library designed to fit any context in crypto toolkits for object-oriented languages, in applications like LSH or GnuPG, or even in kernel space.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.(CVE-2021-3580)",
+    "cves": [
+      {
+        "id": "CVE-2021-3580",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3580",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1220": {
+    "id": "openEuler-SA-2024-1220",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1220",
+    "title": "An update for jss is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "JSS offers a implementation for java-based applications to use native NSS.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in JSS, where it did not properly free up all memory. Over time, the wasted memory builds up in the server memory, saturating the server’s RAM. This flaw allows an attacker to force the invocation of an out-of-memory process, causing a denial of service.(CVE-2021-4213)",
+    "cves": [
+      {
+        "id": "CVE-2021-4213",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4213",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1692": {
+    "id": "openEuler-SA-2024-1692",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1692",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: usb: fix possible use-after-free in smsc75xx_bind\r\n\r\nThe commit 46a8b29c6306 (\"net: usb: fix memory leak in smsc75xx_bind\")\nfails to clean up the work scheduled in smsc75xx_reset->\nsmsc75xx_set_multicast, which leads to use-after-free if the work is\nscheduled to start after the deallocation. In addition, this patch\nalso removes a dangling pointer - dev->data[0].\r\n\r\nThis patch calls cancel_work_sync to cancel the scheduled work and set\nthe dangling pointer to NULL.(CVE-2021-47239)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA: Verify port when creating flow rule\r\n\r\nValidate port value provided by the user and with that remove no longer\nneeded validation by the driver.  The missing check in the mlx5_ib driver\ncould cause to the below oops.\r\n\r\nCall trace:\n  _create_flow_rule+0x2d4/0xf28 [mlx5_ib]\n  mlx5_ib_create_flow+0x2d0/0x5b0 [mlx5_ib]\n  ib_uverbs_ex_create_flow+0x4cc/0x624 [ib_uverbs]\n  ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0xd4/0x150 [ib_uverbs]\n  ib_uverbs_cmd_verbs.isra.7+0xb28/0xc50 [ib_uverbs]\n  ib_uverbs_ioctl+0x158/0x1d0 [ib_uverbs]\n  do_vfs_ioctl+0xd0/0xaf0\n  ksys_ioctl+0x84/0xb4\n  __arm64_sys_ioctl+0x28/0xc4\n  el0_svc_common.constprop.3+0xa4/0x254\n  el0_svc_handler+0x84/0xa0\n  el0_svc+0x10/0x26c\n Code: b9401260 f9615681 51000400 8b001c20 (f9403c1a)(CVE-2021-47265)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbcache: avoid oversized read request in cache missing code path\r\n\r\nIn the cache missing code path of cached device, if a proper location\nfrom the internal B+ tree is matched for a cache miss range, function\ncached_dev_cache_miss() will be called in cache_lookup_fn() in the\nfollowing code block,\n[code block 1]\n  526         unsigned int sectors = KEY_INODE(k) == s->iop.inode\n  527                 ? min_t(uint64_t, INT_MAX,\n  528                         KEY_START(k) - bio->bi_iter.bi_sector)\n  529                 : INT_MAX;\n  530         int ret = s->d->cache_miss(b, s, bio, sectors);\r\n\r\nHere s->d->cache_miss() is the call backfunction pointer initialized as\ncached_dev_cache_miss(), the last parameter 'sectors' is an important\nhint to calculate the size of read request to backing device of the\nmissing cache data.\r\n\r\nCurrent calculation in above code block may generate oversized value of\n'sectors', which consequently may trigger 2 different potential kernel\npanics by BUG() or BUG_ON() as listed below,\r\n\r\n1) BUG_ON() inside bch_btree_insert_key(),\n[code block 2]\n   886         BUG_ON(b->ops->is_extents && !KEY_SIZE(k));\n2) BUG() inside biovec_slab(),\n[code block 3]\n   51         default:\n   52                 BUG();\n   53                 return NULL;\r\n\r\nAll the above panics are original from cached_dev_cache_miss() by the\noversized parameter 'sectors'.\r\n\r\nInside cached_dev_cache_miss(), parameter 'sectors' is used to calculate\nthe size of data read from backing device for the cache missing. This\nsize is stored in s->insert_bio_sectors by the following lines of code,\n[code block 4]\n  909    s->insert_bio_sectors = min(sectors, bio_sectors(bio) + reada);\r\n\r\nThen the actual key inserting to the internal B+ tree is generated and\nstored in s->iop.replace_key by the following lines of code,\n[code block 5]\n  911   s->iop.replace_key = KEY(s->iop.inode,\n  912                    bio->bi_iter.bi_sector + s->insert_bio_sectors,\n  913                    s->insert_bio_sectors);\nThe oversized parameter 'sectors' may trigger panic 1) by BUG_ON() from\nthe above code block.\r\n\r\nAnd the bio sending to backing device for the missing data is allocated\nwith hint from s->insert_bio_sectors by the following lines of code,\n[code block 6]\n  926    cache_bio = bio_alloc_bioset(GFP_NOWAIT,\n  927                 DIV_ROUND_UP(s->insert_bio_sectors, PAGE_SECTORS),\n  928                 &dc->disk.bio_split);\nThe oversized parameter 'sectors' may trigger panic 2) by BUG() from the\nagove code block.\r\n\r\nNow let me explain how the panics happen with the oversized 'sectors'.\nIn code block 5, replace_key is generated by macro KEY(). From the\ndefinition of macro KEY(),\n[code block 7]\n  71 #define KEY(inode, offset, size)                                  \\\n  72 ((struct bkey) {                                                  \\\n  73      .high = (1ULL << 63) | ((__u64) (size) << 20) | (inode),     \\\n  74      .low = (offset)                                              \\\n  75 })\r\n\r\nHere 'size' is 16bits width embedded in 64bits member 'high' of struct\nbkey. But in code block 1, if \"KEY_START(k) - bio->bi_iter.bi_sector\" is\nvery probably to be larger than (1<<16) - 1, which makes the bkey size\ncalculation in code block 5 is overflowed. In one bug report the value\nof parameter 'sectors' is 131072 (= 1 << 17), the overflowed 'sectors'\nresults the overflowed s->insert_bio_sectors in code block 4, then makes\nsize field of s->iop.replace_key to be 0 in code block 5. Then the 0-\nsized s->iop.replace_key is inserted into the internal B+ tree as cache\nmissing check key (a special key to detect and avoid a racing between\nnormal write request and cache missing read request) as,\n[code block 8]\n  915   ret = bch_btree_insert_check_key(b, &s->op, &s->iop.replace_key);\r\n\r\nThen the 0-sized s->iop.replace_key as 3rd parameter triggers the bkey\nsize check BUG_ON() in code block 2, and causes the kernel panic 1).\r\n\r\nAnother ke\n---truncated---(CVE-2021-47275)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nkvm: avoid speculation-based attacks from out-of-range memslot accesses\r\n\r\nKVM's mechanism for accessing guest memory translates a guest physical\naddress (gpa) to a host virtual address using the right-shifted gpa\n(also known as gfn) and a struct kvm_memory_slot.  The translation is\nperformed in __gfn_to_hva_memslot using the following formula:\r\n\r\n      hva = slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE\r\n\r\nIt is expected that gfn falls within the boundaries of the guest's\nphysical memory.  However, a guest can access invalid physical addresses\nin such a way that the gfn is invalid.\r\n\r\n__gfn_to_hva_memslot is called from kvm_vcpu_gfn_to_hva_prot, which first\nretrieves a memslot through __gfn_to_memslot.  While __gfn_to_memslot\ndoes check that the gfn falls within the boundaries of the guest's\nphysical memory or not, a CPU can speculate the result of the check and\ncontinue execution speculatively using an illegal gfn. The speculation\ncan result in calculating an out-of-bounds hva.  If the resulting host\nvirtual address is used to load another guest physical address, this\nis effectively a Spectre gadget consisting of two consecutive reads,\nthe second of which is data dependent on the first.\r\n\r\nRight now it's not clear if there are any cases in which this is\nexploitable.  One interesting case was reported by the original author\nof this patch, and involves visiting guest page tables on x86.  Right\nnow these are not vulnerable because the hva read goes through get_user(),\nwhich contains an LFENCE speculation barrier.  However, there are\npatches in progress for x86 uaccess.h to mask kernel addresses instead of\nusing LFENCE; once these land, a guest could use speculation to read\nfrom the VMM's ring 3 address space.  Other architectures such as ARM\nalready use the address masking method, and would be susceptible to\nthis same kind of data-dependent access gadgets.  Therefore, this patch\nproactively protects from these attacks by masking out-of-bounds gfns\nin __gfn_to_hva_memslot, which blocks speculation of invalid hvas.\r\n\r\nSean Christopherson noted that this patch does not cover\nkvm_read_guest_offset_cached.  This however is limited to a few bytes\npast the end of the cache, and therefore it is unlikely to be useful in\nthe context of building a chain of data dependent accesses.(CVE-2021-47277)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: fix uninit-value in caif_seqpkt_sendmsg\r\n\r\nWhen nr_segs equal to zero in iovec_from_user, the object\nmsg->msg_iter.iov is uninit stack memory in caif_seqpkt_sendmsg\nwhich is defined in ___sys_sendmsg. So we cann't just judge\nmsg->msg_iter.iov->base directlly. We can use nr_segs to judge\nmsg in caif_seqpkt_sendmsg whether has data buffers.\r\n\r\n=====================================================\nBUG: KMSAN: uninit-value in caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x1c9/0x220 lib/dump_stack.c:118\n kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215\n caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2343\n ___sys_sendmsg net/socket.c:2397 [inline]\n __sys_sendmmsg+0x808/0xc90 net/socket.c:2480\n __compat_sys_sendmmsg net/compat.c:656 [inline](CVE-2021-47297)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmemory: fsl_ifc: fix leak of private memory on probe failure\r\n\r\nOn probe error the driver should free the memory allocated for private\nstructure.  Fix this by using resource-managed allocation.(CVE-2021-47314)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwatchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff()\r\n\r\nThis module's remove path calls del_timer(). However, that function\ndoes not wait until the timer handler finishes. This means that the\ntimer handler may still be running after the driver's remove function\nhas finished, which would result in a use-after-free.\r\n\r\nFix by calling del_timer_sync(), which makes sure the timer handler\nhas finished, and unable to re-schedule itself.(CVE-2021-47323)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntty: serial: 8250: serial_cs: Fix a memory leak in error handling path\r\n\r\nIn the probe function, if the final 'serial_config()' fails, 'info' is\nleaking.\r\n\r\nAdd a resource handling path to free this memory.(CVE-2021-47330)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/mm: Fix lockup on kernel exec fault\r\n\r\nThe powerpc kernel is not prepared to handle exec faults from kernel.\nEspecially, the function is_exec_fault() will return 'false' when an\nexec fault is taken by kernel, because the check is based on reading\ncurrent->thread.regs->trap which contains the trap from user.\r\n\r\nFor instance, when provoking a LKDTM EXEC_USERSPACE test,\ncurrent->thread.regs->trap is set to SYSCALL trap (0xc00), and\nthe fault taken by the kernel is not seen as an exec fault by\nset_access_flags_filter().\r\n\r\nCommit d7df2443cd5f (\"powerpc/mm: Fix spurious segfaults on radix\nwith autonuma\") made it clear and handled it properly. But later on\ncommit d3ca587404b3 (\"powerpc/mm: Fix reporting of kernel execute\nfaults\") removed that handling, introducing test based on error_code.\nAnd here is the problem, because on the 603 all upper bits of SRR1\nget cleared when the TLB instruction miss handler bails out to ISI.\r\n\r\nUntil commit cbd7e6ca0210 (\"powerpc/fault: Avoid heavy\nsearch_exception_tables() verification\"), an exec fault from kernel\nat a userspace address was indirectly caught by the lack of entry for\nthat address in the exception tables. But after that commit the\nkernel mainly relies on KUAP or on core mm handling to catch wrong\nuser accesses. Here the access is not wrong, so mm handles it.\nIt is a minor fault because PAGE_EXEC is not set,\nset_access_flags_filter() should set PAGE_EXEC and voila.\nBut as is_exec_fault() returns false as explained in the beginning,\nset_access_flags_filter() bails out without setting PAGE_EXEC flag,\nwhich leads to a forever minor exec fault.\r\n\r\nAs the kernel is not prepared to handle such exec faults, the thing to\ndo is to fire in bad_kernel_fault() for any exec fault taken by the\nkernel, as it was prior to commit d3ca587404b3.(CVE-2021-47350)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nudf: Fix NULL pointer dereference in udf_symlink function\r\n\r\nIn function udf_symlink, epos.bh is assigned with the value returned\nby udf_tgetblk. The function udf_tgetblk is defined in udf/misc.c\nand returns the value of sb_getblk function that could be NULL.\nThen, epos.bh is used without any check, causing a possible\nNULL pointer dereference when sb_getblk fails.\r\n\r\nThis fix adds a check to validate the value of epos.bh.(CVE-2021-47353)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\natm: nicstar: Fix possible use-after-free in nicstar_cleanup()\r\n\r\nThis module's remove path calls del_timer(). However, that function\ndoes not wait until the timer handler finishes. This means that the\ntimer handler may still be running after the driver's remove function\nhas finished, which would result in a use-after-free.\r\n\r\nFix by calling del_timer_sync(), which makes sure the timer handler\nhas finished, and unable to re-schedule itself.(CVE-2021-47355)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmISDN: fix possible use-after-free in HFC_cleanup()\r\n\r\nThis module's remove path calls del_timer(). However, that function\ndoes not wait until the timer handler finishes. This means that the\ntimer handler may still be running after the driver's remove function\nhas finished, which would result in a use-after-free.\r\n\r\nFix by calling del_timer_sync(), which makes sure the timer handler\nhas finished, and unable to re-schedule itself.(CVE-2021-47356)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\natm: iphase: fix possible use-after-free in ia_module_exit()\r\n\r\nThis module's remove path calls del_timer(). However, that function\ndoes not wait until the timer handler finishes. This means that the\ntimer handler may still be running after the driver's remove function\nhas finished, which would result in a use-after-free.\r\n\r\nFix by calling del_timer_sync(), which makes sure the timer handler\nhas finished, and unable to re-schedule itself.(CVE-2021-47357)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmcb: fix error handling in mcb_alloc_bus()\r\n\r\nThere are two bugs:\n1) If ida_simple_get() fails then this code calls put_device(carrier)\n   but we haven't yet called get_device(carrier) and probably that\n   leads to a use after free.\n2) After device_initialize() then we need to use put_device() to\n   release the bus.  This will free the internal resources tied to the\n   device and call mcb_free_bus() which will free the rest.(CVE-2021-47361)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/pm: Update intermediate power state for SI\r\n\r\nUpdate the current state as boot state during dpm initialization.\nDuring the subsequent initialization, set_power_state gets called to\ntransition to the final power state. set_power_state refers to values\nfrom the current state and without current state populated, it could\nresult in NULL pointer dereference.\r\n\r\nFor ex: on platforms where PCI speed change is supported through ACPI\nATCS method, the link speed of current state needs to be queried before\ndeciding on changing to final power state's link speed. The logic to query\nATCS-support was broken on certain platforms. The issue became visible\nwhen broken ATCS-support logic got fixed with commit\nf9b7f3703ff9 (\"drm/amdgpu/acpi: make ATPX/ATCS structures global (v2)\").\r\n\r\nBug: https://gitlab.freedesktop.org/drm/amd/-/issues/1698(CVE-2021-47362)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmac80211: fix use-after-free in CCMP/GCMP RX\r\n\r\nWhen PN checking is done in mac80211, for fragmentation we need\nto copy the PN to the RX struct so we can later use it to do a\ncomparison, since commit bf30ca922a0c (\"mac80211: check defrag\nPN against current frame\").\r\n\r\nUnfortunately, in that commit I used the 'hdr' variable without\nit being necessarily valid, so use-after-free could occur if it\nwas necessary to reallocate (parts of) the frame.\r\n\r\nFix this by reloading the variable after the code that results\nin the reallocations, if any.\r\n\r\nThis fixes https://bugzilla.kernel.org/show_bug.cgi?id=214401.(CVE-2021-47388)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap\r\n\r\nLimit max values for vht mcs and nss in ieee80211_parse_tx_radiotap\nroutine in order to fix the following warning reported by syzbot:\r\n\r\nWARNING: CPU: 0 PID: 10717 at include/net/mac80211.h:989 ieee80211_rate_set_vht include/net/mac80211.h:989 [inline]\nWARNING: CPU: 0 PID: 10717 at include/net/mac80211.h:989 ieee80211_parse_tx_radiotap+0x101e/0x12d0 net/mac80211/tx.c:2244\nModules linked in:\nCPU: 0 PID: 10717 Comm: syz-executor.5 Not tainted 5.14.0-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:ieee80211_rate_set_vht include/net/mac80211.h:989 [inline]\nRIP: 0010:ieee80211_parse_tx_radiotap+0x101e/0x12d0 net/mac80211/tx.c:2244\nRSP: 0018:ffffc9000186f3e8 EFLAGS: 00010216\nRAX: 0000000000000618 RBX: ffff88804ef76500 RCX: ffffc900143a5000\nRDX: 0000000000040000 RSI: ffffffff888f478e RDI: 0000000000000003\nRBP: 00000000ffffffff R08: 0000000000000000 R09: 0000000000000100\nR10: ffffffff888f46f9 R11: 0000000000000000 R12: 00000000fffffff8\nR13: ffff88804ef7653c R14: 0000000000000001 R15: 0000000000000004\nFS:  00007fbf5718f700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b2de23000 CR3: 000000006a671000 CR4: 00000000001506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600\nCall Trace:\n ieee80211_monitor_select_queue+0xa6/0x250 net/mac80211/iface.c:740\n netdev_core_pick_tx+0x169/0x2e0 net/core/dev.c:4089\n __dev_queue_xmit+0x6f9/0x3710 net/core/dev.c:4165\n __bpf_tx_skb net/core/filter.c:2114 [inline]\n __bpf_redirect_no_mac net/core/filter.c:2139 [inline]\n __bpf_redirect+0x5ba/0xd20 net/core/filter.c:2162\n ____bpf_clone_redirect net/core/filter.c:2429 [inline]\n bpf_clone_redirect+0x2ae/0x420 net/core/filter.c:2401\n bpf_prog_eeb6f53a69e5c6a2+0x59/0x234\n bpf_dispatcher_nop_func include/linux/bpf.h:717 [inline]\n __bpf_prog_run include/linux/filter.h:624 [inline]\n bpf_prog_run include/linux/filter.h:631 [inline]\n bpf_test_run+0x381/0xa30 net/bpf/test_run.c:119\n bpf_prog_test_run_skb+0xb84/0x1ee0 net/bpf/test_run.c:663\n bpf_prog_test_run kernel/bpf/syscall.c:3307 [inline]\n __sys_bpf+0x2137/0x5df0 kernel/bpf/syscall.c:4605\n __do_sys_bpf kernel/bpf/syscall.c:4691 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:4689 [inline]\n __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4689\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x4665f9(CVE-2021-47395)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb\r\n\r\nWe should always check if skb_header_pointer's return is NULL before\nusing it, otherwise it may cause null-ptr-deref, as syzbot reported:\r\n\r\n  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n  RIP: 0010:sctp_rcv_ootb net/sctp/input.c:705 [inline]\n  RIP: 0010:sctp_rcv+0x1d84/0x3220 net/sctp/input.c:196\n  Call Trace:\n  <IRQ>\n   sctp6_rcv+0x38/0x60 net/sctp/ipv6.c:1109\n   ip6_protocol_deliver_rcu+0x2e9/0x1ca0 net/ipv6/ip6_input.c:422\n   ip6_input_finish+0x62/0x170 net/ipv6/ip6_input.c:463\n   NF_HOOK include/linux/netfilter.h:307 [inline]\n   NF_HOOK include/linux/netfilter.h:301 [inline]\n   ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:472\n   dst_input include/net/dst.h:460 [inline]\n   ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]\n   NF_HOOK include/linux/netfilter.h:307 [inline]\n   NF_HOOK include/linux/netfilter.h:301 [inline]\n   ipv6_rcv+0x28c/0x3c0 net/ipv6/ip6_input.c:297(CVE-2021-47397)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipack: ipoctal: fix stack information leak\r\n\r\nThe tty driver name is used also after registering the driver and must\nspecifically not be allocated on the stack to avoid leaking information\nto user space (or triggering an oops).\r\n\r\nDrivers should not try to encode topology information in the tty device\nname but this one snuck in through staging without anyone noticing and\nanother driver has since copied this malpractice.\r\n\r\nFixing the ABI is a separate issue, but this at least plugs the security\nhole.(CVE-2021-47401)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nHID: betop: fix slab-out-of-bounds Write in betop_probe\r\n\r\nSyzbot reported slab-out-of-bounds Write bug in hid-betopff driver.\nThe problem is the driver assumes the device must have an input report but\nsome malicious devices violate this assumption.\r\n\r\nSo this patch checks hid_device's input is non empty before it's been used.(CVE-2021-47404)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nHID: usbhid: free raw_report buffers in usbhid_stop\r\n\r\nFree the unsent raw_report buffers when the device is removed.\r\n\r\nFixes a memory leak reported by syzbot at:\nhttps://syzkaller.appspot.com/bug?id=7b4fa7cb1a7c2d3342a2a8a6c53371c8c418ab47(CVE-2021-47405)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: conntrack: serialize hash resizes and cleanups\r\n\r\nSyzbot was able to trigger the following warning [1]\r\n\r\nNo repro found by syzbot yet but I was able to trigger similar issue\nby having 2 scripts running in parallel, changing conntrack hash sizes,\nand:\r\n\r\nfor j in `seq 1 1000` ; do unshare -n /bin/true >/dev/null ; done\r\n\r\nIt would take more than 5 minutes for net_namespace structures\nto be cleaned up.\r\n\r\nThis is because nf_ct_iterate_cleanup() has to restart everytime\na resize happened.\r\n\r\nBy adding a mutex, we can serialize hash resizes and cleanups\nand also make get_next_corpse() faster by skipping over empty\nbuckets.\r\n\r\nEven without resizes in the picture, this patch considerably\nspeeds up network namespace dismantles.\r\n\r\n[1]\nINFO: task syz-executor.0:8312 can't die for more than 144 seconds.\ntask:syz-executor.0  state:R  running task     stack:25672 pid: 8312 ppid:  6573 flags:0x00004006\nCall Trace:\n context_switch kernel/sched/core.c:4955 [inline]\n __schedule+0x940/0x26f0 kernel/sched/core.c:6236\n preempt_schedule_common+0x45/0xc0 kernel/sched/core.c:6408\n preempt_schedule_thunk+0x16/0x18 arch/x86/entry/thunk_64.S:35\n __local_bh_enable_ip+0x109/0x120 kernel/softirq.c:390\n local_bh_enable include/linux/bottom_half.h:32 [inline]\n get_next_corpse net/netfilter/nf_conntrack_core.c:2252 [inline]\n nf_ct_iterate_cleanup+0x15a/0x450 net/netfilter/nf_conntrack_core.c:2275\n nf_conntrack_cleanup_net_list+0x14c/0x4f0 net/netfilter/nf_conntrack_core.c:2469\n ops_exit_list+0x10d/0x160 net/core/net_namespace.c:171\n setup_net+0x639/0xa30 net/core/net_namespace.c:349\n copy_net_ns+0x319/0x760 net/core/net_namespace.c:470\n create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110\n unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:226\n ksys_unshare+0x445/0x920 kernel/fork.c:3128\n __do_sys_unshare kernel/fork.c:3202 [inline]\n __se_sys_unshare kernel/fork.c:3200 [inline]\n __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3200\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f63da68e739\nRSP: 002b:00007f63d7c05188 EFLAGS: 00000246 ORIG_RAX: 0000000000000110\nRAX: ffffffffffffffda RBX: 00007f63da792f80 RCX: 00007f63da68e739\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000000\nRBP: 00007f63da6e8cc4 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007f63da792f80\nR13: 00007fff50b75d3f R14: 00007f63d7c05300 R15: 0000000000022000\r\n\r\nShowing all locks held in the system:\n1 lock held by khungtaskd/27:\n #0: ffffffff8b980020 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6446\n2 locks held by kworker/u4:2/153:\n #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]\n #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: arch_atomic_long_set include/linux/atomic/atomic-long.h:41 [inline]\n #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: atomic_long_set include/linux/atomic/atomic-instrumented.h:1198 [inline]\n #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:634 [inline]\n #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:661 [inline]\n #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x896/0x1690 kernel/workqueue.c:2268\n #1: ffffc9000140fdb0 ((kfence_timer).work){+.+.}-{0:0}, at: process_one_work+0x8ca/0x1690 kernel/workqueue.c:2272\n1 lock held by systemd-udevd/2970:\n1 lock held by in:imklog/6258:\n #0: ffff88807f970ff0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:990\n3 locks held by kworker/1:6/8158:\n1 lock held by syz-executor.0/8312:\n2 locks held by kworker/u4:13/9320:\n1 lock held by\n---truncated---(CVE-2021-47408)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/nouveau/debugfs: fix file release memory leak\r\n\r\nWhen using single_open() for opening, single_release() should be\ncalled, otherwise the 'op' allocated in single_open() will be leaked.(CVE-2021-47423)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: iscsi: Fix iscsi_task use after free\r\n\r\nCommit d39df158518c (\"scsi: iscsi: Have abort handler get ref to conn\")\nadded iscsi_get_conn()/iscsi_put_conn() calls during abort handling but\nthen also changed the handling of the case where we detect an already\ncompleted task where we now end up doing a goto to the common put/cleanup\ncode. This results in a iscsi_task use after free, because the common\ncleanup code will do a put on the iscsi_task.\r\n\r\nThis reverts the goto and moves the iscsi_get_conn() to after we've checked\nif the iscsi_task is valid.(CVE-2021-47427)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5e: Fix memory leak in mlx5_core_destroy_cq() error path\r\n\r\nPrior to this patch in case mlx5_core_destroy_cq() failed it returns\nwithout completing all destroy operations and that leads to memory leak.\nInstead, complete the destroy flow before return error.\r\n\r\nAlso move mlx5_debug_cq_remove() to the beginning of mlx5_core_destroy_cq()\nto be symmetrical with mlx5_core_create_cq().\r\n\r\nkmemleak complains on:\r\n\r\nunreferenced object 0xc000000038625100 (size 64):\n  comm \"ethtool\", pid 28301, jiffies 4298062946 (age 785.380s)\n  hex dump (first 32 bytes):\n    60 01 48 94 00 00 00 c0 b8 05 34 c3 00 00 00 c0  `.H.......4.....\n    02 00 00 00 00 00 00 00 00 db 7d c1 00 00 00 c0  ..........}.....\n  backtrace:\n    [<000000009e8643cb>] add_res_tree+0xd0/0x270 [mlx5_core]\n    [<00000000e7cb8e6c>] mlx5_debug_cq_add+0x5c/0xc0 [mlx5_core]\n    [<000000002a12918f>] mlx5_core_create_cq+0x1d0/0x2d0 [mlx5_core]\n    [<00000000cef0a696>] mlx5e_create_cq+0x210/0x3f0 [mlx5_core]\n    [<000000009c642c26>] mlx5e_open_cq+0xb4/0x130 [mlx5_core]\n    [<0000000058dfa578>] mlx5e_ptp_open+0x7f4/0xe10 [mlx5_core]\n    [<0000000081839561>] mlx5e_open_channels+0x9cc/0x13e0 [mlx5_core]\n    [<0000000009cf05d4>] mlx5e_switch_priv_channels+0xa4/0x230\n[mlx5_core]\n    [<0000000042bbedd8>] mlx5e_safe_switch_params+0x14c/0x300\n[mlx5_core]\n    [<0000000004bc9db8>] set_pflag_tx_port_ts+0x9c/0x160 [mlx5_core]\n    [<00000000a0553443>] mlx5e_set_priv_flags+0xd0/0x1b0 [mlx5_core]\n    [<00000000a8f3d84b>] ethnl_set_privflags+0x234/0x2d0\n    [<00000000fd27f27c>] genl_family_rcv_msg_doit+0x108/0x1d0\n    [<00000000f495e2bb>] genl_family_rcv_msg+0xe4/0x1f0\n    [<00000000646c5c2c>] genl_rcv_msg+0x78/0x120\n    [<00000000d53e384e>] netlink_rcv_skb+0x74/0x1a0(CVE-2021-47438)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nNFC: digital: fix possible memory leak in digital_in_send_sdd_req()\r\n\r\n'skb' is allocated in digital_in_send_sdd_req(), but not free when\ndigital_in_send_cmd() failed, which will cause memory leak. Fix it\nby freeing 'skb' if digital_in_send_cmd() return failed.(CVE-2021-47442)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nNFC: digital: fix possible memory leak in digital_tg_listen_mdaa()\r\n\r\n'params' is allocated in digital_tg_listen_mdaa(), but not free when\ndigital_send_cmd() failed, which will cause memory leak. Fix it by\nfreeing 'params' if digital_send_cmd() return failed.(CVE-2021-47443)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/msm: Fix null pointer dereference on pointer edp\r\n\r\nThe initialization of pointer dev dereferences pointer edp before\nedp is null checked, so there is a potential null pointer deference\nissue. Fix this by only dereferencing edp after edp has been null\nchecked.\r\n\r\nAddresses-Coverity: (\"Dereference before null check\")(CVE-2021-47445)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nocfs2: mount fails with buffer overflow in strlen\r\n\r\nStarting with kernel 5.11 built with CONFIG_FORTIFY_SOURCE mouting an\nocfs2 filesystem with either o2cb or pcmk cluster stack fails with the\ntrace below.  Problem seems to be that strings for cluster stack and\ncluster name are not guaranteed to be null terminated in the disk\nrepresentation, while strlcpy assumes that the source string is always\nnull terminated.  This causes a read outside of the source string\ntriggering the buffer overflow detection.\r\n\r\n  detected buffer overflow in strlen\n  ------------[ cut here ]------------\n  kernel BUG at lib/string.c:1149!\n  invalid opcode: 0000 [#1] SMP PTI\n  CPU: 1 PID: 910 Comm: mount.ocfs2 Not tainted 5.14.0-1-amd64 #1\n    Debian 5.14.6-2\n  RIP: 0010:fortify_panic+0xf/0x11\n  ...\n  Call Trace:\n   ocfs2_initialize_super.isra.0.cold+0xc/0x18 [ocfs2]\n   ocfs2_fill_super+0x359/0x19b0 [ocfs2]\n   mount_bdev+0x185/0x1b0\n   legacy_get_tree+0x27/0x40\n   vfs_get_tree+0x25/0xb0\n   path_mount+0x454/0xa20\n   __x64_sys_mount+0x103/0x140\n   do_syscall_64+0x3b/0xc0\n   entry_SYSCALL_64_after_hwframe+0x44/0xae(CVE-2021-47458)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncan: j1939: j1939_netdev_start(): fix UAF for rx_kref of j1939_priv\r\n\r\nIt will trigger UAF for rx_kref of j1939_priv as following.\r\n\r\n        cpu0                                    cpu1\nj1939_sk_bind(socket0, ndev0, ...)\nj1939_netdev_start\n                                        j1939_sk_bind(socket1, ndev0, ...)\n                                        j1939_netdev_start\nj1939_priv_set\n                                        j1939_priv_get_by_ndev_locked\nj1939_jsk_add\n.....\nj1939_netdev_stop\nkref_put_lock(&priv->rx_kref, ...)\n                                        kref_get(&priv->rx_kref, ...)\n                                        REFCOUNT_WARN(\"addition on 0;...\")\r\n\r\n====================================================\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 1 PID: 20874 at lib/refcount.c:25 refcount_warn_saturate+0x169/0x1e0\nRIP: 0010:refcount_warn_saturate+0x169/0x1e0\nCall Trace:\n j1939_netdev_start+0x68b/0x920\n j1939_sk_bind+0x426/0xeb0\n ? security_socket_bind+0x83/0xb0\r\n\r\nThe rx_kref's kref_get() and kref_put() should use j1939_netdev_lock to\nprotect.(CVE-2021-47459)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncomedi: vmk80xx: fix transfer-buffer overflows\r\n\r\nThe driver uses endpoint-sized USB transfer buffers but up until\nrecently had no sanity checks on the sizes.\r\n\r\nCommit e1f13c879a7c (\"staging: comedi: check validity of wMaxPacketSize\nof usb endpoints found\") inadvertently fixed NULL-pointer dereferences\nwhen accessing the transfer buffers in case a malicious device has a\nzero wMaxPacketSize.\r\n\r\nMake sure to allocate buffers large enough to handle also the other\naccesses that are done without a size check (e.g. byte 18 in\nvmk80xx_cnt_insn_read() for the VMK8061_MODEL) to avoid writing beyond\nthe buffers, for example, when doing descriptor fuzzing.\r\n\r\nThe original driver was for a low-speed device with 8-byte buffers.\nSupport was later added for a device that uses bulk transfers and is\npresumably a full-speed device with a maximum 64-byte wMaxPacketSize.(CVE-2021-47475)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncomedi: dt9812: fix DMA buffers on stack\r\n\r\nUSB transfer buffers are typically mapped for DMA and must not be\nallocated on the stack or transfers will fail.\r\n\r\nAllocate proper transfer buffers in the various command helpers and\nreturn an error on short transfers instead of acting on random stack\ndata.\r\n\r\nNote that this also fixes a stack info leak on systems where DMA is not\nused as 32 bytes are always sent to the device regardless of how short\nthe command is.(CVE-2021-47477)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusbnet: sanity check for maxpacket\r\n\r\nmaxpacket of 0 makes no sense and oopses as we need to divide\nby it. Give up.\r\n\r\nV2: fixed typo in log and stylistic issues(CVE-2021-47495)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nperf hist: Fix memory leak of a perf_hpp_fmt\r\n\r\nperf_hpp__column_unregister() removes an entry from a list but doesn't\nfree the memory causing a memory leak spotted by leak sanitizer.\r\n\r\nAdd the free while at the same time reducing the scope of the function\nto static.(CVE-2021-47545)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port()\r\n\r\nThe if statement:\n  if (port >= DSAF_GE_NUM)\n        return;\r\n\r\nlimits the value of port less than DSAF_GE_NUM (i.e., 8).\nHowever, if the value of port is 6 or 7, an array overflow could occur:\n  port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off;\r\n\r\nbecause the length of dsaf_dev->mac_cb is DSAF_MAX_PORT_NUM (i.e., 6).\r\n\r\nTo fix this possible array overflow, we first check port and if it is\ngreater than or equal to DSAF_MAX_PORT_NUM, the function returns.(CVE-2021-47548)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl\r\n\r\nWhen the `rmmod sata_fsl.ko` command is executed in the PPC64 GNU/Linux,\na bug is reported:\n ==================================================================\n BUG: Unable to handle kernel data access on read at 0x80000800805b502c\n Oops: Kernel access of bad area, sig: 11 [#1]\n NIP [c0000000000388a4] .ioread32+0x4/0x20\n LR [80000000000c6034] .sata_fsl_port_stop+0x44/0xe0 [sata_fsl]\n Call Trace:\n  .free_irq+0x1c/0x4e0 (unreliable)\n  .ata_host_stop+0x74/0xd0 [libata]\n  .release_nodes+0x330/0x3f0\n  .device_release_driver_internal+0x178/0x2c0\n  .driver_detach+0x64/0xd0\n  .bus_remove_driver+0x70/0xf0\n  .driver_unregister+0x38/0x80\n  .platform_driver_unregister+0x14/0x30\n  .fsl_sata_driver_exit+0x18/0xa20 [sata_fsl]\n  .__se_sys_delete_module+0x1ec/0x2d0\n  .system_call_exception+0xfc/0x1f0\n  system_call_common+0xf8/0x200\n ==================================================================\r\n\r\nThe triggering of the BUG is shown in the following stack:\r\n\r\ndriver_detach\n  device_release_driver_internal\n    __device_release_driver\n      drv->remove(dev) --> platform_drv_remove/platform_remove\n        drv->remove(dev) --> sata_fsl_remove\n          iounmap(host_priv->hcr_base);\t\t\t<---- unmap\n          kfree(host_priv);                             <---- free\n      devres_release_all\n        release_nodes\n          dr->node.release(dev, dr->data) --> ata_host_stop\n            ap->ops->port_stop(ap) --> sata_fsl_port_stop\n                ioread32(hcr_base + HCONTROL)           <---- UAF\n            host->ops->host_stop(host)\r\n\r\nThe iounmap(host_priv->hcr_base) and kfree(host_priv) functions should\nnot be executed in drv->remove. These functions should be executed in\nhost_stop after port_stop. Therefore, we move these functions to the\nnew function sata_fsl_host_stop and bind the new function to host_stop.(CVE-2021-47549)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/smc: Fix NULL pointer dereferencing in smc_vlan_by_tcpsk()\r\n\r\nCoverity reports a possible NULL dereferencing problem:\r\n\r\nin smc_vlan_by_tcpsk():\n6. returned_null: netdev_lower_get_next returns NULL (checked 29 out of 30 times).\n7. var_assigned: Assigning: ndev = NULL return value from netdev_lower_get_next.\n1623                ndev = (struct net_device *)netdev_lower_get_next(ndev, &lower);\nCID 1468509 (#1 of 1): Dereference null return value (NULL_RETURNS)\n8. dereference: Dereferencing a pointer that might be NULL ndev when calling is_vlan_dev.\n1624                if (is_vlan_dev(ndev)) {\r\n\r\nRemove the manual implementation and use netdev_walk_all_lower_dev() to\niterate over the lower devices. While on it remove an obsolete function\nparameter comment.(CVE-2021-47559)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npinctrl: single: fix potential NULL dereference\r\n\r\nAdded checking of pointer \"function\" in pcs_set_mux().\npinmux_generic_get_function() can return NULL and the pointer\n\"function\" was dereferenced without checking against NULL.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2022-48708)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: s390/aes - Fix buffer overread in CTR mode\r\n\r\nWhen processing the last block, the s390 ctr code will always read\na whole block, even if there isn't a whole block of data left.  Fix\nthis by using the actual length left and copy it into a buffer first\nfor processing.(CVE-2023-52669)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nACPI: video: check for error while searching for backlight device parent\r\n\r\nIf acpi_get_parent() called in acpi_video_dev_register_backlight()\nfails, for example, because acpi_ut_acquire_mutex() fails inside\nacpi_get_parent), this can lead to incorrect (uninitialized)\nacpi_parent handle being passed to acpi_get_pci_dev() for detecting\nthe parent pci device.\r\n\r\nCheck acpi_get_parent() result and set parent device only in case of success.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2023-52693)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsysv: don't call sb_bread() with pointers_lock held\r\n\r\nsyzbot is reporting sleep in atomic context in SysV filesystem [1], for\nsb_bread() is called with rw_spinlock held.\r\n\r\nA \"write_lock(&pointers_lock) => read_lock(&pointers_lock) deadlock\" bug\nand a \"sb_bread() with write_lock(&pointers_lock)\" bug were introduced by\n\"Replace BKL for chain locking with sysvfs-private rwlock\" in Linux 2.5.12.\r\n\r\nThen, \"[PATCH] err1-40: sysvfs locking fix\" in Linux 2.6.8 fixed the\nformer bug by moving pointers_lock lock to the callers, but instead\nintroduced a \"sb_bread() with read_lock(&pointers_lock)\" bug (which made\nthis problem easier to hit).\r\n\r\nAl Viro suggested that why not to do like get_branch()/get_block()/\nfind_shared() in Minix filesystem does. And doing like that is almost a\nrevert of \"[PATCH] err1-40: sysvfs locking fix\" except that get_branch()\n from with find_shared() is called without write_lock(&pointers_lock).(CVE-2023-52699)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/usb: kalmia: Don't pass act_len in usb_bulk_msg error path\r\n\r\nsyzbot reported that act_len in kalmia_send_init_packet() is\nuninitialized when passing it to the first usb_bulk_msg error path. Jiri\nPirko noted that it's pointless to pass it in the error path, and that\nthe value that would be printed in the second error path would be the\nvalue of act_len from the first call to usb_bulk_msg.[1]\r\n\r\nWith this in mind, let's just not pass act_len to the usb_bulk_msg error\npaths.\r\n\r\n1: https://lore.kernel.org/lkml/Y9pY61y1nwTuzMOa@nanopsycho/(CVE-2023-52703)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\narm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer\r\n\r\nPrior to LLVM 15.0.0, LLVM's integrated assembler would incorrectly\nbyte-swap NOP when compiling for big-endian, and the resulting series of\nbytes happened to match the encoding of FNMADD S21, S30, S0, S0.\r\n\r\nThis went unnoticed until commit:\r\n\r\n  34f66c4c4d5518c1 (\"arm64: Use a positive cpucap for FP/SIMD\")\r\n\r\nPrior to that commit, the kernel would always enable the use of FPSIMD\nearly in boot when __cpu_setup() initialized CPACR_EL1, and so usage of\nFNMADD within the kernel was not detected, but could result in the\ncorruption of user or kernel FPSIMD state.\r\n\r\nAfter that commit, the instructions happen to trap during boot prior to\nFPSIMD being detected and enabled, e.g.\r\n\r\n| Unhandled 64-bit el1h sync exception on CPU0, ESR 0x000000001fe00000 -- ASIMD\n| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1\n| Hardware name: linux,dummy-virt (DT)\n| pstate: 400000c9 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n| pc : __pi_strcmp+0x1c/0x150\n| lr : populate_properties+0xe4/0x254\n| sp : ffffd014173d3ad0\n| x29: ffffd014173d3af0 x28: fffffbfffddffcb8 x27: 0000000000000000\n| x26: 0000000000000058 x25: fffffbfffddfe054 x24: 0000000000000008\n| x23: fffffbfffddfe000 x22: fffffbfffddfe000 x21: fffffbfffddfe044\n| x20: ffffd014173d3b70 x19: 0000000000000001 x18: 0000000000000005\n| x17: 0000000000000010 x16: 0000000000000000 x15: 00000000413e7000\n| x14: 0000000000000000 x13: 0000000000001bcc x12: 0000000000000000\n| x11: 00000000d00dfeed x10: ffffd414193f2cd0 x9 : 0000000000000000\n| x8 : 0101010101010101 x7 : ffffffffffffffc0 x6 : 0000000000000000\n| x5 : 0000000000000000 x4 : 0101010101010101 x3 : 000000000000002a\n| x2 : 0000000000000001 x1 : ffffd014171f2988 x0 : fffffbfffddffcb8\n| Kernel panic - not syncing: Unhandled exception\n| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1\n| Hardware name: linux,dummy-virt (DT)\n| Call trace:\n|  dump_backtrace+0xec/0x108\n|  show_stack+0x18/0x2c\n|  dump_stack_lvl+0x50/0x68\n|  dump_stack+0x18/0x24\n|  panic+0x13c/0x340\n|  el1t_64_irq_handler+0x0/0x1c\n|  el1_abort+0x0/0x5c\n|  el1h_64_sync+0x64/0x68\n|  __pi_strcmp+0x1c/0x150\n|  unflatten_dt_nodes+0x1e8/0x2d8\n|  __unflatten_device_tree+0x5c/0x15c\n|  unflatten_device_tree+0x38/0x50\n|  setup_arch+0x164/0x1e0\n|  start_kernel+0x64/0x38c\n|  __primary_switched+0xbc/0xc4\r\n\r\nRestrict CONFIG_CPU_BIG_ENDIAN to a known good assembler, which is\neither GNU as or LLVM's IAS 15.0.0 and newer, which contains the linked\ncommit.(CVE-2023-52750)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsmb: client: fix use-after-free bug in cifs_debug_data_proc_show()\r\n\r\nSkip SMB sessions that are being teared down\n(e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show()\nto avoid use-after-free in @ses.\r\n\r\nThis fixes the following GPF when reading from /proc/fs/cifs/DebugData\nwhile mounting and umounting\r\n\r\n  [ 816.251274] general protection fault, probably for non-canonical\n  address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI\n  ...\n  [  816.260138] Call Trace:\n  [  816.260329]  <TASK>\n  [  816.260499]  ? die_addr+0x36/0x90\n  [  816.260762]  ? exc_general_protection+0x1b3/0x410\n  [  816.261126]  ? asm_exc_general_protection+0x26/0x30\n  [  816.261502]  ? cifs_debug_tcon+0xbd/0x240 [cifs]\n  [  816.261878]  ? cifs_debug_tcon+0xab/0x240 [cifs]\n  [  816.262249]  cifs_debug_data_proc_show+0x516/0xdb0 [cifs]\n  [  816.262689]  ? seq_read_iter+0x379/0x470\n  [  816.262995]  seq_read_iter+0x118/0x470\n  [  816.263291]  proc_reg_read_iter+0x53/0x90\n  [  816.263596]  ? srso_alias_return_thunk+0x5/0x7f\n  [  816.263945]  vfs_read+0x201/0x350\n  [  816.264211]  ksys_read+0x75/0x100\n  [  816.264472]  do_syscall_64+0x3f/0x90\n  [  816.264750]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n  [  816.265135] RIP: 0033:0x7fd5e669d381(CVE-2023-52752)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngfs2: ignore negated quota changes\r\n\r\nWhen lots of quota changes are made, there may be cases in which an\ninode's quota information is increased and then decreased, such as when\nblocks are added to a file, then deleted from it. If the timing is\nright, function do_qc can add pending quota changes to a transaction,\nthen later, another call to do_qc can negate those changes, resulting\nin a net gain of 0. The quota_change information is recorded in the qc\nbuffer (and qd element of the inode as well). The buffer is added to the\ntransaction by the first call to do_qc, but a subsequent call changes\nthe value from non-zero back to zero. At that point it's too late to\nremove the buffer_head from the transaction. Later, when the quota sync\ncode is called, the zero-change qd element is discovered and flagged as\nan assert warning. If the fs is mounted with errors=panic, the kernel\nwill panic.\r\n\r\nThis is usually seen when files are truncated and the quota changes are\nnegated by punch_hole/truncate which uses gfs2_quota_hold and\ngfs2_quota_unhold rather than block allocations that use gfs2_quota_lock\nand gfs2_quota_unlock which automatically do quota sync.\r\n\r\nThis patch solves the problem by adding a check to qd_check_sync such\nthat net-zero quota changes already added to the transaction are no\nlonger deemed necessary to be synced, and skipped.\r\n\r\nIn this case references are taken for the qd and the slot from do_qc\nso those need to be put. The normal sequence of events for a normal\nnon-zero quota change is as follows:\r\n\r\ngfs2_quota_change\n   do_qc\n      qd_hold\n      slot_hold\r\n\r\nLater, when the changes are to be synced:\r\n\r\ngfs2_quota_sync\n   qd_fish\n      qd_check_sync\n         gets qd ref via lockref_get_not_dead\n   do_sync\n      do_qc(QC_SYNC)\n         qd_put\n\t    lockref_put_or_lock\n   qd_unlock\n      qd_put\n         lockref_put_or_lock\r\n\r\nIn the net-zero change case, we add a check to qd_check_sync so it puts\nthe qd and slot references acquired in gfs2_quota_change and skip the\nunneeded sync.(CVE-2023-52759)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntty: vcc: Add check for kstrdup() in vcc_probe()\r\n\r\nAdd check for the return value of kstrdup() and return the error, if it\nfails in order to avoid NULL pointer dereference.(CVE-2023-52789)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipvlan: add ipvlan_route_v6_outbound() helper\r\n\r\nInspired by syzbot reports using a stack of multiple ipvlan devices.\r\n\r\nReduce stack size needed in ipvlan_process_v6_outbound() by moving\nthe flowi6 struct used for the route lookup in an non inlined\nhelper. ipvlan_route_v6_outbound() needs 120 bytes on the stack,\nimmediately reclaimed.\r\n\r\nAlso make sure ipvlan_process_v4_outbound() is not inlined.\r\n\r\nWe might also have to lower MAX_NEST_DEV, because only syzbot uses\nsetups with more than four stacked devices.\r\n\r\nBUG: TASK stack guard page was hit at ffffc9000e803ff8 (stack is ffffc9000e804000..ffffc9000e808000)\nstack guard page: 0000 [#1] SMP KASAN\nCPU: 0 PID: 13442 Comm: syz-executor.4 Not tainted 6.1.52-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023\nRIP: 0010:kasan_check_range+0x4/0x2a0 mm/kasan/generic.c:188\nCode: 48 01 c6 48 89 c7 e8 db 4e c1 03 31 c0 5d c3 cc 0f 0b eb 02 0f 0b b8 ea ff ff ff 5d c3 cc 00 00 cc cc 00 00 cc cc 55 48 89 e5 <41> 57 41 56 41 55 41 54 53 b0 01 48 85 f6 0f 84 a4 01 00 00 48 89\nRSP: 0018:ffffc9000e804000 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817e5bf2\nRDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff887c6568\nRBP: ffffc9000e804000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff92001d0080c\nR13: dffffc0000000000 R14: ffffffff87e6b100 R15: 0000000000000000\nFS: 00007fd0c55826c0(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000e803ff8 CR3: 0000000170ef7000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<#DF>\n</#DF>\n<TASK>\n[<ffffffff81f281d1>] __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31\n[<ffffffff817e5bf2>] instrument_atomic_read include/linux/instrumented.h:72 [inline]\n[<ffffffff817e5bf2>] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\n[<ffffffff817e5bf2>] cpumask_test_cpu include/linux/cpumask.h:506 [inline]\n[<ffffffff817e5bf2>] cpu_online include/linux/cpumask.h:1092 [inline]\n[<ffffffff817e5bf2>] trace_lock_acquire include/trace/events/lock.h:24 [inline]\n[<ffffffff817e5bf2>] lock_acquire+0xe2/0x590 kernel/locking/lockdep.c:5632\n[<ffffffff8563221e>] rcu_lock_acquire+0x2e/0x40 include/linux/rcupdate.h:306\n[<ffffffff8561464d>] rcu_read_lock include/linux/rcupdate.h:747 [inline]\n[<ffffffff8561464d>] ip6_pol_route+0x15d/0x1440 net/ipv6/route.c:2221\n[<ffffffff85618120>] ip6_pol_route_output+0x50/0x80 net/ipv6/route.c:2606\n[<ffffffff856f65b5>] pol_lookup_func include/net/ip6_fib.h:584 [inline]\n[<ffffffff856f65b5>] fib6_rule_lookup+0x265/0x620 net/ipv6/fib6_rules.c:116\n[<ffffffff85618009>] ip6_route_output_flags_noref+0x2d9/0x3a0 net/ipv6/route.c:2638\n[<ffffffff8561821a>] ip6_route_output_flags+0xca/0x340 net/ipv6/route.c:2651\n[<ffffffff838bd5a3>] ip6_route_output include/net/ip6_route.h:100 [inline]\n[<ffffffff838bd5a3>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:473 [inline]\n[<ffffffff838bd5a3>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]\n[<ffffffff838bd5a3>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\n[<ffffffff838bd5a3>] ipvlan_queue_xmit+0xc33/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677\n[<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229\n[<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline]\n[<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline]\n[<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660\n[<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324\n[<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline]\n[<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline]\n[<f\n---truncated---(CVE-2023-52796)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix array-index-out-of-bounds in dbFindLeaf\r\n\r\nCurrently while searching for dmtree_t for sufficient free blocks there\nis an array out of bounds while getting element in tp->dm_stree. To add\nthe required check for out of bound we first need to determine the type\nof dmtree. Thus added an extra parameter to dbFindLeaf so that the type\nof tree can be determined and the required check can be applied.(CVE-2023-52799)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\niio: adc: stm32-adc: harden against NULL pointer deref in stm32_adc_probe()\r\n\r\nof_match_device() may fail and returns a NULL pointer.\r\n\r\nIn practice there is no known reasonable way to trigger this, but\nin case one is added in future, harden the code by adding the check(CVE-2023-52802)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/jfs: Add validity check for db_maxag and db_agpref\r\n\r\nBoth db_maxag and db_agpref are used as the index of the\ndb_agfree array, but there is currently no validity check for\ndb_maxag and db_agpref, which can lead to errors.\r\n\r\nThe following is related bug reported by Syzbot:\r\n\r\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:639:20\nindex 7936 is out of range for type 'atomic_t[128]'\r\n\r\nAdd checking that the values of db_maxag and db_agpref are valid\nindexes for the db_agfree array.(CVE-2023-52804)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix array-index-out-of-bounds in diAlloc\r\n\r\nCurrently there is not check against the agno of the iag while\nallocating new inodes to avoid fragmentation problem. Added the check\nwhich is required.(CVE-2023-52805)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup()\r\n\r\nfc_lport_ptp_setup() did not check the return value of fc_rport_create()\nwhich can return NULL and would cause a NULL pointer dereference. Address\nthis issue by checking return value of fc_rport_create() and log error\nmessage on fc_rport_create() failed.(CVE-2023-52809)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga\r\n\r\nFor pptable structs that use flexible array sizes, use flexible arrays.(CVE-2023-52819)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncpu/hotplug: Don't offline the last non-isolated CPU\r\n\r\nIf a system has isolated CPUs via the \"isolcpus=\" command line parameter,\nthen an attempt to offline the last housekeeping CPU will result in a\nWARN_ON() when rebuilding the scheduler domains and a subsequent panic due\nto and unhandled empty CPU mas in partition_sched_domains_locked().\r\n\r\ncpuset_hotplug_workfn()\n  rebuild_sched_domains_locked()\n    ndoms = generate_sched_domains(&doms, &attr);\n      cpumask_and(doms[0], top_cpuset.effective_cpus, housekeeping_cpumask(HK_FLAG_DOMAIN));\r\n\r\nThus results in an empty CPU mask which triggers the warning and then the\nsubsequent crash:\r\n\r\nWARNING: CPU: 4 PID: 80 at kernel/sched/topology.c:2366 build_sched_domains+0x120c/0x1408\nCall trace:\n build_sched_domains+0x120c/0x1408\n partition_sched_domains_locked+0x234/0x880\n rebuild_sched_domains_locked+0x37c/0x798\n rebuild_sched_domains+0x30/0x58\n cpuset_hotplug_workfn+0x2a8/0x930\r\n\r\nUnable to handle kernel paging request at virtual address fffe80027ab37080\n partition_sched_domains_locked+0x318/0x880\n rebuild_sched_domains_locked+0x37c/0x798\r\n\r\nAside of the resulting crash, it does not make any sense to offline the last\nlast housekeeping CPU.\r\n\r\nPrevent this by masking out the non-housekeeping CPUs when selecting a\ntarget CPU for initiating the CPU unplug operation via the work queue.(CVE-2023-52831)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: mac80211: don't return unset power in ieee80211_get_tx_power()\r\n\r\nWe can get a UBSAN warning if ieee80211_get_tx_power() returns the\nINT_MIN value mac80211 internally uses for \"unset power level\".\r\n\r\n UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5\n -2147483648 * 100 cannot be represented in type 'int'\n CPU: 0 PID: 20433 Comm: insmod Tainted: G        WC OE\n Call Trace:\n  dump_stack+0x74/0x92\n  ubsan_epilogue+0x9/0x50\n  handle_overflow+0x8d/0xd0\n  __ubsan_handle_mul_overflow+0xe/0x10\n  nl80211_send_iface+0x688/0x6b0 [cfg80211]\n  [...]\n  cfg80211_register_wdev+0x78/0xb0 [cfg80211]\n  cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211]\n  [...]\n  ieee80211_if_add+0x60e/0x8f0 [mac80211]\n  ieee80211_register_hw+0xda5/0x1170 [mac80211]\r\n\r\nIn this case, simply return an error instead, to indicate\nthat no data is available.(CVE-2023-52832)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntipc: Change nla_policy for bearer-related names to NLA_NUL_STRING\r\n\r\nsyzbot reported the following uninit-value access issue [1]:\r\n\r\n=====================================================\nBUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline]\nBUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756\n strlen lib/string.c:418 [inline]\n strstr+0xb8/0x2f0 lib/string.c:756\n tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595\n genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]\n genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066\n netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545\n genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075\n netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]\n netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368\n netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910\n sock_sendmsg_nosec net/socket.c:730 [inline]\n sock_sendmsg net/socket.c:753 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595\n __sys_sendmsg net/socket.c:2624 [inline]\n __do_sys_sendmsg net/socket.c:2633 [inline]\n __se_sys_sendmsg net/socket.c:2631 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\r\n\r\nUninit was created at:\n slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767\n slab_alloc_node mm/slub.c:3478 [inline]\n kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559\n __alloc_skb+0x318/0x740 net/core/skbuff.c:650\n alloc_skb include/linux/skbuff.h:1286 [inline]\n netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline]\n netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885\n sock_sendmsg_nosec net/socket.c:730 [inline]\n sock_sendmsg net/socket.c:753 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595\n __sys_sendmsg net/socket.c:2624 [inline]\n __do_sys_sendmsg net/socket.c:2633 [inline]\n __se_sys_sendmsg net/socket.c:2631 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\r\n\r\nTIPC bearer-related names including link names must be null-terminated\nstrings. If a link name which is not null-terminated is passed through\nnetlink, strstr() and similar functions can cause buffer overrun. This\ncauses the above issue.\r\n\r\nThis patch changes the nla_policy for bearer-related names from NLA_STRING\nto NLA_NUL_STRING. This resolves the issue by ensuring that only\nnull-terminated strings are accepted as bearer-related names.\r\n\r\nsyzbot reported similar uninit-value issue related to bearer names [2]. The\nroot cause of this issue is that a non-null-terminated bearer name was\npassed. This patch also resolved this issue.(CVE-2023-52845)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncan: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds\r\n\r\nIf the \"struct can_priv::echoo_skb\" is accessed out of bounds, this\nwould cause a kernel crash. Instead, issue a meaningful warning\nmessage and return with an error.(CVE-2023-52878)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nUSB: core: Fix deadlock in usb_deauthorize_interface()\r\n\r\nAmong the attribute file callback routines in\ndrivers/usb/core/sysfs.c, the interface_authorized_store() function is\nthe only one which acquires a device lock on an ancestor device: It\ncalls usb_deauthorize_interface(), which locks the interface's parent\nUSB device.\r\n\r\nThe will lead to deadlock if another process already owns that lock\nand tries to remove the interface, whether through a configuration\nchange or because the device has been disconnected.  As part of the\nremoval procedure, device_del() waits for all ongoing sysfs attribute\ncallbacks to complete.  But usb_deauthorize_interface() can't complete\nuntil the device lock has been released, and the lock won't be\nreleased until the removal has finished.\r\n\r\nThe mechanism provided by sysfs to prevent this kind of deadlock is\nto use the sysfs_break_active_protection() function, which tells sysfs\nnot to wait for the attribute callback.\r\n\r\nReported-and-tested by: Yue Sun <samsun1006219@gmail.com>\nReported by: xingwei lee <xrivendell7@gmail.com>(CVE-2024-26934)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()\r\n\r\nnft_unregister_expr() can concurrent with __nft_expr_type_get(),\nand there is not any protection when iterate over nf_tables_expressions\nlist in __nft_expr_type_get(). Therefore, there is potential data-race\nof nf_tables_expressions list entry.\r\n\r\nUse list_for_each_entry_rcu() to iterate over nf_tables_expressions\nlist in __nft_expr_type_get(), and use rcu_read_lock() in the caller\nnft_expr_type_get() to protect the entire type query process.(CVE-2024-27020)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout\r\n\r\nThere is a race condition between l2cap_chan_timeout() and\nl2cap_chan_del(). When we use l2cap_chan_del() to delete the\nchannel, the chan->conn will be set to null. But the conn could\nbe dereferenced again in the mutex_lock() of l2cap_chan_timeout().\nAs a result the null pointer dereference bug will happen. The\nKASAN report triggered by POC is shown below:\r\n\r\n[  472.074580] ==================================================================\n[  472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0\n[  472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7\n[  472.075308]\n[  472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36\n[  472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[  472.075308] Workqueue: events l2cap_chan_timeout\n[  472.075308] Call Trace:\n[  472.075308]  <TASK>\n[  472.075308]  dump_stack_lvl+0x137/0x1a0\n[  472.075308]  print_report+0x101/0x250\n[  472.075308]  ? __virt_addr_valid+0x77/0x160\n[  472.075308]  ? mutex_lock+0x68/0xc0\n[  472.075308]  kasan_report+0x139/0x170\n[  472.075308]  ? mutex_lock+0x68/0xc0\n[  472.075308]  kasan_check_range+0x2c3/0x2e0\n[  472.075308]  mutex_lock+0x68/0xc0\n[  472.075308]  l2cap_chan_timeout+0x181/0x300\n[  472.075308]  process_one_work+0x5d2/0xe00\n[  472.075308]  worker_thread+0xe1d/0x1660\n[  472.075308]  ? pr_cont_work+0x5e0/0x5e0\n[  472.075308]  kthread+0x2b7/0x350\n[  472.075308]  ? pr_cont_work+0x5e0/0x5e0\n[  472.075308]  ? kthread_blkcg+0xd0/0xd0\n[  472.075308]  ret_from_fork+0x4d/0x80\n[  472.075308]  ? kthread_blkcg+0xd0/0xd0\n[  472.075308]  ret_from_fork_asm+0x11/0x20\n[  472.075308]  </TASK>\n[  472.075308] ==================================================================\n[  472.094860] Disabling lock debugging due to kernel taint\n[  472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158\n[  472.096136] #PF: supervisor write access in kernel mode\n[  472.096136] #PF: error_code(0x0002) - not-present page\n[  472.096136] PGD 0 P4D 0\n[  472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI\n[  472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G    B              6.9.0-rc5-00356-g78c0094a146b #36\n[  472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[  472.096136] Workqueue: events l2cap_chan_timeout\n[  472.096136] RIP: 0010:mutex_lock+0x88/0xc0\n[  472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88\n[  472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246\n[  472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865\n[  472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78\n[  472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f\n[  472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000\n[  472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00\n[  472.096136] FS:  0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000\n[  472.096136] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0\n[  472.096136] Call Trace:\n[  472.096136]  <TASK>\n[  472.096136]  ? __die_body+0x8d/0xe0\n[  472.096136]  ? page_fault_oops+0x6b8/0x9a0\n[  472.096136]  ? kernelmode_fixup_or_oops+0x20c/0x2a0\n[  472.096136]  ? do_user_addr_fault+0x1027/0x1340\n[  472.096136]  ? _printk+0x7a/0xa0\n[  472.096136]  ? mutex_lock+0x68/0xc0\n[  472.096136]  ? add_taint+0x42/0xd0\n[  472.096136]  ? exc_page_fault+0x6a/0x1b0\n[  472.096136]  ? asm_exc_page_fault+0x26/0x30\n[  472.096136]  ? mutex_lock+0x75/0xc0\n[  472.096136]  ? mutex_lock+0x88/0xc0\n[  472.096136]  ? mutex_lock+0x75/0xc0\n[  472.096136]  l2cap_chan_timeo\n---truncated---(CVE-2024-27399)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfirewire: nosy: ensure user_length is taken into account when fetching packet contents\r\n\r\nEnsure that packet_buffer_get respects the user_length provided. If\nthe length of the head packet exceeds the user_length, packet_buffer_get\nwill now return 0 to signify to the user that no data were read\nand a larger buffer size is required. Helps prevent user space overflows.(CVE-2024-27401)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes\r\n\r\nWhen moving a station out of a VLAN and deleting the VLAN afterwards, the\nfast_rx entry still holds a pointer to the VLAN's netdev, which can cause\nuse-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx\nafter the VLAN change.(CVE-2024-35789)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmd/dm-raid: don't call md_reap_sync_thread() directly\r\n\r\nCurrently md_reap_sync_thread() is called from raid_message() directly\nwithout holding 'reconfig_mutex', this is definitely unsafe because\nmd_reap_sync_thread() can change many fields that is protected by\n'reconfig_mutex'.\r\n\r\nHowever, hold 'reconfig_mutex' here is still problematic because this\nwill cause deadlock, for example, commit 130443d60b1b (\"md: refactor\nidle/frozen_sync_thread() to fix deadlock\").\r\n\r\nFix this problem by using stop_sync_thread() to unregister sync_thread,\nlike md/raid did.(CVE-2024-35808)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: udc: remove warning when queue disabled ep\r\n\r\nIt is possible trigger below warning message from mass storage function,\r\n\r\nWARNING: CPU: 6 PID: 3839 at drivers/usb/gadget/udc/core.c:294 usb_ep_queue+0x7c/0x104\npc : usb_ep_queue+0x7c/0x104\nlr : fsg_main_thread+0x494/0x1b3c\r\n\r\nRoot cause is mass storage function try to queue request from main thread,\nbut other thread may already disable ep when function disable.\r\n\r\nAs there is no function failure in the driver, in order to avoid effort\nto fix warning, change WARN_ON_ONCE() in usb_ep_queue() to pr_debug().(CVE-2024-35822)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvt: fix unicode buffer corruption when deleting characters\r\n\r\nThis is the same issue that was fixed for the VGA text buffer in commit\n39cdb68c64d8 (\"vt: fix memory overlapping when deleting chars in the\nbuffer\"). The cure is also the same i.e. replace memcpy() with memmove()\ndue to the overlaping buffers.(CVE-2024-35823)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nx86/mm/pat: fix VM_PAT handling in COW mappings\r\n\r\nPAT handling won't do the right thing in COW mappings: the first PTE (or,\nin fact, all PTEs) can be replaced during write faults to point at anon\nfolios.  Reliably recovering the correct PFN and cachemode using\nfollow_phys() from PTEs will not work in COW mappings.\r\n\r\nUsing follow_phys(), we might just get the address+protection of the anon\nfolio (which is very wrong), or fail on swap/nonswap entries, failing\nfollow_phys() and triggering a WARN_ON_ONCE() in untrack_pfn() and\ntrack_pfn_copy(), not properly calling free_pfn_range().\r\n\r\nIn free_pfn_range(), we either wouldn't call memtype_free() or would call\nit with the wrong range, possibly leaking memory.\r\n\r\nTo fix that, let's update follow_phys() to refuse returning anon folios,\nand fallback to using the stored PFN inside vma->vm_pgoff for COW mappings\nif we run into that.\r\n\r\nWe will now properly handle untrack_pfn() with COW mappings, where we\ndon't need the cachemode.  We'll have to fail fork()->track_pfn_copy() if\nthe first page was replaced by an anon folio, though: we'd have to store\nthe cachemode in the VMA to make this work, likely growing the VMA size.\r\n\r\nFor now, lets keep it simple and let track_pfn_copy() just fail in that\ncase: it would have failed in the past with swap/nonswap entries already,\nand it would have done the wrong thing with anon folios.\r\n\r\nSimple reproducer to trigger the WARN_ON_ONCE() in untrack_pfn():\r\n\r\n<--- C reproducer --->\n #include <stdio.h>\n #include <sys/mman.h>\n #include <unistd.h>\n #include <liburing.h>\r\n\r\n int main(void)\n {\n         struct io_uring_params p = {};\n         int ring_fd;\n         size_t size;\n         char *map;\r\n\r\n         ring_fd = io_uring_setup(1, &p);\n         if (ring_fd < 0) {\n                 perror(\"io_uring_setup\");\n                 return 1;\n         }\n         size = p.sq_off.array + p.sq_entries * sizeof(unsigned);\r\n\r\n         /* Map the submission queue ring MAP_PRIVATE */\n         map = mmap(0, size, PROT_READ | PROT_WRITE, MAP_PRIVATE,\n                    ring_fd, IORING_OFF_SQ_RING);\n         if (map == MAP_FAILED) {\n                 perror(\"mmap\");\n                 return 1;\n         }\r\n\r\n         /* We have at least one page. Let's COW it. */\n         *map = 0;\n         pause();\n         return 0;\n }\n<--- C reproducer --->\r\n\r\nOn a system with 16 GiB RAM and swap configured:\n # ./iouring &\n # memhog 16G\n # killall iouring\n[  301.552930] ------------[ cut here ]------------\n[  301.553285] WARNING: CPU: 7 PID: 1402 at arch/x86/mm/pat/memtype.c:1060 untrack_pfn+0xf4/0x100\n[  301.553989] Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_g\n[  301.558232] CPU: 7 PID: 1402 Comm: iouring Not tainted 6.7.5-100.fc38.x86_64 #1\n[  301.558772] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebu4\n[  301.559569] RIP: 0010:untrack_pfn+0xf4/0x100\n[  301.559893] Code: 75 c4 eb cf 48 8b 43 10 8b a8 e8 00 00 00 3b 6b 28 74 b8 48 8b 7b 30 e8 ea 1a f7 000\n[  301.561189] RSP: 0018:ffffba2c0377fab8 EFLAGS: 00010282\n[  301.561590] RAX: 00000000ffffffea RBX: ffff9208c8ce9cc0 RCX: 000000010455e047\n[  301.562105] RDX: 07fffffff0eb1e0a RSI: 0000000000000000 RDI: ffff9208c391d200\n[  301.562628] RBP: 0000000000000000 R08: ffffba2c0377fab8 R09: 0000000000000000\n[  301.563145] R10: ffff9208d2292d50 R11: 0000000000000002 R12: 00007fea890e0000\n[  301.563669] R13: 0000000000000000 R14: ffffba2c0377fc08 R15: 0000000000000000\n[  301.564186] FS:  0000000000000000(0000) GS:ffff920c2fbc0000(0000) knlGS:0000000000000000\n[  301.564773] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  301.565197] CR2: 00007fea88ee8a20 CR3: 00000001033a8000 CR4: 0000000000750ef0\n[  301.565725] PKRU: 55555554\n[  301.565944] Call Trace:\n[  301.566148]  <TASK>\n[  301.566325]  ? untrack_pfn+0xf4/0x100\n[  301.566618]  ? __warn+0x81/0x130\n[  301.566876]  ? untrack_pfn+0xf4/0x100\n[  3\n---truncated---(CVE-2024-35877)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nselinux: avoid dereference of garbage after mount failure\r\n\r\nIn case kern_mount() fails and returns an error pointer return in the\nerror branch instead of continuing and dereferencing the error pointer.\r\n\r\nWhile on it drop the never read static variable selinuxfs_mount.(CVE-2024-35904)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblock: prevent division by zero in blk_rq_stat_sum()\r\n\r\nThe expression dst->nr_samples + src->nr_samples may\nhave zero value on overflow. It is necessary to add\na check to avoid division by zero.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with Svace.(CVE-2024-35925)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5: Properly link new fs rules into the tree\r\n\r\nPreviously, add_rule_fg would only add newly created rules from the\nhandle into the tree when they had a refcount of 1. On the other hand,\ncreate_flow_handle tries hard to find and reference already existing\nidentical rules instead of creating new ones.\r\n\r\nThese two behaviors can result in a situation where create_flow_handle\n1) creates a new rule and references it, then\n2) in a subsequent step during the same handle creation references it\n   again,\nresulting in a rule with a refcount of 2 that is not linked into the\ntree, will have a NULL parent and root and will result in a crash when\nthe flow group is deleted because del_sw_hw_rule, invoked on rule\ndeletion, assumes node->parent is != NULL.\r\n\r\nThis happened in the wild, due to another bug related to incorrect\nhandling of duplicate pkt_reformat ids, which lead to the code in\ncreate_flow_handle incorrectly referencing a just-added rule in the same\nflow handle, resulting in the problem described above. Full details are\nat [1].\r\n\r\nThis patch changes add_rule_fg to add new rules without parents into\nthe tree, properly initializing them and avoiding the crash. This makes\nit more consistent with how rules are added to an FTE in\ncreate_flow_handle.(CVE-2024-35960)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: Fix memory leak in hci_req_sync_complete()\r\n\r\nIn 'hci_req_sync_complete()', always free the previous sync\nrequest state before assigning reference to a new one.(CVE-2024-35978)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nACPI: CPPC: Use access_width over bit_width for system memory accesses\r\n\r\nTo align with ACPI 6.3+, since bit_width can be any 8-bit value, it\ncannot be depended on to be always on a clean 8b boundary. This was\nuncovered on the Cobalt 100 platform.\r\n\r\nSError Interrupt on CPU26, code 0xbe000011 -- SError\n CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted 5.15.2.1-13 #1\n Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION\n pstate: 62400009 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)\n pc : cppc_get_perf_caps+0xec/0x410\n lr : cppc_get_perf_caps+0xe8/0x410\n sp : ffff8000155ab730\n x29: ffff8000155ab730 x28: ffff0080139d0038 x27: ffff0080139d0078\n x26: 0000000000000000 x25: ffff0080139d0058 x24: 00000000ffffffff\n x23: ffff0080139d0298 x22: ffff0080139d0278 x21: 0000000000000000\n x20: ffff00802b251910 x19: ffff0080139d0000 x18: ffffffffffffffff\n x17: 0000000000000000 x16: ffffdc7e111bad04 x15: ffff00802b251008\n x14: ffffffffffffffff x13: ffff013f1fd63300 x12: 0000000000000006\n x11: ffffdc7e128f4420 x10: 0000000000000000 x9 : ffffdc7e111badec\n x8 : ffff00802b251980 x7 : 0000000000000000 x6 : ffff0080139d0028\n x5 : 0000000000000000 x4 : ffff0080139d0018 x3 : 00000000ffffffff\n x2 : 0000000000000008 x1 : ffff8000155ab7a0 x0 : 0000000000000000\n Kernel panic - not syncing: Asynchronous SError Interrupt\n CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted\n5.15.2.1-13 #1\n Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION\n Call trace:\n  dump_backtrace+0x0/0x1e0\n  show_stack+0x24/0x30\n  dump_stack_lvl+0x8c/0xb8\n  dump_stack+0x18/0x34\n  panic+0x16c/0x384\n  add_taint+0x0/0xc0\n  arm64_serror_panic+0x7c/0x90\n  arm64_is_fatal_ras_serror+0x34/0xa4\n  do_serror+0x50/0x6c\n  el1h_64_error_handler+0x40/0x74\n  el1h_64_error+0x7c/0x80\n  cppc_get_perf_caps+0xec/0x410\n  cppc_cpufreq_cpu_init+0x74/0x400 [cppc_cpufreq]\n  cpufreq_online+0x2dc/0xa30\n  cpufreq_add_dev+0xc0/0xd4\n  subsys_interface_register+0x134/0x14c\n  cpufreq_register_driver+0x1b0/0x354\n  cppc_cpufreq_init+0x1a8/0x1000 [cppc_cpufreq]\n  do_one_initcall+0x50/0x250\n  do_init_module+0x60/0x27c\n  load_module+0x2300/0x2570\n  __do_sys_finit_module+0xa8/0x114\n  __arm64_sys_finit_module+0x2c/0x3c\n  invoke_syscall+0x78/0x100\n  el0_svc_common.constprop.0+0x180/0x1a0\n  do_el0_svc+0x84/0xa0\n  el0_svc+0x2c/0xc0\n  el0t_64_sync_handler+0xa4/0x12c\n  el0t_64_sync+0x1a4/0x1a8\r\n\r\nInstead, use access_width to determine the size and use the offset and\nwidth to shift and mask the bits to read/write out. Make sure to add a\ncheck for system memory since pcc redefines the access_width to\nsubspace id.\r\n\r\nIf access_width is not set, then fall back to using bit_width.\r\n\r\n[ rjw: Subject and changelog edits, comment adjustments ](CVE-2024-35995)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni40e: Do not use WQ_MEM_RECLAIM flag for workqueue\r\n\r\nIssue reported by customer during SRIOV testing, call trace:\nWhen both i40e and the i40iw driver are loaded, a warning\nin check_flush_dependency is being triggered. This seems\nto be because of the i40e driver workqueue is allocated with\nthe WQ_MEM_RECLAIM flag, and the i40iw one is not.\r\n\r\nSimilar error was encountered on ice too and it was fixed by\nremoving the flag. Do the same for i40e too.\r\n\r\n[Feb 9 09:08] ------------[ cut here ]------------\n[  +0.000004] workqueue: WQ_MEM_RECLAIM i40e:i40e_service_task [i40e] is\nflushing !WQ_MEM_RECLAIM infiniband:0x0\n[  +0.000060] WARNING: CPU: 0 PID: 937 at kernel/workqueue.c:2966\ncheck_flush_dependency+0x10b/0x120\n[  +0.000007] Modules linked in: snd_seq_dummy snd_hrtimer snd_seq\nsnd_timer snd_seq_device snd soundcore nls_utf8 cifs cifs_arc4\nnls_ucs2_utils rdma_cm iw_cm ib_cm cifs_md4 dns_resolver netfs qrtr\nrfkill sunrpc vfat fat intel_rapl_msr intel_rapl_common irdma\nintel_uncore_frequency intel_uncore_frequency_common ice ipmi_ssif\nisst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal\nintel_powerclamp gnss coretemp ib_uverbs rapl intel_cstate ib_core\niTCO_wdt iTCO_vendor_support acpi_ipmi mei_me ipmi_si intel_uncore\nioatdma i2c_i801 joydev pcspkr mei ipmi_devintf lpc_ich\nintel_pch_thermal i2c_smbus ipmi_msghandler acpi_power_meter acpi_pad\nxfs libcrc32c ast sd_mod drm_shmem_helper t10_pi drm_kms_helper sg ixgbe\ndrm i40e ahci crct10dif_pclmul libahci crc32_pclmul igb crc32c_intel\nlibata ghash_clmulni_intel i2c_algo_bit mdio dca wmi dm_mirror\ndm_region_hash dm_log dm_mod fuse\n[  +0.000050] CPU: 0 PID: 937 Comm: kworker/0:3 Kdump: loaded Not\ntainted 6.8.0-rc2-Feb-net_dev-Qiueue-00279-gbd43c5687e05 #1\n[  +0.000003] Hardware name: Intel Corporation S2600BPB/S2600BPB, BIOS\nSE5C620.86B.02.01.0013.121520200651 12/15/2020\n[  +0.000001] Workqueue: i40e i40e_service_task [i40e]\n[  +0.000024] RIP: 0010:check_flush_dependency+0x10b/0x120\n[  +0.000003] Code: ff 49 8b 54 24 18 48 8d 8b b0 00 00 00 49 89 e8 48\n81 c6 b0 00 00 00 48 c7 c7 b0 97 fa 9f c6 05 8a cc 1f 02 01 e8 35 b3 fd\nff <0f> 0b e9 10 ff ff ff 80 3d 78 cc 1f 02 00 75 94 e9 46 ff ff ff 90\n[  +0.000002] RSP: 0018:ffffbd294976bcf8 EFLAGS: 00010282\n[  +0.000002] RAX: 0000000000000000 RBX: ffff94d4c483c000 RCX:\n0000000000000027\n[  +0.000001] RDX: ffff94d47f620bc8 RSI: 0000000000000001 RDI:\nffff94d47f620bc0\n[  +0.000001] RBP: 0000000000000000 R08: 0000000000000000 R09:\n00000000ffff7fff\n[  +0.000001] R10: ffffbd294976bb98 R11: ffffffffa0be65e8 R12:\nffff94c5451ea180\n[  +0.000001] R13: ffff94c5ab5e8000 R14: ffff94c5c20b6e05 R15:\nffff94c5f1330ab0\n[  +0.000001] FS:  0000000000000000(0000) GS:ffff94d47f600000(0000)\nknlGS:0000000000000000\n[  +0.000002] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  +0.000001] CR2: 00007f9e6f1fca70 CR3: 0000000038e20004 CR4:\n00000000007706f0\n[  +0.000000] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[  +0.000001] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[  +0.000001] PKRU: 55555554\n[  +0.000001] Call Trace:\n[  +0.000001]  <TASK>\n[  +0.000002]  ? __warn+0x80/0x130\n[  +0.000003]  ? check_flush_dependency+0x10b/0x120\n[  +0.000002]  ? report_bug+0x195/0x1a0\n[  +0.000005]  ? handle_bug+0x3c/0x70\n[  +0.000003]  ? exc_invalid_op+0x14/0x70\n[  +0.000002]  ? asm_exc_invalid_op+0x16/0x20\n[  +0.000006]  ? check_flush_dependency+0x10b/0x120\n[  +0.000002]  ? check_flush_dependency+0x10b/0x120\n[  +0.000002]  __flush_workqueue+0x126/0x3f0\n[  +0.000015]  ib_cache_cleanup_one+0x1c/0xe0 [ib_core]\n[  +0.000056]  __ib_unregister_device+0x6a/0xb0 [ib_core]\n[  +0.000023]  ib_unregister_device_and_put+0x34/0x50 [ib_core]\n[  +0.000020]  i40iw_close+0x4b/0x90 [irdma]\n[  +0.000022]  i40e_notify_client_of_netdev_close+0x54/0xc0 [i40e]\n[  +0.000035]  i40e_service_task+0x126/0x190 [i40e]\n[  +0.000024]  process_one_work+0x174/0x340\n[  +0.000003]  worker_th\n---truncated---(CVE-2024-36004)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nppdev: Add an error check in register_device\r\n\r\nIn register_device, the return value of ida_simple_get is unchecked,\nin witch ida_simple_get will use an invalid index value.\r\n\r\nTo address this issue, index should be checked after ida_simple_get. When\nthe index value is abnormal, a warning message should be printed, the port\nshould be dropped, and the value should be recorded.(CVE-2024-36015)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npinctrl: core: delete incorrect free in pinctrl_enable()\r\n\r\nThe \"pctldev\" struct is allocated in devm_pinctrl_register_and_init().\nIt's a devm_ managed pointer that is freed by devm_pinctrl_dev_release(),\nso freeing it in pinctrl_enable() will lead to a double free.\r\n\r\nThe devm_pinctrl_dev_release() function frees the pindescs and destroys\nthe mutex as well.(CVE-2024-36940)",
+    "cves": [
+      {
+        "id": "CVE-2021-47355",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47355",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2021-47401",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47401",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2021-47477",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47477",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2021-47545",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47545",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2021-47549",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47549",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2024-36940",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36940",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1582": {
+    "id": "openEuler-SA-2022-1582",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1582",
+    "title": "An update for libxml2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "This library allows to manipulate XML files. It includes support to read, modify and write XML and HTML files. There is DTDs support this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified. The output can be a simple SAX stream or and in-memory DOM like representations. In this case one can use the built-in XPath and XPointer implementation to select sub nodes or ranges. A flexible Input/Output mechanism is available, with existing HTTP and FTP modules and combined to an URI library.\r\n\r\nSecurity Fix(es):\r\n\r\nxmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.(CVE-2019-19956)\r\n\r\nvalid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.(CVE-2022-23308)",
+    "cves": [
+      {
+        "id": "CVE-2022-23308",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23308",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1080": {
+    "id": "openEuler-SA-2024-1080",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1080",
+    "title": "An update for python-fonttools is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "FontTools is a library for manipulating fonts, written in Python. The project includes the TTX tool, that can convert TrueType and OpenType fonts to and from an XML text format, which is also called TTX. It supports TrueType, OpenType, AFM and to an extent Type 1 and some Mac-specific formats. The project has an MIT open-source licence.\r\n\r\nSecurity Fix(es):\r\n\r\nfontTools is a library for manipulating fonts, written in Python. The subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed. This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system. This vulnerability has been patched in version 4.43.0.(CVE-2023-45139)",
+    "cves": [
+      {
+        "id": "CVE-2023-45139",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45139",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1353": {
+    "id": "openEuler-SA-2023-1353",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1353",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel image for RaspberryPi.\n\nSecurity Fix(es):\n\nAn issue was discovered in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel 6.2. There is a blocking operation when a task is in !TASK_RUNNING. In dvb_frontend_get_event, wait_event_interruptible is called; the condition is dvb_frontend_test_event(fepriv,events). In dvb_frontend_test_event, down(&fepriv->sem) is called. However, wait_event_interruptible would put the process to sleep, and down(&fepriv->sem) may block the process.(CVE-2023-31084)\n\nAn issue was discovered in the Linux kernel before 6.2.9. A use-after-free was found in bq24190_remove in drivers/power/supply/bq24190_charger.c. It could allow a local attacker to crash the system due to a race condition.(CVE-2023-33288)\n\nA use after free flaw was found in hfsplus_put_super in fs/hfsplus/super.c in the Linux Kernel. This flaw could allow a local user to cause a denial of service problem.(CVE-2023-2985)",
+    "cves": [
+      {
+        "id": "CVE-2023-2985",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2985",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1882": {
+    "id": "openEuler-SA-2022-1882",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1882",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nNULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0240.(CVE-2022-2923)\r\n\r\nUse After Free in GitHub repository vim/vim prior to 9.0.0246.(CVE-2022-2946)\r\n\r\nNULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0259.(CVE-2022-2980)\r\n\r\nUse After Free in GitHub repository vim/vim prior to 9.0.0286.(CVE-2022-3016)",
+    "cves": [
+      {
+        "id": "CVE-2022-3016",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3016",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2005": {
+    "id": "openEuler-SA-2022-2005",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2005",
+    "title": "An update for mailman is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "This is GNU Mailman, a mailing list management system distributed under the terms of the GNU General Public License (GPL) version 3 or later.  The name of this software is spelled 'Mailman' with a leading capital 'M' but with a lower case second `m'.  Any other spelling is incorrect. Security Fix(es):\r\n\r\nCheck the REST API password in a way that is resistant to timing attacks. Using basic string equality is vulnerable to timing attacks as it will short circuit at the first wrong character. Using hmac.compare_digest avoids that issue and will take the same time, regardless of whether the value is correct or not. This is only exploitable if an attacker can talk directly to the REST API, which by default is bound to localhost.\r\n\r\nReference:\r\n\r\nhttps://bugs.gentoo.org/828115(CVE-2021-34337)",
+    "cves": [
+      {
+        "id": "CVE-2021-34337",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34337",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1402": {
+    "id": "openEuler-SA-2024-1402",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1402",
+    "title": "An update for nodejs-qs is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "This is a query string parser for node and the browser supporting nesting, as it was removed from 0.3.x, so this library provides the previous and commonly desired behavior (and twice as fast). Used by express, connect and others.\r\n\r\nSecurity Fix(es):\r\n\r\nqs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).(CVE-2022-24999)",
+    "cves": [
+      {
+        "id": "CVE-2022-24999",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2057": {
+    "id": "openEuler-SA-2022-2057",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2057",
+    "title": "An update for expat is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "This package provides with static libraries and  header files for developing with expat.\r\n\r\nSecurity Fix(es):\r\n\r\nxmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.(CVE-2022-25235)\r\n\r\nxmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.(CVE-2022-25236)\r\n\r\nIn Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.(CVE-2022-25314)\r\n\r\nIn Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.(CVE-2022-25313)\r\n\r\nIn Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.(CVE-2022-25315)",
+    "cves": [
+      {
+        "id": "CVE-2022-25315",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25315",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1426": {
+    "id": "openEuler-SA-2023-1426",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1426",
+    "title": "An update for ncurses is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The ncurses (new curses) library is a free software emulation of curses in System V Release 4.0 (SVr4), and more. It uses terminfo format, supports pads and color and multiple highlights and forms characters and function-key mapping, and has all the other SVr4-curses enhancements over BSD curses. SVr4 curses became the basis of X/Open Curses.\n\nSecurity Fix(es):\n\nncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.(CVE-2023-29491)",
+    "cves": [
+      {
+        "id": "CVE-2023-29491",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29491",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1209": {
+    "id": "openEuler-SA-2023-1209",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1209",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel before 5.19, drivers/gpu/drm/arm/malidp_planes.c misinterprets the get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer).(CVE-2023-23004)\r\n\r\nA use-after-free flaw was found in the Linux kernel’s core dump subsystem. This flaw allows a local user to crash the system. Only if patch 390031c94211 (\"coredump: Use the vma snapshot in fill_files_note\") not applied yet, then kernel could be affected.(CVE-2023-1249)\r\n\r\nA null pointer dereference issue was found in the unix protocol in net/unix/diag.c in Linux before 6.0. In unix_diag_get_exact, the newly allocated skb does not have sk, leading to null pointer. A local user could use this flaw to crash the system or potentially cause a denial of service.\r\n\r\nReference:\nhttps://lore.kernel.org/netdev/CAO4mrfdvyjFpokhNsiwZiP-wpdSD0AStcJwfKcKQdAALQ9_2Qw@mail.gmail.com/\nhttps://lore.kernel.org/netdev/e04315e7c90d9a75613f3993c2baf2d344eef7eb.camel@redhat.com/\nhttps://lore.kernel.org/netdev/20221127012412.37969-3-kuniyu@amazon.com/T/(CVE-2023-28327)\r\n\r\n\nKernel: A denial of service issue in  az6027 driver in\ndrivers/media/usb/dev-usb/az6027.c(CVE-2023-28328)\r\n\r\nA slab-out-of-bound read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service.(CVE-2023-1380)\r\n\r\ndo_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference).(CVE-2023-28466)\r\n\r\nIn the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate the attribute name offset. An unhandled page fault may occur.(CVE-2022-48424)\r\n\r\nIn the Linux kernel before 6.1.3, fs/ntfs3/record.c does not validate resident attribute names. An out-of-bounds write may occur.(CVE-2022-48423)\r\n\r\nIn the Linux kernel through 6.2.7, fs/ntfs3/inode.c has an invalid kfree because it does not validate MFT flags before replaying logs.(CVE-2022-48425)\r\n\r\nA flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak.(CVE-2023-1513)\r\n\r\nUse After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this vulnerability to elevate its privileges to root. This issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2.(CVE-2023-1281)",
+    "cves": [
+      {
+        "id": "CVE-2023-1281",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1281",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1519": {
+    "id": "openEuler-SA-2023-1519",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1519",
+    "title": "An update for python3 is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces. This package Provides python version 3.\n\nSecurity Fix(es):\n\nDirectory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.(CVE-2007-4559)",
+    "cves": [
+      {
+        "id": "CVE-2007-4559",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-4559",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1628": {
+    "id": "openEuler-SA-2023-1628",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1628",
+    "title": "An update for python-GitPython is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "**GitPython*is a python library used to interact with Git repositories.GitPython provides object model read and write access to your git repository. Access repository information conveniently, alter the index directly, handle remotes, or go down to low-level object database access with big-files support.With the new object database abstraction added in 0.3, its even possible to implement your own storage mechanisms, the currently available implementations are 'cgit' and pure python, which is the default.Documentation The latest documentation can be found here: As this version of GitPython depends on GitDB, which in turn needs smmap to work, installation is a bit more involved if you do a manual installation, instead of using pip.\r\n\r\nSecurity Fix(es):\r\n\r\n GitPython is a python library used to interact with Git repositories. In order to resolve some git references, GitPython reads files from the `.git` directory, in some places the name of the file being read is provided by the user, GitPython doesn't check if this file is located outside the `.git` directory. This allows an attacker to make GitPython read any file from the system. This vulnerability is present in https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175. That code joins the base directory with a user given string without checking if the final path is located outside the base directory. This vulnerability cannot be used to read the contents of files but could in theory be used to trigger a denial of service for the program. This issue has not yet been addressed.(CVE-2023-41040)",
+    "cves": [
+      {
+        "id": "CVE-2023-41040",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41040",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1907": {
+    "id": "openEuler-SA-2023-1907",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1907",
+    "title": "An update for netty is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Asynchronous event-driven network application Java framework.\r\n\r\nSecurity Fix(es):\r\n\r\nNetty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.(CVE-2022-41881)",
+    "cves": [
+      {
+        "id": "CVE-2022-41881",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1508": {
+    "id": "openEuler-SA-2024-1508",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1508",
+    "title": "An update for gnutls is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, and other required structures. The project strives to provide a secure communications back-end, simple to use and integrated with the rest of the base Linux libraries. A back-end designed to work and be secure out of the box, keeping the complexity of TLS and PKI out of application code.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the \"certtool --verify-chain\" command.(CVE-2024-28835)",
+    "cves": [
+      {
+        "id": "CVE-2024-28835",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28835",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1623": {
+    "id": "openEuler-SA-2024-1623",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1623",
+    "title": "An update for freerdp is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "FreeRDP is a client implementation of the Remote Desktop Protocol (RDP) that follows Microsoft's open specifications. This package provides the client applications xfreerdp and wlfreerdp.\r\n\r\nSecurity Fix(es):\r\n\r\nFreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients prior to version 3.5.1 are vulnerable to a possible `NULL` access and crash. Version 3.5.1 contains a patch for the issue. No known workarounds are available.(CVE-2024-32661)",
+    "cves": [
+      {
+        "id": "CVE-2024-32661",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32661",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1373": {
+    "id": "openEuler-SA-2023-1373",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1373",
+    "title": "An update for wireshark is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Wireshark allows you to examine protocol data stored in files or as it is captured from wired or wireless (WiFi or Bluetooth) networks, USB devices, and many other sources.  It supports dozens of protocol capture file formats and understands more than a thousand protocols. It has many powerful features including a rich display filter language and the ability to reassemble multiple protocol packets in order to, for example, view a complete TCP stream, save the contents of a file which was transferred over HTTP or CIFS, or play back an RTP audio stream.\n\nSecurity Fix(es):\n\nXRA dissector infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file(CVE-2023-2952)\n\nDue to failure in validating the length provided by an attacker-crafted MSMMS packet, Wireshark version 4.0.5 and prior, in an unusual configuration, is susceptible to a heap-based buffer overflow, and possibly code execution in the context of the process running Wireshark(CVE-2023-0667)",
+    "cves": [
+      {
+        "id": "CVE-2023-0667",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0667",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1180": {
+    "id": "openEuler-SA-2021-1180",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1180",
+    "title": "An update for rubygem-actionview is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Simple, battle-tested conventions and helpers for building web pages.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View s translation helpers. Views that allow the user to control the default (not found) value of the t and translate helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory.(CVE-2020-15169)",
+    "cves": [
+      {
+        "id": "CVE-2020-15169",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15169",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1169": {
+    "id": "openEuler-SA-2021-1169",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1169",
+    "title": "An update for rubygem-puma is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nIn Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.(CVE-2020-11076)\r\n\r\nIn Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This is a similar but different vulnerability from CVE-2020-11076. The problem has been fixed in Puma 3.12.6 and Puma 4.3.5.(CVE-2020-11077)",
+    "cves": [
+      {
+        "id": "CVE-2020-11077",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11077",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1279": {
+    "id": "openEuler-SA-2021-1279",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1279",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nthere was a null pointer dereference in llcp_sock_getname in net/nfc/llcp_sock.c and reproduced it in linux-5.13.0-rc2. An unprivileged user can trigger this bug and cause denial of service.  #Root Cause After creating an nfc socket, bind the address by calling bind(), if LLCP_SAP_MAX was used as SAP, it cause the bind() failed and there would set llcp_sock->service_name  as NULL.  Although bind() returns an error here, it does not affect calling other socket functions. sock_getname() would invoke llcp_sock_getname(), llcp_sock_getname copied service  name from llcp_sock->service_name by memcpy but llcp_sock->service_name is NULL.  #Fix the patch for this issue: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=4ac06a1e013c(CVE-2021-3587)\r\n\r\nAn issue was discovered in the Linux kernel before 5.10. drivers/infiniband/core/ucma.c has a use-after-free because the ctx is reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called, aka CID-f5449e74802c.(CVE-2020-36385)\r\n\r\nThe vgacon subsystem in the Linux kernel before 5.8.10 mishandles software scrollback. There is a vgacon_scrolldelta out-of-bounds read, aka CID-973c096f6a85.(CVE-2020-28097)\r\n\r\nIn kernel/bpf/verifier.c in the Linux kernel before 5.12.13, a branch can be mispredicted (e.g., because of type confusion) and consequently an unprivileged BPF program can read arbitrary memory locations via a side-channel attack, aka CID-9183671af6db.(CVE-2021-33624)\r\n\r\nkernel/module.c in the Linux kernel before 5.12.14 mishandles Signature Verification, aka CID-0c18f29aae7c. Without CONFIG_MODULE_SIG, verification that a kernel module is signed, for loading via init_module, does not occur for a module.sig_enforce=1 command-line argument.(CVE-2021-35039)\r\n\r\nA heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space(CVE-2021-22555)\r\n\r\nA flaw use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way user detaches bluetooth dongle or other way triggers unregister bluetooth device event. A local user could use this flaw to crash the system or escalate their privileges on the system.(CVE-2021-3573)\r\n\r\nImproper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access.(CVE-2021-0129)\r\n\r\nnet/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.(CVE-2021-34693)\r\n\r\nAn issue was discovered in the Linux kernel before 5.8.2. fs/io_uring.c has a use-after-free related to io_async_task_func and ctx reference holding, aka CID-6d816e088c35.(CVE-2020-36387)\r\n\r\nA flaw was found in the CAN BCM networking protocol in the Linux kernel, where a local attacker can abuse a flaw in the CAN subsystem to corrupt memory, crash the system or escalate privileges.(CVE-2021-3609)\r\n\r\nIt was discovered that the eBPF implementation in the Linux kernel did not properly track bounds information for 32 bit registers when performing div and mod operations. A local attacker could use this to possibly execute arbitrary code.(CVE-2021-3600)",
+    "cves": [
+      {
+        "id": "CVE-2021-3600",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3600",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1860": {
+    "id": "openEuler-SA-2023-1860",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1860",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds read vulnerability was found in Netfilter Connection Tracking (conntrack) in the Linux kernel. This flaw allows a remote user to disclose sensitive information via the DCCP protocol.(CVE-2023-39197)\r\n\r\nA null pointer dereference flaw was found in the Linux kernel API for the cryptographic algorithm scatterwalk functionality. This issue occurs when a user constructs a malicious packet with specific socket configuration, which could allow a local user to crash the system or escalate their privileges on the system.(CVE-2023-6176)",
+    "cves": [
+      {
+        "id": "CVE-2023-6176",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6176",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1249": {
+    "id": "openEuler-SA-2024-1249",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1249",
+    "title": "An update for atril is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Mate-document-viewer is simple document viewer. It can display and print Portable Document Format (PDF), PostScript (PS), Encapsulated PostScript (EPS), DVI, DJVU, epub and XPS files. When supported by the document format, mate-document-viewer allows searching for text, copying text to the clipboard, hypertext navigation, table-of-contents bookmarks and editing of forms.\r\n\r\nSecurity Fix(es):\r\n\r\nAtril Document Viewer is the default document reader of the MATE desktop environment for Linux. A path traversal and arbitrary file write vulnerability exists in versions of Atril prior to 1.26.2. This vulnerability is capable of writing arbitrary files anywhere on the filesystem to which the user opening a crafted document has access. The only limitation is that this vulnerability cannot be exploited to overwrite existing files, but that doesn't stop an attacker from achieving Remote Command Execution on the target system. Version 1.26.2 of Atril contains a patch for this vulnerability.(CVE-2023-52076)",
+    "cves": [
+      {
+        "id": "CVE-2023-52076",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52076",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1676": {
+    "id": "openEuler-SA-2024-1676",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1676",
+    "title": "An update for mozjs78 is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "SpiderMonkey JavaScript library\r\n\r\nSecurity Fix(es):\r\n\r\nPorts that were written as an integer overflow above the bounds of a 16-bit integer could have bypassed port blocking restrictions when used in the Alt-Svc header. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.(CVE-2021-29946)",
+    "cves": [
+      {
+        "id": "CVE-2021-29946",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29946",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1066": {
+    "id": "openEuler-SA-2024-1066",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1066",
+    "title": "An update for openssh is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. \\ It encrypts all traffic to eliminate eavesdropping, connection hijacking, and \\ other attacks. In addition, OpenSSH provides a large suite of secure tunneling \\ capabilities, several authentication methods, and sophisticated configuration options.\r\n\r\nSecurity Fix(es):\r\n\r\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795)",
+    "cves": [
+      {
+        "id": "CVE-2023-48795",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48795",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1656": {
+    "id": "openEuler-SA-2022-1656",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1656",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\n\nSecurity Fix(es):\n\nUse after free in utf_ptr2char in GitHub repository vim/vim prior to 8.2.4646.(CVE-2022-1154)\n\nUse after free in append_command in GitHub repository vim/vim prior to 8.2. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution(CVE-2022-1616)",
+    "cves": [
+      {
+        "id": "CVE-2022-1616",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1616",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1951": {
+    "id": "openEuler-SA-2022-1951",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1951",
+    "title": "An update for linux-sgx is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Intel(R) Software Guard Extensions (Intel(R) SGX) is an Intel technology for application developers seeking to protect select code and data from disclosure or modification.\r\n\r\nSecurity Fix(es):\r\n\r\nThe c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).(CVE-2022-1292)",
+    "cves": [
+      {
+        "id": "CVE-2022-1292",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1292",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1169": {
+    "id": "openEuler-SA-2023-1169",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1169",
+    "title": "An update for clamav is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Clam AntiVirus (clamav) is an open source antivirus engine for detecting trojans, viruses, malware other malicious threats. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software. he virus database is based on the virus database from OpenAntiVirus, but contains additional signatures and is KEPT UP TO DATE.\r\n\r\nSecurity Fix(es):\r\n\r\nOn Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the HFS+ partition file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to execute arbitrary code. This vulnerability is due to a missing buffer size check that may result in a heap buffer overflow write. An attacker could exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the ClamAV scanning process, or else crash the process, resulting in a denial of service (DoS) condition. For a description of this vulnerability, see the ClamAV blog [\"https://blog.clamav.net/\"].(CVE-2023-20032)\r\n\r\nOn Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the DMG file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to enabling XML entity substitution that may result in XML external entity injection. An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to leak bytes from any file that may be read by the ClamAV scanning process.(CVE-2023-20052)",
+    "cves": [
+      {
+        "id": "CVE-2023-20052",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20052",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1432": {
+    "id": "openEuler-SA-2021-1432",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1432",
+    "title": "An update for redis6 is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Redis is an advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets.\r\nSecurity Fix(es):\r\n\r\nRedis is an open source, in-memory database that persists on disk. In affected versions specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. This can result with heap corruption and potentially remote code execution. This problem exists in all versions of Redis with Lua scripting support, starting from 2.6. The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14. For users unable to update an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.(CVE-2021-32626)",
+    "cves": [
+      {
+        "id": "CVE-2021-32626",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32626",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1564": {
+    "id": "openEuler-SA-2023-1564",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1564",
+    "title": "An update for perl is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Perl 5 is a highly capable, feature-rich programming language with over 30 years of development.Perl 5 runs on over 100 platforms from portables to mainframes and is suitable for both rapid prototyping and large scale development projects.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.(CVE-2022-48522)",
+    "cves": [
+      {
+        "id": "CVE-2022-48522",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48522",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1580": {
+    "id": "openEuler-SA-2024-1580",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1580",
+    "title": "An update for kubernetes is now available for openEuler-22.03-LTS",
+    "severity": "Low",
+    "description": "Container cluster management.\r\n\r\nSecurity Fix(es):\r\n\r\nA security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.\r\n\r\n(CVE-2024-3177)",
+    "cves": [
+      {
+        "id": "CVE-2024-3177",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3177",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1757": {
+    "id": "openEuler-SA-2024-1757",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1757",
+    "title": "An update for giflib is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3 and openEuler-24.03-LTS",
+    "severity": "High",
+    "description": "giflib is a library of gif images and provides utilities for processing images.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in giflib through 5.1.4. DumpScreen2RGB in gif2rgb.c has a heap-based buffer over-read.(CVE-2020-23922)\r\n\r\nBuffer Overflow vulnerability in GifLib Project GifLib v.5.2.1 allows a local attacker to obtain sensitive information via the DumpSCreen2RGB function in gif2rgb.c(CVE-2023-48161)",
+    "cves": [
+      {
+        "id": "CVE-2023-48161",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48161",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1121": {
+    "id": "openEuler-SA-2021-1121",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1121",
+    "title": "An update for openssl is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nThe OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).(CVE-2021-23841)\r\n\r\nCalls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).(CVE-2021-23840)",
+    "cves": [
+      {
+        "id": "CVE-2021-23840",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23840",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1085": {
+    "id": "openEuler-SA-2021-1085",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1085",
+    "title": "An update for freerdp is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "FreeRDP is a client implementation of the Remote Desktop Protocol (RDP) that follows Microsoft's open specifications. This package provides the client applications xfreerdp and wlfreerdp.\r\n\r\nSecurity Fix(es):\r\n\r\nlibfreerdp/gdi/region.c in FreeRDP versions > 1.0 through 2.0.0-rc4 has an Integer Overflow.(CVE-2020-11523)",
+    "cves": [
+      {
+        "id": "CVE-2020-11523",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11523",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1810": {
+    "id": "openEuler-SA-2023-1810",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1810",
+    "title": "An update for qt is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Qt (pronounced as \"cute\", not \"cu-tee\") is a cross-platform framework that is usually used as a graphical toolkit, although it is also very helpful in creating CLI applications. It runs on the three major desktop OSes, as well as on mobile OSes, such as Symbian, Nokia Belle, Meego Harmattan, MeeGo or BB10, and on embedded devices. Ports for Android (Necessitas) and iOS are also in development\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.(CVE-2023-34410)",
+    "cves": [
+      {
+        "id": "CVE-2023-34410",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34410",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2100": {
+    "id": "openEuler-SA-2022-2100",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2100",
+    "title": "An update for bash is now available for openEuler-22.03-LTS",
+    "severity": "Low",
+    "description": "Bash is the GNU Project's shell. Bash is the Bourne Again SHell. Bash is an sh-compatible shell that incorporates useful features from the Korn shell (ksh) and C shell (csh). It is intended to conform to the IEEE POSIX P1003.2/ISO 9945.2 Shell and Tools standard. It offers functional improvements over sh for both programming and interactive use. In addition, most sh scripts can be run by Bash without modification.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the bash package, where a heap-buffer overflow can occur in valid_parameter_transform. This issue may lead to memory problems.(CVE-2022-3715)",
+    "cves": [
+      {
+        "id": "CVE-2022-3715",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3715",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1740": {
+    "id": "openEuler-SA-2022-1740",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1740",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nOut-of-bounds Read in GitHub repository vim/vim prior to 8.2.(CVE-2022-2126)\r\n\r\nBuffer Over-read in GitHub repository vim/vim prior to 8.2.(CVE-2022-2175)\r\n\r\nOut-of-bounds Read in GitHub repository vim/vim prior to 8.2.(CVE-2022-2206)\r\n\r\nHeap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.(CVE-2022-2125)",
+    "cves": [
+      {
+        "id": "CVE-2022-2125",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2125",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1529": {
+    "id": "openEuler-SA-2022-1529",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1529",
+    "title": "An update for samba is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nChecks in Samba AD DC to prevent alias SPNs may be bypassed, enabling users who can write to the account's servicePrincipalName attribute to impersonate the service.(CVE-2022-0336)",
+    "cves": [
+      {
+        "id": "CVE-2022-0336",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0336",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1857": {
+    "id": "openEuler-SA-2022-1857",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1857",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Go Programming Language.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nGo before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.(CVE-2022-29526)\r\n\r\nIncorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack.(CVE-2022-29804)",
+    "cves": [
+      {
+        "id": "CVE-2022-29804",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29804",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1093": {
+    "id": "openEuler-SA-2024-1093",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1093",
+    "title": "An update for gnutls is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, and other required structures. The project strives to provide a secure communications back-end, simple to use and integrated with the rest of the base Linux libraries. A back-end designed to work and be secure out of the box, keeping the complexity of TLS and PKI out of application code.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.(CVE-2024-0553)\r\n\r\nA vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.(CVE-2024-0567)",
+    "cves": [
+      {
+        "id": "CVE-2024-0567",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0567",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1224": {
+    "id": "openEuler-SA-2024-1224",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1224",
+    "title": "An update for shim is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Initial UEFI bootloader that handles chaining to a trusted full \\ bootloader under secure boot environments.\r\n\r\nSecurity Fix(es):\r\n\r\nApplications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\r\n\r\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\r\n\r\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0465)\r\n\r\nIssue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\r\n\r\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\r\n\r\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit.  OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\r\n\r\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime.  The time complexity is O(n^2) with 'n' being the size of the\nsub-identifiers in bytes (*).\r\n\r\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\nidentifiers in string form was introduced.  This includes using OBJECT\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\nalgorithms.\r\n\r\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\ndecrypt, or digest passed data.\r\n\r\nApplications that call OBJ_obj2txt() directly with untrusted data are\naffected, with any version of OpenSSL.  If the use is for the mere purpose\nof display, the severity is considered low.\r\n\r\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\nCMS, CMP/CRMF or TS.  It also impacts anything that processes X.509\ncertificates, including simple things like verifying its signature.\r\n\r\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\n100KiB limit on the peer's certificate chain.  Additionally, this only\nimpacts clients, or servers that have explicitly enabled client\nauthentication.\r\n\r\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\nsuch as X.509 certificates.  This is assumed to not happen in such a way\nthat it would cause a Denial of Service, so these versions are considered\nnot affected by this issue in such a way that it would be cause for concern,\nand the severity is therefore considered low.(CVE-2023-2650)\r\n\r\nIssue summary: Checking excessively long DH keys or parameters may be very slow.\r\n\r\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\r\n\r\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\r\n\r\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\r\n\r\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\r\n\r\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\r\n\r\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\r\n\r\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.(CVE-2023-3446)\r\n\r\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\r\n\r\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\r\n\r\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\r\n\r\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\r\n\r\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\r\n\r\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.(CVE-2024-0727)",
+    "cves": [
+      {
+        "id": "CVE-2024-0727",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1783": {
+    "id": "openEuler-SA-2023-1783",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1783",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4040_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cm4040_open() and reader_detach().(CVE-2022-44033)\r\n\r\nAn issue was discovered in the Linux kernel through 6.0.10. In drivers/media/dvb-core/dvb_ca_en50221.c, a use-after-free can occur is there is a disconnect after an open, because of the lack of a wait_event.(CVE-2022-45919)\r\n\r\nVUL-0: CVE-2023-2593: kernel: Linux Kernel ksmbd Memory Exhaustion Denial-of-Service Vulnerability(CVE-2023-2593)\r\n\r\nThere is a null-pointer-dereference flaw found in f2fs_write_end_io in fs/f2fs/data.c in the Linux kernel. This flaw allows a local privileged user to cause a denial of service problem.(CVE-2023-2898)\r\n\r\nAn issue was discovered in drivers/bluetooth/hci_ldisc.c in the Linux kernel 6.2. In hci_uart_tty_ioctl, there is a race condition between HCIUARTSETPROTO and HCIUARTGETPROTO. HCI_UART_PROTO_SET is set before hu->proto is set. A NULL pointer dereference may occur.(CVE-2023-31083)\r\n\r\nAn issue was discovered in drivers/mtd/ubi/cdev.c in the Linux kernel 6.2. There is a divide-by-zero error in do_div(sz,mtd->erasesize), used indirectly by ctrl_cdev_ioctl, when mtd->erasesize is 0.(CVE-2023-31085)\r\n\r\nVUL-0: CVE-2023-32246: kernel: Linux Kernel ksmbd RCU Callback Race Condition Local Privilege Escalation Vulnerability(CVE-2023-32246)\r\n\r\nA flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.(CVE-2023-32254)\r\n\r\nClosing of an event channel in the Linux kernel can result in a deadlock. This happens when the close is being performed in parallel to an unrelated Xen console action and the handling of a Xen console interrupt in an unprivileged guest. The closing of an event channel is e.g. triggered by removal of a paravirtual device on the other side. As this action will cause console messages to be issued on the other side quite often, the chance of triggering the deadlock is not neglectable.\nA (malicious) guest administrator could cause a denial of service (DoS) in a backend domain (other than dom0) by disabling a paravirtualized device. A malicious backend could cause DoS in a guest running a Linux kernel by disabling a paravirtualized device.(CVE-2023-34324)\r\n\r\nA flaw was found in the Netfilter subsystem in the Linux kernel. The nfnl_osf_add_callback function did not validate the user mode controlled opt_num field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.(CVE-2023-39189)\r\n\r\nA flaw was found in the Netfilter subsystem in the Linux kernel. The xt_u32 module did not validate the fields in the xt_u32 structure. This flaw allows a local privileged attacker to trigger an out-of-bounds read by setting the size fields with a value beyond the array boundaries, leading to a crash or information disclosure.(CVE-2023-39192)\r\n\r\nA flaw was found in the Netfilter subsystem in the Linux kernel. The sctp_mt_check did not validate the flag_count field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.(CVE-2023-39193)\r\n\r\nA flaw was found in the XFRM subsystem in the Linux kernel. The specific flaw exists within the processing of state filters, which can result in a read past the end of an allocated buffer. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, potentially leading to an information disclosure.(CVE-2023-39194)\r\n\r\nA NULL pointer dereference flaw was found in the Linux kernel ipv4 stack. The socket buffer (skb) was assumed to be associated with a device before calling __ip_options_compile, which is not always the case if the skb is re-routed by ipvs. This issue may allow a local user with CAP_NET_ADMIN privileges to crash the system.(CVE-2023-42754)\r\n\r\nAn issue was discovered in drivers/net/ethernet/intel/igb/igb_main.c in the IGB driver in the Linux kernel before 6.5.3. A buffer size may not be adequate for frames larger than the MTU.(CVE-2023-45871)\r\n\r\nA heap out-of-bounds write vulnerability in the Linux kernel's Linux Kernel Performance Events (perf) component can be exploited to achieve local privilege escalation.\r\n\r\nIf perf_read_group() is called while an event's sibling_list is smaller than its child's sibling_list, it can increment or write to memory locations outside of the allocated buffer.\r\n\r\nWe recommend upgrading past commit 32671e3799ca2e4590773fd0e63aaa4229e50c06.\r\n\r\n(CVE-2023-5717)",
+    "cves": [
+      {
+        "id": "CVE-2023-5717",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5717",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1659": {
+    "id": "openEuler-SA-2023-1659",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1659",
+    "title": "An update for mosquitto is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Mosquitto is an open source message broker that implements the MQ Telemetry Transport protocol version 3.1 and 3.1.1 MQTT provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for \"machine to machine\" messaging such as with low power sensors or mobile devices such as phones, embedded computers or micro-controllers like the Arduino.\r\n\r\nSecurity Fix(es):\r\n\r\nThe broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.(CVE-2023-28366)",
+    "cves": [
+      {
+        "id": "CVE-2023-28366",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28366",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1712": {
+    "id": "openEuler-SA-2024-1712",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1712",
+    "title": "An update for mariadb is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "MariaDB turns data into structured information in a wide array of applications, ranging from banking to websites. It is an enhanced, drop-in replacement for MySQL. MariaDB is used because it is fast, scalable and robust, with a rich ecosystem of storage engines, plugins and many other tools make it very versatile for a wide variety of use cases.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 5.7.43 and prior, 8.0.34 and prior and  8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-22084)",
+    "cves": [
+      {
+        "id": "CVE-2023-22084",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22084",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1149": {
+    "id": "openEuler-SA-2023-1149",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1149",
+    "title": "An update for amanda is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "AMANDA, the Advanced Maryland Automatic Network Disk Archiver, is a backup system that allows the administrator of a LAN to set up a single master backup server to back up multiple hosts to a single large capacity tape or disk drive. Amanda uses native tools (such as GNUtar, dump) for backup and can back up a large number of workstations running multiple versions of Unix/Mac OS X/Linux/Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Amanda. The `runtar` SUID binary executes /usr/bin/tar as root without properly validating its arguments, possibly leading to escalation of privileges from the regular user \"amandabackup\" to root.(CVE-2022-37705)\r\n\r\nA flaw was found in Amanda. The `rundump` SUID binary executes /usr/sbin/dump as root without properly validating its arguments, possibly leading to escalation of privileges from the regular user \"amandabackup\" to root.(CVE-2022-37704)",
+    "cves": [
+      {
+        "id": "CVE-2022-37704",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37704",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1982": {
+    "id": "openEuler-SA-2022-1982",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1982",
+    "title": "An update for bind is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nBy spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.(CVE-2022-38177)\r\n\r\nBy spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.(CVE-2022-38178)\r\n\r\nBy flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service.(CVE-2022-2795)\r\n\r\nThe underlying bug might cause read past end of the buffer and either read memory it should not read, or crash the process.(CVE-2022-2881)\r\n\r\nAn attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.(CVE-2022-2906)",
+    "cves": [
+      {
+        "id": "CVE-2022-2906",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2906",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1525": {
+    "id": "openEuler-SA-2024-1525",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1525",
+    "title": "An update for youker-assistant is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Integrated tool to aid in routine system maintenance tasks Kylin Assistant is a tool designed to help Ubuntu and Ubuntu Kylin desktop users manage and maintain many aspects of their working environment conveniently in a single application, providing a consistent user experience.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability classified as critical was found in KylinSoft youker-assistant on KylinOS. Affected by this vulnerability is the function adjust_cpufreq_scaling_governer. The manipulation leads to os command injection. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.4.13 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-226099.(CVE-2023-2091)",
+    "cves": [
+      {
+        "id": "CVE-2023-2091",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2091",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1805": {
+    "id": "openEuler-SA-2022-1805",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1805",
+    "title": "An update for targetcli is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Targetcli is an administration tool for managing storage targets using the kernel LIO core target and compatible target fabric modules.\r\n\r\nSecurity Fix(es):\r\n\r\nOpen-iSCSI targetcli-fb through 2.1.52 has weak permissions for /etc/target (and for the backup directory and backup files).(CVE-2020-13867)",
+    "cves": [
+      {
+        "id": "CVE-2020-13867",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13867",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1420": {
+    "id": "openEuler-SA-2024-1420",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1420",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nQEMU before 8.2.0 has an integer underflow, and resultant buffer overflow, via a TI command when an expected non-DMA transfer length is less than the length of the available FIFO data. This occurs in esp_do_nodma in hw/scsi/esp.c because of an underflow of async_len.(CVE-2024-24474)",
+    "cves": [
+      {
+        "id": "CVE-2024-24474",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24474",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1454": {
+    "id": "openEuler-SA-2023-1454",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1454",
+    "title": "An update for firefox is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.\n\nSecurity Fix(es):\n\naddBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.(CVE-2022-22822)\n\nbuild_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.(CVE-2022-22823)\n\ndefineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.(CVE-2022-22824)",
+    "cves": [
+      {
+        "id": "CVE-2022-22824",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22824",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1695": {
+    "id": "openEuler-SA-2024-1695",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1695",
+    "title": "An update for python-aiosmtpd is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "This is a server for SMTP and related protocols, similar in utility to the standard library's smtpd.py module, but rewritten to be based on asyncio for Python 3.\r\n\r\nSecurity Fix(es):\r\n\r\naiosmptd is  a reimplementation of the Python stdlib smtpd.py based on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept extra unencrypted commands after STARTTLS, treating them as if they came from inside the encrypted connection. This could be exploited by a man-in-the-middle attack. Version 1.4.6 contains a patch for the issue.(CVE-2024-34083)",
+    "cves": [
+      {
+        "id": "CVE-2024-34083",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34083",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1700": {
+    "id": "openEuler-SA-2022-1700",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1700",
+    "title": "An update for ruby is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Ruby is a fast and easy interpreted scripting language for object-oriented programming. It has many functions for processing text Files and perform system management tasks (such as Perl).\r\n\r\nSecurity Fix(es):\r\n\r\nThere is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f.(CVE-2022-28739)\r\n\r\nA double free was found in the Regexp compiler in Ruby 3.x before 3.0.4 and 3.1.x before 3.1.2. If a victim attempts to create a Regexp from untrusted user input, an attacker may be able to write to unexpected memory locations.(CVE-2022-28738)",
+    "cves": [
+      {
+        "id": "CVE-2022-28738",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28738",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1433": {
+    "id": "openEuler-SA-2023-1433",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1433",
+    "title": "An update for zlib is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\ninftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.(CVE-2016-9840)\r\n\r\nThe inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.(CVE-2016-9842)\r\n\r\nCVE-2016-9840:inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.  CVE-2016-9841:inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.  CVE-2016-9842:The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.  CVE-2016-9843:The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.(CVE-2016-9843)",
+    "cves": [
+      {
+        "id": "CVE-2016-9843",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9843",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1927": {
+    "id": "openEuler-SA-2023-1927",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1927",
+    "title": "An update for perl is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Perl 5 is a highly capable, feature-rich programming language with over 30 years of development. Perl 5 runs on over 100 platforms from portables to mainframes and is suitable for both rapid prototyping and large scale development projects.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \\p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.(CVE-2023-47100)",
+    "cves": [
+      {
+        "id": "CVE-2023-47100",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47100",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1838": {
+    "id": "openEuler-SA-2024-1838",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1838",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nARM: 9170/1: fix panic when kasan and kprobe are enabled\r\n\r\narm32 uses software to simulate the instruction replaced\nby kprobe. some instructions may be simulated by constructing\nassembly functions. therefore, before executing instruction\nsimulation, it is necessary to construct assembly function\nexecution environment in C language through binding registers.\nafter kasan is enabled, the register binding relationship will\nbe destroyed, resulting in instruction simulation errors and\ncausing kernel panic.\r\n\r\nthe kprobe emulate instruction function is distributed in three\nfiles: actions-common.c actions-arm.c actions-thumb.c, so disable\nKASAN when compiling these files.\r\n\r\nfor example, use kprobe insert on cap_capable+20 after kasan\nenabled, the cap_capable assembly code is as follows:\n<cap_capable>:\ne92d47f0\tpush\t{r4, r5, r6, r7, r8, r9, sl, lr}\ne1a05000\tmov\tr5, r0\ne280006c\tadd\tr0, r0, #108    ; 0x6c\ne1a04001\tmov\tr4, r1\ne1a06002\tmov\tr6, r2\ne59fa090\tldr\tsl, [pc, #144]  ;\nebfc7bf8\tbl\tc03aa4b4 <__asan_load4>\ne595706c\tldr\tr7, [r5, #108]  ; 0x6c\ne2859014\tadd\tr9, r5, #20\n......\nThe emulate_ldr assembly code after enabling kasan is as follows:\nc06f1384 <emulate_ldr>:\ne92d47f0\tpush\t{r4, r5, r6, r7, r8, r9, sl, lr}\ne282803c\tadd\tr8, r2, #60     ; 0x3c\ne1a05000\tmov\tr5, r0\ne7e37855\tubfx\tr7, r5, #16, #4\ne1a00008\tmov\tr0, r8\ne1a09001\tmov\tr9, r1\ne1a04002\tmov\tr4, r2\nebf35462\tbl\tc03c6530 <__asan_load4>\ne357000f\tcmp\tr7, #15\ne7e36655\tubfx\tr6, r5, #12, #4\ne205a00f\tand\tsl, r5, #15\n0a000001\tbeq\tc06f13bc <emulate_ldr+0x38>\ne0840107\tadd\tr0, r4, r7, lsl #2\nebf3545c\tbl\tc03c6530 <__asan_load4>\ne084010a\tadd\tr0, r4, sl, lsl #2\nebf3545a\tbl\tc03c6530 <__asan_load4>\ne2890010\tadd\tr0, r9, #16\nebf35458\tbl\tc03c6530 <__asan_load4>\ne5990010\tldr\tr0, [r9, #16]\ne12fff30\tblx\tr0\ne356000f\tcm\tr6, #15\n1a000014\tbne\tc06f1430 <emulate_ldr+0xac>\ne1a06000\tmov\tr6, r0\ne2840040\tadd\tr0, r4, #64     ; 0x40\n......\r\n\r\nwhen running in emulate_ldr to simulate the ldr instruction, panic\noccurred, and the log is as follows:\nUnable to handle kernel NULL pointer dereference at virtual address\n00000090\npgd = ecb46400\n[00000090] *pgd=2e0fa003, *pmd=00000000\nInternal error: Oops: 206 [#1] SMP ARM\nPC is at cap_capable+0x14/0xb0\nLR is at emulate_ldr+0x50/0xc0\npsr: 600d0293 sp : ecd63af8  ip : 00000004  fp : c0a7c30c\nr10: 00000000  r9 : c30897f4  r8 : ecd63cd4\nr7 : 0000000f  r6 : 0000000a  r5 : e59fa090  r4 : ecd63c98\nr3 : c06ae294  r2 : 00000000  r1 : b7611300  r0 : bf4ec008\nFlags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user\nControl: 32c5387d  Table: 2d546400  DAC: 55555555\nProcess bash (pid: 1643, stack limit = 0xecd60190)\n(cap_capable) from (kprobe_handler+0x218/0x340)\n(kprobe_handler) from (kprobe_trap_handler+0x24/0x48)\n(kprobe_trap_handler) from (do_undefinstr+0x13c/0x364)\n(do_undefinstr) from (__und_svc_finish+0x0/0x30)\n(__und_svc_finish) from (cap_capable+0x18/0xb0)\n(cap_capable) from (cap_vm_enough_memory+0x38/0x48)\n(cap_vm_enough_memory) from\n(security_vm_enough_memory_mm+0x48/0x6c)\n(security_vm_enough_memory_mm) from\n(copy_process.constprop.5+0x16b4/0x25c8)\n(copy_process.constprop.5) from (_do_fork+0xe8/0x55c)\n(_do_fork) from (SyS_clone+0x1c/0x24)\n(SyS_clone) from (__sys_trace_return+0x0/0x10)\nCode: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 (f801f0e7)(CVE-2021-47618)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: fix use-after-free after failure to create a snapshot\r\n\r\nAt ioctl.c:create_snapshot(), we allocate a pending snapshot structure and\nthen attach it to the transaction's list of pending snapshots. After that\nwe call btrfs_commit_transaction(), and if that returns an error we jump\nto 'fail' label, where we kfree() the pending snapshot structure. This can\nresult in a later use-after-free of the pending snapshot:\r\n\r\n1) We allocated the pending snapshot and added it to the transaction's\n   list of pending snapshots;\r\n\r\n2) We call btrfs_commit_transaction(), and it fails either at the first\n   call to btrfs_run_delayed_refs() or btrfs_start_dirty_block_groups().\n   In both cases, we don't abort the transaction and we release our\n   transaction handle. We jump to the 'fail' label and free the pending\n   snapshot structure. We return with the pending snapshot still in the\n   transaction's list;\r\n\r\n3) Another task commits the transaction. This time there's no error at\n   all, and then during the transaction commit it accesses a pointer\n   to the pending snapshot structure that the snapshot creation task\n   has already freed, resulting in a user-after-free.\r\n\r\nThis issue could actually be detected by smatch, which produced the\nfollowing warning:\r\n\r\n  fs/btrfs/ioctl.c:843 create_snapshot() warn: '&pending_snapshot->list' not removed from list\r\n\r\nSo fix this by not having the snapshot creation ioctl directly add the\npending snapshot to the transaction's list. Instead add the pending\nsnapshot to the transaction handle, and then at btrfs_commit_transaction()\nwe add the snapshot to the list only when we can guarantee that any error\nreturned after that point will result in a transaction abort, in which\ncase the ioctl code can safely free the pending snapshot and no one can\naccess it anymore.(CVE-2022-48733)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5e: Avoid field-overflowing memcpy()\r\n\r\nIn preparation for FORTIFY_SOURCE performing compile-time and run-time\nfield bounds checking for memcpy(), memmove(), and memset(), avoid\nintentionally writing across neighboring fields.\r\n\r\nUse flexible arrays instead of zero-element arrays (which look like they\nare always overflowing) and split the cross-field memcpy() into two halves\nthat can be appropriately bounds-checked by the compiler.\r\n\r\nWe were doing:\r\n\r\n\t#define ETH_HLEN  14\n\t#define VLAN_HLEN  4\n\t...\n\t#define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN)\n\t...\n        struct mlx5e_tx_wqe      *wqe  = mlx5_wq_cyc_get_wqe(wq, pi);\n\t...\n        struct mlx5_wqe_eth_seg  *eseg = &wqe->eth;\n        struct mlx5_wqe_data_seg *dseg = wqe->data;\n\t...\n\tmemcpy(eseg->inline_hdr.start, xdptxd->data, MLX5E_XDP_MIN_INLINE);\r\n\r\ntarget is wqe->eth.inline_hdr.start (which the compiler sees as being\n2 bytes in size), but copying 18, intending to write across start\n(really vlan_tci, 2 bytes). The remaining 16 bytes get written into\nwqe->data[0], covering byte_count (4 bytes), lkey (4 bytes), and addr\n(8 bytes).\r\n\r\nstruct mlx5e_tx_wqe {\n        struct mlx5_wqe_ctrl_seg   ctrl;                 /*     0    16 */\n        struct mlx5_wqe_eth_seg    eth;                  /*    16    16 */\n        struct mlx5_wqe_data_seg   data[];               /*    32     0 */\r\n\r\n        /* size: 32, cachelines: 1, members: 3 */\n        /* last cacheline: 32 bytes */\n};\r\n\r\nstruct mlx5_wqe_eth_seg {\n        u8                         swp_outer_l4_offset;  /*     0     1 */\n        u8                         swp_outer_l3_offset;  /*     1     1 */\n        u8                         swp_inner_l4_offset;  /*     2     1 */\n        u8                         swp_inner_l3_offset;  /*     3     1 */\n        u8                         cs_flags;             /*     4     1 */\n        u8                         swp_flags;            /*     5     1 */\n        __be16                     mss;                  /*     6     2 */\n        __be32                     flow_table_metadata;  /*     8     4 */\n        union {\n                struct {\n                        __be16     sz;                   /*    12     2 */\n                        u8         start[2];             /*    14     2 */\n                } inline_hdr;                            /*    12     4 */\n                struct {\n                        __be16     type;                 /*    12     2 */\n                        __be16     vlan_tci;             /*    14     2 */\n                } insert;                                /*    12     4 */\n                __be32             trailer;              /*    12     4 */\n        };                                               /*    12     4 */\r\n\r\n        /* size: 16, cachelines: 1, members: 9 */\n        /* last cacheline: 16 bytes */\n};\r\n\r\nstruct mlx5_wqe_data_seg {\n        __be32                     byte_count;           /*     0     4 */\n        __be32                     lkey;                 /*     4     4 */\n        __be64                     addr;                 /*     8     8 */\r\n\r\n        /* size: 16, cachelines: 1, members: 3 */\n        /* last cacheline: 16 bytes */\n};\r\n\r\nSo, split the memcpy() so the compiler can reason about the buffer\nsizes.\r\n\r\n\"pahole\" shows no size nor member offset changes to struct mlx5e_tx_wqe\nnor struct mlx5e_umr_wqe. \"objdump -d\" shows no meaningful object\ncode changes (i.e. only source line number induced differences and\noptimizations).(CVE-2022-48744)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: LAPIC: Also cancel preemption timer during SET_LAPIC\r\n\r\nThe below warning is splatting during guest reboot.\r\n\r\n  ------------[ cut here ]------------\n  WARNING: CPU: 0 PID: 1931 at arch/x86/kvm/x86.c:10322 kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]\n  CPU: 0 PID: 1931 Comm: qemu-system-x86 Tainted: G          I       5.17.0-rc1+ #5\n  RIP: 0010:kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]\n  Call Trace:\n   <TASK>\n   kvm_vcpu_ioctl+0x279/0x710 [kvm]\n   __x64_sys_ioctl+0x83/0xb0\n   do_syscall_64+0x3b/0xc0\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n  RIP: 0033:0x7fd39797350b\r\n\r\nThis can be triggered by not exposing tsc-deadline mode and doing a reboot in\nthe guest. The lapic_shutdown() function which is called in sys_reboot path\nwill not disarm the flying timer, it just masks LVTT. lapic_shutdown() clears\nAPIC state w/ LVT_MASKED and timer-mode bit is 0, this can trigger timer-mode\nswitch between tsc-deadline and oneshot/periodic, which can result in preemption\ntimer be cancelled in apic_update_lvtt(). However, We can't depend on this when\nnot exposing tsc-deadline mode and oneshot/periodic modes emulated by preemption\ntimer. Qemu will synchronise states around reset, let's cancel preemption timer\nunder KVM_SET_LAPIC.(CVE-2022-48765)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: lgdt3306a: Add a check against null-pointer-def\r\n\r\nThe driver should check whether the client provides the platform_data.\r\n\r\nThe following log reveals it:\r\n\r\n[   29.610324] BUG: KASAN: null-ptr-deref in kmemdup+0x30/0x40\n[   29.610730] Read of size 40 at addr 0000000000000000 by task bash/414\n[   29.612820] Call Trace:\n[   29.613030]  <TASK>\n[   29.613201]  dump_stack_lvl+0x56/0x6f\n[   29.613496]  ? kmemdup+0x30/0x40\n[   29.613754]  print_report.cold+0x494/0x6b7\n[   29.614082]  ? kmemdup+0x30/0x40\n[   29.614340]  kasan_report+0x8a/0x190\n[   29.614628]  ? kmemdup+0x30/0x40\n[   29.614888]  kasan_check_range+0x14d/0x1d0\n[   29.615213]  memcpy+0x20/0x60\n[   29.615454]  kmemdup+0x30/0x40\n[   29.615700]  lgdt3306a_probe+0x52/0x310\n[   29.616339]  i2c_device_probe+0x951/0xa90(CVE-2022-48772)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: mediatek: clk-mt6779: Add check for mtk_alloc_clk_data\r\n\r\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.(CVE-2023-52873)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nof: dynamic: Synchronize of_changeset_destroy() with the devlink removals\r\n\r\nIn the following sequence:\n  1) of_platform_depopulate()\n  2) of_overlay_remove()\r\n\r\nDuring the step 1, devices are destroyed and devlinks are removed.\nDuring the step 2, OF nodes are destroyed but\n__of_changeset_entry_destroy() can raise warnings related to missing\nof_node_put():\n  ERROR: memory leak, expected refcount 1 instead of 2 ...\r\n\r\nIndeed, during the devlink removals performed at step 1, the removal\nitself releasing the device (and the attached of_node) is done by a job\nqueued in a workqueue and so, it is done asynchronously with respect to\nfunction calls.\nWhen the warning is present, of_node_put() will be called but wrongly\ntoo late from the workqueue job.\r\n\r\nIn order to be sure that any ongoing devlink removals are done before\nthe of_node destruction, synchronize the of_changeset_destroy() with the\ndevlink removals.(CVE-2024-35879)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: act_skbmod: prevent kernel-infoleak\r\n\r\nsyzbot found that tcf_skbmod_dump() was copying four bytes\nfrom kernel stack to user space [1].\r\n\r\nThe issue here is that 'struct tc_skbmod' has a four bytes hole.\r\n\r\nWe need to clear the structure before filling fields.\r\n\r\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n  instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n  copy_to_user_iter lib/iov_iter.c:24 [inline]\n  iterate_ubuf include/linux/iov_iter.h:29 [inline]\n  iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n  iterate_and_advance include/linux/iov_iter.h:271 [inline]\n  _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n  copy_to_iter include/linux/uio.h:196 [inline]\n  simple_copy_to_iter net/core/datagram.c:532 [inline]\n  __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420\n  skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n  skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]\n  netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962\n  sock_recvmsg_nosec net/socket.c:1046 [inline]\n  sock_recvmsg+0x2c4/0x340 net/socket.c:1068\n  __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242\n  __do_sys_recvfrom net/socket.c:2260 [inline]\n  __se_sys_recvfrom net/socket.c:2256 [inline]\n  __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nUninit was stored to memory at:\n  pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253\n  netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317\n  netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351\n  nlmsg_unicast include/net/netlink.h:1144 [inline]\n  nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610\n  rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741\n  rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]\n  tcf_add_notify net/sched/act_api.c:2048 [inline]\n  tcf_action_add net/sched/act_api.c:2071 [inline]\n  tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119\n  rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n  netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559\n  rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613\n  netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n  netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361\n  netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:745\n  ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\n  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n  __sys_sendmsg net/socket.c:2667 [inline]\n  __do_sys_sendmsg net/socket.c:2676 [inline]\n  __se_sys_sendmsg net/socket.c:2674 [inline]\n  __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nUninit was stored to memory at:\n  __nla_put lib/nlattr.c:1041 [inline]\n  nla_put+0x1c6/0x230 lib/nlattr.c:1099\n  tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256\n  tcf_action_dump_old net/sched/act_api.c:1191 [inline]\n  tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227\n  tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251\n  tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628\n  tcf_add_notify_msg net/sched/act_api.c:2023 [inline]\n  tcf_add_notify net/sched/act_api.c:2042 [inline]\n  tcf_action_add net/sched/act_api.c:2071 [inline]\n  tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119\n  rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n  netlink_rcv_skb+0x375/0x650 net/netlink/af_netli\n---truncated---(CVE-2024-35893)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr\r\n\r\nAlthough ipv6_get_ifaddr walks inet6_addr_lst under the RCU lock, it\nstill means hlist_for_each_entry_rcu can return an item that got removed\nfrom the list. The memory itself of such item is not freed thanks to RCU\nbut nothing guarantees the actual content of the memory is sane.\r\n\r\nIn particular, the reference count can be zero. This can happen if\nipv6_del_addr is called in parallel. ipv6_del_addr removes the entry\nfrom inet6_addr_lst (hlist_del_init_rcu(&ifp->addr_lst)) and drops all\nreferences (__in6_ifa_put(ifp) + in6_ifa_put(ifp)). With bad enough\ntiming, this can happen:\r\n\r\n1. In ipv6_get_ifaddr, hlist_for_each_entry_rcu returns an entry.\r\n\r\n2. Then, the whole ipv6_del_addr is executed for the given entry. The\n   reference count drops to zero and kfree_rcu is scheduled.\r\n\r\n3. ipv6_get_ifaddr continues and tries to increments the reference count\n   (in6_ifa_hold).\r\n\r\n4. The rcu is unlocked and the entry is freed.\r\n\r\n5. The freed entry is returned.\r\n\r\nPrevent increasing of the reference count in such case. The name\nin6_ifa_hold_safe is chosen to mimic the existing fib6_info_hold_safe.\r\n\r\n[   41.506330] refcount_t: addition on 0; use-after-free.\n[   41.506760] WARNING: CPU: 0 PID: 595 at lib/refcount.c:25 refcount_warn_saturate+0xa5/0x130\n[   41.507413] Modules linked in: veth bridge stp llc\n[   41.507821] CPU: 0 PID: 595 Comm: python3 Not tainted 6.9.0-rc2.main-00208-g49563be82afa #14\n[   41.508479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n[   41.509163] RIP: 0010:refcount_warn_saturate+0xa5/0x130\n[   41.509586] Code: ad ff 90 0f 0b 90 90 c3 cc cc cc cc 80 3d c0 30 ad 01 00 75 a0 c6 05 b7 30 ad 01 01 90 48 c7 c7 38 cc 7a 8c e8 cc 18 ad ff 90 <0f> 0b 90 90 c3 cc cc cc cc 80 3d 98 30 ad 01 00 0f 85 75 ff ff ff\n[   41.510956] RSP: 0018:ffffbda3c026baf0 EFLAGS: 00010282\n[   41.511368] RAX: 0000000000000000 RBX: ffff9e9c46914800 RCX: 0000000000000000\n[   41.511910] RDX: ffff9e9c7ec29c00 RSI: ffff9e9c7ec1c900 RDI: ffff9e9c7ec1c900\n[   41.512445] RBP: ffff9e9c43660c9c R08: 0000000000009ffb R09: 00000000ffffdfff\n[   41.512998] R10: 00000000ffffdfff R11: ffffffff8ca58a40 R12: ffff9e9c4339a000\n[   41.513534] R13: 0000000000000001 R14: ffff9e9c438a0000 R15: ffffbda3c026bb48\n[   41.514086] FS:  00007fbc4cda1740(0000) GS:ffff9e9c7ec00000(0000) knlGS:0000000000000000\n[   41.514726] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   41.515176] CR2: 000056233b337d88 CR3: 000000000376e006 CR4: 0000000000370ef0\n[   41.515713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[   41.516252] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[   41.516799] Call Trace:\n[   41.517037]  <TASK>\n[   41.517249]  ? __warn+0x7b/0x120\n[   41.517535]  ? refcount_warn_saturate+0xa5/0x130\n[   41.517923]  ? report_bug+0x164/0x190\n[   41.518240]  ? handle_bug+0x3d/0x70\n[   41.518541]  ? exc_invalid_op+0x17/0x70\n[   41.520972]  ? asm_exc_invalid_op+0x1a/0x20\n[   41.521325]  ? refcount_warn_saturate+0xa5/0x130\n[   41.521708]  ipv6_get_ifaddr+0xda/0xe0\n[   41.522035]  inet6_rtm_getaddr+0x342/0x3f0\n[   41.522376]  ? __pfx_inet6_rtm_getaddr+0x10/0x10\n[   41.522758]  rtnetlink_rcv_msg+0x334/0x3d0\n[   41.523102]  ? netlink_unicast+0x30f/0x390\n[   41.523445]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10\n[   41.523832]  netlink_rcv_skb+0x53/0x100\n[   41.524157]  netlink_unicast+0x23b/0x390\n[   41.524484]  netlink_sendmsg+0x1f2/0x440\n[   41.524826]  __sys_sendto+0x1d8/0x1f0\n[   41.525145]  __x64_sys_sendto+0x1f/0x30\n[   41.525467]  do_syscall_64+0xa5/0x1b0\n[   41.525794]  entry_SYSCALL_64_after_hwframe+0x72/0x7a\n[   41.526213] RIP: 0033:0x7fbc4cfcea9a\n[   41.526528] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89\n[   41.527942] RSP: 002b:00007f\n---truncated---(CVE-2024-35969)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nriscv: Fix TASK_SIZE on 64-bit NOMMU\r\n\r\nOn NOMMU, userspace memory can come from anywhere in physical RAM. The\ncurrent definition of TASK_SIZE is wrong if any RAM exists above 4G,\ncausing spurious failures in the userspace access routines.(CVE-2024-35988)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: idxd: Fix oops during rmmod on single-CPU platforms\r\n\r\nDuring the removal of the idxd driver, registered offline callback is\ninvoked as part of the clean up process. However, on systems with only\none CPU online, no valid target is available to migrate the\nperf context, resulting in a kernel oops:\r\n\r\n    BUG: unable to handle page fault for address: 000000000002a2b8\n    #PF: supervisor write access in kernel mode\n    #PF: error_code(0x0002) - not-present page\n    PGD 1470e1067 P4D 0\n    Oops: 0002 [#1] PREEMPT SMP NOPTI\n    CPU: 0 PID: 20 Comm: cpuhp/0 Not tainted 6.8.0-rc6-dsa+ #57\n    Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.86B.2492.D03.2307181620 07/18/2023\n    RIP: 0010:mutex_lock+0x2e/0x50\n    ...\n    Call Trace:\n    <TASK>\n    __die+0x24/0x70\n    page_fault_oops+0x82/0x160\n    do_user_addr_fault+0x65/0x6b0\n    __pfx___rdmsr_safe_on_cpu+0x10/0x10\n    exc_page_fault+0x7d/0x170\n    asm_exc_page_fault+0x26/0x30\n    mutex_lock+0x2e/0x50\n    mutex_lock+0x1e/0x50\n    perf_pmu_migrate_context+0x87/0x1f0\n    perf_event_cpu_offline+0x76/0x90 [idxd]\n    cpuhp_invoke_callback+0xa2/0x4f0\n    __pfx_perf_event_cpu_offline+0x10/0x10 [idxd]\n    cpuhp_thread_fun+0x98/0x150\n    smpboot_thread_fn+0x27/0x260\n    smpboot_thread_fn+0x1af/0x260\n    __pfx_smpboot_thread_fn+0x10/0x10\n    kthread+0x103/0x140\n    __pfx_kthread+0x10/0x10\n    ret_from_fork+0x31/0x50\n    __pfx_kthread+0x10/0x10\n    ret_from_fork_asm+0x1b/0x30\n    <TASK>\r\n\r\nFix the issue by preventing the migration of the perf context to an\ninvalid target.(CVE-2024-35989)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/arm/malidp: fix a possible null pointer dereference\r\n\r\nIn malidp_mw_connector_reset, new memory is allocated with kzalloc, but\nno check is performed. In order to prevent null pointer dereferencing,\nensure that mw_state is checked before calling\n__drm_atomic_helper_connector_reset.(CVE-2024-36014)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntls: fix missing memory barrier in tls_init\r\n\r\nIn tls_init(), a write memory barrier is missing, and store-store\nreordering may cause NULL dereference in tls_{setsockopt,getsockopt}.\r\n\r\nCPU0                               CPU1\n-----                              -----\n// In tls_init()\n// In tls_ctx_create()\nctx = kzalloc()\nctx->sk_proto = READ_ONCE(sk->sk_prot) -(1)\r\n\r\n// In update_sk_prot()\nWRITE_ONCE(sk->sk_prot, tls_prots)     -(2)\r\n\r\n                                   // In sock_common_setsockopt()\n                                   READ_ONCE(sk->sk_prot)->setsockopt()\r\n\r\n                                   // In tls_{setsockopt,getsockopt}()\n                                   ctx->sk_proto->setsockopt()    -(3)\r\n\r\nIn the above scenario, when (1) and (2) are reordered, (3) can observe\nthe NULL value of ctx->sk_proto, causing NULL dereference.\r\n\r\nTo fix it, we rely on rcu_assign_pointer() which implies the release\nbarrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is\ninitialized, we can ensure that ctx->sk_proto are visible when\nchanging sk->sk_prot.(CVE-2024-36489)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvirtio: delete vq in vp_find_vqs_msix() when request_irq() fails\r\n\r\nWhen request_irq() fails, error path calls vp_del_vqs(). There, as vq is\npresent in the list, free_irq() is called for the same vector. That\ncauses following splat:\r\n\r\n[    0.414355] Trying to free already-free IRQ 27\n[    0.414403] WARNING: CPU: 1 PID: 1 at kernel/irq/manage.c:1899 free_irq+0x1a1/0x2d0\n[    0.414510] Modules linked in:\n[    0.414540] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.9.0-rc4+ #27\n[    0.414540] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014\n[    0.414540] RIP: 0010:free_irq+0x1a1/0x2d0\n[    0.414540] Code: 1e 00 48 83 c4 08 48 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 90 8b 74 24 04 48 c7 c7 98 80 6c b1 e8 00 c9 f7 ff 90 <0f> 0b 90 90 48 89 ee 4c 89 ef e8 e0 20 b8 00 49 8b 47 40 48 8b 40\n[    0.414540] RSP: 0000:ffffb71480013ae0 EFLAGS: 00010086\n[    0.414540] RAX: 0000000000000000 RBX: ffffa099c2722000 RCX: 0000000000000000\n[    0.414540] RDX: 0000000000000000 RSI: ffffb71480013998 RDI: 0000000000000001\n[    0.414540] RBP: 0000000000000246 R08: 00000000ffffdfff R09: 0000000000000001\n[    0.414540] R10: 00000000ffffdfff R11: ffffffffb18729c0 R12: ffffa099c1c91760\n[    0.414540] R13: ffffa099c1c916a4 R14: ffffa099c1d2f200 R15: ffffa099c1c91600\n[    0.414540] FS:  0000000000000000(0000) GS:ffffa099fec40000(0000) knlGS:0000000000000000\n[    0.414540] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    0.414540] CR2: 0000000000000000 CR3: 0000000008e3e001 CR4: 0000000000370ef0\n[    0.414540] Call Trace:\n[    0.414540]  <TASK>\n[    0.414540]  ? __warn+0x80/0x120\n[    0.414540]  ? free_irq+0x1a1/0x2d0\n[    0.414540]  ? report_bug+0x164/0x190\n[    0.414540]  ? handle_bug+0x3b/0x70\n[    0.414540]  ? exc_invalid_op+0x17/0x70\n[    0.414540]  ? asm_exc_invalid_op+0x1a/0x20\n[    0.414540]  ? free_irq+0x1a1/0x2d0\n[    0.414540]  vp_del_vqs+0xc1/0x220\n[    0.414540]  vp_find_vqs_msix+0x305/0x470\n[    0.414540]  vp_find_vqs+0x3e/0x1a0\n[    0.414540]  vp_modern_find_vqs+0x1b/0x70\n[    0.414540]  init_vqs+0x387/0x600\n[    0.414540]  virtnet_probe+0x50a/0xc80\n[    0.414540]  virtio_dev_probe+0x1e0/0x2b0\n[    0.414540]  really_probe+0xc0/0x2c0\n[    0.414540]  ? __pfx___driver_attach+0x10/0x10\n[    0.414540]  __driver_probe_device+0x73/0x120\n[    0.414540]  driver_probe_device+0x1f/0xe0\n[    0.414540]  __driver_attach+0x88/0x180\n[    0.414540]  bus_for_each_dev+0x85/0xd0\n[    0.414540]  bus_add_driver+0xec/0x1f0\n[    0.414540]  driver_register+0x59/0x100\n[    0.414540]  ? __pfx_virtio_net_driver_init+0x10/0x10\n[    0.414540]  virtio_net_driver_init+0x90/0xb0\n[    0.414540]  do_one_initcall+0x58/0x230\n[    0.414540]  kernel_init_freeable+0x1a3/0x2d0\n[    0.414540]  ? __pfx_kernel_init+0x10/0x10\n[    0.414540]  kernel_init+0x1a/0x1c0\n[    0.414540]  ret_from_fork+0x31/0x50\n[    0.414540]  ? __pfx_kernel_init+0x10/0x10\n[    0.414540]  ret_from_fork_asm+0x1a/0x30\n[    0.414540]  </TASK>\r\n\r\nFix this by calling deleting the current vq when request_irq() fails.(CVE-2024-37353)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: fix crash on racing fsync and size-extending write into prealloc\r\n\r\nWe have been seeing crashes on duplicate keys in\nbtrfs_set_item_key_safe():\r\n\r\n  BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192)\n  ------------[ cut here ]------------\n  kernel BUG at fs/btrfs/ctree.c:2620!\n  invalid opcode: 0000 [#1] PREEMPT SMP PTI\n  CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\n  RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs]\r\n\r\nWith the following stack trace:\r\n\r\n  #0  btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4)\n  #1  btrfs_drop_extents (fs/btrfs/file.c:411:4)\n  #2  log_one_extent (fs/btrfs/tree-log.c:4732:9)\n  #3  btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9)\n  #4  btrfs_log_inode (fs/btrfs/tree-log.c:6626:9)\n  #5  btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8)\n  #6  btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8)\n  #7  btrfs_sync_file (fs/btrfs/file.c:1933:8)\n  #8  vfs_fsync_range (fs/sync.c:188:9)\n  #9  vfs_fsync (fs/sync.c:202:9)\n  #10 do_fsync (fs/sync.c:212:9)\n  #11 __do_sys_fdatasync (fs/sync.c:225:9)\n  #12 __se_sys_fdatasync (fs/sync.c:223:1)\n  #13 __x64_sys_fdatasync (fs/sync.c:223:1)\n  #14 do_syscall_x64 (arch/x86/entry/common.c:52:14)\n  #15 do_syscall_64 (arch/x86/entry/common.c:83:7)\n  #16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121)\r\n\r\nSo we're logging a changed extent from fsync, which is splitting an\nextent in the log tree. But this split part already exists in the tree,\ntriggering the BUG().\r\n\r\nThis is the state of the log tree at the time of the crash, dumped with\ndrgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py)\nto get more details than btrfs_print_leaf() gives us:\r\n\r\n  >>> print_extent_buffer(prog.crashed_thread().stack_trace()[0][\"eb\"])\n  leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610\n  leaf 33439744 flags 0x100000000000000\n  fs uuid e5bd3946-400c-4223-8923-190ef1f18677\n  chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da\n          item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160\n                  generation 7 transid 9 size 8192 nbytes 8473563889606862198\n                  block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0\n                  sequence 204 flags 0x10(PREALLOC)\n                  atime 1716417703.220000000 (2024-05-22 15:41:43)\n                  ctime 1716417704.983333333 (2024-05-22 15:41:44)\n                  mtime 1716417704.983333333 (2024-05-22 15:41:44)\n                  otime 17592186044416.000000000 (559444-03-08 01:40:16)\n          item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13\n                  index 195 namelen 3 name: 193\n          item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37\n                  location key (0 UNKNOWN.0 0) type XATTR\n                  transid 7 data_len 1 name_len 6\n                  name: user.a\n                  data a\n          item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53\n                  generation 9 type 1 (regular)\n                  extent data disk byte 303144960 nr 12288\n                  extent data offset 0 nr 4096 ram 12288\n                  extent compression 0 (none)\n          item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53\n                  generation 9 type 2 (prealloc)\n                  prealloc data disk byte 303144960 nr 12288\n                  prealloc data offset 4096 nr 8192\n          item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53\n                  generation 9 type 2 (prealloc)\n                  prealloc data disk byte 303144960 nr 12288\n                  prealloc data offset 8192 nr 4096\n  ...\r\n\r\nSo the real problem happened earlier: notice that items 4 (4k-12k) and 5\n(8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size and\nitem 5 starts at i_size.\r\n\r\nHere is the state of \n---truncated---(CVE-2024-37354)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfc: nci: Fix uninit-value in nci_rx_work\r\n\r\nsyzbot reported the following uninit-value access issue [1]\r\n\r\nnci_rx_work() parses received packet from ndev->rx_q. It should be\nvalidated header size, payload size and total packet size before\nprocessing the packet. If an invalid packet is detected, it should be\nsilently discarded.(CVE-2024-38381)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries\r\n\r\nThe allocation failure of mycs->yuv_scaler_binary in load_video_binaries()\nis followed with a dereference of mycs->yuv_scaler_binary after the\nfollowing call chain:\r\n\r\nsh_css_pipe_load_binaries()\n  |-> load_video_binaries(mycs->yuv_scaler_binary == NULL)\n  |\n  |-> sh_css_pipe_unload_binaries()\n        |-> unload_video_binaries()\r\n\r\nIn unload_video_binaries(), it calls to ia_css_binary_unload with argument\n&pipe->pipe_settings.video.yuv_scaler_binary[i], which refers to the\nsame memory slot as mycs->yuv_scaler_binary. Thus, a null-pointer\ndereference is triggered.(CVE-2024-38547)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Fix potential index out of bounds in color transformation function\r\n\r\nFixes index out of bounds issue in the color transformation function.\nThe issue could occur when the index 'i' exceeds the number of transfer\nfunction points (TRANSFER_FUNC_POINTS).\r\n\r\nThe fix adds a check to ensure 'i' is within bounds before accessing the\ntransfer function points. If 'i' is out of bounds, an error message is\nlogged and the function returns false to indicate an error.\r\n\r\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:405 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:406 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:407 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max(CVE-2024-38552)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: fec: remove .ndo_poll_controller to avoid deadlocks\r\n\r\nThere is a deadlock issue found in sungem driver, please refer to the\ncommit ac0a230f719b (\"eth: sungem: remove .ndo_poll_controller to avoid\ndeadlocks\"). The root cause of the issue is that netpoll is in atomic\ncontext and disable_irq() is called by .ndo_poll_controller interface\nof sungem driver, however, disable_irq() might sleep. After analyzing\nthe implementation of fec_poll_controller(), the fec driver should have\nthe same issue. Due to the fec driver uses NAPI for TX completions, the\n.ndo_poll_controller is unnecessary to be implemented in the fec driver,\nso fec_poll_controller() can be safely removed.(CVE-2024-38553)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nax25: Fix reference count leak issue of net_device\r\n\r\nThere is a reference count leak issue of the object \"net_device\" in\nax25_dev_device_down(). When the ax25 device is shutting down, the\nax25_dev_device_down() drops the reference count of net_device one\nor zero times depending on if we goto unlock_put or not, which will\ncause memory leak.\r\n\r\nIn order to solve the above issue, decrease the reference count of\nnet_device after dev->ax25_ptr is set to null.(CVE-2024-38554)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nrcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow\r\n\r\nThere is a possibility of buffer overflow in\nshow_rcu_tasks_trace_gp_kthread() if counters, passed\nto sprintf() are huge. Counter numbers, needed for this\nare unrealistically high, but buffer overflow is still\npossible.\r\n\r\nUse snprintf() with buffer size instead of sprintf().\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-38577)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: bcm - Fix pointer arithmetic\r\n\r\nIn spu2_dump_omd() value of ptr is increased by ciph_key_len\ninstead of hash_iv_len which could lead to going beyond the\nbuffer boundaries.\nFix this bug by changing ciph_key_len to hash_iv_len.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-38579)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix potential hang in nilfs_detach_log_writer()\r\n\r\nSyzbot has reported a potential hang in nilfs_detach_log_writer() called\nduring nilfs2 unmount.\r\n\r\nAnalysis revealed that this is because nilfs_segctor_sync(), which\nsynchronizes with the log writer thread, can be called after\nnilfs_segctor_destroy() terminates that thread, as shown in the call trace\nbelow:\r\n\r\nnilfs_detach_log_writer\n  nilfs_segctor_destroy\n    nilfs_segctor_kill_thread  --> Shut down log writer thread\n    flush_work\n      nilfs_iput_work_func\n        nilfs_dispose_list\n          iput\n            nilfs_evict_inode\n              nilfs_transaction_commit\n                nilfs_construct_segment (if inode needs sync)\n                  nilfs_segctor_sync  --> Attempt to synchronize with\n                                          log writer thread\n                           *** DEADLOCK ***\r\n\r\nFix this issue by changing nilfs_segctor_sync() so that the log writer\nthread returns normally without synchronizing after it terminates, and by\nforcing tasks that are already waiting to complete once after the thread\nterminates.\r\n\r\nThe skipped inode metadata flushout will then be processed together in the\nsubsequent cleanup work in nilfs_segctor_destroy().(CVE-2024-38582)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix use-after-free of timer for log writer thread\r\n\r\nPatch series \"nilfs2: fix log writer related issues\".\r\n\r\nThis bug fix series covers three nilfs2 log writer-related issues,\nincluding a timer use-after-free issue and potential deadlock issue on\nunmount, and a potential freeze issue in event synchronization found\nduring their analysis.  Details are described in each commit log.\r\n\r\n\nThis patch (of 3):\r\n\r\nA use-after-free issue has been reported regarding the timer sc_timer on\nthe nilfs_sc_info structure.\r\n\r\nThe problem is that even though it is used to wake up a sleeping log\nwriter thread, sc_timer is not shut down until the nilfs_sc_info structure\nis about to be freed, and is used regardless of the thread's lifetime.\r\n\r\nFix this issue by limiting the use of sc_timer only while the log writer\nthread is alive.(CVE-2024-38583)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/hns: Modify the print level of CQE error\r\n\r\nToo much print may lead to a panic in kernel. Change ibdev_err() to\nibdev_err_ratelimited(), and change the printing level of cqe dump\nto debug level.(CVE-2024-38590)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\naf_unix: Fix data races in unix_release_sock/unix_stream_sendmsg\r\n\r\nA data-race condition has been identified in af_unix. In one data path,\nthe write function unix_release_sock() atomically writes to\nsk->sk_shutdown using WRITE_ONCE. However, on the reader side,\nunix_stream_sendmsg() does not read it atomically. Consequently, this\nissue is causing the following KCSAN splat to occur:\r\n\r\n\tBUG: KCSAN: data-race in unix_release_sock / unix_stream_sendmsg\r\n\r\n\twrite (marked) to 0xffff88867256ddbb of 1 bytes by task 7270 on cpu 28:\n\tunix_release_sock (net/unix/af_unix.c:640)\n\tunix_release (net/unix/af_unix.c:1050)\n\tsock_close (net/socket.c:659 net/socket.c:1421)\n\t__fput (fs/file_table.c:422)\n\t__fput_sync (fs/file_table.c:508)\n\t__se_sys_close (fs/open.c:1559 fs/open.c:1541)\n\t__x64_sys_close (fs/open.c:1541)\n\tx64_sys_call (arch/x86/entry/syscall_64.c:33)\n\tdo_syscall_64 (arch/x86/entry/common.c:?)\n\tentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\r\n\r\n\tread to 0xffff88867256ddbb of 1 bytes by task 989 on cpu 14:\n\tunix_stream_sendmsg (net/unix/af_unix.c:2273)\n\t__sock_sendmsg (net/socket.c:730 net/socket.c:745)\n\t____sys_sendmsg (net/socket.c:2584)\n\t__sys_sendmmsg (net/socket.c:2638 net/socket.c:2724)\n\t__x64_sys_sendmmsg (net/socket.c:2753 net/socket.c:2750 net/socket.c:2750)\n\tx64_sys_call (arch/x86/entry/syscall_64.c:33)\n\tdo_syscall_64 (arch/x86/entry/common.c:?)\n\tentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\r\n\r\n\tvalue changed: 0x01 -> 0x03\r\n\r\nThe line numbers are related to commit dd5a440a31fa (\"Linux 6.9-rc7\").\r\n\r\nCommit e1d09c2c2f57 (\"af_unix: Fix data races around sk->sk_shutdown.\")\naddressed a comparable issue in the past regarding sk->sk_shutdown.\nHowever, it overlooked resolving this particular data path.\nThis patch only offending unix_stream_sendmsg() function, since the\nother reads seem to be protected by unix_state_lock() as discussed in(CVE-2024-38596)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nax25: Fix reference count leak issues of ax25_dev\r\n\r\nThe ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference\ncount leak issue of the object \"ax25_dev\".\r\n\r\nMemory leak issue in ax25_addr_ax25dev():\r\n\r\nThe reference count of the object \"ax25_dev\" can be increased multiple\ntimes in ax25_addr_ax25dev(). This will cause a memory leak.\r\n\r\nMemory leak issues in ax25_dev_device_down():\r\n\r\nThe reference count of ax25_dev is set to 1 in ax25_dev_device_up() and\nthen increase the reference count when ax25_dev is added to ax25_dev_list.\nAs a result, the reference count of ax25_dev is 2. But when the device is\nshutting down. The ax25_dev_device_down() drops the reference count once\nor twice depending on if we goto unlock_put or not, which will cause\nmemory leak.\r\n\r\nAs for the issue of ax25_addr_ax25dev(), it is impossible for one pointer\nto be on a list twice. So add a break in ax25_addr_ax25dev(). As for the\nissue of ax25_dev_device_down(), increase the reference count of ax25_dev\nonce in ax25_dev_device_up() and decrease the reference count of ax25_dev\nafter it is removed from the ax25_dev_list.(CVE-2024-38602)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrivers/perf: hisi: hns3: Actually use devm_add_action_or_reset()\r\n\r\npci_alloc_irq_vectors() allocates an irq vector. When devm_add_action()\nfails, the irq vector is not freed, which leads to a memory leak.\r\n\r\nReplace the devm_add_action with devm_add_action_or_reset to ensure\nthe irq vector can be destroyed when it fails.(CVE-2024-38603)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/ntfs3: Check 'folio' pointer for NULL\r\n\r\nIt can be NULL if bmap is called.(CVE-2024-38625)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nserial: max3100: Update uart_driver_registered on driver removal\r\n\r\nThe removal of the last MAX3100 device triggers the removal of\nthe driver. However, code doesn't update the respective global\nvariable and after insmod — rmmod — insmod cycle the kernel\noopses:\r\n\r\n  max3100 spi-PRP0001:01: max3100_probe: adding port 0\n  BUG: kernel NULL pointer dereference, address: 0000000000000408\n  ...\n  RIP: 0010:serial_core_register_port+0xa0/0x840\n  ...\n   max3100_probe+0x1b6/0x280 [max3100]\n   spi_probe+0x8d/0xb0\r\n\r\nUpdate the actual state so next time UART driver will be registered\nagain.\r\n\r\nHugo also noticed, that the error path in the probe also affected\nby having the variable set, and not cleared. Instead of clearing it\nmove the assignment after the successfull uart_register_driver() call.(CVE-2024-38633)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngreybus: lights: check return of get_channel_from_mode\r\n\r\nIf channel for the given node is not found we return null from\nget_channel_from_mode. Make sure we validate the return pointer\nbefore using it in two of the missing places.\r\n\r\nThis was originally reported in [0]:\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\r\n\r\n[0] https://lore.kernel.org/all/20240301190425.120605-1-m.lobanov@rosalinux.ru(CVE-2024-38637)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndma-buf/sw-sync: don't enable IRQ from sync_print_obj()\r\n\r\nSince commit a6aa8fca4d79 (\"dma-buf/sw-sync: Reduce irqsave/irqrestore from\nknown context\") by error replaced spin_unlock_irqrestore() with\nspin_unlock_irq() for both sync_debugfs_show() and sync_print_obj() despite\nsync_print_obj() is called from sync_debugfs_show(), lockdep complains\ninconsistent lock state warning.\r\n\r\nUse plain spin_{lock,unlock}() for sync_print_obj(), for\nsync_debugfs_show() is already using spin_{lock,unlock}_irq().(CVE-2024-38780)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/9p: fix uninit-value in p9_client_rpc()\r\n\r\nSyzbot with the help of KMSAN reported the following error:\r\n\r\nBUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline]\nBUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n trace_9p_client_res include/trace/events/9p.h:146 [inline]\n p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nUninit was created at:\n __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598\n __alloc_pages_node include/linux/gfp.h:238 [inline]\n alloc_pages_node include/linux/gfp.h:261 [inline]\n alloc_slab_page mm/slub.c:2175 [inline]\n allocate_slab mm/slub.c:2338 [inline]\n new_slab+0x2de/0x1400 mm/slub.c:2391\n ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525\n __slab_alloc mm/slub.c:3610 [inline]\n __slab_alloc_node mm/slub.c:3663 [inline]\n slab_alloc_node mm/slub.c:3835 [inline]\n kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852\n p9_tag_alloc net/9p/client.c:278 [inline]\n p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641\n p9_client_rpc+0x27e/0x1340 net/9p/client.c:688\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nIf p9_check_errors() fails early in p9_client_rpc(), req->rc.tag\nwill not be properly initialized. However, trace_9p_client_res()\nends up trying to print it out anyway before p9_client_rpc()\nfinishes.\r\n\r\nFix this issue by assigning default values to p9_fcall fields\nsuch as 'tag' and (just in case KMSAN unearths something new) 'id'\nduring the tag allocation stage.(CVE-2024-39301)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2024-39362)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()\r\n\r\nsyzbot reports a kernel bug as below:\r\n\r\nF2FS-fs (loop0): Mounted with checkpoint version = 48b305e4\n==================================================================\nBUG: KASAN: slab-out-of-bounds in f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\nBUG: KASAN: slab-out-of-bounds in current_nat_addr fs/f2fs/node.h:213 [inline]\nBUG: KASAN: slab-out-of-bounds in f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\nRead of size 1 at addr ffff88807a58c76c by task syz-executor280/5076\r\n\r\nCPU: 1 PID: 5076 Comm: syz-executor280 Not tainted 6.9.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\n current_nat_addr fs/f2fs/node.h:213 [inline]\n f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\n f2fs_xattr_fiemap fs/f2fs/data.c:1848 [inline]\n f2fs_fiemap+0x55d/0x1ee0 fs/f2fs/data.c:1925\n ioctl_fiemap fs/ioctl.c:220 [inline]\n do_vfs_ioctl+0x1c07/0x2e50 fs/ioctl.c:838\n __do_sys_ioctl fs/ioctl.c:902 [inline]\n __se_sys_ioctl+0x81/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\nThe root cause is we missed to do sanity check on i_xattr_nid during\nf2fs_iget(), so that in fiemap() path, current_nat_addr() will access\nnat_bitmap w/ offset from invalid i_xattr_nid, result in triggering\nkasan bug report, fix it.(CVE-2024-39467)",
+    "cves": [
+      {
+        "id": "CVE-2024-39467",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39467",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1462": {
+    "id": "openEuler-SA-2023-1462",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1462",
+    "title": "An update for libtiff is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Low",
+    "description": "This libtiff provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. The latest version of the TIFF specification is available on-line in several different formats.And contains command-line programs for manipulating TIFF format image files using the libtiff library.\r\n\r\nSecurity Fix(es):\r\n\r\nMultiple potential integer overflow in raw2tiff.c in libtiff <= 4.5.1 can allow remote attackers to cause a denial of service (application crash) or possibly execute an arbitrary code via a crafted tiff image which triggers a heap-based buffer overflow.(CVE-2023-38288)\r\n\r\nMultiple potential integer overflow in tiffcp.c in libtiff <= 4.5.1 can allow remote attackers to cause a denial of service (application crash) or possibly execute an arbitrary code via a crafted tiff image which triggers a heap-based buffer overflow.(CVE-2023-38289)",
+    "cves": [
+      {
+        "id": "CVE-2023-38289",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38289",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1857": {
+    "id": "openEuler-SA-2023-1857",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1857",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Low",
+    "description": "This  provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. The latest version of the TIFF specification is available on-line in several different formats.And contains command-line programs for manipulating TIFF format image files using the libtiff library.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was found in the tiffcp utility distributed by the libtiff package. Processing a crafted TIFF file may cause a heap-based buffer overflow, resulting in an application crash.\r\n\r\nReference:\nhttps://gitlab.com/libtiff/libtiff/-/issues/606(CVE-2023-6228)",
+    "cves": [
+      {
+        "id": "CVE-2023-6228",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6228",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1575": {
+    "id": "openEuler-SA-2023-1575",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1575",
+    "title": "An update for gawk is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Low",
+    "description": "The gawk package is the GNU implementation of awk. The awk utility interprets a special-purpose programming language that makes it possible to handle simple data-reformatting jobs with just a few lines of code.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap out of bound read issue exists in builtin.c of gawk prior to version 5.1.1. The array \"the_args\" takes an unsafe index \"val\", while it does not validate the index to ensure the index refers to a valid position in the array (e.g., exceedingly large or negative). The vulnerability can cause crash of the software and might be used by attackers to read sensitive information.\r\n\r\nhttps://mail.gnu.org/archive/html/bug-gawk/2022-08/msg00000.html\nhttps://mail.gnu.org/archive/html/bug-gawk/2022-08/msg00023.html\nhttps://fossies.org/linux/gawk/ChangeLog#470 (Line: 470-475)(CVE-2023-4156)",
+    "cves": [
+      {
+        "id": "CVE-2023-4156",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4156",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1366": {
+    "id": "openEuler-SA-2023-1366",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1366",
+    "title": "An update for postgresql-jdbc is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. \r\n\r\nSecurity Fix(es):\r\n\r\npgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either `PreparedStatement.setText(int, InputStream)` or `PreparedStatemet.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability.(CVE-2022-41946)",
+    "cves": [
+      {
+        "id": "CVE-2022-41946",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41946",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1260": {
+    "id": "openEuler-SA-2021-1260",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1260",
+    "title": "An update for python-urllib3 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.(CVE-2021-33503)",
+    "cves": [
+      {
+        "id": "CVE-2021-33503",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33503",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1375": {
+    "id": "openEuler-SA-2021-1375",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1375",
+    "title": "An update for mysql is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The MySQL(TM) software delivers a very fast, multi-threaded, multi-user, and robust SQL (Structured Query Language) database server. MySQL Server is intended for mission-critical, heavy-load production systems as well as for embedding into mass-deployed software. MySQL is a trademark of Oracle and/or its affiliates\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2342)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2367)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.1 Base Score 4.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N).(CVE-2021-2374)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2372)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2399)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: GIS). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data and unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H).(CVE-2021-2417)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2387)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Locking). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2402)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2384)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2425)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2437)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2390)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2370)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2418)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2410)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2383)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H).(CVE-2021-2385)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2389)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2426)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2427)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2441)",
+    "cves": [
+      {
+        "id": "CVE-2021-2441",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-2441",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1236": {
+    "id": "openEuler-SA-2021-1236",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1236",
+    "title": "An update for rubygem-actionpack is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Eases web-request routing, handling, and response as a half-way front, half-way page controller. Implemented with specific emphasis on enabling easy unit/integration testing that doesn't require a browser.\r\n\r\nSecurity Fix(es):\r\n\r\nA possible information disclosure/unintended method execution vulnerability in Action Pack >= 2.0.0 when using the redirect_to or polymorphic_urlhelper with untrusted user input.(CVE-2021-22885)",
+    "cves": [
+      {
+        "id": "CVE-2021-22885",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22885",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1901": {
+    "id": "openEuler-SA-2023-1901",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1901",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Low",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nVim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a `:s` command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive `:s` call causes free-ing of memory which may later then be accessed by the initial `:s` command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue.(CVE-2023-48706)",
+    "cves": [
+      {
+        "id": "CVE-2023-48706",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48706",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1227": {
+    "id": "openEuler-SA-2021-1227",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1227",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\n\nSecurity Fix(es):\n\nA flaw was found in vhost-user-gpu of QEMU in versions up to and including 6.0. An out-of-bounds write vulnerability can allow a malicious guest to crash the QEMU process on the host resulting in a denial of service or potentially execute arbitrary code on the host with the privileges of the QEMU process. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2021-3546)\n\nAn information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host.(CVE-2021-3545)\n\nSeveral memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime.(CVE-2021-3544)",
+    "cves": [
+      {
+        "id": "CVE-2021-3544",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3544",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1297": {
+    "id": "openEuler-SA-2023-1297",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1297",
+    "title": "An update for cloud-init is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Cloud-init is the defacto multi-distribution package that handles early initialization of a cloud instance.\r\n\r\nSecurity Fix(es):\r\n\r\nSensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege.(CVE-2023-1786)",
+    "cves": [
+      {
+        "id": "CVE-2023-1786",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1786",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1344": {
+    "id": "openEuler-SA-2021-1344",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1344",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nvim is vulnerable to Heap-based Buffer Overflow(CVE-2021-3770)",
+    "cves": [
+      {
+        "id": "CVE-2021-3770",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3770",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2139": {
+    "id": "openEuler-SA-2022-2139",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2139",
+    "title": "An update for kubernetes is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Low",
+    "description": "Container cluster management.\r\n\r\nSecurity Fix(es):\r\n\r\nA security issue was discovered with Kubernetes that could enable users to send network traffic to locations they would otherwise not have access to via a confused deputy attack.(CVE-2021-25740)",
+    "cves": [
+      {
+        "id": "CVE-2021-25740",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25740",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1516": {
+    "id": "openEuler-SA-2024-1516",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1516",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free.(CVE-2023-0330)\r\n\r\nA double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently protects against DMA reentrancy issues. This issue could allow a malicious privileged guest user to crash the QEMU process on the host, resulting in a denial of service or allow arbitrary code execution within the context of the QEMU process on the host.(CVE-2024-3446)\r\n\r\nA heap-based buffer overflow was found in the SDHCI device emulation of QEMU. The bug is triggered when both `s->data_count` and the size of  `s->fifo_buffer` are set to 0x200, leading to an out-of-bound access. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.(CVE-2024-3447)",
+    "cves": [
+      {
+        "id": "CVE-2024-3447",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3447",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1231": {
+    "id": "openEuler-SA-2023-1231",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1231",
+    "title": "An update for samba is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nThe Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection.(CVE-2023-0922)",
+    "cves": [
+      {
+        "id": "CVE-2023-0922",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0922",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1275": {
+    "id": "openEuler-SA-2024-1275",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1275",
+    "title": "An update for migration-tools is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "A tool to help users migrate the Centos system to the UOS system and openEuler system.\r\n\r\nSecurity Fix(es):\r\n\r\nBy sending HTTP requests to access a specific interface, attackers can execute arbitrary commands with root privileges on remote machines.(CVE-2024-24892)",
+    "cves": [
+      {
+        "id": "CVE-2024-24892",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24892",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1864": {
+    "id": "openEuler-SA-2024-1864",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1864",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq\r\n\r\nUndefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called\nwith hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.\nIn that case, \"roundup_pow_of_two(hwq_attr->aux_stride)\" gets called.\nroundup_pow_of_two is documented as undefined for 0.\r\n\r\nFix it in the one caller that had this combination.\r\n\r\nThe undefined behavior was detected by UBSAN:\n  UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13\n  shift exponent 64 is too large for 64-bit type 'long unsigned int'\n  CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4\n  Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x5d/0x80\n   ubsan_epilogue+0x5/0x30\n   __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec\n   __roundup_pow_of_two+0x25/0x35 [bnxt_re]\n   bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]\n   bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]\n   bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? __kmalloc+0x1b6/0x4f0\n   ? create_qp.part.0+0x128/0x1c0 [ib_core]\n   ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]\n   create_qp.part.0+0x128/0x1c0 [ib_core]\n   ib_create_qp_kernel+0x50/0xd0 [ib_core]\n   create_mad_qp+0x8e/0xe0 [ib_core]\n   ? __pfx_qp_event_handler+0x10/0x10 [ib_core]\n   ib_mad_init_device+0x2be/0x680 [ib_core]\n   add_client_context+0x10d/0x1a0 [ib_core]\n   enable_device_and_get+0xe0/0x1d0 [ib_core]\n   ib_register_device+0x53c/0x630 [ib_core]\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   bnxt_re_probe+0xbd8/0xe50 [bnxt_re]\n   ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]\n   auxiliary_bus_probe+0x49/0x80\n   ? driver_sysfs_add+0x57/0xc0\n   really_probe+0xde/0x340\n   ? pm_runtime_barrier+0x54/0x90\n   ? __pfx___driver_attach+0x10/0x10\n   __driver_probe_device+0x78/0x110\n   driver_probe_device+0x1f/0xa0\n   __driver_attach+0xba/0x1c0\n   bus_for_each_dev+0x8f/0xe0\n   bus_add_driver+0x146/0x220\n   driver_register+0x72/0xd0\n   __auxiliary_driver_register+0x6e/0xd0\n   ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n   bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]\n   ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n   do_one_initcall+0x5b/0x310\n   do_init_module+0x90/0x250\n   init_module_from_file+0x86/0xc0\n   idempotent_init_module+0x121/0x2b0\n   __x64_sys_finit_module+0x5e/0xb0\n   do_syscall_64+0x82/0x160\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? syscall_exit_to_user_mode_prepare+0x149/0x170\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? syscall_exit_to_user_mode+0x75/0x230\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? do_syscall_64+0x8e/0x160\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? __count_memcg_events+0x69/0x100\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? count_memcg_events.constprop.0+0x1a/0x30\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? handle_mm_fault+0x1f0/0x300\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? do_user_addr_fault+0x34e/0x640\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7f4e5132821d\n  Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48\n  RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\n  RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d\n  RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b\n  RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0\n  R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d\n  R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60\n   </TASK>\n  ---[ end trace ]---(CVE-2024-38540)",
+    "cves": [
+      {
+        "id": "CVE-2024-38540",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38540",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1383": {
+    "id": "openEuler-SA-2023-1383",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1383",
+    "title": "An update for runc is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "runc is a CLI tool for spawning and running containers according to the OCI specification.\r\n\r\nSecurity Fix(es):\r\n\r\nrunc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image.(CVE-2023-28642)",
+    "cves": [
+      {
+        "id": "CVE-2023-28642",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28642",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1483": {
+    "id": "openEuler-SA-2023-1483",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1483",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Low",
+    "description": "This libtiff provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. The latest version of the TIFF specification is available on-line in several different formats.And contains command-line programs for manipulating TIFF format image files using the libtiff library.\r\n\r\nSecurity Fix(es):\r\n\r\nMultiple potential integer overflow in raw2tiff.c in libtiff <= 4.5.1 can allow remote attackers to cause a denial of service (application crash) or possibly execute an arbitrary code via a crafted tiff image which triggers a heap-based buffer overflow.(CVE-2023-38288)",
+    "cves": [
+      {
+        "id": "CVE-2023-38288",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38288",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1544": {
+    "id": "openEuler-SA-2022-1544",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1544",
+    "title": "An update for nodejs-grunt is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Grunt is the JavaScript task runner. Why use a task runner? In one word: automation. The less work you have to do when performing repetitive tasks like minification, compilation, unit testing, linting, etc, the easier your job becomes. After you've configured it, a task runner can do most of that mundane work for you with basically zero effort.\r\n\r\nSecurity Fix(es):\r\n\r\nThe package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.(CVE-2020-7729)",
+    "cves": [
+      {
+        "id": "CVE-2020-7729",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7729",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1518": {
+    "id": "openEuler-SA-2023-1518",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1518",
+    "title": "An update for python3 is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces. This package Provides python version 3.\n\nSecurity Fix(es):\n\nDirectory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.(CVE-2007-4559)",
+    "cves": [
+      {
+        "id": "CVE-2007-4559",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-4559",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1004": {
+    "id": "openEuler-SA-2021-1004",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1004",
+    "title": "An update for curl is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nDue to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data.(CVE-2020-8231)\\r\\n\\r\\n\r\ncurl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.(CVE-2020-8286)\\r\\n\\r\\n\r\ncurl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.(CVE-2020-8285)\\r\\n\\r\\n\nA malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.(CVE-2020-8284)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2020-8284",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8284",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1534": {
+    "id": "openEuler-SA-2024-1534",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1534",
+    "title": "An update for uriparser is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The package is a strictly RFC 3986 compliant URI parsing library written in C89(\"ANSI C\"). uriparser is cross-platform, fast, supports Unicode and is licensed under the New BSD license. There are a number of applications, libraries and hardware using uriparser, as well as bindings and 3rd-party wrappers. uriparser is packaged in major distributions.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in uriparser through 0.9.7. ComposeQueryEngine in UriQuery.c has an integer overflow via long keys or values, with a resultant buffer overflow.(CVE-2024-34402)\r\n\r\nAn issue was discovered in uriparser through 0.9.7. ComposeQueryMallocExMm in UriQuery.c has an integer overflow via a long string.(CVE-2024-34403)",
+    "cves": [
+      {
+        "id": "CVE-2024-34403",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34403",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1892": {
+    "id": "openEuler-SA-2022-1892",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1892",
+    "title": "An update for sudo is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Sudo is a program designed to allow a sysadmin to give limited root privileges to users and log root activity.  The basic philosophy is to give as few privileges as possible but still allow people to get their work done.\r\n\r\nSecurity Fix(es):\r\n\r\nzlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).(CVE-2022-37434)",
+    "cves": [
+      {
+        "id": "CVE-2022-37434",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37434",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1585": {
+    "id": "openEuler-SA-2024-1585",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1585",
+    "title": "An update for OpenEXR is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light & Magic for use in computer imaging applications.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue in Academy Software Foundation openexr v.3.2.3 and before allows a local attacker to cause a denial of service (DoS) via the convert function of exrmultipart.cpp.(CVE-2024-31047)",
+    "cves": [
+      {
+        "id": "CVE-2024-31047",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31047",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2134": {
+    "id": "openEuler-SA-2022-2134",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2134",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel through 6.0.10. l2cap_config_req in net/bluetooth/l2cap_core.c has an integer wraparound via L2CAP_CONF_REQ packets.(CVE-2022-45934)\n\nThere are null-ptr-deref vulnerabilities in drivers/net/slip of linux that allow attacker tocrash linux kernel by simulating slip network card from user-space of linux.[Root cause]When a slip driver is detaching, the slip_close() will act tocleanup necessary resources and sl->tty is set to NULL inslip_close(). Meanwhile, the packet we transmit is blocked,sl_tx_timeout() will be called. Although slip_close() andsl_tx_timeout() use sl->lock to synchronize, we don`t judgewhether sl-> tty equals to NULL in sl_tx_timeout() and thenull pointer dereference bug will happen.(Thread 1) | (Thread 2)| slip_close()| spin_lock_bh(& sl-> lock) sl-> tty = NULL //(1)sl_tx_timeout() | spin_unlock_bh(& sl->lock)spin_lock(& sl-> lock);tty_chars_in_buffer(sl-> tty)|if (tty-> ops-> ..) //(2)synchronize_rcu()We set NULL to sl-> tty in position (1) and dereference sl-> ttyin position (2).(CVE-2022-41858)\n\nA use-after-free flaw was found in Linux kernel before 5.19.2. This issue occurs in cmd_hdl_filter in drivers/staging/rtl8712/rtl8712_cmd.c, allowing an attacker to launch a local denial of service attack and gain escalation of privileges.(CVE-2022-4095)",
+    "cves": [
+      {
+        "id": "CVE-2022-4095",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4095",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1213": {
+    "id": "openEuler-SA-2023-1213",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1213",
+    "title": "An update for zstd is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Zstd is a fast lossless compression algorithm. It's backed by a very fast entropy stage,provided by Huff0 and FSE library. It's a real-time compression scenario for zlib levels and has a better compression ratio.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.(CVE-2022-4899)",
+    "cves": [
+      {
+        "id": "CVE-2022-4899",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4899",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1406": {
+    "id": "openEuler-SA-2023-1406",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1406",
+    "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\n\nSecurity Fix(es):\n\nA stack-based buffer overflow issue was found in ImageMagick's coders/tiff.c. This flaw allows an attacker to trick the user into opening a specially crafted malicious tiff file, causing an application to crash, resulting in a denial of service.(CVE-2023-3195)",
+    "cves": [
+      {
+        "id": "CVE-2023-3195",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3195",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1069": {
+    "id": "openEuler-SA-2021-1069",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1069",
+    "title": "An update for python-paramiko is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Paramiko is a combination of the Esperanto words for \"paranoid\" and \"friend\". It is a module for Python 2.7/3.4+ that implements the SSH2 protocol for secure (encrypted and authenticated) connections to remote machines.\r\n\r\nSecurity Fix(es):\r\n\r\nParamiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 contains a Incorrect Access Control vulnerability in SSH server that can result in RCE. This attack appear to be exploitable via network connectivity.(CVE-2018-1000805)",
+    "cves": [
+      {
+        "id": "CVE-2018-1000805",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000805",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1562": {
+    "id": "openEuler-SA-2024-1562",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1562",
+    "title": "An update for firefox is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.\r\n\r\nSecurity Fix(es):\r\n\r\nIn certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. This vulnerability affects Firefox < 82.0.3, Firefox ESR < 78.4.1, and Thunderbird < 78.4.2.(CVE-2020-26950)",
+    "cves": [
+      {
+        "id": "CVE-2020-26950",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26950",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1716": {
+    "id": "openEuler-SA-2024-1716",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1716",
+    "title": "An update for libvpx is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3 and openEuler-24.03-LTS",
+    "severity": "High",
+    "description": "libvpx provides the VP8/VP9 SDK, which allows you to integrate your applications with the VP8 and VP9 video codecs, high quality, royalty free, open source codecs deployed on millions of computers and devices worldwide.\r\n\r\nSecurity Fix(es):\r\n\r\nThere exists interger overflows in libvpx in versions prior to 1.14.1. Calling vpx_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. Calling vpx_img_wrap() with a large value of the d_w, d_h, or stride_align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. We recommend upgrading to version 1.14.1 or beyond(CVE-2024-5197)",
+    "cves": [
+      {
+        "id": "CVE-2024-5197",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5197",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1723": {
+    "id": "openEuler-SA-2023-1723",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1723",
+    "title": "An update for glibc is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt,  login, exit and more.\r\n\r\nSecurity Fix(es):\r\n\r\nA buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.(CVE-2023-4911)",
+    "cves": [
+      {
+        "id": "CVE-2023-4911",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4911",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1878": {
+    "id": "openEuler-SA-2023-1878",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1878",
+    "title": "An update for qt is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Qt (pronounced as \"cute\", not \"cu-tee\") is a cross-platform framework that is usually used as a graphical toolkit, although it is also very helpful in creating CLI applications. It runs on the three major desktop OSes, as well as on mobile OSes, such as Symbian, Nokia Belle, Meego Harmattan, MeeGo or BB10, and on embedded devices. Ports for Android (Necessitas) and iOS are also in development\r\n\r\nSecurity Fix(es):\r\n\r\nIn Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.(CVE-2023-37369)\r\n\r\nAn issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.(CVE-2023-38197)\r\n\r\nAn issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.(CVE-2023-43114)",
+    "cves": [
+      {
+        "id": "CVE-2023-43114",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1147": {
+    "id": "openEuler-SA-2023-1147",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1147",
+    "title": "An update for containerd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "containerd is an industry-standard container runtime with an emphasis on simplicity, robustness and portability.  It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervision, low-level storage and network attachments, etc.\r\n\r\nSecurity Fix(es):\r\n\r\ncontainerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.(CVE-2023-25153)\r\n\r\ncontainerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `\"USER $USERNAME\"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT [\"su\", \"-\", \"user\"]` to allow `su` to properly set up supplementary groups.(CVE-2023-25173)",
+    "cves": [
+      {
+        "id": "CVE-2023-25173",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25173",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1713": {
+    "id": "openEuler-SA-2022-1713",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1713",
+    "title": "An update for dpdk is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "DPDK core includes kernel modules, core libraries and tools. testpmd application allows to test fast packet processing environments on arm64 platforms. For instance, it can be used to check that environment can support fast path applications such as 6WINDGate, pktgen, rumptcpip, etc. More libraries are available as extensions in other packages.\r\n\r\nSecurity Fix(es):\r\n\r\nIt’s an issue in the handling of vhost-user inflight type messages. A malicious vhost-user master can attach an unexpected number of fds as ancillary data to VHOST_USER_GET_INFLIGHT_FD / VHOST_USER_SET_INFLIGHT_FD messages that are not closed by the vhost-user slave. By sending such messages continuously, the vhost-user master could exhaust available fd in the vhost-user slave process and lead to a DoS.(CVE-2022-0669)\r\n\r\nIn DPDK Vhost communication, we didn’t test if msg->payload.inflight.num_queues is out of bounds in function ‘vhost_user_set_inflight_fd()’, and could cause the program to write OOB.(CVE-2021-3839)",
+    "cves": [
+      {
+        "id": "CVE-2021-3839",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3839",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2125": {
+    "id": "openEuler-SA-2022-2125",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2125",
+    "title": "An update for ceph is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Ceph is a massively scalable, open-source, distributed storage system that runs on commodity hardware and delivers object, block and file system storage.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Openstack manilla owning a Ceph File system \"share\", which enables the owner to read/write any manilla share or entire file system. The vulnerability is due to a bug in the \"volumes\" plugin in Ceph Manager. This allows an attacker to compromise Confidentiality and Integrity of a file system. Fixed in RHCS 5.2 and Ceph 17.2.2.(CVE-2022-0670)",
+    "cves": [
+      {
+        "id": "CVE-2022-0670",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0670",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1090": {
+    "id": "openEuler-SA-2024-1090",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1090",
+    "title": "An update for gnutls is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, and other required structures. The project strives to provide a secure communications back-end, simple to use and integrated with the rest of the base Linux libraries. A back-end designed to work and be secure out of the box, keeping the complexity of TLS and PKI out of application code.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.(CVE-2024-0553)\r\n\r\nA vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.(CVE-2024-0567)",
+    "cves": [
+      {
+        "id": "CVE-2024-0567",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0567",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1831": {
+    "id": "openEuler-SA-2024-1831",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1831",
+    "title": "An update for ffmpeg is now available for openEuler-22.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash.\r\n\r\nSecurity Fix(es):\r\n\r\nInteger overflow vulnerability in av_timecode_make_string in libavutil/timecode.c in FFmpeg version 4.3.2, allows local attackers to cause a denial of service (DoS) via crafted .mov file.(CVE-2021-28429)\r\n\r\nA null pointer dereference issue was discovered in 'FFmpeg' in decode_main_header() function of libavformat/nutdec.c file. The flaw occurs because the function lacks check of the return value of avformat_new_stream() and triggers the null pointer dereference error, causing an application to crash.(CVE-2022-3341)",
+    "cves": [
+      {
+        "id": "CVE-2022-3341",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3341",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1842": {
+    "id": "openEuler-SA-2024-1842",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1842",
+    "title": "An update for cockpit is now available for openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP1",
+    "severity": "Low",
+    "description": "Cockpit makes GNU/Linux discoverable. See Linux server in a web browser and perform system tasks with a mouse. It’s easy to start containers, administer storage, configure networks, and inspect logs with this package.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the cockpit package. This flaw allows an authenticated user to kill any process when enabling the pam_env's user_readenv option, which leads to a denial of service (DoS) attack.(CVE-2024-6126)",
+    "cves": [
+      {
+        "id": "CVE-2024-6126",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6126",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1346": {
+    "id": "openEuler-SA-2023-1346",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1346",
+    "title": "An update for curl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nAn information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.(CVE-2023-28322)\r\n\r\nAn improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as \"Subject Alternative Name\" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with `xn--` and should not be allowed to pattern match, but the wildcard check in curl could still check for `x*`, which would match even though the IDN name most likely contained nothing even resembling an `x`.(CVE-2023-28321)",
+    "cves": [
+      {
+        "id": "CVE-2023-28321",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28321",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1424": {
+    "id": "openEuler-SA-2023-1424",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1424",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nA use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation.\n\nRacing a io_uring cancel poll request with a linked timeout can cause a UAF in a hrtimer.\n\nWe recommend upgrading past commit ef7dfac51d8ed961b742218f526bd589f3900a59 (4716c73b188566865bdd79c3a6709696a224ac04 for 5.10 stable and 0e388fce7aec40992eadee654193cad345d62663 for 5.15 stable).\n\n(CVE-2023-3389)",
+    "cves": [
+      {
+        "id": "CVE-2023-3389",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3389",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1194": {
+    "id": "openEuler-SA-2023-1194",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1194",
+    "title": "An update for curl is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nlibcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out from the configuration match checks, making them match too easily. The settings in questions are `CURLOPT_FTP_ACCOUNT`, `CURLOPT_FTP_ALTERNATIVE_TO_USER`, `CURLOPT_FTP_SSL_CCC` and `CURLOPT_USE_SSL` level.(CVE-2023-27535)\r\n\r\nlibcurl would reuse a previously created connection even when the GSS delegation (`CURLOPT_GSSAPI_DELEGATION`) option had been changed that could have changed the user's permissions in a second transfer. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, this GSS delegation setting was left out from the configuration match checks, making them match too easily, affecting krb5/kerberos/negotiate/GSSAPI transfers.(CVE-2023-27536)\r\n\r\ncurl supports communicating using the TELNET protocol and as a part of this it offers users to pass on user name and \"telnet options\" for the server\nnegotiation. Due to lack of proper input scrubbing and without it being the documented functionality, curl would pass on user name and telnet options to the server as provided. This could allow users to pass in carefully crafted content that pass on content or do option negotiation without the application intending to do so. In particular if an application for example allows users to provide the data or parts of the data.(CVE-2023-27533)\r\n\r\ncurl supports SFTP transfers. curl's SFTP implementation offers a special feature in the path component of URLs: a tilde (`~`) character as the first\npath element in the path to denotes a path relative to the user's home directory. This is supported because of wording in the [once proposed\nto-become RFC draft](https://datatracker.ietf.org/doc/html/draft-ietf-secsh-scp-sftp-ssh-uri-04) that was to dictate how SFTP URLs work. Due to a bug, the handling of the tilde in SFTP path did however not only replace it when it is used stand-alone as the first path element but also wrongly when used as a mere prefix in the first element. Using a path like `/~2/foo` when accessing a server using the user `dan` (with home directory `/home/dan`) would then quite suprisingly access the file `/home/dan2/foo`. This can be taken advantage of to circumvent filtering or worse.(CVE-2023-27534)\n\nlibcurl would reuse a previously created connection even when an SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, two SSH settings were left out from the configuration match checks, making them match too easily.(CVE-2023-27538)",
+    "cves": [
+      {
+        "id": "CVE-2023-27538",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27538",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1091": {
+    "id": "openEuler-SA-2023-1091",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1091",
+    "title": "An update for c-ares is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "This is c-ares, an asynchronous resolver library. It is intended for applications which need to perform DNS queries without blocking, or need to perform multiple\r\n\r\nSecurity Fix(es):\r\n\r\nIn ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse the input str and initialize a sortlist configuration. However, ares_set_sortlist has not any checks about the validity of the input str. It is very easy to create an arbitrary length stack overflow with the unchecked memcpy(ipbuf, str, q-str); and memcpy(ipbufpfx, str, q-str); statements in the config_sortlist call, which could potentially cause severe security impact in practical programs.(CVE-2022-4904)",
+    "cves": [
+      {
+        "id": "CVE-2022-4904",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4904",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1986": {
+    "id": "openEuler-SA-2022-1986",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1986",
+    "title": "An update for edk2 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications.\r\n\r\nSecurity Fix(es):\r\n\r\nNull pointer dereference in Tianocore EDK2 may allow an authenticated user to potentially enable escalation of privilege via local access.(CVE-2019-14584)\r\n\r\nInsufficient input validation in MdeModulePkg in EDKII may allow an unauthenticated user to potentially enable escalation of privilege, denial of service and/or information disclosure via physical access.(CVE-2019-11098)",
+    "cves": [
+      {
+        "id": "CVE-2019-11098",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11098",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1918": {
+    "id": "openEuler-SA-2023-1918",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1918",
+    "title": "An update for haproxy is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic web sites and powers quite a number of the world's most visited ones.\r\n\r\nSecurity Fix(es):\r\n\r\nAn information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7 before 2.7.1. There are 5 bytes left uninitialized in the connection buffer when encoding the FCGI_BEGIN_REQUEST record. Sensitive data may be disclosed to configured FastCGI backends in an unexpected way.(CVE-2023-0836)\r\n\r\nHAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.(CVE-2023-45539)",
+    "cves": [
+      {
+        "id": "CVE-2023-45539",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45539",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1693": {
+    "id": "openEuler-SA-2022-1693",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1693",
+    "title": "An update for python-XStatic-jquery-ui is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "jquery-ui javascript library packaged for setuptools (easy_install) / pip. This package is intended to be used by **any** project that needs these files. It intentionally does **not** provide any extra code except some metadata **nor** has any extra requirements. You MAY use some minimal support code from the XStatic base package, if you like. You can find more info about the xstatic packaging way in the package `XStatic`.\r\n\r\nSecurity Fix(es):\r\n\r\njQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.(CVE-2021-41183)",
+    "cves": [
+      {
+        "id": "CVE-2021-41183",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41183",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2162": {
+    "id": "openEuler-SA-2022-2162",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2162",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free flaw was found in Linux kernel before 5.19.2. This issue occurs in cmd_hdl_filter in drivers/staging/rtl8712/rtl8712_cmd.c, allowing an attacker to launch a local denial of service attack and gain escalation of privileges.(CVE-2022-4095)\r\n\r\nThere are null-ptr-deref vulnerabilities in drivers/net/slip of linux that allow attacker to\ncrash linux kernel by simulating slip network card from user-space of linux.\r\n\r\n------------------------------------------\r\n\r\n[Root cause]\r\n\r\nWhen a slip driver is detaching, the slip_close() will act to\ncleanup necessary resources and sl->tty is set to NULL in\nslip_close(). Meanwhile, the packet we transmit is blocked,\nsl_tx_timeout() will be called. Although slip_close() and\nsl_tx_timeout() use sl->lock to synchronize, we don`t judge\nwhether sl->tty equals to NULL in sl_tx_timeout() and the\nnull pointer dereference bug will happen.\r\n\r\n(Thread 1) | (Thread 2)\n| slip_close()\n| spin_lock_bh(&sl->lock)\n| ...\n... | sl->tty = NULL //(1)\nsl_tx_timeout() | spin_unlock_bh(&sl->lock)\nspin_lock(&sl->lock); |\n... | ...\ntty_chars_in_buffer(sl->tty)|\nif (tty->ops->..) //(2) |\n... | synchronize_rcu()\r\n\r\nWe set NULL to sl->tty in position (1) and dereference sl->tty\nin position (2).\r\n\r\n------------------------------------------(CVE-2022-41858)\r\n\r\nA flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw to potentially crash the system causing a denial of service.(CVE-2022-4129)\r\n\r\nIn (TBD) of (TBD), there is a possible way to corrupt kernel memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-220738351References: Upstream kernel(CVE-2022-20568)\r\n\r\nIn l2cap_chan_put of l2cap_core, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-165329981References: Upstream kernel(CVE-2022-20566)\r\n\r\nGuests can trigger NIC interface reset/abort/crash via netback It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux based network backend by sending certain kinds of packets. It appears to be an (unwritten?) assumption in the rest of the Linux network stack that packet protocol headers are all contained within the linear section of the SKB and some NICs behave badly if this is not the case. This has been reported to occur with Cisco (enic) and Broadcom NetXtrem II BCM5780 (bnx2x) though it may be an issue with other NICs/drivers as well. In case the frontend is sending requests with split headers, netback will forward those violating above mentioned assumption to the networking core, resulting in said misbehavior.(CVE-2022-3643)\r\n\r\nIn verity_target of dm-verity-target.c, there is a possible way to modify read-only files due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-234475629References: Upstream kernel(CVE-2022-20572)\r\n\r\nA stack overflow flaw was found in the Linux kernel's SYSCTL subsystem in how a user changes certain kernel parameters and variables. This flaw allows a local user to crash or potentially escalate their privileges on the system.(CVE-2022-4378)\n\nIn drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there is a use-after-free caused by refcount races, affecting dvb_demux_open and dvb_dmxdev_release.(CVE-2022-41218)\n\nGuests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329).(CVE-2022-42328)\n\nGuests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329).(CVE-2022-42329)\n\nAn issue was discovered in the Linux kernel before 6.0.11. Missing validation of the number of channels in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when copying the list of operating channels from Wi-Fi management frames.(CVE-2022-47518)\n\nAn issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211_P2P_ATTR_OPER_CHANNEL in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger an out-of-bounds write when parsing the channel list attribute from Wi-Fi management frames.(CVE-2022-47519)\n\nAn issue was discovered in the Linux kernel before 6.0.11. Missing offset validation in drivers/net/wireless/microchip/wilc1000/hif.c in the WILC1000 wireless driver can trigger an out-of-bounds read when parsing a Robust Security Network (RSN) information element from a Netlink packet.(CVE-2022-47520)\n\nAn issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211_P2P_ATTR_CHANNEL_LIST in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when parsing the operating channel attribute from Wi-Fi management frames.(CVE-2022-47521)\n\nAn issue was discovered in the Linux kernel through 5.16-rc6. kfd_parse_subtype_iolink in drivers/gpu/drm/amd/amdkfd/kfd_crat.c lacks check of the return value of kmemdup().(CVE-2022-3108)",
+    "cves": [
+      {
+        "id": "CVE-2022-3108",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3108",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1378": {
+    "id": "openEuler-SA-2024-1378",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1378",
+    "title": "An update for mod_security is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "This software is also called Modsec,it is an open-source web application firewall. It is designed for Apache HTTP Server.ModSecurity is commonly deployed to provide protections against generic classed of vulnerabilities.The install of this package is easy and you can read the README.TXT for more information.\r\n\r\nSecurity Fix(es):\r\n\r\nIn ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase.(CVE-2022-48279)",
+    "cves": [
+      {
+        "id": "CVE-2022-48279",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48279",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1132": {
+    "id": "openEuler-SA-2024-1132",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1132",
+    "title": "An update for yasm is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Low",
+    "description": "Yasm is a complete rewrite of the NASM assembler under the “new” BSD License.\r\n\r\nSecurity Fix(es):\r\n\r\nyasm v1.3.0 was discovered to contain a memory leak via the function yasm_intnum_copy at /libyasm/intnum.c.(CVE-2023-31975)",
+    "cves": [
+      {
+        "id": "CVE-2023-31975",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31975",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1819": {
+    "id": "openEuler-SA-2024-1819",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1819",
+    "title": "An update for xorg-x11-server-xwayland is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Xwayland is an X server for running X clients under Wayland.   %package devel Summary: Development package Requires: pkgconfig   %description devel The development package provides the developmental files which are necessary for developing Wayland compositors using Xwayland.   %prep %autosetup -n xwayland-   %build %meson \\         -Dxwayland_eglstream=true \\         -Ddefault_font_path=\"catalogue:/etc/X11/fontpath.d,built-ins\" \\         -Dbuilder_string=\"Build ID:  -\" \\         -Dxkb_output_dir=/lib/xkb \\         -Dxcsecurity=true \\         -Dglamor=true \\         -Ddri3=true   %meson_build\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Xorg-x11-server. The specific flaw exists within the handling of ProcXkbSetDeviceInfo requests. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. This flaw allows an attacker to escalate privileges and execute arbitrary code in the context of root.(CVE-2022-2320)",
+    "cves": [
+      {
+        "id": "CVE-2022-2320",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2320",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1650": {
+    "id": "openEuler-SA-2024-1650",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1650",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhwrng: core - Fix page fault dead lock on mmap-ed hwrng\r\n\r\nThere is a dead-lock in the hwrng device read path.  This triggers\nwhen the user reads from /dev/hwrng into memory also mmap-ed from\n/dev/hwrng.  The resulting page fault triggers a recursive read\nwhich then dead-locks.\r\n\r\nFix this by using a stack buffer when calling copy_to_user.(CVE-2023-52615)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Check rcu_read_lock_trace_held() before calling bpf map helpers\r\n\r\nThese three bpf_map_{lookup,update,delete}_elem() helpers are also\navailable for sleepable bpf program, so add the corresponding lock\nassertion for sleepable bpf program, otherwise the following warning\nwill be reported when a sleepable bpf program manipulates bpf map under\ninterpreter mode (aka bpf_jit_enable=0):\r\n\r\n  WARNING: CPU: 3 PID: 4985 at kernel/bpf/helpers.c:40 ......\n  CPU: 3 PID: 4985 Comm: test_progs Not tainted 6.6.0+ #2\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\n  RIP: 0010:bpf_map_lookup_elem+0x54/0x60\n  ......\n  Call Trace:\n   <TASK>\n   ? __warn+0xa5/0x240\n   ? bpf_map_lookup_elem+0x54/0x60\n   ? report_bug+0x1ba/0x1f0\n   ? handle_bug+0x40/0x80\n   ? exc_invalid_op+0x18/0x50\n   ? asm_exc_invalid_op+0x1b/0x20\n   ? __pfx_bpf_map_lookup_elem+0x10/0x10\n   ? rcu_lockdep_current_cpu_online+0x65/0xb0\n   ? rcu_is_watching+0x23/0x50\n   ? bpf_map_lookup_elem+0x54/0x60\n   ? __pfx_bpf_map_lookup_elem+0x10/0x10\n   ___bpf_prog_run+0x513/0x3b70\n   __bpf_prog_run32+0x9d/0xd0\n   ? __bpf_prog_enter_sleepable_recur+0xad/0x120\n   ? __bpf_prog_enter_sleepable_recur+0x3e/0x120\n   bpf_trampoline_6442580665+0x4d/0x1000\n   __x64_sys_getpgid+0x5/0x30\n   ? do_syscall_64+0x36/0xb0\n   entry_SYSCALL_64_after_hwframe+0x6e/0x76\n   </TASK>(CVE-2023-52621)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nSUNRPC: Fix a suspicious RCU usage warning\r\n\r\nI received the following warning while running cthon against an ontap\nserver running pNFS:\r\n\r\n[   57.202521] =============================\n[   57.202522] WARNING: suspicious RCU usage\n[   57.202523] 6.7.0-rc3-g2cc14f52aeb7 #41492 Not tainted\n[   57.202525] -----------------------------\n[   57.202525] net/sunrpc/xprtmultipath.c:349 RCU-list traversed in non-reader section!!\n[   57.202527]\n               other info that might help us debug this:\r\n\r\n[   57.202528]\n               rcu_scheduler_active = 2, debug_locks = 1\n[   57.202529] no locks held by test5/3567.\n[   57.202530]\n               stack backtrace:\n[   57.202532] CPU: 0 PID: 3567 Comm: test5 Not tainted 6.7.0-rc3-g2cc14f52aeb7 #41492 5b09971b4965c0aceba19f3eea324a4a806e227e\n[   57.202534] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 2/2/2022\n[   57.202536] Call Trace:\n[   57.202537]  <TASK>\n[   57.202540]  dump_stack_lvl+0x77/0xb0\n[   57.202551]  lockdep_rcu_suspicious+0x154/0x1a0\n[   57.202556]  rpc_xprt_switch_has_addr+0x17c/0x190 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202596]  rpc_clnt_setup_test_and_add_xprt+0x50/0x180 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202621]  ? rpc_clnt_add_xprt+0x254/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202646]  rpc_clnt_add_xprt+0x27a/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202671]  ? __pfx_rpc_clnt_setup_test_and_add_xprt+0x10/0x10 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[   57.202696]  nfs4_pnfs_ds_connect+0x345/0x760 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202728]  ? __pfx_nfs4_test_session_trunk+0x10/0x10 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202754]  nfs4_fl_prepare_ds+0x75/0xc0 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]\n[   57.202760]  filelayout_write_pagelist+0x4a/0x200 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]\n[   57.202765]  pnfs_generic_pg_writepages+0xbe/0x230 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202788]  __nfs_pageio_add_request+0x3fd/0x520 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202813]  nfs_pageio_add_request+0x18b/0x390 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202831]  nfs_do_writepage+0x116/0x1e0 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202849]  nfs_writepages_callback+0x13/0x30 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202866]  write_cache_pages+0x265/0x450\n[   57.202870]  ? __pfx_nfs_writepages_callback+0x10/0x10 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202891]  nfs_writepages+0x141/0x230 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202913]  do_writepages+0xd2/0x230\n[   57.202917]  ? filemap_fdatawrite_wbc+0x5c/0x80\n[   57.202921]  filemap_fdatawrite_wbc+0x67/0x80\n[   57.202924]  filemap_write_and_wait_range+0xd9/0x170\n[   57.202930]  nfs_wb_all+0x49/0x180 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[   57.202947]  nfs4_file_flush+0x72/0xb0 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[   57.202969]  __se_sys_close+0x46/0xd0\n[   57.202972]  do_syscall_64+0x68/0x100\n[   57.202975]  ? do_syscall_64+0x77/0x100\n[   57.202976]  ? do_syscall_64+0x77/0x100\n[   57.202979]  entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[   57.202982] RIP: 0033:0x7fe2b12e4a94\n[   57.202985] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d d5 18 0e 00 00 74 13 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 44 c3 0f 1f 00 48 83 ec 18 89 7c 24 0c e8 c3\n[   57.202987] RSP: 002b:00007ffe857ddb38 EFLAGS: 00000202 ORIG_RAX: 0000000000000003\n[   57.202989] RAX: ffffffffffffffda RBX: 00007ffe857dfd68 RCX: 00007fe2b12e4a94\n[   57.202991] RDX: 0000000000002000 RSI: 00007ffe857ddc40 RDI: 0000000000000003\n[   57.202992] RBP: 00007ffe857dfc50 R08: 7fffffffffffffff R09: 0000000065650f49\n[   57.202993] R10: 00007f\n---truncated---(CVE-2023-52623)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsh: push-switch: Reorder cleanup operations to avoid use-after-free bug\r\n\r\nThe original code puts flush_work() before timer_shutdown_sync()\nin switch_drv_remove(). Although we use flush_work() to stop\nthe worker, it could be rescheduled in switch_timer(). As a result,\na use-after-free bug can occur. The details are shown below:\r\n\r\n      (cpu 0)                    |      (cpu 1)\nswitch_drv_remove()              |\n flush_work()                    |\n  ...                            |  switch_timer // timer\n                                 |   schedule_work(&psw->work)\n timer_shutdown_sync()           |\n ...                             |  switch_work_handler // worker\n kfree(psw) // free              |\n                                 |   psw->state = 0 // use\r\n\r\nThis patch puts timer_shutdown_sync() before flush_work() to\nmitigate the bugs. As a result, the worker and timer will be\nstopped safely before the deallocate operations.(CVE-2023-52629)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2023-52630)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nPM / devfreq: Synchronize devfreq_monitor_[start/stop]\r\n\r\nThere is a chance if a frequent switch of the governor\ndone in a loop result in timer list corruption where\ntimer cancel being done from two place one from\ncancel_delayed_work_sync() and followed by expire_timers()\ncan be seen from the traces[1].\r\n\r\nwhile true\ndo\n        echo \"simple_ondemand\" > /sys/class/devfreq/1d84000.ufshc/governor\n        echo \"performance\" > /sys/class/devfreq/1d84000.ufshc/governor\ndone\r\n\r\nIt looks to be issue with devfreq driver where\ndevice_monitor_[start/stop] need to synchronized so that\ndelayed work should get corrupted while it is either\nbeing queued or running or being cancelled.\r\n\r\nLet's use polling flag and devfreq lock to synchronize the\nqueueing the timer instance twice and work data being\ncorrupted.\r\n\r\n[1]\n...\n..\n<idle>-0    [003]   9436.209662:  timer_cancel   timer=0xffffff80444f0428\n<idle>-0    [003]   9436.209664:  timer_expire_entry   timer=0xffffff80444f0428  now=0x10022da1c  function=__typeid__ZTSFvP10timer_listE_global_addr  baseclk=0x10022da1c\n<idle>-0    [003]   9436.209718:  timer_expire_exit   timer=0xffffff80444f0428\nkworker/u16:6-14217    [003]   9436.209863:  timer_start   timer=0xffffff80444f0428  function=__typeid__ZTSFvP10timer_listE_global_addr  expires=0x10022da2b  now=0x10022da1c  flags=182452227\nvendor.xxxyyy.ha-1593    [004]   9436.209888:  timer_cancel   timer=0xffffff80444f0428\nvendor.xxxyyy.ha-1593    [004]   9436.216390:  timer_init   timer=0xffffff80444f0428\nvendor.xxxyyy.ha-1593    [004]   9436.216392:  timer_start   timer=0xffffff80444f0428  function=__typeid__ZTSFvP10timer_listE_global_addr  expires=0x10022da2c  now=0x10022da1d  flags=186646532\nvendor.xxxyyy.ha-1593    [005]   9436.220992:  timer_cancel   timer=0xffffff80444f0428\nxxxyyyTraceManag-7795    [004]   9436.261641:  timer_cancel   timer=0xffffff80444f0428\r\n\r\n[2]\r\n\r\n 9436.261653][    C4] Unable to handle kernel paging request at virtual address dead00000000012a\n[ 9436.261664][    C4] Mem abort info:\n[ 9436.261666][    C4]   ESR = 0x96000044\n[ 9436.261669][    C4]   EC = 0x25: DABT (current EL), IL = 32 bits\n[ 9436.261671][    C4]   SET = 0, FnV = 0\n[ 9436.261673][    C4]   EA = 0, S1PTW = 0\n[ 9436.261675][    C4] Data abort info:\n[ 9436.261677][    C4]   ISV = 0, ISS = 0x00000044\n[ 9436.261680][    C4]   CM = 0, WnR = 1\n[ 9436.261682][    C4] [dead00000000012a] address between user and kernel address ranges\n[ 9436.261685][    C4] Internal error: Oops: 96000044 [#1] PREEMPT SMP\n[ 9436.261701][    C4] Skip md ftrace buffer dump for: 0x3a982d0\n...\r\n\r\n[ 9436.262138][    C4] CPU: 4 PID: 7795 Comm: TraceManag Tainted: G S      W  O      5.10.149-android12-9-o-g17f915d29d0c #1\n[ 9436.262141][    C4] Hardware name: Qualcomm Technologies, Inc.  (DT)\n[ 9436.262144][    C4] pstate: 22400085 (nzCv daIf +PAN -UAO +TCO BTYPE=--)\n[ 9436.262161][    C4] pc : expire_timers+0x9c/0x438\n[ 9436.262164][    C4] lr : expire_timers+0x2a4/0x438\n[ 9436.262168][    C4] sp : ffffffc010023dd0\n[ 9436.262171][    C4] x29: ffffffc010023df0 x28: ffffffd0636fdc18\n[ 9436.262178][    C4] x27: ffffffd063569dd0 x26: ffffffd063536008\n[ 9436.262182][    C4] x25: 0000000000000001 x24: ffffff88f7c69280\n[ 9436.262185][    C4] x23: 00000000000000e0 x22: dead000000000122\n[ 9436.262188][    C4] x21: 000000010022da29 x20: ffffff8af72b4e80\n[ 9436.262191][    C4] x19: ffffffc010023e50 x18: ffffffc010025038\n[ 9436.262195][    C4] x17: 0000000000000240 x16: 0000000000000201\n[ 9436.262199][    C4] x15: ffffffffffffffff x14: ffffff889f3c3100\n[ 9436.262203][    C4] x13: ffffff889f3c3100 x12: 00000000049f56b8\n[ 9436.262207][    C4] x11: 00000000049f56b8 x10: 00000000ffffffff\n[ 9436.262212][    C4] x9 : ffffffc010023e50 x8 : dead000000000122\n[ 9436.262216][    C4] x7 : ffffffffffffffff x6 : ffffffc0100239d8\n[ 9436.262220][    C4] x5 : 0000000000000000 x4 : 0000000000000101\n[ 9436.262223][    C4] x3 : 0000000000000080 x2 : ffffff8\n---truncated---(CVE-2023-52635)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: aqc111: check packet for fixup for true limit\r\n\r\nIf a device sends a packet that is inbetween 0\nand sizeof(u64) the value passed to skb_trim()\nas length will wrap around ending up as some very\nlarge value.\r\n\r\nThe driver will then proceed to parse the header\nlocated at that position, which will either oops or\nprocess some random value.\r\n\r\nThe fix is to check against sizeof(u64) rather than\n0, which the driver currently does. The issue exists\nsince the introduction of the driver.(CVE-2023-52655)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/imc-pmu: Add a null pointer check in update_events_in_group()\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.(CVE-2023-52675)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Guard stack limits against 32bit overflow\r\n\r\nThis patch promotes the arithmetic around checking stack bounds to be\ndone in the 64-bit domain, instead of the current 32bit. The arithmetic\nimplies adding together a 64-bit register with a int offset. The\nregister was checked to be below 1<<29 when it was variable, but not\nwhen it was fixed. The offset either comes from an instruction (in which\ncase it is 16 bit), from another register (in which case the caller\nchecked it to be below 1<<29 [1]), or from the size of an argument to a\nkfunc (in which case it can be a u32 [2]). Between the register being\ninconsistently checked to be below 1<<29, and the offset being up to an\nu32, it appears that we were open to overflowing the `int`s which were\ncurrently used for arithmetic.\r\n\r\n[1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L7494-L7498\n[2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L11904(CVE-2023-52676)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npstore: ram_core: fix possible overflow in persistent_ram_init_ecc()\r\n\r\nIn persistent_ram_init_ecc(), on 64-bit arches DIV_ROUND_UP() will return\n64-bit value since persistent_ram_zone::buffer_size has type size_t which\nis derived from the 64-bit *unsigned long*, while the ecc_blocks variable\nthis value gets assigned to has (always 32-bit) *int* type.  Even if that\nvalue fits into *int* type, an overflow is still possible when calculating\nthe size_t typed ecc_total variable further below since there's no cast to\nany 64-bit type before multiplication.  Declaring the ecc_blocks variable\nas *size_t* should fix this mess...\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with the SVACE static\nanalysis tool.(CVE-2023-52685)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/powernv: Add a null pointer check to scom_debug_init_one()\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.\nAdd a null pointer check, and release 'ent' to avoid memory leaks.(CVE-2023-52690)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/bridge: tpd12s015: Drop buggy __exit annotation for remove function\r\n\r\nWith tpd12s015_remove() marked with __exit this function is discarded\nwhen the driver is compiled as a built-in. The result is that when the\ndriver unbinds there is no cleanup done which results in resource\nleakage or worse.(CVE-2023-52694)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: iwlwifi: fix a memory corruption\r\n\r\niwl_fw_ini_trigger_tlv::data is a pointer to a __le32, which means that\nif we copy to iwl_fw_ini_trigger_tlv::data + offset while offset is in\nbytes, we'll write past the buffer.(CVE-2024-26610)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'\r\n\r\nIn \"u32 otg_inst = pipe_ctx->stream_res.tg->inst;\"\npipe_ctx->stream_res.tg could be NULL, it is relying on the caller to\nensure the tg is not NULL.(CVE-2024-26661)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nppp_async: limit MRU to 64K\r\n\r\nsyzbot triggered a warning [1] in __alloc_pages():\r\n\r\nWARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)\r\n\r\nWillem fixed a similar issue in commit c0a2a1b0d631 (\"ppp: limit MRU to 64K\")\r\n\r\nAdopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU)\r\n\r\n[1]:\r\n\r\n WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\nModules linked in:\nCPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\nWorkqueue: events_unbound flush_to_ldisc\npstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\n lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537\nsp : ffff800093967580\nx29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000\nx26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0\nx23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8\nx20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120\nx17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005\nx14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000\nx11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001\nx8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f\nx5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020\nx2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0\nCall trace:\n  __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\n  __alloc_pages_node include/linux/gfp.h:238 [inline]\n  alloc_pages_node include/linux/gfp.h:261 [inline]\n  __kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926\n  __do_kmalloc_node mm/slub.c:3969 [inline]\n  __kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001\n  kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590\n  __alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651\n  __netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715\n  netdev_alloc_skb include/linux/skbuff.h:3235 [inline]\n  dev_alloc_skb include/linux/skbuff.h:3248 [inline]\n  ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline]\n  ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341\n  tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390\n  tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37\n  receive_buf drivers/tty/tty_buffer.c:444 [inline]\n  flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494\n  process_one_work+0x694/0x1204 kernel/workqueue.c:2633\n  process_scheduled_works kernel/workqueue.c:2706 [inline]\n  worker_thread+0x938/0xef4 kernel/workqueue.c:2787\n  kthread+0x288/0x310 kernel/kthread.c:388\n  ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860(CVE-2024-26675)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats\r\n\r\nlock_task_sighand() can trigger a hard lockup.  If NR_CPUS threads call\ndo_task_stat() at the same time and the process has NR_THREADS, it will\nspin with irqs disabled O(NR_CPUS * NR_THREADS) time.\r\n\r\nChange do_task_stat() to use sig->stats_lock to gather the statistics\noutside of ->siglock protected section, in the likely case this code will\nrun lockless.(CVE-2024-26686)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\niio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC\r\n\r\nRecently, we encounter kernel crash in function rm3100_common_probe\ncaused by out of bound access of array rm3100_samp_rates (because of\nunderlying hardware failures). Add boundary check to prevent out of\nbound access.(CVE-2024-26702)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/kasan: Fix addr error caused by page alignment\r\n\r\nIn kasan_init_region, when k_start is not page aligned, at the begin of\nfor loop, k_cur = k_start & PAGE_MASK is less than k_start, and then\n`va = block + k_cur - k_start` is less than block, the addr va is invalid,\nbecause the memory address space from va to block is not alloced by\nmemblock_alloc, which will not be reserved by memblock_reserve later, it\nwill be used by other places.\r\n\r\nAs a result, memory overwriting occurs.\r\n\r\nfor example:\nint __init __weak kasan_init_region(void *start, size_t size)\n{\n[...]\n\t/* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */\n\tblock = memblock_alloc(k_end - k_start, PAGE_SIZE);\n\t[...]\n\tfor (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) {\n\t\t/* at the begin of for loop\n\t\t * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400)\n\t\t * va(dcd96c00) is less than block(dcd97000), va is invalid\n\t\t */\n\t\tvoid *va = block + k_cur - k_start;\n\t\t[...]\n\t}\n[...]\n}\r\n\r\nTherefore, page alignment is performed on k_start before\nmemblock_alloc() to ensure the validity of the VA address.(CVE-2024-26712)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfc: nci: free rx_data_reassembly skb on NCI device cleanup\r\n\r\nrx_data_reassembly skb is stored during NCI data exchange for processing\nfragmented packets. It is dropped only when the last fragment is processed\nor when an NTF packet with NCI_OP_RF_DEACTIVATE_NTF opcode is received.\nHowever, the NCI device may be deallocated before that which leads to skb\nleak.\r\n\r\nAs by design the rx_data_reassembly skb is bound to the NCI device and\nnothing prevents the device to be freed before the skb is processed in\nsome way and cleaned, free it on the NCI device cleanup.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.(CVE-2024-26825)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_conntrack_h323: Add protection for bmp length out of range\r\n\r\nUBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts\nthat are out of bounds for their data type.\r\n\r\nvmlinux   get_bitmap(b=75) + 712\n<net/netfilter/nf_conntrack_h323_asn1.c:0>\nvmlinux   decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018, level=134443100) + 1956\n<net/netfilter/nf_conntrack_h323_asn1.c:592>\nvmlinux   decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216\n<net/netfilter/nf_conntrack_h323_asn1.c:814>\nvmlinux   decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812\n<net/netfilter/nf_conntrack_h323_asn1.c:576>\nvmlinux   decode_choice(base=0xFFFFFFD008037280, level=0) + 1216\n<net/netfilter/nf_conntrack_h323_asn1.c:814>\nvmlinux   DecodeRasMessage() + 304\n<net/netfilter/nf_conntrack_h323_asn1.c:833>\nvmlinux   ras_help() + 684\n<net/netfilter/nf_conntrack_h323_main.c:1728>\nvmlinux   nf_confirm() + 188\n<net/netfilter/nf_conntrack_proto.c:137>\r\n\r\nDue to abnormal data in skb->data, the extension bitmap length\nexceeds 32 when decoding ras message then uses the length to make\na shift operation. It will change into negative after several loop.\nUBSAN load could detect a negative shift as an undefined behaviour\nand reports exception.\nSo we add the protection to avoid the length exceeding 32. Or else\nit will return out of range error and stop decoding.(CVE-2024-26851)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmd: fix kmemleak of rdev->serial\r\n\r\nIf kobject_add() is fail in bind_rdev_to_array(), 'rdev->serial' will be\nalloc not be freed, and kmemleak occurs.\r\n\r\nunreferenced object 0xffff88815a350000 (size 49152):\n  comm \"mdadm\", pid 789, jiffies 4294716910\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc f773277a):\n    [<0000000058b0a453>] kmemleak_alloc+0x61/0xe0\n    [<00000000366adf14>] __kmalloc_large_node+0x15e/0x270\n    [<000000002e82961b>] __kmalloc_node.cold+0x11/0x7f\n    [<00000000f206d60a>] kvmalloc_node+0x74/0x150\n    [<0000000034bf3363>] rdev_init_serial+0x67/0x170\n    [<0000000010e08fe9>] mddev_create_serial_pool+0x62/0x220\n    [<00000000c3837bf0>] bind_rdev_to_array+0x2af/0x630\n    [<0000000073c28560>] md_add_new_disk+0x400/0x9f0\n    [<00000000770e30ff>] md_ioctl+0x15bf/0x1c10\n    [<000000006cfab718>] blkdev_ioctl+0x191/0x3f0\n    [<0000000085086a11>] vfs_ioctl+0x22/0x60\n    [<0000000018b656fe>] __x64_sys_ioctl+0xba/0xe0\n    [<00000000e54e675e>] do_syscall_64+0x71/0x150\n    [<000000008b0ad622>] entry_SYSCALL_64_after_hwframe+0x6c/0x74(CVE-2024-26900)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndo_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak\r\n\r\nsyzbot identified a kernel information leak vulnerability in\ndo_sys_name_to_handle() and issued the following report [1].\r\n\r\n[1]\n\"BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n _copy_to_user+0xbc/0x100 lib/usercopy.c:40\n copy_to_user include/linux/uaccess.h:191 [inline]\n do_sys_name_to_handle fs/fhandle.c:73 [inline]\n __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]\n __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94\n __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94\n ...\r\n\r\nUninit was created at:\n slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n slab_alloc_node mm/slub.c:3478 [inline]\n __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517\n __do_kmalloc_node mm/slab_common.c:1006 [inline]\n __kmalloc+0x121/0x3c0 mm/slab_common.c:1020\n kmalloc include/linux/slab.h:604 [inline]\n do_sys_name_to_handle fs/fhandle.c:39 [inline]\n __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]\n __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94\n __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94\n ...\r\n\r\nBytes 18-19 of 20 are uninitialized\nMemory access of size 20 starts at ffff888128a46380\nData copied to user address 0000000020000240\"\r\n\r\nPer Chuck Lever's suggestion, use kzalloc() instead of kmalloc() to\nsolve the problem.(CVE-2024-26901)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security\r\n\r\nDuring our fuzz testing of the connection and disconnection process at the\nRFCOMM layer, we discovered this bug. By comparing the packets from a\nnormal connection and disconnection process with the testcase that\ntriggered a KASAN report. We analyzed the cause of this bug as follows:\r\n\r\n1. In the packets captured during a normal connection, the host sends a\n`Read Encryption Key Size` type of `HCI_CMD` packet\n(Command Opcode: 0x1408) to the controller to inquire the length of\nencryption key.After receiving this packet, the controller immediately\nreplies with a Command Completepacket (Event Code: 0x0e) to return the\nEncryption Key Size.\r\n\r\n2. In our fuzz test case, the timing of the controller's response to this\npacket was delayed to an unexpected point: after the RFCOMM and L2CAP\nlayers had disconnected but before the HCI layer had disconnected.\r\n\r\n3. After receiving the Encryption Key Size Response at the time described\nin point 2, the host still called the rfcomm_check_security function.\nHowever, by this time `struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;`\nhad already been released, and when the function executed\n`return hci_conn_security(conn->hcon, d->sec_level, auth_type, d->out);`,\nspecifically when accessing `conn->hcon`, a null-ptr-deref error occurred.\r\n\r\nTo fix this bug, check if `sk->sk_state` is BT_CLOSED before calling\nrfcomm_recv_frame in rfcomm_process_rx.(CVE-2024-26903)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2024-26908)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\naf_unix: Fix garbage collector racing against connect()\r\n\r\nGarbage collector does not take into account the risk of embryo getting\nenqueued during the garbage collection. If such embryo has a peer that\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\ndifferent set of children. Leading to an incorrectly elevated inflight\ncount, and then a dangling pointer within the gc_inflight_list.\r\n\r\nsockets are AF_UNIX/SOCK_STREAM\nS is an unconnected socket\nL is a listening in-flight socket bound to addr, not in fdtable\nV's fd will be passed via sendmsg(), gets inflight count bumped\r\n\r\nconnect(S, addr)\tsendmsg(S, [V]); close(V)\t__unix_gc()\n----------------\t-------------------------\t-----------\r\n\r\nNS = unix_create1()\nskb1 = sock_wmalloc(NS)\nL = unix_find_other(addr)\nunix_state_lock(L)\nunix_peer(S) = NS\n\t\t\t// V count=1 inflight=0\r\n\r\n \t\t\tNS = unix_peer(S)\n \t\t\tskb2 = sock_alloc()\n\t\t\tskb_queue_tail(NS, skb2[V])\r\n\r\n\t\t\t// V became in-flight\n\t\t\t// V count=2 inflight=1\r\n\r\n\t\t\tclose(V)\r\n\r\n\t\t\t// V count=1 inflight=1\n\t\t\t// GC candidate condition met\r\n\r\n\t\t\t\t\t\tfor u in gc_inflight_list:\n\t\t\t\t\t\t  if (total_refs == inflight_refs)\n\t\t\t\t\t\t    add u to gc_candidates\r\n\r\n\t\t\t\t\t\t// gc_candidates={L, V}\r\n\r\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  scan_children(u, dec_inflight)\r\n\r\n\t\t\t\t\t\t// embryo (skb1) was not\n\t\t\t\t\t\t// reachable from L yet, so V's\n\t\t\t\t\t\t// inflight remains unchanged\n__skb_queue_tail(L, skb1)\nunix_state_unlock(L)\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  if (u.inflight)\n\t\t\t\t\t\t    scan_children(u, inc_inflight_move_tail)\r\n\r\n\t\t\t\t\t\t// V count=1 inflight=2 (!)\r\n\r\nIf there is a GC-candidate listening socket, lock/unlock its state. This\nmakes GC wait until the end of any ongoing connect() to that socket. After\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\nthis point, unix_inflight() can not happen because unix_gc_lock is already\ntaken. Inflight graph remains unaffected.(CVE-2024-26923)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbinder: check offset alignment in binder_get_object()\r\n\r\nCommit 6d98eb95b450 (\"binder: avoid potential data leakage when copying\ntxn\") introduced changes to how binder objects are copied. In doing so,\nit unintentionally removed an offset alignment check done through calls\nto binder_alloc_copy_from_buffer() -> check_buffer().\r\n\r\nThese calls were replaced in binder_get_object() with copy_from_user(),\nso now an explicit offset alignment check is needed here. This avoids\nlater complications when unwinding the objects gets harder.\r\n\r\nIt is worth noting this check existed prior to commit 7a67a39320df\n(\"binder: add function to copy binder object from buffer\"), likely\nremoved due to redundancy at the time.(CVE-2024-26926)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/i915/gt: Reset queue_priority_hint on parking\r\n\r\nOriginally, with strict in order execution, we could complete execution\nonly when the queue was empty. Preempt-to-busy allows replacement of an\nactive request that may complete before the preemption is processed by\nHW. If that happens, the request is retired from the queue, but the\nqueue_priority_hint remains set, preventing direct submission until\nafter the next CS interrupt is processed.\r\n\r\nThis preempt-to-busy race can be triggered by the heartbeat, which will\nalso act as the power-management barrier and upon completion allow us to\nidle the HW. We may process the completion of the heartbeat, and begin\nparking the engine before the CS event that restores the\nqueue_priority_hint, causing us to fail the assertion that it is MIN.\r\n\r\n<3>[  166.210729] __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))\n<0>[  166.210781] Dumping ftrace buffer:\n<0>[  166.210795] ---------------------------------\n...\n<0>[  167.302811] drm_fdin-1097      2..s1. 165741070us : trace_ports: 0000:00:02.0 rcs0: promote { ccid:20 1217:2 prio 0 }\n<0>[  167.302861] drm_fdin-1097      2d.s2. 165741072us : execlists_submission_tasklet: 0000:00:02.0 rcs0: preempting last=1217:2, prio=0, hint=2147483646\n<0>[  167.302928] drm_fdin-1097      2d.s2. 165741072us : __i915_request_unsubmit: 0000:00:02.0 rcs0: fence 1217:2, current 0\n<0>[  167.302992] drm_fdin-1097      2d.s2. 165741073us : __i915_request_submit: 0000:00:02.0 rcs0: fence 3:4660, current 4659\n<0>[  167.303044] drm_fdin-1097      2d.s1. 165741076us : execlists_submission_tasklet: 0000:00:02.0 rcs0: context:3 schedule-in, ccid:40\n<0>[  167.303095] drm_fdin-1097      2d.s1. 165741077us : trace_ports: 0000:00:02.0 rcs0: submit { ccid:40 3:4660* prio 2147483646 }\n<0>[  167.303159] kworker/-89       11..... 165741139us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence c90:2, current 2\n<0>[  167.303208] kworker/-89       11..... 165741148us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:c90 unpin\n<0>[  167.303272] kworker/-89       11..... 165741159us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 1217:2, current 2\n<0>[  167.303321] kworker/-89       11..... 165741166us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:1217 unpin\n<0>[  167.303384] kworker/-89       11..... 165741170us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 3:4660, current 4660\n<0>[  167.303434] kworker/-89       11d..1. 165741172us : __intel_context_retire: 0000:00:02.0 rcs0: context:1216 retire runtime: { total:56028ns, avg:56028ns }\n<0>[  167.303484] kworker/-89       11..... 165741198us : __engine_park: 0000:00:02.0 rcs0: parked\n<0>[  167.303534]   <idle>-0         5d.H3. 165741207us : execlists_irq_handler: 0000:00:02.0 rcs0: semaphore yield: 00000040\n<0>[  167.303583] kworker/-89       11..... 165741397us : __intel_context_retire: 0000:00:02.0 rcs0: context:1217 retire runtime: { total:325575ns, avg:0ns }\n<0>[  167.303756] kworker/-89       11..... 165741777us : __intel_context_retire: 0000:00:02.0 rcs0: context:c90 retire runtime: { total:0ns, avg:0ns }\n<0>[  167.303806] kworker/-89       11..... 165742017us : __engine_park: __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))\n<0>[  167.303811] ---------------------------------\n<4>[  167.304722] ------------[ cut here ]------------\n<2>[  167.304725] kernel BUG at drivers/gpu/drm/i915/gt/intel_engine_pm.c:283!\n<4>[  167.304731] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n<4>[  167.304734] CPU: 11 PID: 89 Comm: kworker/11:1 Tainted: G        W          6.8.0-rc2-CI_DRM_14193-gc655e0fd2804+ #1\n<4>[  167.304736] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022\n<4>[  167.304738] Workqueue: i915-unordered retire_work_handler [i915]\n<4>[  16\n---truncated---(CVE-2024-26937)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: openvswitch: Fix Use-After-Free in ovs_ct_exit\r\n\r\nSince kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof ovs_ct_limit_exit, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\r\n\r\nTo prevent this, it should be changed to hlist_for_each_entry_safe.(CVE-2024-27395)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: gtp: Fix Use-After-Free in gtp_dellink\r\n\r\nSince call_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof gtp_dellink, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\r\n\r\nTo prevent this, it should be changed to hlist_for_each_entry_safe.(CVE-2024-27396)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: Fix use-after-free bugs caused by sco_sock_timeout\r\n\r\nWhen the sco connection is established and then, the sco socket\nis releasing, timeout_work will be scheduled to judge whether\nthe sco disconnection is timeout. The sock will be deallocated\nlater, but it is dereferenced again in sco_sock_timeout. As a\nresult, the use-after-free bugs will happen. The root cause is\nshown below:\r\n\r\n    Cleanup Thread               |      Worker Thread\nsco_sock_release                 |\n  sco_sock_close                 |\n    __sco_sock_close             |\n      sco_sock_set_timer         |\n        schedule_delayed_work    |\n  sco_sock_kill                  |    (wait a time)\n    sock_put(sk) //FREE          |  sco_sock_timeout\n                                 |    sock_hold(sk) //USE\r\n\r\nThe KASAN report triggered by POC is shown below:\r\n\r\n[   95.890016] ==================================================================\n[   95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0\n[   95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7\n...\n[   95.890755] Workqueue: events sco_sock_timeout\n[   95.890755] Call Trace:\n[   95.890755]  <TASK>\n[   95.890755]  dump_stack_lvl+0x45/0x110\n[   95.890755]  print_address_description+0x78/0x390\n[   95.890755]  print_report+0x11b/0x250\n[   95.890755]  ? __virt_addr_valid+0xbe/0xf0\n[   95.890755]  ? sco_sock_timeout+0x5e/0x1c0\n[   95.890755]  kasan_report+0x139/0x170\n[   95.890755]  ? update_load_avg+0xe5/0x9f0\n[   95.890755]  ? sco_sock_timeout+0x5e/0x1c0\n[   95.890755]  kasan_check_range+0x2c3/0x2e0\n[   95.890755]  sco_sock_timeout+0x5e/0x1c0\n[   95.890755]  process_one_work+0x561/0xc50\n[   95.890755]  worker_thread+0xab2/0x13c0\n[   95.890755]  ? pr_cont_work+0x490/0x490\n[   95.890755]  kthread+0x279/0x300\n[   95.890755]  ? pr_cont_work+0x490/0x490\n[   95.890755]  ? kthread_blkcg+0xa0/0xa0\n[   95.890755]  ret_from_fork+0x34/0x60\n[   95.890755]  ? kthread_blkcg+0xa0/0xa0\n[   95.890755]  ret_from_fork_asm+0x11/0x20\n[   95.890755]  </TASK>\n[   95.890755]\n[   95.890755] Allocated by task 506:\n[   95.890755]  kasan_save_track+0x3f/0x70\n[   95.890755]  __kasan_kmalloc+0x86/0x90\n[   95.890755]  __kmalloc+0x17f/0x360\n[   95.890755]  sk_prot_alloc+0xe1/0x1a0\n[   95.890755]  sk_alloc+0x31/0x4e0\n[   95.890755]  bt_sock_alloc+0x2b/0x2a0\n[   95.890755]  sco_sock_create+0xad/0x320\n[   95.890755]  bt_sock_create+0x145/0x320\n[   95.890755]  __sock_create+0x2e1/0x650\n[   95.890755]  __sys_socket+0xd0/0x280\n[   95.890755]  __x64_sys_socket+0x75/0x80\n[   95.890755]  do_syscall_64+0xc4/0x1b0\n[   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[   95.890755]\n[   95.890755] Freed by task 506:\n[   95.890755]  kasan_save_track+0x3f/0x70\n[   95.890755]  kasan_save_free_info+0x40/0x50\n[   95.890755]  poison_slab_object+0x118/0x180\n[   95.890755]  __kasan_slab_free+0x12/0x30\n[   95.890755]  kfree+0xb2/0x240\n[   95.890755]  __sk_destruct+0x317/0x410\n[   95.890755]  sco_sock_release+0x232/0x280\n[   95.890755]  sock_close+0xb2/0x210\n[   95.890755]  __fput+0x37f/0x770\n[   95.890755]  task_work_run+0x1ae/0x210\n[   95.890755]  get_signal+0xe17/0xf70\n[   95.890755]  arch_do_signal_or_restart+0x3f/0x520\n[   95.890755]  syscall_exit_to_user_mode+0x55/0x120\n[   95.890755]  do_syscall_64+0xd1/0x1b0\n[   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[   95.890755]\n[   95.890755] The buggy address belongs to the object at ffff88800c388000\n[   95.890755]  which belongs to the cache kmalloc-1k of size 1024\n[   95.890755] The buggy address is located 128 bytes inside of\n[   95.890755]  freed 1024-byte region [ffff88800c388000, ffff88800c388400)\n[   95.890755]\n[   95.890755] The buggy address belongs to the physical page:\n[   95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388\n[   95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n[   95.890755] ano\n---truncated---(CVE-2024-27398)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncpumap: Zero-initialise xdp_rxq_info struct before running XDP program\r\n\r\nWhen running an XDP program that is attached to a cpumap entry, we don't\ninitialise the xdp_rxq_info data structure being used in the xdp_buff\nthat backs the XDP program invocation. Tobias noticed that this leads to\nrandom values being returned as the xdp_md->rx_queue_index value for XDP\nprograms running in a cpumap.\r\n\r\nThis means we're basically returning the contents of the uninitialised\nmemory, which is bad. Fix this by zero-initialising the rxq data\nstructure before running the XDP program.(CVE-2024-27431)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()\r\n\r\nDo the cache flush of converted pages in svm_register_enc_region() before\ndropping kvm->lock to fix use-after-free issues where region and/or its\narray of pages could be freed by a different task, e.g. if userspace has\n__unregister_enc_region_locked() already queued up for the region.\r\n\r\nNote, the \"obvious\" alternative of using local variables doesn't fully\nresolve the bug, as region->pages is also dynamically allocated.  I.e. the\nregion structure itself would be fine, but region->pages could be freed.\r\n\r\nFlushing multiple pages under kvm->lock is unfortunate, but the entire\nflow is a rare slow path, and the manual flush is only needed on CPUs that\nlack coherency for encrypted memory.(CVE-2024-35791)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: iwlwifi: dbg-tlv: ensure NUL termination\r\n\r\nThe iwl_fw_ini_debug_info_tlv is used as a string, so we must\nensure the string is terminated correctly before using it.(CVE-2024-35845)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: fix information leak in btrfs_ioctl_logical_to_ino()\r\n\r\nSyzbot reported the following information leak for in\nbtrfs_ioctl_logical_to_ino():\r\n\r\n  BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n  BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n   instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n   _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n   copy_to_user include/linux/uaccess.h:191 [inline]\n   btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499\n   btrfs_ioctl+0x714/0x1260\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:904 [inline]\n   __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n   __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n   x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\n  Uninit was created at:\n   __kmalloc_large_node+0x231/0x370 mm/slub.c:3921\n   __do_kmalloc_node mm/slub.c:3954 [inline]\n   __kmalloc_node+0xb07/0x1060 mm/slub.c:3973\n   kmalloc_node include/linux/slab.h:648 [inline]\n   kvmalloc_node+0xc0/0x2d0 mm/util.c:634\n   kvmalloc include/linux/slab.h:766 [inline]\n   init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779\n   btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480\n   btrfs_ioctl+0x714/0x1260\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:904 [inline]\n   __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n   __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n   x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\n  Bytes 40-65535 of 65536 are uninitialized\n  Memory access of size 65536 starts at ffff888045a40000\r\n\r\nThis happens, because we're copying a 'struct btrfs_data_container' back\nto user-space. This btrfs_data_container is allocated in\n'init_data_container()' via kvmalloc(), which does not zero-fill the\nmemory.\r\n\r\nFix this by using kvzalloc() which zeroes out the memory on allocation.(CVE-2024-35849)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npmdomain: ti: Add a null pointer check to the omap_prm_domain_init\r\n\r\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.(CVE-2024-35943)",
+    "cves": [
+      {
+        "id": "CVE-2024-26825",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26825",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2024-35943",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35943",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1025": {
+    "id": "openEuler-SA-2023-1025",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1025",
+    "title": "An update for openvswitch is now available for openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Open vSwitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license.\r\n\r\nSecurity Fix(es):\r\n\r\nAn integer underflow in Organization Specific TLV was found in various versions of OpenvSwitch.(CVE-2022-4338)",
+    "cves": [
+      {
+        "id": "CVE-2022-4338",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4338",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1234": {
+    "id": "openEuler-SA-2023-1234",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1234",
+    "title": "An update for openvswitch is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in openvswitch (OVS). When processing an IP packet with protocol 0, OVS will install the datapath flow without the action modifying the IP header. This issue results (for both kernel and userspace datapath) in installing a datapath flow matching all IP protocols (nw_proto is wildcarded) for this flow, but with an incorrect action, possibly causing incorrect handling of other IP packets with a != 0 IP protocol that matches this dp flow.(CVE-2023-1668)",
+    "cves": [
+      {
+        "id": "CVE-2023-1668",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1668",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1866": {
+    "id": "openEuler-SA-2022-1866",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1866",
+    "title": "An update for redis6 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Redis is an advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. You can run atomic operations on these types, like appending to a string; incrementing the value in a hash; pushing to a list; computing set intersection, union and difference; or getting the member with highest ranking in a sorted set. In order to achieve its outstanding performance, Redis works with an in-memory dataset. Depending on your use case, you can persist it either by dumping the dataset to disk every once in a while, or by appending each command to a log. Redis also supports trivial-to-setup master-slave replication, with very fast non-blocking first synchronization, auto-reconnection on net split and so forth. Other features include Transactions, Pub/Sub, Lua scripting, Keys with a limited time-to-live, and configuration settings to make Redis behave like a cache. You can use Redis from most programming languages also.\r\n\r\nSecurity Fix(es):\r\n\r\nRedis is an open source, in-memory database that persists on disk. When using the Redis Lua Debugger, users can send malformed requests that cause the debugger’s protocol parser to read data beyond the actual buffer. This issue affects all versions of Redis with Lua debugging support (3.2 or newer). The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14.(CVE-2021-32672)",
+    "cves": [
+      {
+        "id": "CVE-2021-32672",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32672",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1102": {
+    "id": "openEuler-SA-2024-1102",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1102",
+    "title": "An update for xorg-x11-server is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "X.Org X11 X server\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255, but the X.Org Server was only allocating space for the device's particular number of buttons, leading to a heap overflow if a bigger value was used.(CVE-2023-6816)\r\n\r\nAn out-of-bounds memory access flaw was found in the X.Org server. This issue can be triggered when a device frozen by a sync grab is reattached to a different master device. This issue may lead to an application crash, local privilege escalation (if the server runs with extended privileges), or remote code execution in SSH X11 forwarding environments.(CVE-2024-0229)\r\n\r\nA flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues another request to access that resource (as with a GetGeometry) or when it creates another resource that needs to access that buffer, such as a GC, the XSELINUX code will try to use an object that was never labeled and crash because the SID is NULL.(CVE-2024-0408)\r\n\r\nA flaw was found in the X.Org server. The cursor code in both Xephyr and Xwayland uses the wrong type of private at creation. It uses the cursor bits type with the cursor as private, and when initiating the cursor, that overwrites the XSELINUX context.(CVE-2024-0409)\r\n\r\nA flaw was found in X.Org server. In the XISendDeviceHierarchyEvent function, it is possible to exceed the allocated array length when certain new device IDs are added to the xXIHierarchyInfo struct. This can trigger a heap buffer overflow condition, which may lead to an application crash or remote code execution in SSH X11 forwarding environments.(CVE-2024-21885)\r\n\r\nA heap buffer overflow flaw was found in the DisableDevice function in the X.Org server. This issue may lead to an application crash or, in some circumstances, remote code execution in SSH X11 forwarding environments.(CVE-2024-21886)",
+    "cves": [
+      {
+        "id": "CVE-2024-21886",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21886",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1777": {
+    "id": "openEuler-SA-2024-1777",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1777",
+    "title": "An update for rubygem-actionpack is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "Eases web-request routing, handling, and response as a half-way front, half-way page controller. Implemented with specific emphasis on enabling easy unit/integration testing that doesn't require a browser.\r\n\r\nSecurity Fix(es):\r\n\r\nAction Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.(CVE-2022-23633)",
+    "cves": [
+      {
+        "id": "CVE-2022-23633",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23633",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1409": {
+    "id": "openEuler-SA-2023-1409",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1409",
+    "title": "An update for ImageMagick is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\n\nSecurity Fix(es):\n\nA heap-based buffer overflow issue was discovered in ImageMagick's ReadTIM2ImageData() function in coders/tim2.c. A local attacker could trick the user in opening specially crafted file, triggering an out-of-bounds read error, allowing an application to crash, resulting in a denial of service.(CVE-2023-34474)\n\nA heap use after free issue was discovered in ImageMagick's ReplaceXmpValue() function in MagickCore/profile.c. An attacker could trick user to open a specially crafted file to convert, triggering an heap-use-after-free write error, allowing an application to crash, resulting in a denial of service.(CVE-2023-34475)",
+    "cves": [
+      {
+        "id": "CVE-2023-34475",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34475",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1800": {
+    "id": "openEuler-SA-2023-1800",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1800",
+    "title": "An update for shim is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Initial UEFI bootloader that handles chaining to a trusted full \\ bootloader under secure boot environments.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability classified as critical has been found in rhboot shim up to 15.7 on ARM. This affects the function mirror_one_esl of the file mok.c of the component mok. Applying the patch 66e6579dbf921152f647a0c16da1d3b2f40861ca is able to eliminate this problem. The bugfix is ready for download at github.com.(CVE-2023-40546)",
+    "cves": [
+      {
+        "id": "CVE-2023-40546",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40546",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1486": {
+    "id": "openEuler-SA-2023-1486",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1486",
+    "title": "An update for sqlite is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "SQLite is a C-language library that implements a small, fast, self-contained, high-reliability, full-featured, SQL database engine. SQLite is the most used database engine in the world. SQLite is built into all mobile phones and most computers and comes bundled inside countless other applications that people use every day.It also include lemon and sqlite3_analyzer and tcl tools.\r\n\r\nSecurity Fix(es):\r\n\r\nsqlite3 v3.40.1 was discovered to contain a segmentation violation at /sqlite3_aflpp/shell.c.(CVE-2023-36191)",
+    "cves": [
+      {
+        "id": "CVE-2023-36191",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36191",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1739": {
+    "id": "openEuler-SA-2023-1739",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1739",
+    "title": "An update for openjdk-11 is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in function ciMethodBlocks::make_block_at in Oracle JDK (HotSpot VM) 11, 17 and OpenJDK (HotSpot VM) 8, 11, 17, allows attackers to cause a denial of service.(CVE-2022-40433)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via DTLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-21835)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Sound).  Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21843)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2023-21930)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21937)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21938)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21939)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2023-21954)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21967)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21968)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).(CVE-2023-22006)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Utility).  Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-22036)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.1 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2023-22041)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2023-22045)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-22049)",
+    "cves": [
+      {
+        "id": "CVE-2023-22049",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22049",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1148": {
+    "id": "openEuler-SA-2021-1148",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1148",
+    "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in ImageMagick in MagickCore/quantum.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned char. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.9-0.(CVE-2020-27775)\r\n\r\nA flaw was found in ImageMagick in coders/bmp.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned int`. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.9-0.(CVE-2020-27772)\r\n\r\nIn RestoreMSCWarning() of /coders/pdf.c there are several areas where calls to GetPixelIndex() could result in values outside the range of representable for the unsigned char type. The patch casts the return value of GetPixelIndex() to ssize_t type to avoid this bug. This undefined behavior could be triggered when ImageMagick processes a crafted pdf file. Red Hat Product Security marked this as Low severity because although it could potentially lead to an impact to application availability, no specific impact was demonstrated in this case. This flaw affects ImageMagick versions prior to 7.0.9-0.(CVE-2020-27771)\r\n\r\nA flaw was found in ImageMagick in MagickCore/statistic.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of a too large shift for 64-bit type `ssize_t`. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.9-0.(CVE-2020-27774)\r\n\r\nA floating point math calculation in ScaleAnyToQuantum() of /MagickCore/quantum-private.h could lead to undefined behavior in the form of a value outside the range of type unsigned long long. The flaw could be triggered by a crafted input file under certain conditions when it is processed by ImageMagick. Red Hat Product Security marked this as Low because although it could potentially lead to an impact to application availability, no specific impact was shown in this case. This flaw affects ImageMagick versions prior to 7.0.8-68.(CVE-2020-27757)\r\n\r\nA flaw was found in ImageMagick in coders/txt.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned long long`. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.8-68.(CVE-2020-27758)\r\n\r\nA flaw was found in ImageMagick in MagickCore/quantum-export.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned long long` as well as a shift exponent that is too large for 64-bit type. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.9-0.(CVE-2020-27751)\r\n\r\nIn CatromWeights(), MeshInterpolate(), InterpolatePixelChannel(), InterpolatePixelChannels(), and InterpolatePixelInfo(), which are all functions in /MagickCore/pixel.c, there were multiple unconstrained pixel offset calculations which were being used with the floor() function. These calculations produced undefined behavior in the form of out-of-range and integer overflows, as identified by UndefinedBehaviorSanitizer. These instances of undefined behavior could be triggered by an attacker who is able to supply a crafted input file to be processed by ImageMagick. These issues could impact application availability or potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.9-0.(CVE-2020-25676)\r\n\r\nIn the CropImage() and CropImageToTiles() routines of MagickCore/transform.c, rounding calculations performed on unconstrained pixel offsets was causing undefined behavior in the form of integer overflow and out-of-range values as reported by UndefinedBehaviorSanitizer. Such issues could cause a negative impact to application availability or other problems related to undefined behavior, in cases where ImageMagick processes untrusted input data. The upstream patch introduces functionality to constrain the pixel offsets and prevent these issues. This flaw affects ImageMagick versions prior to 7.0.9-0.(CVE-2020-25675)\r\n\r\nThere are 4 places in HistogramCompare() in MagickCore/histogram.c where an integer overflow is possible during simple math calculations. This occurs in the rgb values and `count` value for a color. The patch uses casts to `ssize_t` type for these calculations, instead of `int`. This flaw could impact application reliability in the event that ImageMagick processes a crafted input file. This flaw affects ImageMagick versions prior to 7.0.9-0.(CVE-2020-25666)\r\n\r\nin SetImageExtent() of /MagickCore/image.c, an incorrect image depth size can cause a memory leak because the code which checks for the proper image depth size does not reset the size in the event there is an invalid size. The patch resets the depth to a proper size before throwing an exception. The memory leak can be triggered by a crafted input file that is processed by ImageMagick and could cause an impact to application reliability, such as denial of service. This flaw affects ImageMagick versions prior to 7.0.9-0.(CVE-2020-27755)\r\n\r\nImageMagick before 7.0.9-0 allows remote attackers to cause a denial of service because XML_PARSE_HUGE is not properly restricted in coders/svg.c, related to SVG and libxml2.(CVE-2019-18853)",
+    "cves": [
+      {
+        "id": "CVE-2019-18853",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18853",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1419": {
+    "id": "openEuler-SA-2021-1419",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1419",
+    "title": "An update for rubygem-bundler is now available for openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Bundler manages an application's dependencies through its entire life, across many machines, systematically and repeatably.\r\n\r\nSecurity Fix(es):\r\n\r\nBundler prior to 2.1.0 uses a predictable path in /tmp/, created with insecure permissions as a storage location for gems, if locations under the user's home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an attacker could place malicious code in this directory that would be later loaded and executed.(CVE-2019-3881)",
+    "cves": [
+      {
+        "id": "CVE-2019-3881",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3881",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1628": {
+    "id": "openEuler-SA-2024-1628",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1628",
+    "title": "An update for nautilus is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "It's easier to manage your files for the GNOME desktop. Ability to browse directories on local and remote systems. preview folders and launch related programs. It is also handle icons on the GNOME desktop.\r\n\r\nSecurity Fix(es):\r\n\r\nGNOME Nautilus 42.2 allows a NULL pointer dereference and get_basename application crash via a pasted ZIP archive.(CVE-2022-37290)",
+    "cves": [
+      {
+        "id": "CVE-2022-37290",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37290",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1187": {
+    "id": "openEuler-SA-2024-1187",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1187",
+    "title": "An update for shim is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Initial UEFI bootloader that handles chaining to a trusted full \\ bootloader under secure boot environments.\r\n\r\nSecurity Fix(es):\r\n\r\nA security vulnerability has been identified in all supported versions\r\n\r\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints.  Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\r\n\r\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0464)",
+    "cves": [
+      {
+        "id": "CVE-2023-0464",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0464",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1343": {
+    "id": "openEuler-SA-2021-1343",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1343",
+    "title": "An update for libssh is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote programs. With its Secure FTP implementation, you can play with remote files easily, without third-party programs others than libcrypto (from openssl).\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw has been found in libssh in versions prior to 0.9.6. The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secret_hash and the other session_id. Initially, both of them are the same, but after key re-exchange, previous session_id is kept and used as an input to new secret_hash. Historically, both of these buffers had shared length variable, which worked as long as these buffers were same. But the key re-exchange operation can also change the key exchange method, which can be based on hash of different size, eventually creating \"secret_hash\" of different size than the session_id has. This becomes an issue when the session_id memory is zeroed or when it is used again during second key re-exchange.(CVE-2021-3634)",
+    "cves": [
+      {
+        "id": "CVE-2021-3634",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3634",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1192": {
+    "id": "openEuler-SA-2021-1192",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1192",
+    "title": "An update for edk2 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications.\r\n\r\nSecurity Fix(es):\r\n\r\nInteger overflow in DxeImageVerificationHandler() EDK II may allow an authenticated user to potentially enable denial of service via local access.(CVE-2019-14562)",
+    "cves": [
+      {
+        "id": "CVE-2019-14562",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14562",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1224": {
+    "id": "openEuler-SA-2021-1224",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1224",
+    "title": "An update for libdnf is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "A Library providing simplified C and Python API to libsolv.\n\nSecurity Fix(es):\n\nA flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-3445)",
+    "cves": [
+      {
+        "id": "CVE-2021-3445",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3445",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1087": {
+    "id": "openEuler-SA-2021-1087",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1087",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are proxied via an attacker-selected backstore.(CVE-2020-28374)\r\n\r\nAn issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are processing watch events using a single thread. If the events are received faster than the thread is able to handle, they will get queued. As the queue is unbounded, a guest may be able to trigger an OOM in the backend. All systems with a FreeBSD, Linux, or NetBSD (any version) dom0 are vulnerable.(CVE-2020-29568)\r\n\r\nIn the nl80211_policy policy of nl80211.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not required for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-119770583(CVE-2020-27068)\r\n\r\nA flaw was found in the Linux kernels implementation of MIDI, where an attacker with a local account and the permissions to issue an ioctl commands to midi devices, could trigger a use-after-free. A write to this specific memory while freed and before use could cause the flow of execution to change and possibly allow for memory corruption or privilege escalation.(CVE-2020-27786)\r\n\r\nAn issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free during fault handling, allowing local users to execute code in the kernel, aka CID-34b1a1ce1458.(CVE-2021-3347)\r\n\r\nnbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after-free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup, aka CID-b98e762e3d71.(CVE-2021-3348)\n\nIn binder_release_work of binder.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.(CVE-2020-0423)\n\nmwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.(CVE-2020-36158)\n\nInsufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.(CVE-2020-8694)\n\nIBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors could allow a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances. (CVE-2020-4788)\n\nAn issue was discovered in the Linux kernel through 5.2.13. nbd_genl_status in drivers/block/nbd.c does not check the nla_nest_start_noflag return value.(CVE-2019-16089)\n\nIn various methods of hid-multitouch.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.(CVE-2020-0465)\n\nIn do_epoll_ctl and ep_loop_check_proc of eventpoll.c, there is a possible use after free due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.(CVE-2020-0466)\n\nA flaw was found in the Linux kernel's implementation of string matching within a packet. A privileged user (with root or CAP_NET_ADMIN) when inserting iptables rules could insert a rule which can panic the system.(CVE-2021-20177)\n\nfs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS. NOTE: some parties argue that such a subdirectory export is not intended to prevent this attack; see also the exports(5) no_subtree_check default behavior.(CVE-2021-3178)",
+    "cves": [
+      {
+        "id": "CVE-2021-3178",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3178",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1916": {
+    "id": "openEuler-SA-2022-1916",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1916",
+    "title": "An update for libjpeg-turbo is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "libjpeg-turbo is a JPEG image codec that uses SIMD instructions (MMX, SSE2, NEON, AltiVec) to accelerate baseline JPEG compression and decompression on x86, x86-64, and ARM systems.\r\n\r\nSecurity Fix(es):\r\n\r\nA crafted input file could cause a null pointer dereference in jcopy_sample_rows() when processed by libjpeg-turbo.(CVE-2020-35538)",
+    "cves": [
+      {
+        "id": "CVE-2020-35538",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35538",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1724": {
+    "id": "openEuler-SA-2024-1724",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1724",
+    "title": "An update for three-eight-nine-ds-base is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3 and openEuler-24.03-LTS",
+    "severity": "High",
+    "description": "389-ds-base is an LDAPv3 compliant server which includes the LDAP server and command line utilities for server administration.\r\n\r\nSecurity Fix(es):\r\n\r\nA denial of service vulnerability was found in 389-ds-base ldap server. This issue may allow an authenticated user to cause a server crash while modifying `userPassword` using malformed input.(CVE-2024-2199)\r\n\r\nA flaw was found in 389-ds-base. A specially-crafted LDAP query can potentially cause a failure on the directory server, leading to a denial of service(CVE-2024-3657)",
+    "cves": [
+      {
+        "id": "CVE-2024-3657",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3657",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1970": {
+    "id": "openEuler-SA-2023-1970",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1970",
+    "title": "An update for python-twisted is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "Twisted is an event-based framework for internet applications, supporting Python 2.7 and Python 3.5+. It includes modules for many different purposes, including the following:\r\n\r\nSecurity Fix(es):\r\n\r\ntwisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the `twited.web.RedirectAgent` and `twisted.web. BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There are no known workarounds.(CVE-2022-21712)\r\n\r\nTwisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0, Twisted SSH client and server implement is able to accept an infinite amount of data for the peer's SSH version identifier. This ends up with a buffer using all the available memory. The attach is a simple as `nc -rv localhost 22 < /dev/zero`. A patch is available in version 22.2.0. There are currently no known workarounds.(CVE-2022-21716)\r\n\r\nTwisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.(CVE-2022-24801)\r\n\r\nTwisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.(CVE-2022-39348)",
+    "cves": [
+      {
+        "id": "CVE-2022-39348",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39348",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1613": {
+    "id": "openEuler-SA-2024-1613",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1613",
+    "title": "An update for tpm2-tss is now available for openEuler-20.03-LTS-SP1,openEuler-22.03-LTS,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "tpm2-tss is a software stack supporting Trusted Platform Module(TPM) 2.0 system APIs which provides TPM2.0 specified APIs for applications to access TPM module through kernel TPM drivers.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the tpm2-tss package, where it was not checked to see if the magic number in the attest is equal to the TPM2_GENERATED_VALUE. This flaw allows an attacker to generate arbitrary quote data, which may not be detected by Fapi_VerifyQuote.(CVE-2024-29040)",
+    "cves": [
+      {
+        "id": "CVE-2024-29040",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29040",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1540": {
+    "id": "openEuler-SA-2022-1540",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1540",
+    "title": "An update for python-pillow is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Python image processing library.\r\n\r\nSecurity Fix(es):\r\n\r\nPillow is a PIL (Python Imaging Library) fork. Affected versions of this package are vulnerable to Improper Input Validation. When the path to the temporary directory on Linux or macOS contained a space, this would break removal of the temporary image file after im.show() (and related actions), and potentially remove an unrelated file.(CVE-2022-24303)",
+    "cves": [
+      {
+        "id": "CVE-2022-24303",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24303",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1721": {
+    "id": "openEuler-SA-2023-1721",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1721",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nHeap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969.(CVE-2023-5344)",
+    "cves": [
+      {
+        "id": "CVE-2023-5344",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5344",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1420": {
+    "id": "openEuler-SA-2023-1420",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1420",
+    "title": "An update for perl-CPAN is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The CPAN module automates or at least simplifies the make and install of perl modules and extensions. It includes some primitive searching capabilities and knows how to use LWP, HTTP::Tiny, Net::FTP and certain external download clients to fetch distributions from the net. The CPAN module also supports named and versioned *bundles* of modules. Bundles simplify handling of sets of related modules.\n\nSecurity Fix(es):\n\nCPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.(CVE-2023-31484)",
+    "cves": [
+      {
+        "id": "CVE-2023-31484",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31484",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1829": {
+    "id": "openEuler-SA-2023-1829",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1829",
+    "title": "An update for openjdk-latest is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u381-perf, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 21.3.7 and  22.3.3. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition,.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-22025)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf, 11.0.20, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 20.3.11, 21.3.7 and  22.3.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-22081)",
+    "cves": [
+      {
+        "id": "CVE-2023-22081",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22081",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1746": {
+    "id": "openEuler-SA-2023-1746",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1746",
+    "title": "An update for xerces-j2 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2018-2799)",
+    "cves": [
+      {
+        "id": "CVE-2018-2799",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-2799",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1541": {
+    "id": "openEuler-SA-2022-1541",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1541",
+    "title": "An update for A-Tune is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "atune is a service for atuned AI tuning system.\r\n\r\nSecurity Fix(es):\r\n\r\nLog in as a local user and run the curl command to access the local atune url interface to escalate the local privilege or modify any file. Authentication is not forcibly enabled in the default configuration.(CVE-2021-33658)",
+    "cves": [
+      {
+        "id": "CVE-2021-33658",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33658",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1448": {
+    "id": "openEuler-SA-2024-1448",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1448",
+    "title": "An update for LibRaw is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "LibRaw is a library for reading RAW files from digital photo cameras (CRW/CR2, NEF, RAF, etc, virtually all RAW formats are supported).It pays special attention to correct retrieval of data required for subsequent RAW conversion.The library is intended for embedding in RAW converters, data analyzers, and other programs using RAW files as the initial data.\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Overflow vulnerability in LibRaw linux/unix v0.20.0 allows attacker to escalate privileges via the LibRaw_buffer_datastream::gets(char*, int) in /src/libraw/src/libraw_datastream.cpp.(CVE-2021-32142)",
+    "cves": [
+      {
+        "id": "CVE-2021-32142",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32142",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1642": {
+    "id": "openEuler-SA-2023-1642",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1642",
+    "title": "An update for openjdk-1.8.0 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment 8.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.3.1; Oracle GraalVM Enterprise Edition: 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21549)\r\n\r\nAn issue was discovered in function ciMethodBlocks::make_block_at in Oracle JDK (HotSpot VM) 11, 17 and OpenJDK (HotSpot VM) 8, 11, 17, allows attackers to cause a denial of service.(CVE-2022-40433)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization).  Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf; Oracle GraalVM Enterprise Edition: 20.3.8 and  21.3.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21830)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Sound).  Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21843)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2023-21930)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21937)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21938)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21939)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2023-21954)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21967)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21968)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2023-22045)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-22049)",
+    "cves": [
+      {
+        "id": "CVE-2023-22049",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22049",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1958": {
+    "id": "openEuler-SA-2022-1958",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1958",
+    "title": "An update for redis5 is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Redis is an advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. You can run atomic operations on these types, like appending to a string; incrementing the value in a hash; pushing to a list; computing set intersection, union and difference; or getting the member with highest ranking in a sorted set. In order to achieve its outstanding performance, Redis works with an in-memory dataset. Depending on your use case, you can persist it either by dumping the dataset to disk every once in a while, or by appending each command to a log. Redis also supports trivial-to-setup master-slave replication, with very fast non-blocking first synchronization, auto-reconnection on net split and so forth. Other features include Transactions, Pub/Sub, Lua scripting, Keys with a limited time-to-live, and configuration settings to make Redis behave like a cache. You can use Redis from most programming languages also.\r\n\r\nSecurity Fix(es):\r\n\r\nRedis is an open source, in-memory database that persists on disk. In affected versions specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. This can result with heap corruption and potentially remote code execution. This problem exists in all versions of Redis with Lua scripting support, starting from 2.6. The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14. For users unable to update an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.(CVE-2021-32626)\r\n\r\nRedis is an open source, in-memory database that persists on disk. In affected versions an integer overflow bug in Redis can be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves changing the default proto-max-bulk-len and client-query-buffer-limit configuration parameters to very large values and constructing specially crafted very large stream elements. The problem is fixed in Redis 6.2.6, 6.0.16 and 5.0.14. For users unable to upgrade an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the proto-max-bulk-len configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.(CVE-2021-32627)\r\n\r\nRedis is an open source, in-memory database that persists on disk. An integer overflow bug in the ziplist data structure used by all versions of Redis can be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves modifying the default ziplist configuration parameters (hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value) to a very large value, and then constructing specially crafted commands to create very large ziplists. The problem is fixed in Redis versions 6.2.6, 6.0.16, 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the above configuration parameters. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.(CVE-2021-32628)\r\n\r\nRedis is an open source, in-memory database that persists on disk. An integer overflow bug affecting all versions of Redis can be exploited to corrupt the heap and potentially be used to leak arbitrary contents of the heap or trigger remote code execution. The vulnerability involves changing the default set-max-intset-entries configuration parameter to a very large value and constructing specially crafted commands to manipulate sets. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the set-max-intset-entries configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.(CVE-2021-32687)\r\n\r\nRedis is an open source, in-memory database that persists on disk. When parsing an incoming Redis Standard Protocol (RESP) request, Redis allocates memory according to user-specified values which determine the number of elements (in the multi-bulk header) and size of each element (in the bulk header). An attacker delivering specially crafted requests over multiple connections can cause the server to allocate significant amount of memory. Because the same parsing mechanism is used to handle authentication requests, this vulnerability can also be exploited by unauthenticated users. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This can be done in different ways: Using network access control tools like firewalls, iptables, security groups, etc. or Enabling TLS and requiring users to authenticate using client side certificates.(CVE-2021-32675)\r\n\r\nRedis is an open source, in-memory database that persists on disk. The redis-cli command line tool and redis-sentinel service may be vulnerable to integer overflow when parsing specially crafted large multi-bulk network replies. This is a result of a vulnerability in the underlying hiredis library which does not perform an overflow check before calling the calloc() heap allocation function. This issue only impacts systems with heap allocators that do not perform their own overflow checks. Most modern systems do and are therefore not likely to be affected. Furthermore, by default redis-sentinel uses the jemalloc allocator which is also not vulnerable. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14.(CVE-2021-32762)\r\n\r\nRedis is an open source, in-memory database that persists on disk. An integer overflow bug in the underlying string library can be used to corrupt the heap and potentially result with denial of service or remote code execution. The vulnerability involves changing the default proto-max-bulk-len configuration parameter to a very large value and constructing specially crafted network payloads or commands. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the proto-max-bulk-len configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.(CVE-2021-41099)",
+    "cves": [
+      {
+        "id": "CVE-2021-41099",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41099",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1254": {
+    "id": "openEuler-SA-2023-1254",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1254",
+    "title": "An update for hyperscan is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Hyperscan is a high-performance multiple regex matching library. It follows the regular expression syntax of the commonly-used libpcre library, but is a standalone library with its own C API.\r\n\r\nSecurity Fix(es):\r\n\r\nImproper buffer restrictions in the Hyperscan library maintained by Intel(R) all versions downloaded before 04/29/2022 may allow an unauthenticated user to potentially enable escalation of privilege via network access.(CVE-2022-29486)",
+    "cves": [
+      {
+        "id": "CVE-2022-29486",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29486",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1700": {
+    "id": "openEuler-SA-2023-1700",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1700",
+    "title": "An update for snappy-java is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "A Java port of the snappy, a fast compresser/decompresser written in C++.\r\n\r\nSecurity Fix(es):\r\n\r\nsnappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in commit `9f8c3cf74` which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources.(CVE-2023-43642)",
+    "cves": [
+      {
+        "id": "CVE-2023-43642",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43642",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1419": {
+    "id": "openEuler-SA-2023-1419",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1419",
+    "title": "An update for pki-core is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Dogtag PKI is a designed  enterprise software system manage enterprise Public Key Infrastructure deployments.\n\nSecurity Fix(es):\n\nAccess to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.(CVE-2022-2414)",
+    "cves": [
+      {
+        "id": "CVE-2022-2414",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2414",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1536": {
+    "id": "openEuler-SA-2022-1536",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1536",
+    "title": "An update for util-linux is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The util-linux package contains a random collection of files that implements some low-level basic linux utilities.\r\n\r\nSecurity Fix(es):\r\n\r\nA logical error was found in util-linux's libmount library in a function that allows unprivileged users to unmount FUSE filesystems. Incorrect uid checking allows unprivileged users to unmount FUSE filesystems with similar uid users, an attacker could exploit this vulnerability to cause a denial of service to applications using the affected filesystem.(CVE-2021-3995)\r\n\r\nthat allows unprivileged users to unmount FUSE filesystems. Issues related to parsing the /proc/self/mountinfo file allow unprivileged users to unmount other users' filesystems that are themselves world-writable (such as /tmp) or mounted in a world-writable directory. An attacker could exploit this vulnerability to cause a denial of service to applications that use the affected file system.(CVE-2021-3996)",
+    "cves": [
+      {
+        "id": "CVE-2021-3996",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3996",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1495": {
+    "id": "openEuler-SA-2023-1495",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1495",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel. This flaw allows a local user with special privileges to impact a kernel information leak issue.(CVE-2023-3863)\r\n\r\nA use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs during device initialization when the siano device is plugged in. This flaw allows a local user to crash the system, causing a denial of service condition.(CVE-2023-4132)",
+    "cves": [
+      {
+        "id": "CVE-2023-4132",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4132",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1076": {
+    "id": "openEuler-SA-2023-1076",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1076",
+    "title": "An update for lxc is now available for openEuler-22.03-LTS",
+    "severity": "Low",
+    "description": "Containers are insulated areas inside a system, which have their own namespace for filesystem, network, PID, IPC, CPU and memory allocation and which can be created using the Control Group and Namespace features included in the Linux kernel.\r\n\r\nSecurity Fix(es):\r\n\r\nlxc-user-nic in lxc through 5.0.1 is installed setuid root, and may allow local users to infer whether any file exists, even within a protected directory tree, because \"Failed to open\" often indicates that a file does not exist, whereas \"does not refer to a network namespace path\" often indicates that a file exists. NOTE: this is different from CVE-2018-6556 because the CVE-2018-6556 fix design was based on the premise that \"we will report back to the user that the open() failed but the user has no way of knowing why it failed\"; however, in many realistic cases, there are no plausible reasons for failing except that the file does not exist.(CVE-2022-47952)",
+    "cves": [
+      {
+        "id": "CVE-2022-47952",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47952",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1108": {
+    "id": "openEuler-SA-2023-1108",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1108",
+    "title": "An update for apr-util is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nInteger Overflow or Wraparound vulnerability in apr_base64 functions of Apache Portable Runtime Utility (APR-util) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime Utility (APR-util) 1.6.1 and prior versions.(CVE-2022-25147)",
+    "cves": [
+      {
+        "id": "CVE-2022-25147",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25147",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1307": {
+    "id": "openEuler-SA-2023-1307",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1307",
+    "title": "An update for webkit2gtk3 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "WebKitGTK is a full-featured port of the WebKit rendering engine,suitable for projects requiring any kind of web integration, from hybrid HTML/CSS applications to full-fledged web browsers. This package contains WebKit2 based WebKitGTK+ for GTK+ 3.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the webkitgtk package. An out of bounds read may be possible when processing malicious web content, which can lead to information disclosure.(CVE-2023-28204)",
+    "cves": [
+      {
+        "id": "CVE-2023-28204",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28204",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1329": {
+    "id": "openEuler-SA-2024-1329",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1329",
+    "title": "An update for python-yaql is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "YAQL (Yet Another Query Language) is an embeddable and extensible query language, that allows performing complex queries against arbitrary objects. It has a vast and comprehensive standard library of frequently used querying functions and can be extend even further with user-specified functions. YAQL is written in python and is distributed via PyPI.\r\n\r\nSecurity Fix(es):\r\n\r\nIn OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information.(CVE-2024-29156)",
+    "cves": [
+      {
+        "id": "CVE-2024-29156",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29156",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1653": {
+    "id": "openEuler-SA-2024-1653",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1653",
+    "title": "An update for python-idna is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "A library to support the Internationalised Domain Names in Applications (IDNA) protocol as specified in RFC 5891 http://tools.ietf.org/html/rfc5891. This version of the protocol is often referred to as “IDNA2008” and can produce different results from the earlier standard from 2003.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the python-idna library. A malicious argument was sent to the idna.encode() function can trigger an uncontrolled resource consumption, resulting in a denial of service.(CVE-2024-3651)",
+    "cves": [
+      {
+        "id": "CVE-2024-3651",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3651",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2077": {
+    "id": "openEuler-SA-2022-2077",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2077",
+    "title": "An update for grafana is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB and OpenTSDB.\r\n\r\nSecurity Fix(es):\r\n\r\nGrafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting (XSS) attack. The attacker could either compromise an existing datasource for a specific Grafana instance or either set up its own public service and instruct anyone to set it up in their Grafana instance. To be impacted, all of the following must be applicable. For the data source proxy: A Grafana HTTP-based datasource configured with Server as Access Mode and a URL set, the attacker has to be in control of the HTTP server serving the URL of above datasource, and a specially crafted link pointing at the attacker controlled data source must be clicked on by an authenticated user. For the plugin proxy: A Grafana HTTP-based app plugin configured and enabled with a URL set, the attacker has to be in control of the HTTP server serving the URL of above app, and a specially crafted link pointing at the attacker controlled plugin must be clocked on by an authenticated user. For the backend plugin resource: An attacker must be able to navigate an authenticated user to a compromised plugin through a crafted link. Users are advised to update to a patched version. There are no known workarounds for this vulnerability.(CVE-2022-21702)",
+    "cves": [
+      {
+        "id": "CVE-2022-21702",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21702",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1686": {
+    "id": "openEuler-SA-2022-1686",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1686",
+    "title": "An update for pcre2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "PCRE2 is a re-working of the original PCRE1 library to provide an entirely new API. Since its initial release in 2015, there has been further development of the code and it now differs from PCRE1 in more than just the API. PCRE2 is written in C, and it has its own API. There are three sets of functions, one for the 8-bit library, which processes strings of bytes, one for the 16-bit library, which processes strings of 16-bit values, and one for the 32-bit library, which processes strings of 32-bit values. Unlike PCRE1, there are no C++ wrappers.\n\nSecurity Fix(es):\n\nAn out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT.(CVE-2022-1586)\n\nAn out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers.(CVE-2022-1587)",
+    "cves": [
+      {
+        "id": "CVE-2022-1587",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1587",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1777": {
+    "id": "openEuler-SA-2023-1777",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1777",
+    "title": "An update for nginx is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "NGINX is a free, open-source, high-performance HTTP server and reverse proxy,  as well as an IMAP/POP3 proxy server.\r\n\r\nSecurity Fix(es):\r\n\r\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.(CVE-2023-44487)",
+    "cves": [
+      {
+        "id": "CVE-2023-44487",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1443": {
+    "id": "openEuler-SA-2021-1443",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1443",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The Go Programming Language.\r\n\r\nSecurity Fix(es):\r\n\r\nImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.(CVE-2021-41771)",
+    "cves": [
+      {
+        "id": "CVE-2021-41771",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41771",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1651": {
+    "id": "openEuler-SA-2024-1651",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1651",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/dasd: fix Oops in dasd_alias_get_start_dev due to missing pavgroup\r\n\r\nFix Oops in dasd_alias_get_start_dev() function caused by the pavgroup\npointer being NULL.\r\n\r\nThe pavgroup pointer is checked on the entrance of the function but\nwithout the lcu->lock being held. Therefore there is a race window\nbetween dasd_alias_get_start_dev() and _lcu_update() which sets\npavgroup to NULL with the lcu->lock held.\r\n\r\nFix by checking the pavgroup pointer with lcu->lock held.(CVE-2022-48636)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: fix hang during unmount when stopping a space reclaim worker\r\n\r\nOften when running generic/562 from fstests we can hang during unmount,\nresulting in a trace like this:\r\n\r\n  Sep 07 11:52:00 debian9 unknown: run fstests generic/562 at 2022-09-07 11:52:00\n  Sep 07 11:55:32 debian9 kernel: INFO: task umount:49438 blocked for more than 120 seconds.\n  Sep 07 11:55:32 debian9 kernel:       Not tainted 6.0.0-rc2-btrfs-next-122 #1\n  Sep 07 11:55:32 debian9 kernel: \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n  Sep 07 11:55:32 debian9 kernel: task:umount          state:D stack:    0 pid:49438 ppid: 25683 flags:0x00004000\n  Sep 07 11:55:32 debian9 kernel: Call Trace:\n  Sep 07 11:55:32 debian9 kernel:  <TASK>\n  Sep 07 11:55:32 debian9 kernel:  __schedule+0x3c8/0xec0\n  Sep 07 11:55:32 debian9 kernel:  ? rcu_read_lock_sched_held+0x12/0x70\n  Sep 07 11:55:32 debian9 kernel:  schedule+0x5d/0xf0\n  Sep 07 11:55:32 debian9 kernel:  schedule_timeout+0xf1/0x130\n  Sep 07 11:55:32 debian9 kernel:  ? lock_release+0x224/0x4a0\n  Sep 07 11:55:32 debian9 kernel:  ? lock_acquired+0x1a0/0x420\n  Sep 07 11:55:32 debian9 kernel:  ? trace_hardirqs_on+0x2c/0xd0\n  Sep 07 11:55:32 debian9 kernel:  __wait_for_common+0xac/0x200\n  Sep 07 11:55:32 debian9 kernel:  ? usleep_range_state+0xb0/0xb0\n  Sep 07 11:55:32 debian9 kernel:  __flush_work+0x26d/0x530\n  Sep 07 11:55:32 debian9 kernel:  ? flush_workqueue_prep_pwqs+0x140/0x140\n  Sep 07 11:55:32 debian9 kernel:  ? trace_clock_local+0xc/0x30\n  Sep 07 11:55:32 debian9 kernel:  __cancel_work_timer+0x11f/0x1b0\n  Sep 07 11:55:32 debian9 kernel:  ? close_ctree+0x12b/0x5b3 [btrfs]\n  Sep 07 11:55:32 debian9 kernel:  ? __trace_bputs+0x10b/0x170\n  Sep 07 11:55:32 debian9 kernel:  close_ctree+0x152/0x5b3 [btrfs]\n  Sep 07 11:55:32 debian9 kernel:  ? evict_inodes+0x166/0x1c0\n  Sep 07 11:55:32 debian9 kernel:  generic_shutdown_super+0x71/0x120\n  Sep 07 11:55:32 debian9 kernel:  kill_anon_super+0x14/0x30\n  Sep 07 11:55:32 debian9 kernel:  btrfs_kill_super+0x12/0x20 [btrfs]\n  Sep 07 11:55:32 debian9 kernel:  deactivate_locked_super+0x2e/0xa0\n  Sep 07 11:55:32 debian9 kernel:  cleanup_mnt+0x100/0x160\n  Sep 07 11:55:32 debian9 kernel:  task_work_run+0x59/0xa0\n  Sep 07 11:55:32 debian9 kernel:  exit_to_user_mode_prepare+0x1a6/0x1b0\n  Sep 07 11:55:32 debian9 kernel:  syscall_exit_to_user_mode+0x16/0x40\n  Sep 07 11:55:32 debian9 kernel:  do_syscall_64+0x48/0x90\n  Sep 07 11:55:32 debian9 kernel:  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n  Sep 07 11:55:32 debian9 kernel: RIP: 0033:0x7fcde59a57a7\n  Sep 07 11:55:32 debian9 kernel: RSP: 002b:00007ffe914217c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\n  Sep 07 11:55:32 debian9 kernel: RAX: 0000000000000000 RBX: 00007fcde5ae8264 RCX: 00007fcde59a57a7\n  Sep 07 11:55:32 debian9 kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000055b57556cdd0\n  Sep 07 11:55:32 debian9 kernel: RBP: 000055b57556cba0 R08: 0000000000000000 R09: 00007ffe91420570\n  Sep 07 11:55:32 debian9 kernel: R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  Sep 07 11:55:32 debian9 kernel: R13: 000055b57556cdd0 R14: 000055b57556ccb8 R15: 0000000000000000\n  Sep 07 11:55:32 debian9 kernel:  </TASK>\r\n\r\nWhat happens is the following:\r\n\r\n1) The cleaner kthread tries to start a transaction to delete an unused\n   block group, but the metadata reservation can not be satisfied right\n   away, so a reservation ticket is created and it starts the async\n   metadata reclaim task (fs_info->async_reclaim_work);\r\n\r\n2) Writeback for all the filler inodes with an i_size of 2K starts\n   (generic/562 creates a lot of 2K files with the goal of filling\n   metadata space). We try to create an inline extent for them, but we\n   fail when trying to insert the inline extent with -ENOSPC (at\n   cow_file_range_inline()) - since this is not critical, we fallback\n   to non-inline mode (back to cow_file_range()), reserve extents\n---truncated---(CVE-2022-48664)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/imc-pmu: Add a null pointer check in update_events_in_group()\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.(CVE-2023-52675)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npstore: ram_core: fix possible overflow in persistent_ram_init_ecc()\r\n\r\nIn persistent_ram_init_ecc(), on 64-bit arches DIV_ROUND_UP() will return\n64-bit value since persistent_ram_zone::buffer_size has type size_t which\nis derived from the 64-bit *unsigned long*, while the ecc_blocks variable\nthis value gets assigned to has (always 32-bit) *int* type.  Even if that\nvalue fits into *int* type, an overflow is still possible when calculating\nthe size_t typed ecc_total variable further below since there's no cast to\nany 64-bit type before multiplication.  Declaring the ecc_blocks variable\nas *size_t* should fix this mess...\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with the SVACE static\nanalysis tool.(CVE-2023-52685)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnfc: nci: free rx_data_reassembly skb on NCI device cleanup\r\n\r\nrx_data_reassembly skb is stored during NCI data exchange for processing\nfragmented packets. It is dropped only when the last fragment is processed\nor when an NTF packet with NCI_OP_RF_DEACTIVATE_NTF opcode is received.\nHowever, the NCI device may be deallocated before that which leads to skb\nleak.\r\n\r\nAs by design the rx_data_reassembly skb is bound to the NCI device and\nnothing prevents the device to be freed before the skb is processed in\nsome way and cleaned, free it on the NCI device cleanup.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.(CVE-2024-26825)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_conntrack_h323: Add protection for bmp length out of range\r\n\r\nUBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts\nthat are out of bounds for their data type.\r\n\r\nvmlinux   get_bitmap(b=75) + 712\n<net/netfilter/nf_conntrack_h323_asn1.c:0>\nvmlinux   decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018, level=134443100) + 1956\n<net/netfilter/nf_conntrack_h323_asn1.c:592>\nvmlinux   decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216\n<net/netfilter/nf_conntrack_h323_asn1.c:814>\nvmlinux   decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812\n<net/netfilter/nf_conntrack_h323_asn1.c:576>\nvmlinux   decode_choice(base=0xFFFFFFD008037280, level=0) + 1216\n<net/netfilter/nf_conntrack_h323_asn1.c:814>\nvmlinux   DecodeRasMessage() + 304\n<net/netfilter/nf_conntrack_h323_asn1.c:833>\nvmlinux   ras_help() + 684\n<net/netfilter/nf_conntrack_h323_main.c:1728>\nvmlinux   nf_confirm() + 188\n<net/netfilter/nf_conntrack_proto.c:137>\r\n\r\nDue to abnormal data in skb->data, the extension bitmap length\nexceeds 32 when decoding ras message then uses the length to make\na shift operation. It will change into negative after several loop.\nUBSAN load could detect a negative shift as an undefined behaviour\nand reports exception.\nSo we add the protection to avoid the length exceeding 32. Or else\nit will return out of range error and stop decoding.(CVE-2024-26851)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nrds: tcp: Fix use-after-free of net in reqsk_timer_handler().\r\n\r\nsyzkaller reported a warning of netns tracker [0] followed by KASAN\nsplat [1] and another ref tracker warning [1].\r\n\r\nsyzkaller could not find a repro, but in the log, the only suspicious\nsequence was as follows:\r\n\r\n  18:26:22 executing program 1:\n  r0 = socket$inet6_mptcp(0xa, 0x1, 0x106)\n  ...\n  connect$inet6(r0, &(0x7f0000000080)={0xa, 0x4001, 0x0, @loopback}, 0x1c) (async)\r\n\r\nThe notable thing here is 0x4001 in connect(), which is RDS_TCP_PORT.\r\n\r\nSo, the scenario would be:\r\n\r\n  1. unshare(CLONE_NEWNET) creates a per netns tcp listener in\n      rds_tcp_listen_init().\n  2. syz-executor connect()s to it and creates a reqsk.\n  3. syz-executor exit()s immediately.\n  4. netns is dismantled.  [0]\n  5. reqsk timer is fired, and UAF happens while freeing reqsk.  [1]\n  6. listener is freed after RCU grace period.  [2]\r\n\r\nBasically, reqsk assumes that the listener guarantees netns safety\nuntil all reqsk timers are expired by holding the listener's refcount.\nHowever, this was not the case for kernel sockets.\r\n\r\nCommit 740ea3c4a0b2 (\"tcp: Clean up kernel listener's reqsk in\ninet_twsk_purge()\") fixed this issue only for per-netns ehash.\r\n\r\nLet's apply the same fix for the global ehash.\r\n\r\n[0]:\nref_tracker: net notrefcnt@0000000065449cc3 has 1/1 users at\n     sk_alloc (./include/net/net_namespace.h:337 net/core/sock.c:2146)\n     inet6_create (net/ipv6/af_inet6.c:192 net/ipv6/af_inet6.c:119)\n     __sock_create (net/socket.c:1572)\n     rds_tcp_listen_init (net/rds/tcp_listen.c:279)\n     rds_tcp_init_net (net/rds/tcp.c:577)\n     ops_init (net/core/net_namespace.c:137)\n     setup_net (net/core/net_namespace.c:340)\n     copy_net_ns (net/core/net_namespace.c:497)\n     create_new_namespaces (kernel/nsproxy.c:110)\n     unshare_nsproxy_namespaces (kernel/nsproxy.c:228 (discriminator 4))\n     ksys_unshare (kernel/fork.c:3429)\n     __x64_sys_unshare (kernel/fork.c:3496)\n     do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\n     entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)\n...\nWARNING: CPU: 0 PID: 27 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179)\r\n\r\n[1]:\nBUG: KASAN: slab-use-after-free in inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966)\nRead of size 8 at addr ffff88801b370400 by task swapper/0/0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <IRQ>\n dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))\n print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)\n kasan_report (mm/kasan/report.c:603)\n inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966)\n reqsk_timer_handler (net/ipv4/inet_connection_sock.c:979 net/ipv4/inet_connection_sock.c:1092)\n call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)\n __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2038)\n run_timer_softirq (kernel/time/timer.c:2053)\n __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)\n irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632 kernel/softirq.c:644)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1076 (discriminator 14))\n </IRQ>\r\n\r\nAllocated by task 258 on cpu 0 at 83.612050s:\n kasan_save_stack (mm/kasan/common.c:48)\n kasan_save_track (mm/kasan/common.c:68)\n __kasan_slab_alloc (mm/kasan/common.c:343)\n kmem_cache_alloc (mm/slub.c:3813 mm/slub.c:3860 mm/slub.c:3867)\n copy_net_ns (./include/linux/slab.h:701 net/core/net_namespace.c:421 net/core/net_namespace.c:480)\n create_new_namespaces (kernel/nsproxy.c:110)\n unshare_nsproxy_name\n---truncated---(CVE-2024-26865)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndo_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak\r\n\r\nsyzbot identified a kernel information leak vulnerability in\ndo_sys_name_to_handle() and issued the following report [1].\r\n\r\n[1]\n\"BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n _copy_to_user+0xbc/0x100 lib/usercopy.c:40\n copy_to_user include/linux/uaccess.h:191 [inline]\n do_sys_name_to_handle fs/fhandle.c:73 [inline]\n __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]\n __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94\n __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94\n ...\r\n\r\nUninit was created at:\n slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n slab_alloc_node mm/slub.c:3478 [inline]\n __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517\n __do_kmalloc_node mm/slab_common.c:1006 [inline]\n __kmalloc+0x121/0x3c0 mm/slab_common.c:1020\n kmalloc include/linux/slab.h:604 [inline]\n do_sys_name_to_handle fs/fhandle.c:39 [inline]\n __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]\n __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94\n __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94\n ...\r\n\r\nBytes 18-19 of 20 are uninitialized\nMemory access of size 20 starts at ffff888128a46380\nData copied to user address 0000000020000240\"\r\n\r\nPer Chuck Lever's suggestion, use kzalloc() instead of kmalloc() to\nsolve the problem.(CVE-2024-26901)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security\r\n\r\nDuring our fuzz testing of the connection and disconnection process at the\nRFCOMM layer, we discovered this bug. By comparing the packets from a\nnormal connection and disconnection process with the testcase that\ntriggered a KASAN report. We analyzed the cause of this bug as follows:\r\n\r\n1. In the packets captured during a normal connection, the host sends a\n`Read Encryption Key Size` type of `HCI_CMD` packet\n(Command Opcode: 0x1408) to the controller to inquire the length of\nencryption key.After receiving this packet, the controller immediately\nreplies with a Command Completepacket (Event Code: 0x0e) to return the\nEncryption Key Size.\r\n\r\n2. In our fuzz test case, the timing of the controller's response to this\npacket was delayed to an unexpected point: after the RFCOMM and L2CAP\nlayers had disconnected but before the HCI layer had disconnected.\r\n\r\n3. After receiving the Encryption Key Size Response at the time described\nin point 2, the host still called the rfcomm_check_security function.\nHowever, by this time `struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;`\nhad already been released, and when the function executed\n`return hci_conn_security(conn->hcon, d->sec_level, auth_type, d->out);`,\nspecifically when accessing `conn->hcon`, a null-ptr-deref error occurred.\r\n\r\nTo fix this bug, check if `sk->sk_state` is BT_CLOSED before calling\nrfcomm_recv_frame in rfcomm_process_rx.(CVE-2024-26903)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2024-26908)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ninet: inet_defrag: prevent sk release while still in use\r\n\r\nip_local_out() and other functions can pass skb->sk as function argument.\r\n\r\nIf the skb is a fragment and reassembly happens before such function call\nreturns, the sk must not be released.\r\n\r\nThis affects skb fragments reassembled via netfilter or similar\nmodules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline.\r\n\r\nEric Dumazet made an initial analysis of this bug.  Quoting Eric:\n  Calling ip_defrag() in output path is also implying skb_orphan(),\n  which is buggy because output path relies on sk not disappearing.\r\n\r\n  A relevant old patch about the issue was :\n  8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\")\r\n\r\n  [..]\r\n\r\n  net/ipv4/ip_output.c depends on skb->sk being set, and probably to an\n  inet socket, not an arbitrary one.\r\n\r\n  If we orphan the packet in ipvlan, then downstream things like FQ\n  packet scheduler will not work properly.\r\n\r\n  We need to change ip_defrag() to only use skb_orphan() when really\n  needed, ie whenever frag_list is going to be used.\r\n\r\nEric suggested to stash sk in fragment queue and made an initial patch.\nHowever there is a problem with this:\r\n\r\nIf skb is refragmented again right after, ip_do_fragment() will copy\nhead->sk to the new fragments, and sets up destructor to sock_wfree.\nIOW, we have no choice but to fix up sk_wmem accouting to reflect the\nfully reassembled skb, else wmem will underflow.\r\n\r\nThis change moves the orphan down into the core, to last possible moment.\nAs ip_defrag_offset is aliased with sk_buff->sk member, we must move the\noffset into the FRAG_CB, else skb->sk gets clobbered.\r\n\r\nThis allows to delay the orphaning long enough to learn if the skb has\nto be queued or if the skb is completing the reasm queue.\r\n\r\nIn the former case, things work as before, skb is orphaned.  This is\nsafe because skb gets queued/stolen and won't continue past reasm engine.\r\n\r\nIn the latter case, we will steal the skb->sk reference, reattach it to\nthe head skb, and fix up wmem accouting when inet_frag inflates truesize.(CVE-2024-26921)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\naf_unix: Fix garbage collector racing against connect()\r\n\r\nGarbage collector does not take into account the risk of embryo getting\nenqueued during the garbage collection. If such embryo has a peer that\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\ndifferent set of children. Leading to an incorrectly elevated inflight\ncount, and then a dangling pointer within the gc_inflight_list.\r\n\r\nsockets are AF_UNIX/SOCK_STREAM\nS is an unconnected socket\nL is a listening in-flight socket bound to addr, not in fdtable\nV's fd will be passed via sendmsg(), gets inflight count bumped\r\n\r\nconnect(S, addr)\tsendmsg(S, [V]); close(V)\t__unix_gc()\n----------------\t-------------------------\t-----------\r\n\r\nNS = unix_create1()\nskb1 = sock_wmalloc(NS)\nL = unix_find_other(addr)\nunix_state_lock(L)\nunix_peer(S) = NS\n\t\t\t// V count=1 inflight=0\r\n\r\n \t\t\tNS = unix_peer(S)\n \t\t\tskb2 = sock_alloc()\n\t\t\tskb_queue_tail(NS, skb2[V])\r\n\r\n\t\t\t// V became in-flight\n\t\t\t// V count=2 inflight=1\r\n\r\n\t\t\tclose(V)\r\n\r\n\t\t\t// V count=1 inflight=1\n\t\t\t// GC candidate condition met\r\n\r\n\t\t\t\t\t\tfor u in gc_inflight_list:\n\t\t\t\t\t\t  if (total_refs == inflight_refs)\n\t\t\t\t\t\t    add u to gc_candidates\r\n\r\n\t\t\t\t\t\t// gc_candidates={L, V}\r\n\r\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  scan_children(u, dec_inflight)\r\n\r\n\t\t\t\t\t\t// embryo (skb1) was not\n\t\t\t\t\t\t// reachable from L yet, so V's\n\t\t\t\t\t\t// inflight remains unchanged\n__skb_queue_tail(L, skb1)\nunix_state_unlock(L)\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  if (u.inflight)\n\t\t\t\t\t\t    scan_children(u, inc_inflight_move_tail)\r\n\r\n\t\t\t\t\t\t// V count=1 inflight=2 (!)\r\n\r\nIf there is a GC-candidate listening socket, lock/unlock its state. This\nmakes GC wait until the end of any ongoing connect() to that socket. After\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\nthis point, unix_inflight() can not happen because unix_gc_lock is already\ntaken. Inflight graph remains unaffected.(CVE-2024-26923)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbinder: check offset alignment in binder_get_object()\r\n\r\nCommit 6d98eb95b450 (\"binder: avoid potential data leakage when copying\ntxn\") introduced changes to how binder objects are copied. In doing so,\nit unintentionally removed an offset alignment check done through calls\nto binder_alloc_copy_from_buffer() -> check_buffer().\r\n\r\nThese calls were replaced in binder_get_object() with copy_from_user(),\nso now an explicit offset alignment check is needed here. This avoids\nlater complications when unwinding the objects gets harder.\r\n\r\nIt is worth noting this check existed prior to commit 7a67a39320df\n(\"binder: add function to copy binder object from buffer\"), likely\nremoved due to redundancy at the time.(CVE-2024-26926)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: openvswitch: Fix Use-After-Free in ovs_ct_exit\r\n\r\nSince kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof ovs_ct_limit_exit, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\r\n\r\nTo prevent this, it should be changed to hlist_for_each_entry_safe.(CVE-2024-27395)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: gtp: Fix Use-After-Free in gtp_dellink\r\n\r\nSince call_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof gtp_dellink, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\r\n\r\nTo prevent this, it should be changed to hlist_for_each_entry_safe.(CVE-2024-27396)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: Fix use-after-free bugs caused by sco_sock_timeout\r\n\r\nWhen the sco connection is established and then, the sco socket\nis releasing, timeout_work will be scheduled to judge whether\nthe sco disconnection is timeout. The sock will be deallocated\nlater, but it is dereferenced again in sco_sock_timeout. As a\nresult, the use-after-free bugs will happen. The root cause is\nshown below:\r\n\r\n    Cleanup Thread               |      Worker Thread\nsco_sock_release                 |\n  sco_sock_close                 |\n    __sco_sock_close             |\n      sco_sock_set_timer         |\n        schedule_delayed_work    |\n  sco_sock_kill                  |    (wait a time)\n    sock_put(sk) //FREE          |  sco_sock_timeout\n                                 |    sock_hold(sk) //USE\r\n\r\nThe KASAN report triggered by POC is shown below:\r\n\r\n[   95.890016] ==================================================================\n[   95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0\n[   95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7\n...\n[   95.890755] Workqueue: events sco_sock_timeout\n[   95.890755] Call Trace:\n[   95.890755]  <TASK>\n[   95.890755]  dump_stack_lvl+0x45/0x110\n[   95.890755]  print_address_description+0x78/0x390\n[   95.890755]  print_report+0x11b/0x250\n[   95.890755]  ? __virt_addr_valid+0xbe/0xf0\n[   95.890755]  ? sco_sock_timeout+0x5e/0x1c0\n[   95.890755]  kasan_report+0x139/0x170\n[   95.890755]  ? update_load_avg+0xe5/0x9f0\n[   95.890755]  ? sco_sock_timeout+0x5e/0x1c0\n[   95.890755]  kasan_check_range+0x2c3/0x2e0\n[   95.890755]  sco_sock_timeout+0x5e/0x1c0\n[   95.890755]  process_one_work+0x561/0xc50\n[   95.890755]  worker_thread+0xab2/0x13c0\n[   95.890755]  ? pr_cont_work+0x490/0x490\n[   95.890755]  kthread+0x279/0x300\n[   95.890755]  ? pr_cont_work+0x490/0x490\n[   95.890755]  ? kthread_blkcg+0xa0/0xa0\n[   95.890755]  ret_from_fork+0x34/0x60\n[   95.890755]  ? kthread_blkcg+0xa0/0xa0\n[   95.890755]  ret_from_fork_asm+0x11/0x20\n[   95.890755]  </TASK>\n[   95.890755]\n[   95.890755] Allocated by task 506:\n[   95.890755]  kasan_save_track+0x3f/0x70\n[   95.890755]  __kasan_kmalloc+0x86/0x90\n[   95.890755]  __kmalloc+0x17f/0x360\n[   95.890755]  sk_prot_alloc+0xe1/0x1a0\n[   95.890755]  sk_alloc+0x31/0x4e0\n[   95.890755]  bt_sock_alloc+0x2b/0x2a0\n[   95.890755]  sco_sock_create+0xad/0x320\n[   95.890755]  bt_sock_create+0x145/0x320\n[   95.890755]  __sock_create+0x2e1/0x650\n[   95.890755]  __sys_socket+0xd0/0x280\n[   95.890755]  __x64_sys_socket+0x75/0x80\n[   95.890755]  do_syscall_64+0xc4/0x1b0\n[   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[   95.890755]\n[   95.890755] Freed by task 506:\n[   95.890755]  kasan_save_track+0x3f/0x70\n[   95.890755]  kasan_save_free_info+0x40/0x50\n[   95.890755]  poison_slab_object+0x118/0x180\n[   95.890755]  __kasan_slab_free+0x12/0x30\n[   95.890755]  kfree+0xb2/0x240\n[   95.890755]  __sk_destruct+0x317/0x410\n[   95.890755]  sco_sock_release+0x232/0x280\n[   95.890755]  sock_close+0xb2/0x210\n[   95.890755]  __fput+0x37f/0x770\n[   95.890755]  task_work_run+0x1ae/0x210\n[   95.890755]  get_signal+0xe17/0xf70\n[   95.890755]  arch_do_signal_or_restart+0x3f/0x520\n[   95.890755]  syscall_exit_to_user_mode+0x55/0x120\n[   95.890755]  do_syscall_64+0xd1/0x1b0\n[   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[   95.890755]\n[   95.890755] The buggy address belongs to the object at ffff88800c388000\n[   95.890755]  which belongs to the cache kmalloc-1k of size 1024\n[   95.890755] The buggy address is located 128 bytes inside of\n[   95.890755]  freed 1024-byte region [ffff88800c388000, ffff88800c388400)\n[   95.890755]\n[   95.890755] The buggy address belongs to the physical page:\n[   95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388\n[   95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n[   95.890755] ano\n---truncated---(CVE-2024-27398)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: fix information leak in btrfs_ioctl_logical_to_ino()\r\n\r\nSyzbot reported the following information leak for in\nbtrfs_ioctl_logical_to_ino():\r\n\r\n  BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n  BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n   instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n   _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n   copy_to_user include/linux/uaccess.h:191 [inline]\n   btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499\n   btrfs_ioctl+0x714/0x1260\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:904 [inline]\n   __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n   __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n   x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\n  Uninit was created at:\n   __kmalloc_large_node+0x231/0x370 mm/slub.c:3921\n   __do_kmalloc_node mm/slub.c:3954 [inline]\n   __kmalloc_node+0xb07/0x1060 mm/slub.c:3973\n   kmalloc_node include/linux/slab.h:648 [inline]\n   kvmalloc_node+0xc0/0x2d0 mm/util.c:634\n   kvmalloc include/linux/slab.h:766 [inline]\n   init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779\n   btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480\n   btrfs_ioctl+0x714/0x1260\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:904 [inline]\n   __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n   __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n   x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\n  Bytes 40-65535 of 65536 are uninitialized\n  Memory access of size 65536 starts at ffff888045a40000\r\n\r\nThis happens, because we're copying a 'struct btrfs_data_container' back\nto user-space. This btrfs_data_container is allocated in\n'init_data_container()' via kvmalloc(), which does not zero-fill the\nmemory.\r\n\r\nFix this by using kvzalloc() which zeroes out the memory on allocation.(CVE-2024-35849)",
+    "cves": [
+      {
+        "id": "CVE-2024-26825",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26825",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2024-35849",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35849",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1124": {
+    "id": "openEuler-SA-2024-1124",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1124",
+    "title": "An update for squid is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Squid is a high-performance proxy caching server. It handles all requests in a single, non-blocking, I/O-driven process and keeps meta data and implements negative caching of failed requests.\r\n\r\nSecurity Fix(es):\r\n\r\nSquid is a caching proxy for the Web. Due to an expired pointer reference bug, Squid prior to version 6.6 is vulnerable to a Denial of Service attack against Cache Manager error responses. This problem allows a trusted client to perform Denial of Service when generating error pages for Client Manager reports. Squid older than 5.0.5 have not been tested and should be assumed to be vulnerable. All Squid-5.x up to and including 5.9 are vulnerable. All Squid-6.x up to and including 6.5 are vulnerable. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. As a workaround, prevent access to Cache Manager using Squid's main access control: `http_access deny manager`.(CVE-2024-23638)",
+    "cves": [
+      {
+        "id": "CVE-2024-23638",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23638",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1535": {
+    "id": "openEuler-SA-2024-1535",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1535",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2021-47084)\r\n\r\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2021-47085)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()\r\n\r\nHulk Robot reported a panic in put_page_testzero() when testing\nmadvise() with MADV_SOFT_OFFLINE.  The BUG() is triggered when retrying\nget_any_page().  This is because we keep MF_COUNT_INCREASED flag in\nsecond try but the refcnt is not increased.\r\n\r\n    page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0)\n    ------------[ cut here ]------------\n    kernel BUG at include/linux/mm.h:737!\n    invalid opcode: 0000 [#1] PREEMPT SMP\n    CPU: 5 PID: 2135 Comm: sshd Tainted: G    B             5.16.0-rc6-dirty #373\n    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n    RIP: release_pages+0x53f/0x840\n    Call Trace:\n      free_pages_and_swap_cache+0x64/0x80\n      tlb_flush_mmu+0x6f/0x220\n      unmap_page_range+0xe6c/0x12c0\n      unmap_single_vma+0x90/0x170\n      unmap_vmas+0xc4/0x180\n      exit_mmap+0xde/0x3a0\n      mmput+0xa3/0x250\n      do_exit+0x564/0x1470\n      do_group_exit+0x3b/0x100\n      __do_sys_exit_group+0x13/0x20\n      __x64_sys_exit_group+0x16/0x20\n      do_syscall_64+0x34/0x80\n      entry_SYSCALL_64_after_hwframe+0x44/0xae\n    Modules linked in:\n    ---[ end trace e99579b570fe0649 ]---\n    RIP: 0010:release_pages+0x53f/0x840(CVE-2021-47090)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module\r\n\r\nHi,\r\n\r\nWhen testing install and uninstall of ipmi_si.ko and ipmi_msghandler.ko,\nthe system crashed.\r\n\r\nThe log as follows:\n[  141.087026] BUG: unable to handle kernel paging request at ffffffffc09b3a5a\n[  141.087241] PGD 8fe4c0d067 P4D 8fe4c0d067 PUD 8fe4c0f067 PMD 103ad89067 PTE 0\n[  141.087464] Oops: 0010 [#1] SMP NOPTI\n[  141.087580] CPU: 67 PID: 668 Comm: kworker/67:1 Kdump: loaded Not tainted 4.18.0.x86_64 #47\n[  141.088009] Workqueue: events 0xffffffffc09b3a40\n[  141.088009] RIP: 0010:0xffffffffc09b3a5a\n[  141.088009] Code: Bad RIP value.\n[  141.088009] RSP: 0018:ffffb9094e2c3e88 EFLAGS: 00010246\n[  141.088009] RAX: 0000000000000000 RBX: ffff9abfdb1f04a0 RCX: 0000000000000000\n[  141.088009] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246\n[  141.088009] RBP: 0000000000000000 R08: ffff9abfffee3cb8 R09: 00000000000002e1\n[  141.088009] R10: ffffb9094cb73d90 R11: 00000000000f4240 R12: ffff9abfffee8700\n[  141.088009] R13: 0000000000000000 R14: ffff9abfdb1f04a0 R15: ffff9abfdb1f04a8\n[  141.088009] FS:  0000000000000000(0000) GS:ffff9abfffec0000(0000) knlGS:0000000000000000\n[  141.088009] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  141.088009] CR2: ffffffffc09b3a30 CR3: 0000008fe4c0a001 CR4: 00000000007606e0\n[  141.088009] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  141.088009] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  141.088009] PKRU: 55555554\n[  141.088009] Call Trace:\n[  141.088009]  ? process_one_work+0x195/0x390\n[  141.088009]  ? worker_thread+0x30/0x390\n[  141.088009]  ? process_one_work+0x390/0x390\n[  141.088009]  ? kthread+0x10d/0x130\n[  141.088009]  ? kthread_flush_work_fn+0x10/0x10\n[  141.088009]  ? ret_from_fork+0x35/0x40] BUG: unable to handle kernel paging request at ffffffffc0b28a5a\n[  200.223240] PGD 97fe00d067 P4D 97fe00d067 PUD 97fe00f067 PMD a580cbf067 PTE 0\n[  200.223464] Oops: 0010 [#1] SMP NOPTI\n[  200.223579] CPU: 63 PID: 664 Comm: kworker/63:1 Kdump: loaded Not tainted 4.18.0.x86_64 #46\n[  200.224008] Workqueue: events 0xffffffffc0b28a40\n[  200.224008] RIP: 0010:0xffffffffc0b28a5a\n[  200.224008] Code: Bad RIP value.\n[  200.224008] RSP: 0018:ffffbf3c8e2a3e88 EFLAGS: 00010246\n[  200.224008] RAX: 0000000000000000 RBX: ffffa0799ad6bca0 RCX: 0000000000000000\n[  200.224008] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246\n[  200.224008] RBP: 0000000000000000 R08: ffff9fe43fde3cb8 R09: 00000000000000d5\n[  200.224008] R10: ffffbf3c8cb53d90 R11: 00000000000f4240 R12: ffff9fe43fde8700\n[  200.224008] R13: 0000000000000000 R14: ffffa0799ad6bca0 R15: ffffa0799ad6bca8\n[  200.224008] FS:  0000000000000000(0000) GS:ffff9fe43fdc0000(0000) knlGS:0000000000000000\n[  200.224008] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  200.224008] CR2: ffffffffc0b28a30 CR3: 00000097fe00a002 CR4: 00000000007606e0\n[  200.224008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  200.224008] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  200.224008] PKRU: 55555554\n[  200.224008] Call Trace:\n[  200.224008]  ? process_one_work+0x195/0x390\n[  200.224008]  ? worker_thread+0x30/0x390\n[  200.224008]  ? process_one_work+0x390/0x390\n[  200.224008]  ? kthread+0x10d/0x130\n[  200.224008]  ? kthread_flush_work_fn+0x10/0x10\n[  200.224008]  ? ret_from_fork+0x35/0x40\n[  200.224008] kernel fault(0x1) notification starting on CPU 63\n[  200.224008] kernel fault(0x1) notification finished on CPU 63\n[  200.224008] CR2: ffffffffc0b28a5a\n[  200.224008] ---[ end trace c82a412d93f57412 ]---\r\n\r\nThe reason is as follows:\nT1: rmmod ipmi_si.\n    ->ipmi_unregister_smi()\n        -> ipmi_bmc_unregister()\n            -> __ipmi_bmc_unregister()\n                -> kref_put(&bmc->usecount, cleanup_bmc_device);\n                    -> schedule_work(&bmc->remove_work);\r\n\r\nT2: rmmod ipmi_msghandl\n---truncated---(CVE-2021-47100)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: caif: fix memory leak in cfusbl_device_notify\r\n\r\nIn case of caif_enroll_dev() fail, allocated\nlink_support won't be assigned to the corresponding\nstructure. So simply free allocated pointer in case\nof error.(CVE-2021-47121)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: fujitsu: fix potential null-ptr-deref\r\n\r\nIn fmvj18x_get_hwinfo(), if ioremap fails there will be NULL pointer\nderef. To fix this, check the return value of ioremap and return -1\nto the caller in case of failure.(CVE-2021-47149)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: lpfc: Fix link down processing to address NULL pointer dereference\r\n\r\nIf an FC link down transition while PLOGIs are outstanding to fabric well\nknown addresses, outstanding ABTS requests may result in a NULL pointer\ndereference. Driver unload requests may hang with repeated \"2878\" log\nmessages.\r\n\r\nThe Link down processing results in ABTS requests for outstanding ELS\nrequests. The Abort WQEs are sent for the ELSs before the driver had set\nthe link state to down. Thus the driver is sending the Abort with the\nexpectation that an ABTS will be sent on the wire. The Abort request is\nstalled waiting for the link to come up. In some conditions the driver may\nauto-complete the ELSs thus if the link does come up, the Abort completions\nmay reference an invalid structure.\r\n\r\nFix by ensuring that Abort set the flag to avoid link traffic if issued due\nto conditions where the link failed.(CVE-2021-47183)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncfg80211: call cfg80211_stop_ap when switch from P2P_GO type\r\n\r\nIf the userspace tools switch from NL80211_IFTYPE_P2P_GO to\nNL80211_IFTYPE_ADHOC via send_msg(NL80211_CMD_SET_INTERFACE), it\ndoes not call the cleanup cfg80211_stop_ap(), this leads to the\ninitialization of in-use data. For example, this path re-init the\nsdata->assigned_chanctx_list while it is still an element of\nassigned_vifs list, and makes that linked list corrupt.(CVE-2021-47194)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: typec: tipd: Remove WARN_ON in tps6598x_block_read\r\n\r\nCalling tps6598x_block_read with a higher than allowed len can be\nhandled by just returning an error. There's no need to crash systems\nwith panic-on-warn enabled.(CVE-2021-47210)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npstore/ram: Fix crash when setting number of cpus to an odd number\r\n\r\nWhen the number of cpu cores is adjusted to 7 or other odd numbers,\nthe zone size will become an odd number.\nThe address of the zone will become:\n    addr of zone0 = BASE\n    addr of zone1 = BASE + zone_size\n    addr of zone2 = BASE + zone_size*2\n    ...\nThe address of zone1/3/5/7 will be mapped to non-alignment va.\nEventually crashes will occur when accessing these va.\r\n\r\nSo, use ALIGN_DOWN() to make sure the zone size is even\nto avoid this bug.(CVE-2023-52619)\r\n\r\nA race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\r\n\r\n\r\n\r\n\n(CVE-2024-24860)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()\r\n\r\nsyzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken.\r\n\r\nReading frag_off can only be done if we pulled enough bytes\nto skb->head. Currently we might access garbage.\r\n\r\n[1]\nBUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0\nip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0\nipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]\nip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432\n__netdev_start_xmit include/linux/netdevice.h:4940 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4954 [inline]\nxmit_one net/core/dev.c:3548 [inline]\ndev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\nneigh_connected_output+0x569/0x660 net/core/neighbour.c:1592\nneigh_output include/net/neighbour.h:542 [inline]\nip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137\nip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222\nNF_HOOK_COND include/linux/netfilter.h:303 [inline]\nip6_output+0x323/0x610 net/ipv6/ip6_output.c:243\ndst_output include/net/dst.h:451 [inline]\nip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155\nip6_send_skb net/ipv6/ip6_output.c:1952 [inline]\nip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972\nrawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582\nrawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920\ninet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg net/socket.c:745 [inline]\n____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n__sys_sendmsg net/socket.c:2667 [inline]\n__do_sys_sendmsg net/socket.c:2676 [inline]\n__se_sys_sendmsg net/socket.c:2674 [inline]\n__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was created at:\nslab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\nslab_alloc_node mm/slub.c:3478 [inline]\n__kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517\n__do_kmalloc_node mm/slab_common.c:1006 [inline]\n__kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027\nkmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582\npskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098\n__pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655\npskb_may_pull_reason include/linux/skbuff.h:2673 [inline]\npskb_may_pull include/linux/skbuff.h:2681 [inline]\nip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408\nipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]\nip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432\n__netdev_start_xmit include/linux/netdevice.h:4940 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4954 [inline]\nxmit_one net/core/dev.c:3548 [inline]\ndev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\nneigh_connected_output+0x569/0x660 net/core/neighbour.c:1592\nneigh_output include/net/neighbour.h:542 [inline]\nip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137\nip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222\nNF_HOOK_COND include/linux/netfilter.h:303 [inline]\nip6_output+0x323/0x610 net/ipv6/ip6_output.c:243\ndst_output include/net/dst.h:451 [inline]\nip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155\nip6_send_skb net/ipv6/ip6_output.c:1952 [inline]\nip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972\nrawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582\nrawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920\ninet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg net/socket.c:745 [inline]\n____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n__sys_sendmsg net/socket.c:2667 [inline]\n__do_sys_sendms\n---truncated---(CVE-2024-26633)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: don't abort filesystem when attempting to snapshot deleted subvolume\r\n\r\nIf the source file descriptor to the snapshot ioctl refers to a deleted\nsubvolume, we get the following abort:\r\n\r\n  BTRFS: Transaction aborted (error -2)\n  WARNING: CPU: 0 PID: 833 at fs/btrfs/transaction.c:1875 create_pending_snapshot+0x1040/0x1190 [btrfs]\n  Modules linked in: pata_acpi btrfs ata_piix libata scsi_mod virtio_net blake2b_generic xor net_failover virtio_rng failover scsi_common rng_core raid6_pq libcrc32c\n  CPU: 0 PID: 833 Comm: t_snapshot_dele Not tainted 6.7.0-rc6 #2\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014\n  RIP: 0010:create_pending_snapshot+0x1040/0x1190 [btrfs]\n  RSP: 0018:ffffa09c01337af8 EFLAGS: 00010282\n  RAX: 0000000000000000 RBX: ffff9982053e7c78 RCX: 0000000000000027\n  RDX: ffff99827dc20848 RSI: 0000000000000001 RDI: ffff99827dc20840\n  RBP: ffffa09c01337c00 R08: 0000000000000000 R09: ffffa09c01337998\n  R10: 0000000000000003 R11: ffffffffb96da248 R12: fffffffffffffffe\n  R13: ffff99820535bb28 R14: ffff99820b7bd000 R15: ffff99820381ea80\n  FS:  00007fe20aadabc0(0000) GS:ffff99827dc00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000559a120b502f CR3: 00000000055b6000 CR4: 00000000000006f0\n  Call Trace:\n   <TASK>\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   ? __warn+0x81/0x130\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   ? report_bug+0x171/0x1a0\n   ? handle_bug+0x3a/0x70\n   ? exc_invalid_op+0x17/0x70\n   ? asm_exc_invalid_op+0x1a/0x20\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   create_pending_snapshots+0x92/0xc0 [btrfs]\n   btrfs_commit_transaction+0x66b/0xf40 [btrfs]\n   btrfs_mksubvol+0x301/0x4d0 [btrfs]\n   btrfs_mksnapshot+0x80/0xb0 [btrfs]\n   __btrfs_ioctl_snap_create+0x1c2/0x1d0 [btrfs]\n   btrfs_ioctl_snap_create_v2+0xc4/0x150 [btrfs]\n   btrfs_ioctl+0x8a6/0x2650 [btrfs]\n   ? kmem_cache_free+0x22/0x340\n   ? do_sys_openat2+0x97/0xe0\n   __x64_sys_ioctl+0x97/0xd0\n   do_syscall_64+0x46/0xf0\n   entry_SYSCALL_64_after_hwframe+0x6e/0x76\n  RIP: 0033:0x7fe20abe83af\n  RSP: 002b:00007ffe6eff1360 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe20abe83af\n  RDX: 00007ffe6eff23c0 RSI: 0000000050009417 RDI: 0000000000000003\n  RBP: 0000000000000003 R08: 0000000000000000 R09: 00007fe20ad16cd0\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 00007ffe6eff13c0 R14: 00007fe20ad45000 R15: 0000559a120b6d58\n   </TASK>\n  ---[ end trace 0000000000000000 ]---\n  BTRFS: error (device vdc: state A) in create_pending_snapshot:1875: errno=-2 No such entry\n  BTRFS info (device vdc: state EA): forced readonly\n  BTRFS warning (device vdc: state EA): Skipping commit of aborted transaction.\n  BTRFS: error (device vdc: state EA) in cleanup_transaction:2055: errno=-2 No such entry\r\n\r\nThis happens because create_pending_snapshot() initializes the new root\nitem as a copy of the source root item. This includes the refs field,\nwhich is 0 for a deleted subvolume. The call to btrfs_insert_root()\ntherefore inserts a root with refs == 0. btrfs_get_new_fs_root() then\nfinds the root and returns -ENOENT if refs == 0, which causes\ncreate_pending_snapshot() to abort.\r\n\r\nFix it by checking the source root's refs before attempting the\nsnapshot, but after locking subvol_sem to avoid racing with deletion.(CVE-2024-26644)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nARM: ep93xx: Add terminator to gpiod_lookup_table\r\n\r\nWithout the terminator, if a con_id is passed to gpio_find() that\ndoes not exist in the lookup table the function will not stop looping\ncorrectly, and eventually cause an oops.(CVE-2024-26751)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio\r\n\r\nIf kiocb_set_cancel_fn() is called for I/O submitted via io_uring, the\nfollowing kernel warning appears:\r\n\r\nWARNING: CPU: 3 PID: 368 at fs/aio.c:598 kiocb_set_cancel_fn+0x9c/0xa8\nCall trace:\n kiocb_set_cancel_fn+0x9c/0xa8\n ffs_epfile_read_iter+0x144/0x1d0\n io_read+0x19c/0x498\n io_issue_sqe+0x118/0x27c\n io_submit_sqes+0x25c/0x5fc\n __arm64_sys_io_uring_enter+0x104/0xab0\n invoke_syscall+0x58/0x11c\n el0_svc_common+0xb4/0xf4\n do_el0_svc+0x2c/0xb0\n el0_svc+0x2c/0xa4\n el0t_64_sync_handler+0x68/0xb4\n el0t_64_sync+0x1a4/0x1a8\r\n\r\nFix this by setting the IOCB_AIO_RW flag for read and write I/O that is\nsubmitted by libaio.(CVE-2024-26764)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\next4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()\r\n\r\nPlaces the logic for checking if the group's block bitmap is corrupt under\nthe protection of the group lock to avoid allocating blocks from the group\nwith a corrupted block bitmap.(CVE-2024-26772)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\next4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()\r\n\r\nDetermine if the group block bitmap is corrupted before using ac_b_ex in\next4_mb_try_best_found() to avoid allocating blocks from a group with a\ncorrupted block bitmap in the following concurrency and making the\nsituation worse.\r\n\r\next4_mb_regular_allocator\n  ext4_lock_group(sb, group)\n  ext4_mb_good_group\n   // check if the group bbitmap is corrupted\n  ext4_mb_complex_scan_group\n   // Scan group gets ac_b_ex but doesn't use it\n  ext4_unlock_group(sb, group)\n                           ext4_mark_group_bitmap_corrupted(group)\n                           // The block bitmap was corrupted during\n                           // the group unlock gap.\n  ext4_mb_try_best_found\n    ext4_lock_group(ac->ac_sb, group)\n    ext4_mb_use_best_found\n      mb_mark_used\n      // Allocating blocks in block bitmap corrupted group(CVE-2024-26773)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfbdev: sis: Error out if pixclock equals zero\r\n\r\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn't check the value of pixclock,\nit may cause divide-by-zero error.\r\n\r\nIn sisfb_check_var(), var->pixclock is used as a divisor to caculate\ndrate before it is checked against zero. Fix this by checking it\nat the beginning.\r\n\r\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8.(CVE-2024-26777)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfbdev: savage: Error out if pixclock equals zero\r\n\r\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn't check the value of pixclock,\nit may cause divide-by-zero error.\r\n\r\nAlthough pixclock is checked in savagefb_decode_var(), but it is not\nchecked properly in savagefb_probe(). Fix this by checking whether\npixclock is zero in the function savagefb_check_var() before\ninfo->var.pixclock is used as the divisor.\r\n\r\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8.(CVE-2024-26778)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/pci: Lock external INTx masking ops\r\n\r\nMask operations through config space changes to DisINTx may race INTx\nconfiguration changes via ioctl.  Create wrappers that add locking for\npaths outside of the core interrupt code.\r\n\r\nIn particular, irq_type is updated holding igate, therefore testing\nis_intx() requires holding igate.  For example clearing DisINTx from\nconfig space can otherwise race changes of the interrupt configuration.\r\n\r\nThis aligns interfaces which may trigger the INTx eventfd into two\ncamps, one side serialized by igate and the other only enabled while\nINTx is configured.  A subsequent patch introduces synchronization for\nthe latter flows.(CVE-2024-26810)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Fix hashtab overflow check on 32-bit arches\r\n\r\nThe hashtab code relies on roundup_pow_of_two() to compute the number of\nhash buckets, and contains an overflow check by checking if the\nresulting value is 0. However, on 32-bit arches, the roundup code itself\ncan overflow by doing a 32-bit left-shift of an unsigned long value,\nwhich is undefined behaviour, so it is not guaranteed to truncate\nneatly. This was triggered by syzbot on the DEVMAP_HASH type, which\ncontains the same check, copied from the hashtab code. So apply the same\nfix to hashtab, by moving the overflow check to before the roundup.(CVE-2024-26884)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\naoe: fix the potential use-after-free problem in aoecmd_cfg_pkts\r\n\r\nThis patch is against CVE-2023-6270. The description of cve is:\r\n\r\n  A flaw was found in the ATA over Ethernet (AoE) driver in the Linux\n  kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on\n  `struct net_device`, and a use-after-free can be triggered by racing\n  between the free on the struct and the access through the `skbtxq`\n  global queue. This could lead to a denial of service condition or\n  potential code execution.\r\n\r\nIn aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial\ncode is finished. But the net_device ifp will still be used in\nlater tx()->dev_queue_xmit() in kthread. Which means that the\ndev_put(ifp) should NOT be called in the success path of skb\ninitial code in aoecmd_cfg_pkts(). Otherwise tx() may run into\nuse-after-free because the net_device is freed.\r\n\r\nThis patch removed the dev_put(ifp) in the success path in\naoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().(CVE-2024-26898)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/pci: Disable auto-enable of exclusive INTx IRQ\r\n\r\nCurrently for devices requiring masking at the irqchip for INTx, ie.\ndevices without DisINTx support, the IRQ is enabled in request_irq()\nand subsequently disabled as necessary to align with the masked status\nflag.  This presents a window where the interrupt could fire between\nthese events, resulting in the IRQ incrementing the disable depth twice.\nThis would be unrecoverable for a user since the masked flag prevents\nnested enables through vfio.\r\n\r\nInstead, invert the logic using IRQF_NO_AUTOEN such that exclusive INTx\nis never auto-enabled, then unmask as required.(CVE-2024-27437)",
+    "cves": [
+      {
+        "id": "CVE-2021-47210",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47210",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2024-27437",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27437",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1509": {
+    "id": "openEuler-SA-2023-1509",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1509",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nA flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service.(CVE-2023-3772)",
+    "cves": [
+      {
+        "id": "CVE-2023-3772",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3772",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1073": {
+    "id": "openEuler-SA-2021-1073",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1073",
+    "title": "An update for resteasy is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "RESTEasy contains a JBoss project that provides frameworks to help build RESTful Web Services and RESTful Java applications. It is a fully certified and portable implementation of the JAX-RS specification.\r\n\r\nSecurity Fix(es):\r\n\r\n(CVE-2016-9606)",
+    "cves": [
+      {
+        "id": "CVE-2016-9606",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9606",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1232": {
+    "id": "openEuler-SA-2024-1232",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1232",
+    "title": "An update for xerces-c is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Xerces-C is a validating XML parser written in a portable subset of C++. Xerces-C makes it easy to give your application the ability to read and write XML data. A shared library is provided for parsing, generating, manipulating, and validating XML documents. Xerces-C is faithful to the XML 1.0 recommendation and associated standards ( DOM 1.0, DOM 2.0. SAX 1.0, SAX 2.0, Namespaces).\r\n\r\nSecurity Fix(es):\r\n\r\nThe Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.(CVE-2018-1311)",
+    "cves": [
+      {
+        "id": "CVE-2018-1311",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1311",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2004": {
+    "id": "openEuler-SA-2022-2004",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2004",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The Go Programming Language\r\n\r\nSecurity Fix(es):\r\n\r\nReader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.(CVE-2022-2879)\r\n\r\nRequests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.(CVE-2022-2880)\r\n\r\nPrograms which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.(CVE-2022-41715)",
+    "cves": [
+      {
+        "id": "CVE-2022-41715",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41715",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1301": {
+    "id": "openEuler-SA-2024-1301",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1301",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: fix deadlock when cloning inline extents and using qgroups\r\n\r\nThere are a few exceptional cases where cloning an inline extent needs to\ncopy the inline extent data into a page of the destination inode.\r\n\r\nWhen this happens, we end up starting a transaction while having a dirty\npage for the destination inode and while having the range locked in the\ndestination's inode iotree too. Because when reserving metadata space\nfor a transaction we may need to flush existing delalloc in case there is\nnot enough free space, we have a mechanism in place to prevent a deadlock,\nwhich was introduced in commit 3d45f221ce627d (\"btrfs: fix deadlock when\ncloning inline extent and low on free metadata space\").\r\n\r\nHowever when using qgroups, a transaction also reserves metadata qgroup\nspace, which can also result in flushing delalloc in case there is not\nenough available space at the moment. When this happens we deadlock, since\nflushing delalloc requires locking the file range in the inode's iotree\nand the range was already locked at the very beginning of the clone\noperation, before attempting to start the transaction.\r\n\r\nWhen this issue happens, stack traces like the following are reported:\r\n\r\n  [72747.556262] task:kworker/u81:9   state:D stack:    0 pid:  225 ppid:     2 flags:0x00004000\n  [72747.556268] Workqueue: writeback wb_workfn (flush-btrfs-1142)\n  [72747.556271] Call Trace:\n  [72747.556273]  __schedule+0x296/0x760\n  [72747.556277]  schedule+0x3c/0xa0\n  [72747.556279]  io_schedule+0x12/0x40\n  [72747.556284]  __lock_page+0x13c/0x280\n  [72747.556287]  ? generic_file_readonly_mmap+0x70/0x70\n  [72747.556325]  extent_write_cache_pages+0x22a/0x440 [btrfs]\n  [72747.556331]  ? __set_page_dirty_nobuffers+0xe7/0x160\n  [72747.556358]  ? set_extent_buffer_dirty+0x5e/0x80 [btrfs]\n  [72747.556362]  ? update_group_capacity+0x25/0x210\n  [72747.556366]  ? cpumask_next_and+0x1a/0x20\n  [72747.556391]  extent_writepages+0x44/0xa0 [btrfs]\n  [72747.556394]  do_writepages+0x41/0xd0\n  [72747.556398]  __writeback_single_inode+0x39/0x2a0\n  [72747.556403]  writeback_sb_inodes+0x1ea/0x440\n  [72747.556407]  __writeback_inodes_wb+0x5f/0xc0\n  [72747.556410]  wb_writeback+0x235/0x2b0\n  [72747.556414]  ? get_nr_inodes+0x35/0x50\n  [72747.556417]  wb_workfn+0x354/0x490\n  [72747.556420]  ? newidle_balance+0x2c5/0x3e0\n  [72747.556424]  process_one_work+0x1aa/0x340\n  [72747.556426]  worker_thread+0x30/0x390\n  [72747.556429]  ? create_worker+0x1a0/0x1a0\n  [72747.556432]  kthread+0x116/0x130\n  [72747.556435]  ? kthread_park+0x80/0x80\n  [72747.556438]  ret_from_fork+0x1f/0x30\r\n\r\n  [72747.566958] Workqueue: btrfs-flush_delalloc btrfs_work_helper [btrfs]\n  [72747.566961] Call Trace:\n  [72747.566964]  __schedule+0x296/0x760\n  [72747.566968]  ? finish_wait+0x80/0x80\n  [72747.566970]  schedule+0x3c/0xa0\n  [72747.566995]  wait_extent_bit.constprop.68+0x13b/0x1c0 [btrfs]\n  [72747.566999]  ? finish_wait+0x80/0x80\n  [72747.567024]  lock_extent_bits+0x37/0x90 [btrfs]\n  [72747.567047]  btrfs_invalidatepage+0x299/0x2c0 [btrfs]\n  [72747.567051]  ? find_get_pages_range_tag+0x2cd/0x380\n  [72747.567076]  __extent_writepage+0x203/0x320 [btrfs]\n  [72747.567102]  extent_write_cache_pages+0x2bb/0x440 [btrfs]\n  [72747.567106]  ? update_load_avg+0x7e/0x5f0\n  [72747.567109]  ? enqueue_entity+0xf4/0x6f0\n  [72747.567134]  extent_writepages+0x44/0xa0 [btrfs]\n  [72747.567137]  ? enqueue_task_fair+0x93/0x6f0\n  [72747.567140]  do_writepages+0x41/0xd0\n  [72747.567144]  __filemap_fdatawrite_range+0xc7/0x100\n  [72747.567167]  btrfs_run_delalloc_work+0x17/0x40 [btrfs]\n  [72747.567195]  btrfs_work_helper+0xc2/0x300 [btrfs]\n  [72747.567200]  process_one_work+0x1aa/0x340\n  [72747.567202]  worker_thread+0x30/0x390\n  [72747.567205]  ? create_worker+0x1a0/0x1a0\n  [72747.567208]  kthread+0x116/0x130\n  [72747.567211]  ? kthread_park+0x80/0x80\n  [72747.567214]  ret_from_fork+0x1f/0x30\r\n\r\n  [72747.569686] task:fsstress        state:D stack:    \n---truncated---(CVE-2021-46987)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Defer the free of inner map when necessary\r\n\r\nWhen updating or deleting an inner map in map array or map htab, the map\nmay still be accessed by non-sleepable program or sleepable program.\nHowever bpf_map_fd_put_ptr() decreases the ref-counter of the inner map\ndirectly through bpf_map_put(), if the ref-counter is the last one\n(which is true for most cases), the inner map will be freed by\nops->map_free() in a kworker. But for now, most .map_free() callbacks\ndon't use synchronize_rcu() or its variants to wait for the elapse of a\nRCU grace period, so after the invocation of ops->map_free completes,\nthe bpf program which is accessing the inner map may incur\nuse-after-free problem.\r\n\r\nFix the free of inner map by invoking bpf_map_free_deferred() after both\none RCU grace period and one tasks trace RCU grace period if the inner\nmap has been removed from the outer map before. The deferment is\naccomplished by using call_rcu() or call_rcu_tasks_trace() when\nreleasing the last ref-counter of bpf map. The newly-added rcu_head\nfield in bpf_map shares the same storage space with work field to\nreduce the size of bpf_map.(CVE-2023-52447)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump\r\n\r\nSyzkaller has reported a NULL pointer dereference when accessing\nrgd->rd_rgl in gfs2_rgrp_dump().  This can happen when creating\nrgd->rd_gl fails in read_rindex_entry().  Add a NULL pointer check in\ngfs2_rgrp_dump() to prevent that.(CVE-2023-52448)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmtd: Fix gluebi NULL pointer dereference caused by ftl notifier\r\n\r\nIf both ftl.ko and gluebi.ko are loaded, the notifier of ftl\ntriggers NULL pointer dereference when trying to access\n‘gluebi->desc’ in gluebi_read().\r\n\r\nubi_gluebi_init\n  ubi_register_volume_notifier\n    ubi_enumerate_volumes\n      ubi_notify_all\n        gluebi_notify    nb->notifier_call()\n          gluebi_create\n            mtd_device_register\n              mtd_device_parse_register\n                add_mtd_device\n                  blktrans_notify_add   not->add()\n                    ftl_add_mtd         tr->add_mtd()\n                      scan_header\n                        mtd_read\n                          mtd_read_oob\n                            mtd_read_oob_std\n                              gluebi_read   mtd->read()\n                                gluebi->desc - NULL\r\n\r\nDetailed reproduction information available at the Link [1],\r\n\r\nIn the normal case, obtain gluebi->desc in the gluebi_get_device(),\nand access gluebi->desc in the gluebi_read(). However,\ngluebi_get_device() is not executed in advance in the\nftl_add_mtd() process, which leads to NULL pointer dereference.\r\n\r\nThe solution for the gluebi module is to run jffs2 on the UBI\nvolume without considering working with ftl or mtdblock [2].\nTherefore, this problem can be avoided by preventing gluebi from\ncreating the mtdblock device after creating mtd partition of the\ntype MTD_UBIVOLUME.(CVE-2023-52449)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Fix accesses to uninit stack slots\r\n\r\nPrivileged programs are supposed to be able to read uninitialized stack\nmemory (ever since 6715df8d5) but, before this patch, these accesses\nwere permitted inconsistently. In particular, accesses were permitted\nabove state->allocated_stack, but not below it. In other words, if the\nstack was already \"large enough\", the access was permitted, but\notherwise the access was rejected instead of being allowed to \"grow the\nstack\". This undesired rejection was happening in two places:\n- in check_stack_slot_within_bounds()\n- in check_stack_range_initialized()\nThis patch arranges for these accesses to be permitted. A bunch of tests\nthat were relying on the old rejection had to change; all of them were\nchanged to add also run unprivileged, in which case the old behavior\npersists. One tests couldn't be updated - global_func16 - because it\ncan't run unprivileged for other reasons.\r\n\r\nThis patch also fixes the tracking of the stack size for variable-offset\nreads. This second fix is bundled in the same commit as the first one\nbecause they're inter-related. Before this patch, writes to the stack\nusing registers containing a variable offset (as opposed to registers\nwith fixed, known values) were not properly contributing to the\nfunction's needed stack size. As a result, it was possible for a program\nto verify, but then to attempt to read out-of-bounds data at runtime\nbecause a too small stack had been allocated for it.\r\n\r\nEach function tracks the size of the stack it needs in\nbpf_subprog_info.stack_depth, which is maintained by\nupdate_stack_depth(). For regular memory accesses, check_mem_access()\nwas calling update_state_depth() but it was passing in only the fixed\npart of the offset register, ignoring the variable offset. This was\nincorrect; the minimum possible value of that register should be used\ninstead.\r\n\r\nThis tracking is now fixed by centralizing the tracking of stack size in\ngrow_stack_state(), and by lifting the calls to grow_stack_state() to\ncheck_stack_access_within_bounds() as suggested by Andrii. The code is\nnow simpler and more convincingly tracks the correct maximum stack size.\ncheck_stack_range_initialized() can now rely on enough stack having been\nallocated for the access; this helps with the fix for the first issue.\r\n\r\nA few tests were changed to also check the stack depth computation. The\none that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.(CVE-2023-52452)",
+    "cves": [
+      {
+        "id": "CVE-2023-52452",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52452",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1822": {
+    "id": "openEuler-SA-2024-1822",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1822",
+    "title": "An update for rubygem-rack is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Rack provides a minimal, modular, and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers,  web frameworks, and software in between (the so-called middleware) into  a single method call.\r\n\r\nSecurity Fix(es):\r\n\r\nA denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.(CVE-2022-44572)\r\n\r\nRack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.(CVE-2024-26141)",
+    "cves": [
+      {
+        "id": "CVE-2024-26141",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26141",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1279": {
+    "id": "openEuler-SA-2024-1279",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1279",
+    "title": "An update for gala-gopher is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "gala-gopher is a low-overhead eBPF-based probes framework\r\n\r\nSecurity Fix(es):\r\n\r\ngala-gopher 1.0.2组件中存在命令注入攻击漏洞(CVE-2024-24890)",
+    "cves": [
+      {
+        "id": "CVE-2024-24890",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24890",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1719": {
+    "id": "openEuler-SA-2024-1719",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1719",
+    "title": "An update for python-PyMySQL is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3 and openEuler-24.03-LTS",
+    "severity": "High",
+    "description": "This package contains a pure-Python MySQL client library, based on PEP 249. Most public APIs are compatible with mysqlclient and MySQLdb.\r\n\r\nSecurity Fix(es):\r\n\r\nPyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escape_dict.(CVE-2024-36039)",
+    "cves": [
+      {
+        "id": "CVE-2024-36039",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36039",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1786": {
+    "id": "openEuler-SA-2023-1786",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1786",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. A wrong exit condition may lead to an infinite loop when inflating an attacker controlled zlib buffer in the `inflate_buffer` function. This could allow a remote authenticated client who is able to send a clipboard to the VNC server to trigger a denial of service.(CVE-2023-3255)",
+    "cves": [
+      {
+        "id": "CVE-2023-3255",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3255",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1217": {
+    "id": "openEuler-SA-2023-1217",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1217",
+    "title": "An update for runc is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "runc is a CLI tool for spawning and running containers according to the OCI specification.\r\n\r\nSecurity Fix(es):\r\n\r\nrunc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image.(CVE-2023-28642)",
+    "cves": [
+      {
+        "id": "CVE-2023-28642",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28642",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1188": {
+    "id": "openEuler-SA-2021-1188",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1188",
+    "title": "An update for gnome-autoar is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Automatic archives creating and extracting library.\r\n\r\nSecurity Fix(es):\r\n\r\nautoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-36241.(CVE-2021-28650)",
+    "cves": [
+      {
+        "id": "CVE-2021-28650",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28650",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1724": {
+    "id": "openEuler-SA-2022-1724",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1724",
+    "title": "An update for logrotate is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The logrotate utility is designed to simplify the administration of log files on a system which generates a lot of log files.  Logrotate allows for the automatic rotation compression, removal and mailing of log files.logrotate  Logrotate can be set to handle a log file daily, weekly, monthly or when the log file gets to a certain size.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. This flaw affects logrotate versions before 3.20.0.(CVE-2022-1348)",
+    "cves": [
+      {
+        "id": "CVE-2022-1348",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1348",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1756": {
+    "id": "openEuler-SA-2024-1756",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1756",
+    "title": "An update for wget is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3 and openEuler-24.03-LTS",
+    "severity": "Medium",
+    "description": "GNU Wget is a free software package for retrieving files using HTTP, HTTPS, FTP and FTPS the most widely-used Internet protocols. It is a non-interactive commandline tool, so it may easily be called from scripts, cron jobs, terminals without X-Windows support, etc.\r\n\r\nSecurity Fix(es):\r\n\r\nurl.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.(CVE-2024-38428)",
+    "cves": [
+      {
+        "id": "CVE-2024-38428",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38428",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1570": {
+    "id": "openEuler-SA-2022-1570",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1570",
+    "title": "An update for virglrenderer is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The virgil3d rendering library is a library used by qemu to implement 3D GPU support for the virtio GPU.\r\n\r\nSecurity Fix(es):\r\n\r\nA NULL pointer dereference in vrend_renderer.c in virglrenderer through 0.8.1 allows attackers to cause a denial of service via commands that attempt to launch a grid without previously providing a Compute Shader (CS).(CVE-2020-8002)\r\n\r\nA double-free vulnerability in vrend_renderer.c in virglrenderer through 0.8.1 allows attackers to cause a denial of service by triggering texture allocation failure, because vrend_renderer_resource_allocated_texture is not an appropriate place for a free.(CVE-2020-8003)",
+    "cves": [
+      {
+        "id": "CVE-2020-8003",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8003",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1843": {
+    "id": "openEuler-SA-2024-1843",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1843",
+    "title": "An update for glibc is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt,  login, exit and more.\r\n\r\nSecurity Fix(es):\r\n\r\nThe iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.\n(CVE-2024-2961)",
+    "cves": [
+      {
+        "id": "CVE-2024-2961",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2961",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1132": {
+    "id": "openEuler-SA-2023-1132",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1132",
+    "title": "An update for rubygem-activerecord is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Implements the ActiveRecord pattern (Fowler, PoEAA) for ORM. It ties database tables and classes together for business objects, like Customer or Subscription, that can find, save, and destroy themselves without resorting to manual SQL.\r\n\r\nSecurity Fix(es):\r\n\r\nA denial of service vulnerability present in ActiveRecord's PostgreSQL adapter <7.0.4.1 and <6.1.7.1. When a value outside the range for a 64bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan resulting in potential Denial of Service.(CVE-2022-44566)\r\n\r\nA vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the `annotate` query method, the `optimizer_hints` query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database withinsufficient sanitization and be able to inject SQL outside of the comment.(CVE-2023-22794)",
+    "cves": [
+      {
+        "id": "CVE-2023-22794",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22794",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1430": {
+    "id": "openEuler-SA-2024-1430",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1430",
+    "title": "An update for wireshark is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Wireshark is an open source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer.\r\n\r\nSecurity Fix(es):\r\n\r\nDue to failure in validating the length provided by an attacker-crafted RTPS packet, Wireshark version 4.0.5 and prior, by default, is susceptible to a heap-based buffer overflow, and possibly code execution in the context of the process running Wireshark.(CVE-2023-0666)",
+    "cves": [
+      {
+        "id": "CVE-2023-0666",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0666",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1011": {
+    "id": "openEuler-SA-2023-1011",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1011",
+    "title": "An update for openjdk-11 is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS). Supported versions that are affected are Oracle Java SE: 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21618)",
+    "cves": [
+      {
+        "id": "CVE-2022-21618",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21618",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1511": {
+    "id": "openEuler-SA-2023-1511",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1511",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nA flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service.(CVE-2023-3772)\n\nA use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel. This flaw allows a local user with special privileges to impact a kernel information leak issue.(CVE-2023-3863)\n\nA use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This flaw allows a local user to crash the system, causing a denial of service condition.(CVE-2023-4133)\n\nA use-after-free flaw was found in the Linux kernel’s Netfilter functionality when adding a rule with NFTA_RULE_CHAIN_ID. This flaw allows a local user to crash or escalate their privileges on the system.(CVE-2023-4147)",
+    "cves": [
+      {
+        "id": "CVE-2023-4147",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4147",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1319": {
+    "id": "openEuler-SA-2024-1319",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1319",
+    "title": "An update for edk2 is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications.\r\n\r\nSecurity Fix(es):\r\n\r\n\nEDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability.\r\n\r\n(CVE-2022-36764)\r\n\r\n EDK2's Network Package is susceptible to a buffer overflow vulnerability via a long server ID option in DHCPv6 client. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Confidentiality, Integrity and/or Availability.\r\n\r\n(CVE-2023-45230)\r\n\r\n EDK2's Network Package is susceptible to an infinite loop vulnerability when parsing unknown options in the Destination Options header of IPv6. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Availability.\r\n\r\n(CVE-2023-45232)\r\n\r\n EDK2's Network Package is susceptible to an infinite lop vulnerability when parsing a PadN option in the Destination Options header of IPv6. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Availability.\r\n\r\n(CVE-2023-45233)\r\n\r\n EDK2's Network Package is susceptible to a buffer overflow vulnerability when\r\n\r\n\r\n\r\n\r\n\r\nhandling Server ID option \r\n\r\n\r\n\r\n from a DHCPv6 proxy Advertise message. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Confidentiality, Integrity and/or Availability.\r\n\r\n(CVE-2023-45235)",
+    "cves": [
+      {
+        "id": "CVE-2023-45235",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45235",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1441": {
+    "id": "openEuler-SA-2023-1441",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1441",
+    "title": "An update for cjose is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Implementation of JOSE for C/C++\n\nSecurity Fix(es):\n\nOpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec  says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. Users should upgrade to a version >= 0.6.2.2. Users unable to upgrade should avoid using AES GCM encryption and replace it with another encryption algorithm (e.g. AES CBC).(CVE-2023-37464)",
+    "cves": [
+      {
+        "id": "CVE-2023-37464",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37464",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1062": {
+    "id": "openEuler-SA-2023-1062",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1062",
+    "title": "An update for opusfile is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The opusfile library provides seeking, decode, and playback of Opus streams in the Ogg container (.opus files) including over http(s) on posix and windows systems. opusfile depends on libopus and libogg.The included opusurl library for http(s) access depends on opusfile and openssl.\r\n\r\nSecurity Fix(es):\r\n\r\nA null pointer dereference issue was discovered in functions op_get_data and op_open1 in opusfile.c in xiph opusfile 0.9 thru 0.12 allows attackers to cause denial of service or other unspecified impacts.(CVE-2022-47021)",
+    "cves": [
+      {
+        "id": "CVE-2022-47021",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47021",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1795": {
+    "id": "openEuler-SA-2024-1795",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1795",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP4",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs\r\n\r\nIt is observed sometimes when tethering is used over NCM with Windows 11\nas host, at some instances, the gadget_giveback has one byte appended at\nthe end of a proper NTB. When the NTB is parsed, unwrap call looks for\nany leftover bytes in SKB provided by u_ether and if there are any pending\nbytes, it treats them as a separate NTB and parses it. But in case the\nsecond NTB (as per unwrap call) is faulty/corrupt, all the datagrams that\nwere parsed properly in the first NTB and saved in rx_list are dropped.\r\n\r\nAdding a few custom traces showed the following:\n[002] d..1  7828.532866: dwc3_gadget_giveback: ep1out:\nreq 000000003868811a length 1025/16384 zsI ==> 0\n[002] d..1  7828.532867: ncm_unwrap_ntb: K: ncm_unwrap_ntb toprocess: 1025\n[002] d..1  7828.532867: ncm_unwrap_ntb: K: ncm_unwrap_ntb nth: 1751999342\n[002] d..1  7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb seq: 0xce67\n[002] d..1  7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb blk_len: 0x400\n[002] d..1  7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb ndp_len: 0x10\n[002] d..1  7828.532869: ncm_unwrap_ntb: K: Parsed NTB with 1 frames\r\n\r\nIn this case, the giveback is of 1025 bytes and block length is 1024.\nThe rest 1 byte (which is 0x00) won't be parsed resulting in drop of\nall datagrams in rx_list.\r\n\r\nSame is case with packets of size 2048:\n[002] d..1  7828.557948: dwc3_gadget_giveback: ep1out:\nreq 0000000011dfd96e length 2049/16384 zsI ==> 0\n[002] d..1  7828.557949: ncm_unwrap_ntb: K: ncm_unwrap_ntb nth: 1751999342\n[002] d..1  7828.557950: ncm_unwrap_ntb: K: ncm_unwrap_ntb blk_len: 0x800\r\n\r\nLecroy shows one byte coming in extra confirming that the byte is coming\nin from PC:\r\n\r\n Transfer 2959 - Bytes Transferred(1025)  Timestamp((18.524 843 590)\n - Transaction 8391 - Data(1025 bytes) Timestamp(18.524 843 590)\n --- Packet 4063861\n       Data(1024 bytes)\n       Duration(2.117us) Idle(14.700ns) Timestamp(18.524 843 590)\n --- Packet 4063863\n       Data(1 byte)\n       Duration(66.160ns) Time(282.000ns) Timestamp(18.524 845 722)\r\n\r\nAccording to Windows driver, no ZLP is needed if wBlockLength is non-zero,\nbecause the non-zero wBlockLength has already told the function side the\nsize of transfer to be expected. However, there are in-market NCM devices\nthat rely on ZLP as long as the wBlockLength is multiple of wMaxPacketSize.\nTo deal with such devices, it pads an extra 0 at end so the transfer is no\nlonger multiple of wMaxPacketSize.(CVE-2024-27405)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: flush pending destroy work before exit_net release\r\n\r\nSimilar to 2c9f0293280e (\"netfilter: nf_tables: flush pending destroy\nwork before netlink notifier\") to address a race between exit_net and\nthe destroy workqueue.\r\n\r\nThe trace below shows an element to be released via destroy workqueue\nwhile exit_net path (triggered via module removal) has already released\nthe set that is used in such transaction.\r\n\r\n[ 1360.547789] BUG: KASAN: slab-use-after-free in nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.547861] Read of size 8 at addr ffff888140500cc0 by task kworker/4:1/152465\n[ 1360.547870] CPU: 4 PID: 152465 Comm: kworker/4:1 Not tainted 6.8.0+ #359\n[ 1360.547882] Workqueue: events nf_tables_trans_destroy_work [nf_tables]\n[ 1360.547984] Call Trace:\n[ 1360.547991]  <TASK>\n[ 1360.547998]  dump_stack_lvl+0x53/0x70\n[ 1360.548014]  print_report+0xc4/0x610\n[ 1360.548026]  ? __virt_addr_valid+0xba/0x160\n[ 1360.548040]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[ 1360.548054]  ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548176]  kasan_report+0xae/0xe0\n[ 1360.548189]  ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548312]  nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548447]  ? __pfx_nf_tables_trans_destroy_work+0x10/0x10 [nf_tables]\n[ 1360.548577]  ? _raw_spin_unlock_irq+0x18/0x30\n[ 1360.548591]  process_one_work+0x2f1/0x670\n[ 1360.548610]  worker_thread+0x4d3/0x760\n[ 1360.548627]  ? __pfx_worker_thread+0x10/0x10\n[ 1360.548640]  kthread+0x16b/0x1b0\n[ 1360.548653]  ? __pfx_kthread+0x10/0x10\n[ 1360.548665]  ret_from_fork+0x2f/0x50\n[ 1360.548679]  ? __pfx_kthread+0x10/0x10\n[ 1360.548690]  ret_from_fork_asm+0x1a/0x30\n[ 1360.548707]  </TASK>\r\n\r\n[ 1360.548719] Allocated by task 192061:\n[ 1360.548726]  kasan_save_stack+0x20/0x40\n[ 1360.548739]  kasan_save_track+0x14/0x30\n[ 1360.548750]  __kasan_kmalloc+0x8f/0xa0\n[ 1360.548760]  __kmalloc_node+0x1f1/0x450\n[ 1360.548771]  nf_tables_newset+0x10c7/0x1b50 [nf_tables]\n[ 1360.548883]  nfnetlink_rcv_batch+0xbc4/0xdc0 [nfnetlink]\n[ 1360.548909]  nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink]\n[ 1360.548927]  netlink_unicast+0x367/0x4f0\n[ 1360.548935]  netlink_sendmsg+0x34b/0x610\n[ 1360.548944]  ____sys_sendmsg+0x4d4/0x510\n[ 1360.548953]  ___sys_sendmsg+0xc9/0x120\n[ 1360.548961]  __sys_sendmsg+0xbe/0x140\n[ 1360.548971]  do_syscall_64+0x55/0x120\n[ 1360.548982]  entry_SYSCALL_64_after_hwframe+0x55/0x5d\r\n\r\n[ 1360.548994] Freed by task 192222:\n[ 1360.548999]  kasan_save_stack+0x20/0x40\n[ 1360.549009]  kasan_save_track+0x14/0x30\n[ 1360.549019]  kasan_save_free_info+0x3b/0x60\n[ 1360.549028]  poison_slab_object+0x100/0x180\n[ 1360.549036]  __kasan_slab_free+0x14/0x30\n[ 1360.549042]  kfree+0xb6/0x260\n[ 1360.549049]  __nft_release_table+0x473/0x6a0 [nf_tables]\n[ 1360.549131]  nf_tables_exit_net+0x170/0x240 [nf_tables]\n[ 1360.549221]  ops_exit_list+0x50/0xa0\n[ 1360.549229]  free_exit_list+0x101/0x140\n[ 1360.549236]  unregister_pernet_operations+0x107/0x160\n[ 1360.549245]  unregister_pernet_subsys+0x1c/0x30\n[ 1360.549254]  nf_tables_module_exit+0x43/0x80 [nf_tables]\n[ 1360.549345]  __do_sys_delete_module+0x253/0x370\n[ 1360.549352]  do_syscall_64+0x55/0x120\n[ 1360.549360]  entry_SYSCALL_64_after_hwframe+0x55/0x5d\r\n\r\n(gdb) list *__nft_release_table+0x473\n0x1e033 is in __nft_release_table (net/netfilter/nf_tables_api.c:11354).\n11349           list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {\n11350                   list_del(&flowtable->list);\n11351                   nft_use_dec(&table->use);\n11352                   nf_tables_flowtable_destroy(flowtable);\n11353           }\n11354           list_for_each_entry_safe(set, ns, &table->sets, list) {\n11355                   list_del(&set->list);\n11356                   nft_use_dec(&table->use);\n11357                   if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))\n11358                           nft_map_deactivat\n---truncated---(CVE-2024-35899)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: Fix shift-out-of-bounds in dctcp_update_alpha().\r\n\r\nIn dctcp_update_alpha(), we use a module parameter dctcp_shift_g\nas follows:\r\n\r\n  alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g);\n  ...\n  delivered_ce <<= (10 - dctcp_shift_g);\r\n\r\nIt seems syzkaller started fuzzing module parameters and triggered\nshift-out-of-bounds [0] by setting 100 to dctcp_shift_g:\r\n\r\n  memcpy((void*)0x20000080,\n         \"/sys/module/tcp_dctcp/parameters/dctcp_shift_g\\000\", 47);\n  res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul,\n                /*flags=*/2ul, /*mode=*/0ul);\n  memcpy((void*)0x20000000, \"100\\000\", 4);\n  syscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000000ul, /*len=*/4ul);\r\n\r\nLet's limit the max value of dctcp_shift_g by param_set_uint_minmax().\r\n\r\nWith this patch:\r\n\r\n  # echo 10 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n  # cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n  10\n  # echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n  -bash: echo: write error: Invalid argument\r\n\r\n[0]:\nUBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12\nshift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int')\nCPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468\n dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143\n tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline]\n tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948\n tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711\n tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937\n sk_backlog_rcv include/net/sock.h:1106 [inline]\n __release_sock+0x20f/0x350 net/core/sock.c:2983\n release_sock+0x61/0x1f0 net/core/sock.c:3549\n mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907\n mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976\n __mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072\n mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127\n inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437\n __sock_release net/socket.c:659 [inline]\n sock_close+0xc0/0x240 net/socket.c:1421\n __fput+0x41b/0x890 fs/file_table.c:422\n task_work_run+0x23b/0x300 kernel/task_work.c:180\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0x9c8/0x2540 kernel/exit.c:878\n do_group_exit+0x201/0x2b0 kernel/exit.c:1027\n __do_sys_exit_group kernel/exit.c:1038 [inline]\n __se_sys_exit_group kernel/exit.c:1036 [inline]\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\nRIP: 0033:0x7f6c2b5005b6\nCode: Unable to access opcode bytes at 0x7f6c2b50058c.\nRSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6\nRDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001\nRBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0\nR10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0\nR13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n </TASK>(CVE-2024-37356)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5: Add a timeout to acquire the command queue semaphore\r\n\r\nPrevent forced completion handling on an entry that has not yet been\nassigned an index, causing an out of bounds access on idx = -22.\nInstead of waiting indefinitely for the sem, blocking flow now waits for\nindex to be allocated or a sem acquisition timeout before beginning the\ntimer for FW completion.\r\n\r\nKernel log example:\nmlx5_core 0000:06:00.0: wait_func_handle_exec_timeout:1128:(pid 185911): cmd[-22]: CREATE_UCTX(0xa04) No done completion(CVE-2024-38556)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njffs2: prevent xattr node from overflowing the eraseblock\r\n\r\nAdd a check to make sure that the requested xattr node size is no larger\nthan the eraseblock minus the cleanmarker.\r\n\r\nUnlike the usual inode nodes, the xattr nodes aren't split into parts\nand spread across multiple eraseblocks, which means that a xattr node\nmust not occupy more than one eraseblock. If the requested xattr value is\ntoo large, the xattr node can spill onto the next eraseblock, overwriting\nthe nodes and causing errors such as:\r\n\r\njffs2: argh. node added in wrong place at 0x0000b050(2)\njffs2: nextblock 0x0000a000, expected at 0000b00c\njffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050,\nread=0xfc892c93, calc=0x000000\njffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed\nat 0x01e00c. {848f,2fc4,0fef511f,59a3d171}\njffs2: Node at 0x0000000c with length 0x00001044 would run over the\nend of the erase block\njffs2: Perhaps the file system was created with the wrong erase size?\njffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found\nat 0x00000010: 0x1044 instead\r\n\r\nThis breaks the filesystem and can lead to KASAN crashes such as:\r\n\r\nBUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0\nRead of size 4 at addr ffff88802c31e914 by task repro/830\nCPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS Arch Linux 1.16.3-1-1 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0xc6/0x120\n print_report+0xc4/0x620\n ? __virt_addr_valid+0x308/0x5b0\n kasan_report+0xc1/0xf0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_flash_direct_writev+0xa8/0xd0\n jffs2_flash_writev+0x9c9/0xef0\n ? __x64_sys_setxattr+0xc4/0x160\n ? do_syscall_64+0x69/0x140\n ? entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.(CVE-2024-38599)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/ntfs3: Use 64 bit variable to avoid 32 bit overflow\r\n\r\nFor example, in the expression:\n\tvbo = 2 * vbo + skip(CVE-2024-38624)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwatchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger\r\n\r\nWhen the cpu5wdt module is removing, the origin code uses del_timer() to\nde-activate the timer. If the timer handler is running, del_timer() could\nnot stop it and will return directly. If the port region is released by\nrelease_region() and then the timer handler cpu5wdt_trigger() calls outb()\nto write into the region that is released, the use-after-free bug will\nhappen.\r\n\r\nChange del_timer() to timer_shutdown_sync() in order that the timer handler\ncould be finished before the port region is released.(CVE-2024-38630)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/ap: Fix crash in AP internal function modify_bitmap()\r\n\r\nA system crash like this\r\n\r\n  Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403\n  Fault in home space mode while using kernel ASCE.\n  AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d\n  Oops: 0038 ilc:3 [#1] PREEMPT SMP\n  Modules linked in: mlx5_ib ...\n  CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8\n  Hardware name: IBM 3931 A01 704 (LPAR)\n  Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8)\n  R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\n  Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3\n  000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0\n  000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff\n  000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8\n  Krnl Code: 0000014b75e7b5fc: a7840047            brc     8,0000014b75e7b68a\n  0000014b75e7b600: 18b2                lr      %r11,%r2\n  #0000014b75e7b602: a7f4000a            brc     15,0000014b75e7b616\n  >0000014b75e7b606: eb22d00000e6        laog    %r2,%r2,0(%r13)\n  0000014b75e7b60c: a7680001            lhi     %r6,1\n  0000014b75e7b610: 187b                lr      %r7,%r11\n  0000014b75e7b612: 84960021            brxh    %r9,%r6,0000014b75e7b654\n  0000014b75e7b616: 18e9                lr      %r14,%r9\n  Call Trace:\n  [<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8\n  ([<0000014b75e7b5dc>] ap_parse_bitmap_str+0xe4/0x1f8)\n  [<0000014b75e7b758>] apmask_store+0x68/0x140\n  [<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8\n  [<0000014b75598524>] vfs_write+0x1b4/0x448\n  [<0000014b7559894c>] ksys_write+0x74/0x100\n  [<0000014b7618a440>] __do_syscall+0x268/0x328\n  [<0000014b761a3558>] system_call+0x70/0x98\n  INFO: lockdep is turned off.\n  Last Breaking-Event-Address:\n  [<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8\n  Kernel panic - not syncing: Fatal exception: panic_on_oops\r\n\r\noccured when /sys/bus/ap/a[pq]mask was updated with a relative mask value\n(like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX.\r\n\r\nThe fix is simple: use unsigned long values for the internal variables. The\ncorrect checks are already in place in the function but a simple int for\nthe internal variables was used with the possibility to overflow.(CVE-2024-38661)",
+    "cves": [
+      {
+        "id": "CVE-2024-38661",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38661",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1106": {
+    "id": "openEuler-SA-2024-1106",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1106",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in drivers/input/input.c in the Linux kernel before 5.17.10. An attacker can cause a denial of service (panic) because input_set_capability mishandles the situation in which an event code falls outside of a bitmap.(CVE-2022-48619)\r\n\r\nA vulnerability was found in vhost_new_msg in drivers/vhost/vhost.c in the Linux kernel, which does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This issue can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file.(CVE-2024-0340)\r\n\r\nA denial of service vulnerability was found in tipc_crypto_key_revoke in net/tipc/crypto.c in the Linux kernel’s TIPC subsystem. This flaw allows guests with local user privileges to trigger a deadlock and potentially crash the system.(CVE-2024-0641)",
+    "cves": [
+      {
+        "id": "CVE-2024-0641",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0641",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1488": {
+    "id": "openEuler-SA-2024-1488",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1488",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Go Programming Language.\r\n\r\nSecurity Fix(es):\r\n\r\nAn attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.(CVE-2023-45288)",
+    "cves": [
+      {
+        "id": "CVE-2023-45288",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45288",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1014": {
+    "id": "openEuler-SA-2023-1014",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1014",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nGuests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329).(CVE-2022-42329)",
+    "cves": [
+      {
+        "id": "CVE-2022-42329",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42329",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1294": {
+    "id": "openEuler-SA-2023-1294",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1294",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Go Programming Language.\r\n\r\nSecurity Fix(es):\r\n\r\nTemplates containing actions in unquoted HTML attributes (e.g. \"attr={{.}}\") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.(CVE-2023-29400)\r\n\r\nAngle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.(CVE-2023-24539)\r\n\r\nNot all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set \"\\t\\n\\f\\r\\u0020\\u2028\\u2029\" in JavaScript contexts that also contain actions may not be properly sanitized during execution.(CVE-2023-24540)",
+    "cves": [
+      {
+        "id": "CVE-2023-24540",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24540",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1076": {
+    "id": "openEuler-SA-2024-1076",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1076",
+    "title": "An update for mongo-c-driver is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "mongo-c-driver is a project that includes two libraries: libmongoc, a client library written in C for MongoDB. libbson, a library providing useful routines related to building, parsing, and iterating BSON documents.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen calling bson_utf8_validate on some inputs a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects All MongoDB C Driver versions prior to versions 1.25.0.\r\n\r\n(CVE-2023-0437)",
+    "cves": [
+      {
+        "id": "CVE-2023-0437",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0437",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1976": {
+    "id": "openEuler-SA-2023-1976",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1976",
+    "title": "An update for openssh is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Critical",
+    "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. \\ It encrypts all traffic to eliminate eavesdropping, connection hijacking, and \\ other attacks. In addition, OpenSSH provides a large suite of secure tunneling \\ capabilities, several authentication methods, and sophisticated configuration options.\r\n\r\nSecurity Fix(es):\r\n\r\nIn ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.(CVE-2023-51385)",
+    "cves": [
+      {
+        "id": "CVE-2023-51385",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51385",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1902": {
+    "id": "openEuler-SA-2023-1902",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1902",
+    "title": "An update for vim is now available for openEuler-22.03-LTS",
+    "severity": "Low",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nVim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a `:s` command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive `:s` call causes free-ing of memory which may later then be accessed by the initial `:s` command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue.(CVE-2023-48706)",
+    "cves": [
+      {
+        "id": "CVE-2023-48706",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48706",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1589": {
+    "id": "openEuler-SA-2023-1589",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1589",
+    "title": "An update for hwloc is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "hwloc provides command line tools and a C API to obtain the hierarchical map of key computing elements, such as: NUMA memory nodes, shared caches, processor sockets, processor cores, and processor \"threads\". hwloc also gathers various attributes such as cache and memory information, and is portable across a variety of different operating systems and platforms.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in open-mpi hwloc 2.1.0 allows attackers to cause a denial of service or other unspecified impacts via glibc-cpuset in topology-linux.c.(CVE-2022-47022)",
+    "cves": [
+      {
+        "id": "CVE-2022-47022",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47022",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1936": {
+    "id": "openEuler-SA-2023-1936",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1936",
+    "title": "An update for python-flask is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "Flask is a lightweight WSGI web application framework. It is designed to make getting started quick and easy, with the ability to scale up to complex applications. It began as a simple wrapper around Werkzeug and Jinja and has become one of the most popular Python web application frameworks.\r\n\r\nSecurity Fix(es):\r\n\r\nFlask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.\r\n\r\n1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.\n2. The application sets `session.permanent = True`\n3. The application does not access or modify the session at any point during a request.\n4. `SESSION_REFRESH_EACH_REQUEST` enabled (the default).\n5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.\r\n\r\nThis happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.(CVE-2023-30861)",
+    "cves": [
+      {
+        "id": "CVE-2023-30861",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30861",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1439": {
+    "id": "openEuler-SA-2023-1439",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1439",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nA time-of-check to time-of-use issue exists in io_uring subsystem's IORING_OP_CLOSE operation in the Linux kernel's versions 5.6 - 5.11 (inclusive), which allows a local user to elevate their privileges to root. Introduced in b5dba59e0cf7e2cc4d3b3b1ac5fe81ddf21959eb, patched in 9eac1904d3364254d622bf2c771c4f85cd435fc2, backported to stable in 788d0824269bef539fe31a785b1517882eafed93.(CVE-2023-1295)\n\nA heap out-of-bounds write vulnerability in the Linux Kernel ipvlan network driver can be exploited to achieve local privilege escalation.\n\nThe out-of-bounds write is caused by missing skb->cb  initialization in the ipvlan network driver. The vulnerability is reachable if CONFIG_IPVLAN is enabled.\n\n\nWe recommend upgrading past commit 90cbed5247439a966b645b34eb0a2e037836ea8e.\n\n(CVE-2023-3090)\n\nA use-after-free flaw was found in the Netfilter subsystem of the Linux kernel when processing named and anonymous sets in batch requests, which can lead to performing arbitrary reads and writes in kernel memory. This flaw allows a local user with CAP_NET_ADMIN capability to crash or potentially escalate their privileges on the system.(CVE-2023-3117)\n\nAn issue was discovered in the Linux kernel through 6.1-rc8. dpu_crtc_atomic_check in drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c lacks check of the return value of kzalloc() and will cause the NULL Pointer Dereference.(CVE-2023-3220)\n\nA flaw null pointer dereference in the Linux kernel DECnet networking protocol was found. A remote user could use this flaw to crash the system.(CVE-2023-3338)\n\nA null pointer dereference was found in the Linux kernel's Integrated Sensor Hub (ISH) driver. This issue could allow a local user to crash the system.(CVE-2023-3358)",
+    "cves": [
+      {
+        "id": "CVE-2023-3358",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3358",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1386": {
+    "id": "openEuler-SA-2021-1386",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1386",
+    "title": "An update for ncurses is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "The ncurses (new curses) library is a free software emulation of curses in System V Release 4.0 (SVr4), and more. It uses terminfo format, supports pads and color and multiple highlights and forms characters and function-key mapping, and has all the other SVr4-curses enhancements over BSD curses. SVr4 curses became the basis of X/Open Curses.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.(CVE-2021-39537)",
+    "cves": [
+      {
+        "id": "CVE-2021-39537",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39537",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1567": {
+    "id": "openEuler-SA-2024-1567",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1567",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsctp: use call_rcu to free endpoint\r\n\r\nThis patch is to delay the endpoint free by calling call_rcu() to fix\nanother use-after-free issue in sctp_sock_dump():\r\n\r\n  BUG: KASAN: use-after-free in __lock_acquire+0x36d9/0x4c20\n  Call Trace:\n    __lock_acquire+0x36d9/0x4c20 kernel/locking/lockdep.c:3218\n    lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844\n    __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]\n    _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168\n    spin_lock_bh include/linux/spinlock.h:334 [inline]\n    __lock_sock+0x203/0x350 net/core/sock.c:2253\n    lock_sock_nested+0xfe/0x120 net/core/sock.c:2774\n    lock_sock include/net/sock.h:1492 [inline]\n    sctp_sock_dump+0x122/0xb20 net/sctp/diag.c:324\n    sctp_for_each_transport+0x2b5/0x370 net/sctp/socket.c:5091\n    sctp_diag_dump+0x3ac/0x660 net/sctp/diag.c:527\n    __inet_diag_dump+0xa8/0x140 net/ipv4/inet_diag.c:1049\n    inet_diag_dump+0x9b/0x110 net/ipv4/inet_diag.c:1065\n    netlink_dump+0x606/0x1080 net/netlink/af_netlink.c:2244\n    __netlink_dump_start+0x59a/0x7c0 net/netlink/af_netlink.c:2352\n    netlink_dump_start include/linux/netlink.h:216 [inline]\n    inet_diag_handler_cmd+0x2ce/0x3f0 net/ipv4/inet_diag.c:1170\n    __sock_diag_cmd net/core/sock_diag.c:232 [inline]\n    sock_diag_rcv_msg+0x31d/0x410 net/core/sock_diag.c:263\n    netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2477\n    sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:274\r\n\r\nThis issue occurs when asoc is peeled off and the old sk is freed after\ngetting it by asoc->base.sk and before calling lock_sock(sk).\r\n\r\nTo prevent the sk free, as a holder of the sk, ep should be alive when\ncalling lock_sock(). This patch uses call_rcu() and moves sock_put and\nep free into sctp_endpoint_destroy_rcu(), so that it's safe to try to\nhold the ep under rcu_read_lock in sctp_transport_traverse_process().\r\n\r\nIf sctp_endpoint_hold() returns true, it means this ep is still alive\nand we have held it and can continue to dump it; If it returns false,\nit means this ep is dead and can be freed after rcu_read_unlock, and\nwe should skip it.\r\n\r\nIn sctp_sock_dump(), after locking the sk, if this ep is different from\ntsp->asoc->ep, it means during this dumping, this asoc was peeled off\nbefore calling lock_sock(), and the sk should be skipped; If this ep is\nthe same with tsp->asoc->ep, it means no peeloff happens on this asoc,\nand due to lock_sock, no peeloff will happen either until release_sock.\r\n\r\nNote that delaying endpoint free won't delay the port release, as the\nport release happens in sctp_endpoint_destroy() before calling call_rcu().\nAlso, freeing endpoint by call_rcu() makes it safe to access the sk by\nasoc->base.sk in sctp_assocs_seq_show() and sctp_rcv().\r\n\r\nThanks Jones to bring this issue up.\r\n\r\nv1->v2:\n  - improve the changelog.\n  - add kfree(ep) into sctp_endpoint_destroy_rcu(), as Jakub noticed.(CVE-2021-46929)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: fix use-after-free in tw_timer_handler\r\n\r\nA real world panic issue was found as follow in Linux 5.4.\r\n\r\n    BUG: unable to handle page fault for address: ffffde49a863de28\n    PGD 7e6fe62067 P4D 7e6fe62067 PUD 7e6fe63067 PMD f51e064067 PTE 0\n    RIP: 0010:tw_timer_handler+0x20/0x40\n    Call Trace:\n     <IRQ>\n     call_timer_fn+0x2b/0x120\n     run_timer_softirq+0x1ef/0x450\n     __do_softirq+0x10d/0x2b8\n     irq_exit+0xc7/0xd0\n     smp_apic_timer_interrupt+0x68/0x120\n     apic_timer_interrupt+0xf/0x20\r\n\r\nThis issue was also reported since 2017 in the thread [1],\nunfortunately, the issue was still can be reproduced after fixing\nDCCP.\r\n\r\nThe ipv4_mib_exit_net is called before tcp_sk_exit_batch when a net\nnamespace is destroyed since tcp_sk_ops is registered befrore\nipv4_mib_ops, which means tcp_sk_ops is in the front of ipv4_mib_ops\nin the list of pernet_list. There will be a use-after-free on\nnet->mib.net_statistics in tw_timer_handler after ipv4_mib_exit_net\nif there are some inflight time-wait timers.\r\n\r\nThis bug is not introduced by commit f2bf415cfed7 (\"mib: add net to\nNET_ADD_STATS_BH\") since the net_statistics is a global variable\ninstead of dynamic allocation and freeing. Actually, commit\n61a7e26028b9 (\"mib: put net statistics on struct net\") introduces\nthe bug since it put net statistics on struct net and free it when\nnet namespace is destroyed.\r\n\r\nMoving init_ipv4_mibs() to the front of tcp_init() to fix this bug\nand replace pr_crit() with panic() since continuing is meaningless\nwhen init_ipv4_mibs() fails.\r\n\r\n[1] https://groups.google.com/g/syzkaller/c/p1tn-_Kc6l4/m/smuL_FMAAgAJ?pli=1(CVE-2021-46936)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nACPI: custom_method: fix potential use-after-free issue\r\n\r\nIn cm_write(), buf is always freed when reaching the end of the\nfunction.  If the requested count is less than table.length, the\nallocated buffer will be freed but subsequent calls to cm_write() will\nstill try to access it.\r\n\r\nRemove the unconditional kfree(buf) at the end of the function and\nset the buf to NULL in the -EINVAL error path to match the rest of\nfunction.(CVE-2021-46966)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntun: avoid double free in tun_free_netdev\r\n\r\nAvoid double free in tun_free_netdev() by moving the\ndev->tstats and tun->security allocs to a new ndo_init routine\n(tun_net_init()) that will be called by register_netdevice().\nndo_init is paired with the desctructor (tun_free_netdev()),\nso if there's an error in register_netdevice() the destructor\nwill handle the frees.\r\n\r\nBUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605\r\n\r\nCPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1\nHardware name: Red Hat KVM, BIOS\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106\nprint_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247\nkasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372\n____kasan_slab_free mm/kasan/common.c:346 [inline]\n__kasan_slab_free+0x107/0x120 mm/kasan/common.c:374\nkasan_slab_free include/linux/kasan.h:235 [inline]\nslab_free_hook mm/slub.c:1723 [inline]\nslab_free_freelist_hook mm/slub.c:1749 [inline]\nslab_free mm/slub.c:3513 [inline]\nkfree+0xac/0x2d0 mm/slub.c:4561\nselinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605\nsecurity_tun_dev_free_security+0x4f/0x90 security/security.c:2342\ntun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215\nnetdev_run_todo+0x4df/0x840 net/core/dev.c:10627\nrtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112\n__tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302\ntun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311\nvfs_ioctl fs/ioctl.c:51 [inline]\n__do_sys_ioctl fs/ioctl.c:874 [inline]\n__se_sys_ioctl fs/ioctl.c:860 [inline]\n__x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x44/0xae(CVE-2021-47082)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nio_uring: fix ltout double free on completion race\r\n\r\nAlways remove linked timeout on io_link_timeout_fn() from the master\nrequest link list, otherwise we may get use-after-free when first\nio_link_timeout_fn() puts linked timeout in the fail path, and then\nwill be found and put on master's free.(CVE-2021-47123)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: core: Fix scsi_mode_sense() buffer length handling\r\n\r\nSeveral problems exist with scsi_mode_sense() buffer length handling:\r\n\r\n 1) The allocation length field of the MODE SENSE(10) command is 16-bits,\n    occupying bytes 7 and 8 of the CDB. With this command, access to mode\n    pages larger than 255 bytes is thus possible. However, the CDB\n    allocation length field is set by assigning len to byte 8 only, thus\n    truncating buffer length larger than 255.\r\n\r\n 2) If scsi_mode_sense() is called with len smaller than 8 with\n    sdev->use_10_for_ms set, or smaller than 4 otherwise, the buffer length\n    is increased to 8 and 4 respectively, and the buffer is zero filled\n    with these increased values, thus corrupting the memory following the\n    buffer.\r\n\r\nFix these 2 problems by using put_unaligned_be16() to set the allocation\nlength field of MODE SENSE(10) CDB and by returning an error when len is\ntoo small.\r\n\r\nFurthermore, if len is larger than 255B, always try MODE SENSE(10) first,\neven if the device driver did not set sdev->use_10_for_ms. In case of\ninvalid opcode error for MODE SENSE(10), access to mode pages larger than\n255 bytes are not retried using MODE SENSE(6). To avoid buffer length\noverflows for the MODE_SENSE(10) case, check that len is smaller than 65535\nbytes.\r\n\r\nWhile at it, also fix the folowing:\r\n\r\n * Use get_unaligned_be16() to retrieve the mode data length and block\n   descriptor length fields of the mode sense reply header instead of using\n   an open coded calculation.\r\n\r\n * Fix the kdoc dbd argument explanation: the DBD bit stands for Disable\n   Block Descriptor, which is the opposite of what the dbd argument\n   description was.(CVE-2021-47182)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntty: tty_buffer: Fix the softlockup issue in flush_to_ldisc\r\n\r\nWhen running ltp testcase(ltp/testcases/kernel/pty/pty04.c) with arm64, there is a soft lockup,\nwhich look like this one:\r\n\r\n  Workqueue: events_unbound flush_to_ldisc\n  Call trace:\n   dump_backtrace+0x0/0x1ec\n   show_stack+0x24/0x30\n   dump_stack+0xd0/0x128\n   panic+0x15c/0x374\n   watchdog_timer_fn+0x2b8/0x304\n   __run_hrtimer+0x88/0x2c0\n   __hrtimer_run_queues+0xa4/0x120\n   hrtimer_interrupt+0xfc/0x270\n   arch_timer_handler_phys+0x40/0x50\n   handle_percpu_devid_irq+0x94/0x220\n   __handle_domain_irq+0x88/0xf0\n   gic_handle_irq+0x84/0xfc\n   el1_irq+0xc8/0x180\n   slip_unesc+0x80/0x214 [slip]\n   tty_ldisc_receive_buf+0x64/0x80\n   tty_port_default_receive_buf+0x50/0x90\n   flush_to_ldisc+0xbc/0x110\n   process_one_work+0x1d4/0x4b0\n   worker_thread+0x180/0x430\n   kthread+0x11c/0x120\r\n\r\nIn the testcase pty04, The first process call the write syscall to send\ndata to the pty master. At the same time, the workqueue will do the\nflush_to_ldisc to pop data in a loop until there is no more data left.\nWhen the sender and workqueue running in different core, the sender sends\ndata fastly in full time which will result in workqueue doing work in loop\nfor a long time and occuring softlockup in flush_to_ldisc with kernel\nconfigured without preempt. So I add need_resched check and cond_resched\nin the flush_to_ldisc loop to avoid it.(CVE-2021-47185)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\niavf: free q_vectors before queues in iavf_disable_vf\r\n\r\niavf_free_queues() clears adapter->num_active_queues, which\niavf_free_q_vectors() relies on, so swap the order of these two function\ncalls in iavf_disable_vf(). This resolves a panic encountered when the\ninterface is disabled and then later brought up again after PF\ncommunication is restored.(CVE-2021-47201)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: lpfc: Fix list_add() corruption in lpfc_drain_txq()\r\n\r\nWhen parsing the txq list in lpfc_drain_txq(), the driver attempts to pass\nthe requests to the adapter. If such an attempt fails, a local \"fail_msg\"\nstring is set and a log message output.  The job is then added to a\ncompletions list for cancellation.\r\n\r\nProcessing of any further jobs from the txq list continues, but since\n\"fail_msg\" remains set, jobs are added to the completions list regardless\nof whether a wqe was passed to the adapter.  If successfully added to\ntxcmplq, jobs are added to both lists resulting in list corruption.\r\n\r\nFix by clearing the fail_msg string after adding a job to the completions\nlist. This stops the subsequent jobs from being added to the completions\nlist unless they had an appropriate failure.(CVE-2021-47203)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: usb-audio: fix null pointer dereference on pointer cs_desc\r\n\r\nThe pointer cs_desc return from snd_usb_find_clock_source could\nbe null, so there is a potential null pointer dereference issue.\nFix this by adding a null check before dereference.(CVE-2021-47211)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: advansys: Fix kernel pointer leak\r\n\r\nPointers should be printed with %p or %px rather than cast to 'unsigned\nlong' and printed with %lx.\r\n\r\nChange %lx to %p to print the hashed pointer.(CVE-2021-47216)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nx86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails\r\n\r\nCheck for a valid hv_vp_index array prior to derefencing hv_vp_index when\nsetting Hyper-V's TSC change callback.  If Hyper-V setup failed in\nhyperv_init(), the kernel will still report that it's running under\nHyper-V, but will have silently disabled nearly all functionality.\r\n\r\n  BUG: kernel NULL pointer dereference, address: 0000000000000010\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: 0000 [#1] SMP\n  CPU: 4 PID: 1 Comm: swapper/0 Not tainted 5.15.0-rc2+ #75\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n  RIP: 0010:set_hv_tscchange_cb+0x15/0xa0\n  Code: <8b> 04 82 8b 15 12 17 85 01 48 c1 e0 20 48 0d ee 00 01 00 f6 c6 08\n  ...\n  Call Trace:\n   kvm_arch_init+0x17c/0x280\n   kvm_init+0x31/0x330\n   vmx_init+0xba/0x13a\n   do_one_initcall+0x41/0x1c0\n   kernel_init_freeable+0x1f2/0x23b\n   kernel_init+0x16/0x120\n   ret_from_fork+0x22/0x30(CVE-2021-47217)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: hub: Guard against accesses to uninitialized BOS descriptors\r\n\r\nMany functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h\naccess fields inside udev->bos without checking if it was allocated and\ninitialized. If usb_get_bos_descriptor() fails for whatever\nreason, udev->bos will be NULL and those accesses will result in a\ncrash:\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000018\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 5 PID: 17818 Comm: kworker/5:1 Tainted: G W 5.15.108-18910-gab0e1cb584e1 #1 <HASH:1f9e 1>\nHardware name: Google Kindred/Kindred, BIOS Google_Kindred.12672.413.0 02/03/2021\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:hub_port_reset+0x193/0x788\nCode: 89 f7 e8 20 f7 15 00 48 8b 43 08 80 b8 96 03 00 00 03 75 36 0f b7 88 92 03 00 00 81 f9 10 03 00 00 72 27 48 8b 80 a8 03 00 00 <48> 83 78 18 00 74 19 48 89 df 48 8b 75 b0 ba 02 00 00 00 4c 89 e9\nRSP: 0018:ffffab740c53fcf8 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffffa1bc5f678000 RCX: 0000000000000310\nRDX: fffffffffffffdff RSI: 0000000000000286 RDI: ffffa1be9655b840\nRBP: ffffab740c53fd70 R08: 00001b7d5edaa20c R09: ffffffffb005e060\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: ffffab740c53fd3e R14: 0000000000000032 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffffa1be96540000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000018 CR3: 000000022e80c005 CR4: 00000000003706e0\nCall Trace:\nhub_event+0x73f/0x156e\n? hub_activate+0x5b7/0x68f\nprocess_one_work+0x1a2/0x487\nworker_thread+0x11a/0x288\nkthread+0x13a/0x152\n? process_one_work+0x487/0x487\n? kthread_associate_blkcg+0x70/0x70\nret_from_fork+0x1f/0x30\r\n\r\nFall back to a default behavior if the BOS descriptor isn't accessible\nand skip all the functionalities that depend on it: LPM support checks,\nSuper Speed capabilitiy checks, U1/U2 states setup.(CVE-2023-52477)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbinder: fix race between mmput() and do_exit()\r\n\r\nTask A calls binder_update_page_range() to allocate and insert pages on\na remote address space from Task B. For this, Task A pins the remote mm\nvia mmget_not_zero() first. This can race with Task B do_exit() and the\nfinal mmput() refcount decrement will come from Task A.\r\n\r\n  Task A            | Task B\n  ------------------+------------------\n  mmget_not_zero()  |\n                    |  do_exit()\n                    |    exit_mm()\n                    |      mmput()\n  mmput()           |\n    exit_mmap()     |\n      remove_vma()  |\n        fput()      |\r\n\r\nIn this case, the work of ____fput() from Task B is queued up in Task A\nas TWA_RESUME. So in theory, Task A returns to userspace and the cleanup\nwork gets executed. However, Task A instead sleep, waiting for a reply\nfrom Task B that never comes (it's dead).\r\n\r\nThis means the binder_deferred_release() is blocked until an unrelated\nbinder event forces Task A to go back to userspace. All the associated\ndeath notifications will also be delayed until then.\r\n\r\nIn order to fix this use mmput_async() that will schedule the work in\nthe corresponding mm->async_put_work WQ instead of Task A.(CVE-2023-52609)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: scomp - fix req->dst buffer overflow\r\n\r\nThe req->dst buffer size should be checked before copying from the\nscomp_scratch->dst to avoid req->dst buffer overflow problem.(CVE-2023-52612)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nllc: Drop support for ETH_P_TR_802_2.\r\n\r\nsyzbot reported an uninit-value bug below. [0]\r\n\r\nllc supports ETH_P_802_2 (0x0004) and used to support ETH_P_TR_802_2\n(0x0011), and syzbot abused the latter to trigger the bug.\r\n\r\n  write$tun(r0, &(0x7f0000000040)={@val={0x0, 0x11}, @val, @mpls={[], @llc={@snap={0xaa, 0x1, ')', \"90e5dd\"}}}}, 0x16)\r\n\r\nllc_conn_handler() initialises local variables {saddr,daddr}.mac\nbased on skb in llc_pdu_decode_sa()/llc_pdu_decode_da() and passes\nthem to __llc_lookup().\r\n\r\nHowever, the initialisation is done only when skb->protocol is\nhtons(ETH_P_802_2), otherwise, __llc_lookup_established() and\n__llc_lookup_listener() will read garbage.\r\n\r\nThe missing initialisation existed prior to commit 211ed865108e\n(\"net: delete all instances of special processing for token ring\").\r\n\r\nIt removed the part to kick out the token ring stuff but forgot to\nclose the door allowing ETH_P_TR_802_2 packets to sneak into llc_rcv().\r\n\r\nLet's remove llc_tr_packet_type and complete the deprecation.\r\n\r\n[0]:\nBUG: KMSAN: uninit-value in __llc_lookup_established+0xe9d/0xf90\n __llc_lookup_established+0xe9d/0xf90\n __llc_lookup net/llc/llc_conn.c:611 [inline]\n llc_conn_handler+0x4bd/0x1360 net/llc/llc_conn.c:791\n llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206\n __netif_receive_skb_one_core net/core/dev.c:5527 [inline]\n __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5641\n netif_receive_skb_internal net/core/dev.c:5727 [inline]\n netif_receive_skb+0x58/0x660 net/core/dev.c:5786\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\n tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2020 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x8ef/0x1490 fs/read_write.c:584\n ksys_write+0x20f/0x4c0 fs/read_write.c:637\n __do_sys_write fs/read_write.c:649 [inline]\n __se_sys_write fs/read_write.c:646 [inline]\n __x64_sys_write+0x93/0xd0 fs/read_write.c:646\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nLocal variable daddr created at:\n llc_conn_handler+0x53/0x1360 net/llc/llc_conn.c:783\n llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206\r\n\r\nCPU: 1 PID: 5004 Comm: syz-executor994 Not tainted 6.6.0-syzkaller-14500-g1c41041124bd #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023(CVE-2024-26635)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nllc: make llc_ui_sendmsg() more robust against bonding changes\r\n\r\nsyzbot was able to trick llc_ui_sendmsg(), allocating an skb with no\nheadroom, but subsequently trying to push 14 bytes of Ethernet header [1]\r\n\r\nLike some others, llc_ui_sendmsg() releases the socket lock before\ncalling sock_alloc_send_skb().\nThen it acquires it again, but does not redo all the sanity checks\nthat were performed.\r\n\r\nThis fix:\r\n\r\n- Uses LL_RESERVED_SPACE() to reserve space.\n- Check all conditions again after socket lock is held again.\n- Do not account Ethernet header for mtu limitation.\r\n\r\n[1]\r\n\r\nskbuff: skb_under_panic: text:ffff800088baa334 len:1514 put:14 head:ffff0000c9c37000 data:ffff0000c9c36ff2 tail:0x5dc end:0x6c0 dev:bond0\r\n\r\n kernel BUG at net/core/skbuff.c:193 !\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\nModules linked in:\nCPU: 0 PID: 6875 Comm: syz-executor.0 Not tainted 6.7.0-rc8-syzkaller-00101-g0802e17d9aca-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : skb_panic net/core/skbuff.c:189 [inline]\n pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203\n lr : skb_panic net/core/skbuff.c:189 [inline]\n lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203\nsp : ffff800096f97000\nx29: ffff800096f97010 x28: ffff80008cc8d668 x27: dfff800000000000\nx26: ffff0000cb970c90 x25: 00000000000005dc x24: ffff0000c9c36ff2\nx23: ffff0000c9c37000 x22: 00000000000005ea x21: 00000000000006c0\nx20: 000000000000000e x19: ffff800088baa334 x18: 1fffe000368261ce\nx17: ffff80008e4ed000 x16: ffff80008a8310f8 x15: 0000000000000001\nx14: 1ffff00012df2d58 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000001 x10: 0000000000ff0100 x9 : e28a51f1087e8400\nx8 : e28a51f1087e8400 x7 : ffff80008028f8d0 x6 : 0000000000000000\nx5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff800082b78714\nx2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000089\nCall trace:\n  skb_panic net/core/skbuff.c:189 [inline]\n  skb_under_panic+0x13c/0x140 net/core/skbuff.c:203\n  skb_push+0xf0/0x108 net/core/skbuff.c:2451\n  eth_header+0x44/0x1f8 net/ethernet/eth.c:83\n  dev_hard_header include/linux/netdevice.h:3188 [inline]\n  llc_mac_hdr_init+0x110/0x17c net/llc/llc_output.c:33\n  llc_sap_action_send_xid_c+0x170/0x344 net/llc/llc_s_ac.c:85\n  llc_exec_sap_trans_actions net/llc/llc_sap.c:153 [inline]\n  llc_sap_next_state net/llc/llc_sap.c:182 [inline]\n  llc_sap_state_process+0x1ec/0x774 net/llc/llc_sap.c:209\n  llc_build_and_send_xid_pkt+0x12c/0x1c0 net/llc/llc_sap.c:270\n  llc_ui_sendmsg+0x7bc/0xb1c net/llc/af_llc.c:997\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg net/socket.c:745 [inline]\n  sock_sendmsg+0x194/0x274 net/socket.c:767\n  splice_to_socket+0x7cc/0xd58 fs/splice.c:881\n  do_splice_from fs/splice.c:933 [inline]\n  direct_splice_actor+0xe4/0x1c0 fs/splice.c:1142\n  splice_direct_to_actor+0x2a0/0x7e4 fs/splice.c:1088\n  do_splice_direct+0x20c/0x348 fs/splice.c:1194\n  do_sendfile+0x4bc/0xc70 fs/read_write.c:1254\n  __do_sys_sendfile64 fs/read_write.c:1322 [inline]\n  __se_sys_sendfile64 fs/read_write.c:1308 [inline]\n  __arm64_sys_sendfile64+0x160/0x3b4 fs/read_write.c:1308\n  __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]\n  invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51\n  el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136\n  do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155\n  el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678\n  el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696\n  el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595\nCode: aa1803e6 aa1903e7 a90023f5 94792f6a (d4210000)(CVE-2024-26636)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: add sanity checks to rx zerocopy\r\n\r\nTCP rx zerocopy intent is to map pages initially allocated\nfrom NIC drivers, not pages owned by a fs.\r\n\r\nThis patch adds to can_map_frag() these additional checks:\r\n\r\n- Page must not be a compound one.\n- page->mapping must be NULL.\r\n\r\nThis fixes the panic reported by ZhangPeng.\r\n\r\nsyzbot was able to loopback packets built with sendfile(),\nmapping pages owned by an ext4 file to TCP rx zerocopy.\r\n\r\nr3 = socket$inet_tcp(0x2, 0x1, 0x0)\nmmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0)\nr4 = socket$inet_tcp(0x2, 0x1, 0x0)\nbind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10)\nconnect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10)\nr5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00',\n    0x181e42, 0x0)\nfallocate(r5, 0x0, 0x0, 0x85b8)\nsendfile(r4, r5, 0x0, 0x8ba0)\ngetsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23,\n    &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0,\n    0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40)\nr6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00',\n    0x181e42, 0x0)(CVE-2024-26640)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()\r\n\r\nsyzbot found __ip6_tnl_rcv() could access unitiliazed data [1].\r\n\r\nCall pskb_inet_may_pull() to fix this, and initialize ipv6h\nvariable after this call as it can change skb->head.\r\n\r\n[1]\n BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321\n  __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n  INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n  IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321\n  ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727\n  __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845\n  ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888\n gre_rcv+0x143f/0x1870\n  ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438\n  ip6_input_finish net/ipv6/ip6_input.c:483 [inline]\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\n  ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\n  dst_input include/net/dst.h:461 [inline]\n  ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310\n  __netif_receive_skb_one_core net/core/dev.c:5532 [inline]\n  __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646\n  netif_receive_skb_internal net/core/dev.c:5732 [inline]\n  netif_receive_skb+0x58/0x660 net/core/dev.c:5791\n  tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\n  tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n  call_write_iter include/linux/fs.h:2084 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0x786/0x1200 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was created at:\n  slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n  slab_alloc_node mm/slub.c:3478 [inline]\n  kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n  __alloc_skb+0x318/0x740 net/core/skbuff.c:651\n  alloc_skb include/linux/skbuff.h:1286 [inline]\n  alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334\n  sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787\n  tun_alloc_skb drivers/net/tun.c:1531 [inline]\n  tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n  call_write_iter include/linux/fs.h:2084 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0x786/0x1200 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nCPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023(CVE-2024-26641)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nl2tp: pass correct message length to ip6_append_data\r\n\r\nl2tp_ip6_sendmsg needs to avoid accounting for the transport header\ntwice when splicing more data into an already partially-occupied skbuff.\r\n\r\nTo manage this, we check whether the skbuff contains data using\nskb_queue_empty when deciding how much data to append using\nip6_append_data.\r\n\r\nHowever, the code which performed the calculation was incorrect:\r\n\r\n     ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;\r\n\r\n...due to C operator precedence, this ends up setting ulen to\ntranshdrlen for messages with a non-zero length, which results in\ncorrupted packets on the wire.\r\n\r\nAdd parentheses to correct the calculation in line with the original\nintent.(CVE-2024-26752)",
+    "cves": [
+      {
+        "id": "CVE-2024-26752",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26752",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2143": {
+    "id": "openEuler-SA-2022-2143",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2143",
+    "title": "An update for containerd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "containerd is an industry-standard container runtime with an emphasis on simplicity, robustness and portability.  It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervision, low-level storage and network attachments, etc.\r\n\r\nSecurity Fix(es):\r\n\r\ncontainerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers.(CVE-2022-23471)",
+    "cves": [
+      {
+        "id": "CVE-2022-23471",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23471",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1038": {
+    "id": "openEuler-SA-2021-1038",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1038",
+    "title": "An update for php is now available for openEuler-20.03-LTS",
+    "severity": "Critical",
+    "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nWhen using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause function mbfl_filt_conv_big5_wchar to read past the allocated buffer. This may lead to information disclosure or crash.(CVE-2020-7060)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2020-7060",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7060",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1043": {
+    "id": "openEuler-SA-2023-1043",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1043",
+    "title": "An update for openvswitch is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Open vSwitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license.\r\n\r\nSecurity Fix(es):\r\n\r\nAn integer underflow in Organization Specific TLV was found in various versions of OpenvSwitch.(CVE-2022-4338)",
+    "cves": [
+      {
+        "id": "CVE-2022-4338",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4338",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1635": {
+    "id": "openEuler-SA-2022-1635",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1635",
+    "title": "An update for ncurses is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The ncurses (new curses) library is a free software emulation of curses in System V Release 4.0 (SVr4), and more. It uses terminfo format, supports pads and color and multiple highlights and forms characters and function-key mapping, and has all the other SVr4-curses enhancements over BSD curses. SVr4 curses became the basis of X/Open Curses.\r\n\r\nSecurity Fix(es):\r\n\nncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.(CVE-2022-29458)",
+    "cves": [
+      {
+        "id": "CVE-2022-29458",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29458",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1207": {
+    "id": "openEuler-SA-2023-1207",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1207",
+    "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nA security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0464)\r\n\r\nApplications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0465)\r\n\r\nThe function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification. As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function. Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.(CVE-2023-0466)",
+    "cves": [
+      {
+        "id": "CVE-2023-0466",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0466",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1530": {
+    "id": "openEuler-SA-2022-1530",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1530",
+    "title": "An update for python-django is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "A high-level Python Web framework that encourages rapid development and clean, pragmatic design.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.(CVE-2021-45115)\r\n\r\nAn issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.(CVE-2021-45116)\r\n\r\nStorage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.(CVE-2021-45452)\r\n\r\nThe debug template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.(CVE-2022-22818)\r\n\r\nAn issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.(CVE-2022-23833)",
+    "cves": [
+      {
+        "id": "CVE-2022-23833",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23833",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1828": {
+    "id": "openEuler-SA-2024-1828",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1828",
+    "title": "An update for vte291 is now available for openEuler-22.03-LTS-SP4",
+    "severity": "Low",
+    "description": "VTE provides a virtual terminal widget for GTK applications.VTE is mainly used in gnome-terminal, but can also be used to embed a console/terminal in games, editors, IDEs, etc.\r\n\r\nSecurity Fix(es):\r\n\r\nGNOME VTE before 0.76.3 allows an attacker to cause a denial of service (memory consumption) via a window resize escape sequence, a related issue to CVE-2000-0476.(CVE-2024-37535)",
+    "cves": [
+      {
+        "id": "CVE-2024-37535",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37535",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1649": {
+    "id": "openEuler-SA-2022-1649",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1649",
+    "title": "An update for xmlgraphics-commons is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Apache XML Graphics Commons is a library that consists of several reusable components used by Apache Batik and Apache FOP. Many of these components can easily be used separately outside the domains of SVG and XSL-FO. You will find components such as a PDF library, an RTF library, Graphics2D implementations that let you generate PDF and PostScript files, and much more. The Apache™ XML Graphics Commons project is part of the Apache™ Software Foundation, which is a wider community of users and developers of open source projects.\r\n\r\nSecurity Fix(es):\r\n\r\nApache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later.(CVE-2020-11988)",
+    "cves": [
+      {
+        "id": "CVE-2020-11988",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11988",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1935": {
+    "id": "openEuler-SA-2022-1935",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1935",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "This libtiff provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. The latest version of the TIFF specification is available on-line in several different formats.And contains command-line programs for manipulating TIFF format image files using the libtiff library.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in libtiff 4.4.0rc1. There is a sysmalloc assertion fail in rotateImage() at tiffcrop.c:8621 that can cause program crash when reading a crafted input.(CVE-2022-2520)",
+    "cves": [
+      {
+        "id": "CVE-2022-2520",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2520",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1574": {
+    "id": "openEuler-SA-2022-1574",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1574",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\n\nIn gc_data_segment in fs/f2fs/gc.c in the Linux kernel before 5.16.3, special files are not considered, leading to a move_data_page NULL pointer dereference.(CVE-2021-44879)",
+    "cves": [
+      {
+        "id": "CVE-2021-44879",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44879",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1622": {
+    "id": "openEuler-SA-2024-1622",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1622",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfirmware: arm_scmi: Harden accesses to the reset domains\r\n\r\nAccessing reset domains descriptors by the index upon the SCMI drivers\nrequests through the SCMI reset operations interface can potentially\nlead to out-of-bound violations if the SCMI driver misbehave.\r\n\r\nAdd an internal consistency check before any such domains descriptors\naccesses.(CVE-2022-48655)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nerofs: fix pcluster use-after-free on UP platforms\r\n\r\nDuring stress testing with CONFIG_SMP disabled, KASAN reports as below:\r\n\r\n==================================================================\nBUG: KASAN: use-after-free in __mutex_lock+0xe5/0xc30\nRead of size 8 at addr ffff8881094223f8 by task stress/7789\r\n\r\nCPU: 0 PID: 7789 Comm: stress Not tainted 6.0.0-rc1-00002-g0d53d2e882f9 #3\nHardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\nCall Trace:\n <TASK>\n..\n __mutex_lock+0xe5/0xc30\n..\n z_erofs_do_read_page+0x8ce/0x1560\n..\n z_erofs_readahead+0x31c/0x580\n..\nFreed by task 7787\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x20/0x30\n kasan_set_free_info+0x20/0x40\n __kasan_slab_free+0x10c/0x190\n kmem_cache_free+0xed/0x380\n rcu_core+0x3d5/0xc90\n __do_softirq+0x12d/0x389\r\n\r\nLast potentially related work creation:\n kasan_save_stack+0x1e/0x40\n __kasan_record_aux_stack+0x97/0xb0\n call_rcu+0x3d/0x3f0\n erofs_shrink_workstation+0x11f/0x210\n erofs_shrink_scan+0xdc/0x170\n shrink_slab.constprop.0+0x296/0x530\n drop_slab+0x1c/0x70\n drop_caches_sysctl_handler+0x70/0x80\n proc_sys_call_handler+0x20a/0x2f0\n vfs_write+0x555/0x6c0\n ksys_write+0xbe/0x160\n do_syscall_64+0x3b/0x90\r\n\r\nThe root cause is that erofs_workgroup_unfreeze() doesn't reset to\norig_val thus it causes a race that the pcluster reuses unexpectedly\nbefore freeing.\r\n\r\nSince UP platforms are quite rare now, such path becomes unnecessary.\nLet's drop such specific-designed path directly instead.(CVE-2022-48674)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: hub: Guard against accesses to uninitialized BOS descriptors\r\n\r\nMany functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h\naccess fields inside udev->bos without checking if it was allocated and\ninitialized. If usb_get_bos_descriptor() fails for whatever\nreason, udev->bos will be NULL and those accesses will result in a\ncrash:\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000018\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 5 PID: 17818 Comm: kworker/5:1 Tainted: G W 5.15.108-18910-gab0e1cb584e1 #1 <HASH:1f9e 1>\nHardware name: Google Kindred/Kindred, BIOS Google_Kindred.12672.413.0 02/03/2021\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:hub_port_reset+0x193/0x788\nCode: 89 f7 e8 20 f7 15 00 48 8b 43 08 80 b8 96 03 00 00 03 75 36 0f b7 88 92 03 00 00 81 f9 10 03 00 00 72 27 48 8b 80 a8 03 00 00 <48> 83 78 18 00 74 19 48 89 df 48 8b 75 b0 ba 02 00 00 00 4c 89 e9\nRSP: 0018:ffffab740c53fcf8 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffffa1bc5f678000 RCX: 0000000000000310\nRDX: fffffffffffffdff RSI: 0000000000000286 RDI: ffffa1be9655b840\nRBP: ffffab740c53fd70 R08: 00001b7d5edaa20c R09: ffffffffb005e060\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: ffffab740c53fd3e R14: 0000000000000032 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffffa1be96540000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000018 CR3: 000000022e80c005 CR4: 00000000003706e0\nCall Trace:\nhub_event+0x73f/0x156e\n? hub_activate+0x5b7/0x68f\nprocess_one_work+0x1a2/0x487\nworker_thread+0x11a/0x288\nkthread+0x13a/0x152\n? process_one_work+0x487/0x487\n? kthread_associate_blkcg+0x70/0x70\nret_from_fork+0x1f/0x30\r\n\r\nFall back to a default behavior if the BOS descriptor isn't accessible\nand skip all the functionalities that depend on it: LPM support checks,\nSuper Speed capabilitiy checks, U1/U2 states setup.(CVE-2023-52477)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: disallow timeout for anonymous sets\r\n\r\nNever used from userspace, disallow these parameters.(CVE-2023-52620)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nftables: exthdr: fix 4-byte stack OOB write\r\n\r\nIf priv->len is a multiple of 4, then dst[len / 4] can write past\nthe destination array which leads to stack corruption.\r\n\r\nThis construct is necessary to clean the remainder of the register\nin case ->len is NOT a multiple of the register size, so make it\nconditional just like nft_payload.c does.\r\n\r\nThe bug was added in 4.1 cycle and then copied/inherited when\ntcp/sctp and ip option support was added.\r\n\r\nBug reported by Zero Day Initiative project (ZDI-CAN-21950,\nZDI-CAN-21951, ZDI-CAN-21961).(CVE-2023-52628)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/ntfs3: Fix an NULL dereference bug\r\n\r\nThe issue here is when this is called from ntfs_load_attr_list().  The\n\"size\" comes from le32_to_cpu(attr->res.data_size) so it can't overflow\non a 64bit systems but on 32bit systems the \"+ 1023\" can overflow and\nthe result is zero.  This means that the kmalloc will succeed by\nreturning the ZERO_SIZE_PTR and then the memcpy() will crash with an\nOops on the next line.(CVE-2023-52631)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\num: time-travel: fix time corruption\r\n\r\nIn 'basic' time-travel mode (without =inf-cpu or =ext), we\nstill get timer interrupts. These can happen at arbitrary\npoints in time, i.e. while in timer_read(), which pushes\ntime forward just a little bit. Then, if we happen to get\nthe interrupt after calculating the new time to push to,\nbut before actually finishing that, the interrupt will set\nthe time to a value that's incompatible with the forward,\nand we'll crash because time goes backwards when we do the\nforwarding.\r\n\r\nFix this by reading the time_travel_time, calculating the\nadjustment, and doing the adjustment all with interrupts\ndisabled.(CVE-2023-52633)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncan: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)\r\n\r\nLock jsk->sk to prevent UAF when setsockopt(..., SO_J1939_FILTER, ...)\nmodifies jsk->filters while receiving packets.\r\n\r\nFollowing trace was seen on affected system:\n ==================================================================\n BUG: KASAN: slab-use-after-free in j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n Read of size 4 at addr ffff888012144014 by task j1939/350\r\n\r\n CPU: 0 PID: 350 Comm: j1939 Tainted: G        W  OE      6.5.0-rc5 #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n Call Trace:\n  print_report+0xd3/0x620\n  ? kasan_complete_mode_report_info+0x7d/0x200\n  ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n  kasan_report+0xc2/0x100\n  ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n  __asan_load4+0x84/0xb0\n  j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n  j1939_sk_recv+0x20b/0x320 [can_j1939]\n  ? __kasan_check_write+0x18/0x20\n  ? __pfx_j1939_sk_recv+0x10/0x10 [can_j1939]\n  ? j1939_simple_recv+0x69/0x280 [can_j1939]\n  ? j1939_ac_recv+0x5e/0x310 [can_j1939]\n  j1939_can_recv+0x43f/0x580 [can_j1939]\n  ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]\n  ? raw_rcv+0x42/0x3c0 [can_raw]\n  ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]\n  can_rcv_filter+0x11f/0x350 [can]\n  can_receive+0x12f/0x190 [can]\n  ? __pfx_can_rcv+0x10/0x10 [can]\n  can_rcv+0xdd/0x130 [can]\n  ? __pfx_can_rcv+0x10/0x10 [can]\n  __netif_receive_skb_one_core+0x13d/0x150\n  ? __pfx___netif_receive_skb_one_core+0x10/0x10\n  ? __kasan_check_write+0x18/0x20\n  ? _raw_spin_lock_irq+0x8c/0xe0\n  __netif_receive_skb+0x23/0xb0\n  process_backlog+0x107/0x260\n  __napi_poll+0x69/0x310\n  net_rx_action+0x2a1/0x580\n  ? __pfx_net_rx_action+0x10/0x10\n  ? __pfx__raw_spin_lock+0x10/0x10\n  ? handle_irq_event+0x7d/0xa0\n  __do_softirq+0xf3/0x3f8\n  do_softirq+0x53/0x80\n  </IRQ>\n  <TASK>\n  __local_bh_enable_ip+0x6e/0x70\n  netif_rx+0x16b/0x180\n  can_send+0x32b/0x520 [can]\n  ? __pfx_can_send+0x10/0x10 [can]\n  ? __check_object_size+0x299/0x410\n  raw_sendmsg+0x572/0x6d0 [can_raw]\n  ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]\n  ? apparmor_socket_sendmsg+0x2f/0x40\n  ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]\n  sock_sendmsg+0xef/0x100\n  sock_write_iter+0x162/0x220\n  ? __pfx_sock_write_iter+0x10/0x10\n  ? __rtnl_unlock+0x47/0x80\n  ? security_file_permission+0x54/0x320\n  vfs_write+0x6ba/0x750\n  ? __pfx_vfs_write+0x10/0x10\n  ? __fget_light+0x1ca/0x1f0\n  ? __rcu_read_unlock+0x5b/0x280\n  ksys_write+0x143/0x170\n  ? __pfx_ksys_write+0x10/0x10\n  ? __kasan_check_read+0x15/0x20\n  ? fpregs_assert_state_consistent+0x62/0x70\n  __x64_sys_write+0x47/0x60\n  do_syscall_64+0x60/0x90\n  ? do_syscall_64+0x6d/0x90\n  ? irqentry_exit+0x3f/0x50\n  ? exc_page_fault+0x79/0xf0\n  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\r\n\r\n Allocated by task 348:\n  kasan_save_stack+0x2a/0x50\n  kasan_set_track+0x29/0x40\n  kasan_save_alloc_info+0x1f/0x30\n  __kasan_kmalloc+0xb5/0xc0\n  __kmalloc_node_track_caller+0x67/0x160\n  j1939_sk_setsockopt+0x284/0x450 [can_j1939]\n  __sys_setsockopt+0x15c/0x2f0\n  __x64_sys_setsockopt+0x6b/0x80\n  do_syscall_64+0x60/0x90\n  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\r\n\r\n Freed by task 349:\n  kasan_save_stack+0x2a/0x50\n  kasan_set_track+0x29/0x40\n  kasan_save_free_info+0x2f/0x50\n  __kasan_slab_free+0x12e/0x1c0\n  __kmem_cache_free+0x1b9/0x380\n  kfree+0x7a/0x120\n  j1939_sk_setsockopt+0x3b2/0x450 [can_j1939]\n  __sys_setsockopt+0x15c/0x2f0\n  __x64_sys_setsockopt+0x6b/0x80\n  do_syscall_64+0x60/0x90\n  entry_SYSCALL_64_after_hwframe+0x6e/0xd8(CVE-2023-52637)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: s390: vsie: fix race during shadow creation\r\n\r\nRight now it is possible to see gmap->private being zero in\nkvm_s390_vsie_gmap_notifier resulting in a crash.  This is due to the\nfact that we add gmap->private == kvm after creation:\r\n\r\nstatic int acquire_gmap_shadow(struct kvm_vcpu *vcpu,\n                               struct vsie_page *vsie_page)\n{\n[...]\n        gmap = gmap_shadow(vcpu->arch.gmap, asce, edat);\n        if (IS_ERR(gmap))\n                return PTR_ERR(gmap);\n        gmap->private = vcpu->kvm;\r\n\r\nLet children inherit the private field of the parent.(CVE-2023-52639)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: rc: bpf attach/detach requires write permission\r\n\r\nNote that bpf attach/detach also requires CAP_NET_ADMIN.(CVE-2023-52642)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled\r\n\r\nWhen QoS is disabled, the queue priority value will not map to the correct\nieee80211 queue since there is only one queue. Stop/wake queue 0 when QoS\nis disabled to prevent trying to stop/wake a non-existent queue and failing\nto stop/wake the actual queue instantiated.\r\n\r\nLog of issue before change (with kernel parameter qos=0):\n    [  +5.112651] ------------[ cut here ]------------\n    [  +0.000005] WARNING: CPU: 7 PID: 25513 at net/mac80211/util.c:449 __ieee80211_wake_queue+0xd5/0x180 [mac80211]\n    [  +0.000067] Modules linked in: b43(O) snd_seq_dummy snd_hrtimer snd_seq snd_seq_device nft_chain_nat xt_MASQUERADE nf_nat xfrm_user xfrm_algo xt_addrtype overlay ccm af_packet amdgpu snd_hda_codec_cirrus snd_hda_codec_generic ledtrig_audio drm_exec amdxcp gpu_sched xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_rpfilter ipt_rpfilter xt_pkttype xt_LOG nf_log_syslog xt_tcpudp nft_compat nf_tables nfnetlink sch_fq_codel btusb uinput iTCO_wdt ctr btrtl intel_pmc_bxt i915 intel_rapl_msr mei_hdcp mei_pxp joydev at24 watchdog btintel atkbd libps2 serio radeon btbcm vivaldi_fmap btmtk intel_rapl_common snd_hda_codec_hdmi bluetooth uvcvideo nls_iso8859_1 applesmc nls_cp437 x86_pkg_temp_thermal snd_hda_intel intel_powerclamp vfat videobuf2_vmalloc coretemp fat snd_intel_dspcfg crc32_pclmul uvc polyval_clmulni snd_intel_sdw_acpi loop videobuf2_memops snd_hda_codec tun drm_suballoc_helper polyval_generic drm_ttm_helper drm_buddy tap ecdh_generic videobuf2_v4l2 gf128mul macvlan ttm ghash_clmulni_intel ecc tg3\n    [  +0.000044]  videodev bridge snd_hda_core rapl crc16 drm_display_helper cec mousedev snd_hwdep evdev intel_cstate bcm5974 hid_appleir videobuf2_common stp mac_hid libphy snd_pcm drm_kms_helper acpi_als mei_me intel_uncore llc mc snd_timer intel_gtt industrialio_triggered_buffer apple_mfi_fastcharge i2c_i801 mei snd lpc_ich agpgart ptp i2c_smbus thunderbolt apple_gmux i2c_algo_bit kfifo_buf video industrialio soundcore pps_core wmi tiny_power_button sbs sbshc button ac cordic bcma mac80211 cfg80211 ssb rfkill libarc4 kvm_intel kvm drm irqbypass fuse backlight firmware_class efi_pstore configfs efivarfs dmi_sysfs ip_tables x_tables autofs4 dm_crypt cbc encrypted_keys trusted asn1_encoder tee tpm rng_core input_leds hid_apple led_class hid_generic usbhid hid sd_mod t10_pi crc64_rocksoft crc64 crc_t10dif crct10dif_generic ahci libahci libata uhci_hcd ehci_pci ehci_hcd crct10dif_pclmul crct10dif_common sha512_ssse3 sha512_generic sha256_ssse3 sha1_ssse3 aesni_intel usbcore scsi_mod libaes crypto_simd cryptd scsi_common\n    [  +0.000055]  usb_common rtc_cmos btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq dm_snapshot dm_bufio dm_mod dax [last unloaded: b43(O)]\n    [  +0.000009] CPU: 7 PID: 25513 Comm: irq/17-b43 Tainted: G        W  O       6.6.7 #1-NixOS\n    [  +0.000003] Hardware name: Apple Inc. MacBookPro8,3/Mac-942459F5819B171B, BIOS 87.0.0.0.0 06/13/2019\n    [  +0.000001] RIP: 0010:__ieee80211_wake_queue+0xd5/0x180 [mac80211]\n    [  +0.000046] Code: 00 45 85 e4 0f 85 9b 00 00 00 48 8d bd 40 09 00 00 f0 48 0f ba ad 48 09 00 00 00 72 0f 5b 5d 41 5c 41 5d 41 5e e9 cb 6d 3c d0 <0f> 0b 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc 48 8d b4 16 94 00 00\n    [  +0.000002] RSP: 0018:ffffc90003c77d60 EFLAGS: 00010097\n    [  +0.000001] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 0000000000000000\n    [  +0.000001] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff88820b924900\n    [  +0.000002] RBP: ffff88820b924900 R08: ffffc90003c77d90 R09: 000000000003bfd0\n    [  +0.000001] R10: ffff88820b924900 R11: ffffc90003c77c68 R12: 0000000000000000\n    [  +0.000001] R13: 0000000000000000 R14: ffffc90003c77d90 R15: ffffffffc0fa6f40\n    [  +0.000001] FS:  0000000000000000(0000) GS:ffff88846fb80000(0000) knlGS:0000000000000000\n    [  +0.000001] CS:  0010 DS: 0\n---truncated---(CVE-2023-52644)\r\n\r\nA flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.(CVE-2023-6270)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: disallow anonymous set with timeout flag\r\n\r\nAnonymous sets are never used with timeout from userspace, reject this.\nException to this rule is NFT_SET_EVAL to ensure legacy meters still work.(CVE-2024-26642)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntracing: Ensure visibility when inserting an element into tracing_map\r\n\r\nRunning the following two commands in parallel on a multi-processor\nAArch64 machine can sporadically produce an unexpected warning about\nduplicate histogram entries:\r\n\r\n $ while true; do\n     echo hist:key=id.syscall:val=hitcount > \\\n       /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/trigger\n     cat /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/hist\n     sleep 0.001\n   done\n $ stress-ng --sysbadaddr $(nproc)\r\n\r\nThe warning looks as follows:\r\n\r\n[ 2911.172474] ------------[ cut here ]------------\n[ 2911.173111] Duplicates detected: 1\n[ 2911.173574] WARNING: CPU: 2 PID: 12247 at kernel/trace/tracing_map.c:983 tracing_map_sort_entries+0x3e0/0x408\n[ 2911.174702] Modules linked in: iscsi_ibft(E) iscsi_boot_sysfs(E) rfkill(E) af_packet(E) nls_iso8859_1(E) nls_cp437(E) vfat(E) fat(E) ena(E) tiny_power_button(E) qemu_fw_cfg(E) button(E) fuse(E) efi_pstore(E) ip_tables(E) x_tables(E) xfs(E) libcrc32c(E) aes_ce_blk(E) aes_ce_cipher(E) crct10dif_ce(E) polyval_ce(E) polyval_generic(E) ghash_ce(E) gf128mul(E) sm4_ce_gcm(E) sm4_ce_ccm(E) sm4_ce(E) sm4_ce_cipher(E) sm4(E) sm3_ce(E) sm3(E) sha3_ce(E) sha512_ce(E) sha512_arm64(E) sha2_ce(E) sha256_arm64(E) nvme(E) sha1_ce(E) nvme_core(E) nvme_auth(E) t10_pi(E) sg(E) scsi_mod(E) scsi_common(E) efivarfs(E)\n[ 2911.174738] Unloaded tainted modules: cppc_cpufreq(E):1\n[ 2911.180985] CPU: 2 PID: 12247 Comm: cat Kdump: loaded Tainted: G            E      6.7.0-default #2 1b58bbb22c97e4399dc09f92d309344f69c44a01\n[ 2911.182398] Hardware name: Amazon EC2 c7g.8xlarge/, BIOS 1.0 11/1/2018\n[ 2911.183208] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 2911.184038] pc : tracing_map_sort_entries+0x3e0/0x408\n[ 2911.184667] lr : tracing_map_sort_entries+0x3e0/0x408\n[ 2911.185310] sp : ffff8000a1513900\n[ 2911.185750] x29: ffff8000a1513900 x28: ffff0003f272fe80 x27: 0000000000000001\n[ 2911.186600] x26: ffff0003f272fe80 x25: 0000000000000030 x24: 0000000000000008\n[ 2911.187458] x23: ffff0003c5788000 x22: ffff0003c16710c8 x21: ffff80008017f180\n[ 2911.188310] x20: ffff80008017f000 x19: ffff80008017f180 x18: ffffffffffffffff\n[ 2911.189160] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000a15134b8\n[ 2911.190015] x14: 0000000000000000 x13: 205d373432323154 x12: 5b5d313131333731\n[ 2911.190844] x11: 00000000fffeffff x10: 00000000fffeffff x9 : ffffd1b78274a13c\n[ 2911.191716] x8 : 000000000017ffe8 x7 : c0000000fffeffff x6 : 000000000057ffa8\n[ 2911.192554] x5 : ffff0012f6c24ec0 x4 : 0000000000000000 x3 : ffff2e5b72b5d000\n[ 2911.193404] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0003ff254480\n[ 2911.194259] Call trace:\n[ 2911.194626]  tracing_map_sort_entries+0x3e0/0x408\n[ 2911.195220]  hist_show+0x124/0x800\n[ 2911.195692]  seq_read_iter+0x1d4/0x4e8\n[ 2911.196193]  seq_read+0xe8/0x138\n[ 2911.196638]  vfs_read+0xc8/0x300\n[ 2911.197078]  ksys_read+0x70/0x108\n[ 2911.197534]  __arm64_sys_read+0x24/0x38\n[ 2911.198046]  invoke_syscall+0x78/0x108\n[ 2911.198553]  el0_svc_common.constprop.0+0xd0/0xf8\n[ 2911.199157]  do_el0_svc+0x28/0x40\n[ 2911.199613]  el0_svc+0x40/0x178\n[ 2911.200048]  el0t_64_sync_handler+0x13c/0x158\n[ 2911.200621]  el0t_64_sync+0x1a8/0x1b0\n[ 2911.201115] ---[ end trace 0000000000000000 ]---\r\n\r\nThe problem appears to be caused by CPU reordering of writes issued from\n__tracing_map_insert().\r\n\r\nThe check for the presence of an element with a given key in this\nfunction is:\r\n\r\n val = READ_ONCE(entry->val);\n if (val && keys_match(key, val->key, map->key_size)) ...\r\n\r\nThe write of a new entry is:\r\n\r\n elt = get_free_elt(map);\n memcpy(elt->key, key, map->key_size);\n entry->val = elt;\r\n\r\nThe \"memcpy(elt->key, key, map->key_size);\" and \"entry->val = elt;\"\nstores may become visible in the reversed order on another CPU. This\nsecond CPU might then incorrectly determine that a new key doesn't match\nan already present val->key and subse\n---truncated---(CVE-2024-26645)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntunnels: fix out of bounds access when building IPv6 PMTU error\r\n\r\nIf the ICMPv6 error is built from a non-linear skb we get the following\nsplat,\r\n\r\n  BUG: KASAN: slab-out-of-bounds in do_csum+0x220/0x240\n  Read of size 4 at addr ffff88811d402c80 by task netperf/820\n  CPU: 0 PID: 820 Comm: netperf Not tainted 6.8.0-rc1+ #543\n  ...\n   kasan_report+0xd8/0x110\n   do_csum+0x220/0x240\n   csum_partial+0xc/0x20\n   skb_tunnel_check_pmtu+0xeb9/0x3280\n   vxlan_xmit_one+0x14c2/0x4080\n   vxlan_xmit+0xf61/0x5c00\n   dev_hard_start_xmit+0xfb/0x510\n   __dev_queue_xmit+0x7cd/0x32a0\n   br_dev_queue_push_xmit+0x39d/0x6a0\r\n\r\nUse skb_checksum instead of csum_partial who cannot deal with non-linear\nSKBs.(CVE-2024-26665)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nft_limit: reject configurations that cause integer overflow\r\n\r\nReject bogus configs where internal token counter wraps around.\nThis only occurs with very very large requests, such as 17gbyte/s.\r\n\r\nIts better to reject this rather than having incorrect ratelimit.(CVE-2024-26668)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: flower: Fix chain template offload\r\n\r\nWhen a qdisc is deleted from a net device the stack instructs the\nunderlying driver to remove its flow offload callback from the\nassociated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack\nthen continues to replay the removal of the filters in the block for\nthis driver by iterating over the chains in the block and invoking the\n'reoffload' operation of the classifier being used. In turn, the\nclassifier in its 'reoffload' operation prepares and emits a\n'FLOW_CLS_DESTROY' command for each filter.\r\n\r\nHowever, the stack does not do the same for chain templates and the\nunderlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when\na qdisc is deleted. This results in a memory leak [1] which can be\nreproduced using [2].\r\n\r\nFix by introducing a 'tmplt_reoffload' operation and have the stack\ninvoke it with the appropriate arguments as part of the replay.\nImplement the operation in the sole classifier that supports chain\ntemplates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}'\ncommand based on whether a flow offload callback is being bound to a\nfilter block or being unbound from one.\r\n\r\nAs far as I can tell, the issue happens since cited commit which\nreordered tcf_block_offload_unbind() before tcf_block_flush_all_chains()\nin __tcf_block_put(). The order cannot be reversed as the filter block\nis expected to be freed after flushing all the chains.\r\n\r\n[1]\nunreferenced object 0xffff888107e28800 (size 2048):\n  comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s)\n  hex dump (first 32 bytes):\n    b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff  ..|......[......\n    01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff  ................\n  backtrace:\n    [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320\n    [<ffffffff81ab374e>] __kmalloc+0x4e/0x90\n    [<ffffffff832aec6d>] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0\n    [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180\n    [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280\n    [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340\n    [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0\n    [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170\n    [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0\n    [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440\n    [<ffffffff83ac6270>] netlink_unicast+0x540/0x820\n    [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0\n    [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80\n    [<ffffffff8379d29a>] ___sys_sendmsg+0x13a/0x1e0\n    [<ffffffff8379d50c>] __sys_sendmsg+0x11c/0x1f0\n    [<ffffffff843b9ce0>] do_syscall_64+0x40/0xe0\nunreferenced object 0xffff88816d2c0400 (size 1024):\n  comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s)\n  hex dump (first 32 bytes):\n    40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00  @.......W.8.....\n    10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff  ..,m......,m....\n  backtrace:\n    [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320\n    [<ffffffff81ab36c1>] __kmalloc_node+0x51/0x90\n    [<ffffffff81a8ed96>] kvmalloc_node+0xa6/0x1f0\n    [<ffffffff82827d03>] bucket_table_alloc.isra.0+0x83/0x460\n    [<ffffffff82828d2b>] rhashtable_init+0x43b/0x7c0\n    [<ffffffff832aed48>] mlxsw_sp_acl_ruleset_get+0x428/0x7a0\n    [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180\n    [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280\n    [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340\n    [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0\n    [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170\n    [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0\n    [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440\n    [<ffffffff83ac6270>] netlink_unicast+0x540/0x820\n    [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0\n    [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80\r\n\r\n[2]\n # tc qdisc add dev swp1 clsact\n # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32\n # tc qdisc del dev\n---truncated---(CVE-2024-26669)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblk-mq: fix IO hang from sbitmap wakeup race\r\n\r\nIn blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered\nwith the following blk_mq_get_driver_tag() in case of getting driver\ntag failure.\r\n\r\nThen in __sbitmap_queue_wake_up(), waitqueue_active() may not observe\nthe added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime\nblk_mq_mark_tag_wait() can't get driver tag successfully.\r\n\r\nThis issue can be reproduced by running the following test in loop, and\nfio hang can be observed in < 30min when running it on my test VM\nin laptop.\r\n\r\n\tmodprobe -r scsi_debug\n\tmodprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4\n\tdev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename`\n\tfio --filename=/dev/\"$dev\" --direct=1 --rw=randrw --bs=4k --iodepth=1 \\\n       \t\t--runtime=100 --numjobs=40 --time_based --name=test \\\n        \t--ioengine=libaio\r\n\r\nFix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which\nis just fine in case of running out of tag.(CVE-2024-26671)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ninet: read sk->sk_family once in inet_recv_error()\r\n\r\ninet_recv_error() is called without holding the socket lock.\r\n\r\nIPv6 socket could mutate to IPv4 with IPV6_ADDRFORM\nsocket option and trigger a KCSAN warning.(CVE-2024-26679)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: atlantic: Fix DMA mapping for PTP hwts ring\r\n\r\nFunction aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytes\nfor PTP HWTS ring but then generic aq_ring_free() does not take this\ninto account.\nCreate and use a specific function to free HWTS ring to fix this\nissue.\r\n\r\nTrace:\n[  215.351607] ------------[ cut here ]------------\n[  215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes]\n[  215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 check_unmap+0xa6f/0x2360\n...\n[  215.581176] Call Trace:\n[  215.583632]  <TASK>\n[  215.585745]  ? show_trace_log_lvl+0x1c4/0x2df\n[  215.590114]  ? show_trace_log_lvl+0x1c4/0x2df\n[  215.594497]  ? debug_dma_free_coherent+0x196/0x210\n[  215.599305]  ? check_unmap+0xa6f/0x2360\n[  215.603147]  ? __warn+0xca/0x1d0\n[  215.606391]  ? check_unmap+0xa6f/0x2360\n[  215.610237]  ? report_bug+0x1ef/0x370\n[  215.613921]  ? handle_bug+0x3c/0x70\n[  215.617423]  ? exc_invalid_op+0x14/0x50\n[  215.621269]  ? asm_exc_invalid_op+0x16/0x20\n[  215.625480]  ? check_unmap+0xa6f/0x2360\n[  215.629331]  ? mark_lock.part.0+0xca/0xa40\n[  215.633445]  debug_dma_free_coherent+0x196/0x210\n[  215.638079]  ? __pfx_debug_dma_free_coherent+0x10/0x10\n[  215.643242]  ? slab_free_freelist_hook+0x11d/0x1d0\n[  215.648060]  dma_free_attrs+0x6d/0x130\n[  215.651834]  aq_ring_free+0x193/0x290 [atlantic]\n[  215.656487]  aq_ptp_ring_free+0x67/0x110 [atlantic]\n...\n[  216.127540] ---[ end trace 6467e5964dd2640b ]---\n[  216.132160] DMA-API: Mapped at:\n[  216.132162]  debug_dma_alloc_coherent+0x66/0x2f0\n[  216.132165]  dma_alloc_attrs+0xf5/0x1b0\n[  216.132168]  aq_ring_hwts_rx_alloc+0x150/0x1f0 [atlantic]\n[  216.132193]  aq_ptp_ring_alloc+0x1bb/0x540 [atlantic]\n[  216.132213]  aq_nic_init+0x4a1/0x760 [atlantic](CVE-2024-26680)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: stmmac: xgmac: fix handling of DPP safety error for DMA channels\r\n\r\nCommit 56e58d6c8a56 (\"net: stmmac: Implement Safety Features in\nXGMAC core\") checks and reports safety errors, but leaves the\nData Path Parity Errors for each channel in DMA unhandled at all, lead to\na storm of interrupt.\nFix it by checking and clearing the DMA_DPP_Interrupt_Status register.(CVE-2024-26684)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix potential bug in end_buffer_async_write\r\n\r\nAccording to a syzbot report, end_buffer_async_write(), which handles the\ncompletion of block device writes, may detect abnormal condition of the\nbuffer async_write flag and cause a BUG_ON failure when using nilfs2.\r\n\r\nNilfs2 itself does not use end_buffer_async_write().  But, the async_write\nflag is now used as a marker by commit 7f42ec394156 (\"nilfs2: fix issue\nwith race condition of competition between segments for dirty blocks\") as\na means of resolving double list insertion of dirty blocks in\nnilfs_lookup_dirty_data_buffers() and nilfs_lookup_node_buffers() and the\nresulting crash.\r\n\r\nThis modification is safe as long as it is used for file data and b-tree\nnode blocks where the page caches are independent.  However, it was\nirrelevant and redundant to also introduce async_write for segment summary\nand super root blocks that share buffers with the backing device.  This\nled to the possibility that the BUG_ON check in end_buffer_async_write\nwould fail as described above, if independent writebacks of the backing\ndevice occurred in parallel.\r\n\r\nThe use of async_write for segment summary buffers has already been\nremoved in a previous change.\r\n\r\nFix this issue by removing the manipulation of the async_write flag for\nthe remaining super root block buffer.(CVE-2024-26685)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super\r\n\r\nWhen configuring a hugetlb filesystem via the fsconfig() syscall, there is\na possible NULL dereference in hugetlbfs_fill_super() caused by assigning\nNULL to ctx->hstate in hugetlbfs_parse_param() when the requested pagesize\nis non valid.\r\n\r\nE.g: Taking the following steps:\r\n\r\n     fd = fsopen(\"hugetlbfs\", FSOPEN_CLOEXEC);\n     fsconfig(fd, FSCONFIG_SET_STRING, \"pagesize\", \"1024\", 0);\n     fsconfig(fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0);\r\n\r\nGiven that the requested \"pagesize\" is invalid, ctxt->hstate will be replaced\nwith NULL, losing its previous value, and we will print an error:\r\n\r\n ...\n ...\n case Opt_pagesize:\n ps = memparse(param->string, &rest);\n ctx->hstate = h;\n if (!ctx->hstate) {\n         pr_err(\"Unsupported page size %lu MB\\n\", ps / SZ_1M);\n         return -EINVAL;\n }\n return 0;\n ...\n ...\r\n\r\nThis is a problem because later on, we will dereference ctxt->hstate in\nhugetlbfs_fill_super()\r\n\r\n ...\n ...\n sb->s_blocksize = huge_page_size(ctx->hstate);\n ...\n ...\r\n\r\nCausing below Oops.\r\n\r\nFix this by replacing cxt->hstate value only when then pagesize is known\nto be valid.\r\n\r\n kernel: hugetlbfs: Unsupported page size 0 MB\n kernel: BUG: kernel NULL pointer dereference, address: 0000000000000028\n kernel: #PF: supervisor read access in kernel mode\n kernel: #PF: error_code(0x0000) - not-present page\n kernel: PGD 800000010f66c067 P4D 800000010f66c067 PUD 1b22f8067 PMD 0\n kernel: Oops: 0000 [#1] PREEMPT SMP PTI\n kernel: CPU: 4 PID: 5659 Comm: syscall Tainted: G            E      6.8.0-rc2-default+ #22 5a47c3fef76212addcc6eb71344aabc35190ae8f\n kernel: Hardware name: Intel Corp. GROVEPORT/GROVEPORT, BIOS GVPRCRB1.86B.0016.D04.1705030402 05/03/2017\n kernel: RIP: 0010:hugetlbfs_fill_super+0xb4/0x1a0\n kernel: Code: 48 8b 3b e8 3e c6 ed ff 48 85 c0 48 89 45 20 0f 84 d6 00 00 00 48 b8 ff ff ff ff ff ff ff 7f 4c 89 e7 49 89 44 24 20 48 8b 03 <8b> 48 28 b8 00 10 00 00 48 d3 e0 49 89 44 24 18 48 8b 03 8b 40 28\n kernel: RSP: 0018:ffffbe9960fcbd48 EFLAGS: 00010246\n kernel: RAX: 0000000000000000 RBX: ffff9af5272ae780 RCX: 0000000000372004\n kernel: RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: ffff9af555e9b000\n kernel: RBP: ffff9af52ee66b00 R08: 0000000000000040 R09: 0000000000370004\n kernel: R10: ffffbe9960fcbd48 R11: 0000000000000040 R12: ffff9af555e9b000\n kernel: R13: ffffffffa66b86c0 R14: ffff9af507d2f400 R15: ffff9af507d2f400\n kernel: FS:  00007ffbc0ba4740(0000) GS:ffff9b0bd7000000(0000) knlGS:0000000000000000\n kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n kernel: CR2: 0000000000000028 CR3: 00000001b1ee0000 CR4: 00000000001506f0\n kernel: Call Trace:\n kernel:  <TASK>\n kernel:  ? __die_body+0x1a/0x60\n kernel:  ? page_fault_oops+0x16f/0x4a0\n kernel:  ? search_bpf_extables+0x65/0x70\n kernel:  ? fixup_exception+0x22/0x310\n kernel:  ? exc_page_fault+0x69/0x150\n kernel:  ? asm_exc_page_fault+0x22/0x30\n kernel:  ? __pfx_hugetlbfs_fill_super+0x10/0x10\n kernel:  ? hugetlbfs_fill_super+0xb4/0x1a0\n kernel:  ? hugetlbfs_fill_super+0x28/0x1a0\n kernel:  ? __pfx_hugetlbfs_fill_super+0x10/0x10\n kernel:  vfs_get_super+0x40/0xa0\n kernel:  ? __pfx_bpf_lsm_capable+0x10/0x10\n kernel:  vfs_get_tree+0x25/0xd0\n kernel:  vfs_cmd_create+0x64/0xe0\n kernel:  __x64_sys_fsconfig+0x395/0x410\n kernel:  do_syscall_64+0x80/0x160\n kernel:  ? syscall_exit_to_user_mode+0x82/0x240\n kernel:  ? do_syscall_64+0x8d/0x160\n kernel:  ? syscall_exit_to_user_mode+0x82/0x240\n kernel:  ? do_syscall_64+0x8d/0x160\n kernel:  ? exc_page_fault+0x69/0x150\n kernel:  entry_SYSCALL_64_after_hwframe+0x6e/0x76\n kernel: RIP: 0033:0x7ffbc0cb87c9\n kernel: Code: 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 96 0d 00 f7 d8 64 89 01 48\n kernel: RSP: 002b:00007ffc29d2f388 EFLAGS: 00000206 ORIG_RAX: 00000000000001af\n kernel: RAX: fffffffffff\n---truncated---(CVE-2024-26688)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nceph: prevent use-after-free in encode_cap_msg()\r\n\r\nIn fs/ceph/caps.c, in encode_cap_msg(), \"use after free\" error was\ncaught by KASAN at this line - 'ceph_buffer_get(arg->xattr_buf);'. This\nimplies before the refcount could be increment here, it was freed.\r\n\r\nIn same file, in \"handle_cap_grant()\" refcount is decremented by this\nline - 'ceph_buffer_put(ci->i_xattrs.blob);'. It appears that a race\noccurred and resource was freed by the latter line before the former\nline could increment it.\r\n\r\nencode_cap_msg() is called by __send_cap() and __send_cap() is called by\nceph_check_caps() after calling __prep_cap(). __prep_cap() is where\narg->xattr_buf is assigned to ci->i_xattrs.blob. This is the spot where\nthe refcount must be increased to prevent \"use after free\" error.(CVE-2024-26689)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: fix data corruption in dsync block recovery for small block sizes\r\n\r\nThe helper function nilfs_recovery_copy_block() of\nnilfs_recovery_dsync_blocks(), which recovers data from logs created by\ndata sync writes during a mount after an unclean shutdown, incorrectly\ncalculates the on-page offset when copying repair data to the file's page\ncache.  In environments where the block size is smaller than the page\nsize, this flaw can cause data corruption and leak uninitialized memory\nbytes during the recovery process.\r\n\r\nFix these issues by correcting this byte offset calculation on the page.(CVE-2024-26697)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nparisc: Fix random data corruption from exception handler\r\n\r\nThe current exception handler implementation, which assists when accessing\nuser space memory, may exhibit random data corruption if the compiler decides\nto use a different register than the specified register %r29 (defined in\nASM_EXCEPTIONTABLE_REG) for the error code. If the compiler choose another\nregister, the fault handler will nevertheless store -EFAULT into %r29 and thus\ntrash whatever this register is used for.\nLooking at the assembly I found that this happens sometimes in emulate_ldd().\r\n\r\nTo solve the issue, the easiest solution would be if it somehow is\npossible to tell the fault handler which register is used to hold the error\ncode. Using %0 or %1 in the inline assembly is not posssible as it will show\nup as e.g. %r29 (with the \"%r\" prefix), which the GNU assembler can not\nconvert to an integer.\r\n\r\nThis patch takes another, better and more flexible approach:\nWe extend the __ex_table (which is out of the execution path) by one 32-word.\nIn this word we tell the compiler to insert the assembler instruction\n\"or %r0,%r0,%reg\", where %reg references the register which the compiler\nchoosed for the error return code.\nIn case of an access failure, the fault handler finds the __ex_table entry and\ncan examine the opcode. The used register is encoded in the lowest 5 bits, and\nthe fault handler can then store -EFAULT into this register.\r\n\r\nSince we extend the __ex_table to 3 words we can't use the BUILDTIME_TABLE_SORT\nconfig option any longer.(CVE-2024-26706)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()\r\n\r\nSyzkaller reported [1] hitting a warning after failing to allocate\nresources for skb in hsr_init_skb(). Since a WARN_ONCE() call will\nnot help much in this case, it might be prudent to switch to\nnetdev_warn_once(). At the very least it will suppress syzkaller\nreports such as [1].\r\n\r\nJust in case, use netdev_warn_once() in send_prp_supervision_frame()\nfor similar reasons.\r\n\r\n[1]\nHSR: Could not send supervision frame\nWARNING: CPU: 1 PID: 85 at net/hsr/hsr_device.c:294 send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294\nRIP: 0010:send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294\n...\nCall Trace:\n <IRQ>\n hsr_announce+0x114/0x370 net/hsr/hsr_device.c:382\n call_timer_fn+0x193/0x590 kernel/time/timer.c:1700\n expire_timers kernel/time/timer.c:1751 [inline]\n __run_timers+0x764/0xb20 kernel/time/timer.c:2022\n run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2035\n __do_softirq+0x21a/0x8de kernel/softirq.c:553\n invoke_softirq kernel/softirq.c:427 [inline]\n __irq_exit_rcu kernel/softirq.c:632 [inline]\n irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644\n sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076\n </IRQ>\n <TASK>\n asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649\n...\r\n\r\nThis issue is also found in older kernels (at least up to 5.10).(CVE-2024-26707)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again\r\n\r\n(struct dirty_throttle_control *)->thresh is an unsigned long, but is\npassed as the u32 divisor argument to div_u64().  On architectures where\nunsigned long is 64 bytes, the argument will be implicitly truncated.\r\n\r\nUse div64_u64() instead of div_u64() so that the value used in the \"is\nthis a safe division\" check is the same as the divisor.\r\n\r\nAlso, remove redundant cast of the numerator to u64, as that should happen\nimplicitly.\r\n\r\nThis would be difficult to exploit in memcg domain, given the ratio-based\narithmetic domain_drity_limits() uses, but is much easier in global\nwriteback domain with a BDI_CAP_STRICTLIMIT-backing device, using e.g. \nvm.dirty_bytes=(1<<32)*PAGE_SIZE so that dtc->thresh == (1<<32)(CVE-2024-26720)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: don't drop extent_map for free space inode on write error\r\n\r\nWhile running the CI for an unrelated change I hit the following panic\nwith generic/648 on btrfs_holes_spacecache.\r\n\r\nassertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385\n------------[ cut here ]------------\nkernel BUG at fs/btrfs/extent_io.c:1385!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G        W          6.8.0-rc2+ #1\nRIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0\nCall Trace:\n <TASK>\n extent_write_cache_pages+0x2ac/0x8f0\n extent_writepages+0x87/0x110\n do_writepages+0xd5/0x1f0\n filemap_fdatawrite_wbc+0x63/0x90\n __filemap_fdatawrite_range+0x5c/0x80\n btrfs_fdatawrite_range+0x1f/0x50\n btrfs_write_out_cache+0x507/0x560\n btrfs_write_dirty_block_groups+0x32a/0x420\n commit_cowonly_roots+0x21b/0x290\n btrfs_commit_transaction+0x813/0x1360\n btrfs_sync_file+0x51a/0x640\n __x64_sys_fdatasync+0x52/0x90\n do_syscall_64+0x9c/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\nThis happens because we fail to write out the free space cache in one\ninstance, come back around and attempt to write it again.  However on\nthe second pass through we go to call btrfs_get_extent() on the inode to\nget the extent mapping.  Because this is a new block group, and with the\nfree space inode we always search the commit root to avoid deadlocking\nwith the tree, we find nothing and return a EXTENT_MAP_HOLE for the\nrequested range.\r\n\r\nThis happens because the first time we try to write the space cache out\nwe hit an error, and on an error we drop the extent mapping.  This is\nnormal for normal files, but the free space cache inode is special.  We\nalways expect the extent map to be correct.  Thus the second time\nthrough we end up with a bogus extent map.\r\n\r\nSince we're deprecating this feature, the most straightforward way to\nfix this is to simply skip dropping the extent map range for this failed\nrange.\r\n\r\nI shortened the test by using error injection to stress the area to make\nit easier to reproduce.  With this patch in place we no longer panic\nwith my error injection test.(CVE-2024-26726)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\narp: Prevent overflow in arp_req_get().\r\n\r\nsyzkaller reported an overflown write in arp_req_get(). [0]\r\n\r\nWhen ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour\nentry and copies neigh->ha to struct arpreq.arp_ha.sa_data.\r\n\r\nThe arp_ha here is struct sockaddr, not struct sockaddr_storage, so\nthe sa_data buffer is just 14 bytes.\r\n\r\nIn the splat below, 2 bytes are overflown to the next int field,\narp_flags.  We initialise the field just after the memcpy(), so it's\nnot a problem.\r\n\r\nHowever, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN),\narp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL)\nin arp_ioctl() before calling arp_req_get().\r\n\r\nTo avoid the overflow, let's limit the max length of memcpy().\r\n\r\nNote that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible\narray in struct sockaddr\") just silenced syzkaller.\r\n\r\n[0]:\nmemcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14)\nWARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128\nModules linked in:\nCPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014\nRIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128\nCode: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6\nRSP: 0018:ffffc900050b7998 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001\nRBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000\nR13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010\nFS:  00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <TASK>\n arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261\n inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981\n sock_do_ioctl+0xdf/0x260 net/socket.c:1204\n sock_ioctl+0x3ef/0x650 net/socket.c:1321\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x64/0xce\nRIP: 0033:0x7f172b262b8d\nCode: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d\nRDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003\nRBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000\n </TASK>(CVE-2024-26733)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndevlink: fix possible use-after-free and memory leaks in devlink_init()\r\n\r\nThe pernet operations structure for the subsystem must be registered\nbefore registering the generic netlink family.\r\n\r\nMake an unregister in case of unsuccessful registration.(CVE-2024-26734)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: sr: fix possible use-after-free and null-ptr-deref\r\n\r\nThe pernet operations structure for the subsystem must be registered\nbefore registering the generic netlink family.(CVE-2024-26735)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: act_mirred: don't override retval if we already lost the skb\r\n\r\nIf we're redirecting the skb, and haven't called tcf_mirred_forward(),\nyet, we need to tell the core to drop the skb by setting the retcode\nto SHOT. If we have called tcf_mirred_forward(), however, the skb\nis out of our hands and returning SHOT will lead to UaF.\r\n\r\nMove the retval override to the error path which actually need it.(CVE-2024-26739)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: act_mirred: use the backlog for mirred ingress\r\n\r\nThe test Davide added in commit ca22da2fbd69 (\"act_mirred: use the backlog\nfor nested calls to mirred ingress\") hangs our testing VMs every 10 or so\nruns, with the familiar tcp_v4_rcv -> tcp_v4_rcv deadlock reported by\nlockdep.\r\n\r\nThe problem as previously described by Davide (see Link) is that\nif we reverse flow of traffic with the redirect (egress -> ingress)\nwe may reach the same socket which generated the packet. And we may\nstill be holding its socket lock. The common solution to such deadlocks\nis to put the packet in the Rx backlog, rather than run the Rx path\ninline. Do that for all egress -> ingress reversals, not just once\nwe started to nest mirred calls.\r\n\r\nIn the past there was a concern that the backlog indirection will\nlead to loss of error reporting / less accurate stats. But the current\nworkaround does not seem to address the issue.(CVE-2024-26740)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/qedr: Fix qedr_create_user_qp error flow\r\n\r\nAvoid the following warning by making sure to free the allocated\nresources in case that qedr_init_user_queue() fail.\r\n\r\n-----------[ cut here ]-----------\nWARNING: CPU: 0 PID: 143192 at drivers/infiniband/core/rdma_core.c:874 uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nModules linked in: tls target_core_user uio target_core_pscsi target_core_file target_core_iblock ib_srpt ib_srp scsi_transport_srp nfsd nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs 8021q garp mrp stp llc ext4 mbcache jbd2 opa_vnic ib_umad ib_ipoib sunrpc rdma_ucm ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm hfi1 intel_rapl_msr intel_rapl_common mgag200 qedr sb_edac drm_shmem_helper rdmavt x86_pkg_temp_thermal drm_kms_helper intel_powerclamp ib_uverbs coretemp i2c_algo_bit kvm_intel dell_wmi_descriptor ipmi_ssif sparse_keymap kvm ib_core rfkill syscopyarea sysfillrect video sysimgblt irqbypass ipmi_si ipmi_devintf fb_sys_fops rapl iTCO_wdt mxm_wmi iTCO_vendor_support intel_cstate pcspkr dcdbas intel_uncore ipmi_msghandler lpc_ich acpi_power_meter mei_me mei fuse drm xfs libcrc32c qede sd_mod ahci libahci t10_pi sg crct10dif_pclmul crc32_pclmul crc32c_intel qed libata tg3\nghash_clmulni_intel megaraid_sas crc8 wmi [last unloaded: ib_srpt]\nCPU: 0 PID: 143192 Comm: fi_rdm_tagged_p Kdump: loaded Not tainted 5.14.0-408.el9.x86_64 #1\nHardware name: Dell Inc. PowerEdge R430/03XKDV, BIOS 2.14.0 01/25/2022\nRIP: 0010:uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nCode: 5d 41 5c 41 5d 41 5e e9 0f 26 1b dd 48 89 df e8 67 6a ff ff 49 8b 86 10 01 00 00 48 85 c0 74 9c 4c 89 e7 e8 83 c0 cb dd eb 92 <0f> 0b eb be 0f 0b be 04 00 00 00 48 89 df e8 8e f5 ff ff e9 6d ff\nRSP: 0018:ffffb7c6cadfbc60 EFLAGS: 00010286\nRAX: ffff8f0889ee3f60 RBX: ffff8f088c1a5200 RCX: 00000000802a0016\nRDX: 00000000802a0017 RSI: 0000000000000001 RDI: ffff8f0880042600\nRBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000\nR10: ffff8f11fffd5000 R11: 0000000000039000 R12: ffff8f0d5b36cd80\nR13: ffff8f088c1a5250 R14: ffff8f1206d91000 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff8f11d7c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000147069200e20 CR3: 00000001c7210002 CR4: 00000000001706f0\nCall Trace:\n<TASK>\n? show_trace_log_lvl+0x1c4/0x2df\n? show_trace_log_lvl+0x1c4/0x2df\n? ib_uverbs_close+0x1f/0xb0 [ib_uverbs]\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\n? __warn+0x81/0x110\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\n? report_bug+0x10a/0x140\n? handle_bug+0x3c/0x70\n? exc_invalid_op+0x14/0x70\n? asm_exc_invalid_op+0x16/0x20\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nib_uverbs_close+0x1f/0xb0 [ib_uverbs]\n__fput+0x94/0x250\ntask_work_run+0x5c/0x90\ndo_exit+0x270/0x4a0\ndo_group_exit+0x2d/0x90\nget_signal+0x87c/0x8c0\narch_do_signal_or_restart+0x25/0x100\n? ib_uverbs_ioctl+0xc2/0x110 [ib_uverbs]\nexit_to_user_mode_loop+0x9c/0x130\nexit_to_user_mode_prepare+0xb6/0x100\nsyscall_exit_to_user_mode+0x12/0x40\ndo_syscall_64+0x69/0x90\n? syscall_exit_work+0x103/0x130\n? syscall_exit_to_user_mode+0x22/0x40\n? do_syscall_64+0x69/0x90\n? syscall_exit_work+0x103/0x130\n? syscall_exit_to_user_mode+0x22/0x40\n? do_syscall_64+0x69/0x90\n? do_syscall_64+0x69/0x90\n? common_interrupt+0x43/0xa0\nentry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x1470abe3ec6b\nCode: Unable to access opcode bytes at RIP 0x1470abe3ec41.\nRSP: 002b:00007fff13ce9108 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: fffffffffffffffc RBX: 00007fff13ce9218 RCX: 00001470abe3ec6b\nRDX: 00007fff13ce9200 RSI: 00000000c0181b01 RDI: 0000000000000004\nRBP: 00007fff13ce91e0 R08: 0000558d9655da10 R09: 0000558d9655dd00\nR10: 00007fff13ce95c0 R11: 0000000000000246 R12: 00007fff13ce9358\nR13: 0000000000000013 R14: 0000558d9655db50 R15: 00007fff13ce9470\n</TASK>\n--[ end trace 888a9b92e04c5c97 ]--(CVE-2024-26743)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/srpt: Support specifying the srpt_service_guid parameter\r\n\r\nMake loading ib_srpt with this parameter set work. The current behavior is\nthat setting that parameter while loading the ib_srpt kernel module\ntriggers the following kernel crash:\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nCall Trace:\n <TASK>\n parse_one+0x18c/0x1d0\n parse_args+0xe1/0x230\n load_module+0x8de/0xa60\n init_module_from_file+0x8b/0xd0\n idempotent_init_module+0x181/0x240\n __x64_sys_finit_module+0x5a/0xb0\n do_syscall_64+0x5f/0xe0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76(CVE-2024-26744)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()\r\n\r\nThe gtp_net_ops pernet operations structure for the subsystem must be\nregistered before registering the generic netlink family.\r\n\r\nSyzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:\r\n\r\ngeneral protection fault, probably for non-canonical address\n0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\nCPU: 1 PID: 5826 Comm: gtp Not tainted 6.8.0-rc3-std-def-alt1 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014\nRIP: 0010:gtp_genl_dump_pdp+0x1be/0x800 [gtp]\nCode: c6 89 c6 e8 64 e9 86 df 58 45 85 f6 0f 85 4e 04 00 00 e8 c5 ee 86\n      df 48 8b 54 24 18 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80>\n      3c 02 00 0f 85 de 05 00 00 48 8b 44 24 18 4c 8b 30 4c 39 f0 74\nRSP: 0018:ffff888014107220 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: ffff88800fcda588 R14: 0000000000000001 R15: 0000000000000000\nFS:  00007f1be4eb05c0(0000) GS:ffff88806ce80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1be4e766cf CR3: 000000000c33e000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? show_regs+0x90/0xa0\n ? die_addr+0x50/0xd0\n ? exc_general_protection+0x148/0x220\n ? asm_exc_general_protection+0x22/0x30\n ? gtp_genl_dump_pdp+0x1be/0x800 [gtp]\n ? __alloc_skb+0x1dd/0x350\n ? __pfx___alloc_skb+0x10/0x10\n genl_dumpit+0x11d/0x230\n netlink_dump+0x5b9/0xce0\n ? lockdep_hardirqs_on_prepare+0x253/0x430\n ? __pfx_netlink_dump+0x10/0x10\n ? kasan_save_track+0x10/0x40\n ? __kasan_kmalloc+0x9b/0xa0\n ? genl_start+0x675/0x970\n __netlink_dump_start+0x6fc/0x9f0\n genl_family_rcv_msg_dumpit+0x1bb/0x2d0\n ? __pfx_genl_family_rcv_msg_dumpit+0x10/0x10\n ? genl_op_from_small+0x2a/0x440\n ? cap_capable+0x1d0/0x240\n ? __pfx_genl_start+0x10/0x10\n ? __pfx_genl_dumpit+0x10/0x10\n ? __pfx_genl_done+0x10/0x10\n ? security_capable+0x9d/0xe0(CVE-2024-26754)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndm-crypt: don't modify the data when using authenticated encryption\r\n\r\nIt was said that authenticated encryption could produce invalid tag when\nthe data that is being encrypted is modified [1]. So, fix this problem by\ncopying the data into the clone bio first and then encrypt them inside the\nclone bio.\r\n\r\nThis may reduce performance, but it is needed to prevent the user from\ncorrupting the device by writing data with O_DIRECT and modifying them at\nthe same time.\r\n\r\n[1] https://lore.kernel.org/all/20240207004723.GA35324@sol.localdomain/T/(CVE-2024-26763)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nspi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected\r\n\r\nReturn IRQ_NONE from the interrupt handler when no interrupt was\ndetected. Because an empty interrupt will cause a null pointer error:\r\n\r\n    Unable to handle kernel NULL pointer dereference at virtual\n  address 0000000000000008\n    Call trace:\n        complete+0x54/0x100\n        hisi_sfc_v3xx_isr+0x2c/0x40 [spi_hisi_sfc_v3xx]\n        __handle_irq_event_percpu+0x64/0x1e0\n        handle_irq_event+0x7c/0x1cc(CVE-2024-26776)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmptcp: fix double-free on socket dismantle\r\n\r\nwhen MPTCP server accepts an incoming connection, it clones its listener\nsocket. However, the pointer to 'inet_opt' for the new socket has the same\nvalue as the original one: as a consequence, on program exit it's possible\nto observe the following splat:\r\n\r\n  BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0\n  Free of addr ffff888485950880 by task swapper/25/0\r\n\r\n  CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609\n  Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0  07/26/2013\n  Call Trace:\n   <IRQ>\n   dump_stack_lvl+0x32/0x50\n   print_report+0xca/0x620\n   kasan_report_invalid_free+0x64/0x90\n   __kasan_slab_free+0x1aa/0x1f0\n   kfree+0xed/0x2e0\n   inet_sock_destruct+0x54f/0x8b0\n   __sk_destruct+0x48/0x5b0\n   rcu_do_batch+0x34e/0xd90\n   rcu_core+0x559/0xac0\n   __do_softirq+0x183/0x5a4\n   irq_exit_rcu+0x12d/0x170\n   sysvec_apic_timer_interrupt+0x6b/0x80\n   </IRQ>\n   <TASK>\n   asm_sysvec_apic_timer_interrupt+0x16/0x20\n  RIP: 0010:cpuidle_enter_state+0x175/0x300\n  Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b\n  RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202\n  RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000\n  RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588\n  RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080\n  R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0\n  R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80\n   cpuidle_enter+0x4a/0xa0\n   do_idle+0x310/0x410\n   cpu_startup_entry+0x51/0x60\n   start_secondary+0x211/0x270\n   secondary_startup_64_no_verify+0x184/0x18b\n   </TASK>\r\n\r\n  Allocated by task 6853:\n   kasan_save_stack+0x1c/0x40\n   kasan_save_track+0x10/0x30\n   __kasan_kmalloc+0xa6/0xb0\n   __kmalloc+0x1eb/0x450\n   cipso_v4_sock_setattr+0x96/0x360\n   netlbl_sock_setattr+0x132/0x1f0\n   selinux_netlbl_socket_post_create+0x6c/0x110\n   selinux_socket_post_create+0x37b/0x7f0\n   security_socket_post_create+0x63/0xb0\n   __sock_create+0x305/0x450\n   __sys_socket_create.part.23+0xbd/0x130\n   __sys_socket+0x37/0xb0\n   __x64_sys_socket+0x6f/0xb0\n   do_syscall_64+0x83/0x160\n   entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\n  Freed by task 6858:\n   kasan_save_stack+0x1c/0x40\n   kasan_save_track+0x10/0x30\n   kasan_save_free_info+0x3b/0x60\n   __kasan_slab_free+0x12c/0x1f0\n   kfree+0xed/0x2e0\n   inet_sock_destruct+0x54f/0x8b0\n   __sk_destruct+0x48/0x5b0\n   subflow_ulp_release+0x1f0/0x250\n   tcp_cleanup_ulp+0x6e/0x110\n   tcp_v4_destroy_sock+0x5a/0x3a0\n   inet_csk_destroy_sock+0x135/0x390\n   tcp_fin+0x416/0x5c0\n   tcp_data_queue+0x1bc8/0x4310\n   tcp_rcv_state_process+0x15a3/0x47b0\n   tcp_v4_do_rcv+0x2c1/0x990\n   tcp_v4_rcv+0x41fb/0x5ed0\n   ip_protocol_deliver_rcu+0x6d/0x9f0\n   ip_local_deliver_finish+0x278/0x360\n   ip_local_deliver+0x182/0x2c0\n   ip_rcv+0xb5/0x1c0\n   __netif_receive_skb_one_core+0x16e/0x1b0\n   process_backlog+0x1e3/0x650\n   __napi_poll+0xa6/0x500\n   net_rx_action+0x740/0xbb0\n   __do_softirq+0x183/0x5a4\r\n\r\n  The buggy address belongs to the object at ffff888485950880\n   which belongs to the cache kmalloc-64 of size 64\n  The buggy address is located 0 bytes inside of\n   64-byte region [ffff888485950880, ffff8884859508c0)\r\n\r\n  The buggy address belongs to the physical page:\n  page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950\n  flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff)\n  page_type: 0xffffffff()\n  raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006\n  raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000\n  page dumped because: kasan: bad access detected\r\n\r\n  Memory state around the buggy address:\n   ffff888485950780: fa fb fb\n---truncated---(CVE-2024-26782)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmmc: mmci: stm32: fix DMA API overlapping mappings warning\r\n\r\nTurning on CONFIG_DMA_API_DEBUG_SG results in the following warning:\r\n\r\nDMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST,\noverlapping mappings aren't supported\nWARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568\nadd_dma_entry+0x234/0x2f4\nModules linked in:\nCPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1\nHardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT)\nWorkqueue: events_freezable mmc_rescan\nCall trace:\nadd_dma_entry+0x234/0x2f4\ndebug_dma_map_sg+0x198/0x350\n__dma_map_sg_attrs+0xa0/0x110\ndma_map_sg_attrs+0x10/0x2c\nsdmmc_idma_prep_data+0x80/0xc0\nmmci_prep_data+0x38/0x84\nmmci_start_data+0x108/0x2dc\nmmci_request+0xe4/0x190\n__mmc_start_request+0x68/0x140\nmmc_start_request+0x94/0xc0\nmmc_wait_for_req+0x70/0x100\nmmc_send_tuning+0x108/0x1ac\nsdmmc_execute_tuning+0x14c/0x210\nmmc_execute_tuning+0x48/0xec\nmmc_sd_init_uhs_card.part.0+0x208/0x464\nmmc_sd_init_card+0x318/0x89c\nmmc_attach_sd+0xe4/0x180\nmmc_rescan+0x244/0x320\r\n\r\nDMA API debug brings to light leaking dma-mappings as dma_map_sg and\ndma_unmap_sg are not correctly balanced.\r\n\r\nIf an error occurs in mmci_cmd_irq function, only mmci_dma_error\nfunction is called and as this API is not managed on stm32 variant,\ndma_unmap_sg is never called in this error path.(CVE-2024-26787)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: dev-replace: properly validate device names\r\n\r\nThere's a syzbot report that device name buffers passed to device\nreplace are not properly checked for string termination which could lead\nto a read out of bounds in getname_kernel().\r\n\r\nAdd a helper that validates both source and target device name buffers.\nFor devid as the source initialize the buffer to empty string in case\nsomething tries to read it later.\r\n\r\nThis was originally analyzed and fixed in a different way by Edward Adam\nDavis (see links).(CVE-2024-26791)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: fix double free of anonymous device after snapshot creation failure\r\n\r\nWhen creating a snapshot we may do a double free of an anonymous device\nin case there's an error committing the transaction. The second free may\nresult in freeing an anonymous device number that was allocated by some\nother subsystem in the kernel or another btrfs filesystem.\r\n\r\nThe steps that lead to this:\r\n\r\n1) At ioctl.c:create_snapshot() we allocate an anonymous device number\n   and assign it to pending_snapshot->anon_dev;\r\n\r\n2) Then we call btrfs_commit_transaction() and end up at\n   transaction.c:create_pending_snapshot();\r\n\r\n3) There we call btrfs_get_new_fs_root() and pass it the anonymous device\n   number stored in pending_snapshot->anon_dev;\r\n\r\n4) btrfs_get_new_fs_root() frees that anonymous device number because\n   btrfs_lookup_fs_root() returned a root - someone else did a lookup\n   of the new root already, which could some task doing backref walking;\r\n\r\n5) After that some error happens in the transaction commit path, and at\n   ioctl.c:create_snapshot() we jump to the 'fail' label, and after\n   that we free again the same anonymous device number, which in the\n   meanwhile may have been reallocated somewhere else, because\n   pending_snapshot->anon_dev still has the same value as in step 1.\r\n\r\nRecently syzbot ran into this and reported the following trace:\r\n\r\n  ------------[ cut here ]------------\n  ida_free called for id=51 which is not allocated.\n  WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525\n  Modules linked in:\n  CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\n  RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525\n  Code: 10 42 80 3c 28 (...)\n  RSP: 0018:ffffc90015a67300 EFLAGS: 00010246\n  RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000\n  RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000\n  RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4\n  R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246\n  R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246\n  FS:  00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0\n  Call Trace:\n   <TASK>\n   btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346\n   create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837\n   create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931\n   btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404\n   create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848\n   btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998\n   btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044\n   __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306\n   btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393\n   btrfs_ioctl+0xa74/0xd40\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:871 [inline]\n   __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857\n   do_syscall_64+0xfb/0x240\n   entry_SYSCALL_64_after_hwframe+0x6f/0x77\n  RIP: 0033:0x7fca3e67dda9\n  Code: 28 00 00 00 (...)\n  RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9\n  RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003\n  RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658\n   </TASK>\r\n\r\nWhere we get an explicit message where we attempt to free an anonymous\ndevice number that is not currently allocated. It happens in a different\ncode path from the example below, at btrfs_get_root_ref(), so this change\nmay not fix the case triggered by sy\n---truncated---(CVE-2024-26792)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: Avoid potential use-after-free in hci_error_reset\r\n\r\nWhile handling the HCI_EV_HARDWARE_ERROR event, if the underlying\nBT controller is not responding, the GPIO reset mechanism would\nfree the hci_dev and lead to a use-after-free in hci_error_reset.\r\n\r\nHere's the call trace observed on a ChromeOS device with Intel AX201:\n   queue_work_on+0x3e/0x6c\n   __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth <HASH:3b4a6>]\n   ? init_wait_entry+0x31/0x31\n   __hci_cmd_sync+0x16/0x20 [bluetooth <HASH:3b4a 6>]\n   hci_error_reset+0x4f/0xa4 [bluetooth <HASH:3b4a 6>]\n   process_one_work+0x1d8/0x33f\n   worker_thread+0x21b/0x373\n   kthread+0x13a/0x152\n   ? pr_cont_work+0x54/0x54\n   ? kthread_blkcg+0x31/0x31\n    ret_from_fork+0x1f/0x30\r\n\r\nThis patch holds the reference count on the hci_dev while processing\na HCI_EV_HARDWARE_ERROR event to avoid potential crash.(CVE-2024-26801)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: ip_tunnel: prevent perpetual headroom growth\r\n\r\nsyzkaller triggered following kasan splat:\nBUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170\nRead of size 1 at addr ffff88812fb4000e by task syz-executor183/5191\n[..]\n kasan_report+0xda/0x110 mm/kasan/report.c:588\n __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170\n skb_flow_dissect_flow_keys include/linux/skbuff.h:1514 [inline]\n ___skb_get_hash net/core/flow_dissector.c:1791 [inline]\n __skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856\n skb_get_hash include/linux/skbuff.h:1556 [inline]\n ip_tunnel_xmit+0x1855/0x33c0 net/ipv4/ip_tunnel.c:748\n ipip_tunnel_xmit+0x3cc/0x4e0 net/ipv4/ipip.c:308\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564\n __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4349\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\n neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1592\n ...\n ip_finish_output2+0x833/0x2550 net/ipv4/ip_output.c:235\n ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323\n ..\n iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82\n ip_tunnel_xmit+0x1dbc/0x33c0 net/ipv4/ip_tunnel.c:831\n ipgre_xmit+0x4a1/0x980 net/ipv4/ip_gre.c:665\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564\n ...\r\n\r\nThe splat occurs because skb->data points past skb->head allocated area.\nThis is because neigh layer does:\n  __skb_pull(skb, skb_network_offset(skb));\r\n\r\n... but skb_network_offset() returns a negative offset and __skb_pull()\narg is unsigned.  IOW, we skb->data gets \"adjusted\" by a huge value.\r\n\r\nThe negative value is returned because skb->head and skb->data distance is\nmore than 64k and skb->network_header (u16) has wrapped around.\r\n\r\nThe bug is in the ip_tunnel infrastructure, which can cause\ndev->needed_headroom to increment ad infinitum.\r\n\r\nThe syzkaller reproducer consists of packets getting routed via a gre\ntunnel, and route of gre encapsulated packets pointing at another (ipip)\ntunnel.  The ipip encapsulation finds gre0 as next output device.\r\n\r\nThis results in the following pattern:\r\n\r\n1). First packet is to be sent out via gre0.\nRoute lookup found an output device, ipip0.\r\n\r\n2).\nip_tunnel_xmit for gre0 bumps gre0->needed_headroom based on the future\noutput device, rt.dev->needed_headroom (ipip0).\r\n\r\n3).\nip output / start_xmit moves skb on to ipip0. which runs the same\ncode path again (xmit recursion).\r\n\r\n4).\nRouting step for the post-gre0-encap packet finds gre0 as output device\nto use for ipip0 encapsulated packet.\r\n\r\ntunl0->needed_headroom is then incremented based on the (already bumped)\ngre0 device headroom.\r\n\r\nThis repeats for every future packet:\r\n\r\ngre0->needed_headroom gets inflated because previous packets' ipip0 step\nincremented rt->dev (gre0) headroom, and ipip0 incremented because gre0\nneeded_headroom was increased.\r\n\r\nFor each subsequent packet, gre/ipip0->needed_headroom grows until\npost-expand-head reallocations result in a skb->head/data distance of\nmore than 64k.\r\n\r\nOnce that happens, skb->network_header (u16) wraps around when\npskb_expand_head tries to make sure that skb_network_offset() is unchanged\nafter the headroom expansion/reallocation.\r\n\r\nAfter this skb_network_offset(skb) returns a different (and negative)\nresult post headroom expansion.\r\n\r\nThe next trip to neigh layer (or anything else that would __skb_pull the\nnetwork header) makes skb->data point to a memory location outside\nskb->head area.\r\n\r\nv2: Cap the needed_headroom update to an arbitarily chosen upperlimit to\nprevent perpetual increase instead of dropping the headroom increment\ncompletely.(CVE-2024-26804)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetlink: Fix kernel-infoleak-after-free in __skb_datagram_iter\r\n\r\nsyzbot reported the following uninit-value access issue [1]:\r\n\r\nnetlink_to_full_skb() creates a new `skb` and puts the `skb->data`\npassed as a 1st arg of netlink_to_full_skb() onto new `skb`. The data\nsize is specified as `len` and passed to skb_put_data(). This `len`\nis based on `skb->end` that is not data offset but buffer offset. The\n`skb->end` contains data and tailroom. Since the tailroom is not\ninitialized when the new `skb` created, KMSAN detects uninitialized\nmemory area when copying the data.\r\n\r\nThis patch resolved this issue by correct the len from `skb->end` to\n`skb->len`, which is the actual data offset.\r\n\r\nBUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in copy_to_user_iter lib/iov_iter.c:24 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_ubuf include/linux/iov_iter.h:29 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance include/linux/iov_iter.h:271 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186\n copy_to_iter include/linux/uio.h:197 [inline]\n simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:532\n __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:420\n skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]\n packet_recvmsg+0xd9c/0x2000 net/packet/af_packet.c:3482\n sock_recvmsg_nosec net/socket.c:1044 [inline]\n sock_recvmsg net/socket.c:1066 [inline]\n sock_read_iter+0x467/0x580 net/socket.c:1136\n call_read_iter include/linux/fs.h:2014 [inline]\n new_sync_read fs/read_write.c:389 [inline]\n vfs_read+0x8f6/0xe00 fs/read_write.c:470\n ksys_read+0x20f/0x4c0 fs/read_write.c:613\n __do_sys_read fs/read_write.c:623 [inline]\n __se_sys_read fs/read_write.c:621 [inline]\n __x64_sys_read+0x93/0xd0 fs/read_write.c:621\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was stored to memory at:\n skb_put_data include/linux/skbuff.h:2622 [inline]\n netlink_to_full_skb net/netlink/af_netlink.c:181 [inline]\n __netlink_deliver_tap_skb net/netlink/af_netlink.c:298 [inline]\n __netlink_deliver_tap+0x5be/0xc90 net/netlink/af_netlink.c:325\n netlink_deliver_tap net/netlink/af_netlink.c:338 [inline]\n netlink_deliver_tap_kernel net/netlink/af_netlink.c:347 [inline]\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x10f1/0x1250 net/netlink/af_netlink.c:1368\n netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was created at:\n free_pages_prepare mm/page_alloc.c:1087 [inline]\n free_unref_page_prepare+0xb0/0xa40 mm/page_alloc.c:2347\n free_unref_page_list+0xeb/0x1100 mm/page_alloc.c:2533\n release_pages+0x23d3/0x2410 mm/swap.c:1042\n free_pages_and_swap_cache+0xd9/0xf0 mm/swap_state.c:316\n tlb_batch_pages\n---truncated---(CVE-2024-26805)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain\r\n\r\nRemove netdevice from inet/ingress basechain in case NETDEV_UNREGISTER\nevent is reported, otherwise a stale reference to netdevice remains in\nthe hook list.(CVE-2024-26808)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nft_set_pipapo: release elements in clone only from destroy path\r\n\r\nClone already always provides a current view of the lookup table, use it\nto destroy the set, otherwise it is possible to destroy elements twice.\r\n\r\nThis fix requires:\r\n\r\n 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\")\r\n\r\nwhich came after:\r\n\r\n 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").(CVE-2024-26809)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: validate payload size in ipc response\r\n\r\nIf installing malicious ksmbd-tools, ksmbd.mountd can return invalid ipc\nresponse to ksmbd kernel server. ksmbd should validate payload size of\nipc response from ksmbd.mountd to avoid memory overrun or\nslab-out-of-bounds. This patch validate 3 ipc response that has payload.(CVE-2024-26811)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/pci: Create persistent INTx handler\r\n\r\nA vulnerability exists where the eventfd for INTx signaling can be\ndeconfigured, which unregisters the IRQ handler but still allows\neventfds to be signaled with a NULL context through the SET_IRQS ioctl\nor through unmask irqfd if the device interrupt is pending.\r\n\r\nIdeally this could be solved with some additional locking; the igate\nmutex serializes the ioctl and config space accesses, and the interrupt\nhandler is unregistered relative to the trigger, but the irqfd path\nruns asynchronous to those.  The igate mutex cannot be acquired from the\natomic context of the eventfd wake function.  Disabling the irqfd\nrelative to the eventfd registration is potentially incompatible with\nexisting userspace.\r\n\r\nAs a result, the solution implemented here moves configuration of the\nINTx interrupt handler to track the lifetime of the INTx context object\nand irq_type configuration, rather than registration of a particular\ntrigger eventfd.  Synchronization is added between the ioctl path and\neventfd_signal() wrapper such that the eventfd trigger can be\ndynamically updated relative to in-flight interrupts or irqfd callbacks.(CVE-2024-26812)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/fsl-mc: Block calling interrupt handler without trigger\r\n\r\nThe eventfd_ctx trigger pointer of the vfio_fsl_mc_irq object is\ninitially NULL and may become NULL if the user sets the trigger\neventfd to -1.  The interrupt handler itself is guaranteed that\ntrigger is always valid between request_irq() and free_irq(), but\nthe loopback testing mechanisms to invoke the handler function\nneed to test the trigger.  The triggering and setting ioctl paths\nboth make use of igate and are therefore mutually exclusive.\r\n\r\nThe vfio-fsl-mc driver does not make use of irqfds, nor does it\nsupport any sort of masking operations, therefore unlike vfio-pci\nand vfio-platform, the flow can remain essentially unchanged.(CVE-2024-26814)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\namdkfd: use calloc instead of kzalloc to avoid integer overflow\r\n\r\nThis uses calloc instead of doing the multiplication which might\noverflow.(CVE-2024-26817)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncifs: fix underflow in parse_server_interfaces()\r\n\r\nIn this loop, we step through the buffer and after each item we check\nif the size_left is greater than the minimum size we need.  However,\nthe problem is that \"bytes_left\" is type ssize_t while sizeof() is type\nsize_t.  That means that because of type promotion, the comparison is\ndone as an unsigned and if we have negative bytes left the loop\ncontinues instead of ending.(CVE-2024-26828)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: ir_toy: fix a memleak in irtoy_tx\r\n\r\nWhen irtoy_command fails, buf should be freed since it is allocated by\nirtoy_tx, or there is a memleak.(CVE-2024-26829)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nIB/hfi1: Fix a memleak in init_credit_return\r\n\r\nWhen dma_alloc_coherent fails to allocate dd->cr_base[i].va,\ninit_credit_return should deallocate dd->cr_base and\ndd->cr_base[i] that allocated before. Or those resources\nwould be never freed and a memleak is triggered.(CVE-2024-26839)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncachefiles: fix memory leak in cachefiles_add_cache()\r\n\r\nThe following memory leak was reported after unbinding /dev/cachefiles:\r\n\r\n==================================================================\nunreferenced object 0xffff9b674176e3c0 (size 192):\n  comm \"cachefilesd2\", pid 680, jiffies 4294881224\n  hex dump (first 32 bytes):\n    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc ea38a44b):\n    [<ffffffff8eb8a1a5>] kmem_cache_alloc+0x2d5/0x370\n    [<ffffffff8e917f86>] prepare_creds+0x26/0x2e0\n    [<ffffffffc002eeef>] cachefiles_determine_cache_security+0x1f/0x120\n    [<ffffffffc00243ec>] cachefiles_add_cache+0x13c/0x3a0\n    [<ffffffffc0025216>] cachefiles_daemon_write+0x146/0x1c0\n    [<ffffffff8ebc4a3b>] vfs_write+0xcb/0x520\n    [<ffffffff8ebc5069>] ksys_write+0x69/0xf0\n    [<ffffffff8f6d4662>] do_syscall_64+0x72/0x140\n    [<ffffffff8f8000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n==================================================================\r\n\r\nPut the reference count of cache_cred in cachefiles_daemon_unbind() to\nfix the problem. And also put cache_cred in cachefiles_add_cache() error\nbranch to avoid memory leaks.(CVE-2024-26840)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nefi: runtime: Fix potential overflow of soft-reserved region size\r\n\r\nmd_size will have been narrowed if we have >= 4GB worth of pages in a\nsoft-reserved region.(CVE-2024-26843)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnvme-fc: do not wait in vain when unloading module\r\n\r\nThe module exit path has race between deleting all controllers and\nfreeing 'left over IDs'. To prevent double free a synchronization\nbetween nvme_delete_ctrl and ida_destroy has been added by the initial\ncommit.\r\n\r\nThere is some logic around trying to prevent from hanging forever in\nwait_for_completion, though it does not handling all cases. E.g.\nblktests is able to reproduce the situation where the module unload\nhangs forever.\r\n\r\nIf we completely rely on the cleanup code executed from the\nnvme_delete_ctrl path, all IDs will be freed eventually. This makes\ncalling ida_destroy unnecessary. We only have to ensure that all\nnvme_delete_ctrl code has been executed before we leave\nnvme_fc_exit_module. This is done by flushing the nvme_delete_wq\nworkqueue.\r\n\r\nWhile at it, remove the unused nvme_fc_wq workqueue too.(CVE-2024-26846)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/ipv6: avoid possible UAF in ip6_route_mpath_notify()\r\n\r\nsyzbot found another use-after-free in ip6_route_mpath_notify() [1]\r\n\r\nCommit f7225172f25a (\"net/ipv6: prevent use after free in\nip6_route_mpath_notify\") was not able to fix the root cause.\r\n\r\nWe need to defer the fib6_info_release() calls after\nip6_route_mpath_notify(), in the cleanup phase.\r\n\r\n[1]\nBUG: KASAN: slab-use-after-free in rt6_fill_node+0x1460/0x1ac0\nRead of size 4 at addr ffff88809a07fc64 by task syz-executor.2/23037\r\n\r\nCPU: 0 PID: 23037 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-01035-gea7f3cfaa588 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x167/0x540 mm/kasan/report.c:488\n  kasan_report+0x142/0x180 mm/kasan/report.c:601\n rt6_fill_node+0x1460/0x1ac0\n  inet6_rt_notify+0x13b/0x290 net/ipv6/route.c:6184\n  ip6_route_mpath_notify net/ipv6/route.c:5198 [inline]\n  ip6_route_multipath_add net/ipv6/route.c:5404 [inline]\n  inet6_rtm_newroute+0x1d0f/0x2300 net/ipv6/route.c:5517\n  rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597\n  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n  netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n  netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n  netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x221/0x270 net/socket.c:745\n  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n  ___sys_sendmsg net/socket.c:2638 [inline]\n  __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\nRIP: 0033:0x7f73dd87dda9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f73de6550c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f73dd9ac050 RCX: 00007f73dd87dda9\nRDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005\nRBP: 00007f73dd8ca47a R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000006e R14: 00007f73dd9ac050 R15: 00007ffdbdeb7858\n </TASK>\r\n\r\nAllocated by task 23037:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  poison_kmalloc_redzone mm/kasan/common.c:372 [inline]\n  __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:389\n  kasan_kmalloc include/linux/kasan.h:211 [inline]\n  __do_kmalloc_node mm/slub.c:3981 [inline]\n  __kmalloc+0x22e/0x490 mm/slub.c:3994\n  kmalloc include/linux/slab.h:594 [inline]\n  kzalloc include/linux/slab.h:711 [inline]\n  fib6_info_alloc+0x2e/0xf0 net/ipv6/ip6_fib.c:155\n  ip6_route_info_create+0x445/0x12b0 net/ipv6/route.c:3758\n  ip6_route_multipath_add net/ipv6/route.c:5298 [inline]\n  inet6_rtm_newroute+0x744/0x2300 net/ipv6/route.c:5517\n  rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597\n  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n  netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n  netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n  netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x221/0x270 net/socket.c:745\n  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n  ___sys_sendmsg net/socket.c:2638 [inline]\n  __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\r\n\r\nFreed by task 16:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  kasan_save_free_info+0x4e/0x60 mm/kasan/generic.c:640\n  poison_slab_object+0xa6/0xe0 m\n---truncated---(CVE-2024-26852)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()\r\n\r\nThe function ice_bridge_setlink() may encounter a NULL pointer dereference\nif nlmsg_find_attr() returns NULL and br_spec is dereferenced subsequently\nin nla_for_each_nested(). To address this issue, add a check to ensure that\nbr_spec is not NULL before proceeding with the nested attribute iteration.(CVE-2024-26855)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/bnx2x: Prevent access to a freed page in page_pool\r\n\r\nFix race condition leading to system crash during EEH error handling\r\n\r\nDuring EEH error recovery, the bnx2x driver's transmit timeout logic\ncould cause a race condition when handling reset tasks. The\nbnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(),\nwhich ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload()\nSGEs are freed using bnx2x_free_rx_sge_range(). However, this could\noverlap with the EEH driver's attempt to reset the device using\nbnx2x_io_slot_reset(), which also tries to free SGEs. This race\ncondition can result in system crashes due to accessing freed memory\nlocations in bnx2x_free_rx_sge()\r\n\r\n799  static inline void bnx2x_free_rx_sge(struct bnx2x *bp,\n800\t\t\t\tstruct bnx2x_fastpath *fp, u16 index)\n801  {\n802\tstruct sw_rx_page *sw_buf = &fp->rx_page_ring[index];\n803     struct page *page = sw_buf->page;\n....\nwhere sw_buf was set to NULL after the call to dma_unmap_page()\nby the preceding thread.\r\n\r\n    EEH: Beginning: 'slot_reset'\n    PCI 0011:01:00.0#10000: EEH: Invoking bnx2x->slot_reset()\n    bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing...\n    bnx2x 0011:01:00.0: enabling device (0140 -> 0142)\n    bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --> driver unload\n    Kernel attempted to read user page (0) - exploit attempt? (uid: 0)\n    BUG: Kernel NULL pointer dereference on read at 0x00000000\n    Faulting instruction address: 0xc0080000025065fc\n    Oops: Kernel access of bad area, sig: 11 [#1]\n    .....\n    Call Trace:\n    [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable)\n    [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0\n    [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550\n    [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60\n    [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170\n    [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0\n    [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64\r\n\r\nTo solve this issue, we need to verify page pool allocations before\nfreeing.(CVE-2024-26859)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npacket: annotate data-races around ignore_outgoing\r\n\r\nignore_outgoing is read locklessly from dev_queue_xmit_nit()\nand packet_getsockopt()\r\n\r\nAdd appropriate READ_ONCE()/WRITE_ONCE() annotations.\r\n\r\nsyzbot reported:\r\n\r\nBUG: KCSAN: data-race in dev_queue_xmit_nit / packet_setsockopt\r\n\r\nwrite to 0xffff888107804542 of 1 bytes by task 22618 on cpu 0:\n packet_setsockopt+0xd83/0xfd0 net/packet/af_packet.c:4003\n do_sock_setsockopt net/socket.c:2311 [inline]\n __sys_setsockopt+0x1d8/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0x66/0x80 net/socket.c:2340\n do_syscall_64+0xd3/0x1d0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nread to 0xffff888107804542 of 1 bytes by task 27 on cpu 1:\n dev_queue_xmit_nit+0x82/0x620 net/core/dev.c:2248\n xmit_one net/core/dev.c:3527 [inline]\n dev_hard_start_xmit+0xcc/0x3f0 net/core/dev.c:3547\n __dev_queue_xmit+0xf24/0x1dd0 net/core/dev.c:4335\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n batadv_send_skb_packet+0x264/0x300 net/batman-adv/send.c:108\n batadv_send_broadcast_skb+0x24/0x30 net/batman-adv/send.c:127\n batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:392 [inline]\n batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:420 [inline]\n batadv_iv_send_outstanding_bat_ogm_packet+0x3f0/0x4b0 net/batman-adv/bat_iv_ogm.c:1700\n process_one_work kernel/workqueue.c:3254 [inline]\n process_scheduled_works+0x465/0x990 kernel/workqueue.c:3335\n worker_thread+0x526/0x730 kernel/workqueue.c:3416\n kthread+0x1d1/0x210 kernel/kthread.c:388\n ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243\r\n\r\nvalue changed: 0x00 -> 0x01\r\n\r\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 27 Comm: kworker/u8:1 Tainted: G        W          6.8.0-syzkaller-08073-g480e035fc4c7 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\nWorkqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet(CVE-2024-26862)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhsr: Fix uninit-value access in hsr_get_node()\r\n\r\nKMSAN reported the following uninit-value access issue [1]:\r\n\r\n=====================================================\nBUG: KMSAN: uninit-value in hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246\n hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246\n fill_frame_info net/hsr/hsr_forward.c:577 [inline]\n hsr_forward_skb+0xe12/0x30e0 net/hsr/hsr_forward.c:615\n hsr_dev_xmit+0x1a1/0x270 net/hsr/hsr_device.c:223\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\n packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3087 [inline]\n packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n __sys_sendto+0x735/0xa10 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was created at:\n slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n slab_alloc_node mm/slub.c:3478 [inline]\n kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n __alloc_skb+0x318/0x740 net/core/skbuff.c:651\n alloc_skb include/linux/skbuff.h:1286 [inline]\n alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334\n sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787\n packet_alloc_skb net/packet/af_packet.c:2936 [inline]\n packet_snd net/packet/af_packet.c:3030 [inline]\n packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n __sys_sendto+0x735/0xa10 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nCPU: 1 PID: 5033 Comm: syz-executor334 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\n=====================================================\r\n\r\nIf the packet type ID field in the Ethernet header is either ETH_P_PRP or\nETH_P_HSR, but it is not followed by an HSR tag, hsr_get_skb_sequence_nr()\nreads an invalid value as a sequence number. This causes the above issue.\r\n\r\nThis patch fixes the issue by returning NULL if the Ethernet header is not\nfollowed by an HSR tag.(CVE-2024-26863)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nrds: tcp: Fix use-after-free of net in reqsk_timer_handler().\r\n\r\nsyzkaller reported a warning of netns tracker [0] followed by KASAN\nsplat [1] and another ref tracker warning [1].\r\n\r\nsyzkaller could not find a repro, but in the log, the only suspicious\nsequence was as follows:\r\n\r\n  18:26:22 executing program 1:\n  r0 = socket$inet6_mptcp(0xa, 0x1, 0x106)\n  ...\n  connect$inet6(r0, &(0x7f0000000080)={0xa, 0x4001, 0x0, @loopback}, 0x1c) (async)\r\n\r\nThe notable thing here is 0x4001 in connect(), which is RDS_TCP_PORT.\r\n\r\nSo, the scenario would be:\r\n\r\n  1. unshare(CLONE_NEWNET) creates a per netns tcp listener in\n      rds_tcp_listen_init().\n  2. syz-executor connect()s to it and creates a reqsk.\n  3. syz-executor exit()s immediately.\n  4. netns is dismantled.  [0]\n  5. reqsk timer is fired, and UAF happens while freeing reqsk.  [1]\n  6. listener is freed after RCU grace period.  [2]\r\n\r\nBasically, reqsk assumes that the listener guarantees netns safety\nuntil all reqsk timers are expired by holding the listener's refcount.\nHowever, this was not the case for kernel sockets.\r\n\r\nCommit 740ea3c4a0b2 (\"tcp: Clean up kernel listener's reqsk in\ninet_twsk_purge()\") fixed this issue only for per-netns ehash.\r\n\r\nLet's apply the same fix for the global ehash.\r\n\r\n[0]:\nref_tracker: net notrefcnt@0000000065449cc3 has 1/1 users at\n     sk_alloc (./include/net/net_namespace.h:337 net/core/sock.c:2146)\n     inet6_create (net/ipv6/af_inet6.c:192 net/ipv6/af_inet6.c:119)\n     __sock_create (net/socket.c:1572)\n     rds_tcp_listen_init (net/rds/tcp_listen.c:279)\n     rds_tcp_init_net (net/rds/tcp.c:577)\n     ops_init (net/core/net_namespace.c:137)\n     setup_net (net/core/net_namespace.c:340)\n     copy_net_ns (net/core/net_namespace.c:497)\n     create_new_namespaces (kernel/nsproxy.c:110)\n     unshare_nsproxy_namespaces (kernel/nsproxy.c:228 (discriminator 4))\n     ksys_unshare (kernel/fork.c:3429)\n     __x64_sys_unshare (kernel/fork.c:3496)\n     do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\n     entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)\n...\nWARNING: CPU: 0 PID: 27 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179)\r\n\r\n[1]:\nBUG: KASAN: slab-use-after-free in inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966)\nRead of size 8 at addr ffff88801b370400 by task swapper/0/0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <IRQ>\n dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))\n print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)\n kasan_report (mm/kasan/report.c:603)\n inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966)\n reqsk_timer_handler (net/ipv4/inet_connection_sock.c:979 net/ipv4/inet_connection_sock.c:1092)\n call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)\n __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2038)\n run_timer_softirq (kernel/time/timer.c:2053)\n __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)\n irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632 kernel/softirq.c:644)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1076 (discriminator 14))\n </IRQ>\r\n\r\nAllocated by task 258 on cpu 0 at 83.612050s:\n kasan_save_stack (mm/kasan/common.c:48)\n kasan_save_track (mm/kasan/common.c:68)\n __kasan_slab_alloc (mm/kasan/common.c:343)\n kmem_cache_alloc (mm/slub.c:3813 mm/slub.c:3860 mm/slub.c:3867)\n copy_net_ns (./include/linux/slab.h:701 net/core/net_namespace.c:421 net/core/net_namespace.c:480)\n create_new_namespaces (kernel/nsproxy.c:110)\n unshare_nsproxy_name\n---truncated---(CVE-2024-26865)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: fix to truncate meta inode pages forcely\r\n\r\nBelow race case can cause data corruption:\r\n\r\nThread A\t\t\t\tGC thread\n\t\t\t\t\t- gc_data_segment\n\t\t\t\t\t - ra_data_block\n\t\t\t\t\t  - locked meta_inode page\n- f2fs_inplace_write_data\n - invalidate_mapping_pages\n : fail to invalidate meta_inode page\n   due to lock failure or dirty|writeback\n   status\n - f2fs_submit_page_bio\n : write last dirty data to old blkaddr\n\t\t\t\t\t - move_data_block\n\t\t\t\t\t  - load old data from meta_inode page\n\t\t\t\t\t  - f2fs_submit_page_write\n\t\t\t\t\t  : write old data to new blkaddr\r\n\r\nBecause invalidate_mapping_pages() will skip invalidating page which\nhas unclear status including locked, dirty, writeback and so on, so\nwe need to use truncate_inode_pages_range() instead of\ninvalidate_mapping_pages() to make sure meta_inode page will be dropped.(CVE-2024-26869)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nNFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102\r\n\r\nA call to listxattr() with a buffer size = 0 returns the actual\nsize of the buffer needed for a subsequent call. When size > 0,\nnfs4_listxattr() does not return an error because either\ngeneric_listxattr() or nfs4_listxattr_nfs4_label() consumes\nexactly all the bytes then size is 0 when calling\nnfs4_listxattr_nfs4_user() which then triggers the following\nkernel BUG:\r\n\r\n  [   99.403778] kernel BUG at mm/usercopy.c:102!\n  [   99.404063] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n  [   99.408463] CPU: 0 PID: 3310 Comm: python3 Not tainted 6.6.0-61.fc40.aarch64 #1\n  [   99.415827] Call trace:\n  [   99.415985]  usercopy_abort+0x70/0xa0\n  [   99.416227]  __check_heap_object+0x134/0x158\n  [   99.416505]  check_heap_object+0x150/0x188\n  [   99.416696]  __check_object_size.part.0+0x78/0x168\n  [   99.416886]  __check_object_size+0x28/0x40\n  [   99.417078]  listxattr+0x8c/0x120\n  [   99.417252]  path_listxattr+0x78/0xe0\n  [   99.417476]  __arm64_sys_listxattr+0x28/0x40\n  [   99.417723]  invoke_syscall+0x78/0x100\n  [   99.417929]  el0_svc_common.constprop.0+0x48/0xf0\n  [   99.418186]  do_el0_svc+0x24/0x38\n  [   99.418376]  el0_svc+0x3c/0x110\n  [   99.418554]  el0t_64_sync_handler+0x120/0x130\n  [   99.418788]  el0t_64_sync+0x194/0x198\n  [   99.418994] Code: aa0003e3 d000a3e0 91310000 97f49bdb (d4210000)\r\n\r\nIssue is reproduced when generic_listxattr() returns 'system.nfs4_acl',\nthus calling lisxattr() with size = 16 will trigger the bug.\r\n\r\nAdd check on nfs4_listxattr() to return ERANGE error when it is\ncalled with size > 0 and the return value is greater than size.(CVE-2024-26870)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/srpt: Do not register event handler until srpt device is fully setup\r\n\r\nUpon rare occasions, KASAN reports a use-after-free Write\nin srpt_refresh_port().\r\n\r\nThis seems to be because an event handler is registered before the\nsrpt device is fully setup and a race condition upon error may leave a\npartially setup event handler in place.\r\n\r\nInstead, only register the event handler after srpt device initialization\nis complete.(CVE-2024-26872)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: pvrusb2: fix uaf in pvr2_context_set_notify\r\n\r\n[Syzbot reported]\nBUG: KASAN: slab-use-after-free in pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35\nRead of size 4 at addr ffff888113aeb0d8 by task kworker/1:1/26\r\n\r\nCPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.8.0-rc1-syzkaller-00046-gf1a27f081c1f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0xc4/0x620 mm/kasan/report.c:488\n kasan_report+0xda/0x110 mm/kasan/report.c:601\n pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35\n pvr2_context_notify drivers/media/usb/pvrusb2/pvrusb2-context.c:95 [inline]\n pvr2_context_disconnect+0x94/0xb0 drivers/media/usb/pvrusb2/pvrusb2-context.c:272\r\n\r\nFreed by task 906:\nkasan_save_stack+0x33/0x50 mm/kasan/common.c:47\nkasan_save_track+0x14/0x30 mm/kasan/common.c:68\nkasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640\npoison_slab_object mm/kasan/common.c:241 [inline]\n__kasan_slab_free+0x106/0x1b0 mm/kasan/common.c:257\nkasan_slab_free include/linux/kasan.h:184 [inline]\nslab_free_hook mm/slub.c:2121 [inline]\nslab_free mm/slub.c:4299 [inline]\nkfree+0x105/0x340 mm/slub.c:4409\npvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:137 [inline]\npvr2_context_thread_func+0x69d/0x960 drivers/media/usb/pvrusb2/pvrusb2-context.c:158\r\n\r\n[Analyze]\nTask A set disconnect_flag = !0, which resulted in Task B's condition being met\nand releasing mp, leading to this issue.\r\n\r\n[Fix]\nPlace the disconnect_flag assignment operation after all code in pvr2_context_disconnect()\nto avoid this issue.(CVE-2024-26875)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nquota: Fix potential NULL pointer dereference\r\n\r\nBelow race may cause NULL pointer dereference\r\n\r\nP1\t\t\t\t\tP2\ndquot_free_inode\t\t\tquota_off\n\t\t\t\t\t  drop_dquot_ref\n\t\t\t\t\t   remove_dquot_ref\n\t\t\t\t\t   dquots = i_dquot(inode)\n  dquots = i_dquot(inode)\n  srcu_read_lock\n  dquots[cnt]) != NULL (1)\n\t\t\t\t\t     dquots[type] = NULL (2)\n  spin_lock(&dquots[cnt]->dq_dqb_lock) (3)\n   ....\r\n\r\nIf dquot_free_inode(or other routines) checks inode's quota pointers (1)\nbefore quota_off sets it to NULL(2) and use it (3) after that, NULL pointer\ndereference will be triggered.\r\n\r\nSo let's fix it by using a temporary pointer to avoid this issue.(CVE-2024-26878)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndm: call the resume method on internal suspend\r\n\r\nThere is this reported crash when experimenting with the lvm2 testsuite.\nThe list corruption is caused by the fact that the postsuspend and resume\nmethods were not paired correctly; there were two consecutive calls to the\norigin_postsuspend function. The second call attempts to remove the\n\"hash_list\" entry from a list, while it was already removed by the first\ncall.\r\n\r\nFix __dm_internal_resume so that it calls the preresume and resume\nmethods of the table's targets.\r\n\r\nIf a preresume method of some target fails, we are in a tricky situation.\nWe can't return an error because dm_internal_resume isn't supposed to\nreturn errors. We can't return success, because then the \"resume\" and\n\"postsuspend\" methods would not be paired correctly. So, we set the\nDMF_SUSPENDED flag and we fake normal suspend - it may confuse userspace\ntools, but it won't cause a kernel crash.\r\n\r\n------------[ cut here ]------------\nkernel BUG at lib/list_debug.c:56!\ninvalid opcode: 0000 [#1] PREEMPT SMP\nCPU: 1 PID: 8343 Comm: dmsetup Not tainted 6.8.0-rc6 #4\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\nRIP: 0010:__list_del_entry_valid_or_report+0x77/0xc0\n<snip>\nRSP: 0018:ffff8881b831bcc0 EFLAGS: 00010282\nRAX: 000000000000004e RBX: ffff888143b6eb80 RCX: 0000000000000000\nRDX: 0000000000000001 RSI: ffffffff819053d0 RDI: 00000000ffffffff\nRBP: ffff8881b83a3400 R08: 00000000fffeffff R09: 0000000000000058\nR10: 0000000000000000 R11: ffffffff81a24080 R12: 0000000000000001\nR13: ffff88814538e000 R14: ffff888143bc6dc0 R15: ffffffffa02e4bb0\nFS:  00000000f7c0f780(0000) GS:ffff8893f0a40000(0000) knlGS:0000000000000000\nCS:  0010 DS: 002b ES: 002b CR0: 0000000080050033\nCR2: 0000000057fb5000 CR3: 0000000143474000 CR4: 00000000000006b0\nCall Trace:\n <TASK>\n ? die+0x2d/0x80\n ? do_trap+0xeb/0xf0\n ? __list_del_entry_valid_or_report+0x77/0xc0\n ? do_error_trap+0x60/0x80\n ? __list_del_entry_valid_or_report+0x77/0xc0\n ? exc_invalid_op+0x49/0x60\n ? __list_del_entry_valid_or_report+0x77/0xc0\n ? asm_exc_invalid_op+0x16/0x20\n ? table_deps+0x1b0/0x1b0 [dm_mod]\n ? __list_del_entry_valid_or_report+0x77/0xc0\n origin_postsuspend+0x1a/0x50 [dm_snapshot]\n dm_table_postsuspend_targets+0x34/0x50 [dm_mod]\n dm_suspend+0xd8/0xf0 [dm_mod]\n dev_suspend+0x1f2/0x2f0 [dm_mod]\n ? table_deps+0x1b0/0x1b0 [dm_mod]\n ctl_ioctl+0x300/0x5f0 [dm_mod]\n dm_compat_ctl_ioctl+0x7/0x10 [dm_mod]\n __x64_compat_sys_ioctl+0x104/0x170\n do_syscall_64+0x184/0x1b0\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\nRIP: 0033:0xf7e6aead\n<snip>\n---[ end trace 0000000000000000 ]---(CVE-2024-26880)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfirmware: arm_scmi: Fix double free in SMC transport cleanup path\r\n\r\nWhen the generic SCMI code tears down a channel, it calls the chan_free\ncallback function, defined by each transport. Since multiple protocols\nmight share the same transport_info member, chan_free() might want to\nclean up the same member multiple times within the given SCMI transport\nimplementation. In this case, it is SMC transport. This will lead to a NULL\npointer dereference at the second time:\r\n\r\n    | scmi_protocol scmi_dev.1: Enabled polling mode TX channel - prot_id:16\n    | arm-scmi firmware:scmi: SCMI Notifications - Core Enabled.\n    | arm-scmi firmware:scmi: unable to communicate with SCMI\n    | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n    | Mem abort info:\n    |   ESR = 0x0000000096000004\n    |   EC = 0x25: DABT (current EL), IL = 32 bits\n    |   SET = 0, FnV = 0\n    |   EA = 0, S1PTW = 0\n    |   FSC = 0x04: level 0 translation fault\n    | Data abort info:\n    |   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n    |   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n    |   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n    | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881ef8000\n    | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n    | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n    | Modules linked in:\n    | CPU: 4 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc2-00124-g455ef3d016c9-dirty #793\n    | Hardware name: FVP Base RevC (DT)\n    | pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n    | pc : smc_chan_free+0x3c/0x6c\n    | lr : smc_chan_free+0x3c/0x6c\n    | Call trace:\n    |  smc_chan_free+0x3c/0x6c\n    |  idr_for_each+0x68/0xf8\n    |  scmi_cleanup_channels.isra.0+0x2c/0x58\n    |  scmi_probe+0x434/0x734\n    |  platform_probe+0x68/0xd8\n    |  really_probe+0x110/0x27c\n    |  __driver_probe_device+0x78/0x12c\n    |  driver_probe_device+0x3c/0x118\n    |  __driver_attach+0x74/0x128\n    |  bus_for_each_dev+0x78/0xe0\n    |  driver_attach+0x24/0x30\n    |  bus_add_driver+0xe4/0x1e8\n    |  driver_register+0x60/0x128\n    |  __platform_driver_register+0x28/0x34\n    |  scmi_driver_init+0x84/0xc0\n    |  do_one_initcall+0x78/0x33c\n    |  kernel_init_freeable+0x2b8/0x51c\n    |  kernel_init+0x24/0x130\n    |  ret_from_fork+0x10/0x20\n    | Code: f0004701 910a0021 aa1403e5 97b91c70 (b9400280)\n    | ---[ end trace 0000000000000000 ]---\r\n\r\nSimply check for the struct pointer being NULL before trying to access\nits members, to avoid this situation.\r\n\r\nThis was found when a transport doesn't really work (for instance no SMC\nservice), the probe routines then tries to clean up, and triggers a crash.(CVE-2024-26893)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces\r\n\r\nwilc_netdev_cleanup currently triggers a KASAN warning, which can be\nobserved on interface registration error path, or simply by\nremoving the module/unbinding device from driver:\r\n\r\necho spi0.1 > /sys/bus/spi/drivers/wilc1000_spi/unbind\r\n\r\n==================================================================\nBUG: KASAN: slab-use-after-free in wilc_netdev_cleanup+0x508/0x5cc\nRead of size 4 at addr c54d1ce8 by task sh/86\r\n\r\nCPU: 0 PID: 86 Comm: sh Not tainted 6.8.0-rc1+ #117\nHardware name: Atmel SAMA5\n unwind_backtrace from show_stack+0x18/0x1c\n show_stack from dump_stack_lvl+0x34/0x58\n dump_stack_lvl from print_report+0x154/0x500\n print_report from kasan_report+0xac/0xd8\n kasan_report from wilc_netdev_cleanup+0x508/0x5cc\n wilc_netdev_cleanup from wilc_bus_remove+0xc8/0xec\n wilc_bus_remove from spi_remove+0x8c/0xac\n spi_remove from device_release_driver_internal+0x434/0x5f8\n device_release_driver_internal from unbind_store+0xbc/0x108\n unbind_store from kernfs_fop_write_iter+0x398/0x584\n kernfs_fop_write_iter from vfs_write+0x728/0xf88\n vfs_write from ksys_write+0x110/0x1e4\n ksys_write from ret_fast_syscall+0x0/0x1c\r\n\r\n[...]\r\n\r\nAllocated by task 1:\n kasan_save_track+0x30/0x5c\n __kasan_kmalloc+0x8c/0x94\n __kmalloc_node+0x1cc/0x3e4\n kvmalloc_node+0x48/0x180\n alloc_netdev_mqs+0x68/0x11dc\n alloc_etherdev_mqs+0x28/0x34\n wilc_netdev_ifc_init+0x34/0x8ec\n wilc_cfg80211_init+0x690/0x910\n wilc_bus_probe+0xe0/0x4a0\n spi_probe+0x158/0x1b0\n really_probe+0x270/0xdf4\n __driver_probe_device+0x1dc/0x580\n driver_probe_device+0x60/0x140\n __driver_attach+0x228/0x5d4\n bus_for_each_dev+0x13c/0x1a8\n bus_add_driver+0x2a0/0x608\n driver_register+0x24c/0x578\n do_one_initcall+0x180/0x310\n kernel_init_freeable+0x424/0x484\n kernel_init+0x20/0x148\n ret_from_fork+0x14/0x28\r\n\r\nFreed by task 86:\n kasan_save_track+0x30/0x5c\n kasan_save_free_info+0x38/0x58\n __kasan_slab_free+0xe4/0x140\n kfree+0xb0/0x238\n device_release+0xc0/0x2a8\n kobject_put+0x1d4/0x46c\n netdev_run_todo+0x8fc/0x11d0\n wilc_netdev_cleanup+0x1e4/0x5cc\n wilc_bus_remove+0xc8/0xec\n spi_remove+0x8c/0xac\n device_release_driver_internal+0x434/0x5f8\n unbind_store+0xbc/0x108\n kernfs_fop_write_iter+0x398/0x584\n vfs_write+0x728/0xf88\n ksys_write+0x110/0x1e4\n ret_fast_syscall+0x0/0x1c\n [...]\r\n\r\nDavid Mosberger-Tan initial investigation [1] showed that this\nuse-after-free is due to netdevice unregistration during vif list\ntraversal. When unregistering a net device, since the needs_free_netdev has\nbeen set to true during registration, the netdevice object is also freed,\nand as a consequence, the corresponding vif object too, since it is\nattached to it as private netdevice data. The next occurrence of the loop\nthen tries to access freed vif pointer to the list to move forward in the\nlist.\r\n\r\nFix this use-after-free thanks to two mechanisms:\n- navigate in the list with list_for_each_entry_safe, which allows to\n  safely modify the list as we go through each element. For each element,\n  remove it from the list with list_del_rcu\n- make sure to wait for RCU grace period end after each vif removal to make\n  sure it is safe to free the corresponding vif too (through\n  unregister_netdev)\r\n\r\nSince we are in a RCU \"modifier\" path (not a \"reader\" path), and because\nsuch path is expected not to be concurrent to any other modifier (we are\nusing the vif_mutex lock), we do not need to use RCU list API, that's why\nwe can benefit from list_for_each_entry_safe.\r\n\r\n[1] https://lore.kernel.org/linux-wireless/ab077dbe58b1ea5de0a3b2ca21f275a07af967d2.camel@egauge.net/(CVE-2024-26895)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: wfx: fix memory leak when starting AP\r\n\r\nKmemleak reported this error:\r\n\r\n    unreferenced object 0xd73d1180 (size 184):\n      comm \"wpa_supplicant\", pid 1559, jiffies 13006305 (age 964.245s)\n      hex dump (first 32 bytes):\n        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n        00 00 00 00 00 00 00 00 1e 00 01 00 00 00 00 00  ................\n      backtrace:\n        [<5ca11420>] kmem_cache_alloc+0x20c/0x5ac\n        [<127bdd74>] __alloc_skb+0x144/0x170\n        [<fb8a5e38>] __netdev_alloc_skb+0x50/0x180\n        [<0f9fa1d5>] __ieee80211_beacon_get+0x290/0x4d4 [mac80211]\n        [<7accd02d>] ieee80211_beacon_get_tim+0x54/0x18c [mac80211]\n        [<41e25cc3>] wfx_start_ap+0xc8/0x234 [wfx]\n        [<93a70356>] ieee80211_start_ap+0x404/0x6b4 [mac80211]\n        [<a4a661cd>] nl80211_start_ap+0x76c/0x9e0 [cfg80211]\n        [<47bd8b68>] genl_rcv_msg+0x198/0x378\n        [<453ef796>] netlink_rcv_skb+0xd0/0x130\n        [<6b7c977a>] genl_rcv+0x34/0x44\n        [<66b2d04d>] netlink_unicast+0x1b4/0x258\n        [<f965b9b6>] netlink_sendmsg+0x1e8/0x428\n        [<aadb8231>] ____sys_sendmsg+0x1e0/0x274\n        [<d2b5212d>] ___sys_sendmsg+0x80/0xb4\n        [<69954f45>] __sys_sendmsg+0x64/0xa8\n    unreferenced object 0xce087000 (size 1024):\n      comm \"wpa_supplicant\", pid 1559, jiffies 13006305 (age 964.246s)\n      hex dump (first 32 bytes):\n        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n        10 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............\n      backtrace:\n        [<9a993714>] __kmalloc_track_caller+0x230/0x600\n        [<f83ea192>] kmalloc_reserve.constprop.0+0x30/0x74\n        [<a2c61343>] __alloc_skb+0xa0/0x170\n        [<fb8a5e38>] __netdev_alloc_skb+0x50/0x180\n        [<0f9fa1d5>] __ieee80211_beacon_get+0x290/0x4d4 [mac80211]\n        [<7accd02d>] ieee80211_beacon_get_tim+0x54/0x18c [mac80211]\n        [<41e25cc3>] wfx_start_ap+0xc8/0x234 [wfx]\n        [<93a70356>] ieee80211_start_ap+0x404/0x6b4 [mac80211]\n        [<a4a661cd>] nl80211_start_ap+0x76c/0x9e0 [cfg80211]\n        [<47bd8b68>] genl_rcv_msg+0x198/0x378\n        [<453ef796>] netlink_rcv_skb+0xd0/0x130\n        [<6b7c977a>] genl_rcv+0x34/0x44\n        [<66b2d04d>] netlink_unicast+0x1b4/0x258\n        [<f965b9b6>] netlink_sendmsg+0x1e8/0x428\n        [<aadb8231>] ____sys_sendmsg+0x1e0/0x274\n        [<d2b5212d>] ___sys_sendmsg+0x80/0xb4\r\n\r\nHowever, since the kernel is build optimized, it seems the stack is not\naccurate. It appears the issue is related to wfx_set_mfp_ap(). The issue\nis obvious in this function: memory allocated by ieee80211_beacon_get()\nis never released. Fixing this leak makes kmemleak happy.(CVE-2024-26896)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete\r\n\r\nThe ath9k_wmi_event_tasklet() used in ath9k_htc assumes that all the data\nstructures have been fully initialised by the time it runs. However, because of\nthe order in which things are initialised, this is not guaranteed to be the\ncase, because the device is exposed to the USB subsystem before the ath9k driver\ninitialisation is completed.\r\n\r\nWe already committed a partial fix for this in commit:\n8b3046abc99e (\"ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()\")\r\n\r\nHowever, that commit only aborted the WMI_TXSTATUS_EVENTID command in the event\ntasklet, pairing it with an \"initialisation complete\" bit in the TX struct. It\nseems syzbot managed to trigger the race for one of the other commands as well,\nso let's just move the existing synchronisation bit to cover the whole\ntasklet (setting it at the end of ath9k_htc_probe_device() instead of inside\nath9k_tx_init()).(CVE-2024-26897)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: Revert \"scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock\"\r\n\r\nThis reverts commit 1a1975551943f681772720f639ff42fbaa746212.\r\n\r\nThis commit causes interrupts to be lost for FCoE devices, since it changed\nsping locks from \"bh\" to \"irqsave\".\r\n\r\nInstead, a work queue should be used, and will be addressed in a separate\ncommit.(CVE-2024-26917)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ninet: inet_defrag: prevent sk release while still in use\r\n\r\nip_local_out() and other functions can pass skb->sk as function argument.\r\n\r\nIf the skb is a fragment and reassembly happens before such function call\nreturns, the sk must not be released.\r\n\r\nThis affects skb fragments reassembled via netfilter or similar\nmodules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline.\r\n\r\nEric Dumazet made an initial analysis of this bug.  Quoting Eric:\n  Calling ip_defrag() in output path is also implying skb_orphan(),\n  which is buggy because output path relies on sk not disappearing.\r\n\r\n  A relevant old patch about the issue was :\n  8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\")\r\n\r\n  [..]\r\n\r\n  net/ipv4/ip_output.c depends on skb->sk being set, and probably to an\n  inet socket, not an arbitrary one.\r\n\r\n  If we orphan the packet in ipvlan, then downstream things like FQ\n  packet scheduler will not work properly.\r\n\r\n  We need to change ip_defrag() to only use skb_orphan() when really\n  needed, ie whenever frag_list is going to be used.\r\n\r\nEric suggested to stash sk in fragment queue and made an initial patch.\nHowever there is a problem with this:\r\n\r\nIf skb is refragmented again right after, ip_do_fragment() will copy\nhead->sk to the new fragments, and sets up destructor to sock_wfree.\nIOW, we have no choice but to fix up sk_wmem accouting to reflect the\nfully reassembled skb, else wmem will underflow.\r\n\r\nThis change moves the orphan down into the core, to last possible moment.\nAs ip_defrag_offset is aliased with sk_buff->sk member, we must move the\noffset into the FRAG_CB, else skb->sk gets clobbered.\r\n\r\nThis allows to delay the orphaning long enough to learn if the skb has\nto be queued or if the skb is completing the reasm queue.\r\n\r\nIn the former case, things work as before, skb is orphaned.  This is\nsafe because skb gets queued/stolen and won't continue past reasm engine.\r\n\r\nIn the latter case, we will steal the skb->sk reference, reattach it to\nthe head skb, and fix up wmem accouting when inet_frag inflates truesize.(CVE-2024-26921)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: validate the parameters of bo mapping operations more clearly\r\n\r\nVerify the parameters of\namdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.(CVE-2024-26922)",
+    "cves": [
+      {
+        "id": "CVE-2024-26811",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26811",
+        "severity": "High"
+      },
+      {
+        "id": "CVE-2024-26922",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26922",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1585": {
+    "id": "openEuler-SA-2023-1585",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1585",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nA hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel’s IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%.(CVE-2023-1206)\r\n\r\nA buffer overrun vulnerability was found in the netback driver in Xen due to an unusual split packet. This flaw allows an unprivileged guest to cause a denial of service (DoS) of the host by sending network packets to the backend, causing the backend to crash.(CVE-2023-34319)\r\n\r\nAn issue was discovered in the Linux kernel before 6.3.10. fs/smb/server/smb2misc.c in ksmbd does not validate the relationship between the command payload size and the RFC1002 length specification, leading to an out-of-bounds read.(CVE-2023-38432)\r\n\r\n(CVE-2023-3867)\r\n\r\nAn issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10. There is a use-after-free because the children of an sk are mishandled.(CVE-2023-40283)\r\n\r\nA flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to bypass network filters and gain unauthorized access to some resources. The original patches fixing CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits - a096ccca6e50 (\"tun: tun_chr_open(): correctly initialize socket uid\"), - 66b2c338adce (\"tap: tap_open(): correctly initialize socket uid\"), pass \"inode->i_uid\" to sock_init_data_uid() as the last parameter and that turns out to not be accurate.(CVE-2023-4194)\r\n\r\nA flaw was found in btrfs_get_root_ref in fs/btrfs/disk-io.c in the btrfs filesystem in the Linux Kernel due to a double decrement of the reference count. This issue may allow a local attacker with user privilege to crash the system or may lead to leaked internal kernel information.(CVE-2023-4389)",
+    "cves": [
+      {
+        "id": "CVE-2023-4389",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4389",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1363": {
+    "id": "openEuler-SA-2024-1363",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1363",
+    "title": "An update for telnet is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Telnet is an application protocol used on the Internet or local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. The package includes a remote login client program for telnet and a server daemon.\r\n\r\nSecurity Fix(es):\r\n\r\ntelnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL pointer dereference via 0xff 0xf7 or 0xff 0xf8. In a typical installation, the telnetd application would crash but the telnet service would remain available through inetd. However, if the telnetd application has many crashes within a short time interval, the telnet service would become unavailable after inetd logs a \"telnet/tcp server failing (looping), service terminated\" error. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.(CVE-2022-39028)",
+    "cves": [
+      {
+        "id": "CVE-2022-39028",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39028",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1154": {
+    "id": "openEuler-SA-2021-1154",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1154",
+    "title": "An update for python-pygments is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nIn pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.(CVE-2021-27291)\r\n\r\nAn infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the \"exception\" keyword.(CVE-2021-20270)",
+    "cves": [
+      {
+        "id": "CVE-2021-20270",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20270",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1119": {
+    "id": "openEuler-SA-2021-1119",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1119",
+    "title": "An update for openldap is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. LDAP is a set of protocols for accessing directory services (usually phone book style information, but other information is possible) over the Internet, similar to the way DNS (Domain Name System) information is propagated over the Internet. The openldap package contains configuration files, libraries, and documentation for OpenLDAP.\r\n\r\nSecurity Fix(es):\r\n\r\nIn OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.(CVE-2021-27212)",
+    "cves": [
+      {
+        "id": "CVE-2021-27212",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27212",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1785": {
+    "id": "openEuler-SA-2024-1785",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1785",
+    "title": "An update for squid is now available for openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-24.03-LTS,openEuler-22.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "Squid is a high-performance proxy caching server. It handles all requests in a single, non-blocking, I/O-driven process and keeps meta data and implements negative caching of failed requests.\r\n\r\nSecurity Fix(es):\r\n\r\nSquid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to an Out-of-bounds Write error when assigning ESI variables, Squid is susceptible to a Memory Corruption error. This error can lead to a Denial of Service attack.(CVE-2024-37894)",
+    "cves": [
+      {
+        "id": "CVE-2024-37894",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37894",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1303": {
+    "id": "openEuler-SA-2023-1303",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1303",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in netfilter in the Linux kernel before 5.10. There can be a use-after-free in the packet processing context, because the per-CPU sequence count is mishandled during concurrent iptables rules replacement. This could be exploited with the CAP_NET_ADMIN capability in an unprivileged namespace. NOTE: cc00bca was reverted in 5.12.(CVE-2020-36694)\n\nA use-after-free vulnerability was found in drm_lease_held in drivers/gpu/drm/drm_lease.c in the Linux kernel due to a race problem. This flaw allows a local user privilege attacker to cause a denial of service (DoS) or a kernel information leak.(CVE-2022-1280)",
+    "cves": [
+      {
+        "id": "CVE-2022-1280",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1280",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1300": {
+    "id": "openEuler-SA-2023-1300",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1300",
+    "title": "An update for cpio is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Low",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\ncpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive.(CVE-2015-1197)",
+    "cves": [
+      {
+        "id": "CVE-2015-1197",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1197",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1899": {
+    "id": "openEuler-SA-2022-1899",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1899",
+    "title": "An update for linux-sgx is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Intel(R) Software Guard Extensions (Intel(R) SGX) is an Intel technology for application developers seeking to protect select code and data from disclosure or modification.\r\n\r\nSecurity Fix(es):\r\n\r\nIn addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).(CVE-2022-2068)\r\n\r\nAES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of \"in place\" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).(CVE-2022-2097)",
+    "cves": [
+      {
+        "id": "CVE-2022-2097",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2097",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1614": {
+    "id": "openEuler-SA-2024-1614",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1614",
+    "title": "An update for qt5-qtbase is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Low",
+    "description": "This package provides base tools, such as string, xml, and network handling.\r\n\r\nSecurity Fix(es):\r\n\r\nQt 6 through 6.6 was discovered to contain a NULL pointer dereference via the function QXcbConnection::initializeAllAtoms(). NOTE: this is disputed because it is not expected that an X application should continue to run when there is arbitrary anomalous behavior from the X server.(CVE-2023-45935)",
+    "cves": [
+      {
+        "id": "CVE-2023-45935",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45935",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1954": {
+    "id": "openEuler-SA-2022-1954",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1954",
+    "title": "An update for mod_security is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "This software is also called Modsec,it is an open-source web application firewall. It is designed for Apache HTTP Server.ModSecurity is commonly deployed to provide protections against generic classed of vulnerabilities.The install of this package is easy and you can read the README.TXT for more information.\r\n\r\nSecurity Fix(es):\r\n\r\nModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.(CVE-2021-42717)",
+    "cves": [
+      {
+        "id": "CVE-2021-42717",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42717",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1425": {
+    "id": "openEuler-SA-2023-1425",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1425",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nA use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation.\n\nRacing a io_uring cancel poll request with a linked timeout can cause a UAF in a hrtimer.\n\nWe recommend upgrading past commit ef7dfac51d8ed961b742218f526bd589f3900a59 (4716c73b188566865bdd79c3a6709696a224ac04 for 5.10 stable and 0e388fce7aec40992eadee654193cad345d62663 for 5.15 stable).\n\n(CVE-2023-3389)",
+    "cves": [
+      {
+        "id": "CVE-2023-3389",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3389",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1194": {
+    "id": "openEuler-SA-2024-1194",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1194",
+    "title": "An update for mod_auth_openidc is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party(RP) to an OpenID Connect Provider(OP).\r\n\r\nSecurity Fix(es):\r\n\r\nmod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In affected versions missing input validation on mod_auth_openidc_session_chunks cookie value makes the server vulnerable to a denial of service (DoS) attack. An internal security audit has been conducted and the reviewers found that if they manipulated the value of the mod_auth_openidc_session_chunks cookie to a very large integer, like 99999999, the server struggles with the request for a long time and finally gets back with a 500 error. Making a few requests of this kind caused our server to become unresponsive. Attackers can craft requests that would make the server work very hard (and possibly become unresponsive) and/or crash with minimal effort. This issue has been addressed in version 2.4.15.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2024-24814)",
+    "cves": [
+      {
+        "id": "CVE-2024-24814",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24814",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1620": {
+    "id": "openEuler-SA-2024-1620",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1620",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfirmware: arm_scmi: Harden accesses to the reset domains\r\n\r\nAccessing reset domains descriptors by the index upon the SCMI drivers\nrequests through the SCMI reset operations interface can potentially\nlead to out-of-bound violations if the SCMI driver misbehave.\r\n\r\nAdd an internal consistency check before any such domains descriptors\naccesses.(CVE-2022-48655)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: hub: Guard against accesses to uninitialized BOS descriptors\r\n\r\nMany functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h\naccess fields inside udev->bos without checking if it was allocated and\ninitialized. If usb_get_bos_descriptor() fails for whatever\nreason, udev->bos will be NULL and those accesses will result in a\ncrash:\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000018\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 5 PID: 17818 Comm: kworker/5:1 Tainted: G W 5.15.108-18910-gab0e1cb584e1 #1 <HASH:1f9e 1>\nHardware name: Google Kindred/Kindred, BIOS Google_Kindred.12672.413.0 02/03/2021\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:hub_port_reset+0x193/0x788\nCode: 89 f7 e8 20 f7 15 00 48 8b 43 08 80 b8 96 03 00 00 03 75 36 0f b7 88 92 03 00 00 81 f9 10 03 00 00 72 27 48 8b 80 a8 03 00 00 <48> 83 78 18 00 74 19 48 89 df 48 8b 75 b0 ba 02 00 00 00 4c 89 e9\nRSP: 0018:ffffab740c53fcf8 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffffa1bc5f678000 RCX: 0000000000000310\nRDX: fffffffffffffdff RSI: 0000000000000286 RDI: ffffa1be9655b840\nRBP: ffffab740c53fd70 R08: 00001b7d5edaa20c R09: ffffffffb005e060\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: ffffab740c53fd3e R14: 0000000000000032 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffffa1be96540000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000018 CR3: 000000022e80c005 CR4: 00000000003706e0\nCall Trace:\nhub_event+0x73f/0x156e\n? hub_activate+0x5b7/0x68f\nprocess_one_work+0x1a2/0x487\nworker_thread+0x11a/0x288\nkthread+0x13a/0x152\n? process_one_work+0x487/0x487\n? kthread_associate_blkcg+0x70/0x70\nret_from_fork+0x1f/0x30\r\n\r\nFall back to a default behavior if the BOS descriptor isn't accessible\nand skip all the functionalities that depend on it: LPM support checks,\nSuper Speed capabilitiy checks, U1/U2 states setup.(CVE-2023-52477)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblock/rnbd-srv: Check for unlikely string overflow\r\n\r\nSince \"dev_search_path\" can technically be as large as PATH_MAX,\nthere was a risk of truncation when copying it and a second string\ninto \"full_path\" since it was also PATH_MAX sized. The W=1 builds were\nreporting this warning:\r\n\r\ndrivers/block/rnbd/rnbd-srv.c: In function 'process_msg_open.isra':\ndrivers/block/rnbd/rnbd-srv.c:616:51: warning: '%s' directive output may be truncated writing up to 254 bytes into a region of size between 0 and 4095 [-Wformat-truncation=]\n  616 |                 snprintf(full_path, PATH_MAX, \"%s/%s\",\n      |                                                   ^~\nIn function 'rnbd_srv_get_full_path',\n    inlined from 'process_msg_open.isra' at drivers/block/rnbd/rnbd-srv.c:721:14: drivers/block/rnbd/rnbd-srv.c:616:17: note: 'snprintf' output between 2 and 4351 bytes into a destination of size 4096\n  616 |                 snprintf(full_path, PATH_MAX, \"%s/%s\",\n      |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n  617 |                          dev_search_path, dev_name);\n      |                          ~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\nTo fix this, unconditionally check for truncation (as was already done\nfor the case where \"%SESSNAME%\" was present).(CVE-2023-52618)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: disallow timeout for anonymous sets\r\n\r\nNever used from userspace, disallow these parameters.(CVE-2023-52620)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nftables: exthdr: fix 4-byte stack OOB write\r\n\r\nIf priv->len is a multiple of 4, then dst[len / 4] can write past\nthe destination array which leads to stack corruption.\r\n\r\nThis construct is necessary to clean the remainder of the register\nin case ->len is NOT a multiple of the register size, so make it\nconditional just like nft_payload.c does.\r\n\r\nThe bug was added in 4.1 cycle and then copied/inherited when\ntcp/sctp and ip option support was added.\r\n\r\nBug reported by Zero Day Initiative project (ZDI-CAN-21950,\nZDI-CAN-21951, ZDI-CAN-21961).(CVE-2023-52628)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: rc: bpf attach/detach requires write permission\r\n\r\nNote that bpf attach/detach also requires CAP_NET_ADMIN.(CVE-2023-52642)\r\n\r\nA flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.(CVE-2023-6270)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nft_limit: reject configurations that cause integer overflow\r\n\r\nReject bogus configs where internal token counter wraps around.\nThis only occurs with very very large requests, such as 17gbyte/s.\r\n\r\nIts better to reject this rather than having incorrect ratelimit.(CVE-2024-26668)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: flower: Fix chain template offload\r\n\r\nWhen a qdisc is deleted from a net device the stack instructs the\nunderlying driver to remove its flow offload callback from the\nassociated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack\nthen continues to replay the removal of the filters in the block for\nthis driver by iterating over the chains in the block and invoking the\n'reoffload' operation of the classifier being used. In turn, the\nclassifier in its 'reoffload' operation prepares and emits a\n'FLOW_CLS_DESTROY' command for each filter.\r\n\r\nHowever, the stack does not do the same for chain templates and the\nunderlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when\na qdisc is deleted. This results in a memory leak [1] which can be\nreproduced using [2].\r\n\r\nFix by introducing a 'tmplt_reoffload' operation and have the stack\ninvoke it with the appropriate arguments as part of the replay.\nImplement the operation in the sole classifier that supports chain\ntemplates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}'\ncommand based on whether a flow offload callback is being bound to a\nfilter block or being unbound from one.\r\n\r\nAs far as I can tell, the issue happens since cited commit which\nreordered tcf_block_offload_unbind() before tcf_block_flush_all_chains()\nin __tcf_block_put(). The order cannot be reversed as the filter block\nis expected to be freed after flushing all the chains.\r\n\r\n[1]\nunreferenced object 0xffff888107e28800 (size 2048):\n  comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s)\n  hex dump (first 32 bytes):\n    b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff  ..|......[......\n    01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff  ................\n  backtrace:\n    [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320\n    [<ffffffff81ab374e>] __kmalloc+0x4e/0x90\n    [<ffffffff832aec6d>] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0\n    [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180\n    [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280\n    [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340\n    [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0\n    [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170\n    [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0\n    [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440\n    [<ffffffff83ac6270>] netlink_unicast+0x540/0x820\n    [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0\n    [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80\n    [<ffffffff8379d29a>] ___sys_sendmsg+0x13a/0x1e0\n    [<ffffffff8379d50c>] __sys_sendmsg+0x11c/0x1f0\n    [<ffffffff843b9ce0>] do_syscall_64+0x40/0xe0\nunreferenced object 0xffff88816d2c0400 (size 1024):\n  comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s)\n  hex dump (first 32 bytes):\n    40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00  @.......W.8.....\n    10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff  ..,m......,m....\n  backtrace:\n    [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320\n    [<ffffffff81ab36c1>] __kmalloc_node+0x51/0x90\n    [<ffffffff81a8ed96>] kvmalloc_node+0xa6/0x1f0\n    [<ffffffff82827d03>] bucket_table_alloc.isra.0+0x83/0x460\n    [<ffffffff82828d2b>] rhashtable_init+0x43b/0x7c0\n    [<ffffffff832aed48>] mlxsw_sp_acl_ruleset_get+0x428/0x7a0\n    [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180\n    [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280\n    [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340\n    [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0\n    [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170\n    [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0\n    [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440\n    [<ffffffff83ac6270>] netlink_unicast+0x540/0x820\n    [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0\n    [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80\r\n\r\n[2]\n # tc qdisc add dev swp1 clsact\n # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32\n # tc qdisc del dev\n---truncated---(CVE-2024-26669)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblk-mq: fix IO hang from sbitmap wakeup race\r\n\r\nIn blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered\nwith the following blk_mq_get_driver_tag() in case of getting driver\ntag failure.\r\n\r\nThen in __sbitmap_queue_wake_up(), waitqueue_active() may not observe\nthe added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime\nblk_mq_mark_tag_wait() can't get driver tag successfully.\r\n\r\nThis issue can be reproduced by running the following test in loop, and\nfio hang can be observed in < 30min when running it on my test VM\nin laptop.\r\n\r\n\tmodprobe -r scsi_debug\n\tmodprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4\n\tdev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename`\n\tfio --filename=/dev/\"$dev\" --direct=1 --rw=randrw --bs=4k --iodepth=1 \\\n       \t\t--runtime=100 --numjobs=40 --time_based --name=test \\\n        \t--ioengine=libaio\r\n\r\nFix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which\nis just fine in case of running out of tag.(CVE-2024-26671)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: atlantic: Fix DMA mapping for PTP hwts ring\r\n\r\nFunction aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytes\nfor PTP HWTS ring but then generic aq_ring_free() does not take this\ninto account.\nCreate and use a specific function to free HWTS ring to fix this\nissue.\r\n\r\nTrace:\n[  215.351607] ------------[ cut here ]------------\n[  215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes]\n[  215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 check_unmap+0xa6f/0x2360\n...\n[  215.581176] Call Trace:\n[  215.583632]  <TASK>\n[  215.585745]  ? show_trace_log_lvl+0x1c4/0x2df\n[  215.590114]  ? show_trace_log_lvl+0x1c4/0x2df\n[  215.594497]  ? debug_dma_free_coherent+0x196/0x210\n[  215.599305]  ? check_unmap+0xa6f/0x2360\n[  215.603147]  ? __warn+0xca/0x1d0\n[  215.606391]  ? check_unmap+0xa6f/0x2360\n[  215.610237]  ? report_bug+0x1ef/0x370\n[  215.613921]  ? handle_bug+0x3c/0x70\n[  215.617423]  ? exc_invalid_op+0x14/0x50\n[  215.621269]  ? asm_exc_invalid_op+0x16/0x20\n[  215.625480]  ? check_unmap+0xa6f/0x2360\n[  215.629331]  ? mark_lock.part.0+0xca/0xa40\n[  215.633445]  debug_dma_free_coherent+0x196/0x210\n[  215.638079]  ? __pfx_debug_dma_free_coherent+0x10/0x10\n[  215.643242]  ? slab_free_freelist_hook+0x11d/0x1d0\n[  215.648060]  dma_free_attrs+0x6d/0x130\n[  215.651834]  aq_ring_free+0x193/0x290 [atlantic]\n[  215.656487]  aq_ptp_ring_free+0x67/0x110 [atlantic]\n...\n[  216.127540] ---[ end trace 6467e5964dd2640b ]---\n[  216.132160] DMA-API: Mapped at:\n[  216.132162]  debug_dma_alloc_coherent+0x66/0x2f0\n[  216.132165]  dma_alloc_attrs+0xf5/0x1b0\n[  216.132168]  aq_ring_hwts_rx_alloc+0x150/0x1f0 [atlantic]\n[  216.132193]  aq_ptp_ring_alloc+0x1bb/0x540 [atlantic]\n[  216.132213]  aq_nic_init+0x4a1/0x760 [atlantic](CVE-2024-26680)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super\r\n\r\nWhen configuring a hugetlb filesystem via the fsconfig() syscall, there is\na possible NULL dereference in hugetlbfs_fill_super() caused by assigning\nNULL to ctx->hstate in hugetlbfs_parse_param() when the requested pagesize\nis non valid.\r\n\r\nE.g: Taking the following steps:\r\n\r\n     fd = fsopen(\"hugetlbfs\", FSOPEN_CLOEXEC);\n     fsconfig(fd, FSCONFIG_SET_STRING, \"pagesize\", \"1024\", 0);\n     fsconfig(fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0);\r\n\r\nGiven that the requested \"pagesize\" is invalid, ctxt->hstate will be replaced\nwith NULL, losing its previous value, and we will print an error:\r\n\r\n ...\n ...\n case Opt_pagesize:\n ps = memparse(param->string, &rest);\n ctx->hstate = h;\n if (!ctx->hstate) {\n         pr_err(\"Unsupported page size %lu MB\\n\", ps / SZ_1M);\n         return -EINVAL;\n }\n return 0;\n ...\n ...\r\n\r\nThis is a problem because later on, we will dereference ctxt->hstate in\nhugetlbfs_fill_super()\r\n\r\n ...\n ...\n sb->s_blocksize = huge_page_size(ctx->hstate);\n ...\n ...\r\n\r\nCausing below Oops.\r\n\r\nFix this by replacing cxt->hstate value only when then pagesize is known\nto be valid.\r\n\r\n kernel: hugetlbfs: Unsupported page size 0 MB\n kernel: BUG: kernel NULL pointer dereference, address: 0000000000000028\n kernel: #PF: supervisor read access in kernel mode\n kernel: #PF: error_code(0x0000) - not-present page\n kernel: PGD 800000010f66c067 P4D 800000010f66c067 PUD 1b22f8067 PMD 0\n kernel: Oops: 0000 [#1] PREEMPT SMP PTI\n kernel: CPU: 4 PID: 5659 Comm: syscall Tainted: G            E      6.8.0-rc2-default+ #22 5a47c3fef76212addcc6eb71344aabc35190ae8f\n kernel: Hardware name: Intel Corp. GROVEPORT/GROVEPORT, BIOS GVPRCRB1.86B.0016.D04.1705030402 05/03/2017\n kernel: RIP: 0010:hugetlbfs_fill_super+0xb4/0x1a0\n kernel: Code: 48 8b 3b e8 3e c6 ed ff 48 85 c0 48 89 45 20 0f 84 d6 00 00 00 48 b8 ff ff ff ff ff ff ff 7f 4c 89 e7 49 89 44 24 20 48 8b 03 <8b> 48 28 b8 00 10 00 00 48 d3 e0 49 89 44 24 18 48 8b 03 8b 40 28\n kernel: RSP: 0018:ffffbe9960fcbd48 EFLAGS: 00010246\n kernel: RAX: 0000000000000000 RBX: ffff9af5272ae780 RCX: 0000000000372004\n kernel: RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: ffff9af555e9b000\n kernel: RBP: ffff9af52ee66b00 R08: 0000000000000040 R09: 0000000000370004\n kernel: R10: ffffbe9960fcbd48 R11: 0000000000000040 R12: ffff9af555e9b000\n kernel: R13: ffffffffa66b86c0 R14: ffff9af507d2f400 R15: ffff9af507d2f400\n kernel: FS:  00007ffbc0ba4740(0000) GS:ffff9b0bd7000000(0000) knlGS:0000000000000000\n kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n kernel: CR2: 0000000000000028 CR3: 00000001b1ee0000 CR4: 00000000001506f0\n kernel: Call Trace:\n kernel:  <TASK>\n kernel:  ? __die_body+0x1a/0x60\n kernel:  ? page_fault_oops+0x16f/0x4a0\n kernel:  ? search_bpf_extables+0x65/0x70\n kernel:  ? fixup_exception+0x22/0x310\n kernel:  ? exc_page_fault+0x69/0x150\n kernel:  ? asm_exc_page_fault+0x22/0x30\n kernel:  ? __pfx_hugetlbfs_fill_super+0x10/0x10\n kernel:  ? hugetlbfs_fill_super+0xb4/0x1a0\n kernel:  ? hugetlbfs_fill_super+0x28/0x1a0\n kernel:  ? __pfx_hugetlbfs_fill_super+0x10/0x10\n kernel:  vfs_get_super+0x40/0xa0\n kernel:  ? __pfx_bpf_lsm_capable+0x10/0x10\n kernel:  vfs_get_tree+0x25/0xd0\n kernel:  vfs_cmd_create+0x64/0xe0\n kernel:  __x64_sys_fsconfig+0x395/0x410\n kernel:  do_syscall_64+0x80/0x160\n kernel:  ? syscall_exit_to_user_mode+0x82/0x240\n kernel:  ? do_syscall_64+0x8d/0x160\n kernel:  ? syscall_exit_to_user_mode+0x82/0x240\n kernel:  ? do_syscall_64+0x8d/0x160\n kernel:  ? exc_page_fault+0x69/0x150\n kernel:  entry_SYSCALL_64_after_hwframe+0x6e/0x76\n kernel: RIP: 0033:0x7ffbc0cb87c9\n kernel: Code: 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 96 0d 00 f7 d8 64 89 01 48\n kernel: RSP: 002b:00007ffc29d2f388 EFLAGS: 00000206 ORIG_RAX: 00000000000001af\n kernel: RAX: fffffffffff\n---truncated---(CVE-2024-26688)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nceph: prevent use-after-free in encode_cap_msg()\r\n\r\nIn fs/ceph/caps.c, in encode_cap_msg(), \"use after free\" error was\ncaught by KASAN at this line - 'ceph_buffer_get(arg->xattr_buf);'. This\nimplies before the refcount could be increment here, it was freed.\r\n\r\nIn same file, in \"handle_cap_grant()\" refcount is decremented by this\nline - 'ceph_buffer_put(ci->i_xattrs.blob);'. It appears that a race\noccurred and resource was freed by the latter line before the former\nline could increment it.\r\n\r\nencode_cap_msg() is called by __send_cap() and __send_cap() is called by\nceph_check_caps() after calling __prep_cap(). __prep_cap() is where\narg->xattr_buf is assigned to ci->i_xattrs.blob. This is the spot where\nthe refcount must be increased to prevent \"use after free\" error.(CVE-2024-26689)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: dev-replace: properly validate device names\r\n\r\nThere's a syzbot report that device name buffers passed to device\nreplace are not properly checked for string termination which could lead\nto a read out of bounds in getname_kernel().\r\n\r\nAdd a helper that validates both source and target device name buffers.\nFor devid as the source initialize the buffer to empty string in case\nsomething tries to read it later.\r\n\r\nThis was originally analyzed and fixed in a different way by Edward Adam\nDavis (see links).(CVE-2024-26791)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: fix double free of anonymous device after snapshot creation failure\r\n\r\nWhen creating a snapshot we may do a double free of an anonymous device\nin case there's an error committing the transaction. The second free may\nresult in freeing an anonymous device number that was allocated by some\nother subsystem in the kernel or another btrfs filesystem.\r\n\r\nThe steps that lead to this:\r\n\r\n1) At ioctl.c:create_snapshot() we allocate an anonymous device number\n   and assign it to pending_snapshot->anon_dev;\r\n\r\n2) Then we call btrfs_commit_transaction() and end up at\n   transaction.c:create_pending_snapshot();\r\n\r\n3) There we call btrfs_get_new_fs_root() and pass it the anonymous device\n   number stored in pending_snapshot->anon_dev;\r\n\r\n4) btrfs_get_new_fs_root() frees that anonymous device number because\n   btrfs_lookup_fs_root() returned a root - someone else did a lookup\n   of the new root already, which could some task doing backref walking;\r\n\r\n5) After that some error happens in the transaction commit path, and at\n   ioctl.c:create_snapshot() we jump to the 'fail' label, and after\n   that we free again the same anonymous device number, which in the\n   meanwhile may have been reallocated somewhere else, because\n   pending_snapshot->anon_dev still has the same value as in step 1.\r\n\r\nRecently syzbot ran into this and reported the following trace:\r\n\r\n  ------------[ cut here ]------------\n  ida_free called for id=51 which is not allocated.\n  WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525\n  Modules linked in:\n  CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\n  RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525\n  Code: 10 42 80 3c 28 (...)\n  RSP: 0018:ffffc90015a67300 EFLAGS: 00010246\n  RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000\n  RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000\n  RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4\n  R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246\n  R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246\n  FS:  00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0\n  Call Trace:\n   <TASK>\n   btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346\n   create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837\n   create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931\n   btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404\n   create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848\n   btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998\n   btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044\n   __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306\n   btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393\n   btrfs_ioctl+0xa74/0xd40\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:871 [inline]\n   __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857\n   do_syscall_64+0xfb/0x240\n   entry_SYSCALL_64_after_hwframe+0x6f/0x77\n  RIP: 0033:0x7fca3e67dda9\n  Code: 28 00 00 00 (...)\n  RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9\n  RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003\n  RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658\n   </TASK>\r\n\r\nWhere we get an explicit message where we attempt to free an anonymous\ndevice number that is not currently allocated. It happens in a different\ncode path from the example below, at btrfs_get_root_ref(), so this change\nmay not fix the case triggered by sy\n---truncated---(CVE-2024-26792)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: validate payload size in ipc response\r\n\r\nIf installing malicious ksmbd-tools, ksmbd.mountd can return invalid ipc\nresponse to ksmbd kernel server. ksmbd should validate payload size of\nipc response from ksmbd.mountd to avoid memory overrun or\nslab-out-of-bounds. This patch validate 3 ipc response that has payload.(CVE-2024-26811)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/pci: Create persistent INTx handler\r\n\r\nA vulnerability exists where the eventfd for INTx signaling can be\ndeconfigured, which unregisters the IRQ handler but still allows\neventfds to be signaled with a NULL context through the SET_IRQS ioctl\nor through unmask irqfd if the device interrupt is pending.\r\n\r\nIdeally this could be solved with some additional locking; the igate\nmutex serializes the ioctl and config space accesses, and the interrupt\nhandler is unregistered relative to the trigger, but the irqfd path\nruns asynchronous to those.  The igate mutex cannot be acquired from the\natomic context of the eventfd wake function.  Disabling the irqfd\nrelative to the eventfd registration is potentially incompatible with\nexisting userspace.\r\n\r\nAs a result, the solution implemented here moves configuration of the\nINTx interrupt handler to track the lifetime of the INTx context object\nand irq_type configuration, rather than registration of a particular\ntrigger eventfd.  Synchronization is added between the ioctl path and\neventfd_signal() wrapper such that the eventfd trigger can be\ndynamically updated relative to in-flight interrupts or irqfd callbacks.(CVE-2024-26812)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\namdkfd: use calloc instead of kzalloc to avoid integer overflow\r\n\r\nThis uses calloc instead of doing the multiplication which might\noverflow.(CVE-2024-26817)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncifs: fix underflow in parse_server_interfaces()\r\n\r\nIn this loop, we step through the buffer and after each item we check\nif the size_left is greater than the minimum size we need.  However,\nthe problem is that \"bytes_left\" is type ssize_t while sizeof() is type\nsize_t.  That means that because of type promotion, the comparison is\ndone as an unsigned and if we have negative bytes left the loop\ncontinues instead of ending.(CVE-2024-26828)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nIB/hfi1: Fix a memleak in init_credit_return\r\n\r\nWhen dma_alloc_coherent fails to allocate dd->cr_base[i].va,\ninit_credit_return should deallocate dd->cr_base and\ndd->cr_base[i] that allocated before. Or those resources\nwould be never freed and a memleak is triggered.(CVE-2024-26839)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncachefiles: fix memory leak in cachefiles_add_cache()\r\n\r\nThe following memory leak was reported after unbinding /dev/cachefiles:\r\n\r\n==================================================================\nunreferenced object 0xffff9b674176e3c0 (size 192):\n  comm \"cachefilesd2\", pid 680, jiffies 4294881224\n  hex dump (first 32 bytes):\n    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc ea38a44b):\n    [<ffffffff8eb8a1a5>] kmem_cache_alloc+0x2d5/0x370\n    [<ffffffff8e917f86>] prepare_creds+0x26/0x2e0\n    [<ffffffffc002eeef>] cachefiles_determine_cache_security+0x1f/0x120\n    [<ffffffffc00243ec>] cachefiles_add_cache+0x13c/0x3a0\n    [<ffffffffc0025216>] cachefiles_daemon_write+0x146/0x1c0\n    [<ffffffff8ebc4a3b>] vfs_write+0xcb/0x520\n    [<ffffffff8ebc5069>] ksys_write+0x69/0xf0\n    [<ffffffff8f6d4662>] do_syscall_64+0x72/0x140\n    [<ffffffff8f8000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n==================================================================\r\n\r\nPut the reference count of cache_cred in cachefiles_daemon_unbind() to\nfix the problem. And also put cache_cred in cachefiles_add_cache() error\nbranch to avoid memory leaks.(CVE-2024-26840)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nefi: runtime: Fix potential overflow of soft-reserved region size\r\n\r\nmd_size will have been narrowed if we have >= 4GB worth of pages in a\nsoft-reserved region.(CVE-2024-26843)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()\r\n\r\nThe function ice_bridge_setlink() may encounter a NULL pointer dereference\nif nlmsg_find_attr() returns NULL and br_spec is dereferenced subsequently\nin nla_for_each_nested(). To address this issue, add a check to ensure that\nbr_spec is not NULL before proceeding with the nested attribute iteration.(CVE-2024-26855)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nNFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102\r\n\r\nA call to listxattr() with a buffer size = 0 returns the actual\nsize of the buffer needed for a subsequent call. When size > 0,\nnfs4_listxattr() does not return an error because either\ngeneric_listxattr() or nfs4_listxattr_nfs4_label() consumes\nexactly all the bytes then size is 0 when calling\nnfs4_listxattr_nfs4_user() which then triggers the following\nkernel BUG:\r\n\r\n  [   99.403778] kernel BUG at mm/usercopy.c:102!\n  [   99.404063] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n  [   99.408463] CPU: 0 PID: 3310 Comm: python3 Not tainted 6.6.0-61.fc40.aarch64 #1\n  [   99.415827] Call trace:\n  [   99.415985]  usercopy_abort+0x70/0xa0\n  [   99.416227]  __check_heap_object+0x134/0x158\n  [   99.416505]  check_heap_object+0x150/0x188\n  [   99.416696]  __check_object_size.part.0+0x78/0x168\n  [   99.416886]  __check_object_size+0x28/0x40\n  [   99.417078]  listxattr+0x8c/0x120\n  [   99.417252]  path_listxattr+0x78/0xe0\n  [   99.417476]  __arm64_sys_listxattr+0x28/0x40\n  [   99.417723]  invoke_syscall+0x78/0x100\n  [   99.417929]  el0_svc_common.constprop.0+0x48/0xf0\n  [   99.418186]  do_el0_svc+0x24/0x38\n  [   99.418376]  el0_svc+0x3c/0x110\n  [   99.418554]  el0t_64_sync_handler+0x120/0x130\n  [   99.418788]  el0t_64_sync+0x194/0x198\n  [   99.418994] Code: aa0003e3 d000a3e0 91310000 97f49bdb (d4210000)\r\n\r\nIssue is reproduced when generic_listxattr() returns 'system.nfs4_acl',\nthus calling lisxattr() with size = 16 will trigger the bug.\r\n\r\nAdd check on nfs4_listxattr() to return ERANGE error when it is\ncalled with size > 0 and the return value is greater than size.(CVE-2024-26870)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: pvrusb2: fix uaf in pvr2_context_set_notify\r\n\r\n[Syzbot reported]\nBUG: KASAN: slab-use-after-free in pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35\nRead of size 4 at addr ffff888113aeb0d8 by task kworker/1:1/26\r\n\r\nCPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.8.0-rc1-syzkaller-00046-gf1a27f081c1f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0xc4/0x620 mm/kasan/report.c:488\n kasan_report+0xda/0x110 mm/kasan/report.c:601\n pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35\n pvr2_context_notify drivers/media/usb/pvrusb2/pvrusb2-context.c:95 [inline]\n pvr2_context_disconnect+0x94/0xb0 drivers/media/usb/pvrusb2/pvrusb2-context.c:272\r\n\r\nFreed by task 906:\nkasan_save_stack+0x33/0x50 mm/kasan/common.c:47\nkasan_save_track+0x14/0x30 mm/kasan/common.c:68\nkasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640\npoison_slab_object mm/kasan/common.c:241 [inline]\n__kasan_slab_free+0x106/0x1b0 mm/kasan/common.c:257\nkasan_slab_free include/linux/kasan.h:184 [inline]\nslab_free_hook mm/slub.c:2121 [inline]\nslab_free mm/slub.c:4299 [inline]\nkfree+0x105/0x340 mm/slub.c:4409\npvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:137 [inline]\npvr2_context_thread_func+0x69d/0x960 drivers/media/usb/pvrusb2/pvrusb2-context.c:158\r\n\r\n[Analyze]\nTask A set disconnect_flag = !0, which resulted in Task B's condition being met\nand releasing mp, leading to this issue.\r\n\r\n[Fix]\nPlace the disconnect_flag assignment operation after all code in pvr2_context_disconnect()\nto avoid this issue.(CVE-2024-26875)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nquota: Fix potential NULL pointer dereference\r\n\r\nBelow race may cause NULL pointer dereference\r\n\r\nP1\t\t\t\t\tP2\ndquot_free_inode\t\t\tquota_off\n\t\t\t\t\t  drop_dquot_ref\n\t\t\t\t\t   remove_dquot_ref\n\t\t\t\t\t   dquots = i_dquot(inode)\n  dquots = i_dquot(inode)\n  srcu_read_lock\n  dquots[cnt]) != NULL (1)\n\t\t\t\t\t     dquots[type] = NULL (2)\n  spin_lock(&dquots[cnt]->dq_dqb_lock) (3)\n   ....\r\n\r\nIf dquot_free_inode(or other routines) checks inode's quota pointers (1)\nbefore quota_off sets it to NULL(2) and use it (3) after that, NULL pointer\ndereference will be triggered.\r\n\r\nSo let's fix it by using a temporary pointer to avoid this issue.(CVE-2024-26878)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfirmware: arm_scmi: Fix double free in SMC transport cleanup path\r\n\r\nWhen the generic SCMI code tears down a channel, it calls the chan_free\ncallback function, defined by each transport. Since multiple protocols\nmight share the same transport_info member, chan_free() might want to\nclean up the same member multiple times within the given SCMI transport\nimplementation. In this case, it is SMC transport. This will lead to a NULL\npointer dereference at the second time:\r\n\r\n    | scmi_protocol scmi_dev.1: Enabled polling mode TX channel - prot_id:16\n    | arm-scmi firmware:scmi: SCMI Notifications - Core Enabled.\n    | arm-scmi firmware:scmi: unable to communicate with SCMI\n    | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n    | Mem abort info:\n    |   ESR = 0x0000000096000004\n    |   EC = 0x25: DABT (current EL), IL = 32 bits\n    |   SET = 0, FnV = 0\n    |   EA = 0, S1PTW = 0\n    |   FSC = 0x04: level 0 translation fault\n    | Data abort info:\n    |   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n    |   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n    |   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n    | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881ef8000\n    | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n    | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n    | Modules linked in:\n    | CPU: 4 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc2-00124-g455ef3d016c9-dirty #793\n    | Hardware name: FVP Base RevC (DT)\n    | pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n    | pc : smc_chan_free+0x3c/0x6c\n    | lr : smc_chan_free+0x3c/0x6c\n    | Call trace:\n    |  smc_chan_free+0x3c/0x6c\n    |  idr_for_each+0x68/0xf8\n    |  scmi_cleanup_channels.isra.0+0x2c/0x58\n    |  scmi_probe+0x434/0x734\n    |  platform_probe+0x68/0xd8\n    |  really_probe+0x110/0x27c\n    |  __driver_probe_device+0x78/0x12c\n    |  driver_probe_device+0x3c/0x118\n    |  __driver_attach+0x74/0x128\n    |  bus_for_each_dev+0x78/0xe0\n    |  driver_attach+0x24/0x30\n    |  bus_add_driver+0xe4/0x1e8\n    |  driver_register+0x60/0x128\n    |  __platform_driver_register+0x28/0x34\n    |  scmi_driver_init+0x84/0xc0\n    |  do_one_initcall+0x78/0x33c\n    |  kernel_init_freeable+0x2b8/0x51c\n    |  kernel_init+0x24/0x130\n    |  ret_from_fork+0x10/0x20\n    | Code: f0004701 910a0021 aa1403e5 97b91c70 (b9400280)\n    | ---[ end trace 0000000000000000 ]---\r\n\r\nSimply check for the struct pointer being NULL before trying to access\nits members, to avoid this situation.\r\n\r\nThis was found when a transport doesn't really work (for instance no SMC\nservice), the probe routines then tries to clean up, and triggers a crash.(CVE-2024-26893)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\naoe: fix the potential use-after-free problem in aoecmd_cfg_pkts\r\n\r\nThis patch is against CVE-2023-6270. The description of cve is:\r\n\r\n  A flaw was found in the ATA over Ethernet (AoE) driver in the Linux\n  kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on\n  `struct net_device`, and a use-after-free can be triggered by racing\n  between the free on the struct and the access through the `skbtxq`\n  global queue. This could lead to a denial of service condition or\n  potential code execution.\r\n\r\nIn aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial\ncode is finished. But the net_device ifp will still be used in\nlater tx()->dev_queue_xmit() in kthread. Which means that the\ndev_put(ifp) should NOT be called in the success path of skb\ninitial code in aoecmd_cfg_pkts(). Otherwise tx() may run into\nuse-after-free because the net_device is freed.\r\n\r\nThis patch removed the dev_put(ifp) in the success path in\naoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().(CVE-2024-26898)",
+    "cves": [
+      {
+        "id": "CVE-2024-26811",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26811",
+        "severity": "High"
+      },
+      {
+        "id": "CVE-2024-26898",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26898",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1269": {
+    "id": "openEuler-SA-2023-1269",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1269",
+    "title": "An update for git is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency. Git is easy to learn and has a tiny footprint with lightning fast performance. It outclasses SCM tools like Subversion, CVS, Perforce, and ClearCase with features like cheap local branching, convenient staging areas, and multiple workflows.\r\n\r\nSecurity Fix(es):\r\n\r\nGit is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the `*.rej` file exists.(CVE-2023-25652)\r\n\r\nIn Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to localize messages at all, and skips the gettext initialization. However, due to a change in MINGW-packages, the `gettext()` function's implicit initialization no longer uses the runtime prefix but uses the hard-coded path `C:\\mingw64\\share\\locale` to look for localized messages. And since any authenticated user has the permission to create folders in `C:\\` (and since `C:\\mingw64` does not typically exist), it is possible for low-privilege users to place fake messages in that location where `git.exe` will pick them up in version 2.40.1.\r\n\r\nThis vulnerability is relatively hard to exploit and requires social engineering. For example, a legitimate message at the end of a clone could be maliciously modified to ask the user to direct their web browser to a malicious website, and the user might think that the message comes from Git and is legitimate. It does require local write access by the attacker, though, which makes this attack vector less likely. Version 2.40.1 contains a patch for this issue. Some workarounds are available. Do not work on a Windows machine with shared accounts, or alternatively create a `C:\\mingw64` folder and leave it empty. Users who have administrative rights may remove the permission to create folders in `C:\\`.(CVE-2023-25815)\r\n\r\nGit is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`.(CVE-2023-29007)",
+    "cves": [
+      {
+        "id": "CVE-2023-29007",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29007",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1103": {
+    "id": "openEuler-SA-2023-1103",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1103",
+    "title": "An update for tar is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "GNU Tar provides the ability to create tar archives, as well as various other kinds of manipulation. For example, you can use Tar on previously created archives to extract files, to store additional files, or to update or list files which were already stored.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.(CVE-2022-48303)",
+    "cves": [
+      {
+        "id": "CVE-2022-48303",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48303",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1046": {
+    "id": "openEuler-SA-2023-1046",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1046",
+    "title": "An update for pkgconf is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "pkgconf is a program which helps to configure compiler and linker flags for development frameworks. It is similar to pkg-config from freedesktop.org, providing additional functionality while also maintaining compatibility.\r\n\r\nSecurity Fix(es):\r\n\r\nIn pkgconf through 1.9.3, variable duplication can cause unbounded string expansion due to incorrect checks in libpkgconf/tuple.c:pkgconf_tuple_parse. For example, a .pc file containing a few hundred bytes can expand to one billion bytes.(CVE-2023-24056)",
+    "cves": [
+      {
+        "id": "CVE-2023-24056",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24056",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1667": {
+    "id": "openEuler-SA-2023-1667",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1667",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel through 6.0.9. drivers/media/usb/ttusb-dec/ttusb_dec.c has a memory leak because of the lack of a dvb_frontend_detach call.(CVE-2022-45887)\r\n\r\n\nA division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality. \r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n(CVE-2023-20588)\r\n\r\nIn multiple functions  of io_uring.c, there is a possible kernel memory corruption due to improper locking. This could lead to local escalation of privilege in the kernel with System execution privileges needed. User interaction is not needed for exploitation.\r\n\r\n(CVE-2023-21400)\r\n\r\n** REJECT ** CVE-2023-4881 was wrongly assigned to a bug that was deemed to be a non-security issue by the Linux kernel security team.(CVE-2023-4881)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.\r\n\r\nWhen the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug and lack of error checking in agg_dequeue().\r\n\r\nWe recommend upgrading past commit 8fc134fee27f2263988ae38920bc03da416b03d8.\r\n\r\n(CVE-2023-4921)",
+    "cves": [
+      {
+        "id": "CVE-2023-4921",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4921",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1558": {
+    "id": "openEuler-SA-2023-1558",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1558",
+    "title": "An update for clamav is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Clam AntiVirus (clamav) is an open source antivirus engine for detecting trojans, viruses, malware and other malicious threats. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software. he virus database is based on the virus database from OpenAntiVirus, but contains additional signatures and is KEPT UP TO DATE.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability in the filesystem image parser for Hierarchical File System Plus (HFS+) of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.\r\n\r This vulnerability is due to an incorrect check for completion when a file is decompressed, which may result in a loop condition that could cause the affected software to stop responding. An attacker could exploit this vulnerability by submitting a crafted HFS+ filesystem image to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to stop responding, resulting in a DoS condition on the affected software and consuming available system resources.\r\n\r For a description of this vulnerability, see the ClamAV blog .(CVE-2023-20197)",
+    "cves": [
+      {
+        "id": "CVE-2023-20197",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20197",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1420": {
+    "id": "openEuler-SA-2021-1420",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1420",
+    "title": "An update for rubygem-excon is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "EXtended http(s) CONnections.\r\n\r\nSecurity Fix(es):\r\n\r\nIn RubyGem excon before 0.71.0, there was a race condition around persistent connections, where a connection which is interrupted (such as by a timeout) would leave data on the socket. Subsequent requests would then read this data, returning content from the previous response. The race condition window appears to be short, and it would be difficult to purposefully exploit this.(CVE-2019-16779)",
+    "cves": [
+      {
+        "id": "CVE-2019-16779",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16779",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1731": {
+    "id": "openEuler-SA-2024-1731",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1731",
+    "title": "An update for microcode_ctl is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "This is a tool to transform and deploy microcode update for x86 CPUs.\r\n\r\nSecurity Fix(es):\r\n\r\nHardware logic contains race conditions in some Intel(R) Processors may allow an authenticated user to potentially enable partial information disclosure via local access.(CVE-2023-45733)\r\n\r\nImproper input validation in some Intel(R) TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable escalation of privilege via local access.(CVE-2023-45745)\r\n\r\nSequence of processor instructions leads to unexpected behavior in Intel(R) Core(TM) Ultra Processors may allow an authenticated user to potentially enable denial of service via local access.(CVE-2023-46103)\r\n\r\nImproper input validation in some Intel(R) TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable escalation of privilege via local access.(CVE-2023-47855)",
+    "cves": [
+      {
+        "id": "CVE-2023-47855",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47855",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1053": {
+    "id": "openEuler-SA-2024-1053",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1053",
+    "title": "An update for python-pycryptodomex is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "PyCryptodome is a self-contained Python package of low-level cryptographic primitives.\r\n\r\nSecurity Fix(es):\r\n\r\nPyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.(CVE-2023-52323)",
+    "cves": [
+      {
+        "id": "CVE-2023-52323",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52323",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1936": {
+    "id": "openEuler-SA-2022-1936",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1936",
+    "title": "An update for docker is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Docker is an open source project to build, ship and run any application as a lightweight container.\r\n\r\nSecurity Fix(es):\r\n\r\nMoby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the `\"USER $USERNAME\"` Dockerfile instruction. Instead by calling `ENTRYPOINT [\"su\", \"-\", \"user\"]` the supplementary groups will be set up properly.(CVE-2022-36109)",
+    "cves": [
+      {
+        "id": "CVE-2022-36109",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36109",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1125": {
+    "id": "openEuler-SA-2023-1125",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1125",
+    "title": "An update for curl is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Curl package, where the HSTS mechanism could fail when multiple transfers are done in parallel, as the HSTS cache file gets overwritten by the most recently completed transfer. This issue may result in limited confidentiality and integrity.(CVE-2023-23915)\r\n\r\nA flaw was found in the Curl package, where the HSTS mechanism would be ignored by subsequent transfers when done on the same command line because the state would not be properly carried. This issue may result in limited confidentiality and integrity.(CVE-2023-23914)\r\n\r\ncurl supports \"chained\" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable \"links\" in this \"decompression chain\" was capped, but the cap was implemented on a per-header basis allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a \"malloc bomb\", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.(CVE-2023-23916)",
+    "cves": [
+      {
+        "id": "CVE-2023-23916",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23916",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1853": {
+    "id": "openEuler-SA-2023-1853",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1853",
+    "title": "An update for gdb is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "GDB, the GNU Project debugger, allows you to see what is going on inside another program while it executes -- or what another program was doing at the moment it crashed.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a heap use after free via the function add_pe_exported_sym() at /gdb/coff-pe-read.c.(CVE-2023-39129)",
+    "cves": [
+      {
+        "id": "CVE-2023-39129",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39129",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1861": {
+    "id": "openEuler-SA-2024-1861",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1861",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: fix slab out of bounds write in smb_inherit_dacl()\r\n\r\nslab out-of-bounds write is caused by that offsets is bigger than pntsd\nallocation size. This patch add the check to validate 3 offsets using\nallocation size.(CVE-2023-52755)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: compress: fix to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock\r\n\r\nIt needs to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock\nto avoid racing with checkpoint, otherwise, filesystem metadata including\nblkaddr in dnode, inode fields and .total_valid_block_count may be\ncorrupted after SPO case.(CVE-2024-34027)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnull_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'\r\n\r\nWriting 'power' and 'submit_queues' concurrently will trigger kernel\npanic:\r\n\r\nTest script:\r\n\r\nmodprobe null_blk nr_devices=0\nmkdir -p /sys/kernel/config/nullb/nullb0\nwhile true; do echo 1 > submit_queues; echo 4 > submit_queues; done &\nwhile true; do echo 1 > power; echo 0 > power; done\r\n\r\nTest result:\r\n\r\nBUG: kernel NULL pointer dereference, address: 0000000000000148\nOops: 0000 [#1] PREEMPT SMP\nRIP: 0010:__lock_acquire+0x41d/0x28f0\nCall Trace:\n <TASK>\n lock_acquire+0x121/0x450\n down_write+0x5f/0x1d0\n simple_recursive_removal+0x12f/0x5c0\n blk_mq_debugfs_unregister_hctxs+0x7c/0x100\n blk_mq_update_nr_hw_queues+0x4a3/0x720\n nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]\n nullb_device_submit_queues_store+0x79/0xf0 [null_blk]\n configfs_write_iter+0x119/0x1e0\n vfs_write+0x326/0x730\n ksys_write+0x74/0x150\r\n\r\nThis is because del_gendisk() can concurrent with\nblk_mq_update_nr_hw_queues():\r\n\r\nnullb_device_power_store\tnullb_apply_submit_queues\n null_del_dev\n del_gendisk\n\t\t\t\t nullb_update_nr_hw_queues\n\t\t\t\t  if (!dev->nullb)\n\t\t\t\t  // still set while gendisk is deleted\n\t\t\t\t   return 0\n\t\t\t\t  blk_mq_update_nr_hw_queues\n dev->nullb = NULL\r\n\r\nFix this problem by resuing the global mutex to protect\nnullb_device_power_store() and nullb_update_nr_hw_queues() from configfs.(CVE-2024-36478)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq\r\n\r\nUndefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called\nwith hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.\nIn that case, \"roundup_pow_of_two(hwq_attr->aux_stride)\" gets called.\nroundup_pow_of_two is documented as undefined for 0.\r\n\r\nFix it in the one caller that had this combination.\r\n\r\nThe undefined behavior was detected by UBSAN:\n  UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13\n  shift exponent 64 is too large for 64-bit type 'long unsigned int'\n  CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4\n  Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x5d/0x80\n   ubsan_epilogue+0x5/0x30\n   __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec\n   __roundup_pow_of_two+0x25/0x35 [bnxt_re]\n   bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]\n   bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]\n   bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? __kmalloc+0x1b6/0x4f0\n   ? create_qp.part.0+0x128/0x1c0 [ib_core]\n   ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]\n   create_qp.part.0+0x128/0x1c0 [ib_core]\n   ib_create_qp_kernel+0x50/0xd0 [ib_core]\n   create_mad_qp+0x8e/0xe0 [ib_core]\n   ? __pfx_qp_event_handler+0x10/0x10 [ib_core]\n   ib_mad_init_device+0x2be/0x680 [ib_core]\n   add_client_context+0x10d/0x1a0 [ib_core]\n   enable_device_and_get+0xe0/0x1d0 [ib_core]\n   ib_register_device+0x53c/0x630 [ib_core]\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   bnxt_re_probe+0xbd8/0xe50 [bnxt_re]\n   ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]\n   auxiliary_bus_probe+0x49/0x80\n   ? driver_sysfs_add+0x57/0xc0\n   really_probe+0xde/0x340\n   ? pm_runtime_barrier+0x54/0x90\n   ? __pfx___driver_attach+0x10/0x10\n   __driver_probe_device+0x78/0x110\n   driver_probe_device+0x1f/0xa0\n   __driver_attach+0xba/0x1c0\n   bus_for_each_dev+0x8f/0xe0\n   bus_add_driver+0x146/0x220\n   driver_register+0x72/0xd0\n   __auxiliary_driver_register+0x6e/0xd0\n   ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n   bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]\n   ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n   do_one_initcall+0x5b/0x310\n   do_init_module+0x90/0x250\n   init_module_from_file+0x86/0xc0\n   idempotent_init_module+0x121/0x2b0\n   __x64_sys_finit_module+0x5e/0xb0\n   do_syscall_64+0x82/0x160\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? syscall_exit_to_user_mode_prepare+0x149/0x170\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? syscall_exit_to_user_mode+0x75/0x230\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? do_syscall_64+0x8e/0x160\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? __count_memcg_events+0x69/0x100\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? count_memcg_events.constprop.0+0x1a/0x30\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? handle_mm_fault+0x1f0/0x300\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? do_user_addr_fault+0x34e/0x640\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7f4e5132821d\n  Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48\n  RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\n  RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d\n  RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b\n  RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0\n  R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d\n  R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60\n   </TASK>\n  ---[ end trace ]---(CVE-2024-38540)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: openvswitch: fix overwriting ct original tuple for ICMPv6\r\n\r\nOVS_PACKET_CMD_EXECUTE has 3 main attributes:\n - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format.\n - OVS_PACKET_ATTR_PACKET - Binary packet content.\n - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet.\r\n\r\nOVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure\nwith the metadata like conntrack state, input port, recirculation id,\netc.  Then the packet itself gets parsed to populate the rest of the\nkeys from the packet headers.\r\n\r\nWhenever the packet parsing code starts parsing the ICMPv6 header, it\nfirst zeroes out fields in the key corresponding to Neighbor Discovery\ninformation even if it is not an ND packet.\r\n\r\nIt is an 'ipv6.nd' field.  However, the 'ipv6' is a union that shares\nthe space between 'nd' and 'ct_orig' that holds the original tuple\nconntrack metadata parsed from the OVS_PACKET_ATTR_KEY.\r\n\r\nND packets should not normally have conntrack state, so it's fine to\nshare the space, but normal ICMPv6 Echo packets or maybe other types of\nICMPv6 can have the state attached and it should not be overwritten.\r\n\r\nThe issue results in all but the last 4 bytes of the destination\naddress being wiped from the original conntrack tuple leading to\nincorrect packet matching and potentially executing wrong actions\nin case this packet recirculates within the datapath or goes back\nto userspace.\r\n\r\nND fields should not be accessed in non-ND packets, so not clearing\nthem should be fine.  Executing memset() only for actual ND packets to\navoid the issue.\r\n\r\nInitializing the whole thing before parsing is needed because ND packet\nmay not contain all the options.\r\n\r\nThe issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't\naffect packets entering OVS datapath from network interfaces, because\nin this case CT metadata is populated from skb after the packet is\nalready parsed.(CVE-2024-38558)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngfs2: Fix potential glock use-after-free on unmount\r\n\r\nWhen a DLM lockspace is released and there ares still locks in that\nlockspace, DLM will unlock those locks automatically.  Commit\nfb6791d100d1b started exploiting this behavior to speed up filesystem\nunmount: gfs2 would simply free glocks it didn't want to unlock and then\nrelease the lockspace.  This didn't take the bast callbacks for\nasynchronous lock contention notifications into account, which remain\nactive until until a lock is unlocked or its lockspace is released.\r\n\r\nTo prevent those callbacks from accessing deallocated objects, put the\nglocks that should not be unlocked on the sd_dead_glocks list, release\nthe lockspace, and only then free those glocks.\r\n\r\nAs an additional measure, ignore unexpected ast and bast callbacks if\nthe receiving glock is dead.(CVE-2024-38570)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nr8169: Fix possible ring buffer corruption on fragmented Tx packets.\r\n\r\nAn issue was found on the RTL8125b when transmitting small fragmented\npackets, whereby invalid entries were inserted into the transmit ring\nbuffer, subsequently leading to calls to dma_unmap_single() with a null\naddress.\r\n\r\nThis was caused by rtl8169_start_xmit() not noticing changes to nr_frags\nwhich may occur when small packets are padded (to work around hardware\nquirks) in rtl8169_tso_csum_v2().\r\n\r\nTo fix this, postpone inspecting nr_frags until after any padding has been\napplied.(CVE-2024-38586)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: core: Fix NULL module pointer assignment at card init\r\n\r\nThe commit 81033c6b584b (\"ALSA: core: Warn on empty module\")\nintroduced a WARN_ON() for a NULL module pointer passed at snd_card\nobject creation, and it also wraps the code around it with '#ifdef\nMODULE'.  This works in most cases, but the devils are always in\ndetails.  \"MODULE\" is defined when the target code (i.e. the sound\ncore) is built as a module; but this doesn't mean that the caller is\nalso built-in or not.  Namely, when only the sound core is built-in\n(CONFIG_SND=y) while the driver is a module (CONFIG_SND_USB_AUDIO=m),\nthe passed module pointer is ignored even if it's non-NULL, and\ncard->module remains as NULL.  This would result in the missing module\nreference up/down at the device open/close, leading to a race with the\ncode execution after the module removal.\r\n\r\nFor addressing the bug, move the assignment of card->module again out\nof ifdef.  The WARN_ON() is still wrapped with ifdef because the\nmodule can be really NULL when all sound drivers are built-in.\r\n\r\nNote that we keep 'ifdef MODULE' for WARN_ON(), otherwise it would\nlead to a false-positive NULL module check.  Admittedly it won't catch\nperfectly, i.e. no check is performed when CONFIG_SND=y.  But, it's no\nreal problem as it's only for debugging, and the condition is pretty\nrare.(CVE-2024-38605)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/pci: fix potential memory leak in vfio_intx_enable()\r\n\r\nIf vfio_irq_ctx_alloc() failed will lead to 'name' memory leak.(CVE-2024-38632)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nkdb: Fix buffer overflow during tab-complete\r\n\r\nCurrently, when the user attempts symbol completion with the Tab key, kdb\nwill use strncpy() to insert the completed symbol into the command buffer.\nUnfortunately it passes the size of the source buffer rather than the\ndestination to strncpy() with predictably horrible results. Most obviously\nif the command buffer is already full but cp, the cursor position, is in\nthe middle of the buffer, then we will write past the end of the supplied\nbuffer.\r\n\r\nFix this by replacing the dubious strncpy() calls with memmove()/memcpy()\ncalls plus explicit boundary checks to make sure we have enough space\nbefore we start moving characters around.(CVE-2024-39480)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()\r\n\r\nIn function bond_option_arp_ip_targets_set(), if newval->string is an\nempty string, newval->string+1 will point to the byte after the\nstring, causing an out-of-bound read.\r\n\r\nBUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418\nRead of size 1 at addr ffff8881119c4781 by task syz-executor665/8107\nCPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:364 [inline]\n print_report+0xc1/0x5e0 mm/kasan/report.c:475\n kasan_report+0xbe/0xf0 mm/kasan/report.c:588\n strlen+0x7d/0xa0 lib/string.c:418\n __fortify_strlen include/linux/fortify-string.h:210 [inline]\n in4_pton+0xa3/0x3f0 net/core/utils.c:130\n bond_option_arp_ip_targets_set+0xc2/0x910\ndrivers/net/bonding/bond_options.c:1201\n __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767\n __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792\n bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817\n bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156\n dev_attr_store+0x54/0x80 drivers/base/core.c:2366\n sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136\n kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334\n call_write_iter include/linux/fs.h:2020 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x96a/0xd80 fs/read_write.c:584\n ksys_write+0x122/0x250 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n---[ end trace ]---\r\n\r\nFix it by adding a check of string length before using it.(CVE-2024-39487)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\narm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY\r\n\r\nWhen CONFIG_DEBUG_BUGVERBOSE=n, we fail to add necessary padding bytes\nto bug_table entries, and as a result the last entry in a bug table will\nbe ignored, potentially leading to an unexpected panic(). All prior\nentries in the table will be handled correctly.\r\n\r\nThe arm64 ABI requires that struct fields of up to 8 bytes are\nnaturally-aligned, with padding added within a struct such that struct\nare suitably aligned within arrays.\r\n\r\nWhen CONFIG_DEBUG_BUGVERPOSE=y, the layout of a bug_entry is:\r\n\r\n\tstruct bug_entry {\n\t\tsigned int      bug_addr_disp;\t// 4 bytes\n\t\tsigned int      file_disp;\t// 4 bytes\n\t\tunsigned short  line;\t\t// 2 bytes\n\t\tunsigned short  flags;\t\t// 2 bytes\n\t}\r\n\r\n... with 12 bytes total, requiring 4-byte alignment.\r\n\r\nWhen CONFIG_DEBUG_BUGVERBOSE=n, the layout of a bug_entry is:\r\n\r\n\tstruct bug_entry {\n\t\tsigned int      bug_addr_disp;\t// 4 bytes\n\t\tunsigned short  flags;\t\t// 2 bytes\n\t\t< implicit padding >\t\t// 2 bytes\n\t}\r\n\r\n... with 8 bytes total, with 6 bytes of data and 2 bytes of trailing\npadding, requiring 4-byte alginment.\r\n\r\nWhen we create a bug_entry in assembly, we align the start of the entry\nto 4 bytes, which implicitly handles padding for any prior entries.\nHowever, we do not align the end of the entry, and so when\nCONFIG_DEBUG_BUGVERBOSE=n, the final entry lacks the trailing padding\nbytes.\r\n\r\nFor the main kernel image this is not a problem as find_bug() doesn't\ndepend on the trailing padding bytes when searching for entries:\r\n\r\n\tfor (bug = __start___bug_table; bug < __stop___bug_table; ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\treturn bug;\r\n\r\nHowever for modules, module_bug_finalize() depends on the trailing\nbytes when calculating the number of entries:\r\n\r\n\tmod->num_bugs = sechdrs[i].sh_size / sizeof(struct bug_entry);\r\n\r\n... and as the last bug_entry lacks the necessary padding bytes, this entry\nwill not be counted, e.g. in the case of a single entry:\r\n\r\n\tsechdrs[i].sh_size == 6\n\tsizeof(struct bug_entry) == 8;\r\n\r\n\tsechdrs[i].sh_size / sizeof(struct bug_entry) == 0;\r\n\r\nConsequently module_find_bug() will miss the last bug_entry when it does:\r\n\r\n\tfor (i = 0; i < mod->num_bugs; ++i, ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\tgoto out;\r\n\r\n... which can lead to a kenrel panic due to an unhandled bug.\r\n\r\nThis can be demonstrated with the following module:\r\n\r\n\tstatic int __init buginit(void)\n\t{\n\t\tWARN(1, \"hello\\n\");\n\t\treturn 0;\n\t}\r\n\r\n\tstatic void __exit bugexit(void)\n\t{\n\t}\r\n\r\n\tmodule_init(buginit);\n\tmodule_exit(bugexit);\n\tMODULE_LICENSE(\"GPL\");\r\n\r\n... which will trigger a kernel panic when loaded:\r\n\r\n\t------------[ cut here ]------------\n\thello\n\tUnexpected kernel BRK exception at EL1\n\tInternal error: BRK handler: 00000000f2000800 [#1] PREEMPT SMP\n\tModules linked in: hello(O+)\n\tCPU: 0 PID: 50 Comm: insmod Tainted: G           O       6.9.1 #8\n\tHardware name: linux,dummy-virt (DT)\n\tpstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n\tpc : buginit+0x18/0x1000 [hello]\n\tlr : buginit+0x18/0x1000 [hello]\n\tsp : ffff800080533ae0\n\tx29: ffff800080533ae0 x28: 0000000000000000 x27: 0000000000000000\n\tx26: ffffaba8c4e70510 x25: ffff800080533c30 x24: ffffaba8c4a28a58\n\tx23: 0000000000000000 x22: 0000000000000000 x21: ffff3947c0eab3c0\n\tx20: ffffaba8c4e3f000 x19: ffffaba846464000 x18: 0000000000000006\n\tx17: 0000000000000000 x16: ffffaba8c2492834 x15: 0720072007200720\n\tx14: 0720072007200720 x13: ffffaba8c49b27c8 x12: 0000000000000312\n\tx11: 0000000000000106 x10: ffffaba8c4a0a7c8 x9 : ffffaba8c49b27c8\n\tx8 : 00000000ffffefff x7 : ffffaba8c4a0a7c8 x6 : 80000000fffff000\n\tx5 : 0000000000000107 x4 : 0000000000000000 x3 : 0000000000000000\n\tx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff3947c0eab3c0\n\tCall trace:\n\t buginit+0x18/0x1000 [hello]\n\t do_one_initcall+0x80/0x1c8\n\t do_init_module+0x60/0x218\n\t load_module+0x1ba4/0x1d70\n\t __do_sys_init_module+0x198/0x1d0\n\t __arm64_sys_init_module+0x1c/0x28\n\t invoke_syscall+0x48/0x114\n\t el0_svc\n---truncated---(CVE-2024-39488)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: sr: fix memleak in seg6_hmac_init_algo\r\n\r\nseg6_hmac_init_algo returns without cleaning up the previous allocations\nif one fails, so it's going to leak all that memory and the crypto tfms.\r\n\r\nUpdate seg6_hmac_exit to only free the memory when allocated, so we can\nreuse the code directly.(CVE-2024-39489)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsock_map: avoid race between sock_map_close and sk_psock_put\r\n\r\nsk_psock_get will return NULL if the refcount of psock has gone to 0, which\nwill happen when the last call of sk_psock_put is done. However,\nsk_psock_drop may not have finished yet, so the close callback will still\npoint to sock_map_close despite psock being NULL.\r\n\r\nThis can be reproduced with a thread deleting an element from the sock map,\nwhile the second one creates a socket, adds it to the map and closes it.\r\n\r\nThat will trigger the WARN_ON_ONCE:\r\n\r\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 7220 at net/core/sock_map.c:1701 sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701\nModules linked in:\nCPU: 1 PID: 7220 Comm: syz-executor380 Not tainted 6.9.0-syzkaller-07726-g3c999d1ae3c7 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nRIP: 0010:sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701\nCode: df e8 92 29 88 f8 48 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 79 29 88 f8 4c 8b 23 eb 89 e8 4f 15 23 f8 90 <0f> 0b 90 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 13 26 3d 02\nRSP: 0018:ffffc9000441fda8 EFLAGS: 00010293\nRAX: ffffffff89731ae1 RBX: ffffffff94b87540 RCX: ffff888029470000\nRDX: 0000000000000000 RSI: ffffffff8bcab5c0 RDI: ffffffff8c1faba0\nRBP: 0000000000000000 R08: ffffffff92f9b61f R09: 1ffffffff25f36c3\nR10: dffffc0000000000 R11: fffffbfff25f36c4 R12: ffffffff89731840\nR13: ffff88804b587000 R14: ffff88804b587000 R15: ffffffff89731870\nFS:  000055555e080380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000207d4000 CR4: 0000000000350ef0\nCall Trace:\n <TASK>\n unix_release+0x87/0xc0 net/unix/af_unix.c:1048\n __sock_release net/socket.c:659 [inline]\n sock_close+0xbe/0x240 net/socket.c:1421\n __fput+0x42b/0x8a0 fs/file_table.c:422\n __do_sys_close fs/open.c:1556 [inline]\n __se_sys_close fs/open.c:1541 [inline]\n __x64_sys_close+0x7f/0x110 fs/open.c:1541\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fb37d618070\nCode: 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d4 e8 10 2c 00 00 80 3d 31 f0 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c\nRSP: 002b:00007ffcd4a525d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000003\nRAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fb37d618070\nRDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000004\nRBP: 0000000000000000 R08: 0000000100000000 R09: 0000000100000000\nR10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n </TASK>\r\n\r\nUse sk_psock, which will only check that the pointer is not been set to\nNULL yet, which should only happen after the callbacks are restored. If,\nthen, a reference can still be gotten, we may call sk_psock_stop and cancel\npsock->work.\r\n\r\nAs suggested by Paolo Abeni, reorder the condition so the control flow is\nless convoluted.\r\n\r\nAfter that change, the reproducer does not trigger the WARN_ON_ONCE\nanymore.(CVE-2024-39500)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nionic: fix use after netif_napi_del()\r\n\r\nWhen queues are started, netif_napi_add() and napi_enable() are called.\nIf there are 4 queues and only 3 queues are used for the current\nconfiguration, only 3 queues' napi should be registered and enabled.\nThe ionic_qcq_enable() checks whether the .poll pointer is not NULL for\nenabling only the using queue' napi. Unused queues' napi will not be\nregistered by netif_napi_add(), so the .poll pointer indicates NULL.\nBut it couldn't distinguish whether the napi was unregistered or not\nbecause netif_napi_del() doesn't reset the .poll pointer to NULL.\nSo, ionic_qcq_enable() calls napi_enable() for the queue, which was\nunregistered by netif_napi_del().\r\n\r\nReproducer:\n   ethtool -L <interface name> rx 1 tx 1 combined 0\n   ethtool -L <interface name> rx 0 tx 0 combined 1\n   ethtool -L <interface name> rx 0 tx 0 combined 4\r\n\r\nSplat looks like:\nkernel BUG at net/core/dev.c:6666!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16\nWorkqueue: events ionic_lif_deferred_work [ionic]\nRIP: 0010:napi_enable+0x3b/0x40\nCode: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f\nRSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029\nRDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28\nRBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001\nR10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000\nR13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20\nFS:  0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? die+0x33/0x90\n ? do_trap+0xd9/0x100\n ? napi_enable+0x3b/0x40\n ? do_error_trap+0x83/0xb0\n ? napi_enable+0x3b/0x40\n ? napi_enable+0x3b/0x40\n ? exc_invalid_op+0x4e/0x70\n ? napi_enable+0x3b/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? napi_enable+0x3b/0x40\n ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n process_one_work+0x145/0x360\n worker_thread+0x2bb/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xcc/0x100\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2d/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30(CVE-2024-39502)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmptcp: ensure snd_una is properly initialized on connect\r\n\r\nThis is strictly related to commit fb7a0d334894 (\"mptcp: ensure snd_nxt\nis properly initialized on connect\"). It turns out that syzkaller can\ntrigger the retransmit after fallback and before processing any other\nincoming packet - so that snd_una is still left uninitialized.\r\n\r\nAddress the issue explicitly initializing snd_una together with snd_nxt\nand write_seq.(CVE-2024-40931)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nHID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()\r\n\r\nFix a memory leak on logi_dj_recv_send_report() error path.(CVE-2024-40934)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: remove clear SB_INLINECRYPT flag in default_options\r\n\r\nIn f2fs_remount, SB_INLINECRYPT flag will be clear and re-set.\nIf create new file or open file during this gap, these files\nwill not use inlinecrypt. Worse case, it may lead to data\ncorruption if wrappedkey_v0 is enable.\r\n\r\nThread A:                               Thread B:\r\n\r\n-f2fs_remount\t\t\t\t-f2fs_file_open or f2fs_new_inode\n  -default_options\n\t<- clear SB_INLINECRYPT flag\r\n\r\n                                          -fscrypt_select_encryption_impl\r\n\r\n  -parse_options\n\t<- set SB_INLINECRYPT again(CVE-2024-40971)",
+    "cves": [
+      {
+        "id": "CVE-2024-40971",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40971",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1089": {
+    "id": "openEuler-SA-2024-1089",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1089",
+    "title": "An update for libssh is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote programs. With its Secure FTP implementation, you can play with remote files easily, without third-party programs others than libcrypto (from openssl).\r\n\r\nSecurity Fix(es):\r\n\r\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795)\r\n\r\nA flaw was found in libssh. By utilizing the ProxyCommand or ProxyJump feature, users can exploit unchecked hostname syntax on the client. This issue may allow an attacker to inject malicious code into the command of the features mentioned through the hostname parameter.(CVE-2023-6004)",
+    "cves": [
+      {
+        "id": "CVE-2023-6004",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6004",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1045": {
+    "id": "openEuler-SA-2023-1045",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1045",
+    "title": "An update for python3 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces. This package Provides python version 3.\r\n\r\nSecurity Fix(es):\r\n\r\nThe Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.(CVE-2022-37454)",
+    "cves": [
+      {
+        "id": "CVE-2022-37454",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37454",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1799": {
+    "id": "openEuler-SA-2023-1799",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1799",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the USB subsystem in the Linux kernel through 6.4.2. There is an out-of-bounds and crash in read_descriptors in drivers/usb/core/sysfs.c.(CVE-2023-37453)\r\n\r\nAn issue was discovered in the Linux kernel before 6.5.9, exploitable by local users with userspace access to MMIO registers. Incorrect access checking in the #VC handler and instruction emulation of the SEV-ES emulation of MMIO accesses could lead to arbitrary write access to kernel memory (and thus privilege escalation). This depends on a race condition through which userspace can replace an instruction before the #VC handler reads it.(CVE-2023-46813)\r\n\r\nAn issue was discovered in the Linux kernel through 6.5.9. During a race with SQ thread exit, an io_uring/fdinfo.c io_uring_show_fdinfo NULL pointer dereference can occur.(CVE-2023-46862)\r\n\r\nA use-after-free vulnerability was found in drivers/nvme/target/tcp.c` in `nvmet_tcp_free_crypto` due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel. This issue may allow a malicious user to cause a use-after-free and double-free problem, which may permit remote code execution or lead to local privilege escalation in case that the attacker already has local privileges.(CVE-2023-5178)",
+    "cves": [
+      {
+        "id": "CVE-2023-5178",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5178",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1531": {
+    "id": "openEuler-SA-2022-1531",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1531",
+    "title": "An update for grafana is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Metrics dashboard and graph editor.\r\n\r\nSecurity Fix(es):\r\n\r\nGrafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user. This can allow API token holders to retrieve data for which they may not have intended access. This attack relies on the Grafana instance having data sources that support the Forward OAuth Identity feature, the Grafana instance having a data source with the Forward OAuth Identity feature toggled on, the Grafana instance having OAuth enabled, and the Grafana instance having usable API keys. This issue has been patched in versions 7.5.13 and 8.3.4.(CVE-2022-21673)",
+    "cves": [
+      {
+        "id": "CVE-2022-21673",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21673",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1563": {
+    "id": "openEuler-SA-2022-1563",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1563",
+    "title": "An update for xterm is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "It is a terminal emulator for the X Window System.\r\n\r\nSecurity Fix(es):\r\n\r\nxterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text.(CVE-2022-24130)",
+    "cves": [
+      {
+        "id": "CVE-2022-24130",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24130",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1364": {
+    "id": "openEuler-SA-2024-1364",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1364",
+    "title": "An update for rubygem-activestorage is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Attach cloud and local files in Rails applications.\r\n\r\nSecurity Fix(es):\r\n\r\nRails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7.(CVE-2024-26144)",
+    "cves": [
+      {
+        "id": "CVE-2024-26144",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26144",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1609": {
+    "id": "openEuler-SA-2023-1609",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1609",
+    "title": "An update for hyperscan is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Hyperscan is a high-performance multiple regex matching library. It follows the regular expression syntax of the commonly-used libpcre library, but is a standalone library with its own C API.\r\n\r\nSecurity Fix(es):\r\n\r\nInsufficient control flow management in the Hyperscan Library maintained by Intel(R) before version 5.4.1 may allow an authenticated user to potentially enable denial of service via local access.(CVE-2023-28711)",
+    "cves": [
+      {
+        "id": "CVE-2023-28711",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28711",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1707": {
+    "id": "openEuler-SA-2024-1707",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1707",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5e: Fix use-after-free of encap entry in neigh update handler\r\n\r\nFunction mlx5e_rep_neigh_update() wasn't updated to accommodate rtnl lock\nremoval from TC filter update path and properly handle concurrent encap\nentry insertion/deletion which can lead to following use-after-free:\r\n\r\n [23827.464923] ==================================================================\n [23827.469446] BUG: KASAN: use-after-free in mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.470971] Read of size 4 at addr ffff8881d132228c by task kworker/u20:6/21635\n [23827.472251]\n [23827.472615] CPU: 9 PID: 21635 Comm: kworker/u20:6 Not tainted 5.13.0-rc3+ #5\n [23827.473788] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n [23827.475639] Workqueue: mlx5e mlx5e_rep_neigh_update [mlx5_core]\n [23827.476731] Call Trace:\n [23827.477260]  dump_stack+0xbb/0x107\n [23827.477906]  print_address_description.constprop.0+0x18/0x140\n [23827.478896]  ? mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.479879]  ? mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.480905]  kasan_report.cold+0x7c/0xd8\n [23827.481701]  ? mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.482744]  kasan_check_range+0x145/0x1a0\n [23827.493112]  mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.494054]  ? mlx5e_tc_tun_encap_info_equal_generic+0x140/0x140 [mlx5_core]\n [23827.495296]  mlx5e_rep_neigh_update+0x41e/0x5e0 [mlx5_core]\n [23827.496338]  ? mlx5e_rep_neigh_entry_release+0xb80/0xb80 [mlx5_core]\n [23827.497486]  ? read_word_at_a_time+0xe/0x20\n [23827.498250]  ? strscpy+0xa0/0x2a0\n [23827.498889]  process_one_work+0x8ac/0x14e0\n [23827.499638]  ? lockdep_hardirqs_on_prepare+0x400/0x400\n [23827.500537]  ? pwq_dec_nr_in_flight+0x2c0/0x2c0\n [23827.501359]  ? rwlock_bug.part.0+0x90/0x90\n [23827.502116]  worker_thread+0x53b/0x1220\n [23827.502831]  ? process_one_work+0x14e0/0x14e0\n [23827.503627]  kthread+0x328/0x3f0\n [23827.504254]  ? _raw_spin_unlock_irq+0x24/0x40\n [23827.505065]  ? __kthread_bind_mask+0x90/0x90\n [23827.505912]  ret_from_fork+0x1f/0x30\n [23827.506621]\n [23827.506987] Allocated by task 28248:\n [23827.507694]  kasan_save_stack+0x1b/0x40\n [23827.508476]  __kasan_kmalloc+0x7c/0x90\n [23827.509197]  mlx5e_attach_encap+0xde1/0x1d40 [mlx5_core]\n [23827.510194]  mlx5e_tc_add_fdb_flow+0x397/0xc40 [mlx5_core]\n [23827.511218]  __mlx5e_add_fdb_flow+0x519/0xb30 [mlx5_core]\n [23827.512234]  mlx5e_configure_flower+0x191c/0x4870 [mlx5_core]\n [23827.513298]  tc_setup_cb_add+0x1d5/0x420\n [23827.514023]  fl_hw_replace_filter+0x382/0x6a0 [cls_flower]\n [23827.514975]  fl_change+0x2ceb/0x4a51 [cls_flower]\n [23827.515821]  tc_new_tfilter+0x89a/0x2070\n [23827.516548]  rtnetlink_rcv_msg+0x644/0x8c0\n [23827.517300]  netlink_rcv_skb+0x11d/0x340\n [23827.518021]  netlink_unicast+0x42b/0x700\n [23827.518742]  netlink_sendmsg+0x743/0xc20\n [23827.519467]  sock_sendmsg+0xb2/0xe0\n [23827.520131]  ____sys_sendmsg+0x590/0x770\n [23827.520851]  ___sys_sendmsg+0xd8/0x160\n [23827.521552]  __sys_sendmsg+0xb7/0x140\n [23827.522238]  do_syscall_64+0x3a/0x70\n [23827.522907]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n [23827.523797]\n [23827.524163] Freed by task 25948:\n [23827.524780]  kasan_save_stack+0x1b/0x40\n [23827.525488]  kasan_set_track+0x1c/0x30\n [23827.526187]  kasan_set_free_info+0x20/0x30\n [23827.526968]  __kasan_slab_free+0xed/0x130\n [23827.527709]  slab_free_freelist_hook+0xcf/0x1d0\n [23827.528528]  kmem_cache_free_bulk+0x33a/0x6e0\n [23827.529317]  kfree_rcu_work+0x55f/0xb70\n [23827.530024]  process_one_work+0x8ac/0x14e0\n [23827.530770]  worker_thread+0x53b/0x1220\n [23827.531480]  kthread+0x328/0x3f0\n [23827.532114]  ret_from_fork+0x1f/0x30\n [23827.532785]\n [23827.533147] Last potentially related work creation:\n [23827.534007]  kasan_save_stack+0x1b/0x40\n [23827.534710]  kasan_record_aux_stack+0xab/0xc0\n [23827.535492]  kvfree_call_rcu+0x31/0x7b0\n [23827.536206]  mlx5e_tc_del\n---truncated---(CVE-2021-47247)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nocteontx2-af: Fix possible null pointer dereference.\r\n\r\nThis patch fixes possible null pointer dereference in files\n\"rvu_debugfs.c\" and \"rvu_nix.c\"(CVE-2021-47484)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: stmmac: Disable Tx queues when reconfiguring the interface\r\n\r\nThe Tx queues were not disabled in situations where the driver needed to\nstop the interface to apply a new configuration. This could result in a\nkernel panic when doing any of the 3 following actions:\n* reconfiguring the number of queues (ethtool -L)\n* reconfiguring the size of the ring buffers (ethtool -G)\n* installing/removing an XDP program (ip l set dev ethX xdp)\r\n\r\nPrevent the panic by making sure netif_tx_disable is called when stopping\nan interface.\r\n\r\nWithout this patch, the following kernel panic can be observed when doing\nany of the actions above:\r\n\r\nUnable to handle kernel paging request at virtual address ffff80001238d040\n[....]\n Call trace:\n  dwmac4_set_addr+0x8/0x10\n  dev_hard_start_xmit+0xe4/0x1ac\n  sch_direct_xmit+0xe8/0x39c\n  __dev_queue_xmit+0x3ec/0xaf0\n  dev_queue_xmit+0x14/0x20\n[...]\n[ end trace 0000000000000002 ]---(CVE-2021-47558)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nice: Fix crash by keep old cfg when update TCs more than queues\r\n\r\nThere are problems if allocated queues less than Traffic Classes.\r\n\r\nCommit a632b2a4c920 (\"ice: ethtool: Prohibit improper channel config\nfor DCB\") already disallow setting less queues than TCs.\r\n\r\nAnother case is if we first set less queues, and later update more TCs\nconfig due to LLDP, ice_vsi_cfg_tc() will failed but left dirty\nnum_txq/rxq and tc_cfg in vsi, that will cause invalid pointer access.\r\n\r\n[   95.968089] ice 0000:3b:00.1: More TCs defined than queues/rings allocated.\n[   95.968092] ice 0000:3b:00.1: Trying to use more Rx queues (8), than were allocated (1)!\n[   95.968093] ice 0000:3b:00.1: Failed to config TC for VSI index: 0\n[   95.969621] general protection fault: 0000 [#1] SMP NOPTI\n[   95.969705] CPU: 1 PID: 58405 Comm: lldpad Kdump: loaded Tainted: G     U  W  O     --------- -t - 4.18.0 #1\n[   95.969867] Hardware name: O.E.M/BC11SPSCB10, BIOS 8.23 12/30/2021\n[   95.969992] RIP: 0010:devm_kmalloc+0xa/0x60\n[   95.970052] Code: 5c ff ff ff 31 c0 5b 5d 41 5c c3 b8 f4 ff ff ff eb f4 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 89 d1 <8b> 97 60 02 00 00 48 8d 7e 18 48 39 f7 72 3f 55 89 ce 53 48 8b 4c\n[   95.970344] RSP: 0018:ffffc9003f553888 EFLAGS: 00010206\n[   95.970425] RAX: dead000000000200 RBX: ffffea003c425b00 RCX: 00000000006080c0\n[   95.970536] RDX: 00000000006080c0 RSI: 0000000000000200 RDI: dead000000000200\n[   95.970648] RBP: dead000000000200 R08: 00000000000463c0 R09: ffff888ffa900000\n[   95.970760] R10: 0000000000000000 R11: 0000000000000002 R12: ffff888ff6b40100\n[   95.970870] R13: ffff888ff6a55018 R14: 0000000000000000 R15: ffff888ff6a55460\n[   95.970981] FS:  00007f51b7d24700(0000) GS:ffff88903ee80000(0000) knlGS:0000000000000000\n[   95.971108] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   95.971197] CR2: 00007fac5410d710 CR3: 0000000f2c1de002 CR4: 00000000007606e0\n[   95.971309] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[   95.971419] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[   95.971530] PKRU: 55555554\n[   95.971573] Call Trace:\n[   95.971622]  ice_setup_rx_ring+0x39/0x110 [ice]\n[   95.971695]  ice_vsi_setup_rx_rings+0x54/0x90 [ice]\n[   95.971774]  ice_vsi_open+0x25/0x120 [ice]\n[   95.971843]  ice_open_internal+0xb8/0x1f0 [ice]\n[   95.971919]  ice_ena_vsi+0x4f/0xd0 [ice]\n[   95.971987]  ice_dcb_ena_dis_vsi.constprop.5+0x29/0x90 [ice]\n[   95.972082]  ice_pf_dcb_cfg+0x29a/0x380 [ice]\n[   95.972154]  ice_dcbnl_setets+0x174/0x1b0 [ice]\n[   95.972220]  dcbnl_ieee_set+0x89/0x230\n[   95.972279]  ? dcbnl_ieee_del+0x150/0x150\n[   95.972341]  dcb_doit+0x124/0x1b0\n[   95.972392]  rtnetlink_rcv_msg+0x243/0x2f0\n[   95.972457]  ? dcb_doit+0x14d/0x1b0\n[   95.972510]  ? __kmalloc_node_track_caller+0x1d3/0x280\n[   95.972591]  ? rtnl_calcit.isra.31+0x100/0x100\n[   95.972661]  netlink_rcv_skb+0xcf/0xf0\n[   95.972720]  netlink_unicast+0x16d/0x220\n[   95.972781]  netlink_sendmsg+0x2ba/0x3a0\n[   95.975891]  sock_sendmsg+0x4c/0x50\n[   95.979032]  ___sys_sendmsg+0x2e4/0x300\n[   95.982147]  ? kmem_cache_alloc+0x13e/0x190\n[   95.985242]  ? __wake_up_common_lock+0x79/0x90\n[   95.988338]  ? __check_object_size+0xac/0x1b0\n[   95.991440]  ? _copy_to_user+0x22/0x30\n[   95.994539]  ? move_addr_to_user+0xbb/0xd0\n[   95.997619]  ? __sys_sendmsg+0x53/0x80\n[   96.000664]  __sys_sendmsg+0x53/0x80\n[   96.003747]  do_syscall_64+0x5b/0x1d0\n[   96.006862]  entry_SYSCALL_64_after_hwframe+0x65/0xca\r\n\r\nOnly update num_txq/rxq when passed check, and restore tc_cfg if setup\nqueue map failed.(CVE-2022-48652)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npipe: wakeup wr_wait after setting max_usage\r\n\r\nCommit c73be61cede5 (\"pipe: Add general notification queue support\") a\nregression was introduced that would lock up resized pipes under certain\nconditions. See the reproducer in [1].\r\n\r\nThe commit resizing the pipe ring size was moved to a different\nfunction, doing that moved the wakeup for pipe->wr_wait before actually\nraising pipe->max_usage. If a pipe was full before the resize occured it\nwould result in the wakeup never actually triggering pipe_write.\r\n\r\nSet @max_usage and @nr_accounted before waking writers if this isn't a\nwatch queue.\r\n\r\n[Christian Brauner <brauner@kernel.org>: rewrite to account for watch queues](CVE-2023-52672)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: scarlett2: Add missing error checks to *_ctl_get()\r\n\r\nThe *_ctl_get() functions which call scarlett2_update_*() were not\nchecking the return value. Fix to check the return value and pass to\nthe caller.(CVE-2023-52680)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc/powernv: Add a null pointer check in opal_event_init()\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.(CVE-2023-52686)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nACPI: video: check for error while searching for backlight device parent\r\n\r\nIf acpi_get_parent() called in acpi_video_dev_register_backlight()\nfails, for example, because acpi_ut_acquire_mutex() fails inside\nacpi_get_parent), this can lead to incorrect (uninitialized)\nacpi_parent handle being passed to acpi_get_pci_dev() for detecting\nthe parent pci device.\r\n\r\nCheck acpi_get_parent() result and set parent device only in case of success.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2023-52693)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nceph: blocklist the kclient when receiving corrupted snap trace\r\n\r\nWhen received corrupted snap trace we don't know what exactly has\nhappened in MDS side. And we shouldn't continue IOs and metadatas\naccess to MDS, which may corrupt or get incorrect contents.\r\n\r\nThis patch will just block all the further IO/MDS requests\nimmediately and then evict the kclient itself.\r\n\r\nThe reason why we still need to evict the kclient just after\nblocking all the further IOs is that the MDS could revoke the caps\nfaster.(CVE-2023-52732)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvirtio-blk: fix implicit overflow on virtio_max_dma_size\r\n\r\nThe following codes have an implicit conversion from size_t to u32:\n(u32)max_size = (size_t)virtio_max_dma_size(vdev);\r\n\r\nThis may lead overflow, Ex (size_t)4G -> (u32)0. Once\nvirtio_max_dma_size() has a larger size than U32_MAX, use U32_MAX\ninstead.(CVE-2023-52762)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/smc: avoid data corruption caused by decline\r\n\r\nWe found a data corruption issue during testing of SMC-R on Redis\napplications.\r\n\r\nThe benchmark has a low probability of reporting a strange error as\nshown below.\r\n\r\n\"Error: Protocol error, got \"\\xe2\" as reply type byte\"\r\n\r\nFinally, we found that the retrieved error data was as follows:\r\n\r\n0xE2 0xD4 0xC3 0xD9 0x04 0x00 0x2C 0x20 0xA6 0x56 0x00 0x16 0x3E 0x0C\n0xCB 0x04 0x02 0x01 0x00 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00\n0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xE2\r\n\r\nIt is quite obvious that this is a SMC DECLINE message, which means that\nthe applications received SMC protocol message.\nWe found that this was caused by the following situations:\r\n\r\nclient                  server\n        ¦  clc proposal\n        ------------->\n        ¦  clc accept\n        <-------------\n        ¦  clc confirm\n        ------------->\nwait llc confirm\n\t\t\tsend llc confirm\n        ¦failed llc confirm\n        ¦   x------\n(after 2s)timeout\n                        wait llc confirm rsp\r\n\r\nwait decline\r\n\r\n(after 1s) timeout\n                        (after 2s) timeout\n        ¦   decline\n        -------------->\n        ¦   decline\n        <--------------\r\n\r\nAs a result, a decline message was sent in the implementation, and this\nmessage was read from TCP by the already-fallback connection.\r\n\r\nThis patch double the client timeout as 2x of the server value,\nWith this simple change, the Decline messages should never cross or\ncollide (during Confirm link timeout).\r\n\r\nThis issue requires an immediate solution, since the protocol updates\ninvolve a more long-term solution.(CVE-2023-52775)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nSUNRPC: Fix RPC client cleaned up the freed pipefs dentries\r\n\r\nRPC client pipefs dentries cleanup is in separated rpc_remove_pipedir()\nworkqueue,which takes care about pipefs superblock locking.\nIn some special scenarios, when kernel frees the pipefs sb of the\ncurrent client and immediately alloctes a new pipefs sb,\nrpc_remove_pipedir function would misjudge the existence of pipefs\nsb which is not the one it used to hold. As a result,\nthe rpc_remove_pipedir would clean the released freed pipefs dentries.\r\n\r\nTo fix this issue, rpc_remove_pipedir should check whether the\ncurrent pipefs sb is consistent with the original pipefs sb.\r\n\r\nThis error can be catched by KASAN:\n=========================================================\n[  250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200\n[  250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503\n[  250.500549] Workqueue: events rpc_free_client_work\n[  250.501001] Call Trace:\n[  250.502880]  kasan_report+0xb6/0xf0\n[  250.503209]  ? dget_parent+0x195/0x200\n[  250.503561]  dget_parent+0x195/0x200\n[  250.503897]  ? __pfx_rpc_clntdir_depopulate+0x10/0x10\n[  250.504384]  rpc_rmdir_depopulate+0x1b/0x90\n[  250.504781]  rpc_remove_client_dir+0xf5/0x150\n[  250.505195]  rpc_free_client_work+0xe4/0x230\n[  250.505598]  process_one_work+0x8ee/0x13b0\n...\n[   22.039056] Allocated by task 244:\n[   22.039390]  kasan_save_stack+0x22/0x50\n[   22.039758]  kasan_set_track+0x25/0x30\n[   22.040109]  __kasan_slab_alloc+0x59/0x70\n[   22.040487]  kmem_cache_alloc_lru+0xf0/0x240\n[   22.040889]  __d_alloc+0x31/0x8e0\n[   22.041207]  d_alloc+0x44/0x1f0\n[   22.041514]  __rpc_lookup_create_exclusive+0x11c/0x140\n[   22.041987]  rpc_mkdir_populate.constprop.0+0x5f/0x110\n[   22.042459]  rpc_create_client_dir+0x34/0x150\n[   22.042874]  rpc_setup_pipedir_sb+0x102/0x1c0\n[   22.043284]  rpc_client_register+0x136/0x4e0\n[   22.043689]  rpc_new_client+0x911/0x1020\n[   22.044057]  rpc_create_xprt+0xcb/0x370\n[   22.044417]  rpc_create+0x36b/0x6c0\n...\n[   22.049524] Freed by task 0:\n[   22.049803]  kasan_save_stack+0x22/0x50\n[   22.050165]  kasan_set_track+0x25/0x30\n[   22.050520]  kasan_save_free_info+0x2b/0x50\n[   22.050921]  __kasan_slab_free+0x10e/0x1a0\n[   22.051306]  kmem_cache_free+0xa5/0x390\n[   22.051667]  rcu_core+0x62c/0x1930\n[   22.051995]  __do_softirq+0x165/0x52a\n[   22.052347]\n[   22.052503] Last potentially related work creation:\n[   22.052952]  kasan_save_stack+0x22/0x50\n[   22.053313]  __kasan_record_aux_stack+0x8e/0xa0\n[   22.053739]  __call_rcu_common.constprop.0+0x6b/0x8b0\n[   22.054209]  dentry_free+0xb2/0x140\n[   22.054540]  __dentry_kill+0x3be/0x540\n[   22.054900]  shrink_dentry_list+0x199/0x510\n[   22.055293]  shrink_dcache_parent+0x190/0x240\n[   22.055703]  do_one_tree+0x11/0x40\n[   22.056028]  shrink_dcache_for_umount+0x61/0x140\n[   22.056461]  generic_shutdown_super+0x70/0x590\n[   22.056879]  kill_anon_super+0x3a/0x60\n[   22.057234]  rpc_kill_sb+0x121/0x200(CVE-2023-52803)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/jfs: Add check for negative db_l2nbperpage\r\n\r\nl2nbperpage is log2(number of blks per page), and the minimum legal\nvalue should be 0, not negative.\r\n\r\nIn the case of l2nbperpage being negative, an error will occur\nwhen subsequently used as shift exponent.\r\n\r\nSyzbot reported this bug:\r\n\r\nUBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:799:12\nshift exponent -16777216 is negative(CVE-2023-52810)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc\r\n\r\nAny unprivileged user can attach N_GSM0710 ldisc, but it requires\nCAP_NET_ADMIN to create a GSM network anyway.\r\n\r\nRequire initial namespace CAP_NET_ADMIN to do that.(CVE-2023-52880)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: do not accept ACK of bytes we never sent\r\n\r\nThis patch is based on a detailed report and ideas from Yepeng Pan\nand Christian Rossow.\r\n\r\nACK seq validation is currently following RFC 5961 5.2 guidelines:\r\n\r\n   The ACK value is considered acceptable only if\n   it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <=\n   SND.NXT).  All incoming segments whose ACK value doesn't satisfy the\n   above condition MUST be discarded and an ACK sent back.  It needs to\n   be noted that RFC 793 on page 72 (fifth check) says: \"If the ACK is a\n   duplicate (SEG.ACK < SND.UNA), it can be ignored.  If the ACK\n   acknowledges something not yet sent (SEG.ACK > SND.NXT) then send an\n   ACK, drop the segment, and return\".  The \"ignored\" above implies that\n   the processing of the incoming data segment continues, which means\n   the ACK value is treated as acceptable.  This mitigation makes the\n   ACK check more stringent since any ACK < SND.UNA wouldn't be\n   accepted, instead only ACKs that are in the range ((SND.UNA -\n   MAX.SND.WND) <= SEG.ACK <= SND.NXT) get through.\r\n\r\nThis can be refined for new (and possibly spoofed) flows,\nby not accepting ACK for bytes that were never sent.\r\n\r\nThis greatly improves TCP security at a little cost.\r\n\r\nI added a Fixes: tag to make sure this patch will reach stable trees,\neven if the 'blamed' patch was adhering to the RFC.\r\n\r\ntp->bytes_acked was added in linux-4.2\r\n\r\nFollowing packetdrill test (courtesy of Yepeng Pan) shows\nthe issue at hand:\r\n\r\n0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3\n+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0\n+0 bind(3, ..., ...) = 0\n+0 listen(3, 1024) = 0\r\n\r\n// ---------------- Handshake ------------------- //\r\n\r\n// when window scale is set to 14 the window size can be extended to\n// 65535 * (2^14) = 1073725440. Linux would accept an ACK packet\n// with ack number in (Server_ISN+1-1073725440. Server_ISN+1)\n// ,though this ack number acknowledges some data never\n// sent by the server.\r\n\r\n+0 < S 0:0(0) win 65535 <mss 1400,nop,wscale 14>\n+0 > S. 0:0(0) ack 1 <...>\n+0 < . 1:1(0) ack 1 win 65535\n+0 accept(3, ..., ...) = 4\r\n\r\n// For the established connection, we send an ACK packet,\n// the ack packet uses ack number 1 - 1073725300 + 2^32,\n// where 2^32 is used to wrap around.\n// Note: we used 1073725300 instead of 1073725440 to avoid possible\n// edge cases.\n// 1 - 1073725300 + 2^32 = 3221241997\r\n\r\n// Oops, old kernels happily accept this packet.\n+0 < . 1:1001(1000) ack 3221241997 win 65535\r\n\r\n// After the kernel fix the following will be replaced by a challenge ACK,\n// and prior malicious frame would be dropped.\n+0 > . 1:1(0) ack 1001(CVE-2023-52881)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: set dormant flag on hook register failure\r\n\r\nWe need to set the dormant flag again if we fail to register\nthe hooks.\r\n\r\nDuring memory pressure hook registration can fail and we end up\nwith a table marked as active but no registered hooks.\r\n\r\nOn table/base chain deletion, nf_tables will attempt to unregister\nthe hook again which yields a warn splat from the nftables core.(CVE-2024-26835)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: hci_core: Fix possible buffer overflow\r\n\r\nstruct hci_dev_info has a fixed size name[8] field so in the event that\nhdev->name is bigger than that strcpy would attempt to write past its\nsize, so this fixes this problem by switching to use strscpy.(CVE-2024-26889)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nxen-netfront: Add missing skb_mark_for_recycle\r\n\r\nNotice that skb_mark_for_recycle() is introduced later than fixes tag in\ncommit 6a5bcd84e886 (\"page_pool: Allow drivers to hint on SKB recycling\").\r\n\r\nIt is believed that fixes tag were missing a call to page_pool_release_page()\nbetween v5.9 to v5.14, after which is should have used skb_mark_for_recycle().\nSince v6.6 the call page_pool_release_page() were removed (in\ncommit 535b9c61bdef (\"net: page_pool: hide page_pool_release_page()\")\nand remaining callers converted (in commit 6bfef2ec0172 (\"Merge branch\n'net-page_pool-remove-page_pool_release_page'\")).\r\n\r\nThis leak became visible in v6.8 via commit dba1b8a7ab68 (\"mm/page_pool: catch\npage_pool memory leaks\").(CVE-2024-27393)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nphonet/pep: fix racy skb_queue_empty() use\r\n\r\nThe receive queues are protected by their respective spin-lock, not\nthe socket lock. This could lead to skb_peek() unexpectedly\nreturning NULL or a pointer to an already dequeued socket buffer.(CVE-2024-27402)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: dw-edma: eDMA: Add sync read before starting the DMA transfer in remote setup\r\n\r\nThe Linked list element and pointer are not stored in the same memory as\nthe eDMA controller register. If the doorbell register is toggled before\nthe full write of the linked list a race condition error will occur.\nIn remote setup we can only use a readl to the memory to assure the full\nwrite has occurred.(CVE-2024-27408)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: typec: altmodes/displayport: create sysfs nodes as driver's default device attribute group\r\n\r\nThe DisplayPort driver's sysfs nodes may be present to the userspace before\ntypec_altmode_set_drvdata() completes in dp_altmode_probe. This means that\na sysfs read can trigger a NULL pointer error by deferencing dp->hpd in\nhpd_show or dp->lock in pin_assignment_show, as dev_get_drvdata() returns\nNULL in those cases.\r\n\r\nRemove manual sysfs node creation in favor of adding attribute group as\ndefault for devices bound to the driver. The ATTRIBUTE_GROUPS() macro is\nnot used here otherwise the path to the sysfs nodes is no longer compliant\nwith the ABI.(CVE-2024-35790)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nPCI/PM: Drain runtime-idle callbacks before driver removal\r\n\r\nA race condition between the .runtime_idle() callback and the .remove()\ncallback in the rtsx_pcr PCI driver leads to a kernel crash due to an\nunhandled page fault [1].\r\n\r\nThe problem is that rtsx_pci_runtime_idle() is not expected to be running\nafter pm_runtime_get_sync() has been called, but the latter doesn't really\nguarantee that.  It only guarantees that the suspend and resume callbacks\nwill not be running when it returns.\r\n\r\nHowever, if a .runtime_idle() callback is already running when\npm_runtime_get_sync() is called, the latter will notice that the runtime PM\nstatus of the device is RPM_ACTIVE and it will return right away without\nwaiting for the former to complete.  In fact, it cannot wait for\n.runtime_idle() to complete because it may be called from that callback (it\narguably does not make much sense to do that, but it is not strictly\nprohibited).\r\n\r\nThus in general, whoever is providing a .runtime_idle() callback needs\nto protect it from running in parallel with whatever code runs after\npm_runtime_get_sync().  [Note that .runtime_idle() will not start after\npm_runtime_get_sync() has returned, but it may continue running then if it\nhas started earlier.]\r\n\r\nOne way to address that race condition is to call pm_runtime_barrier()\nafter pm_runtime_get_sync() (not before it, because a nonzero value of the\nruntime PM usage counter is necessary to prevent runtime PM callbacks from\nbeing invoked) to wait for the .runtime_idle() callback to complete should\nit be running at that point.  A suitable place for doing that is in\npci_device_remove() which calls pm_runtime_get_sync() before removing the\ndriver, so it may as well call pm_runtime_barrier() subsequently, which\nwill prevent the race in question from occurring, not just in the rtsx_pcr\ndriver, but in any PCI drivers providing .runtime_idle() callbacks.(CVE-2024-35809)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach\r\n\r\nThis is the candidate patch of CVE-2023-47233 :\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-47233\r\n\r\nIn brcm80211 driver,it starts with the following invoking chain\nto start init a timeout worker:\r\n\r\n->brcmf_usb_probe\n  ->brcmf_usb_probe_cb\n    ->brcmf_attach\n      ->brcmf_bus_started\n        ->brcmf_cfg80211_attach\n          ->wl_init_priv\n            ->brcmf_init_escan\n              ->INIT_WORK(&cfg->escan_timeout_work,\n\t\t  brcmf_cfg80211_escan_timeout_worker);\r\n\r\nIf we disconnect the USB by hotplug, it will call\nbrcmf_usb_disconnect to make cleanup. The invoking chain is :\r\n\r\nbrcmf_usb_disconnect\n  ->brcmf_usb_disconnect_cb\n    ->brcmf_detach\n      ->brcmf_cfg80211_detach\n        ->kfree(cfg);\r\n\r\nWhile the timeout woker may still be running. This will cause\na use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.\r\n\r\nFix it by deleting the timer and canceling the worker in\nbrcmf_cfg80211_detach.\r\n\r\n[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free](CVE-2024-35811)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmlxsw: spectrum_acl_tcam: Fix memory leak during rehash\r\n\r\nThe rehash delayed work migrates filters from one region to another.\nThis is done by iterating over all chunks (all the filters with the same\npriority) in the region and in each chunk iterating over all the\nfilters.\r\n\r\nIf the migration fails, the code tries to migrate the filters back to\nthe old region. However, the rollback itself can also fail in which case\nanother migration will be erroneously performed. Besides the fact that\nthis ping pong is not a very good idea, it also creates a problem.\r\n\r\nEach virtual chunk references two chunks: The currently used one\n('vchunk->chunk') and a backup ('vchunk->chunk2'). During migration the\nfirst holds the chunk we want to migrate filters to and the second holds\nthe chunk we are migrating filters from.\r\n\r\nThe code currently assumes - but does not verify - that the backup chunk\ndoes not exist (NULL) if the currently used chunk does not reference the\ntarget region. This assumption breaks when we are trying to rollback a\nrollback, resulting in the backup chunk being overwritten and leaked\n[1].\r\n\r\nFix by not rolling back a failed rollback and add a warning to avoid\nfuture cases.\r\n\r\n[1]\nWARNING: CPU: 5 PID: 1063 at lib/parman.c:291 parman_destroy+0x17/0x20\nModules linked in:\nCPU: 5 PID: 1063 Comm: kworker/5:11 Tainted: G        W          6.9.0-rc2-custom-00784-gc6a05c468a0b #14\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:parman_destroy+0x17/0x20\n[...]\nCall Trace:\n <TASK>\n mlxsw_sp_acl_atcam_region_fini+0x19/0x60\n mlxsw_sp_acl_tcam_region_destroy+0x49/0xf0\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x1f1/0x470\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n </TASK>(CVE-2024-35853)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash\r\n\r\nThe rehash delayed work migrates filters from one region to another\naccording to the number of available credits.\r\n\r\nThe migrated from region is destroyed at the end of the work if the\nnumber of credits is non-negative as the assumption is that this is\nindicative of migration being complete. This assumption is incorrect as\na non-negative number of credits can also be the result of a failed\nmigration.\r\n\r\nThe destruction of a region that still has filters referencing it can\nresult in a use-after-free [1].\r\n\r\nFix by not destroying the region if migration failed.\r\n\r\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230\nRead of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858\r\n\r\nCPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G        W          6.9.0-rc2-custom-00782-gf2275c2157d8 #5\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nCall Trace:\n <TASK>\n dump_stack_lvl+0xc6/0x120\n print_report+0xce/0x670\n kasan_report+0xd7/0x110\n mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230\n mlxsw_sp_acl_ctcam_entry_del+0x2e/0x70\n mlxsw_sp_acl_atcam_entry_del+0x81/0x210\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3cd/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n </TASK>\r\n\r\nAllocated by task 174:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n __kmalloc+0x19c/0x360\n mlxsw_sp_acl_tcam_region_create+0xdf/0x9c0\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x954/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\r\n\r\nFreed by task 7:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n poison_slab_object+0x102/0x170\n __kasan_slab_free+0x14/0x30\n kfree+0xc1/0x290\n mlxsw_sp_acl_tcam_region_destroy+0x272/0x310\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x731/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30(CVE-2024-35854)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nriscv: process: Fix kernel gp leakage\r\n\r\nchildregs represents the registers which are active for the new thread\nin user context. For a kernel thread, childregs->gp is never used since\nthe kernel gp is not touched by switch_to. For a user mode helper, the\ngp value can be observed in user space after execve or possibly by other\nmeans.\r\n\r\n[From the email thread]\r\n\r\nThe /* Kernel thread */ comment is somewhat inaccurate in that it is also used\nfor user_mode_helper threads, which exec a user process, e.g. /sbin/init or\nwhen /proc/sys/kernel/core_pattern is a pipe. Such threads do not have\nPF_KTHREAD set and are valid targets for ptrace etc. even before they exec.\r\n\r\nchildregs is the *user* context during syscall execution and it is observable\nfrom userspace in at least five ways:\r\n\r\n1. kernel_execve does not currently clear integer registers, so the starting\n   register state for PID 1 and other user processes started by the kernel has\n   sp = user stack, gp = kernel __global_pointer$, all other integer registers\n   zeroed by the memset in the patch comment.\r\n\r\n   This is a bug in its own right, but I'm unwilling to bet that it is the only\n   way to exploit the issue addressed by this patch.\r\n\r\n2. ptrace(PTRACE_GETREGSET): you can PTRACE_ATTACH to a user_mode_helper thread\n   before it execs, but ptrace requires SIGSTOP to be delivered which can only\n   happen at user/kernel boundaries.\r\n\r\n3. /proc/*/task/*/syscall: this is perfectly happy to read pt_regs for\n   user_mode_helpers before the exec completes, but gp is not one of the\n   registers it returns.\r\n\r\n4. PERF_SAMPLE_REGS_USER: LOCKDOWN_PERF normally prevents access to kernel\n   addresses via PERF_SAMPLE_REGS_INTR, but due to this bug kernel addresses\n   are also exposed via PERF_SAMPLE_REGS_USER which is permitted under\n   LOCKDOWN_PERF. I have not attempted to write exploit code.\r\n\r\n5. Much of the tracing infrastructure allows access to user registers. I have\n   not attempted to determine which forms of tracing allow access to user\n   registers without already allowing access to kernel registers.(CVE-2024-35871)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nerspan: make sure erspan_base_hdr is present in skb->head\r\n\r\nsyzbot reported a problem in ip6erspan_rcv() [1]\r\n\r\nIssue is that ip6erspan_rcv() (and erspan_rcv()) no longer make\nsure erspan_base_hdr is present in skb linear part (skb->head)\nbefore getting @ver field from it.\r\n\r\nAdd the missing pskb_may_pull() calls.\r\n\r\nv2: Reload iph pointer in erspan_rcv() after pskb_may_pull()\n    because skb->head might have changed.\r\n\r\n[1]\r\n\r\n BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\n BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline]\n BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\n BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\n  pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\n  pskb_may_pull include/linux/skbuff.h:2756 [inline]\n  ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\n  gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\n  ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438\n  ip6_input_finish net/ipv6/ip6_input.c:483 [inline]\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\n  ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\n  dst_input include/net/dst.h:460 [inline]\n  ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310\n  __netif_receive_skb_one_core net/core/dev.c:5538 [inline]\n  __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652\n  netif_receive_skb_internal net/core/dev.c:5738 [inline]\n  netif_receive_skb+0x58/0x660 net/core/dev.c:5798\n  tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549\n  tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n  call_write_iter include/linux/fs.h:2108 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0xb63/0x1520 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xe0 fs/read_write.c:652\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nUninit was created at:\n  slab_post_alloc_hook mm/slub.c:3804 [inline]\n  slab_alloc_node mm/slub.c:3845 [inline]\n  kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n  __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n  alloc_skb include/linux/skbuff.h:1318 [inline]\n  alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n  sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n  tun_alloc_skb drivers/net/tun.c:1525 [inline]\n  tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846\n  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n  call_write_iter include/linux/fs.h:2108 [inline]\n  new_sync_write fs/read_write.c:497 [inline]\n  vfs_write+0xb63/0x1520 fs/read_write.c:590\n  ksys_write+0x20f/0x4c0 fs/read_write.c:643\n  __do_sys_write fs/read_write.c:655 [inline]\n  __se_sys_write fs/read_write.c:652 [inline]\n  __x64_sys_write+0x93/0xe0 fs/read_write.c:652\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nCPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0(CVE-2024-35888)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf, sockmap: Prevent lock inversion deadlock in map delete elem\r\n\r\nsyzkaller started using corpuses where a BPF tracing program deletes\nelements from a sockmap/sockhash map. Because BPF tracing programs can be\ninvoked from any interrupt context, locks taken during a map_delete_elem\noperation must be hardirq-safe. Otherwise a deadlock due to lock inversion\nis possible, as reported by lockdep:\r\n\r\n       CPU0                    CPU1\n       ----                    ----\n  lock(&htab->buckets[i].lock);\n                               local_irq_disable();\n                               lock(&host->lock);\n                               lock(&htab->buckets[i].lock);\n  <Interrupt>\n    lock(&host->lock);\r\n\r\nLocks in sockmap are hardirq-unsafe by design. We expects elements to be\ndeleted from sockmap/sockhash only in task (normal) context with interrupts\nenabled, or in softirq context.\r\n\r\nDetect when map_delete_elem operation is invoked from a context which is\n_not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an\nerror.\r\n\r\nNote that map updates are not affected by this issue. BPF verifier does not\nallow updating sockmap/sockhash from a BPF tracing program today.(CVE-2024-35895)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: validate user input for expected length\r\n\r\nI got multiple syzbot reports showing old bugs exposed\nby BPF after commit 20f2505fb436 (\"bpf: Try to avoid kzalloc\nin cgroup/{s,g}etsockopt\")\r\n\r\nsetsockopt() @optlen argument should be taken into account\nbefore copying data.\r\n\r\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\n BUG: KASAN: slab-out-of-bounds in do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\nRead of size 96 at addr ffff88802cd73da0 by task syz-executor.4/7238\r\n\r\nCPU: 1 PID: 7238 Comm: syz-executor.4 Not tainted 6.9.0-rc2-next-20240403-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:488\n  kasan_report+0x143/0x180 mm/kasan/report.c:601\n  kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n  __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105\n  copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n  copy_from_sockptr include/linux/sockptr.h:55 [inline]\n  do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\n  do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\n  nf_setsockopt+0x295/0x2c0 net/netfilter/nf_sockopt.c:101\n  do_sock_setsockopt+0x3af/0x720 net/socket.c:2311\n  __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n  __do_sys_setsockopt net/socket.c:2343 [inline]\n  __se_sys_setsockopt net/socket.c:2340 [inline]\n  __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x72/0x7a\nRIP: 0033:0x7fd22067dde9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fd21f9ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 00007fd2207abf80 RCX: 00007fd22067dde9\nRDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003\nRBP: 00007fd2206ca47a R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000020000880 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007fd2207abf80 R15: 00007ffd2d0170d8\n </TASK>\r\n\r\nAllocated by task 7238:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\n  __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\n  kasan_kmalloc include/linux/kasan.h:211 [inline]\n  __do_kmalloc_node mm/slub.c:4069 [inline]\n  __kmalloc_noprof+0x200/0x410 mm/slub.c:4082\n  kmalloc_noprof include/linux/slab.h:664 [inline]\n  __cgroup_bpf_run_filter_setsockopt+0xd47/0x1050 kernel/bpf/cgroup.c:1869\n  do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\n  __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n  __do_sys_setsockopt net/socket.c:2343 [inline]\n  __se_sys_setsockopt net/socket.c:2340 [inline]\n  __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x72/0x7a\r\n\r\nThe buggy address belongs to the object at ffff88802cd73da0\n which belongs to the cache kmalloc-8 of size 8\nThe buggy address is located 0 bytes inside of\n allocated 1-byte region [ffff88802cd73da0, ffff88802cd73da1)\r\n\r\nThe buggy address belongs to the physical page:\npage: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802cd73020 pfn:0x2cd73\nflags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff)\npage_type: 0xffffefff(slab)\nraw: 00fff80000000000 ffff888015041280 dead000000000100 dead000000000122\nraw: ffff88802cd73020 000000008080007f 00000001ffffefff 00\n---truncated---(CVE-2024-35896)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Protect against int overflow for stack access size\r\n\r\nThis patch re-introduces protection against the size of access to stack\nmemory being negative; the access size can appear negative as a result\nof overflowing its signed int representation. This should not actually\nhappen, as there are other protections along the way, but we should\nprotect against it anyway. One code path was missing such protections\n(fixed in the previous patch in the series), causing out-of-bounds array\naccesses in check_stack_range_initialized(). This patch causes the\nverification of a program with such a non-sensical access size to fail.\r\n\r\nThis check used to exist in a more indirect way, but was inadvertendly\nremoved in a833a17aeac7.(CVE-2024-35905)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: typec: ucsi: Limit read size on v1.2\r\n\r\nBetween UCSI 1.2 and UCSI 2.0, the size of the MESSAGE_IN region was\nincreased from 16 to 256. In order to avoid overflowing reads for older\nsystems, add a mechanism to use the read UCSI version to truncate read\nsizes on UCSI v1.2.(CVE-2024-35924)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: SCO: Fix not validating setsockopt user input\r\n\r\nsyzbot reported sco_sock_setsockopt() is copying data without\nchecking user input length.\r\n\r\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset\ninclude/linux/sockptr.h:49 [inline]\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr\ninclude/linux/sockptr.h:55 [inline]\nBUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90\nnet/bluetooth/sco.c:893\nRead of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578(CVE-2024-35967)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngeneve: fix header validation in geneve[6]_xmit_skb\r\n\r\nsyzbot is able to trigger an uninit-value in geneve_xmit() [1]\r\n\r\nProblem : While most ip tunnel helpers (like ip_tunnel_get_dsfield())\nuses skb_protocol(skb, true), pskb_inet_may_pull() is only using\nskb->protocol.\r\n\r\nIf anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol,\npskb_inet_may_pull() does nothing at all.\r\n\r\nIf a vlan tag was provided by the caller (af_packet in the syzbot case),\nthe network header might not point to the correct location, and skb\nlinear part could be smaller than expected.\r\n\r\nAdd skb_vlan_inet_prepare() to perform a complete mac validation.\r\n\r\nUse this in geneve for the moment, I suspect we need to adopt this\nmore broadly.\r\n\r\nv4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest\n   - Only call __vlan_get_protocol() for vlan types.\r\n\r\nv2,v3 - Addressed Sabrina comments on v1 and v2\r\n\r\n[1]\r\n\r\nBUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n  geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n  geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n  __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n  netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n  xmit_one net/core/dev.c:3531 [inline]\n  dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\n  __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335\n  dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n  packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\n  packet_snd net/packet/af_packet.c:3081 [inline]\n  packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:745\n  __sys_sendto+0x685/0x830 net/socket.c:2191\n  __do_sys_sendto net/socket.c:2203 [inline]\n  __se_sys_sendto net/socket.c:2199 [inline]\n  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nUninit was created at:\n  slab_post_alloc_hook mm/slub.c:3804 [inline]\n  slab_alloc_node mm/slub.c:3845 [inline]\n  kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n  __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n  alloc_skb include/linux/skbuff.h:1318 [inline]\n  alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n  sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n  packet_alloc_skb net/packet/af_packet.c:2930 [inline]\n  packet_snd net/packet/af_packet.c:3024 [inline]\n  packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:745\n  __sys_sendto+0x685/0x830 net/socket.c:2191\n  __do_sys_sendto net/socket.c:2203 [inline]\n  __se_sys_sendto net/socket.c:2199 [inline]\n  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nCPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024(CVE-2024-35973)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbatman-adv: Avoid infinite loop trying to resize local TT\r\n\r\nIf the MTU of one of an attached interface becomes too small to transmit\nthe local translation table then it must be resized to fit inside all\nfragments (when enabled) or a single packet.\r\n\r\nBut if the MTU becomes too low to transmit even the header + the VLAN\nspecific part then the resizing of the local TT will never succeed. This\ncan for example happen when the usable space is 110 bytes and 11 VLANs are\non top of batman-adv. In this case, at least 116 byte would be needed.\nThere will just be an endless spam of\r\n\r\n   batman_adv: batadv0: Forced to purge local tt entries to fit new maximum fragment MTU (110)\r\n\r\nin the log but the function will never finish. Problem here is that the\ntimeout will be halved all the time and will then stagnate at 0 and\ntherefore never be able to reduce the table even more.\r\n\r\nThere are other scenarios possible with a similar result. The number of\nBATADV_TT_CLIENT_NOPURGE entries in the local TT can for example be too\nhigh to fit inside a packet. Such a scenario can therefore happen also with\nonly a single VLAN + 7 non-purgable addresses - requiring at least 120\nbytes.\r\n\r\nWhile this should be handled proactively when:\r\n\r\n* interface with too low MTU is added\n* VLAN is added\n* non-purgeable local mac is added\n* MTU of an attached interface is reduced\n* fragmentation setting gets disabled (which most likely requires dropping\n  attached interfaces)\r\n\r\nnot all of these scenarios can be prevented because batman-adv is only\nconsuming events without the the possibility to prevent these actions\n(non-purgable MAC address added, MTU of an attached interface is reduced).\nIt is therefore necessary to also make sure that the code is able to handle\nalso the situations when there were already incompatible system\nconfiguration are present.(CVE-2024-35982)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni2c: smbus: fix NULL function pointer dereference\r\n\r\nBaruch reported an OOPS when using the designware controller as target\nonly. Target-only modes break the assumption of one transfer function\nalways being available. Fix this by always checking the pointer in\n__i2c_transfer.\r\n\r\n[wsa: dropped the simplification in core-smbus to avoid theoretical regressions](CVE-2024-35984)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nrtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation\r\n\r\nEach attribute inside a nested IFLA_VF_VLAN_LIST is assumed to be a\nstruct ifla_vf_vlan_info so the size of such attribute needs to be at least\nof sizeof(struct ifla_vf_vlan_info) which is 14 bytes.\nThe current size validation in do_setvfinfo is against NLA_HDRLEN (4 bytes)\nwhich is less than sizeof(struct ifla_vf_vlan_info) so this validation\nis not enough and a too small attribute might be cast to a\nstruct ifla_vf_vlan_info, this might result in an out of bands\nread access when accessing the saved (casted) entry in ivvl.(CVE-2024-36017)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmmc: sdhci-msm: pervent access to suspended controller\r\n\r\nGeneric sdhci code registers LED device and uses host->runtime_suspended\nflag to protect access to it. The sdhci-msm driver doesn't set this flag,\nwhich causes a crash when LED is accessed while controller is runtime\nsuspended. Fix this by setting the flag correctly.(CVE-2024-36029)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: fix out-of-bounds access in ops_init\r\n\r\nnet_alloc_generic is called by net_alloc, which is called without any\nlocking. It reads max_gen_ptrs, which is changed under pernet_ops_rwsem. It\nis read twice, first to allocate an array, then to set s.len, which is\nlater used to limit the bounds of the array access.\r\n\r\nIt is possible that the array is allocated and another thread is\nregistering a new pernet ops, increments max_gen_ptrs, which is then used\nto set s.len with a larger than allocated length for the variable array.\r\n\r\nFix it by reading max_gen_ptrs only once in net_alloc_generic. If\nmax_gen_ptrs is later incremented, it will be caught in net_assign_generic.(CVE-2024-36883)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntipc: fix UAF in error path\r\n\r\nSam Page (sam4k) working with Trend Micro Zero Day Initiative reported\na UAF in the tipc_buf_append() error path:\r\n\r\nBUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0\nlinux/net/core/skbuff.c:1183\nRead of size 8 at addr ffff88804d2a7c80 by task poc/8034\r\n\r\nCPU: 1 PID: 8034 Comm: poc Not tainted 6.8.2 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.0-debian-1.16.0-5 04/01/2014\nCall Trace:\n <IRQ>\n __dump_stack linux/lib/dump_stack.c:88\n dump_stack_lvl+0xd9/0x1b0 linux/lib/dump_stack.c:106\n print_address_description linux/mm/kasan/report.c:377\n print_report+0xc4/0x620 linux/mm/kasan/report.c:488\n kasan_report+0xda/0x110 linux/mm/kasan/report.c:601\n kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183\n skb_release_data+0x5af/0x880 linux/net/core/skbuff.c:1026\n skb_release_all linux/net/core/skbuff.c:1094\n __kfree_skb linux/net/core/skbuff.c:1108\n kfree_skb_reason+0x12d/0x210 linux/net/core/skbuff.c:1144\n kfree_skb linux/./include/linux/skbuff.h:1244\n tipc_buf_append+0x425/0xb50 linux/net/tipc/msg.c:186\n tipc_link_input+0x224/0x7c0 linux/net/tipc/link.c:1324\n tipc_link_rcv+0x76e/0x2d70 linux/net/tipc/link.c:1824\n tipc_rcv+0x45f/0x10f0 linux/net/tipc/node.c:2159\n tipc_udp_recv+0x73b/0x8f0 linux/net/tipc/udp_media.c:390\n udp_queue_rcv_one_skb+0xad2/0x1850 linux/net/ipv4/udp.c:2108\n udp_queue_rcv_skb+0x131/0xb00 linux/net/ipv4/udp.c:2186\n udp_unicast_rcv_skb+0x165/0x3b0 linux/net/ipv4/udp.c:2346\n __udp4_lib_rcv+0x2594/0x3400 linux/net/ipv4/udp.c:2422\n ip_protocol_deliver_rcu+0x30c/0x4e0 linux/net/ipv4/ip_input.c:205\n ip_local_deliver_finish+0x2e4/0x520 linux/net/ipv4/ip_input.c:233\n NF_HOOK linux/./include/linux/netfilter.h:314\n NF_HOOK linux/./include/linux/netfilter.h:308\n ip_local_deliver+0x18e/0x1f0 linux/net/ipv4/ip_input.c:254\n dst_input linux/./include/net/dst.h:461\n ip_rcv_finish linux/net/ipv4/ip_input.c:449\n NF_HOOK linux/./include/linux/netfilter.h:314\n NF_HOOK linux/./include/linux/netfilter.h:308\n ip_rcv+0x2c5/0x5d0 linux/net/ipv4/ip_input.c:569\n __netif_receive_skb_one_core+0x199/0x1e0 linux/net/core/dev.c:5534\n __netif_receive_skb+0x1f/0x1c0 linux/net/core/dev.c:5648\n process_backlog+0x101/0x6b0 linux/net/core/dev.c:5976\n __napi_poll.constprop.0+0xba/0x550 linux/net/core/dev.c:6576\n napi_poll linux/net/core/dev.c:6645\n net_rx_action+0x95a/0xe90 linux/net/core/dev.c:6781\n __do_softirq+0x21f/0x8e7 linux/kernel/softirq.c:553\n do_softirq linux/kernel/softirq.c:454\n do_softirq+0xb2/0xf0 linux/kernel/softirq.c:441\n </IRQ>\n <TASK>\n __local_bh_enable_ip+0x100/0x120 linux/kernel/softirq.c:381\n local_bh_enable linux/./include/linux/bottom_half.h:33\n rcu_read_unlock_bh linux/./include/linux/rcupdate.h:851\n __dev_queue_xmit+0x871/0x3ee0 linux/net/core/dev.c:4378\n dev_queue_xmit linux/./include/linux/netdevice.h:3169\n neigh_hh_output linux/./include/net/neighbour.h:526\n neigh_output linux/./include/net/neighbour.h:540\n ip_finish_output2+0x169f/0x2550 linux/net/ipv4/ip_output.c:235\n __ip_finish_output linux/net/ipv4/ip_output.c:313\n __ip_finish_output+0x49e/0x950 linux/net/ipv4/ip_output.c:295\n ip_finish_output+0x31/0x310 linux/net/ipv4/ip_output.c:323\n NF_HOOK_COND linux/./include/linux/netfilter.h:303\n ip_output+0x13b/0x2a0 linux/net/ipv4/ip_output.c:433\n dst_output linux/./include/net/dst.h:451\n ip_local_out linux/net/ipv4/ip_output.c:129\n ip_send_skb+0x3e5/0x560 linux/net/ipv4/ip_output.c:1492\n udp_send_skb+0x73f/0x1530 linux/net/ipv4/udp.c:963\n udp_sendmsg+0x1a36/0x2b40 linux/net/ipv4/udp.c:1250\n inet_sendmsg+0x105/0x140 linux/net/ipv4/af_inet.c:850\n sock_sendmsg_nosec linux/net/socket.c:730\n __sock_sendmsg linux/net/socket.c:745\n __sys_sendto+0x42c/0x4e0 linux/net/socket.c:2191\n __do_sys_sendto linux/net/socket.c:2203\n __se_sys_sendto linux/net/socket.c:2199\n __x64_sys_sendto+0xe0/0x1c0 linux/net/socket.c:2199\n do_syscall_x64 linux/arch/x86/entry/common.c:52\n do_syscall_\n---truncated---(CVE-2024-36886)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmptcp: ensure snd_nxt is properly initialized on connect\r\n\r\nChristoph reported a splat hinting at a corrupted snd_una:\r\n\r\n  WARNING: CPU: 1 PID: 38 at net/mptcp/protocol.c:1005 __mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\n  Modules linked in:\n  CPU: 1 PID: 38 Comm: kworker/1:1 Not tainted 6.9.0-rc1-gbbeac67456c9 #59\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\n  Workqueue: events mptcp_worker\n  RIP: 0010:__mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\n  Code: be 06 01 00 00 bf 06 01 00 00 e8 a8 12 e7 fe e9 00 fe ff ff e8\n  \t8e 1a e7 fe 0f b7 ab 3e 02 00 00 e9 d3 fd ff ff e8 7d 1a e7 fe\n  \t<0f> 0b 4c 8b bb e0 05 00 00 e9 74 fc ff ff e8 6a 1a e7 fe 0f 0b e9\n  RSP: 0018:ffffc9000013fd48 EFLAGS: 00010293\n  RAX: 0000000000000000 RBX: ffff8881029bd280 RCX: ffffffff82382fe4\n  RDX: ffff8881003cbd00 RSI: ffffffff823833c3 RDI: 0000000000000001\n  RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\n  R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888138ba8000\n  R13: 0000000000000106 R14: ffff8881029bd908 R15: ffff888126560000\n  FS:  0000000000000000(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f604a5dae38 CR3: 0000000101dac002 CR4: 0000000000170ef0\n  Call Trace:\n   <TASK>\n   __mptcp_clean_una_wakeup net/mptcp/protocol.c:1055 [inline]\n   mptcp_clean_una_wakeup net/mptcp/protocol.c:1062 [inline]\n   __mptcp_retrans+0x7f/0x7e0 net/mptcp/protocol.c:2615\n   mptcp_worker+0x434/0x740 net/mptcp/protocol.c:2767\n   process_one_work+0x1e0/0x560 kernel/workqueue.c:3254\n   process_scheduled_works kernel/workqueue.c:3335 [inline]\n   worker_thread+0x3c7/0x640 kernel/workqueue.c:3416\n   kthread+0x121/0x170 kernel/kthread.c:388\n   ret_from_fork+0x44/0x50 arch/x86/kernel/process.c:147\n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243\n   </TASK>\r\n\r\nWhen fallback to TCP happens early on a client socket, snd_nxt\nis not yet initialized and any incoming ack will copy such value\ninto snd_una. If the mptcp worker (dumbly) tries mptcp-level\nre-injection after such ack, that would unconditionally trigger a send\nbuffer cleanup using 'bad' snd_una values.\r\n\r\nWe could easily disable re-injection for fallback sockets, but such\ndumb behavior already helped catching a few subtle issues and a very\nlow to zero impact in practice.\r\n\r\nInstead address the issue always initializing snd_nxt (and write_seq,\nfor consistency) at connect time.(CVE-2024-36889)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngpiolib: cdev: fix uninitialised kfifo\r\n\r\nIf a line is requested with debounce, and that results in debouncing\nin software, and the line is subsequently reconfigured to enable edge\ndetection then the allocation of the kfifo to contain edge events is\noverlooked.  This results in events being written to and read from an\nuninitialised kfifo.  Read events are returned to userspace.\r\n\r\nInitialise the kfifo in the case where the software debounce is\nalready active.(CVE-2024-36898)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngpiolib: cdev: Fix use after free in lineinfo_changed_notify\r\n\r\nThe use-after-free issue occurs as follows: when the GPIO chip device file\nis being closed by invoking gpio_chrdev_release(), watched_lines is freed\nby bitmap_free(), but the unregistration of lineinfo_changed_nb notifier\nchain failed due to waiting write rwsem. Additionally, one of the GPIO\nchip's lines is also in the release process and holds the notifier chain's\nread rwsem. Consequently, a race condition leads to the use-after-free of\nwatched_lines.\r\n\r\nHere is the typical stack when issue happened:\r\n\r\n[free]\ngpio_chrdev_release()\n  --> bitmap_free(cdev->watched_lines)                  <-- freed\n  --> blocking_notifier_chain_unregister()\n    --> down_write(&nh->rwsem)                          <-- waiting rwsem\n          --> __down_write_common()\n            --> rwsem_down_write_slowpath()\n                  --> schedule_preempt_disabled()\n                    --> schedule()\r\n\r\n[use]\nst54spi_gpio_dev_release()\n  --> gpio_free()\n    --> gpiod_free()\n      --> gpiod_free_commit()\n        --> gpiod_line_state_notify()\n          --> blocking_notifier_call_chain()\n            --> down_read(&nh->rwsem);                  <-- held rwsem\n            --> notifier_call_chain()\n              --> lineinfo_changed_notify()\n                --> test_bit(xxxx, cdev->watched_lines) <-- use after free\r\n\r\nThe side effect of the use-after-free issue is that a GPIO line event is\nbeing generated for userspace where it shouldn't. However, since the chrdev\nis being closed, userspace won't have the chance to read that event anyway.\r\n\r\nTo fix the issue, call the bitmap_free() function after the unregistration\nof lineinfo_changed_nb notifier chain.(CVE-2024-36899)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: prevent NULL dereference in ip6_output()\r\n\r\nAccording to syzbot, there is a chance that ip6_dst_idev()\nreturns NULL in ip6_output(). Most places in IPv6 stack\ndeal with a NULL idev just fine, but not here.\r\n\r\nsyzbot reported:\r\n\r\ngeneral protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]\nCPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237\nCode: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff\nRSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202\nRAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000\nRDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48\nRBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad\nR10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0\nR13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000\nFS:  00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n  NF_HOOK include/linux/netfilter.h:314 [inline]\n  ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358\n  sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248\n  sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653\n  sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783\n  sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline]\n  sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212\n  sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]\n  sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169\n  sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73\n  __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234\n  sctp_connect net/sctp/socket.c:4819 [inline]\n  sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834\n  __sys_connect_file net/socket.c:2048 [inline]\n  __sys_connect+0x2df/0x310 net/socket.c:2065\n  __do_sys_connect net/socket.c:2075 [inline]\n  __se_sys_connect net/socket.c:2072 [inline]\n  __x64_sys_connect+0x7a/0x90 net/socket.c:2072\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f(CVE-2024-36901)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()\r\n\r\nsyzbot is able to trigger the following crash [1],\ncaused by unsafe ip6_dst_idev() use.\r\n\r\nIndeed ip6_dst_idev() can return NULL, and must always be checked.\r\n\r\n[1]\r\n\r\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 0 PID: 31648 Comm: syz-executor.0 Not tainted 6.9.0-rc4-next-20240417-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:__fib6_rule_action net/ipv6/fib6_rules.c:237 [inline]\n RIP: 0010:fib6_rule_action+0x241/0x7b0 net/ipv6/fib6_rules.c:267\nCode: 02 00 00 49 8d 9f d8 00 00 00 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 f9 32 bf f7 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 e0 32 bf f7 4c 8b 03 48 89 ef 4c\nRSP: 0018:ffffc9000fc1f2f0 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 1a772f98c8186700\nRDX: 0000000000000003 RSI: ffffffff8bcac4e0 RDI: ffffffff8c1f9760\nRBP: ffff8880673fb980 R08: ffffffff8fac15ef R09: 1ffffffff1f582bd\nR10: dffffc0000000000 R11: fffffbfff1f582be R12: dffffc0000000000\nR13: 0000000000000080 R14: ffff888076509000 R15: ffff88807a029a00\nFS:  00007f55e82ca6c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b31d23000 CR3: 0000000022b66000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n  fib_rules_lookup+0x62c/0xdb0 net/core/fib_rules.c:317\n  fib6_rule_lookup+0x1fd/0x790 net/ipv6/fib6_rules.c:108\n  ip6_route_output_flags_noref net/ipv6/route.c:2637 [inline]\n  ip6_route_output_flags+0x38e/0x610 net/ipv6/route.c:2649\n  ip6_route_output include/net/ip6_route.h:93 [inline]\n  ip6_dst_lookup_tail+0x189/0x11a0 net/ipv6/ip6_output.c:1120\n  ip6_dst_lookup_flow+0xb9/0x180 net/ipv6/ip6_output.c:1250\n  sctp_v6_get_dst+0x792/0x1e20 net/sctp/ipv6.c:326\n  sctp_transport_route+0x12c/0x2e0 net/sctp/transport.c:455\n  sctp_assoc_add_peer+0x614/0x15c0 net/sctp/associola.c:662\n  sctp_connect_new_asoc+0x31d/0x6c0 net/sctp/socket.c:1099\n  __sctp_connect+0x66d/0xe30 net/sctp/socket.c:1197\n  sctp_connect net/sctp/socket.c:4819 [inline]\n  sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834\n  __sys_connect_file net/socket.c:2048 [inline]\n  __sys_connect+0x2df/0x310 net/socket.c:2065\n  __do_sys_connect net/socket.c:2075 [inline]\n  __se_sys_connect net/socket.c:2072 [inline]\n  __x64_sys_connect+0x7a/0x90 net/socket.c:2072\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f(CVE-2024-36902)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: Fix potential uninit-value access in __ip6_make_skb()\r\n\r\nAs it was done in commit fc1092f51567 (\"ipv4: Fix uninit-value access in\n__ip_make_skb()\") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6->flowi6_flags\ninstead of testing HDRINCL on the socket to avoid a race condition which\ncauses uninit-value access.(CVE-2024-36903)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nARM: 9381/1: kasan: clear stale stack poison\r\n\r\nWe found below OOB crash:\r\n\r\n[   33.452494] ==================================================================\n[   33.453513] BUG: KASAN: stack-out-of-bounds in refresh_cpu_vm_stats.constprop.0+0xcc/0x2ec\n[   33.454660] Write of size 164 at addr c1d03d30 by task swapper/0/0\n[   33.455515]\n[   33.455767] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G           O       6.1.25-mainline #1\n[   33.456880] Hardware name: Generic DT based system\n[   33.457555]  unwind_backtrace from show_stack+0x18/0x1c\n[   33.458326]  show_stack from dump_stack_lvl+0x40/0x4c\n[   33.459072]  dump_stack_lvl from print_report+0x158/0x4a4\n[   33.459863]  print_report from kasan_report+0x9c/0x148\n[   33.460616]  kasan_report from kasan_check_range+0x94/0x1a0\n[   33.461424]  kasan_check_range from memset+0x20/0x3c\n[   33.462157]  memset from refresh_cpu_vm_stats.constprop.0+0xcc/0x2ec\n[   33.463064]  refresh_cpu_vm_stats.constprop.0 from tick_nohz_idle_stop_tick+0x180/0x53c\n[   33.464181]  tick_nohz_idle_stop_tick from do_idle+0x264/0x354\n[   33.465029]  do_idle from cpu_startup_entry+0x20/0x24\n[   33.465769]  cpu_startup_entry from rest_init+0xf0/0xf4\n[   33.466528]  rest_init from arch_post_acpi_subsys_init+0x0/0x18\n[   33.467397]\n[   33.467644] The buggy address belongs to stack of task swapper/0/0\n[   33.468493]  and is located at offset 112 in frame:\n[   33.469172]  refresh_cpu_vm_stats.constprop.0+0x0/0x2ec\n[   33.469917]\n[   33.470165] This frame has 2 objects:\n[   33.470696]  [32, 76) 'global_zone_diff'\n[   33.470729]  [112, 276) 'global_node_diff'\n[   33.471294]\n[   33.472095] The buggy address belongs to the physical page:\n[   33.472862] page:3cd72da8 refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x41d03\n[   33.473944] flags: 0x1000(reserved|zone=0)\n[   33.474565] raw: 00001000 ed741470 ed741470 00000000 00000000 00000000 ffffffff 00000001\n[   33.475656] raw: 00000000\n[   33.476050] page dumped because: kasan: bad access detected\n[   33.476816]\n[   33.477061] Memory state around the buggy address:\n[   33.477732]  c1d03c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[   33.478630]  c1d03c80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00\n[   33.479526] >c1d03d00: 00 04 f2 f2 f2 f2 00 00 00 00 00 00 f1 f1 f1 f1\n[   33.480415]                                                ^\n[   33.481195]  c1d03d80: 00 00 00 00 00 00 00 00 00 00 04 f3 f3 f3 f3 f3\n[   33.482088]  c1d03e00: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00\n[   33.482978] ==================================================================\r\n\r\nWe find the root cause of this OOB is that arm does not clear stale stack\npoison in the case of cpuidle.\r\n\r\nThis patch refer to arch/arm64/kernel/sleep.S to resolve this issue.\r\n\r\nFrom cited commit [1] that explain the problem\r\n\r\nFunctions which the compiler has instrumented for KASAN place poison on\nthe stack shadow upon entry and remove this poison prior to returning.\r\n\r\nIn the case of cpuidle, CPUs exit the kernel a number of levels deep in\nC code.  Any instrumented functions on this critical path will leave\nportions of the stack shadow poisoned.\r\n\r\nIf CPUs lose context and return to the kernel via a cold path, we\nrestore a prior context saved in __cpu_suspend_enter are forgotten, and\nwe never remove the poison they placed in the stack shadow area by\nfunctions calls between this and the actual exit of the kernel.\r\n\r\nThus, (depending on stackframe layout) subsequent calls to instrumented\nfunctions may hit this stale poison, resulting in (spurious) KASAN\nsplats to the console.\r\n\r\nTo avoid this, clear any stale poison from the idle thread for a CPU\nprior to bringing a CPU online.\r\n\r\nFrom cited commit [2]\r\n\r\nExtend to check for CONFIG_KASAN_STACK\r\n\r\n[1] commit 0d97e6d8024c (\"arm64: kasan: clear stale stack poison\")\n[2] commit d56a9ef84bd0 (\"kasan, arm64: unpoison stack only with CONFIG_KASAN_STACK\")(CVE-2024-36906)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblk-iocost: do not WARN if iocg was already offlined\r\n\r\nIn iocg_pay_debt(), warn is triggered if 'active_list' is empty, which\nis intended to confirm iocg is active when it has debt. However, warn\ncan be triggered during a blkcg or disk removal, if iocg_waitq_timer_fn()\nis run at that time:\r\n\r\n  WARNING: CPU: 0 PID: 2344971 at block/blk-iocost.c:1402 iocg_pay_debt+0x14c/0x190\n  Call trace:\n  iocg_pay_debt+0x14c/0x190\n  iocg_kick_waitq+0x438/0x4c0\n  iocg_waitq_timer_fn+0xd8/0x130\n  __run_hrtimer+0x144/0x45c\n  __hrtimer_run_queues+0x16c/0x244\n  hrtimer_interrupt+0x2cc/0x7b0\r\n\r\nThe warn in this situation is meaningless. Since this iocg is being\nremoved, the state of the 'active_list' is irrelevant, and 'waitq_timer'\nis canceled after removing 'active_list' in ioc_pd_free(), which ensures\niocg is freed after iocg_waitq_timer_fn() returns.\r\n\r\nTherefore, add the check if iocg was already offlined to avoid warn\nwhen removing a blkcg or disk.(CVE-2024-36908)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblock: fix overflow in blk_ioctl_discard()\r\n\r\nThere is no check for overflow of 'start + len' in blk_ioctl_discard().\nHung task occurs if submit an discard ioctl with the following param:\n  start = 0x80000000000ff000, len = 0x8000000000fff000;\nAdd the overflow validation now.(CVE-2024-36917)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: lpfc: Release hbalock before calling lpfc_worker_wake_up()\r\n\r\nlpfc_worker_wake_up() calls the lpfc_work_done() routine, which takes the\nhbalock.  Thus, lpfc_worker_wake_up() should not be called while holding the\nhbalock to avoid potential deadlock.(CVE-2024-36924)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/qeth: Fix kernel panic after setting hsuid\r\n\r\nSymptom:\nWhen the hsuid attribute is set for the first time on an IQD Layer3\ndevice while the corresponding network interface is already UP,\nthe kernel will try to execute a napi function pointer that is NULL.\r\n\r\nExample:\n---------------------------------------------------------------------------\n[ 2057.572696] illegal operation: 0001 ilc:1 [#1] SMP\n[ 2057.572702] Modules linked in: af_iucv qeth_l3 zfcp scsi_transport_fc sunrpc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6\nnft_reject nft_ct nf_tables_set nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink ghash_s390 prng xts aes_s390 des_s390 de\ns_generic sha3_512_s390 sha3_256_s390 sha512_s390 vfio_ccw vfio_mdev mdev vfio_iommu_type1 eadm_sch vfio ext4 mbcache jbd2 qeth_l2 bridge stp llc dasd_eckd_mod qeth dasd_mod\n qdio ccwgroup pkey zcrypt\n[ 2057.572739] CPU: 6 PID: 60182 Comm: stress_client Kdump: loaded Not tainted 4.18.0-541.el8.s390x #1\n[ 2057.572742] Hardware name: IBM 3931 A01 704 (LPAR)\n[ 2057.572744] Krnl PSW : 0704f00180000000 0000000000000002 (0x2)\n[ 2057.572748]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3\n[ 2057.572751] Krnl GPRS: 0000000000000004 0000000000000000 00000000a3b008d8 0000000000000000\n[ 2057.572754]            00000000a3b008d8 cb923a29c779abc5 0000000000000000 00000000814cfd80\n[ 2057.572756]            000000000000012c 0000000000000000 00000000a3b008d8 00000000a3b008d8\n[ 2057.572758]            00000000bab6d500 00000000814cfd80 0000000091317e46 00000000814cfc68\n[ 2057.572762] Krnl Code:#0000000000000000: 0000                illegal\n                         >0000000000000002: 0000                illegal\n                          0000000000000004: 0000                illegal\n                          0000000000000006: 0000                illegal\n                          0000000000000008: 0000                illegal\n                          000000000000000a: 0000                illegal\n                          000000000000000c: 0000                illegal\n                          000000000000000e: 0000                illegal\n[ 2057.572800] Call Trace:\n[ 2057.572801] ([<00000000ec639700>] 0xec639700)\n[ 2057.572803]  [<00000000913183e2>] net_rx_action+0x2ba/0x398\n[ 2057.572809]  [<0000000091515f76>] __do_softirq+0x11e/0x3a0\n[ 2057.572813]  [<0000000090ce160c>] do_softirq_own_stack+0x3c/0x58\n[ 2057.572817] ([<0000000090d2cbd6>] do_softirq.part.1+0x56/0x60)\n[ 2057.572822]  [<0000000090d2cc60>] __local_bh_enable_ip+0x80/0x98\n[ 2057.572825]  [<0000000091314706>] __dev_queue_xmit+0x2be/0xd70\n[ 2057.572827]  [<000003ff803dd6d6>] afiucv_hs_send+0x24e/0x300 [af_iucv]\n[ 2057.572830]  [<000003ff803dd88a>] iucv_send_ctrl+0x102/0x138 [af_iucv]\n[ 2057.572833]  [<000003ff803de72a>] iucv_sock_connect+0x37a/0x468 [af_iucv]\n[ 2057.572835]  [<00000000912e7e90>] __sys_connect+0xa0/0xd8\n[ 2057.572839]  [<00000000912e9580>] sys_socketcall+0x228/0x348\n[ 2057.572841]  [<0000000091514e1a>] system_call+0x2a6/0x2c8\n[ 2057.572843] Last Breaking-Event-Address:\n[ 2057.572844]  [<0000000091317e44>] __napi_poll+0x4c/0x1d8\n[ 2057.572846]\n[ 2057.572847] Kernel panic - not syncing: Fatal exception in interrupt\n-------------------------------------------------------------------------------------------\r\n\r\nAnalysis:\nThere is one napi structure per out_q: card->qdio.out_qs[i].napi\nThe napi.poll functions are set during qeth_open().\r\n\r\nSince\ncommit 1cfef80d4c2b (\"s390/qeth: Don't call dev_close/dev_open (DOWN/UP)\")\nqeth_set_offline()/qeth_set_online() no longer call dev_close()/\ndev_open(). So if qeth_free_qdio_queues() cleared\ncard->qdio.out_qs[i].napi.poll while the network interface was UP and the\ncard was offline, they are not set again.\r\n\r\nReproduction:\nchzdev -e $devno layer2=0\nip link set dev $network_interface up\necho 0 > /sys/bus/ccw\n---truncated---(CVE-2024-36928)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: core: reject skb_copy(_expand) for fraglist GSO skbs\r\n\r\nSKB_GSO_FRAGLIST skbs must not be linearized, otherwise they become\ninvalid. Return NULL if such an skb is passed to skb_copy or\nskb_copy_expand, in order to prevent a crash on a potential later\ncall to skb_gso_segment.(CVE-2024-36929)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\namd/amdkfd: sync all devices to wait all processes being evicted\r\n\r\nIf there are more than one device doing reset in parallel, the first\ndevice will call kfd_suspend_all_processes() to evict all processes\non all devices, this call takes time to finish. other device will\nstart reset and recover without waiting. if the process has not been\nevicted before doing recover, it will be restored, then caused page\nfault.(CVE-2024-36949)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntipc: fix a possible memleak in tipc_buf_append\r\n\r\n__skb_linearize() doesn't free the skb when it fails, so move\n'*buf = NULL' after __skb_linearize(), so that the skb can be\nfreed on the err path.(CVE-2024-36954)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nocteontx2-af: avoid off-by-one read from userspace\r\n\r\nWe try to access count + 1 byte from userspace with memdup_user(buffer,\ncount + 1). However, the userspace only provides buffer of count bytes and\nonly these count bytes are verified to be okay to access. To ensure the\ncopied buffer is NUL terminated, we use memdup_user_nul instead.(CVE-2024-36957)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/9p: only translate RWX permissions for plain 9P2000\r\n\r\nGarbage in plain 9P2000's perm bits is allowed through, which causes it\nto be able to set (among others) the suid bit. This was presumably not\nthe intent since the unix extended bits are handled explicitly and\nconditionally on .u.(CVE-2024-36964)",
+    "cves": [
+      {
+        "id": "CVE-2024-36917",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36917",
+        "severity": "Medium"
+      },
+      {
+        "id": "CVE-2024-36964",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36964",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1583": {
+    "id": "openEuler-SA-2023-1583",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1583",
+    "title": "An update for busybox is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. It provides a fairly complete environment for any small or embedded system.\r\n\r\nSecurity Fix(es):\r\n\r\nThere is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.(CVE-2022-48174)",
+    "cves": [
+      {
+        "id": "CVE-2022-48174",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48174",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1355": {
+    "id": "openEuler-SA-2023-1355",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1355",
+    "title": "An update for openssl is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\n\nSecurity Fix(es):\n\nIssue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\n\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\n\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit.  OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\n\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime.  The time complexity is O(n^2) with 'n' being the size of the\nsub-identifiers in bytes (*).\n\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\nidentifiers in string form was introduced.  This includes using OBJECT\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\nalgorithms.\n\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\ndecrypt, or digest passed data.\n\nApplications that call OBJ_obj2txt() directly with untrusted data are\naffected, with any version of OpenSSL.  If the use is for the mere purpose\nof display, the severity is considered low.\n\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\nCMS, CMP/CRMF or TS.  It also impacts anything that processes X.509\ncertificates, including simple things like verifying its signature.\n\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\n100KiB limit on the peer's certificate chain.  Additionally, this only\nimpacts clients, or servers that have explicitly enabled client\nauthentication.\n\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\nsuch as X.509 certificates.  This is assumed to not happen in such a way\nthat it would cause a Denial of Service, so these versions are considered\nnot affected by this issue in such a way that it would be cause for concern,\nand the severity is therefore considered low.(CVE-2023-2650)",
+    "cves": [
+      {
+        "id": "CVE-2023-2650",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2650",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1288": {
+    "id": "openEuler-SA-2021-1288",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1288",
+    "title": "An update for optipng is now available for openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nOff-by-one error in the bmp_rle4_fread function in pngxrbmp.c in OptiPNG before 0.7.6 allows remote attackers to cause a denial of service (out-of-bounds read or write access and crash) or possibly execute arbitrary code via a crafted image file, which triggers a heap-based buffer overflow.(CVE-2016-3982)\r\n\r\nHeap-based buffer overflow in the bmp_read_rows function in pngxrbmp.c in OptiPNG before 0.7.6 allows remote attackers to cause a denial of service (out-of-bounds read or write access and crash) or possibly execute arbitrary code via a crafted image file.(CVE-2016-3981)",
+    "cves": [
+      {
+        "id": "CVE-2016-3981",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3981",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2056": {
+    "id": "openEuler-SA-2022-2056",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2056",
+    "title": "An update for three-eight-nine-ds-base is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "389-ds-base is an LDAPv3 compliant server which includes the LDAP server and command line utilities for server administration.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database.(CVE-2020-35518)",
+    "cves": [
+      {
+        "id": "CVE-2020-35518",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35518",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2081": {
+    "id": "openEuler-SA-2022-2081",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2081",
+    "title": "An update for libxml2 is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "This library allows to manipulate XML files. It includes support to read, modify and write XML and HTML files. There is DTDs support this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified. The output can be a simple SAX stream or and in-memory DOM like representations. In this case one can use the built-in XPath and XPointer implementation to select sub nodes or ranges. A flexible Input/Output mechanism is available, with existing HTTP and FTP modules and combined to an URI library.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in libxml2. Parsing a XML document with the XML_PARSE_HUGE option enabled can result in an integer overflow because safety checks were missing in some functions. Also, the xmlParseEntityValue function didn't have any length limitation.(CVE-2022-40303)\r\n\r\nA flaw was found in libxml2. When a reference cycle is detected in the XML entity cleanup function the XML entity data can be stored in a dictionary. In this case, the dictionary becomes corrupted resulting in logic errors, including memory errors like double free.(CVE-2022-40304)",
+    "cves": [
+      {
+        "id": "CVE-2022-40304",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40304",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1728": {
+    "id": "openEuler-SA-2023-1728",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1728",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel before 5.8.6. drivers/media/cec/core/cec-api.c leaks one byte of kernel memory on specific hardware to unprivileged users, because of directly assigning log_addrs with a hole in the struct.(CVE-2020-36766)\r\n\r\nAn array indexing vulnerability was found in the netfilter subsystem of the Linux kernel. A missing macro could lead to a miscalculation of the `h->nets` array offset, providing attackers with the primitive to arbitrarily increment/decrement a memory buffer out-of-bound. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.(CVE-2023-42753)",
+    "cves": [
+      {
+        "id": "CVE-2023-42753",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42753",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1601": {
+    "id": "openEuler-SA-2023-1601",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1601",
+    "title": "An update for openjdk-latest is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.3.1; Oracle GraalVM Enterprise Edition: 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21549)\r\n\r\nAn issue was discovered in function ciMethodBlocks::make_block_at in Oracle JDK (HotSpot VM) 11, 17 and OpenJDK (HotSpot VM) 8, 11, 17, allows attackers to cause a denial of service.(CVE-2022-40433)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization).  Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf; Oracle GraalVM Enterprise Edition: 20.3.8 and  21.3.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21830)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via DTLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-21835)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Sound).  Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21843)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2023-21930)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21937)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21938)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21939)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2023-21954)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21967)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21968)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).(CVE-2023-22006)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.1 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2023-22041)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2023-22045)",
+    "cves": [
+      {
+        "id": "CVE-2023-22045",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22045",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1463": {
+    "id": "openEuler-SA-2021-1463",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1463",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Vim is a highly configurable text editor for efficiently creating and changing any kind of text.\r\n\r\nSecurity Fix(es):\r\n\r\nvim is vulnerable to Heap-based Buffer Overflow.(CVE-2021-4019)\r\n\r\nvim is vulnerable to Use After Free.(CVE-2021-4069)",
+    "cves": [
+      {
+        "id": "CVE-2021-4069",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4069",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1138": {
+    "id": "openEuler-SA-2021-1138",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1138",
+    "title": "An update for hibernate-validator is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "This is the reference implementation of JSR-349 - Bean Validation 1.1. Bean Validation defines a meta-data model and API for JavaBean as well as method validation. The default meta-data source are annotations, with the ability to override and extend the meta-data through the use of XML validation descriptors.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.(CVE-2020-10693)",
+    "cves": [
+      {
+        "id": "CVE-2020-10693",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10693",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1423": {
+    "id": "openEuler-SA-2021-1423",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1423",
+    "title": "An update for netty is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. %package    help Summary:          Documents for  Buildarch:        noarch Requires:         man info Provides:         -javadoc = - Obsoletes:        -javadoc < - %description help Man pages and other related documents for .\r\n\r\nSecurity Fix(es):\r\n\r\nThe Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.(CVE-2021-37137)\r\n\r\nThe Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack(CVE-2021-37136)",
+    "cves": [
+      {
+        "id": "CVE-2021-37136",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37136",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1165": {
+    "id": "openEuler-SA-2024-1165",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1165",
+    "title": "An update for python-django is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.(CVE-2024-24680)",
+    "cves": [
+      {
+        "id": "CVE-2024-24680",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24680",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1311": {
+    "id": "openEuler-SA-2021-1311",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1311",
+    "title": "An update for mysql is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld) and many different client programs and libraries. The base package contains the standard MySQL client programs and generic MySQL files.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Memcached). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).(CVE-2021-2340)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.9 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H).(CVE-2021-2356)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2339)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Federated). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2354)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2352)\r\n\r\nVulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).(CVE-2021-2357)",
+    "cves": [
+      {
+        "id": "CVE-2021-2357",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-2357",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1436": {
+    "id": "openEuler-SA-2021-1436",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1436",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "Vim is a highly configurable text editor for efficiently creating and changing any kind of text.\r\n\r\nSecurity Fix(es):\r\n\r\nvim is vulnerable to Stack-based Buffer Overflow(CVE-2021-3928)\r\n\r\nvim is vulnerable to Heap-based Buffer Overflow(CVE-2021-3927)",
+    "cves": [
+      {
+        "id": "CVE-2021-3927",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3927",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1763": {
+    "id": "openEuler-SA-2024-1763",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1763",
+    "title": "An update for rubygem-activesupport is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.\r\n\r\nSecurity Fix(es):\r\n\r\nAction Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.(CVE-2022-23633)",
+    "cves": [
+      {
+        "id": "CVE-2022-23633",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23633",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1779": {
+    "id": "openEuler-SA-2022-1779",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1779",
+    "title": "An update for linux-firmware is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "This package contains firmware images required by some devices.\r\n\r\nSecurity Fix(es):\r\n\r\nImproper buffer restriction in some Intel(R) Wireless Bluetooth(R) products before version 21.110 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.(CVE-2020-12321)",
+    "cves": [
+      {
+        "id": "CVE-2020-12321",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12321",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1417": {
+    "id": "openEuler-SA-2024-1417",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1417",
+    "title": "An update for docker is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Docker is an open source project to build, ship and run any application as a lightweight container.\r\n\r\nSecurity Fix(es):\r\n\r\nMoby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be defined. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters and thus behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_. The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and other API clients may specify the `internal` parameter as well.\r\n\r\nWhen containers with networking are created, they are assigned unique network interfaces and IP addresses. The host serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from container IPs.\r\n\r\nContainers on an internal network may communicate between each other, but are precluded from communicating with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus appropriately configured host services) is possible, and the host may communicate with any container IP directly.\r\n\r\nIn addition to configuring the Linux kernel's various networking features to enable container networking, `dockerd` directly provides some services to container networks. Principal among these is serving as a resolver, enabling service discovery, and resolution of names from an upstream resolver.\r\n\r\nWhen a DNS request for a name that does not correspond to a container is received, the request is forwarded to the configured upstream resolver. This request is made from the container's network namespace: the level of access and routing of traffic is the same as if the request was made by the container itself.\r\n\r\nAs a consequence of this design, containers solely attached to an internal network will be unable to resolve names using the upstream resolver, as the container itself is unable to communicate with that nameserver. Only the names of containers also attached to the internal network are able to be resolved.\r\n\r\nMany systems run a local forwarding DNS resolver. As the host and any containers have separate loopback devices, a consequence of the design described above is that containers are unable to resolve names from the host's configured resolver, as they cannot reach these addresses on the host loopback device. To bridge this gap, and to allow containers to properly resolve names even when a local forwarding resolver is used on a loopback address, `dockerd` detects this scenario and instead forward DNS requests from the host namework namespace. The loopback resolver then forwards the requests to its configured upstream resolvers, as expected.\r\n\r\nBecause `dockerd` forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics entirely, internal networks can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers.\r\n\r\nDocker Desktop is not affected, as Docker Desktop always runs an internal resolver on a RFC 1918 address.\r\n\r\nMoby releases 26.0.0, 25.0.4, and 23.0.11 are patched to prevent forwarding any DNS requests from internal networks. As a workaround, run containers intended to be solely attached to internal networks with a custom upstream address, which will force all upstream DNS queries to be resolved from the container's network namespace.(CVE-2024-29018)",
+    "cves": [
+      {
+        "id": "CVE-2024-29018",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29018",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1779": {
+    "id": "openEuler-SA-2024-1779",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1779",
+    "title": "An update for rubygem-actionpack is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Eases web-request routing, handling, and response as a half-way front, half-way page controller. Implemented with specific emphasis on enabling easy unit/integration testing that doesn't require a browser.\r\n\r\nSecurity Fix(es):\r\n\r\nAction Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.(CVE-2022-23633)",
+    "cves": [
+      {
+        "id": "CVE-2022-23633",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23633",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1719": {
+    "id": "openEuler-SA-2023-1719",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1719",
+    "title": "An update for freerdp is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Low",
+    "description": "FreeRDP is a client implementation of the Remote Desktop Protocol (RDP) that follows Microsoft's open specifications. This package provides the client applications xfreerdp and wlfreerdp.\r\n\r\nSecurity Fix(es):\r\n\r\nIn FreeRDP less than or equal to 2.1.2, an integer overflow exists due to missing input sanitation in rdpegfx channel. All FreeRDP clients are affected. The input rectangles from the server are not checked against local surface coordinates and blindly accepted. A malicious server can send data that will crash the client later on (invalid length arguments to a `memcpy`) This has been fixed in 2.2.0. As a workaround, stop using command line arguments /gfx, /gfx-h264 and /network:auto(CVE-2020-15103)",
+    "cves": [
+      {
+        "id": "CVE-2020-15103",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15103",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1361": {
+    "id": "openEuler-SA-2023-1361",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1361",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel before 6.2. The ntfs3 subsystem does not properly check for correctness during disk reads, leading to an out-of-bounds read in ntfs_set_ea in fs/ntfs3/xattr.c.(CVE-2022-48502)",
+    "cves": [
+      {
+        "id": "CVE-2022-48502",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48502",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1258": {
+    "id": "openEuler-SA-2021-1258",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1258",
+    "title": "An update for rubygem-bundler is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Bundler manages an application's dependencies through its entire life, across many machines, systematically and repeatably.\r\n\r\nSecurity Fix(es):\r\n\r\nBundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every Dependency Confusion issue in every product.(CVE-2020-36327)",
+    "cves": [
+      {
+        "id": "CVE-2020-36327",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36327",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2152": {
+    "id": "openEuler-SA-2022-2152",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2152",
+    "title": "An update for openjdk-11 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The OpenJDK runtime environment.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21626)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21624)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21619)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS). Supported versions that are affected are Oracle Java SE: 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21618)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21628)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-39399)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2022-21271)",
+    "cves": [
+      {
+        "id": "CVE-2022-21271",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21271",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1723": {
+    "id": "openEuler-SA-2022-1723",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1723",
+    "title": "An update for giflib is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "giflib is a library of gif images and provides utilities for processing images.\r\n\r\nSecurity Fix(es):\r\n\r\nThere is a heap-buffer-overflow in GIFLIB 5.2.1 function DumpScreen2RGB() in gif2rgb.c:298:45.(CVE-2022-28506)",
+    "cves": [
+      {
+        "id": "CVE-2022-28506",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28506",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2040": {
+    "id": "openEuler-SA-2022-2040",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2040",
+    "title": "An update for curl is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "CURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in curl. The issue occurs when doing HTTP(S) transfers, where curl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set if it previously used the same handle to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request.(CVE-2022-32221)",
+    "cves": [
+      {
+        "id": "CVE-2022-32221",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32221",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1311": {
+    "id": "openEuler-SA-2024-1311",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1311",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.(CVE-2023-3019)\r\n\r\nA flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached before vnc_server_cut_text_caps() was called and had the chance to initialize the clipboard peer, leading to a NULL pointer dereference. This could allow a malicious authenticated VNC client to crash QEMU and trigger a denial of service.(CVE-2023-6683)\r\n\r\nA stack based buffer overflow was found in the virtio-net device of QEMU. This issue occurs when flushing TX in the virtio_net_flush_tx function if guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1 and VIRTIO_NET_F_MRG_RXBUF are enabled. This could allow a malicious user to overwrite local variables allocated on the stack. Specifically, the `out_sg` variable could be used to read a part of process memory and send it to the wire, causing an information leak.(CVE-2023-6693)",
+    "cves": [
+      {
+        "id": "CVE-2023-6693",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6693",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1242": {
+    "id": "openEuler-SA-2021-1242",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1242",
+    "title": "An update for binutils is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The GNU Binutils are a collection of binary tools.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out of bounds flaw was found in GNU binutils objdump utility version 2.36. An attacker could use this flaw and pass a large section to avr_elf32_load_records_from_section() probably resulting in a crash or in some cases memory corruption. The highest threat from this vulnerability is to integrity as well as system availability.(CVE-2021-3549)",
+    "cves": [
+      {
+        "id": "CVE-2021-3549",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3549",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1848": {
+    "id": "openEuler-SA-2023-1848",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1848",
+    "title": "An update for openjdk-11 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf, 11.0.20, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 20.3.11, 21.3.7 and  22.3.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-22081)",
+    "cves": [
+      {
+        "id": "CVE-2023-22081",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22081",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1823": {
+    "id": "openEuler-SA-2024-1823",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1823",
+    "title": "An update for rubygem-rack is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "Rack provides a minimal, modular, and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers,  web frameworks, and software in between (the so-called middleware) into  a single method call.\r\n\r\nSecurity Fix(es):\r\n\r\nA denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.(CVE-2022-44572)\r\n\r\nRack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.(CVE-2024-26141)",
+    "cves": [
+      {
+        "id": "CVE-2024-26141",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26141",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1856": {
+    "id": "openEuler-SA-2024-1856",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1856",
+    "title": "An update for httpd is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\r\n\r\nSecurity Fix(es):\r\n\r\nSubstitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in\ndirectories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI.\r\n\r\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue.\r\n\r\nSome RewriteRules that capture and substitute unsafely will now fail unless rewrite flag \"UnsafeAllow3F\" is specified.(CVE-2024-38474)\r\n\r\nnull pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request.\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue.(CVE-2024-38477)",
+    "cves": [
+      {
+        "id": "CVE-2024-38477",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38477",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1838": {
+    "id": "openEuler-SA-2022-1838",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1838",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn rcu_cblist_dequeue of rcu_segcblist.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-222091980References: Upstream kernel(CVE-2022-20153)",
+    "cves": [
+      {
+        "id": "CVE-2022-20153",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20153",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1977": {
+    "id": "openEuler-SA-2022-1977",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1977",
+    "title": "An update for bcel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Byte Code Engineering Library (formerly known as JavaClass) is intended to give users a convenient possibility to analyze, create, and manipulate (binary) Java class files (those ending with .class).\r\n\r\nSecurity Fix(es):\r\n\r\nThe Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.(CVE-2022-34169)",
+    "cves": [
+      {
+        "id": "CVE-2022-34169",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34169",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1057": {
+    "id": "openEuler-SA-2024-1057",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1057",
+    "title": "An update for espeak-ng is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The eSpeak NG is a compact open source software text-to-speech synthesizer for Linux, Windows, Android and other operating systems. It supports 70 languages and accents. It is based on the eSpeak engine created by Jonathan Duddington.\r\n\r\nSecurity Fix(es):\r\n\r\nEspeak-ng 1.52-dev was discovered to contain a buffer-overflow via the function SetUpPhonemeTable at synthdata.c.(CVE-2023-49990)\r\n\r\nEspeak-ng 1.52-dev was discovered to contain a Stack Buffer Underflow via the function CountVowelPosition at synthdata.c.(CVE-2023-49991)\r\n\r\nEspeak-ng 1.52-dev was discovered to contain a Stack Buffer Overflow via the function RemoveEnding at dictionary.c.(CVE-2023-49992)\r\n\r\nEspeak-ng 1.52-dev was discovered to contain a Buffer Overflow via the function ReadClause at readclause.c.(CVE-2023-49993)\r\n\r\nEspeak-ng 1.52-dev was discovered to contain a Floating Point Exception via the function PeaksToHarmspect at wavegen.c.(CVE-2023-49994)",
+    "cves": [
+      {
+        "id": "CVE-2023-49994",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49994",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1518": {
+    "id": "openEuler-SA-2024-1518",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1518",
+    "title": "An update for perl-Mojolicious is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "Back in the early days of the web there was this wonderful Perl library called CGI, many people only learned Perl because of it. It was simple enough to get started without knowing much about the language and powerful enough to keep you going, learning by doing was much fun. While most of the techniques used are outdated now, the idea behind it is not. Mojolicious is a new attempt at implementing this idea using state of the art technology.\r\n\r\nSecurity Fix(es):\r\n\r\nThe Mojolicious module before 8.65 for Perl is vulnerable to secure_compare timing attacks that allow an attacker to guess the length of a secret string. Only versions after 1.74 are affected.(CVE-2020-36829)\r\n\r\nThe Mojolicious module before 9.11 for Perl has a bug in format detection that can potentially be exploited for denial of service.(CVE-2021-47208)",
+    "cves": [
+      {
+        "id": "CVE-2021-47208",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47208",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1443": {
+    "id": "openEuler-SA-2024-1443",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1443",
+    "title": "An update for libgsasl is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The library includes support for the SASL framework and at least partial support for the CRAM-MD5, EXTERNAL, GSSAPI, ANONYMOUS, PLAIN, SECURID, DIGEST-MD5, LOGIN, and NTLM mechanisms.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU SASL libgsasl server-side read-out-of-bounds with malicious authenticated GSS-API client(CVE-2022-2469)",
+    "cves": [
+      {
+        "id": "CVE-2022-2469",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2469",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1060": {
+    "id": "openEuler-SA-2024-1060",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1060",
+    "title": "An update for libssh is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote programs. With its Secure FTP implementation, you can play with remote files easily, without third-party programs others than libcrypto (from openssl).\r\n\r\nSecurity Fix(es):\r\n\r\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795)",
+    "cves": [
+      {
+        "id": "CVE-2023-48795",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48795",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1623": {
+    "id": "openEuler-SA-2023-1623",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1623",
+    "title": "An update for php is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server.\r\n\r\nSecurity Fix(es):\r\n\r\nIn PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, 8.2.* before 8.2.7 when using SOAP HTTP Digest Authentication, random value generator was not checked for failure, and was using narrower range of values than it should have. In case of random generator failure, it could lead to a disclosure of 31 bits of uninitialized memory from the client to the server, and it also made easier to a malicious server to guess the client's nonce. \r\n\r\n(CVE-2023-3247)\r\n\r\nIn PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down. \r\n\r\n(CVE-2023-3823)\r\n\r\nIn PHP version 8.0.* before 8.0.30,  8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE. \r\n\r\n(CVE-2023-3824)",
+    "cves": [
+      {
+        "id": "CVE-2023-3824",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3824",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1132": {
+    "id": "openEuler-SA-2021-1132",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1132",
+    "title": "An update for wireshark is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Wireshark is an open source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer.  Wireshark, formerly known as Ethereal, can be used to examine the details of traffic at a variety of levels ranging from connection-level information to the bits that make up a single packet. Packet capture can provide a network administrator with information about individual packets such as transmit time, source, destination, protocol type and header data. This information can be useful for evaluating security events and troubleshooting network security device issues.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the LTE RRC dissector could leak memory. This was addressed in epan/dissectors/packet-lte-rrc.c by adjusting certain append operations.(CVE-2020-9431)\r\n\r\nIn Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the EAP dissector could crash. This was addressed in epan/dissectors/packet-eap.c by using more careful sscanf parsing.(CVE-2020-9428)\r\n\r\nIn Wireshark 3.0.0 to 3.0.6 and 2.6.0 to 2.6.12, the CMS dissector could crash. This was addressed in epan/dissectors/asn1/cms/packet-cms-template.c by ensuring that an object identifier is set to NULL after a ContentInfo dissection.(CVE-2019-19553)\r\n\r\nIn Wireshark 3.0.0 to 3.0.2, 2.6.0 to 2.6.9, and 2.4.0 to 2.4.15, the ASN.1 BER dissector and related dissectors could crash. This was addressed in epan/asn1.c by properly restricting buffer increments.(CVE-2019-13619)",
+    "cves": [
+      {
+        "id": "CVE-2019-13619",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13619",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1801": {
+    "id": "openEuler-SA-2023-1801",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1801",
+    "title": "An update for shim is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Initial UEFI bootloader that handles chaining to a trusted full \\ bootloader under secure boot environments.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability classified as critical has been found in rhboot shim up to 15.7 on ARM. This affects the function mirror_one_esl of the file mok.c of the component mok. Applying the patch 66e6579dbf921152f647a0c16da1d3b2f40861ca is able to eliminate this problem. The bugfix is ready for download at github.com.(CVE-2023-40546)",
+    "cves": [
+      {
+        "id": "CVE-2023-40546",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40546",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1376": {
+    "id": "openEuler-SA-2021-1376",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1376",
+    "title": "An update for libEMF is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "libEMF is designed to be used as a driver for other programs such as Grace and gunplot to generate Enhanced Metafiles on systems which don't natively support the ECMA-234 Graphics Device Interface (GDI). It implements a limited subset of GDI.\r\n\r\nSecurity Fix(es):\r\n\r\nScaleViewPortExtEx in libemf.cpp in libEMF (aka ECMA-234 Metafile Library) 1.0.12 allows an integer overflow and denial of service via a crafted EMF file.(CVE-2020-13999)\r\n\r\nlibEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows denial of service (issue 1 of 2).(CVE-2020-11863)\r\n\r\nlibEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows out-of-bounds memory access.(CVE-2020-11865)\r\n\r\nlibEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows a use-after-free.(CVE-2020-11866)\r\n\r\nlibEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows denial of service (issue 2 of 2).(CVE-2020-11864)",
+    "cves": [
+      {
+        "id": "CVE-2020-11864",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11864",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1341": {
+    "id": "openEuler-SA-2021-1341",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1341",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Routing decision classifier in the Linux kernel s Traffic Control networking subsystem in the way it handled changing of classification filters, leading to a use-after-free condition. This flaw allows unprivileged local users to escalate their privileges on the system. The highest threat from this vulnerability is confidentiality, integrity, as well as system availability.(CVE-2021-3715)",
+    "cves": [
+      {
+        "id": "CVE-2021-3715",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3715",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1244": {
+    "id": "openEuler-SA-2023-1244",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1244",
+    "title": "An update for tcpdump is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Tcpdump is a command-line tool for monitoring network traffic. Tcpdump can capture and display the packet headers on a particular network interface or on all interfaces.  Tcpdump can display all of the packet headers, or just the ones that match particular criteria.\r\n\r\nSecurity Fix(es):\r\n\r\nThe SMB protocol decoder in tcpdump version 4.99.3 can perform an out-of-bounds write when decoding a crafted network packet.(CVE-2023-1801)",
+    "cves": [
+      {
+        "id": "CVE-2023-1801",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1801",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1050": {
+    "id": "openEuler-SA-2023-1050",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1050",
+    "title": "An update for batik is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Batik is an inline templating engine for CoffeeScript, inspired by CoffeeKup,  that lets you write your template directly as a CoffeeScript function.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.(CVE-2022-41704)\r\n\r\nA vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.(CVE-2022-42890)",
+    "cves": [
+      {
+        "id": "CVE-2022-42890",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42890",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1405": {
+    "id": "openEuler-SA-2024-1405",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1405",
+    "title": "An update for mozjs78 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "SpiderMonkey is the code-name for Mozilla Firefox's C++ implementation of JavaScript. It is intended to be embedded in other applications that provide host environments for JavaScript.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen copying a network request from the developer tools panel as a curl command the output was not being properly sanitized and could allow arbitrary commands to be hidden within. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.(CVE-2023-23599)\r\n\r\nNavigations were being allowed when dragging a URL from a cross-origin iframe into the same tab which could lead to website spoofing attacks. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.(CVE-2023-23601)",
+    "cves": [
+      {
+        "id": "CVE-2023-23601",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23601",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1532": {
+    "id": "openEuler-SA-2022-1532",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1532",
+    "title": "An update for cryptsetup is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "cryptsetup is a utility used to conveniently set up disk encryption based on the DMCrypt kernel module.\r\n\r\nSecurity Fix(es):\r\n\r\nIt was found that a specially crafted LUKS header could trick cryptsetup into disabling encryption during the recovery of the device. An attacker with physical access to the medium, such as a flash disk, could use this flaw to force a user into permanently disabling the encryption layer of that medium.(CVE-2021-4122)",
+    "cves": [
+      {
+        "id": "CVE-2021-4122",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4122",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1184": {
+    "id": "openEuler-SA-2021-1184",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1184",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nencoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.(CVE-2021-27918)",
+    "cves": [
+      {
+        "id": "CVE-2021-27918",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27918",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2010": {
+    "id": "openEuler-SA-2022-2010",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2010",
+    "title": "An update for protobuf is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nA parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.(CVE-2022-1941)\r\n\r\nA parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.(CVE-2022-3171)",
+    "cves": [
+      {
+        "id": "CVE-2022-3171",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3171",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1612": {
+    "id": "openEuler-SA-2022-1612",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1612",
+    "title": "An update for openvpn is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "OpenVPN can be extended through the --plugin option, which provides possibilities to add specialized authentication, user accounting, packet filtering and related features. These plug-ins need to be written in C and provides a more low-level and information rich access to similar features as the various script-hooks.\r\n\r\nSecurity Fix(es):\r\n\r\nOpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.(CVE-2022-0547)",
+    "cves": [
+      {
+        "id": "CVE-2022-0547",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0547",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1052": {
+    "id": "openEuler-SA-2021-1052",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1052",
+    "title": "An update for jetty is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Jetty is a 100% Java HTTP Server and Servlet Container. This means that you do not need to configure and run a separate web server (like Apache) in order to use Java, servlets and JSPs to generate dynamic content. Jetty is a fully featured web server for static and dynamic content. Unlike separate server/container solutions, this means that your web server and web application run in the same process, without interconnection overheads and complications. Furthermore, as a pure java component, Jetty can be simply included in your application for demonstration, distribution or deployment. Jetty is available on all Java supported platforms.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.(CVE-2020-27216)",
+    "cves": [
+      {
+        "id": "CVE-2020-27216",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27216",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1794": {
+    "id": "openEuler-SA-2024-1794",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1794",
+    "title": "An update for kernel is now available for openEuler-24.03-LTS",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nclk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change\r\n\r\nWhile PLL CPUX clock rate change when CPU is running from it works in\nvast majority of cases, now and then it causes instability. This leads\nto system crashes and other undefined behaviour. After a lot of testing\n(30+ hours) while also doing a lot of frequency switches, we can't\nobserve any instability issues anymore when doing reparenting to stable\nclock like 24 MHz oscillator.(CVE-2023-52882)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: gadget: uvc: use correct buffer size when parsing configfs lists\r\n\r\nThis commit fixes uvc gadget support on 32-bit platforms.\r\n\r\nCommit 0df28607c5cb (\"usb: gadget: uvc: Generalise helper functions for\nreuse\") introduced a helper function __uvcg_iter_item_entries() to aid\nwith parsing lists of items on configfs attributes stores. This function\nis a generalization of another very similar function, which used a\nstack-allocated temporary buffer of fixed size for each item in the list\nand used the sizeof() operator to check for potential buffer overruns.\nThe new function was changed to allocate the now variably sized temp\nbuffer on heap, but wasn't properly updated to also check for max buffer\nsize using the computed size instead of sizeof() operator.\r\n\r\nAs a result, the maximum item size was 7 (plus null terminator) on\n64-bit platforms, and 3 on 32-bit ones. While 7 is accidentally just\nbarely enough, 3 is definitely too small for some of UVC configfs\nattributes. For example, dwFrameInteval, specified in 100ns units,\nusually has 6-digit item values, e.g. 166666 for 60fps.(CVE-2024-36895)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfirewire: ohci: mask bus reset interrupts between ISR and bottom half\r\n\r\nIn the FireWire OHCI interrupt handler, if a bus reset interrupt has\noccurred, mask bus reset interrupts until bus_reset_work has serviced and\ncleared the interrupt.\r\n\r\nNormally, we always leave bus reset interrupts masked. We infer the bus\nreset from the self-ID interrupt that happens shortly thereafter. A\nscenario where we unmask bus reset interrupts was introduced in 2008 in\na007bb857e0b26f5d8b73c2ff90782d9c0972620: If\nOHCI_PARAM_DEBUG_BUSRESETS (8) is set in the debug parameter bitmask, we\nwill unmask bus reset interrupts so we can log them.\r\n\r\nirq_handler logs the bus reset interrupt. However, we can't clear the bus\nreset event flag in irq_handler, because we won't service the event until\nlater. irq_handler exits with the event flag still set. If the\ncorresponding interrupt is still unmasked, the first bus reset will\nusually freeze the system due to irq_handler being called again each\ntime it exits. This freeze can be reproduced by loading firewire_ohci\nwith \"modprobe firewire_ohci debug=-1\" (to enable all debugging output).\nApparently there are also some cases where bus_reset_work will get called\nsoon enough to clear the event, and operation will continue normally.\r\n\r\nThis freeze was first reported a few months after a007bb85 was committed,\nbut until now it was never fixed. The debug level could safely be set\nto -1 through sysfs after the module was loaded, but this would be\nineffectual in logging bus reset interrupts since they were only\nunmasked during initialization.\r\n\r\nirq_handler will now leave the event flag set but mask bus reset\ninterrupts, so irq_handler won't be called again and there will be no\nfreeze. If OHCI_PARAM_DEBUG_BUSRESETS is enabled, bus_reset_work will\nunmask the interrupt after servicing the event, so future interrupts\nwill be caught as desired.\r\n\r\nAs a side effect to this change, OHCI_PARAM_DEBUG_BUSRESETS can now be\nenabled through sysfs in addition to during initial module loading.\nHowever, when enabled through sysfs, logging of bus reset interrupts will\nbe effective only starting with the second bus reset, after\nbus_reset_work has executed.(CVE-2024-36950)",
+    "cves": [
+      {
+        "id": "CVE-2024-36950",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36950",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1297": {
+    "id": "openEuler-SA-2024-1297",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1297",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: pvrusb2: fix use after free on context disconnection\r\n\r\nUpon module load, a kthread is created targeting the\npvr2_context_thread_func function, which may call pvr2_context_destroy\nand thus call kfree() on the context object. However, that might happen\nbefore the usb hub_event handler is able to notify the driver. This\npatch adds a sanity check before the invalid read reported by syzbot,\nwithin the context disconnection call stack.(CVE-2023-52445)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmtd: Fix gluebi NULL pointer dereference caused by ftl notifier\r\n\r\nIf both ftl.ko and gluebi.ko are loaded, the notifier of ftl\ntriggers NULL pointer dereference when trying to access\n‘gluebi->desc’ in gluebi_read().\r\n\r\nubi_gluebi_init\n  ubi_register_volume_notifier\n    ubi_enumerate_volumes\n      ubi_notify_all\n        gluebi_notify    nb->notifier_call()\n          gluebi_create\n            mtd_device_register\n              mtd_device_parse_register\n                add_mtd_device\n                  blktrans_notify_add   not->add()\n                    ftl_add_mtd         tr->add_mtd()\n                      scan_header\n                        mtd_read\n                          mtd_read_oob\n                            mtd_read_oob_std\n                              gluebi_read   mtd->read()\n                                gluebi->desc - NULL\r\n\r\nDetailed reproduction information available at the Link [1],\r\n\r\nIn the normal case, obtain gluebi->desc in the gluebi_get_device(),\nand access gluebi->desc in the gluebi_read(). However,\ngluebi_get_device() is not executed in advance in the\nftl_add_mtd() process, which leads to NULL pointer dereference.\r\n\r\nThe solution for the gluebi module is to run jffs2 on the UBI\nvolume without considering working with ftl or mtdblock [2].\nTherefore, this problem can be avoided by preventing gluebi from\ncreating the mtdblock device after creating mtd partition of the\ntype MTD_UBIVOLUME.(CVE-2023-52449)",
+    "cves": [
+      {
+        "id": "CVE-2023-52449",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52449",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1104": {
+    "id": "openEuler-SA-2021-1104",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1104",
+    "title": "An update for fontforge is now available for openEuler-20.03-LTS",
+    "severity": "High",
+    "description": "Mozilla fontforge is an open-source web browser, designed for standards compliance, performance and portability.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds write flaw was found in FontForge in versions before 20200314 while parsing SFD files containing certain LayerCount tokens. This flaw allows an attacker to manipulate the memory allocated on the heap, causing the application to crash or execute arbitrary code. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-25690)",
+    "cves": [
+      {
+        "id": "CVE-2020-25690",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25690",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1541": {
+    "id": "openEuler-SA-2024-1541",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1541",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npstore/ram: Fix crash when setting number of cpus to an odd number\r\n\r\nWhen the number of cpu cores is adjusted to 7 or other odd numbers,\nthe zone size will become an odd number.\nThe address of the zone will become:\n    addr of zone0 = BASE\n    addr of zone1 = BASE + zone_size\n    addr of zone2 = BASE + zone_size*2\n    ...\nThe address of zone1/3/5/7 will be mapped to non-alignment va.\nEventually crashes will occur when accessing these va.\r\n\r\nSo, use ALIGN_DOWN() to make sure the zone size is even\nto avoid this bug.(CVE-2023-52619)\r\n\r\nA race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\r\n\r\n\r\n\r\n\n(CVE-2024-24860)\r\n\r\ncreate_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.(CVE-2024-25739)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/bridge: sii902x: Fix probing race issue\r\n\r\nA null pointer dereference crash has been observed rarely on TI\nplatforms using sii9022 bridge:\r\n\r\n[   53.271356]  sii902x_get_edid+0x34/0x70 [sii902x]\n[   53.276066]  sii902x_bridge_get_edid+0x14/0x20 [sii902x]\n[   53.281381]  drm_bridge_get_edid+0x20/0x34 [drm]\n[   53.286305]  drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper]\n[   53.292955]  drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper]\n[   53.300510]  drm_client_modeset_probe+0x1f0/0xbd4 [drm]\n[   53.305958]  __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper]\n[   53.313611]  drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper]\n[   53.320039]  drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper]\n[   53.326401]  drm_client_register+0x5c/0xa0 [drm]\n[   53.331216]  drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper]\n[   53.336881]  tidss_probe+0x128/0x264 [tidss]\n[   53.341174]  platform_probe+0x68/0xc4\n[   53.344841]  really_probe+0x188/0x3c4\n[   53.348501]  __driver_probe_device+0x7c/0x16c\n[   53.352854]  driver_probe_device+0x3c/0x10c\n[   53.357033]  __device_attach_driver+0xbc/0x158\n[   53.361472]  bus_for_each_drv+0x88/0xe8\n[   53.365303]  __device_attach+0xa0/0x1b4\n[   53.369135]  device_initial_probe+0x14/0x20\n[   53.373314]  bus_probe_device+0xb0/0xb4\n[   53.377145]  deferred_probe_work_func+0xcc/0x124\n[   53.381757]  process_one_work+0x1f0/0x518\n[   53.385770]  worker_thread+0x1e8/0x3dc\n[   53.389519]  kthread+0x11c/0x120\n[   53.392750]  ret_from_fork+0x10/0x20\r\n\r\nThe issue here is as follows:\r\n\r\n- tidss probes, but is deferred as sii902x is still missing.\n- sii902x starts probing and enters sii902x_init().\n- sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from\n  DRM's perspective.\n- sii902x calls sii902x_audio_codec_init() and\n  platform_device_register_data()\n- The registration of the audio platform device causes probing of the\n  deferred devices.\n- tidss probes, which eventually causes sii902x_bridge_get_edid() to be\n  called.\n- sii902x_bridge_get_edid() tries to use the i2c to read the edid.\n  However, the sii902x driver has not set up the i2c part yet, leading\n  to the crash.\r\n\r\nFix this by moving the drm_bridge_add() to the end of the\nsii902x_init(), which is also at the very end of sii902x_probe().(CVE-2024-26607)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: make sure init the accept_queue's spinlocks once\r\n\r\nWhen I run syz's reproduction C program locally, it causes the following\nissue:\npvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0!\nWARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508)\nHardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\nRIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508)\nCode: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7\n30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90\nRSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908\nRDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900\nRBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff\nR10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000\nR13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000\nFS:  00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0\nCall Trace:\n<IRQ>\n  _raw_spin_unlock (kernel/locking/spinlock.c:186)\n  inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321)\n  inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358)\n  tcp_check_req (net/ipv4/tcp_minisocks.c:868)\n  tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260)\n  ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205)\n  ip_local_deliver_finish (net/ipv4/ip_input.c:234)\n  __netif_receive_skb_one_core (net/core/dev.c:5529)\n  process_backlog (./include/linux/rcupdate.h:779)\n  __napi_poll (net/core/dev.c:6533)\n  net_rx_action (net/core/dev.c:6604)\n  __do_softirq (./arch/x86/include/asm/jump_label.h:27)\n  do_softirq (kernel/softirq.c:454 kernel/softirq.c:441)\n</IRQ>\n<TASK>\n  __local_bh_enable_ip (kernel/softirq.c:381)\n  __dev_queue_xmit (net/core/dev.c:4374)\n  ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235)\n  __ip_queue_xmit (net/ipv4/ip_output.c:535)\n  __tcp_transmit_skb (net/ipv4/tcp_output.c:1462)\n  tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469)\n  tcp_rcv_state_process (net/ipv4/tcp_input.c:6657)\n  tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929)\n  __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968)\n  release_sock (net/core/sock.c:3536)\n  inet_wait_for_connect (net/ipv4/af_inet.c:609)\n  __inet_stream_connect (net/ipv4/af_inet.c:702)\n  inet_stream_connect (net/ipv4/af_inet.c:748)\n  __sys_connect (./include/linux/file.h:45 net/socket.c:2064)\n  __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070)\n  do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82)\n  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)\n  RIP: 0033:0x7fa10ff05a3d\n  Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89\n  c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48\n  RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a\n  RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d\n  RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003\n  RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640\n  R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20\n</TASK>\r\n\r\nThe issue triggering process is analyzed as follows:\nThread A                                       Thread B\ntcp_v4_rcv\t//receive ack TCP packet       inet_shutdown\n  tcp_check_req                                  tcp_disconnect //disconnect sock\n  ...                                              tcp_set_state(sk, TCP_CLOSE)\n    inet_csk_complete_hashdance                ...\n      inet_csk_reqsk_queue_add         \n---truncated---(CVE-2024-26614)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()\r\n\r\nsyzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken.\r\n\r\nReading frag_off can only be done if we pulled enough bytes\nto skb->head. Currently we might access garbage.\r\n\r\n[1]\nBUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0\nip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0\nipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]\nip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432\n__netdev_start_xmit include/linux/netdevice.h:4940 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4954 [inline]\nxmit_one net/core/dev.c:3548 [inline]\ndev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\nneigh_connected_output+0x569/0x660 net/core/neighbour.c:1592\nneigh_output include/net/neighbour.h:542 [inline]\nip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137\nip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222\nNF_HOOK_COND include/linux/netfilter.h:303 [inline]\nip6_output+0x323/0x610 net/ipv6/ip6_output.c:243\ndst_output include/net/dst.h:451 [inline]\nip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155\nip6_send_skb net/ipv6/ip6_output.c:1952 [inline]\nip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972\nrawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582\nrawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920\ninet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg net/socket.c:745 [inline]\n____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n__sys_sendmsg net/socket.c:2667 [inline]\n__do_sys_sendmsg net/socket.c:2676 [inline]\n__se_sys_sendmsg net/socket.c:2674 [inline]\n__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was created at:\nslab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\nslab_alloc_node mm/slub.c:3478 [inline]\n__kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517\n__do_kmalloc_node mm/slab_common.c:1006 [inline]\n__kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027\nkmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582\npskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098\n__pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655\npskb_may_pull_reason include/linux/skbuff.h:2673 [inline]\npskb_may_pull include/linux/skbuff.h:2681 [inline]\nip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408\nipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]\nip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432\n__netdev_start_xmit include/linux/netdevice.h:4940 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4954 [inline]\nxmit_one net/core/dev.c:3548 [inline]\ndev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\nneigh_connected_output+0x569/0x660 net/core/neighbour.c:1592\nneigh_output include/net/neighbour.h:542 [inline]\nip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137\nip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222\nNF_HOOK_COND include/linux/netfilter.h:303 [inline]\nip6_output+0x323/0x610 net/ipv6/ip6_output.c:243\ndst_output include/net/dst.h:451 [inline]\nip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155\nip6_send_skb net/ipv6/ip6_output.c:1952 [inline]\nip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972\nrawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582\nrawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920\ninet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg net/socket.c:745 [inline]\n____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n__sys_sendmsg net/socket.c:2667 [inline]\n__do_sys_sendms\n---truncated---(CVE-2024-26633)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbtrfs: don't abort filesystem when attempting to snapshot deleted subvolume\r\n\r\nIf the source file descriptor to the snapshot ioctl refers to a deleted\nsubvolume, we get the following abort:\r\n\r\n  BTRFS: Transaction aborted (error -2)\n  WARNING: CPU: 0 PID: 833 at fs/btrfs/transaction.c:1875 create_pending_snapshot+0x1040/0x1190 [btrfs]\n  Modules linked in: pata_acpi btrfs ata_piix libata scsi_mod virtio_net blake2b_generic xor net_failover virtio_rng failover scsi_common rng_core raid6_pq libcrc32c\n  CPU: 0 PID: 833 Comm: t_snapshot_dele Not tainted 6.7.0-rc6 #2\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014\n  RIP: 0010:create_pending_snapshot+0x1040/0x1190 [btrfs]\n  RSP: 0018:ffffa09c01337af8 EFLAGS: 00010282\n  RAX: 0000000000000000 RBX: ffff9982053e7c78 RCX: 0000000000000027\n  RDX: ffff99827dc20848 RSI: 0000000000000001 RDI: ffff99827dc20840\n  RBP: ffffa09c01337c00 R08: 0000000000000000 R09: ffffa09c01337998\n  R10: 0000000000000003 R11: ffffffffb96da248 R12: fffffffffffffffe\n  R13: ffff99820535bb28 R14: ffff99820b7bd000 R15: ffff99820381ea80\n  FS:  00007fe20aadabc0(0000) GS:ffff99827dc00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000559a120b502f CR3: 00000000055b6000 CR4: 00000000000006f0\n  Call Trace:\n   <TASK>\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   ? __warn+0x81/0x130\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   ? report_bug+0x171/0x1a0\n   ? handle_bug+0x3a/0x70\n   ? exc_invalid_op+0x17/0x70\n   ? asm_exc_invalid_op+0x1a/0x20\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n   create_pending_snapshots+0x92/0xc0 [btrfs]\n   btrfs_commit_transaction+0x66b/0xf40 [btrfs]\n   btrfs_mksubvol+0x301/0x4d0 [btrfs]\n   btrfs_mksnapshot+0x80/0xb0 [btrfs]\n   __btrfs_ioctl_snap_create+0x1c2/0x1d0 [btrfs]\n   btrfs_ioctl_snap_create_v2+0xc4/0x150 [btrfs]\n   btrfs_ioctl+0x8a6/0x2650 [btrfs]\n   ? kmem_cache_free+0x22/0x340\n   ? do_sys_openat2+0x97/0xe0\n   __x64_sys_ioctl+0x97/0xd0\n   do_syscall_64+0x46/0xf0\n   entry_SYSCALL_64_after_hwframe+0x6e/0x76\n  RIP: 0033:0x7fe20abe83af\n  RSP: 002b:00007ffe6eff1360 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe20abe83af\n  RDX: 00007ffe6eff23c0 RSI: 0000000050009417 RDI: 0000000000000003\n  RBP: 0000000000000003 R08: 0000000000000000 R09: 00007fe20ad16cd0\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 00007ffe6eff13c0 R14: 00007fe20ad45000 R15: 0000559a120b6d58\n   </TASK>\n  ---[ end trace 0000000000000000 ]---\n  BTRFS: error (device vdc: state A) in create_pending_snapshot:1875: errno=-2 No such entry\n  BTRFS info (device vdc: state EA): forced readonly\n  BTRFS warning (device vdc: state EA): Skipping commit of aborted transaction.\n  BTRFS: error (device vdc: state EA) in cleanup_transaction:2055: errno=-2 No such entry\r\n\r\nThis happens because create_pending_snapshot() initializes the new root\nitem as a copy of the source root item. This includes the refs field,\nwhich is 0 for a deleted subvolume. The call to btrfs_insert_root()\ntherefore inserts a root with refs == 0. btrfs_get_new_fs_root() then\nfinds the root and returns -ENOENT if refs == 0, which causes\ncreate_pending_snapshot() to abort.\r\n\r\nFix it by checking the source root's refs before attempting the\nsnapshot, but after locking subvol_sem to avoid racing with deletion.(CVE-2024-26644)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nhv_netvsc: Fix race condition between netvsc_probe and netvsc_remove\r\n\r\nIn commit ac5047671758 (\"hv_netvsc: Disable NAPI before closing the\nVMBus channel\"), napi_disable was getting called for all channels,\nincluding all subchannels without confirming if they are enabled or not.\r\n\r\nThis caused hv_netvsc getting hung at napi_disable, when netvsc_probe()\nhas finished running but nvdev->subchan_work has not started yet.\nnetvsc_subchan_work() -> rndis_set_subchannel() has not created the\nsub-channels and because of that netvsc_sc_open() is not running.\nnetvsc_remove() calls cancel_work_sync(&nvdev->subchan_work), for which\nnetvsc_subchan_work did not run.\r\n\r\nnetif_napi_add() sets the bit NAPI_STATE_SCHED because it ensures NAPI\ncannot be scheduled. Then netvsc_sc_open() -> napi_enable will clear the\nNAPIF_STATE_SCHED bit, so it can be scheduled. napi_disable() does the\nopposite.\r\n\r\nNow during netvsc_device_remove(), when napi_disable is called for those\nsubchannels, napi_disable gets stuck on infinite msleep.\r\n\r\nThis fix addresses this problem by ensuring that napi_disable() is not\ngetting called for non-enabled NAPI struct.\nBut netif_napi_del() is still necessary for these non-enabled NAPI struct\nfor cleanup purpose.\r\n\r\nCall trace:\n[  654.559417] task:modprobe        state:D stack:    0 pid: 2321 ppid:  1091 flags:0x00004002\n[  654.568030] Call Trace:\n[  654.571221]  <TASK>\n[  654.573790]  __schedule+0x2d6/0x960\n[  654.577733]  schedule+0x69/0xf0\n[  654.581214]  schedule_timeout+0x87/0x140\n[  654.585463]  ? __bpf_trace_tick_stop+0x20/0x20\n[  654.590291]  msleep+0x2d/0x40\n[  654.593625]  napi_disable+0x2b/0x80\n[  654.597437]  netvsc_device_remove+0x8a/0x1f0 [hv_netvsc]\n[  654.603935]  rndis_filter_device_remove+0x194/0x1c0 [hv_netvsc]\n[  654.611101]  ? do_wait_intr+0xb0/0xb0\n[  654.615753]  netvsc_remove+0x7c/0x120 [hv_netvsc]\n[  654.621675]  vmbus_remove+0x27/0x40 [hv_vmbus](CVE-2024-26698)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nafs: Increase buffer size in afs_update_volume_status()\r\n\r\nThe max length of volume->vid value is 20 characters.\nSo increase idbuf[] size up to 24 to avoid overflow.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\r\n\r\n[DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()](CVE-2024-26736)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nARM: ep93xx: Add terminator to gpiod_lookup_table\r\n\r\nWithout the terminator, if a con_id is passed to gpio_find() that\ndoes not exist in the lookup table the function will not stop looping\ncorrectly, and eventually cause an oops.(CVE-2024-26751)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio\r\n\r\nIf kiocb_set_cancel_fn() is called for I/O submitted via io_uring, the\nfollowing kernel warning appears:\r\n\r\nWARNING: CPU: 3 PID: 368 at fs/aio.c:598 kiocb_set_cancel_fn+0x9c/0xa8\nCall trace:\n kiocb_set_cancel_fn+0x9c/0xa8\n ffs_epfile_read_iter+0x144/0x1d0\n io_read+0x19c/0x498\n io_issue_sqe+0x118/0x27c\n io_submit_sqes+0x25c/0x5fc\n __arm64_sys_io_uring_enter+0x104/0xab0\n invoke_syscall+0x58/0x11c\n el0_svc_common+0xb4/0xf4\n do_el0_svc+0x2c/0xb0\n el0_svc+0x2c/0xa4\n el0t_64_sync_handler+0x68/0xb4\n el0t_64_sync+0x1a4/0x1a8\r\n\r\nFix this by setting the IOCB_AIO_RW flag for read and write I/O that is\nsubmitted by libaio.(CVE-2024-26764)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\next4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()\r\n\r\nPlaces the logic for checking if the group's block bitmap is corrupt under\nthe protection of the group lock to avoid allocating blocks from the group\nwith a corrupted block bitmap.(CVE-2024-26772)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\next4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()\r\n\r\nDetermine if the group block bitmap is corrupted before using ac_b_ex in\next4_mb_try_best_found() to avoid allocating blocks from a group with a\ncorrupted block bitmap in the following concurrency and making the\nsituation worse.\r\n\r\next4_mb_regular_allocator\n  ext4_lock_group(sb, group)\n  ext4_mb_good_group\n   // check if the group bbitmap is corrupted\n  ext4_mb_complex_scan_group\n   // Scan group gets ac_b_ex but doesn't use it\n  ext4_unlock_group(sb, group)\n                           ext4_mark_group_bitmap_corrupted(group)\n                           // The block bitmap was corrupted during\n                           // the group unlock gap.\n  ext4_mb_try_best_found\n    ext4_lock_group(ac->ac_sb, group)\n    ext4_mb_use_best_found\n      mb_mark_used\n      // Allocating blocks in block bitmap corrupted group(CVE-2024-26773)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfbdev: sis: Error out if pixclock equals zero\r\n\r\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn't check the value of pixclock,\nit may cause divide-by-zero error.\r\n\r\nIn sisfb_check_var(), var->pixclock is used as a divisor to caculate\ndrate before it is checked against zero. Fix this by checking it\nat the beginning.\r\n\r\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8.(CVE-2024-26777)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfbdev: savage: Error out if pixclock equals zero\r\n\r\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn't check the value of pixclock,\nit may cause divide-by-zero error.\r\n\r\nAlthough pixclock is checked in savagefb_decode_var(), but it is not\nchecked properly in savagefb_probe(). Fix this by checking whether\npixclock is zero in the function savagefb_check_var() before\ninfo->var.pixclock is used as the divisor.\r\n\r\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8.(CVE-2024-26778)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: fsl-qdma: init irq after reg initialization\r\n\r\nInitialize the qDMA irqs after the registers are configured so that\ninterrupts that may have been pending from a primary kernel don't get\nprocessed by the irq handler before it is ready to and cause panic with\nthe following trace:\r\n\r\n  Call trace:\n   fsl_qdma_queue_handler+0xf8/0x3e8\n   __handle_irq_event_percpu+0x78/0x2b0\n   handle_irq_event_percpu+0x1c/0x68\n   handle_irq_event+0x44/0x78\n   handle_fasteoi_irq+0xc8/0x178\n   generic_handle_irq+0x24/0x38\n   __handle_domain_irq+0x90/0x100\n   gic_handle_irq+0x5c/0xb8\n   el1_irq+0xb8/0x180\n   _raw_spin_unlock_irqrestore+0x14/0x40\n   __setup_irq+0x4bc/0x798\n   request_threaded_irq+0xd8/0x190\n   devm_request_threaded_irq+0x74/0xe8\n   fsl_qdma_probe+0x4d4/0xca8\n   platform_drv_probe+0x50/0xa0\n   really_probe+0xe0/0x3f8\n   driver_probe_device+0x64/0x130\n   device_driver_attach+0x6c/0x78\n   __driver_attach+0xbc/0x158\n   bus_for_each_dev+0x5c/0x98\n   driver_attach+0x20/0x28\n   bus_add_driver+0x158/0x220\n   driver_register+0x60/0x110\n   __platform_driver_register+0x44/0x50\n   fsl_qdma_driver_init+0x18/0x20\n   do_one_initcall+0x48/0x258\n   kernel_init_freeable+0x1a4/0x23c\n   kernel_init+0x10/0xf8\n   ret_from_fork+0x10/0x18(CVE-2024-26788)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/pci: Lock external INTx masking ops\r\n\r\nMask operations through config space changes to DisINTx may race INTx\nconfiguration changes via ioctl.  Create wrappers that add locking for\npaths outside of the core interrupt code.\r\n\r\nIn particular, irq_type is updated holding igate, therefore testing\nis_intx() requires holding igate.  For example clearing DisINTx from\nconfig space can otherwise race changes of the interrupt configuration.\r\n\r\nThis aligns interfaces which may trigger the INTx eventfd into two\ncamps, one side serialized by igate and the other only enabled while\nINTx is configured.  A subsequent patch introduces synchronization for\nthe latter flows.(CVE-2024-26810)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Fix stackmap overflow check on 32-bit arches\r\n\r\nThe stackmap code relies on roundup_pow_of_two() to compute the number\nof hash buckets, and contains an overflow check by checking if the\nresulting value is 0. However, on 32-bit arches, the roundup code itself\ncan overflow by doing a 32-bit left-shift of an unsigned long value,\nwhich is undefined behaviour, so it is not guaranteed to truncate\nneatly. This was triggered by syzbot on the DEVMAP_HASH type, which\ncontains the same check, copied from the hashtab code.\r\n\r\nThe commit in the fixes tag actually attempted to fix this, but the fix\ndid not account for the UB, so the fix only works on CPUs where an\noverflow does result in a neat truncation to zero, which is not\nguaranteed. Checking the value before rounding does not have this\nproblem.(CVE-2024-26883)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Fix hashtab overflow check on 32-bit arches\r\n\r\nThe hashtab code relies on roundup_pow_of_two() to compute the number of\nhash buckets, and contains an overflow check by checking if the\nresulting value is 0. However, on 32-bit arches, the roundup code itself\ncan overflow by doing a 32-bit left-shift of an unsigned long value,\nwhich is undefined behaviour, so it is not guaranteed to truncate\nneatly. This was triggered by syzbot on the DEVMAP_HASH type, which\ncontains the same check, copied from the hashtab code. So apply the same\nfix to hashtab, by moving the overflow check to before the roundup.(CVE-2024-26884)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Fix DEVMAP_HASH overflow check on 32-bit arches\r\n\r\nThe devmap code allocates a number hash buckets equal to the next power\nof two of the max_entries value provided when creating the map. When\nrounding up to the next power of two, the 32-bit variable storing the\nnumber of buckets can overflow, and the code checks for overflow by\nchecking if the truncated 32-bit value is equal to 0. However, on 32-bit\narches the rounding up itself can overflow mid-way through, because it\nends up doing a left-shift of 32 bits on an unsigned long value. If the\nsize of an unsigned long is four bytes, this is undefined behaviour, so\nthere is no guarantee that we'll end up with a nice and tidy 0-value at\nthe end.\r\n\r\nSyzbot managed to turn this into a crash on arm32 by creating a\nDEVMAP_HASH with max_entries > 0x80000000 and then trying to update it.\nFix this by moving the overflow check to before the rounding up\noperation.(CVE-2024-26885)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\naoe: fix the potential use-after-free problem in aoecmd_cfg_pkts\r\n\r\nThis patch is against CVE-2023-6270. The description of cve is:\r\n\r\n  A flaw was found in the ATA over Ethernet (AoE) driver in the Linux\n  kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on\n  `struct net_device`, and a use-after-free can be triggered by racing\n  between the free on the struct and the access through the `skbtxq`\n  global queue. This could lead to a denial of service condition or\n  potential code execution.\r\n\r\nIn aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial\ncode is finished. But the net_device ifp will still be used in\nlater tx()->dev_queue_xmit() in kthread. Which means that the\ndev_put(ifp) should NOT be called in the success path of skb\ninitial code in aoecmd_cfg_pkts(). Otherwise tx() may run into\nuse-after-free because the net_device is freed.\r\n\r\nThis patch removed the dev_put(ifp) in the success path in\naoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().(CVE-2024-26898)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/mlx5: Fix fortify source warning while accessing Eth segment\r\n\r\n ------------[ cut here ]------------\n memcpy: detected field-spanning write (size 56) of single field \"eseg->inline_hdr.start\" at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 (size 2)\n WARNING: CPU: 0 PID: 293779 at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n Modules linked in: 8021q garp mrp stp llc rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) ib_core(OE) mlx5_core(OE) pci_hyperv_intf mlxdevm(OE) mlx_compat(OE) tls mlxfw(OE) psample nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink mst_pciconf(OE) knem(OE) vfio_pci vfio_pci_core vfio_iommu_type1 vfio iommufd irqbypass cuse nfsv3 nfs fscache netfs xfrm_user xfrm_algo ipmi_devintf ipmi_msghandler binfmt_misc crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 snd_pcsp aesni_intel crypto_simd cryptd snd_pcm snd_timer joydev snd soundcore input_leds serio_raw evbug nfsd auth_rpcgss nfs_acl lockd grace sch_fq_codel sunrpc drm efi_pstore ip_tables x_tables autofs4 psmouse virtio_net net_failover failover floppy\n  [last unloaded: mlx_compat(OE)]\n CPU: 0 PID: 293779 Comm: ssh Tainted: G           OE      6.2.0-32-generic #32~22.04.1-Ubuntu\n Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\n RIP: 0010:mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n Code: 0c 01 00 a8 01 75 25 48 8b 75 a0 b9 02 00 00 00 48 c7 c2 10 5b fd c0 48 c7 c7 80 5b fd c0 c6 05 57 0c 03 00 01 e8 95 4d 93 da <0f> 0b 44 8b 4d b0 4c 8b 45 c8 48 8b 4d c0 e9 49 fb ff ff 41 0f b7\n RSP: 0018:ffffb5b48478b570 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffffb5b48478b628 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000000 R12: ffffb5b48478b5e8\n R13: ffff963a3c609b5e R14: ffff9639c3fbd800 R15: ffffb5b480475a80\n FS:  00007fc03b444c80(0000) GS:ffff963a3dc00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000556f46bdf000 CR3: 0000000006ac6003 CR4: 00000000003706f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  <TASK>\n  ? show_regs+0x72/0x90\n  ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n  ? __warn+0x8d/0x160\n  ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n  ? report_bug+0x1bb/0x1d0\n  ? handle_bug+0x46/0x90\n  ? exc_invalid_op+0x19/0x80\n  ? asm_exc_invalid_op+0x1b/0x20\n  ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n  mlx5_ib_post_send_nodrain+0xb/0x20 [mlx5_ib]\n  ipoib_send+0x2ec/0x770 [ib_ipoib]\n  ipoib_start_xmit+0x5a0/0x770 [ib_ipoib]\n  dev_hard_start_xmit+0x8e/0x1e0\n  ? validate_xmit_skb_list+0x4d/0x80\n  sch_direct_xmit+0x116/0x3a0\n  __dev_xmit_skb+0x1fd/0x580\n  __dev_queue_xmit+0x284/0x6b0\n  ? _raw_spin_unlock_irq+0xe/0x50\n  ? __flush_work.isra.0+0x20d/0x370\n  ? push_pseudo_header+0x17/0x40 [ib_ipoib]\n  neigh_connected_output+0xcd/0x110\n  ip_finish_output2+0x179/0x480\n  ? __smp_call_single_queue+0x61/0xa0\n  __ip_finish_output+0xc3/0x190\n  ip_finish_output+0x2e/0xf0\n  ip_output+0x78/0x110\n  ? __pfx_ip_finish_output+0x10/0x10\n  ip_local_out+0x64/0x70\n  __ip_queue_xmit+0x18a/0x460\n  ip_queue_xmit+0x15/0x30\n  __tcp_transmit_skb+0x914/0x9c0\n  tcp_write_xmit+0x334/0x8d0\n  tcp_push_one+0x3c/0x60\n  tcp_sendmsg_locked+0x2e1/0xac0\n  tcp_sendmsg+0x2d/0x50\n  inet_sendmsg+0x43/0x90\n  sock_sendmsg+0x68/0x80\n  sock_write_iter+0x93/0x100\n  vfs_write+0x326/0x3c0\n  ksys_write+0xbd/0xf0\n  ? do_syscall_64+0x69/0x90\n  __x64_sys_write+0x19/0x30\n  do_syscall_\n---truncated---(CVE-2024-26907)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvfio/pci: Disable auto-enable of exclusive INTx IRQ\r\n\r\nCurrently for devices requiring masking at the irqchip for INTx, ie.\ndevices without DisINTx support, the IRQ is enabled in request_irq()\nand subsequently disabled as necessary to align with the masked status\nflag.  This presents a window where the interrupt could fire between\nthese events, resulting in the IRQ incrementing the disable depth twice.\nThis would be unrecoverable for a user since the masked flag prevents\nnested enables through vfio.\r\n\r\nInstead, invert the logic using IRQF_NO_AUTOEN such that exclusive INTx\nis never auto-enabled, then unmask as required.(CVE-2024-27437)",
+    "cves": [
+      {
+        "id": "CVE-2024-27437",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27437",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1202": {
+    "id": "openEuler-SA-2024-1202",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1202",
+    "title": "An update for rust is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "Rust is a systems programming language focused on three goals:safety, speed,and concurrency.It maintains these goals without having a garbage collector, making it a useful language for a number of use cases other languages are not good at: embedding in other languages, programs with specific space and time requirements,and writing low-level code, like device drivers and operating systems. It improves on current languages targeting this space by having a number of compile-time safety checks that produce no runtime overhead,while eliminating all data races.\r\n\r\nSecurity Fix(es):\r\n\r\nlibgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_revparse_single` can cause the function to enter an infinite loop, potentially causing a Denial of Service attack in the calling application. The revparse function in `src/libgit2/revparse.c` uses a loop to parse the user-provided spec string. There is an edge-case during parsing that allows a bad actor to force the loop conditions to access arbitrary memory. Potentially, this could also leak memory if the extracted rev spec is reflected back to the attacker. As such, libgit2 versions before 1.4.0 are not affected. Users should upgrade to version 1.6.5 or 1.7.2.(CVE-2024-24575)\r\n\r\nlibgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2.(CVE-2024-24577)",
+    "cves": [
+      {
+        "id": "CVE-2024-24577",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24577",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1879": {
+    "id": "openEuler-SA-2024-1879",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1879",
+    "title": "An update for openssl is now available for openEuler-20.03-LTS-SP4,openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, fully featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL tookit and its related documentation.\r\n\r\nSecurity Fix(es):\r\n\r\nIssue summary: Calling the OpenSSL API function SSL_select_next_proto with an\nempty supported client protocols buffer may cause a crash or memory contents to\nbe sent to the peer.\r\n\r\nImpact summary: A buffer overread can have a range of potential consequences\nsuch as unexpected application beahviour or a crash. In particular this issue\ncould result in up to 255 bytes of arbitrary private data from memory being sent\nto the peer leading to a loss of confidentiality. However, only applications\nthat directly call the SSL_select_next_proto function with a 0 length list of\nsupported client protocols are affected by this issue. This would normally never\nbe a valid scenario and is typically not under attacker control but may occur by\naccident in the case of a configuration or programming error in the calling\napplication.\r\n\r\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\n(Next Protocol Negotiation). NPN is older, was never standardised and\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\nprotocols from the server and a list of protocols from the client and returns\nthe first protocol that appears in the server list that also appears in the\nclient list. In the case of no overlap between the two lists it returns the\nfirst item in the client list. In either case it will signal whether an overlap\nbetween the two lists was found. In the case where SSL_select_next_proto is\ncalled with a zero length client list it fails to notice this condition and\nreturns the memory immediately following the client list pointer (and reports\nthat there was no overlap in the lists).\r\n\r\nThis function is typically called from a server side application callback for\nALPN or a client side application callback for NPN. In the case of ALPN the list\nof protocols supplied by the client is guaranteed by libssl to never be zero in\nlength. The list of server protocols comes from the application and should never\nnormally be expected to be of zero length. In this case if the\nSSL_select_next_proto function has been called as expected (with the list\nsupplied by the client passed in the client/client_len parameters), then the\napplication will not be vulnerable to this issue. If the application has\naccidentally been configured with a zero length server list, and has\naccidentally passed that zero length server list in the client/client_len\nparameters, and has additionally failed to correctly handle a \"no overlap\"\nresponse (which would normally result in a handshake failure in ALPN) then it\nwill be vulnerable to this problem.\r\n\r\nIn the case of NPN, the protocol permits the client to opportunistically select\na protocol when there is no overlap. OpenSSL returns the first client protocol\nin the no overlap case in support of this. The list of client protocols comes\nfrom the application and should never normally be expected to be of zero length.\nHowever if the SSL_select_next_proto function is accidentally called with a\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\napplication uses this output as the opportunistic protocol then the loss of\nconfidentiality will occur.\r\n\r\nThis issue has been assessed as Low severity because applications are most\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\nwidely used. It also requires an application configuration or programming error.\nFinally, this issue would not typically be under attacker control making active\nexploitation unlikely.\r\n\r\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\r\n\r\nDue to the low severity of this issue we are not issuing new releases of\nOpenSSL at this time. The fix will be included in the next releases when they\nbecome available.(CVE-2024-5535)",
+    "cves": [
+      {
+        "id": "CVE-2024-5535",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5535",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1731": {
+    "id": "openEuler-SA-2022-1731",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1731",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Over-read in GitHub repository vim/vim prior to 8.2.(CVE-2022-2124)",
+    "cves": [
+      {
+        "id": "CVE-2022-2124",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2124",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1129": {
+    "id": "openEuler-SA-2023-1129",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1129",
+    "title": "An update for less is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Less is a pager. A pager is a program that displays text files.Other pagers commonly in use are more and pg. Pagers are often used in command-line environments like the Unix shell and the MS-DOS command prompt to display files.Less is not an editor. You can't change the contents of the file you're viewing. Less is not a windowing system. It doesn't have fancy scroll bars or other GUI (graphical user interface) elements.\r\n\r\nSecurity Fix(es):\r\n\r\nIn GNU Less before 609, crafted data can result in \"less -R\" not filtering ANSI escape sequences sent to the terminal.(CVE-2022-46663)",
+    "cves": [
+      {
+        "id": "CVE-2022-46663",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46663",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1792": {
+    "id": "openEuler-SA-2022-1792",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1792",
+    "title": "An update for python-ldap is now available for openEuler-20.03-LTS-SP1 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "python-ldap provides an object-oriented API for working with LDAP within Python programs.  It allows access to LDAP directory servers by wrapping the OpenLDAP 2.x libraries, and contains modules for other LDAP-related tasks (including processing LDIF, LDAPURLs, LDAPv3 schema, etc.).\r\n\r\nSecurity Fix(es):\r\n\r\npython-ldap before 3.4.0 is vulnerable to a denial of service when ldap.schema is used for untrusted schema definitions, because of a regular expression denial of service (ReDoS) flaw in the LDAP schema parser. By sending crafted regex input, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.(CVE-2021-46823)",
+    "cves": [
+      {
+        "id": "CVE-2021-46823",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46823",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1707": {
+    "id": "openEuler-SA-2022-1707",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1707",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\n\r\nHeap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.(CVE-2022-1886)\n\r\nBuffer Over-read in GitHub repository vim/vim prior to 8.2.(CVE-2022-1927)",
+    "cves": [
+      {
+        "id": "CVE-2022-1886",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1886",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1947": {
+    "id": "openEuler-SA-2022-1947",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1947",
+    "title": "An update for lapack is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "LAPACK (Linear Algebra PACKage) is a standard library for numerical linear algebra. LAPACK provides routines for solving systems of simultaneous linear equations, least-squares solutions of linear systems of equations, eigenvalue problems, and singular value problems. Associated matrix factorizations (LU, Cholesky, QR, SVD,Schur, and generalized Schur) and related computations (i.e.,reordering of Schur factorizations and estimating condition numbers)are also included. LAPACK can handle dense and banded matrices, but not general sparse matrices. Similar functionality is provided for real and complex matrices in both single and double precision. LAPACK is coded in Fortran90 and built with gcc.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0, as also used in OpenBLAS before version 0.3.18. Specially crafted inputs passed to these functions could cause an application using lapack to crash or possibly disclose portions of its memory.(CVE-2021-4048)",
+    "cves": [
+      {
+        "id": "CVE-2021-4048",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4048",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1130": {
+    "id": "openEuler-SA-2023-1130",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1130",
+    "title": "An update for rubygem-activesupport is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.\r\n\r\nSecurity Fix(es):\r\n\r\nA regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.(CVE-2023-22796)",
+    "cves": [
+      {
+        "id": "CVE-2023-22796",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22796",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1399": {
+    "id": "openEuler-SA-2024-1399",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1399",
+    "title": "An update for rubygem-tzinfo is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "TZInfo provides daylight savings aware transformations between times in different time zones.\r\n\r\nSecurity Fix(es):\r\n\r\nTZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with `require` on demand. In the affected versions, `TZInfo::Timezone.get` fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, `TZInfo::Timezone.get` can be made to load unintended files with `require`, executing them within the Ruby process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of `tzinfo/definition` within a directory in the load path. Applications should ensure that untrusted files are not placed in a directory on the load path. As a workaround, the time zone identifier can be validated before passing to `TZInfo::Timezone.get` by ensuring it matches the regular expression `\\A[A-Za-z0-9+\\-_]+(?:\\/[A-Za-z0-9+\\-_]+)*\\z`.(CVE-2022-31163)",
+    "cves": [
+      {
+        "id": "CVE-2022-31163",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31163",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1629": {
+    "id": "openEuler-SA-2022-1629",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1629",
+    "title": "An update for gzip is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "gzip is a single-file/stream lossless data compression utility, where the resulting compressed file generally has the suffix .gz.\r\n\r\nSecurity Fix(es):\r\n\r\nThe vulnerability exists due to insufficient validation when handling filenames with two or more newlines. A remote attacker can force zgrep or xzgrep to write arbitrary files on the system. The vulnerability allows a remote attacker to compromise an affected system.(CVE-2022-1271)",
+    "cves": [
+      {
+        "id": "CVE-2022-1271",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1271",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1322": {
+    "id": "openEuler-SA-2024-1322",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1322",
+    "title": "An update for python-aiosmtpd is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "This is a server for SMTP and related protocols, similar in utility to the standard library's smtpd.py module, but rewritten to be based on asyncio for Python 3.\r\n\r\nSecurity Fix(es):\r\n\r\naiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. aiosmtpd is vulnerable to inbound SMTP smuggling. SMTP smuggling is a novel vulnerability based on not so novel interpretation differences of the SMTP protocol. By exploiting SMTP smuggling, an attacker may send smuggle/spoof e-mails with fake sender addresses, allowing advanced phishing attacks. This issue is also existed in other SMTP software like Postfix. With the right SMTP server constellation, an attacker can send spoofed e-mails to inbound/receiving aiosmtpd instances. This issue has been addressed in version 1.4.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2024-27305)",
+    "cves": [
+      {
+        "id": "CVE-2024-27305",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27305",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1597": {
+    "id": "openEuler-SA-2023-1597",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1597",
+    "title": "An update for python3 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces.\r\n\r\nSecurity Fix(es):\r\n\r\nAn XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.(CVE-2022-48565)",
+    "cves": [
+      {
+        "id": "CVE-2022-48565",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48565",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1874": {
+    "id": "openEuler-SA-2023-1874",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1874",
+    "title": "An update for vim is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Low",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nVim is an open source command line text editor. When closing a window, vim may try to access already freed window structure. Exploitation beyond crashing the application has not been shown to be viable. This issue has been addressed in commit `25aabc2b` which has been included in release version 9.0.2106. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48231)\r\n\r\nVim is an open source command line text editor. If the count after the :s command is larger than what fits into a (signed) long variable, abort with e_value_too_large. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `ac6378773` which has been included in release version 9.0.2108. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48233)\r\n\r\nVim is an open source command line text editor. When getting the count for a normal mode z command, it may overflow for large counts given. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `58f9befca1` which has been included in release version 9.0.2109. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48234)\r\n\r\nVim is an open source command line text editor. When parsing relative ex addresses one may unintentionally cause an\noverflow. Ironically this happens in the existing overflow check, because the line number becomes negative and LONG_MAX - lnum will cause the overflow. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `060623e` which has been included in release version 9.0.2110. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48235)\r\n\r\nVim is an open source command line text editor. When using the z= command, the user may overflow the count with values larger\nthan MAX_INT. Impact is low, user interaction is required and a crash may not even happen in all situations. This vulnerability has been addressed in commit `73b2d379` which has been included in release version 9.0.2111. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48236)\r\n\r\nVim is an open source command line text editor. In affected versions when shifting lines in operator pending mode and using a very large value, it may be possible to overflow the size of integer. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `6bf131888` which has been included in version 9.0.2112. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48237)\r\n\r\nVim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a `:s` command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive `:s` call causes free-ing of memory which may later then be accessed by the initial `:s` command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue.(CVE-2023-48706)",
+    "cves": [
+      {
+        "id": "CVE-2023-48706",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48706",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2055": {
+    "id": "openEuler-SA-2022-2055",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2055",
+    "title": "An update for python-django is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.(CVE-2021-45115)\r\n\r\nAn issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.(CVE-2021-45116)\r\n\r\nStorage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.(CVE-2021-45452)\r\n\r\nThe {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.(CVE-2022-22818)\r\n\r\nAn issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.(CVE-2022-23833)",
+    "cves": [
+      {
+        "id": "CVE-2022-23833",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23833",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1995": {
+    "id": "openEuler-SA-2023-1995",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1995",
+    "title": "An update for jgit is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "A pure Java implementation of the Git version control system and command line interface.\r\n\r\nSecurity Fix(es):\r\n\r\nArbitrary File Overwrite in Eclipse JGit <= 6.6.0\r\n\r\nIn Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem.\r\n\r\nThis can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command.\r\n\r\nThe issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration.\r\n\r\nSetting git configuration option core.symlinks = false before checking out avoids the problem.\r\n\r\nThe issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via  Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/  and  repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ .\r\n\r\n\nThe JGit maintainers would like to thank RyotaK for finding and reporting this issue.\r\n\r\n\r\n\r\n(CVE-2023-4759)",
+    "cves": [
+      {
+        "id": "CVE-2023-4759",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4759",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1757": {
+    "id": "openEuler-SA-2023-1757",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1757",
+    "title": "An update for samba is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nA path traversal vulnerability was identified in Samba when processing client pipe names connecting to Unix domain sockets within a private directory. Samba typically uses this mechanism to connect SMB clients to remote procedure call (RPC) services like SAMR LSA or SPOOLSS, which Samba initiates on demand. However, due to inadequate sanitization of incoming client pipe names, allowing a client to send a pipe name containing Unix directory traversal characters (../). This could result in SMB clients connecting as root to Unix domain sockets outside the private directory. If an attacker or client managed to send a pipe name resolving to an external service using an existing Unix domain socket, it could potentially lead to unauthorized access to the service and consequential adverse events, including compromise or service crashes.(CVE-2023-3961)\r\n\r\nA vulnerability was discovered in Samba, where the flaw allows SMB clients to truncate files, even with read-only permissions when the Samba VFS module \"acl_xattr\" is configured with \"acl_xattr:ignore system acls = yes\". The SMB protocol allows opening files when the client requests read-only access but then implicitly truncates the opened file to 0 bytes if the client specifies a separate OVERWRITE create disposition request. The issue arises in configurations that bypass kernel file system permissions checks, relying solely on Samba's permissions.(CVE-2023-4091)\r\n\r\nA vulnerability was found in Samba's \"rpcecho\" development server, a non-Windows RPC server used to test Samba's DCE/RPC stack elements. This vulnerability stems from an RPC function that can be blocked indefinitely. The issue arises because the \"rpcecho\" service operates with only one worker in the main RPC task, allowing calls to the \"rpcecho\" server to be blocked for a specified time, causing service disruptions. This disruption is triggered by a \"sleep()\" call in the \"dcesrv_echo_TestSleep()\" function under specific conditions. Authenticated users or attackers can exploit this vulnerability to make calls to the \"rpcecho\" server, requesting it to block for a specified duration, effectively disrupting most services and leading to a complete denial of service on the AD DC. The DoS affects all other services as \"rpcecho\" runs in the main RPC task.(CVE-2023-42669)\r\n\r\nA flaw was found in Samba. It is susceptible to a vulnerability where multiple incompatible RPC listeners can be initiated, causing disruptions in the AD DC service. When Samba's RPC server experiences a high load or unresponsiveness, servers intended for non-AD DC purposes (for example, NT4-emulation \"classic DCs\") can erroneously start and compete for the same unix domain sockets. This issue leads to partial query responses from the AD DC, causing issues such as \"The procedure number is out of range\" when using tools like Active Directory Users. This flaw allows an attacker to disrupt AD DC services.(CVE-2023-42670)",
+    "cves": [
+      {
+        "id": "CVE-2023-42670",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42670",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1115": {
+    "id": "openEuler-SA-2021-1115",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1115",
+    "title": "An update for nss is now available for openEuler-20.03-LTS",
+    "severity": "High",
+    "description": "Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.(CVE-2020-12403)\n\nA flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw affects NSS versions before 3.58.(CVE-2020-25648)\n\nIn Network Security Services before 3.44, a malformed Netscape Certificate Sequence can cause NSS to crash, resulting in a denial of service.(CVE-2019-17007)",
+    "cves": [
+      {
+        "id": "CVE-2019-17007",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17007",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1193": {
+    "id": "openEuler-SA-2021-1193",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1193",
+    "title": "An update for cifs-utils is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The in-kernel CIFS filesystem is generally the preferred method for mounting SMB/CIFS shares on Linux.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in cifs-utils in versions before 6.13. A user when mounting a krb5 CIFS file system from within a container can use Kerberos credentials of the host. The highest threat from this vulnerability is to data confidentiality and integrity.(CVE-2021-20208)",
+    "cves": [
+      {
+        "id": "CVE-2021-20208",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20208",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1310": {
+    "id": "openEuler-SA-2023-1310",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1310",
+    "title": "An update for webkit2gtk3 is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "WebKitGTK is a full-featured port of the WebKit rendering engine,suitable for projects requiring any kind of web integration, from hybrid HTML/CSS applications to full-fledged web browsers. This package contains WebKit2 based WebKitGTK+ for GTK+ 3.\r\n\r\nSecurity Fix(es):\r\n\r\nA use after free vulnerability was found in the webkitgtk package. Processing maliciously crafted web content may lead to arbitrary code execution.(CVE-2023-32373)\r\n\r\nA flaw was found in the webkitgtk package. An out of bounds read may be possible when processing malicious web content, which can lead to information disclosure.(CVE-2023-28204)\r\n\r\nA flaw was found in the WebGPU, part of the Webkit project. This flaw allows a remote attacker to break out of the Web Content sandbox.(CVE-2023-32409)",
+    "cves": [
+      {
+        "id": "CVE-2023-32409",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32409",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1250": {
+    "id": "openEuler-SA-2021-1250",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1250",
+    "title": "An update for mariadb is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "MariaDB turns data into structured information in a wide array of applications, ranging from banking to websites. It is an enhanced, drop-in replacement for MySQL. MariaDB is used because it is fast, scalable and robust, with a rich ecosystem of storage engines, plugins and many other tools make it very versatile for a wide variety of use cases.\r\n\r\nSecurity Fix(es):\r\n\r\nA remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.(CVE-2021-27928)\r\n\r\nA flaw was found in the mysql-wsrep component of mariadb. Lack of input sanitization in `wsrep_sst_method` allows for command injection that can be exploited by a remote attacker to execute arbitrary commands on galera cluster nodes. This threatens the system's confidentiality, integrity, and availability. This flaw affects mariadb versions before 10.1.47, before 10.2.34, before 10.3.25, before 10.4.15 and before 10.5.6.(CVE-2020-15180)",
+    "cves": [
+      {
+        "id": "CVE-2020-15180",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15180",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1196": {
+    "id": "openEuler-SA-2024-1196",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1196",
+    "title": "An update for python-jwcrypto is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Implements JWK, JWS, JWE specifications with python-cryptography\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in JWCrypto. This flaw allows an attacker to cause a denial of service (DoS) attack and possible password brute-force and dictionary attacks to be more resource-intensive. This issue can result in a large amount of computational consumption, causing a denial of service attack.(CVE-2023-6681)",
+    "cves": [
+      {
+        "id": "CVE-2023-6681",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6681",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1753": {
+    "id": "openEuler-SA-2023-1753",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1753",
+    "title": "An update for samba is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was discovered in Samba, where the flaw allows SMB clients to truncate files, even with read-only permissions when the Samba VFS module \"acl_xattr\" is configured with \"acl_xattr:ignore system acls = yes\". The SMB protocol allows opening files when the client requests read-only access but then implicitly truncates the opened file to 0 bytes if the client specifies a separate OVERWRITE create disposition request. The issue arises in configurations that bypass kernel file system permissions checks, relying solely on Samba's permissions.(CVE-2023-4091)\r\n\r\nA vulnerability was found in Samba's \"rpcecho\" development server, a non-Windows RPC server used to test Samba's DCE/RPC stack elements. This vulnerability stems from an RPC function that can be blocked indefinitely. The issue arises because the \"rpcecho\" service operates with only one worker in the main RPC task, allowing calls to the \"rpcecho\" server to be blocked for a specified time, causing service disruptions. This disruption is triggered by a \"sleep()\" call in the \"dcesrv_echo_TestSleep()\" function under specific conditions. Authenticated users or attackers can exploit this vulnerability to make calls to the \"rpcecho\" server, requesting it to block for a specified duration, effectively disrupting most services and leading to a complete denial of service on the AD DC. The DoS affects all other services as \"rpcecho\" runs in the main RPC task.(CVE-2023-42669)",
+    "cves": [
+      {
+        "id": "CVE-2023-42669",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42669",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1003": {
+    "id": "openEuler-SA-2021-1003",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1003",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nA flaw was found in the Linux kernel. A use-after-free memory flaw was found in the perf subsystem allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-14351)\n\nAn issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. drivers/xen/events/events_base.c allows event-channel removal during the event-handling loop (a race condition). This can cause a use-after-free or NULL pointer dereference, as demonstrated by a dom0 crash via events for an in-reconfiguration paravirtualized device, aka CID-073d0552ead5.(CVE-2020-27675)\n\nA flaw was found in the Linux kernel. A use-after-free was found in the way the console subsystem was using ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to get read memory access out of bounds. The highest threat from this vulnerability is to data confidentiality.(CVE-2020-25656)\n\nImproper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access.(CVE-2020-12352)\n\nA locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.(CVE-2020-29661)\n\nA flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform) a root like local user could use this flaw to further increase their privileges to that of a running kernel.(CVE-2020-27777)\n\nA locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24.(CVE-2020-29660)\n\nAn issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped. However, the handler may not have time to run if the frontend quickly toggles between the states connect and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.(CVE-2020-29569)\n\nA flaw was found in the JFS filesystem code. This flaw allows a local attacker with the ability to set extended attributes to panic the system, causing memory corruption or escalating privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-27815)\n\nA vulnerability was found in Linux Kernel where in the spk_ttyio_receive_buf2() function, it would dereference spk_ttyio_synth without checking whether it is NULL or not, and may lead to a NULL-ptr deref crash.(CVE-2020-27830)",
+    "cves": [
+      {
+        "id": "CVE-2020-27830",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27830",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1449": {
+    "id": "openEuler-SA-2023-1449",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1449",
+    "title": "An update for samba is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Samba is a suite of programs for Linux and Unix to interoperate with Windows.\n\nSecurity Fix(es):\n\nAn out-of-bounds read vulnerability was found in Samba due to insufficient length checks in winbindd_pam_auth_crap.c. When performing NTLM authentication, the client replies to cryptographic challenges back to the server. These replies have variable lengths, and Winbind fails to check the lan manager response length. When Winbind is used for NTLM authentication, a maliciously crafted request can trigger an out-of-bounds read in Winbind, possibly resulting in a crash.(CVE-2022-2127)\n\nAn infinite loop vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in an endless loop consuming 100% CPU. This flaw allows an attacker to issue a malformed RPC request, triggering an infinite loop, resulting in a denial of service condition.(CVE-2023-34966)\n\nA Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed-in pointer is not a valid talloc pointer. With an RPC worker process shared among multiple client connections, a malicious client or attacker can trigger a process crash in a shared RPC mdssvc worker process, affecting all other clients this worker serves.(CVE-2023-34967)",
+    "cves": [
+      {
+        "id": "CVE-2023-34967",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34967",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1344": {
+    "id": "openEuler-SA-2024-1344",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1344",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: act_ct: fix wild memory access when clearing fragments\r\n\r\nwhile testing re-assembly/re-fragmentation using act_ct, it's possible to\nobserve a crash like the following one:\r\n\r\n KASAN: maybe wild-memory-access in range [0x0001000000000448-0x000100000000044f]\n CPU: 50 PID: 0 Comm: swapper/50 Tainted: G S                5.12.0-rc7+ #424\n Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017\n RIP: 0010:inet_frag_rbtree_purge+0x50/0xc0\n Code: 00 fc ff df 48 89 c3 31 ed 48 89 df e8 a9 7a 38 ff 4c 89 fe 48 89 df 49 89 c6 e8 5b 3a 38 ff 48 8d 7b 40 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 75 59 48 8d bb d0 00 00 00 4c 8b 6b 40 48 89 f8 48\n RSP: 0018:ffff888c31449db8 EFLAGS: 00010203\n RAX: 0000200000000089 RBX: 000100000000040e RCX: ffffffff989eb960\n RDX: 0000000000000140 RSI: ffffffff97cfb977 RDI: 000100000000044e\n RBP: 0000000000000900 R08: 0000000000000000 R09: ffffed1186289350\n R10: 0000000000000003 R11: ffffed1186289350 R12: dffffc0000000000\n R13: 000100000000040e R14: 0000000000000000 R15: ffff888155e02160\n FS:  0000000000000000(0000) GS:ffff888c31440000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00005600cb70a5b8 CR3: 0000000a2c014005 CR4: 00000000003706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  <IRQ>\n  inet_frag_destroy+0xa9/0x150\n  call_timer_fn+0x2d/0x180\n  run_timer_softirq+0x4fe/0xe70\n  __do_softirq+0x197/0x5a0\n  irq_exit_rcu+0x1de/0x200\n  sysvec_apic_timer_interrupt+0x6b/0x80\n  </IRQ>\r\n\r\nwhen act_ct temporarily stores an IP fragment, restoring the skb qdisc cb\nresults in putting random data in FRAG_CB(), and this causes those \"wild\"\nmemory accesses later, when the rbtree is purged. Never overwrite the skb\ncb in case tcf_ct_handle_fragments() returns -EINPROGRESS.(CVE-2021-47014)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nudp: skip L4 aggregation for UDP tunnel packets\r\n\r\nIf NETIF_F_GRO_FRAGLIST or NETIF_F_GRO_UDP_FWD are enabled, and there\nare UDP tunnels available in the system, udp_gro_receive() could end-up\ndoing L4 aggregation (either SKB_GSO_UDP_L4 or SKB_GSO_FRAGLIST) at\nthe outer UDP tunnel level for packets effectively carrying and UDP\ntunnel header.\r\n\r\nThat could cause inner protocol corruption. If e.g. the relevant\npackets carry a vxlan header, different vxlan ids will be ignored/\naggregated to the same GSO packet. Inner headers will be ignored, too,\nso that e.g. TCP over vxlan push packets will be held in the GRO\nengine till the next flush, etc.\r\n\r\nJust skip the SKB_GSO_UDP_L4 and SKB_GSO_FRAGLIST code path if the\ncurrent packet could land in a UDP tunnel, and let udp_gro_receive()\ndo GRO via udp_sk(sk)->gro_receive.\r\n\r\nThe check implemented in this patch is broader than what is strictly\nneeded, as the existing UDP tunnel could be e.g. configured on top of\na different device: we could end-up skipping GRO at-all for some packets.\r\n\r\nAnyhow, that is a very thin corner case and covering it will add quite\na bit of complexity.\r\n\r\nv1 -> v2:\n - hopefully clarify the commit message(CVE-2021-47036)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: pvrusb2: fix use after free on context disconnection\r\n\r\nUpon module load, a kthread is created targeting the\npvr2_context_thread_func function, which may call pvr2_context_destroy\nand thus call kfree() on the context object. However, that might happen\nbefore the usb hub_event handler is able to notify the driver. This\npatch adds a sanity check before the invalid read reported by syzbot,\nwithin the context disconnection call stack.(CVE-2023-52445)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblock: add check that partition length needs to be aligned with block size\r\n\r\nBefore calling add partition or resize partition, there is no check\non whether the length is aligned with the logical block size.\nIf the logical block size of the disk is larger than 512 bytes,\nthen the partition size maybe not the multiple of the logical block size,\nand when the last sector is read, bio_truncate() will adjust the bio size,\nresulting in an IO error if the size of the read command is smaller than\nthe logical block size.If integrity data is supported, this will also\nresult in a null pointer dereference when calling bio_integrity_free.(CVE-2023-52458)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg\r\n\r\nsyzbot reported the following uninit-value access issue:\r\n\r\n=====================================================\nBUG: KMSAN: uninit-value in smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\nBUG: KMSAN: uninit-value in smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\nCPU: 0 PID: 8696 Comm: kworker/0:3 Not tainted 5.8.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:118\n kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121\n __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\n smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\n usbnet_probe+0x1152/0x3f90 drivers/net/usb/usbnet.c:1737\n usb_probe_interface+0xece/0x1550 drivers/usb/core/driver.c:374\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\n usb_set_configuration+0x380f/0x3f10 drivers/usb/core/message.c:2032\n usb_generic_driver_probe+0x138/0x300 drivers/usb/core/generic.c:241\n usb_probe_device+0x311/0x490 drivers/usb/core/driver.c:272\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\n usb_new_device+0x1bd4/0x2a30 drivers/usb/core/hub.c:2554\n hub_port_connect drivers/usb/core/hub.c:5208 [inline]\n hub_port_connect_change drivers/usb/core/hub.c:5348 [inline]\n port_event drivers/usb/core/hub.c:5494 [inline]\n hub_event+0x5e7b/0x8a70 drivers/usb/core/hub.c:5576\n process_one_work+0x1688/0x2140 kernel/workqueue.c:2269\n worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415\n kthread+0x551/0x590 kernel/kthread.c:292\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293\r\n\r\nLocal variable ----buf.i87@smsc75xx_bind created at:\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\r\n\r\nThis issue is caused because usbnet_read_cmd() reads less bytes than requested\n(zero byte in the reproducer). In this case, 'buf' is not properly filled.\r\n\r\nThis patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads\nless bytes than requested.(CVE-2023-52528)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap()\r\n\r\nSince 'ieee80211_beacon_get()' can return NULL, 'wfx_set_mfp_ap()'\nshould check the return value before examining skb data. So convert\nthe latter to return an appropriate error code and propagate it to\nreturn from 'wfx_start_ap()' as well. Compile tested only.(CVE-2023-52593)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix slab-out-of-bounds Read in dtSearch\r\n\r\nCurrently while searching for current page in the sorted entry table\nof the page there is a out of bound access. Added a bound check to fix\nthe error.\r\n\r\nDave:\nSet return code to -EIO(CVE-2023-52602)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nUBSAN: array-index-out-of-bounds in dtSplitRoot\r\n\r\nSyzkaller reported the following issue:\r\n\r\noop0: detected capacity change from 0 to 32768\r\n\r\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9\nindex -2 is out of range for type 'struct dtslot [128]'\nCPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:151 [inline]\n __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283\n dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971\n dtSplitUp fs/jfs/jfs_dtree.c:985 [inline]\n dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863\n jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270\n vfs_mkdir+0x3b3/0x590 fs/namei.c:4013\n do_mkdirat+0x279/0x550 fs/namei.c:4038\n __do_sys_mkdirat fs/namei.c:4053 [inline]\n __se_sys_mkdirat fs/namei.c:4051 [inline]\n __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fcdc0113fd9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9\nRDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003\nRBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0\nR10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000\nR13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000\n </TASK>\r\n\r\nThe issue is caused when the value of fsi becomes less than -1.\nThe check to break the loop when fsi value becomes -1 is present\nbut syzbot was able to produce value less than -1 which cause the error.\nThis patch simply add the change for the values less than 0.\r\n\r\nThe patch is tested via syzbot.(CVE-2023-52603)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nFS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree\r\n\r\nSyzkaller reported the following issue:\r\n\r\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2867:6\nindex 196694 is out of range for type 's8[1365]' (aka 'signed char[1365]')\nCPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348\n dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867\n dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834\n dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331\n dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]\n dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402\n txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534\n txUpdateMap+0x342/0x9e0\n txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]\n jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732\n kthread+0x2d3/0x370 kernel/kthread.c:388\n ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n </TASK>\n================================================================================\nKernel panic - not syncing: UBSAN: panic_on_warn set ...\nCPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n panic+0x30f/0x770 kernel/panic.c:340\n check_panic_on_warn+0x82/0xa0 kernel/panic.c:236\n ubsan_epilogue lib/ubsan.c:223 [inline]\n __ubsan_handle_out_of_bounds+0x13c/0x150 lib/ubsan.c:348\n dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867\n dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834\n dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331\n dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]\n dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402\n txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534\n txUpdateMap+0x342/0x9e0\n txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]\n jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732\n kthread+0x2d3/0x370 kernel/kthread.c:388\n ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n </TASK>\nKernel Offset: disabled\nRebooting in 86400 seconds..\r\n\r\nThe issue is caused when the value of lp becomes greater than\nCTLTREESIZE which is the max size of stree. Adding a simple check\nsolves this issue.\r\n\r\nDave:\nAs the function returns a void, good error handling\nwould require a more intrusive code reorganization, so I modified\nOsama's patch at use WARN_ON_ONCE for lack of a cleaner option.\r\n\r\nThe patch is tested via syzbot.(CVE-2023-52604)\r\n\r\nInteger Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.(CVE-2024-23307)\r\n\r\nA race condition was found in the Linux kernel's scsi device driver in lpfc_unregister_fcf_rescan() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\r\n\r\n\r\n\r\n\n(CVE-2024-24855)",
+    "cves": [
+      {
+        "id": "CVE-2024-24855",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24855",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1690": {
+    "id": "openEuler-SA-2022-1690",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1690",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nsd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process.(CVE-2020-13253)\r\n\r\nAn infinite loop flaw was found in the e1000 NIC emulator of the QEMU. This issue occurs while processing transmits (tx) descriptors in process_tx_desc if various descriptor fields are initialized with invalid values. This flaw allows a guest to consume CPU cycles on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2021-20257)",
+    "cves": [
+      {
+        "id": "CVE-2021-20257",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20257",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1867": {
+    "id": "openEuler-SA-2024-1867",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1867",
+    "title": "An update for python-pip is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes. %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-/bash_completion.d}) Name:           python-pip Version:        20.2.2 Release:        4 Summary:        A tool for installing and managing Python packages License:        MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD) URL:            http://www.pip-installer.org Source0:        https://files.pythonhosted.org/packages/source/p/pip/pip-.tar.gz BuildArch:      noarch Patch1:         allow-stripping-given-prefix-from-wheel-RECORD-files. Patch2:         emit-a-warning-when-running-with-root-privileges.patch Patch3:         remove-existing-dist-only-if-path-conflicts.patch Patch6000:      dummy-certifi.patch Patch6001:      backport-CVE-2021-3572.patch\r\n\r\nSecurity Fix(es):\r\n\r\nurllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.(CVE-2023-43804)\r\n\r\nurllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.\n(CVE-2023-45803)\r\n\r\n urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations.(CVE-2024-37891)",
+    "cves": [
+      {
+        "id": "CVE-2024-37891",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1009": {
+    "id": "openEuler-SA-2023-1009",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1009",
+    "title": "An update for ImageMagick is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nIn ImageMagick, there is load of misaligned address for type 'double', which requires 8 byte alignment and for type 'float', which requires 4 byte alignment at MagickCore/property.c. Whenever crafted or untrusted input is processed by ImageMagick, this causes a negative impact to application availability or other problems related to undefined behavior.(CVE-2022-32547)",
+    "cves": [
+      {
+        "id": "CVE-2022-32547",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32547",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1906": {
+    "id": "openEuler-SA-2022-1906",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1906",
+    "title": "An update for poppler is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Poppler is a free software utility library for rendering Portable Document Format (PDF) documents. \\Its development is supported by freedesktop.org. It is commonly used on Linux systems,and is used by \\the PDF viewers of the open source GNOME and KDE desktop environments.\r\n\r\nSecurity Fix(es):\r\n\r\nPoppler prior to and including 22.08.0 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIGStream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2022-38171 in Xpdf.(CVE-2022-38784)",
+    "cves": [
+      {
+        "id": "CVE-2022-38784",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38784",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1646": {
+    "id": "openEuler-SA-2023-1646",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1646",
+    "title": "An update for openjdk-1.8.0 is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment 8.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.3.1; Oracle GraalVM Enterprise Edition: 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21549)\r\n\r\nAn issue was discovered in function ciMethodBlocks::make_block_at in Oracle JDK (HotSpot VM) 11, 17 and OpenJDK (HotSpot VM) 8, 11, 17, allows attackers to cause a denial of service.(CVE-2022-40433)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization).  Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf; Oracle GraalVM Enterprise Edition: 20.3.8 and  21.3.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21830)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Sound).  Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21843)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2023-21930)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21937)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21938)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21939)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2023-21954)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21968)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2023-22045)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-22049)",
+    "cves": [
+      {
+        "id": "CVE-2023-22049",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22049",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1337": {
+    "id": "openEuler-SA-2024-1337",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1337",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.(CVE-2023-3019)",
+    "cves": [
+      {
+        "id": "CVE-2023-3019",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3019",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1844": {
+    "id": "openEuler-SA-2022-1844",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1844",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nThe Linux kernel before 5.18.13 lacks a certain clear operation for the block starting symbol (.bss). This allows Xen PV guest OS users to cause a denial of service or gain privileges.(CVE-2022-36123)\n\nIn v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-223375145References: Upstream kernel(CVE-2022-20369)",
+    "cves": [
+      {
+        "id": "CVE-2022-20369",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20369",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1221": {
+    "id": "openEuler-SA-2024-1221",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1221",
+    "title": "An update for jss is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "JSS offers a implementation for java-based applications to use native NSS.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in JSS, where it did not properly free up all memory. Over time, the wasted memory builds up in the server memory, saturating the server’s RAM. This flaw allows an attacker to force the invocation of an out-of-memory process, causing a denial of service.(CVE-2021-4213)",
+    "cves": [
+      {
+        "id": "CVE-2021-4213",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4213",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1413": {
+    "id": "openEuler-SA-2024-1413",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1413",
+    "title": "An update for libxml2 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "This library allows to manipulate XML files. It includes support to read, modify and write XML and HTML files. There is DTDs support this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified. The output can be a simple SAX stream or and in-memory DOM like representations. In this case one can use the built-in XPath and XPointer implementation to select sub nodes or ranges. A flexible Input/Output mechanism is available, with existing HTTP and FTP modules and combined to an URI library.\r\n\r\nSecurity Fix(es):\r\n\r\nNULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.(CVE-2022-2309)",
+    "cves": [
+      {
+        "id": "CVE-2022-2309",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2309",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1423": {
+    "id": "openEuler-SA-2023-1423",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1423",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nA use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation.\n\nRacing a io_uring cancel poll request with a linked timeout can cause a UAF in a hrtimer.\n\nWe recommend upgrading past commit ef7dfac51d8ed961b742218f526bd589f3900a59 (4716c73b188566865bdd79c3a6709696a224ac04 for 5.10 stable and 0e388fce7aec40992eadee654193cad345d62663 for 5.15 stable).\n\n(CVE-2023-3389)",
+    "cves": [
+      {
+        "id": "CVE-2023-3389",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3389",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1216": {
+    "id": "openEuler-SA-2024-1216",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1216",
+    "title": "An update for OpenEXR is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light & Magic for use in computer imaging applications.\r\n\r\nSecurity Fix(es):\r\n\r\nDue to a failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data, Academy Software Foundation OpenEX image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability. This issue was resolved as of versions v3.2.2 and v3.1.12 of the affected library.\n(CVE-2023-5841)",
+    "cves": [
+      {
+        "id": "CVE-2023-5841",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5841",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1568": {
+    "id": "openEuler-SA-2023-1568",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1568",
+    "title": "An update for libpq is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "PostgreSQL is a powerful, open source object-relational database system that uses and extends the SQL language combined with many features that safely store and scale the most complicated data workloads. This package provides the essential shared library for any PostgreSQL client program or interface.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\n** DISPUTED ** An issue was discovered in PostgreSQL 12.2 allows attackers to cause a denial of service via repeatedly sending SIGHUP signals. NOTE: this is disputed by the vendor because untrusted users cannot send SIGHUP signals; they can only be sent by a PostgreSQL superuser, a user with pg_reload_conf access, or a user with sufficient privileges at the OS level (the postgres account or the root account).(CVE-2020-21469)\r\n\r\nschema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an authed attacker with elevated database-level privileges to execute arbitrary code.(CVE-2023-2454)\r\n\r\nRow security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.(CVE-2023-2455)\r\n\r\nIN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or \"\"). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.(CVE-2023-39417)\r\n\r\nA vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.(CVE-2023-39418)",
+    "cves": [
+      {
+        "id": "CVE-2023-39418",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39418",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1142": {
+    "id": "openEuler-SA-2023-1142",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1142",
+    "title": "An update for nodejs is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.\r\n\r\nSecurity Fix(es):\r\n\r\nThe public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7. Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream. The OpenSSL cms and smime command line applications are similarly affected.(CVE-2023-0215)\r\n\r\nThere is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.(CVE-2023-0286)\r\n\r\nA timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.(CVE-2022-4304)\r\n\r\nThe function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data. If the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.(CVE-2022-4450)",
+    "cves": [
+      {
+        "id": "CVE-2022-4450",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4450",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1938": {
+    "id": "openEuler-SA-2023-1938",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1938",
+    "title": "An update for fish is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "fish is a fully-equipped command line shell (like bash or zsh) that is smart and user-friendly. fish supports powerful features like syntax highlighting, autosuggestions, and tab completions that just work, with nothing to learn or configure.\r\n\r\nSecurity Fix(es):\r\n\r\nfish is a smart and user-friendly command line shell for macOS, Linux, and the rest of the family. fish shell uses certain Unicode non-characters internally for marking wildcards and expansions. It will incorrectly allow these markers to be read on command substitution output, rather than transforming them into a safe internal representation. While this may cause unexpected behavior with direct input (for example, echo \\UFDD2HOME has the same output as echo $HOME), this may become a minor security problem if the output is being fed from an external program into a command substitution where this output may not be expected. This design flaw was introduced in very early versions of fish, predating the version control system, and is thought to be present in every version of fish released in the last 15 years or more, although with different characters. Code execution does not appear to be possible, but denial of service (through large brace expansion) or information disclosure (such as variable expansion) is potentially possible under certain circumstances. fish shell 3.6.2 has been released to correct this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-49284)",
+    "cves": [
+      {
+        "id": "CVE-2023-49284",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49284",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1617": {
+    "id": "openEuler-SA-2023-1617",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1617",
+    "title": "An update for openjdk-11 is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in function ciMethodBlocks::make_block_at in Oracle JDK (HotSpot VM) 11, 17 and OpenJDK (HotSpot VM) 8, 11, 17, allows attackers to cause a denial of service.(CVE-2022-40433)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via DTLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-21835)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Sound).  Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21843)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21937)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21938)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21939)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2023-21954)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21967)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21968)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).(CVE-2023-22006)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Utility).  Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-22036)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.1 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2023-22041)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2023-22045)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-22049)",
+    "cves": [
+      {
+        "id": "CVE-2023-22049",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22049",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1002": {
+    "id": "openEuler-SA-2023-1002",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1002",
+    "title": "An update for rubygem-dalli is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Low",
+    "description": "High performance memcached client for Ruby\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in Dalli. It has been classified as problematic. Affected is the function self.meta_set of the file lib/dalli/protocol/meta/request_formatter.rb of the component Meta Protocol Handler. The manipulation leads to injection. The exploit has been disclosed to the public and may be used. The name of the patch is 48d594dae55934476fec61789e7a7c3700e0f50d. It is recommended to apply a patch to fix this issue. VDB-214026 is the identifier assigned to this vulnerability.(CVE-2022-4064)",
+    "cves": [
+      {
+        "id": "CVE-2022-4064",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4064",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1492": {
+    "id": "openEuler-SA-2024-1492",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1492",
+    "title": "An update for atril is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Mate-document-viewer is simple document viewer. It can display and print Portable Document Format (PDF), PostScript (PS), Encapsulated PostScript (EPS), DVI, DJVU, epub and XPS files. When supported by the document format, mate-document-viewer allows searching for text, copying text to the clipboard, hypertext navigation, table-of-contents bookmarks and editing of forms.\r\n\r\nSecurity Fix(es):\r\n\r\nAtril is a simple multi-page document viewer. Atril is vulnerable to a critical Command Injection Vulnerability. This vulnerability gives the attacker immediate access to the target system when the target user opens a crafted document or clicks on a crafted link/URL using a maliciously crafted CBT document which is a TAR archive. A patch is available at commit ce41df6.\n(CVE-2023-51698)\r\n\r\nAtril Document Viewer is the default document reader of the MATE desktop environment for Linux. A path traversal and arbitrary file write vulnerability exists in versions of Atril prior to 1.26.2. This vulnerability is capable of writing arbitrary files anywhere on the filesystem to which the user opening a crafted document has access. The only limitation is that this vulnerability cannot be exploited to overwrite existing files, but that doesn't stop an attacker from achieving Remote Command Execution on the target system. Version 1.26.2 of Atril contains a patch for this vulnerability.(CVE-2023-52076)",
+    "cves": [
+      {
+        "id": "CVE-2023-52076",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52076",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1477": {
+    "id": "openEuler-SA-2021-1477",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1477",
+    "title": "An update for keepalived is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "High Availability monitor built upon LVS, VRRP and service pollers.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Keepalived through 2.2.4, the D-Bus policy does not sufficiently restrict the message destination, allowing any user to inspect and manipulate any property. This leads to access-control bypass in some situations in which an unrelated D-Bus system service has a settable (writable) property(CVE-2021-44225)",
+    "cves": [
+      {
+        "id": "CVE-2021-44225",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44225",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1267": {
+    "id": "openEuler-SA-2021-1267",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1267",
+    "title": "An update for linuxptp is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Linuxptp is an implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux. The dual design goals are to provide a robust implementation of the standard and to use the most relevant and modern Application Programming Interfaces (API) offered by the Linux kernel. Supporting legacy APIs and other platforms is not a goal.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the ptp4l program of the linuxptp package. When ptp4l is operating on a little-endian architecture as a PTP transparent clock, a remote attacker could send a crafted one-step sync message to cause an information leak or crash. The highest threat from this vulnerability is to data confidentiality and system availability. This flaw affects linuxptp versions before 3.1.1 and before 2.0.1.(CVE-2021-3571)",
+    "cves": [
+      {
+        "id": "CVE-2021-3571",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3571",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2101": {
+    "id": "openEuler-SA-2022-2101",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2101",
+    "title": "An update for exiv2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Exiv2 is a Cross-platform C++ library and a command line utility to manage image metadata.It provides fast and easy read and write access to the Exif, IPTC and XMP metadata and the ICC Profile embedded within digital images in various formats.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in Exiv2 and classified as problematic. This issue affects the function QuickTimeVideo::userDataDecoder of the file quicktimevideo.cpp of the component QuickTime Video Handler. The manipulation leads to null pointer dereference. The attack may be initiated remotely. The name of the patch is 6bb956ad808590ce2321b9ddf6772974da27c4ca. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-212495.(CVE-2022-3755)",
+    "cves": [
+      {
+        "id": "CVE-2022-3755",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3755",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1259": {
+    "id": "openEuler-SA-2023-1259",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1259",
+    "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was discovered in ImageMagick where a specially created SVG file loads itself and causes a segmentation fault. This flaw allows a remote attacker to pass a specially crafted SVG file that leads to a segmentation fault, generating many trash files in \"/tmp,\" resulting in a denial of service. When ImageMagick crashes, it generates a lot of trash files. These trash files can be large if the SVG file contains many render actions. In a denial of service attack, if a remote attacker uploads an SVG file of size t, ImageMagick generates files of size 103*t. If an attacker uploads a 100M SVG, the server will generate about 10G.(CVE-2023-1289)\r\n\r\nA heap-based buffer overflow issue was discovered in ImageMagick's ImportMultiSpectralQuantum() function in MagickCore/quantum-import.c. An attacker could pass specially crafted file to convert, triggering an out-of-bounds read error, allowing an application to crash, resulting in a denial of service.(CVE-2023-1906)",
+    "cves": [
+      {
+        "id": "CVE-2023-1906",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1906",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1495": {
+    "id": "openEuler-SA-2024-1495",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1495",
+    "title": "An update for pcp is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "PCP provides a range of services that may be used to monitor and manage system performance. These services are distributed and scalable to accommodate the most complex system configurations and performance problems.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in PCP. The default pmproxy configuration exposes the Redis server backend to the local network, allowing remote command execution with the privileges of the Redis user. This issue can only be exploited when pmproxy is running. By default, pmproxy is not running and needs to be started manually. The pmproxy service is usually started from the 'Metrics settings' page of the Cockpit web interface. This flaw affects PCP versions 4.3.4 and newer.(CVE-2024-3019)",
+    "cves": [
+      {
+        "id": "CVE-2024-3019",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3019",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1184": {
+    "id": "openEuler-SA-2023-1184",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1184",
+    "title": "An update for redis is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Redis is an advanced key-value store. It is often referred to as a dattructure server since keys can contain strings, hashes ,lists, sets anorted sets.\r\n\r\nSecurity Fix(es):\r\n\r\nRedis is an in-memory database that persists on disk. Authenticated users can use string matching commands (like `SCAN` or `KEYS`) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time. The problem is fixed in Redis versions 6.0.18, 6.2.11, 7.0.9.(CVE-2022-36021)",
+    "cves": [
+      {
+        "id": "CVE-2022-36021",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36021",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2034": {
+    "id": "openEuler-SA-2022-2034",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2034",
+    "title": "An update for strongswan is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The strongSwan IPsec implementation supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel.\r\n\r\nSecurity Fix(es):\r\n\r\nstrongSwan before 5.9.8 allows remote attackers to cause a denial of service in the revocation plugin by sending a crafted end-entity (and intermediate CA) certificate that contains a CRL/OCSP URL that points to a server (under the attacker's control) that doesn't properly respond but (for example) just does nothing after the initial TCP handshake, or sends an excessive amount of application data.(CVE-2022-40617)",
+    "cves": [
+      {
+        "id": "CVE-2022-40617",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40617",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1418": {
+    "id": "openEuler-SA-2024-1418",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1418",
+    "title": "An update for iperf3 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Iperf is a tool for active measurements of the maximum achievable bandwidth on IP networks. It supports tuning of various parameters related to timing, protocols, and buffers.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in iperf, a utility for testing network performance using TCP, UDP, and SCTP. A malicious or malfunctioning client can send less than the expected amount of data to the iperf server, which can cause the server to hang indefinitely waiting for the remainder or until the connection gets closed. This will prevent other connections to the server, leading to a denial of service.(CVE-2023-7250)",
+    "cves": [
+      {
+        "id": "CVE-2023-7250",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7250",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1243": {
+    "id": "openEuler-SA-2021-1243",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1243",
+    "title": "An update for libgcrypt is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Libgcrypt is a general purpose cryptographic library originally based on code from GnuPG.\r\n\r\nSecurity Fix(es):\r\n\r\nLibgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. (There is also an interoperability problem because the selection of the k integer value does not properly consider the differences between basic ElGamal encryption and generalized ElGamal encryption.) This, for example, affects use of ElGamal in OpenPGP.(CVE-2021-33560)",
+    "cves": [
+      {
+        "id": "CVE-2021-33560",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33560",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1334": {
+    "id": "openEuler-SA-2024-1334",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1334",
+    "title": "An update for mod_security is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "This software is also called Modsec,it is an open-source web application firewall. It is designed for Apache HTTP Server.ModSecurity is commonly deployed to provide protections against generic classed of vulnerabilities.The install of this package is easy and you can read the README.TXT for more information.\r\n\r\nSecurity Fix(es):\r\n\r\nIn ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase.(CVE-2022-48279)",
+    "cves": [
+      {
+        "id": "CVE-2022-48279",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48279",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1730": {
+    "id": "openEuler-SA-2022-1730",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1730",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nNFC: netlink: fix sleep in atomic bug when firmware download timeout(CVE-2022-1975)\r\n\r\nIn various methods of kernel base drivers, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-182388481References: Upstream kernel(CVE-2022-20166)\r\n\r\nA NULL pointer dereference flaw was found in the Linux kernel’s KVM module, which can lead to a denial of service in the x86_emulate_insn in arch/x86/kvm/emulate.c. This flaw occurs while executing an illegal instruction in guest in the Intel CPU.(CVE-2022-1852)",
+    "cves": [
+      {
+        "id": "CVE-2022-1852",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1852",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1075": {
+    "id": "openEuler-SA-2024-1075",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1075",
+    "title": "An update for proftpd is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "ProFTPD is an enhanced FTP server with a focus toward simplicity, security, and ease of configuration. It features a very Apache-like configuration syntax, and a highly customizable server infrastructure, including support for multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory visibility. %if 1 This package defaults to the standalone behavior of ProFTPD, but all the needed scripts to have it run by systemd instead are included. %else This package defaults to the standalone behavior of ProFTPD, but all the needed scripts to have it run by xinetd instead are included. %endif\r\n\r\nSecurity Fix(es):\r\n\r\nmake_ftp_cmd in main.c in ProFTPD before 1.3.8a has a one-byte out-of-bounds read, and daemon crash, because of mishandling of quote/backslash semantics.(CVE-2023-51713)",
+    "cves": [
+      {
+        "id": "CVE-2023-51713",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51713",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1109": {
+    "id": "openEuler-SA-2023-1109",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1109",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system.(CVE-2022-3707)\r\n\r\nA NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash.(CVE-2023-0394)\r\n\r\nA use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race problem leading to a denial-of-service problem. \r\n\r\nReference:\nhttps://lore.kernel.org/all/20221018203258.2793282-1-edumazet@google.com/\r\n\r\n\nCrash:\n    BUG: KASAN: use-after-free in __tcf_qdisc_find.part.0+0xa3a/0xac0 net/sched/cls_api.c:1066\n    Read of size 4 at addr ffff88802065e038 by task syz-executor.4/21027\n    \n    CPU: 0 PID: 21027 Comm: syz-executor.4 Not tainted 6.0.0-rc3-syzkaller-00363-g7726d4c3e60b #0\n    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022\n    Call Trace:\n    <TASK>\n    __dump_stack lib/dump_stack.c:88 [inline]\n    dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n    print_address_description mm/kasan/report.c:317 [inline]\n    print_report.cold+0x2ba/0x719 mm/kasan/report.c:433\n    kasan_report+0xb1/0x1e0 mm/kasan/report.c:495\n    __tcf_qdisc_find.part.0+0xa3a/0xac0 net/sched/cls_api.c:1066\n    __tcf_qdisc_find net/sched/cls_api.c:1051 [inline]\n    tc_new_tfilter+0x34f/0x2200 net/sched/cls_api.c:2018\n    rtnetlink_rcv_msg+0x955/0xca0 net/core/rtnetlink.c:6081\n    netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501\n    netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n    netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345\n    netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921\n    sock_sendmsg_nosec net/socket.c:714 [inline]\n    sock_sendmsg+0xcf/0x120 net/socket.c:734\n    ____sys_sendmsg+0x6eb/0x810 net/socket.c:2482\n    ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536\n    __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565\n    do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n    do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n    entry_SYSCALL_64_after_hwframe+0x63/0xcd\n    RIP: 0033:0x7f5efaa89279(CVE-2023-0590)",
+    "cves": [
+      {
+        "id": "CVE-2023-0590",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0590",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1750": {
+    "id": "openEuler-SA-2023-1750",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1750",
+    "title": "An update for mariadb is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "MariaDB turns data into structured information in a wide array of applications, ranging from banking to websites. It is an enhanced, drop-in replacement for MySQL. MariaDB is used because it is fast, scalable and robust, with a rich ecosystem of storage engines, plugins and many other tools make it very versatile for a wide variety of use cases.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in MariaDB. An OpenVAS port scan on ports 3306 and 4567 allows a malicious remote client to cause a denial of service.(CVE-2023-5157)",
+    "cves": [
+      {
+        "id": "CVE-2023-5157",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5157",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1478": {
+    "id": "openEuler-SA-2024-1478",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1478",
+    "title": "An update for apache-mime4j is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Java stream based MIME message parser.\r\n\r\nSecurity Fix(es):\r\n\r\nImproper input validation allows for header injection in MIME4J library when using MIME4J DOM for composing message.\nThis can be exploited by an attacker to add unintended headers to MIME messages.\n(CVE-2024-21742)",
+    "cves": [
+      {
+        "id": "CVE-2024-21742",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21742",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1845": {
+    "id": "openEuler-SA-2022-1845",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1845",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nst21nfca_connectivity_event_received in drivers/nfc/st21nfca/se.c in the Linux kernel through 5.16.12 has EVT_TRANSACTION buffer overflows because of untrusted length parameters.(CVE-2022-26490)\r\n\r\nThe Linux kernel before 5.18.13 lacks a certain clear operation for the block starting symbol (.bss). This allows Xen PV guest OS users to cause a denial of service or gain privileges.(CVE-2022-36123)\n\nA use-after-free flaw was found in route4_change in the net/sched/cls_route.c filter implementation in the Linux kernel. This flaw allows a local, privileged attacker to crash the system, possibly leading to a local privilege escalation issue.(CVE-2022-2588)\n\nIt was discovered that when exec ing from a non-leader thread, armed POSIX CPU timers would be left on a list but freed, leading to a use-after-free.(CVE-2022-2585)",
+    "cves": [
+      {
+        "id": "CVE-2022-2585",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2585",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1852": {
+    "id": "openEuler-SA-2022-1852",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1852",
+    "title": "An update for m2crypto is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "M2Crypto is a crypto and SSL toolkit for Python. It allows you to call OpenSSL functions from Python2 scripts.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in all released versions of m2crypto, where they are vulnerable to Bleichenbacher timing attacks in the RSA decryption API via the timed processing of valid PKCS#1 v1.5 Ciphertext. The highest threat from this vulnerability is to confidentiality.(CVE-2020-25657)",
+    "cves": [
+      {
+        "id": "CVE-2020-25657",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25657",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1494": {
+    "id": "openEuler-SA-2023-1494",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1494",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel. This flaw allows a local user with special privileges to impact a kernel information leak issue.(CVE-2023-3863)\r\n\r\nA use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs during device initialization when the siano device is plugged in. This flaw allows a local user to crash the system, causing a denial of service condition.(CVE-2023-4132)",
+    "cves": [
+      {
+        "id": "CVE-2023-4132",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4132",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1972": {
+    "id": "openEuler-SA-2022-1972",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1972",
+    "title": "An update for unbound is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolving software. The NRDelegation Attack works by having a malicious delegation with a considerable number of non responsive nameservers. The attack starts by querying a resolver for a record that relies on those unresponsive nameservers. The attack can cause a resolver to spend a lot of time/resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. It can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation. This can lead to degraded performance and eventually denial of service in orchestrated attacks. Unbound does not suffer from high CPU usage, but resources are still needed for resolving the malicious delegation. Unbound will keep trying to resolve the record until hard limits are reached. Based on the nature of the attack and the replies, different limits could be reached. From version 1.16.3 on, Unbound introduces fixes for better performance when under load, by cutting opportunistic queries for nameserver discovery and DNSKEY prefetching and limiting the number of times a delegation point can issue a cache lookup for missing records.(CVE-2022-3204)",
+    "cves": [
+      {
+        "id": "CVE-2022-3204",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3204",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1427": {
+    "id": "openEuler-SA-2023-1427",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1427",
+    "title": "An update for ruby is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Ruby is a fast and easy interpreted scripting language for object-oriented programming. It has many functions for processing text Files and perform system management tasks (such as Perl).\n\nSecurity Fix(es):\n\nA ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.(CVE-2023-36617)",
+    "cves": [
+      {
+        "id": "CVE-2023-36617",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36617",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1706": {
+    "id": "openEuler-SA-2023-1706",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1706",
+    "title": "An update for wireshark is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Wireshark is an open source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer.\r\n\r\nSecurity Fix(es):\r\n\r\nRTPS dissector memory leak in Wireshark 4.0.0 to 4.0.8 and 3.6.0 to 3.6.16 allows denial of service via packet injection or crafted capture file(CVE-2023-5371)",
+    "cves": [
+      {
+        "id": "CVE-2023-5371",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5371",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1840": {
+    "id": "openEuler-SA-2023-1840",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1840",
+    "title": "An update for python-urllib3 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Sanity-friendly HTTP client for Python\r\n\r\nSecurity Fix(es):\r\n\r\nurllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.\n(CVE-2023-45803)",
+    "cves": [
+      {
+        "id": "CVE-2023-45803",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45803",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1006": {
+    "id": "openEuler-SA-2023-1006",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1006",
+    "title": "An update for curl is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in curl. In this issue, curl can be asked to tunnel all protocols virtually it supports through an HTTP proxy. HTTP proxies can deny these tunnel operations using an appropriate HTTP error response code. When getting denied to tunnel the specific SMB or TELNET protocols, curl can use a heap-allocated struct after it has been freed and shut down the code path in its transfer.(CVE-2022-43552)",
+    "cves": [
+      {
+        "id": "CVE-2022-43552",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43552",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1417": {
+    "id": "openEuler-SA-2021-1417",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1417",
+    "title": "An update for samba is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nA null pointer de-reference was found in the way samba kerberos server handled missing sname in TGS-REQ (Ticket Granting Server - Request). An authenticated user could use this flaw to crash the samba server.(CVE-2021-3671)",
+    "cves": [
+      {
+        "id": "CVE-2021-3671",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3671",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1646": {
+    "id": "openEuler-SA-2022-1646",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1646",
+    "title": "An update for selinux-policy is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "SELinux Base package for SELinux Reference Policy - modular.\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the selinux-policy (aka Reference Policy) package 3.14 through 2020-08-24 because the .config/Yubico directory is mishandled. Consequently, when SELinux is in enforced mode, pam-u2f is not allowed to read the user's U2F configuration file. If configured with the nouserok option (the default when configured by the authselect tool), and that file cannot be read, the second factor is disabled. An attacker with only the knowledge of the password can then log in, bypassing 2FA.(CVE-2020-24612)",
+    "cves": [
+      {
+        "id": "CVE-2020-24612",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24612",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1451": {
+    "id": "openEuler-SA-2024-1451",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1451",
+    "title": "An update for python-pillow is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Pillow is the friendly PIL fork by Alex Clark and Contributors. PIL is the Python Imaging \\ Library by Fredrik Lundh and Contributors. As of 2019, Pillow development is supported by Tidelift.   %package -n python3-pillow Summary:        Python 3 image processing library  Provides:       python3-imaging = -\r\n\r\nSecurity Fix(es):\r\n\r\nIn _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.(CVE-2024-28219)",
+    "cves": [
+      {
+        "id": "CVE-2024-28219",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28219",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1677": {
+    "id": "openEuler-SA-2022-1677",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1677",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\n\n\n\nSecurity Fix(es):\n\nA NULL pointer dereference flaw was found in the Linux kernel’s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system.(CVE-2022-1205)\n\nUAF causes the system to crash Exploit conditions: The root user reduces the reference count of drm_vgem_gem_object through ioctl$DRM_IOCTL_MODE_DESTROY_DUMB, and vgem_gem_dumb_create will access the released drm_vgem_gem_object Technical reason: The gpu driver can reduce the reference count of drm_vgem_gem_object through ioctl Concurrency causes uaf judgment method: CONFIG_DRM is not configured No circumvention measures are involved: none(CVE-2022-1419)\n\nA concurrency use-after-free issue was discovered between reset_interrupt and floppy_end_request in the latest kernel version (5.17.5 for now).    The root cause is that after deallocating current_req in floppy_end_request, reset_interrupt still holds the freed current_req->error_count and accesses it concurrently.(CVE-2022-1652)",
+    "cves": [
+      {
+        "id": "CVE-2022-1652",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1652",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1643": {
+    "id": "openEuler-SA-2023-1643",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1643",
+    "title": "An update for openjdk-1.8.0 is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment 8.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.3.1; Oracle GraalVM Enterprise Edition: 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21549)\r\n\r\nAn issue was discovered in function ciMethodBlocks::make_block_at in Oracle JDK (HotSpot VM) 11, 17 and OpenJDK (HotSpot VM) 8, 11, 17, allows attackers to cause a denial of service.(CVE-2022-40433)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization).  Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf; Oracle GraalVM Enterprise Edition: 20.3.8 and  21.3.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21830)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Sound).  Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21843)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2023-21930)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21937)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and  22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21938)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21939)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2023-21954)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21967)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21968)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2023-22045)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-22049)",
+    "cves": [
+      {
+        "id": "CVE-2023-22049",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22049",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1312": {
+    "id": "openEuler-SA-2024-1312",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1312",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.(CVE-2023-3019)\r\n\r\nA flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached before vnc_server_cut_text_caps() was called and had the chance to initialize the clipboard peer, leading to a NULL pointer dereference. This could allow a malicious authenticated VNC client to crash QEMU and trigger a denial of service.(CVE-2023-6683)\r\n\r\nA stack based buffer overflow was found in the virtio-net device of QEMU. This issue occurs when flushing TX in the virtio_net_flush_tx function if guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1 and VIRTIO_NET_F_MRG_RXBUF are enabled. This could allow a malicious user to overwrite local variables allocated on the stack. Specifically, the `out_sg` variable could be used to read a part of process memory and send it to the wire, causing an information leak.(CVE-2023-6693)",
+    "cves": [
+      {
+        "id": "CVE-2023-6693",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6693",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1394": {
+    "id": "openEuler-SA-2021-1394",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1394",
+    "title": "An update for redis is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Redis is an advanced key-value store. It is often referred to as a dattructure server since keys can contain strings, hashes ,lists, sets anorted sets.\r\n\r\nSecurity Fix(es):\r\n\r\nRedis is an open source, in-memory database that persists on disk. When using the Redis Lua Debugger, users can send malformed requests that cause the debugger’s protocol parser to read data beyond the actual buffer. This issue affects all versions of Redis with Lua debugging support (3.2 or newer). The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14.(CVE-2021-32672)",
+    "cves": [
+      {
+        "id": "CVE-2021-32672",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32672",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1374": {
+    "id": "openEuler-SA-2024-1374",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1374",
+    "title": "An update for unixODBC is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The unixODBC Project goals are to develop and promote unixODBC to be the definitive standard for ODBC on non MS Windows platforms. This is to include GUI support for both KDE and GNOME.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds stack write flaw was found in unixODBC on 64-bit architectures where the caller has 4 bytes and callee writes 8 bytes. This issue may go unnoticed on little-endian architectures, while big-endian architectures can be broken.(CVE-2024-1013)",
+    "cves": [
+      {
+        "id": "CVE-2024-1013",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1013",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1250": {
+    "id": "openEuler-SA-2024-1250",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1250",
+    "title": "An update for containers-common is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "This package contains common configuration files and documentation for container tools ecosystem, such as Podman, Buildah and Skopeo.\r\n\r\nSecurity Fix(es):\r\n\r\nImproper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.(CVE-2022-32148)",
+    "cves": [
+      {
+        "id": "CVE-2022-32148",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32148",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1336": {
+    "id": "openEuler-SA-2021-1336",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1336",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Low",
+    "description": "he Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw use-after-free in function sco_sock_sendmsg() of the Linux kernel HCI subsystem was found in the way user calls ioct UFFDIO_REGISTER or other way triggers race condition of the call sco_conn_del() together with the call sco_sock_sendmsg() with the expected controllable faulting memory page. A privileged local user could use this flaw to crash the system or escalate their privileges on the system.(CVE-2021-3640)",
+    "cves": [
+      {
+        "id": "CVE-2021-3640",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3640",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1955": {
+    "id": "openEuler-SA-2023-1955",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1955",
+    "title": "An update for freeradius is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service.\r\n\r\nSecurity Fix(es):\r\n\r\nIn freeradius, the EAP-PWD function compute_password_element() leaks information about the password which allows an attacker to substantially reduce the size of an offline dictionary attack.(CVE-2022-41859)",
+    "cves": [
+      {
+        "id": "CVE-2022-41859",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41859",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1772": {
+    "id": "openEuler-SA-2022-1772",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1772",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nA NULL pointer dereference issue was found in the ACPI code of QEMU. A malicious, privileged user within the guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.(CVE-2021-4158)\n\nA flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation. A local guest user can create files in the directories shared by virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. This issue allows a malicious user to trigger CVE-2018-13405 to obtain sensitive information or potentially escalate their privileges on the system.(CVE-2022-0358)",
+    "cves": [
+      {
+        "id": "CVE-2022-0358",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0358",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1190": {
+    "id": "openEuler-SA-2024-1190",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1190",
+    "title": "An update for ansible is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Ansible is a radically simple model-driven configuration management, multi-node deployment, and remote task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. %if 0 Provides:            ansible-python3 = - Obsoletes:           ansible-python3 < - BuildRequires:       python3-devel python3-setuptools BuildRequires:       python3-PyYAML python3-paramiko python3-crypto python3-packaging BuildRequires:       python3-pexpect python3-winrm BuildRequires:       git-core %if %with_docs BuildRequires:       python3-sphinx python3-sphinx-theme-alabaster asciidoc %endif BuildRequires:       python3-six python3-nose python3-pytest python3-pytest-xdist BuildRequires:       python3-pytest-mock python3-requests python3-coverage python3-mock BuildRequires:       python3-boto3 python3-botocore python3-passlib python3-jinja2 Requires:            python3-PyYAML python3-paramiko python3-crypto python3-setuptools python3-six Requires:            python3-jinja2 sshpass python3-jmespath %description Ansible is a radically simple model-driven configuration management, multi-node deployment, and remote task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. This package installs versions of ansible that execute on Python3. %endif\r\n\r\nSecurity Fix(es):\r\n\r\nAn information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. It was discovered that information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.(CVE-2024-0690)",
+    "cves": [
+      {
+        "id": "CVE-2024-0690",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0690",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1271": {
+    "id": "openEuler-SA-2024-1271",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1271",
+    "title": "An update for A-Tune-Collector is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "A-Tune-Collector is used to collect various system resources.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen the get method in the sched.py file in the A-Tune-Collector software package is used to obtain the process ID, shell command combination and injection risks exist. This flaw could lead to remote arbitrary command execution.(CVE-2024-24897)",
+    "cves": [
+      {
+        "id": "CVE-2024-24897",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24897",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1697": {
+    "id": "openEuler-SA-2023-1697",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1697",
+    "title": "An update for python-gevent is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "gevent is a coroutine -based Python networking library that uses greenlet to provide a high-level synchronous API on top of the libev or libuv event loop.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue in Gevent Gevent before version 23.9.1 allows a remote attacker to escalate privileges via a crafted script to the WSGIServer component.(CVE-2023-41419)",
+    "cves": [
+      {
+        "id": "CVE-2023-41419",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41419",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1843": {
+    "id": "openEuler-SA-2023-1843",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1843",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvbdev.c has a use-after-free, related to dvb_register_device dynamically allocating fops.(CVE-2022-45884)\r\n\r\nRejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-35823. Reason: This candidate is a reservation duplicate of CVE-2023-35823. Notes: All CVE users should reference CVE-2023-35823 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.(CVE-2023-3327)\r\n\r\nA race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one holding a reference to it. This flaw allows an attacker to guess the returned handle value and trigger a use-after-free issue, potentially leading to a denial of service or privilege escalation.(CVE-2023-39198)\r\n\r\nA use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation.\r\n\r\nIf a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free.\r\n\r\nWe recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f.\r\n\r\n(CVE-2023-4623)\r\n\r\nA use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.\r\n\r\nAddition and removal of rules from chain bindings within the same transaction causes leads to use-after-free.\r\n\r\nWe recommend upgrading past commit f15f29fd4779be8a418b66e9d52979bb6d6c2325.\r\n\r\n(CVE-2023-5197)",
+    "cves": [
+      {
+        "id": "CVE-2023-5197",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5197",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1967": {
+    "id": "openEuler-SA-2023-1967",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1967",
+    "title": "An update for jettison is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Jettison is a collection of Java APIs (like STaX and DOM) which read and write JSON. This allows nearly transparent enablement of JSON based web services in services frameworks like CXF or XML serialization frameworks like XStream.\r\n\r\nSecurity Fix(es):\r\n\r\nAn infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.\r\n\r\n(CVE-2023-1436)",
+    "cves": [
+      {
+        "id": "CVE-2023-1436",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1436",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1542": {
+    "id": "openEuler-SA-2024-1542",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1542",
+    "title": "An update for freerdp is now available for openEuler-20.03-LTS-SP1,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "FreeRDP is a client implementation of the Remote Desktop Protocol (RDP) that follows Microsoft's open specifications. This package provides the client applications xfreerdp and wlfreerdp.\r\n\r\nSecurity Fix(es):\r\n\r\nFreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients prior to version 3.5.1 are vulnerable to a possible `NULL` access and crash. Version 3.5.1 contains a patch for the issue. No known workarounds are available.(CVE-2024-32661)",
+    "cves": [
+      {
+        "id": "CVE-2024-32661",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32661",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1698": {
+    "id": "openEuler-SA-2023-1698",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1698",
+    "title": "An update for python-gevent is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "gevent is a coroutine -based Python networking library that uses greenlet to provide a high-level synchronous API on top of the libev or libuv event loop.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue in Gevent Gevent before version 23.9.1 allows a remote attacker to escalate privileges via a crafted script to the WSGIServer component.(CVE-2023-41419)",
+    "cves": [
+      {
+        "id": "CVE-2023-41419",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41419",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1009": {
+    "id": "openEuler-SA-2024-1009",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1009",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel through 6.3.8. A use-after-free was found in ravb_remove in drivers/net/ethernet/renesas/ravb_main.c.(CVE-2023-35827)\r\n\r\nAn out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.(CVE-2023-6606)\r\n\r\nAn out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.(CVE-2023-6610)",
+    "cves": [
+      {
+        "id": "CVE-2023-6610",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6610",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1428": {
+    "id": "openEuler-SA-2024-1428",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1428",
+    "title": "An update for wireshark is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Wireshark is an open source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer.\r\n\r\nSecurity Fix(es):\r\n\r\nDue to failure in validating the length provided by an attacker-crafted RTPS packet, Wireshark version 4.0.5 and prior, by default, is susceptible to a heap-based buffer overflow, and possibly code execution in the context of the process running Wireshark.(CVE-2023-0666)",
+    "cves": [
+      {
+        "id": "CVE-2023-0666",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0666",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1150": {
+    "id": "openEuler-SA-2021-1150",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1150",
+    "title": "An update for rubygem-mini_magick is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "A ruby wrapper for ImageMagick command line. Using MiniMagick the ruby processes memory remains small (it spawns ImageMagick's command line program mogrify which takes up some memory as well, but is much smaller compared to RMagick).\r\n\r\nSecurity Fix(es):\r\n\r\nIn lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a '|' character followed by a command.(CVE-2019-13574)",
+    "cves": [
+      {
+        "id": "CVE-2019-13574",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13574",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1665": {
+    "id": "openEuler-SA-2022-1665",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1665",
+    "title": "An update for nodejs-minimist is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "This module is the guts of optimist's argument parser without all the fanciful decoration.\n\nSecurity Fix(es):\n\nMinimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).(CVE-2021-44906)",
+    "cves": [
+      {
+        "id": "CVE-2021-44906",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1877": {
+    "id": "openEuler-SA-2024-1877",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1877",
+    "title": "An update for ffmpeg is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash.\r\n\r\nSecurity Fix(es):\r\n\r\nAn integer overflow vulnerability was found in FFmpeg versions before 4.4.2 and before 5.0.1 in g729_parse() in llibavcodec/g729_parser.c when processing a specially crafted file.(CVE-2022-1475)\r\n\r\nlibavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and other products, leaves stale hwaccel state in worker threads, which allows attackers to trigger a use-after-free and execute arbitrary code in some circumstances (e.g., hardware re-initialization upon a mid-video SPS change when Direct3D11 is used).(CVE-2022-48434)\r\n\r\nFFmpeg 7.0 is vulnerable to Buffer Overflow. There is a negative-size-param bug at libavcodec/mpegvideo_enc.c:1216:21 in load_input_picture in FFmpeg7.0(CVE-2024-32230)",
+    "cves": [
+      {
+        "id": "CVE-2024-32230",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32230",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1863": {
+    "id": "openEuler-SA-2023-1863",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1863",
+    "title": "An update for perl is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Low",
+    "description": "Perl 5 is a highly capable, feature-rich programming language with over 30 years of development. Perl 5 runs on over 100 platforms from portables to mainframes and is suitable for both rapid prototyping and large scale development projects.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in perl. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer.(CVE-2023-47038)",
+    "cves": [
+      {
+        "id": "CVE-2023-47038",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47038",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1721": {
+    "id": "openEuler-SA-2022-1721",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1721",
+    "title": "An update for php is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server.\r\n\r\nSecurity Fix(es):\r\n\r\nIn PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when pdo_mysql extension with mysqlnd driver, if the third party is allowed to supply host to connect to and the password for the connection, password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability.(CVE-2022-31626)\r\n\r\nIn PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to RCE vulnerability or denial of service.(CVE-2022-31625)",
+    "cves": [
+      {
+        "id": "CVE-2022-31625",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31625",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1172": {
+    "id": "openEuler-SA-2021-1172",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1172",
+    "title": "An update for redis is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Redis is an advanced key-value store. It is often referred to as a dattructure server since keys can contain strings, hashes ,lists, sets anorted sets.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap overflow issue was found in Redis in versions before 5.0.10, before 6.0.9 and before 6.2.0 when using a heap allocator other than jemalloc or glibc's malloc, leading to potential out of bound write or process crash. Effectively this flaw does not affect the vast majority of users, who use jemalloc or glibc malloc.(CVE-2021-3470)",
+    "cves": [
+      {
+        "id": "CVE-2021-3470",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3470",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2054": {
+    "id": "openEuler-SA-2022-2054",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2054",
+    "title": "An update for haproxy is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic web sites and powers quite a number of the world's most visited ones. \r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the way HAProxy processed HTTP responses containing the \"Set-Cookie2\" header. This flaw could allow an attacker to send crafted HTTP response packets which lead to an infinite loop, eventually resulting in a denial of service condition. The highest threat from this vulnerability is availability.(CVE-2022-0711)",
+    "cves": [
+      {
+        "id": "CVE-2022-0711",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0711",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1159": {
+    "id": "openEuler-SA-2021-1159",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1159",
+    "title": "An update for rubygem-kramdown is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "The package is fast yet-another-markdown-parser, pure Ruby, using a strict syntax definition and supporting several common extensions.\r\n\r\nSecurity Fix(es):\r\n\r\nKramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.(CVE-2021-28834)",
+    "cves": [
+      {
+        "id": "CVE-2021-28834",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28834",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1170": {
+    "id": "openEuler-SA-2024-1170",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1170",
+    "title": "An update for nodejs is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "Node.js is an open-source, cross-platform, JavaScript runtime environment, it executes JavaScript code outside of a browser.\r\n\r\nSecurity Fix(es):\r\n\r\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.(CVE-2023-44487)",
+    "cves": [
+      {
+        "id": "CVE-2023-44487",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1441": {
+    "id": "openEuler-SA-2024-1441",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1441",
+    "title": "An update for libgsasl is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The library includes support for the SASL framework and at least partial support for the CRAM-MD5, EXTERNAL, GSSAPI, ANONYMOUS, PLAIN, SECURID, DIGEST-MD5, LOGIN, and NTLM mechanisms.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU SASL libgsasl server-side read-out-of-bounds with malicious authenticated GSS-API client(CVE-2022-2469)",
+    "cves": [
+      {
+        "id": "CVE-2022-2469",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2469",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1225": {
+    "id": "openEuler-SA-2021-1225",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1225",
+    "title": "An update for nginx is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "NGINX is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server.\n\nSecurity Fix(es):\n\nA security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact.(CVE-2021-23017)",
+    "cves": [
+      {
+        "id": "CVE-2021-23017",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23017",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1205": {
+    "id": "openEuler-SA-2023-1205",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1205",
+    "title": "An update for sudo is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Sudo is a program designed to allow a sysadmin to give limited root privileges to users and log root activity.  The basic philosophy is to give as few privileges as possible but still allow people to get their work done.\r\n\r\nSecurity Fix(es):\r\n\r\nSudo before 1.9.13 does not escape control characters in sudoreplay output.(CVE-2023-28487)\r\n\r\nSudo before 1.9.13 does not escape control characters in log messages.(CVE-2023-28486)",
+    "cves": [
+      {
+        "id": "CVE-2023-28486",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28486",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1618": {
+    "id": "openEuler-SA-2022-1618",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1618",
+    "title": "An update for squid is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Squid is a high-performance proxy caching server. It handles all requests in a single, non-blocking, I/O-driven process and keeps meta data and implements negative caching of failed requests.\r\n\r\nSecurity Fix(es):\r\n\r\nSquid through 4.14 and 5.x through 5.0.5, in some configurations, allows information disclosure because of an out-of-bounds read in WCCP protocol data. This can be leveraged as part of a chain for remote code execution as nobody.(CVE-2021-28116)",
+    "cves": [
+      {
+        "id": "CVE-2021-28116",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28116",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2035": {
+    "id": "openEuler-SA-2022-2035",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2035",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\ndrivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.(CVE-2022-40768)\r\n\r\nA vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_bmap_lookup_at_level of the file fs/nilfs2/inode.c of the component nilfs2. The manipulation leads to null pointer dereference. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211920.(CVE-2022-3621)\r\n\r\nA vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function tst_timer of the file drivers/atm/idt77252.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. VDB-211934 is the identifier assigned to this vulnerability.(CVE-2022-3635)\r\n\r\ndrivers/usb/mon/mon_bin.c in usbmon in the Linux kernel before 5.19.15 and 6.x before 6.0.1 allows a user-space client to corrupt the monitor's internal memory.(CVE-2022-43750)\n\nA vulnerability was found in Linux Kernel. It has been declared as problematic. This vulnerability affects the function vsock_connect of the file net/vmw_vsock/af_vsock.c of the component IPsec. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. VDB-211930 is the identifier assigned to this vulnerability.(CVE-2022-3629)\n\nA vulnerability, which was classified as problematic, has been found in Linux Kernel. This issue affects the function nilfs_attach_log_writer of the file fs/nilfs2/segment.c of the component BPF. The manipulation leads to memory leak. The attack may be initiated remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211961 was assigned to this vulnerability.(CVE-2022-3646)\n\nA flaw was found in the Linux kernel’s networking code. A use-after-free was found in the way the sch_sfb enqueue function used the socket buffer (SKB) cb field after the same SKB had been enqueued (and freed) into a child qdisc. This flaw allows a local, unprivileged user to crash the system, causing a denial of service.(CVE-2022-3586)",
+    "cves": [
+      {
+        "id": "CVE-2022-3586",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3586",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1331": {
+    "id": "openEuler-SA-2021-1331",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1331",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\narch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel before 5.12.11 incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault.(CVE-2021-38198)",
+    "cves": [
+      {
+        "id": "CVE-2021-38198",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38198",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1641": {
+    "id": "openEuler-SA-2022-1641",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1641",
+    "title": "An update for perl-DBI is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The DBI is the standard database interface module for Perl.It defines a set of methods, variables and conventions that providea consistent database interface independent of the actual database being used.It is important to remember that the DBI is just an interface.The DBI is a layer of \"glue\" between an application and one or more database driver modules.It is the driver modules which do most of the real work. The DBI provides a standard interface and framework for the drivers to operate within.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the DBI module through 1.643 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute in the data source name (DSN). NOTE: this issue exists because of an incomplete fix for CVE-2014-10401.(CVE-2014-10402)",
+    "cves": [
+      {
+        "id": "CVE-2014-10402",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-10402",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1765": {
+    "id": "openEuler-SA-2022-1765",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1765",
+    "title": "An update for git is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency.Git is easy to learn and has a tiny footprint with lightning fast performance. It outclasses SCM tools like Subversion, CVS, Perforce,and ClearCase with features like cheap local branching, convenient staging areas, and multiple workflows.\r\n\r\nSecurity Fix(es):\r\n\r\nGit is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks.(CVE-2022-29187)",
+    "cves": [
+      {
+        "id": "CVE-2022-29187",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29187",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1729": {
+    "id": "openEuler-SA-2024-1729",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1729",
+    "title": "An update for iperf3 is now available for openEuler-24.03-LTS",
+    "severity": "Low",
+    "description": "Iperf is a tool for active measurements of the maximum achievable bandwidth on IP networks. It supports tuning of various parameters related to timing, protocols, and buffers.\r\n\r\nSecurity Fix(es):\r\n\r\niPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server with RSA authentication, allows a timing side channel in RSA decryption operations. This side channel could be sufficient for an attacker to recover credential plaintext. It requires the attacker to send a large number of messages for decryption, as described in \"Everlasting ROBOT: the Marvin Attack\" by Hubert Kario.(CVE-2024-26306)",
+    "cves": [
+      {
+        "id": "CVE-2024-26306",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26306",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1119": {
+    "id": "openEuler-SA-2024-1119",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1119",
+    "title": "An update for shim is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Initial UEFI bootloader that handles chaining to a trusted full \\ bootloader under secure boot environments.\r\n\r\nSecurity Fix(es):\r\n\r\nA remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise.(CVE-2023-40547)\r\n\r\nA buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed from the PE binary being used by Shim. This value is further used for memory allocation operations, leading to a heap-based buffer overflow. This flaw causes memory corruption and can lead to a crash or data integrity issues during the boot phase.(CVE-2023-40548)\r\n\r\nAn out-of-bounds read flaw was found in Shim due to the lack of proper boundary verification during the load of a PE binary. This flaw allows an attacker to load a crafted PE binary, triggering the issue and crashing Shim, resulting in a denial of service.(CVE-2023-40549)\r\n\r\nAn out-of-bounds read flaw was found in Shim when it tried to validate the SBAT information. This issue may expose sensitive data during the system's boot phase.(CVE-2023-40550)\r\n\r\nA flaw was found in the MZ binary format in Shim. An out-of-bounds read may occur, leading to a crash or possible exposure of sensitive data during the system's boot phase.(CVE-2023-40551)",
+    "cves": [
+      {
+        "id": "CVE-2023-40551",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40551",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1747": {
+    "id": "openEuler-SA-2023-1747",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1747",
+    "title": "An update for xerces-j2 is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2018-2799)",
+    "cves": [
+      {
+        "id": "CVE-2018-2799",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-2799",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1096": {
+    "id": "openEuler-SA-2024-1096",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1096",
+    "title": "An update for pam is now available for openEuler-20.03-LTS-SP1,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "PAM (Pluggable Authentication Modules) is a system of libraries that handle the authentication tasks of applications (services) on the system.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in Linux PAM. An unprivileged user that is not yet in a corresponding mount namespace with ~/tmp mounted as a polyinstantiated dir can place a FIFO there, and a subsequent attempt to login as this user with `pam_namespace` configured will cause the `openat()` in `protect_dir()` to block the attempt, causing a local denial of service.(CVE-2024-22365)",
+    "cves": [
+      {
+        "id": "CVE-2024-22365",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22365",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1351": {
+    "id": "openEuler-SA-2024-1351",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1351",
+    "title": "An update for libgsasl is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The library includes support for the SASL framework and at least partial support for the CRAM-MD5, EXTERNAL, GSSAPI, ANONYMOUS, PLAIN, SECURID, DIGEST-MD5, LOGIN, and NTLM mechanisms.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU SASL libgsasl server-side read-out-of-bounds with malicious authenticated GSS-API client(CVE-2022-2469)",
+    "cves": [
+      {
+        "id": "CVE-2022-2469",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2469",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1658": {
+    "id": "openEuler-SA-2024-1658",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1658",
+    "title": "An update for python-tqdm is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "tqdm derives from the Arabic word taqaddum which can mean \"progress\". Instantly  make your loops show a smart progress meter - just wrap any iterable with  tqdm(interable), and you are done!\r\n\r\nSecurity Fix(es):\r\n\r\ntqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2024-34062)",
+    "cves": [
+      {
+        "id": "CVE-2024-34062",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34062",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1851": {
+    "id": "openEuler-SA-2022-1851",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1851",
+    "title": "An update for squid is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Squid is a high-performance proxy caching server. It handles all requests in a single, non-blocking, I/O-driven process and keeps meta data and implements negative caching of failed requests.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Squid through 4.7. When Squid is parsing ESI, it keeps the ESI elements in ESIContext. ESIContext contains a buffer for holding a stack of ESIElements. When a new ESIElement is parsed, it is added via addStackElement. addStackElement has a check for the number of elements in this buffer, but it s off by 1, leading to a Heap Overflow of 1 element. The overflow is within the same structure so it can t affect adjacent memory blocks, and thus just leads to a crash while processing.(CVE-2019-12521)",
+    "cves": [
+      {
+        "id": "CVE-2019-12521",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12521",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1021": {
+    "id": "openEuler-SA-2023-1021",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1021",
+    "title": "An update for jetty is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Jetty is a 100% Java HTTP Server and Servlet Container. This means that you do not need to configure and run a separate web server (like Apache) in order to use Java, servlets and JSPs to generate dynamic content. Jetty is a fully featured web server for static and dynamic content. Unlike separate server/container solutions, this means that your web server and web application run in the same process, without interconnection overheads and complications. Furthermore, as a pure java component, Jetty can be simply included in your application for demonstration, distribution or deployment. Jetty is available on all Java supported platforms.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests.(CVE-2022-2048)\r\n\r\nIn Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.(CVE-2022-2047)",
+    "cves": [
+      {
+        "id": "CVE-2022-2047",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2047",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1810": {
+    "id": "openEuler-SA-2024-1810",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1810",
+    "title": "An update for rubygem-actionpack is now available for openEuler-22.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "Eases web-request routing, handling, and response as a half-way front, half-way page controller. Implemented with specific emphasis on enabling easy unit/integration testing that doesn't require a browser.\r\n\r\nSecurity Fix(es):\r\n\r\nAction Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.(CVE-2022-23633)",
+    "cves": [
+      {
+        "id": "CVE-2022-23633",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23633",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1030": {
+    "id": "openEuler-SA-2024-1030",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1030",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nopeneuler-linux-kernel-4.19.0-cbs_destroy-NULL-ptr-deref-391216(CVE-2021-33630)\r\n\r\nopeneuler-linux-kernel-5.10.149-ext4_write_inline_data-kernel_bug-365020(CVE-2021-33631)\r\n\r\nAn out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This issue may allow a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data being printed and potentially leaked to the kernel ring buffer (dmesg).(CVE-2023-6121)\r\n\r\nA heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be exploited to achieve local privilege escalation.\r\n\r\nA perf_event's read_size can overflow, leading to an heap out-of-bounds increment or write in perf_read_group().\r\n\r\nWe recommend upgrading past commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b.\r\n\r\n(CVE-2023-6931)\r\n\r\nA use-after-free vulnerability in the Linux kernel's ipv4: igmp component can be exploited to achieve local privilege escalation.\r\n\r\nA race condition can be exploited to cause a timer be mistakenly registered on a RCU read locked object which is freed by another thread.\r\n\r\nWe recommend upgrading past commit e2b706c691905fe78468c361aaabc719d0a496f1.\r\n\r\n(CVE-2023-6932)",
+    "cves": [
+      {
+        "id": "CVE-2023-6932",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6932",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1421": {
+    "id": "openEuler-SA-2024-1421",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1421",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nQEMU before 8.2.0 has an integer underflow, and resultant buffer overflow, via a TI command when an expected non-DMA transfer length is less than the length of the available FIFO data. This occurs in esp_do_nodma in hw/scsi/esp.c because of an underflow of async_len.(CVE-2024-24474)",
+    "cves": [
+      {
+        "id": "CVE-2024-24474",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24474",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1615": {
+    "id": "openEuler-SA-2022-1615",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1615",
+    "title": "An update for bind is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.\r\n\r\nSecurity Fix(es):\r\n\r\nBIND 9.11.0 -> 9.11.36 9.12.0 -> 9.16.26 9.17.0 -> 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 -> 9.11.36-S1 9.16.8-S1 -> 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including Supported Preview Editions - are also believed to be affected but have not been tested as they are EOL. The cache could become poisoned with incorrect records leading to queries being made to the wrong servers, which might also result in false information being returned to clients.(CVE-2021-25220)\n\n\nBIND 9.16.11 -> 9.16.26, 9.17.0 -> 9.18.0 and versions 9.16.11-S1 -> 9.16.26-S1 of the BIND Supported Preview Edition. Specifically crafted TCP streams can cause connections to BIND to remain in CLOSE_WAIT status for an indefinite period of time, even after the client has terminated the connection.(CVE-2022-0396)",
+    "cves": [
+      {
+        "id": "CVE-2022-0396",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0396",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1617": {
+    "id": "openEuler-SA-2022-1617",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1617",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nAn integer overflow was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a \"PVRDMA_REG_DSRHIGH\" write from the guest due to improper input validation. This flaw allows a privileged guest user to make QEMU allocate a large amount of memory, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2021-3607)\r\n\r\nA flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a \"PVRDMA_REG_DSRHIGH\" write from the guest and may result in a crash of QEMU or cause undefined behavior due to the access of an uninitialized pointer. The highest threat from this vulnerability is to system availability.(CVE-2021-3608)",
+    "cves": [
+      {
+        "id": "CVE-2021-3608",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3608",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1696": {
+    "id": "openEuler-SA-2024-1696",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1696",
+    "title": "An update for python-aiosmtpd is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "This is a server for SMTP and related protocols, similar in utility to the standard library's smtpd.py module, but rewritten to be based on asyncio for Python 3.\r\n\r\nSecurity Fix(es):\r\n\r\naiosmptd is  a reimplementation of the Python stdlib smtpd.py based on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept extra unencrypted commands after STARTTLS, treating them as if they came from inside the encrypted connection. This could be exploited by a man-in-the-middle attack. Version 1.4.6 contains a patch for the issue.(CVE-2024-34083)",
+    "cves": [
+      {
+        "id": "CVE-2024-34083",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34083",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1730": {
+    "id": "openEuler-SA-2024-1730",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1730",
+    "title": "An update for microcode_ctl is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "This is a tool to transform and deploy microcode update for x86 CPUs.\r\n\r\nSecurity Fix(es):\r\n\r\nHardware logic contains race conditions in some Intel(R) Processors may allow an authenticated user to potentially enable partial information disclosure via local access.(CVE-2023-45733)\r\n\r\nImproper input validation in some Intel(R) TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable escalation of privilege via local access.(CVE-2023-45745)\r\n\r\nSequence of processor instructions leads to unexpected behavior in Intel(R) Core(TM) Ultra Processors may allow an authenticated user to potentially enable denial of service via local access.(CVE-2023-46103)\r\n\r\nImproper input validation in some Intel(R) TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable escalation of privilege via local access.(CVE-2023-47855)",
+    "cves": [
+      {
+        "id": "CVE-2023-47855",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47855",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1091": {
+    "id": "openEuler-SA-2024-1091",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1091",
+    "title": "An update for gnutls is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, and other required structures. The project strives to provide a secure communications back-end, simple to use and integrated with the rest of the base Linux libraries. A back-end designed to work and be secure out of the box, keeping the complexity of TLS and PKI out of application code.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.(CVE-2024-0553)",
+    "cves": [
+      {
+        "id": "CVE-2024-0553",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0553",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1993": {
+    "id": "openEuler-SA-2022-1993",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1993",
+    "title": "An update for dhcp is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on UDP/IP networks whereby a DHCP server dynamically assigns an IP address and other network configuration parameters to each device on a network so they can communicate with other IP networks.\r\n\r\nSecurity Fix(es):\r\n\r\nIn BIND 9.0.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a query for a record triggering the flaw described above, the named process will terminate due to a failed assertion check. The vulnerability affects all currently maintained BIND 9 branches (9.11, 9.11-S, 9.16, 9.16-S, 9.17) as well as all other versions of BIND 9.(CVE-2021-25215)\r\n\r\nIn BIND 9.8.5 -> 9.8.8, 9.9.3 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND 9 Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a malformed IXFR triggering the flaw described above, the named process will terminate due to a failed assertion the next time the transferred secondary zone is refreshed.(CVE-2021-25214)\r\n\r\nIn BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 -> 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the BIND 9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it possible for its internal data structures to grow almost infinitely, which may cause significant delays in client query processing.(CVE-2021-25219)\r\n\r\nBIND 9.11.0 -> 9.11.36 9.12.0 -> 9.16.26 9.17.0 -> 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 -> 9.11.36-S1 9.16.8-S1 -> 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including Supported Preview Editions - are also believed to be affected but have not been tested as they are EOL. The cache could become poisoned with incorrect records leading to queries being made to the wrong servers, which might also result in false information being returned to clients.(CVE-2021-25220)",
+    "cves": [
+      {
+        "id": "CVE-2021-25220",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25220",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1122": {
+    "id": "openEuler-SA-2024-1122",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1122",
+    "title": "An update for erlang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "Erlang is a general-purpose programming language and runtime environment. Erlang has built-in support for concurrency, distribution and fault tolerance. Erlang is used in several large telecommunication systems from Ericsson.\r\n\r\nSecurity Fix(es):\r\n\r\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795)",
+    "cves": [
+      {
+        "id": "CVE-2023-48795",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48795",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1102": {
+    "id": "openEuler-SA-2023-1102",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1102",
+    "title": "An update for rubygem-globalid is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "URIs for your models makes it easy to pass references around.\r\n\r\nSecurity Fix(es):\r\n\r\nA ReDoS based DoS vulnerability in the GlobalID <1.0.1 which could allow an attacker supplying a carefully crafted input can cause the regular expression engine to take an unexpected amount of time. All users running an affected release should either upgrade or use one of the workarounds immediately.(CVE-2023-22799)",
+    "cves": [
+      {
+        "id": "CVE-2023-22799",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22799",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1686": {
+    "id": "openEuler-SA-2024-1686",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1686",
+    "title": "An update for openjdk-17 is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment.\r\n\r\nSecurity Fix(es):\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2024-20918)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 17.0.9; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 21.3.8 and  22.3.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).(CVE-2024-20932)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and  21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2024-21012)\r\n\r\nVulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2 and  22; Oracle GraalVM Enterprise Edition: 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2024-21068)",
+    "cves": [
+      {
+        "id": "CVE-2024-21068",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21068",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2068": {
+    "id": "openEuler-SA-2022-2068",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2068",
+    "title": "An update for strongswan is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "The strongSwan IPsec implementation supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel.\r\n\r\nSecurity Fix(es):\r\n\r\nIn strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication.(CVE-2021-45079)",
+    "cves": [
+      {
+        "id": "CVE-2021-45079",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45079",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1345": {
+    "id": "openEuler-SA-2024-1345",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1345",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni2c: xiic: fix reference leak when pm_runtime_get_sync fails\r\n\r\nThe PM reference count is not expected to be incremented on\nreturn in xiic_xfer and xiic_i2c_remove.\r\n\r\nHowever, pm_runtime_get_sync will increment the PM reference\ncount even failed. Forgetting to putting operation will result\nin a reference leak here.\r\n\r\nReplace it with pm_runtime_resume_and_get to keep usage\ncounter balanced.(CVE-2020-36778)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni2c: imx-lpi2c: fix reference leak when pm_runtime_get_sync fails\r\n\r\nThe PM reference count is not expected to be incremented on\nreturn in lpi2c_imx_master_enable.\r\n\r\nHowever, pm_runtime_get_sync will increment the PM reference\ncount even failed. Forgetting to putting operation will result\nin a reference leak here.\r\n\r\nReplace it with pm_runtime_resume_and_get to keep usage\ncounter balanced.(CVE-2020-36782)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nHID: usbhid: fix info leak in hid_submit_ctrl\r\n\r\nIn hid_submit_ctrl(), the way of calculating the report length doesn't\ntake into account that report->size can be zero. When running the\nsyzkaller reproducer, a report of size 0 causes hid_submit_ctrl) to\ncalculate transfer_buffer_length as 16384. When this urb is passed to\nthe usb core layer, KMSAN reports an info leak of 16384 bytes.\r\n\r\nTo fix this, first modify hid_report_len() to account for the zero\nreport size case by using DIV_ROUND_UP for the division. Then, call it\nfrom hid_submit_ctrl().(CVE-2021-46906)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nARM: footbridge: fix PCI interrupt mapping\r\n\r\nSince commit 30fdfb929e82 (\"PCI: Add a call to pci_assign_irq() in\npci_device_probe()\"), the PCI code will call the IRQ mapping function\nwhenever a PCI driver is probed. If these are marked as __init, this\ncauses an oops if a PCI driver is loaded or bound after the kernel has\ninitialised.(CVE-2021-46909)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: dwc3: core: Do core softreset when switch mode\r\n\r\n\nAccording to the programming guide, to switch mode for DRD controller,\nthe driver needs to do the following.\r\n\r\nTo switch from device to host:\n1. Reset controller with GCTL.CoreSoftReset\n2. Set GCTL.PrtCapDir(host mode)\n3. Reset the host with USBCMD.HCRESET\n4. Then follow up with the initializing host registers sequence\r\n\r\nTo switch from host to device:\n1. Reset controller with GCTL.CoreSoftReset\n2. Set GCTL.PrtCapDir(device mode)\n3. Reset the device with DCTL.CSftRst\n4. Then follow up with the initializing registers sequence\r\n\r\nCurrently we're missing step 1) to do GCTL.CoreSoftReset and step 3) of\nswitching from host to device. John Stult reported a lockup issue seen\nwith HiKey960 platform without these steps[1]. Similar issue is observed\nwith Ferry's testing platform[2].\r\n\r\nSo, apply the required steps along with some fixes to Yu Chen's and John\nStultz's version. The main fixes to their versions are the missing wait\nfor clocks synchronization before clearing GCTL.CoreSoftReset and only\napply DCTL.CSftRst when switching from host to device.\r\n\r\n[1] https://lore.kernel.org/linux-usb/20210108015115.27920-1-john.stultz@linaro.org/\n[2] https://lore.kernel.org/linux-usb/0ba7a6ba-e6a7-9cd4-0695-64fc927e01f1@gmail.com/(CVE-2021-46941)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nopenvswitch: fix stack OOB read while fragmenting IPv4 packets\r\n\r\nrunning openvswitch on kernels built with KASAN, it's possible to see the\nfollowing splat while testing fragmentation of IPv4 packets:\r\n\r\n BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60\n Read of size 1 at addr ffff888112fc713c by task handler2/1367\r\n\r\n CPU: 0 PID: 1367 Comm: handler2 Not tainted 5.12.0-rc6+ #418\n Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014\n Call Trace:\n  dump_stack+0x92/0xc1\n  print_address_description.constprop.7+0x1a/0x150\n  kasan_report.cold.13+0x7f/0x111\n  ip_do_fragment+0x1b03/0x1f60\n  ovs_fragment+0x5bf/0x840 [openvswitch]\n  do_execute_actions+0x1bd5/0x2400 [openvswitch]\n  ovs_execute_actions+0xc8/0x3d0 [openvswitch]\n  ovs_packet_cmd_execute+0xa39/0x1150 [openvswitch]\n  genl_family_rcv_msg_doit.isra.15+0x227/0x2d0\n  genl_rcv_msg+0x287/0x490\n  netlink_rcv_skb+0x120/0x380\n  genl_rcv+0x24/0x40\n  netlink_unicast+0x439/0x630\n  netlink_sendmsg+0x719/0xbf0\n  sock_sendmsg+0xe2/0x110\n  ____sys_sendmsg+0x5ba/0x890\n  ___sys_sendmsg+0xe9/0x160\n  __sys_sendmsg+0xd3/0x170\n  do_syscall_64+0x33/0x40\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7f957079db07\n Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 eb ec ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 24 ed ff ff 48\n RSP: 002b:00007f956ce35a50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 0000000000000019 RCX: 00007f957079db07\n RDX: 0000000000000000 RSI: 00007f956ce35ae0 RDI: 0000000000000019\n RBP: 00007f956ce35ae0 R08: 0000000000000000 R09: 00007f9558006730\n R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000\n R13: 00007f956ce37308 R14: 00007f956ce35f80 R15: 00007f956ce35ae0\r\n\r\n The buggy address belongs to the page:\n page:00000000af2a1d93 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112fc7\n flags: 0x17ffffc0000000()\n raw: 0017ffffc0000000 0000000000000000 dead000000000122 0000000000000000\n raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\r\n\r\n addr ffff888112fc713c is located in stack of task handler2/1367 at offset 180 in frame:\n  ovs_fragment+0x0/0x840 [openvswitch]\r\n\r\n this frame has 2 objects:\n  [32, 144) 'ovs_dst'\n  [192, 424) 'ovs_rt'\r\n\r\n Memory state around the buggy address:\n  ffff888112fc7000: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  ffff888112fc7080: 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00\n >ffff888112fc7100: 00 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00\n                                         ^\n  ffff888112fc7180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  ffff888112fc7200: 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00\r\n\r\nfor IPv4 packets, ovs_fragment() uses a temporary struct dst_entry. Then,\nin the following call graph:\r\n\r\n  ip_do_fragment()\n    ip_skb_dst_mtu()\n      ip_dst_mtu_maybe_forward()\n        ip_mtu_locked()\r\n\r\nthe pointer to struct dst_entry is used as pointer to struct rtable: this\nturns the access to struct members like rt_mtu_locked into an OOB read in\nthe stack. Fix this changing the temporary variable used for IPv4 packets\nin ovs_fragment(), similarly to what is done for IPv6 few lines below.(CVE-2021-46955)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nethernet:enic: Fix a use after free bug in enic_hard_start_xmit\r\n\r\nIn enic_hard_start_xmit, it calls enic_queue_wq_skb(). Inside\nenic_queue_wq_skb, if some error happens, the skb will be freed\nby dev_kfree_skb(skb). But the freed skb is still used in\nskb_tx_timestamp(skb).\r\n\r\nMy patch makes enic_queue_wq_skb() return error and goto spin_unlock()\nincase of error. The solution is provided by Govind.\nSee https://lkml.org/lkml/2021/4/30/961.(CVE-2021-46998)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nARM: 9064/1: hw_breakpoint: Do not directly check the event's overflow_handler hook\r\n\r\nThe commit 1879445dfa7b (\"perf/core: Set event's default\n::overflow_handler()\") set a default event->overflow_handler in\nperf_event_alloc(), and replace the check event->overflow_handler with\nis_default_overflow_handler(), but one is missing.\r\n\r\nCurrently, the bp->overflow_handler can not be NULL. As a result,\nenable_single_step() is always not invoked.\r\n\r\nComments from Zhen Lei:\r\n\r\n https://patchwork.kernel.org/project/linux-arm-kernel/patch/20210207105934.2001-1-thunder.leizhen@huawei.com/(CVE-2021-47006)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send\r\n\r\nIn emac_mac_tx_buf_send, it calls emac_tx_fill_tpd(..,skb,..).\nIf some error happens in emac_tx_fill_tpd(), the skb will be freed via\ndev_kfree_skb(skb) in error branch of emac_tx_fill_tpd().\nBut the freed skb is still used via skb->len by netdev_sent_queue(,skb->len).\r\n\r\nAs i observed that emac_tx_fill_tpd() haven't modified the value of skb->len,\nthus my patch assigns skb->len to 'len' before the possible free and\nuse 'len' instead of skb->len later.(CVE-2021-47013)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbnxt_en: Fix RX consumer index logic in the error path.\r\n\r\nIn bnxt_rx_pkt(), the RX buffers are expected to complete in order.\nIf the RX consumer index indicates an out of order buffer completion,\nit means we are hitting a hardware bug and the driver will abort all\nremaining RX packets and reset the RX ring.  The RX consumer index\nthat we pass to bnxt_discard_rx() is not correct.  We should be\npassing the current index (tmp_raw_cons) instead of the old index\n(raw_cons).  This bug can cause us to be at the wrong index when\ntrying to abort the next RX packet.  It can crash like this:\r\n\r\n #0 [ffff9bbcdf5c39a8] machine_kexec at ffffffff9b05e007\n #1 [ffff9bbcdf5c3a00] __crash_kexec at ffffffff9b111232\n #2 [ffff9bbcdf5c3ad0] panic at ffffffff9b07d61e\n #3 [ffff9bbcdf5c3b50] oops_end at ffffffff9b030978\n #4 [ffff9bbcdf5c3b78] no_context at ffffffff9b06aaf0\n #5 [ffff9bbcdf5c3bd8] __bad_area_nosemaphore at ffffffff9b06ae2e\n #6 [ffff9bbcdf5c3c28] bad_area_nosemaphore at ffffffff9b06af24\n #7 [ffff9bbcdf5c3c38] __do_page_fault at ffffffff9b06b67e\n #8 [ffff9bbcdf5c3cb0] do_page_fault at ffffffff9b06bb12\n #9 [ffff9bbcdf5c3ce0] page_fault at ffffffff9bc015c5\n    [exception RIP: bnxt_rx_pkt+237]\n    RIP: ffffffffc0259cdd  RSP: ffff9bbcdf5c3d98  RFLAGS: 00010213\n    RAX: 000000005dd8097f  RBX: ffff9ba4cb11b7e0  RCX: ffffa923cf6e9000\n    RDX: 0000000000000fff  RSI: 0000000000000627  RDI: 0000000000001000\n    RBP: ffff9bbcdf5c3e60   R8: 0000000000420003   R9: 000000000000020d\n    R10: ffffa923cf6ec138  R11: ffff9bbcdf5c3e83  R12: ffff9ba4d6f928c0\n    R13: ffff9ba4cac28080  R14: ffff9ba4cb11b7f0  R15: ffff9ba4d5a30000\n    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018(CVE-2021-47015)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvsock/virtio: free queued packets when closing socket\r\n\r\nAs reported by syzbot [1], there is a memory leak while closing the\nsocket. We partially solved this issue with commit ac03046ece2b\n(\"vsock/virtio: free packets during the socket release\"), but we\nforgot to drain the RX queue when the socket is definitely closed by\nthe scheduled work.\r\n\r\nTo avoid future issues, let's use the new virtio_transport_remove_sock()\nto drain the RX queue before removing the socket from the af_vsock lists\ncalling vsock_remove_sock().\r\n\r\n[1] https://syzkaller.appspot.com/bug?extid=24452624fc4c571eedd9(CVE-2021-47024)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nio_uring: fix overflows checks in provide buffers\r\n\r\nColin reported before possible overflow and sign extension problems in\nio_provide_buffers_prep(). As Linus pointed out previous attempt did nothing\nuseful, see d81269fecb8ce (\"io_uring: fix provide_buffers sign extension\").\r\n\r\nDo that with help of check_<op>_overflow helpers. And fix struct\nio_provide_buf::len type, as it doesn't make much sense to keep it\nsigned.(CVE-2021-47040)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nDrivers: hv: vmbus: Use after free in __vmbus_open()\r\n\r\nThe \"open_info\" variable is added to the &vmbus_connection.chn_msg_list,\nbut the error handling frees \"open_info\" without removing it from the\nlist.  This will result in a use after free.  First remove it from the\nlist, and then free it.(CVE-2021-47049)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nblock: add check that partition length needs to be aligned with block size\r\n\r\nBefore calling add partition or resize partition, there is no check\non whether the length is aligned with the logical block size.\nIf the logical block size of the disk is larger than 512 bytes,\nthen the partition size maybe not the multiple of the logical block size,\nand when the last sector is read, bio_truncate() will adjust the bio size,\nresulting in an IO error if the size of the read command is smaller than\nthe logical block size.If integrity data is supported, this will also\nresult in a null pointer dereference when calling bio_integrity_free.(CVE-2023-52458)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg\r\n\r\nsyzbot reported the following uninit-value access issue:\r\n\r\n=====================================================\nBUG: KMSAN: uninit-value in smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\nBUG: KMSAN: uninit-value in smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\nCPU: 0 PID: 8696 Comm: kworker/0:3 Not tainted 5.8.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x21c/0x280 lib/dump_stack.c:118\n kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121\n __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]\n smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482\n usbnet_probe+0x1152/0x3f90 drivers/net/usb/usbnet.c:1737\n usb_probe_interface+0xece/0x1550 drivers/usb/core/driver.c:374\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\n usb_set_configuration+0x380f/0x3f10 drivers/usb/core/message.c:2032\n usb_generic_driver_probe+0x138/0x300 drivers/usb/core/generic.c:241\n usb_probe_device+0x311/0x490 drivers/usb/core/driver.c:272\n really_probe+0xf20/0x20b0 drivers/base/dd.c:529\n driver_probe_device+0x293/0x390 drivers/base/dd.c:701\n __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807\n bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431\n __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873\n device_initial_probe+0x4a/0x60 drivers/base/dd.c:920\n bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491\n device_add+0x3b0e/0x40d0 drivers/base/core.c:2680\n usb_new_device+0x1bd4/0x2a30 drivers/usb/core/hub.c:2554\n hub_port_connect drivers/usb/core/hub.c:5208 [inline]\n hub_port_connect_change drivers/usb/core/hub.c:5348 [inline]\n port_event drivers/usb/core/hub.c:5494 [inline]\n hub_event+0x5e7b/0x8a70 drivers/usb/core/hub.c:5576\n process_one_work+0x1688/0x2140 kernel/workqueue.c:2269\n worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415\n kthread+0x551/0x590 kernel/kthread.c:292\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293\r\n\r\nLocal variable ----buf.i87@smsc75xx_bind created at:\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\n __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]\n smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]\n smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482\r\n\r\nThis issue is caused because usbnet_read_cmd() reads less bytes than requested\n(zero byte in the reproducer). In this case, 'buf' is not properly filled.\r\n\r\nThis patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads\nless bytes than requested.(CVE-2023-52528)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nFS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree\r\n\r\nSyzkaller reported the following issue:\r\n\r\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2867:6\nindex 196694 is out of range for type 's8[1365]' (aka 'signed char[1365]')\nCPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348\n dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867\n dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834\n dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331\n dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]\n dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402\n txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534\n txUpdateMap+0x342/0x9e0\n txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]\n jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732\n kthread+0x2d3/0x370 kernel/kthread.c:388\n ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n </TASK>\n================================================================================\nKernel panic - not syncing: UBSAN: panic_on_warn set ...\nCPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n panic+0x30f/0x770 kernel/panic.c:340\n check_panic_on_warn+0x82/0xa0 kernel/panic.c:236\n ubsan_epilogue lib/ubsan.c:223 [inline]\n __ubsan_handle_out_of_bounds+0x13c/0x150 lib/ubsan.c:348\n dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867\n dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834\n dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331\n dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]\n dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402\n txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534\n txUpdateMap+0x342/0x9e0\n txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]\n jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732\n kthread+0x2d3/0x370 kernel/kthread.c:388\n ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n </TASK>\nKernel Offset: disabled\nRebooting in 86400 seconds..\r\n\r\nThe issue is caused when the value of lp becomes greater than\nCTLTREESIZE which is the max size of stree. Adding a simple check\nsolves this issue.\r\n\r\nDave:\nAs the function returns a void, good error handling\nwould require a more intrusive code reorganization, so I modified\nOsama's patch at use WARN_ON_ONCE for lack of a cleaner option.\r\n\r\nThe patch is tested via syzbot.(CVE-2023-52604)",
+    "cves": [
+      {
+        "id": "CVE-2023-52604",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52604",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1672": {
+    "id": "openEuler-SA-2024-1672",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1672",
+    "title": "An update for containers-common is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "This package contains common configuration files and documentation for container tools ecosystem, such as Podman, Buildah and Skopeo.\r\n\r\nSecurity Fix(es):\r\n\r\nUncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.(CVE-2022-1962)",
+    "cves": [
+      {
+        "id": "CVE-2022-1962",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1962",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1014": {
+    "id": "openEuler-SA-2021-1014",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1014",
+    "title": "An update for jackson-databind is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The general-purpose data-binding functionality and tree-model for Jackson Data Processor. It builds on core streaming parser/generator package, and uses Jackson Annotations for configuration.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nFasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.(CVE-2020-35490)\\r\\n\\r\\n\r\nFasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.(CVE-2020-35491)\\r\\n\\r\\n\r\nFasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).(CVE-2020-35728)\\r\\n\\r\\n\nFasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.(CVE-2020-36185)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2020-36185",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36185",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1090": {
+    "id": "openEuler-SA-2023-1090",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1090",
+    "title": "An update for python-cryptography is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.\r\n\r\nSecurity Fix(es):\r\n\r\ncryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.(CVE-2023-23931)",
+    "cves": [
+      {
+        "id": "CVE-2023-23931",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23931",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1239": {
+    "id": "openEuler-SA-2021-1239",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1239",
+    "title": "An update for glibc is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt, login, exit and more.\r\n\r\nSecurity Fix(es):\r\n\r\nThe mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.(CVE-2021-33574)",
+    "cves": [
+      {
+        "id": "CVE-2021-33574",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33574",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1037": {
+    "id": "openEuler-SA-2021-1037",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1037",
+    "title": "An update for gssproxy is now available for openEuler-20.03-LTS",
+    "severity": "Critical",
+    "description": "This is a proxy for GSSAPI which deals with credential handling.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\n** DISPUTED ** gssproxy (aka gss-proxy) before 0.8.3 does not unlock cond_mutex before pthread exit in gp_worker_main() in gp_workers.c. NOTE: An upstream comment states \"We are already on a shutdown path when running the code in question, so a DoS there doesn't make any sense, and there has been no additional information provided us (as upstream) to indicate why this would be a problem.\"(CVE-2020-12658)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2020-12658",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12658",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1291": {
+    "id": "openEuler-SA-2024-1291",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1291",
+    "title": "An update for aops-zeus is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "A host and user manager service which is the foundation of aops.\r\n\r\nSecurity Fix(es):\r\n\r\nIn aops-zeus software versions 1.2.0~1.4.1, there is a vulnerability in the plugin management command of the zeus/conf/constant file. Through this vulnerability, an attacker can implant arbitrary commands to be executed on the remote host, which may cause the remote host system to crash, suffering serious consequences of security threats and losses.(CVE-2024-24899)",
+    "cves": [
+      {
+        "id": "CVE-2024-24899",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24899",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1794": {
+    "id": "openEuler-SA-2023-1794",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1794",
+    "title": "An update for squid is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Squid is a high-performance proxy caching server. It handles all requests in a single, non-blocking, I/O-driven process and keeps meta data and implements negative caching of failed requests.\r\n\r\nSecurity Fix(es):\r\n\r\n Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. Those who you use a prepackaged version of Squid should refer to the package vendor for availability information on updated packages.(CVE-2023-46724)\r\n\r\nSquid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a NULL pointer dereference bug Squid is vulnerable to a Denial of Service attack against Squid's Gopher gateway. The gopher protocol is always available and enabled in Squid prior to Squid 6.0.1. Responses triggering this bug are possible to be received from any gopher server, even those without malicious intent. Gopher support has been removed in Squid version 6.0.1. Users are advised to upgrade. Users unable to upgrade should reject all gopher URL requests.(CVE-2023-46728)",
+    "cves": [
+      {
+        "id": "CVE-2023-46728",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46728",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1253": {
+    "id": "openEuler-SA-2021-1253",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1253",
+    "title": "An update for httpd is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\r\n\r\nSecurity Fix(es):\r\n\r\nApache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service(CVE-2021-26690)",
+    "cves": [
+      {
+        "id": "CVE-2021-26690",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26690",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1707": {
+    "id": "openEuler-SA-2023-1707",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1707",
+    "title": "An update for python-urllib3 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Sanity-friendly HTTP client for Python\r\n\r\nSecurity Fix(es):\r\n\r\nurllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.(CVE-2023-43804)",
+    "cves": [
+      {
+        "id": "CVE-2023-43804",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43804",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1548": {
+    "id": "openEuler-SA-2024-1548",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1548",
+    "title": "An update for xorg-x11-server-xwayland is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Xwayland is an X server for running X clients under Wayland.\r\nSecurity Fix(es):\r\n\r\nA flaw was found in xorg-server. A specially crafted request to RRChangeProviderProperty or RRChangeOutputProperty can trigger an integer overflow which may lead to a disclosure of sensitive information.(CVE-2023-6478)\r\n\r\nA flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255, but the X.Org Server was only allocating space for the device's particular number of buttons, leading to a heap overflow if a bigger value was used.(CVE-2023-6816)\r\n\r\nA flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues another request to access that resource (as with a GetGeometry) or when it creates another resource that needs to access that buffer, such as a GC, the XSELINUX code will try to use an object that was never labeled and crash because the SID is NULL.(CVE-2024-0408)\r\n\r\nA heap-based buffer over-read vulnerability was found in the X.org server's ProcXIGetSelectedEvents() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.(CVE-2024-31080)\r\n\r\nA heap-based buffer over-read vulnerability was found in the X.org server's ProcXIPassiveGrabDevice() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.(CVE-2024-31081)",
+    "cves": [
+      {
+        "id": "CVE-2024-31081",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31081",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2070": {
+    "id": "openEuler-SA-2022-2070",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2070",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nThe vulnerability is a use-after-free that happens when an io_uring request\nis being processed on a registered file and the Unix GC runs and frees the\nio_uring fd and all the registered fds. The order at which the Unix GC\nprocesses the inflight fds may lead to registered fds be freed before the\nio_uring is released and has the chance to unregister and wait for such\nrequests to finish.\r\n\r\nReference:\nhttps://www.openwall.com/lists/oss-security/2022/10/18/4\nhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0091bfc81741b8d3aeb3b7ab8636f911b2de6e80(CVE-2022-2602)",
+    "cves": [
+      {
+        "id": "CVE-2022-2602",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2602",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1979": {
+    "id": "openEuler-SA-2023-1979",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1979",
+    "title": "An update for openssh is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. \\ It encrypts all traffic to eliminate eavesdropping, connection hijacking, and \\ other attacks. In addition, OpenSSH provides a large suite of secure tunneling \\ capabilities, several authentication methods, and sophisticated configuration options.\r\n\r\nSecurity Fix(es):\r\n\r\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795)\r\n\r\nIn ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.(CVE-2023-51385)",
+    "cves": [
+      {
+        "id": "CVE-2023-51385",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51385",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1381": {
+    "id": "openEuler-SA-2023-1381",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1381",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA memory corruption flaw was found in the Linux kernel’s human interface device (HID) subsystem in how a user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their privileges on the system.(CVE-2023-1073)\r\n\r\nA memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. This could allow a local user to starve resources, causing a denial of service.(CVE-2023-1074)\r\n\r\nIn nf_tables_updtable, if nf_tables_table_enable returns an error, nft_trans_destroy is called to free the transaction object. nft_trans_destroy() calls list_del(), but the transaction was never placed on a list -- the list head is all zeroes, this results in a NULL pointer dereference.(CVE-2023-1095)\r\n\r\nA use-after-free flaw was found in r592_remove in drivers/memstick/host/r592.c in media access in the Linux Kernel. This flaw allows a local attacker to crash the system at device disconnect, possibly leading to a kernel information leak.(CVE-2023-3141)\r\n\r\nAn out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information.(CVE-2023-3268)\r\n\r\nAn issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in rkvdec_remove in drivers/staging/media/rkvdec/rkvdec.c.(CVE-2023-35829)",
+    "cves": [
+      {
+        "id": "CVE-2023-35829",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35829",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1244": {
+    "id": "openEuler-SA-2024-1244",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1244",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: prevent mss overflow in skb_segment()\r\n\r\nOnce again syzbot is able to crash the kernel in skb_segment() [1]\r\n\r\nGSO_BY_FRAGS is a forbidden value, but unfortunately the following\ncomputation in skb_segment() can reach it quite easily :\r\n\r\n\tmss = mss * partial_segs;\r\n\r\n65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to\na bad final result.\r\n\r\nMake sure to limit segmentation so that the new mss value is smaller\nthan GSO_BY_FRAGS.\r\n\r\n[1]\r\n\r\ngeneral protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]\nCPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3cbdd0 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff\nR10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0\nR13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046\nFS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\nudp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109\nipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120\nskb_mac_gso_segment+0x290/0x610 net/core/gso.c:53\n__skb_gso_segment+0x339/0x710 net/core/gso.c:124\nskb_gso_segment include/net/gso.h:83 [inline]\nvalidate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626\n__dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\npacket_xmit+0x257/0x380 net/packet/af_packet.c:276\npacket_snd net/packet/af_packet.c:3087 [inline]\npacket_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0xd5/0x180 net/socket.c:745\n__sys_sendto+0x255/0x340 net/socket.c:2190\n__do_sys_sendto net/socket.c:2202 [inline]\n__se_sys_sendto net/socket.c:2198 [inline]\n__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7f8692032aa9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9\nRDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003\nRBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480\nR13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003\n</TASK>\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R0\n---truncated---(CVE-2023-52435)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: explicitly null-terminate the xattr list\r\n\r\nWhen setting an xattr, explicitly null-terminate the xattr list.  This\neliminates the fragile assumption that the unused xattr space is always\nzeroed.(CVE-2023-52436)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbinder: fix use-after-free in shinker's callback\r\n\r\nThe mmap read lock is used during the shrinker's callback, which means\nthat using alloc->vma pointer isn't safe as it can race with munmap().\nAs of commit dd2283f2605e (\"mm: mmap: zap pages with read mmap_sem in\nmunmap\") the mmap lock is downgraded after the vma has been isolated.\r\n\r\nI was able to reproduce this issue by manually adding some delays and\ntriggering page reclaiming through the shrinker's debug sysfs. The\nfollowing KASAN report confirms the UAF:\r\n\r\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8\n  Read of size 8 at addr ffff356ed50e50f0 by task bash/478\r\n\r\n  CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70\n  Hardware name: linux,dummy-virt (DT)\n  Call trace:\n   zap_page_range_single+0x470/0x4b8\n   binder_alloc_free_page+0x608/0xadc\n   __list_lru_walk_one+0x130/0x3b0\n   list_lru_walk_node+0xc4/0x22c\n   binder_shrink_scan+0x108/0x1dc\n   shrinker_debugfs_scan_write+0x2b4/0x500\n   full_proxy_write+0xd4/0x140\n   vfs_write+0x1ac/0x758\n   ksys_write+0xf0/0x1dc\n   __arm64_sys_write+0x6c/0x9c\r\n\r\n  Allocated by task 492:\n   kmem_cache_alloc+0x130/0x368\n   vm_area_alloc+0x2c/0x190\n   mmap_region+0x258/0x18bc\n   do_mmap+0x694/0xa60\n   vm_mmap_pgoff+0x170/0x29c\n   ksys_mmap_pgoff+0x290/0x3a0\n   __arm64_sys_mmap+0xcc/0x144\r\n\r\n  Freed by task 491:\n   kmem_cache_free+0x17c/0x3c8\n   vm_area_free_rcu_cb+0x74/0x98\n   rcu_core+0xa38/0x26d4\n   rcu_core_si+0x10/0x1c\n   __do_softirq+0x2fc/0xd24\r\n\r\n  Last potentially related work creation:\n   __call_rcu_common.constprop.0+0x6c/0xba0\n   call_rcu+0x10/0x1c\n   vm_area_free+0x18/0x24\n   remove_vma+0xe4/0x118\n   do_vmi_align_munmap.isra.0+0x718/0xb5c\n   do_vmi_munmap+0xdc/0x1fc\n   __vm_munmap+0x10c/0x278\n   __arm64_sys_munmap+0x58/0x7c\r\n\r\nFix this issue by performing instead a vma_lookup() which will fail to\nfind the vma that was isolated before the mmap lock downgrade. Note that\nthis option has better performance than upgrading to a mmap write lock\nwhich would increase contention. Plus, mmap_write_trylock() has been\nrecently removed anyway.(CVE-2023-52438)\r\n\r\nA race condition was found in the Linux kernel's sound/hda  device driver in snd_hdac_regmap_sync() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\r\n\r\n(CVE-2024-23196)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path\r\n\r\nWhen calling mlxsw_sp_acl_tcam_region_destroy() from an error path after\nfailing to attach the region to an ACL group, we hit a NULL pointer\ndereference upon 'region->group->tcam' [1].\r\n\r\nFix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam().\r\n\r\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nRIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0\n[...]\nCall Trace:\n mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\n mlxsw_sp_acl_rule_add+0x47/0x240\n mlxsw_sp_flower_replace+0x1a9/0x1d0\n tc_setup_cb_add+0xdc/0x1c0\n fl_hw_replace_filter+0x146/0x1f0\n fl_change+0xc17/0x1360\n tc_new_tfilter+0x472/0xb90\n rtnetlink_rcv_msg+0x313/0x3b0\n netlink_rcv_skb+0x58/0x100\n netlink_unicast+0x244/0x390\n netlink_sendmsg+0x1e4/0x440\n ____sys_sendmsg+0x164/0x260\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xc0\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b(CVE-2024-26595)",
+    "cves": [
+      {
+        "id": "CVE-2024-26595",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26595",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1308": {
+    "id": "openEuler-SA-2021-1308",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1308",
+    "title": "An update for util-linux is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Critical",
+    "description": "The util-linux package contains a random collection of files that implements some low-level basic linux utilities.\r\n\r\nSecurity Fix(es):\r\n\r\nAn integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file.(CVE-2021-37600)",
+    "cves": [
+      {
+        "id": "CVE-2021-37600",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37600",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1945": {
+    "id": "openEuler-SA-2022-1945",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1945",
+    "title": "An update for python-pip is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes. %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-/bash_completion.d}) Name:           python-pip Version:        21.3.1 Release:        1 Summary:        A tool for installing and managing Python packages License:        MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD) URL:            http://www.pip-installer.org Source0:          BuildArch:      noarch Patch1:         allow-stripping-given-prefix-from-wheel-RECORD-files. Patch2:         emit-a-warning-when-running-with-root-privileges.patch Patch6000:      dummy-certifi.patch\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.(CVE-2021-33503)\r\n\r\nLib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.(CVE-2020-14422)",
+    "cves": [
+      {
+        "id": "CVE-2020-14422",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14422",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1592": {
+    "id": "openEuler-SA-2022-1592",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1592",
+    "title": "An update for SDL2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "High",
+    "description": "Simple DirectMedia Layer (SDL) is a cross-platform multimedia library designed to provide fast access to the graphics frame buffer and audio device.\r\n\r\nSecurity Fix(es):\r\n\r\nThere is a heap overflow problem in video/SDL_pixels.c in SDL (Simple DirectMedia Layer) 2.x to 2.0.18 versions. By crafting a malicious .BMP file, an attacker can cause the application using this library to crash, denial of service or Code execution.(CVE-2021-33657)",
+    "cves": [
+      {
+        "id": "CVE-2021-33657",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33657",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1242": {
+    "id": "openEuler-SA-2024-1242",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1242",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: prevent mss overflow in skb_segment()\r\n\r\nOnce again syzbot is able to crash the kernel in skb_segment() [1]\r\n\r\nGSO_BY_FRAGS is a forbidden value, but unfortunately the following\ncomputation in skb_segment() can reach it quite easily :\r\n\r\n\tmss = mss * partial_segs;\r\n\r\n65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to\na bad final result.\r\n\r\nMake sure to limit segmentation so that the new mss value is smaller\nthan GSO_BY_FRAGS.\r\n\r\n[1]\r\n\r\ngeneral protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]\nCPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3cbdd0 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff\nR10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0\nR13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046\nFS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\nudp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109\nipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120\nskb_mac_gso_segment+0x290/0x610 net/core/gso.c:53\n__skb_gso_segment+0x339/0x710 net/core/gso.c:124\nskb_gso_segment include/net/gso.h:83 [inline]\nvalidate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626\n__dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\npacket_xmit+0x257/0x380 net/packet/af_packet.c:276\npacket_snd net/packet/af_packet.c:3087 [inline]\npacket_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0xd5/0x180 net/socket.c:745\n__sys_sendto+0x255/0x340 net/socket.c:2190\n__do_sys_sendto net/socket.c:2202 [inline]\n__se_sys_sendto net/socket.c:2198 [inline]\n__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7f8692032aa9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9\nRDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003\nRBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480\nR13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003\n</TASK>\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R0\n---truncated---(CVE-2023-52435)\r\n\r\nA race condition was found in the Linux kernel's sound/hda  device driver in snd_hdac_regmap_sync() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\r\n\r\n(CVE-2024-23196)",
+    "cves": [
+      {
+        "id": "CVE-2024-23196",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23196",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1802": {
+    "id": "openEuler-SA-2022-1802",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1802",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nNo description is available for this CVE.(CVE-2022-1508)\r\n\r\nWhen sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of bounds.(CVE-2021-33655)",
+    "cves": [
+      {
+        "id": "CVE-2021-33655",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33655",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1469": {
+    "id": "openEuler-SA-2024-1469",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1469",
+    "title": "An update for libvirt is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "Libvirt is a C toolkit to interact with the virtualization capabilities of recent versions of Linux (and other OSes). The main package includes the libvirtd server exporting the virtualization support.\r\n\r\nSecurity Fix(es):\r\n\r\nAn off-by-one error flaw was found in the udevListInterfacesByStatus() function in libvirt when the number of interfaces exceeds the size of the `names` array. This issue can be reproduced by sending specially crafted data to the libvirt daemon, allowing an unprivileged client to perform a denial of service attack by causing the libvirt daemon to crash.(CVE-2024-1441)\r\n\r\nA flaw was found in the RPC library APIs of libvirt. The RPC server deserialization code allocates memory for arrays before the non-negative length check is performed by the C API entry points. Passing a negative length to the g_new0 function results in a crash due to the negative length being treated as a huge positive number. This flaw allows a local, unprivileged user to perform a denial of service attack by causing the libvirt daemon to crash.(CVE-2024-2494)",
+    "cves": [
+      {
+        "id": "CVE-2024-2494",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2494",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1422": {
+    "id": "openEuler-SA-2024-1422",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1422",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\nSecurity Fix(es):\r\n\r\nQEMU before 8.2.0 has an integer underflow, and resultant buffer overflow, via a TI command when an expected non-DMA transfer length is less than the length of the available FIFO data. This occurs in esp_do_nodma in hw/scsi/esp.c because of an underflow of async_len.(CVE-2024-24474)",
+    "cves": [
+      {
+        "id": "CVE-2024-24474",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24474",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1599": {
+    "id": "openEuler-SA-2024-1599",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1599",
+    "title": "An update for giflib is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "giflib is a library of gif images and provides utilities for processing images.\r\n\r\nSecurity Fix(es):\r\n\r\nA memory leak (out-of-memory) in gif2rgb in util/gif2rgb.c in giflib 5.1.4 allows remote attackers trigger an out of memory exception or denial of service via a gif format file.(CVE-2021-40633)",
+    "cves": [
+      {
+        "id": "CVE-2021-40633",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40633",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1366": {
+    "id": "openEuler-SA-2024-1366",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1366",
+    "title": "An update for rubygem-activestorage is now available for openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Attach cloud and local files in Rails applications.\r\n\r\nSecurity Fix(es):\r\n\r\nRails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7.(CVE-2024-26144)",
+    "cves": [
+      {
+        "id": "CVE-2024-26144",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26144",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1490": {
+    "id": "openEuler-SA-2023-1490",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1490",
+    "title": "An update for qt5-qtbase is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Qt is a software toolkit for developing applications.\r\n\r\nSecurity Fix(es):\r\n\r\nQt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.(CVE-2023-24607)",
+    "cves": [
+      {
+        "id": "CVE-2023-24607",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24607",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1847": {
+    "id": "openEuler-SA-2022-1847",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1847",
+    "title": "An update for gnupg2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP).  GnuPG enables encryption and signing of data and communication, and features a versatile key management system as well as access modules for public key directories.\r\n\r\nSecurity Fix(es):\r\n\r\nGnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.(CVE-2022-34903)",
+    "cves": [
+      {
+        "id": "CVE-2022-34903",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34903",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1980": {
+    "id": "openEuler-SA-2022-1980",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1980",
+    "title": "An update for vim is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.\r\n\r\nSecurity Fix(es):\r\n\r\nStack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0577.(CVE-2022-3296)\r\n\r\nUse After Free in GitHub repository vim/vim prior to 9.0.0614.(CVE-2022-3352)",
+    "cves": [
+      {
+        "id": "CVE-2022-3352",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3352",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1049": {
+    "id": "openEuler-SA-2021-1049",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1049",
+    "title": "An update for guava is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Low",
+    "description": "Guava is a set of core Java libraries from Google that includes new collection types (such as multimap and multiset), immutable collections, a graph library, and utilities for concurrency, I/O, hashing, caching, primitives, strings, and more! It is widely used on most Java projects within Google, and widely used by many other companies as well.\r\n\r\nSecurity Fix(es):\r\n\r\nA temp directory creation vulnerability exist in Guava versions prior to 30.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. We recommend updating Guava to version 30.0 or later, or update to Java 7 or later, or to explicitly change the permissions after the creation of the directory if neither are possible.(CVE-2020-8908)",
+    "cves": [
+      {
+        "id": "CVE-2020-8908",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8908",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1849": {
+    "id": "openEuler-SA-2022-1849",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1849",
+    "title": "An update for openjdk-11 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The OpenJDK runtime environment.\n\nSecurity Fix(es):\n\nThe Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.(CVE-2022-34169)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).(CVE-2022-21541)\n\nVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2022-21540)",
+    "cves": [
+      {
+        "id": "CVE-2022-21540",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21540",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2130": {
+    "id": "openEuler-SA-2022-2130",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2130",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn incorrect TLB flush issue was found in the Linux kernel?s GPU i915 kernel driver, potentially leading to random memory corruption or data leaks. This flaw could allow a local user to crash the system or escalate their privileges on the system.(CVE-2022-4139)\r\n\r\nAn issue was discovered in the Linux kernel through 6.0.10. l2cap_config_req in net/bluetooth/l2cap_core.c has an integer wraparound via L2CAP_CONF_REQ packets.(CVE-2022-45934)",
+    "cves": [
+      {
+        "id": "CVE-2022-45934",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45934",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1552": {
+    "id": "openEuler-SA-2024-1552",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1552",
+    "title": "An update for cockpit is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Cockpit makes GNU/Linux discoverable. See Linux server in a web browser and perform system tasks with a mouse. It’s easy to start containers, administer storage, configure networks, and inspect logs with this package.\r\n\r\nSecurity Fix(es):\r\n\r\nAn SSRF issue was discovered in cockpit-project.org Cockpit 234. NOTE: this is unrelated to the Agentejo Cockpit product. NOTE: the vendor states \"I don't think [it] is a big real-life issue.(CVE-2020-35850)",
+    "cves": [
+      {
+        "id": "CVE-2020-35850",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35850",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1113": {
+    "id": "openEuler-SA-2024-1113",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1113",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel before 6.5.9, there is a NULL pointer dereference in send_acknowledge in net/nfc/nci/spi.c.(CVE-2023-46343)\r\n\r\nIn the Linux kernel before 6.4.12, amdgpu_cs_wait_all_fences in drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c has a fence use-after-free.(CVE-2023-51042)\r\n\r\nAn issue was discovered in ksmbd in the Linux kernel before 6.6.10. smb2_get_data_area_len in fs/smb/server/smb2misc.c can cause an smb_strndup_from_utf16 out-of-bounds access because the relationship between Name data and CreateContexts data is mishandled.(CVE-2024-22705)",
+    "cves": [
+      {
+        "id": "CVE-2024-22705",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22705",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1741": {
+    "id": "openEuler-SA-2023-1741",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1741",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the IPv4 Resource Reservation Protocol (RSVP) classifier in the Linux kernel. The xprt pointer may go beyond the linear part of the skb, leading to an out-of-bounds read in the `rsvp_classify` function. This issue may allow a local user to crash the system and cause a denial of service.(CVE-2023-42755)",
+    "cves": [
+      {
+        "id": "CVE-2023-42755",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42755",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1131": {
+    "id": "openEuler-SA-2021-1131",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1131",
+    "title": "An update for wavpack is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "WavPack is a completely open audio compression format providing lossless, high-quality lossy, and a unique hybrid compression mode. For version 5.0.0, several new file formats and lossless DSD audio compression were added, making WavPack a universal audio archiving solution.\r\n\r\nSecurity Fix(es):\r\n\r\nWavPack 5.3.0 has an out-of-bounds write in WavpackPackSamples in pack_utils.c because of an integer overflow in a malloc argument. NOTE: some third-parties claim that there are later \"unofficial\" releases through 5.3.2, which are also affected.(CVE-2020-35738)",
+    "cves": [
+      {
+        "id": "CVE-2020-35738",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35738",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1571": {
+    "id": "openEuler-SA-2022-1571",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1571",
+    "title": "An update for bluez is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "This package provides all utilities for use in Bluetooth applications. The BLUETOOTH trademarks are owned by Bluetooth SIG, Inc., U.S.A.\r\n\r\nSecurity Fix(es):\r\n\r\nImproper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access.(CVE-2021-0129)",
+    "cves": [
+      {
+        "id": "CVE-2021-0129",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0129",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1837": {
+    "id": "openEuler-SA-2022-1837",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1837",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nn ip_check_mc_rcu of igmp.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege when opening and closing inet sockets with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-112551163References: Upstream kernel.(CVE-2022-20141)",
+    "cves": [
+      {
+        "id": "CVE-2022-20141",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20141",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1949": {
+    "id": "openEuler-SA-2023-1949",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1949",
+    "title": "An update for liblouis is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "The Liblouis software suite provides an open-source braille translator, back-translator and formatter for a large number of languages and braille codes. It is a set of libraries designed for use in any of a number of applications, both free and commercial. It is written in C so that it does not require a runtime environment and hence can be used in applications written in high-level languages such as Java and Python.\r\n\r\nSecurity Fix(es):\r\n\r\nLiblouis through 3.21.0 has a buffer overflow in compilePassOpcode in compileTranslationTable.c (called, indirectly, by tools/lou_checktable.c).(CVE-2022-26981)",
+    "cves": [
+      {
+        "id": "CVE-2022-26981",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26981",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1371": {
+    "id": "openEuler-SA-2023-1371",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1371",
+    "title": "An update for wireshark is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Wireshark allows you to examine protocol data stored in files or as it is captured from wired or wireless (WiFi or Bluetooth) networks, USB devices, and many other sources.  It supports dozens of protocol capture file formats and understands more than a thousand protocols. It has many powerful features including a rich display filter language and the ability to reassemble multiple protocol packets in order to, for example, view a complete TCP stream, save the contents of a file which was transferred over HTTP or CIFS, or play back an RTP audio stream.\n\nSecurity Fix(es):\n\nDue to failure in validating the length provided by an attacker-crafted MSMMS packet, Wireshark version 4.0.5 and prior, in an unusual configuration, is susceptible to a heap-based buffer overflow, and possibly code execution in the context of the process running Wireshark(CVE-2023-0667)",
+    "cves": [
+      {
+        "id": "CVE-2023-0667",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0667",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1117": {
+    "id": "openEuler-SA-2023-1117",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1117",
+    "title": "An update for apr is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "The mission of the Apache Portable Runtime (APR) project is to create and maintain software libraries that provide a predictable and consistent interface to underlying platform-specific implementations. The primary goal is to provide an API to which software developers may code and be assured of predictable if not identical behaviour regardless of the platform on which their software is built, relieving them of the need to code special-case conditions to work around or take advantage of platform-specific deficiencies or features.\r\n\r\nSecurity Fix(es):\r\n\r\nInteger Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime (APR) version 1.7.0.(CVE-2022-24963)",
+    "cves": [
+      {
+        "id": "CVE-2022-24963",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24963",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2137": {
+    "id": "openEuler-SA-2022-2137",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2137",
+    "title": "An update for php is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts.The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server.\r\n\r\nSecurity Fix(es):\r\n\r\nThe Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.(CVE-2022-37454)",
+    "cves": [
+      {
+        "id": "CVE-2022-37454",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37454",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1128": {
+    "id": "openEuler-SA-2023-1128",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1128",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "This libtiff provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. The latest version of the TIFF specification is available on-line in several different formats.And contains command-line programs for manipulating TIFF format image files using the libtiff library.\r\n\r\nSecurity Fix(es):\r\n\r\nLibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in libtiff/tif_unix.c:368, invoked by tools/tiffcrop.c:2903 and tools/tiffcrop.c:6778, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.(CVE-2023-0801)\r\n\r\nLibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in libtiff/tif_unix.c:368, invoked by tools/tiffcrop.c:2903 and tools/tiffcrop.c:6921, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.(CVE-2023-0797)\r\n\r\nLibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3592, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.(CVE-2023-0796)\r\n\r\nLibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3701, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.(CVE-2023-0799)\r\n\r\nLibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3609, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.(CVE-2023-0804)\r\n\r\nLibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3724, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.(CVE-2023-0802)\r\n\r\nLibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3488, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.(CVE-2023-0795)\r\n\r\nLibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3516, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.(CVE-2023-0803)\r\n\r\nLibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3502, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.(CVE-2023-0800)\r\n\r\nLibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3400, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.(CVE-2023-0798)",
+    "cves": [
+      {
+        "id": "CVE-2023-0798",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0798",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1193": {
+    "id": "openEuler-SA-2024-1193",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1193",
+    "title": "An update for mod_auth_openidc is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party(RP) to an OpenID Connect Provider(OP).\r\n\r\nSecurity Fix(es):\r\n\r\nmod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In affected versions missing input validation on mod_auth_openidc_session_chunks cookie value makes the server vulnerable to a denial of service (DoS) attack. An internal security audit has been conducted and the reviewers found that if they manipulated the value of the mod_auth_openidc_session_chunks cookie to a very large integer, like 99999999, the server struggles with the request for a long time and finally gets back with a 500 error. Making a few requests of this kind caused our server to become unresponsive. Attackers can craft requests that would make the server work very hard (and possibly become unresponsive) and/or crash with minimal effort. This issue has been addressed in version 2.4.15.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2024-24814)",
+    "cves": [
+      {
+        "id": "CVE-2024-24814",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24814",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1357": {
+    "id": "openEuler-SA-2021-1357",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1357",
+    "title": "An update for cups is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "CUPS is the standards-based, open source printing system developed by Apple Inc. for UNIX®-like operating systems. CUPS uses the Internet Printing Protocol (IPP) to support printing to local and network printers..\r\n\r\nSecurity Fix(es):\r\n\r\nAn input validation issue was addressed with improved memory handling. This issue is fixed in macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave. A malicious application may be able to read restricted memory.(CVE-2020-10001)",
+    "cves": [
+      {
+        "id": "CVE-2020-10001",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10001",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1753": {
+    "id": "openEuler-SA-2022-1753",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1753",
+    "title": "An update for libsepol is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3",
+    "severity": "Low",
+    "description": "libsepol provides an API for the manipulation of SELinux binary policies. It is used by checkpolicy (the policy compiler) and similar tools, as well as by programs like load_policy that need to perform specific transformations on binary policies such as customizing policy boolean settings.\r\n\r\nSecurity Fix(es):\r\n\r\nThe CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).(CVE-2021-36086)",
+    "cves": [
+      {
+        "id": "CVE-2021-36086",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36086",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1019": {
+    "id": "openEuler-SA-2024-1019",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1019",
+    "title": "An update for bluez is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "This package provides all utilities for use in Bluetooth applications. The BLUETOOTH trademarks are owned by Bluetooth SIG, Inc., U.S.A.\r\n\r\nSecurity Fix(es):\r\n\r\nVUL-0: CVE-2023-50230: bluez: BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution Vulnerability(CVE-2023-50230)",
+    "cves": [
+      {
+        "id": "CVE-2023-50230",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50230",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1660": {
+    "id": "openEuler-SA-2023-1660",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1660",
+    "title": "An update for mutt is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Mutt is a small but very powerful text-based mail client for Unix operating systems.\r\n\r\nSecurity Fix(es):\r\n\r\nNull pointer dereference when viewing a specially crafted email in Mutt >1.5.2 <2.2.12(CVE-2023-4874)\r\n\r\nNull pointer dereference when composing from a specially crafted draft message in Mutt >1.5.2 <2.2.12(CVE-2023-4875)",
+    "cves": [
+      {
+        "id": "CVE-2023-4875",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4875",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1505": {
+    "id": "openEuler-SA-2023-1505",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1505",
+    "title": "An update for bind is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nEvery `named` instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers. The size limit for that cache database can be configured using the `max-cache-size` statement in the configuration file; it defaults to 90% of the total amount of memory available on the host. When the size of the cache reaches 7/8 of the configured limit, a cache-cleaning algorithm starts to remove expired and/or least-recently used RRsets from the cache, to keep memory use below the configured limit.\r\n\r\nIt has been discovered that the effectiveness of the cache-cleaning algorithm used in `named` can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured `max-cache-size` limit to be significantly exceeded.\nThis issue affects BIND 9 versions 9.11.0 through 9.16.41, 9.18.0 through 9.18.15, 9.19.0 through 9.19.13, 9.11.3-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1.(CVE-2023-2828)",
+    "cves": [
+      {
+        "id": "CVE-2023-2828",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2828",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1640": {
+    "id": "openEuler-SA-2024-1640",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1640",
+    "title": "An update for iperf3 is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Low",
+    "description": "Iperf is a tool for active measurements of the maximum achievable bandwidth on IP networks. It supports tuning of various parameters related to timing, protocols, and buffers.\r\n\r\nSecurity Fix(es):\r\n\r\niPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server with RSA authentication, allows a timing side channel in RSA decryption operations. This side channel could be sufficient for an attacker to recover credential plaintext. It requires the attacker to send a large number of messages for decryption, as described in \"Everlasting ROBOT: the Marvin Attack\" by Hubert Kario.(CVE-2024-26306)",
+    "cves": [
+      {
+        "id": "CVE-2024-26306",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26306",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1655": {
+    "id": "openEuler-SA-2022-1655",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1655",
+    "title": "An update for freetype is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "FreeType is written in C, designed to be small,efficient, highly customizable, and portable while capable of producing high-quality output (glyph images) of most vector and bitmap font formats\n\nSecurity Fix(es):\n\nFreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the function sfnt_init_face.(CVE-2022-27404)\n\nFreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovered to contain a segmentation violation via the function FNT_Size_Request.(CVE-2022-27405)\n\nFreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovered to contain a segmentation violation via the function FT_Request_Size.(CVE-2022-27406)",
+    "cves": [
+      {
+        "id": "CVE-2022-27406",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27406",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1897": {
+    "id": "openEuler-SA-2022-1897",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1897",
+    "title": "An update for rpm is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The RPM Package Manager (RPM) is a powerful package management system capability as below\r\n\r\nSecurity Fix(es):\r\n\r\nA race condition vulnerability was found in rpm. A local unprivileged user could use this flaw to bypass the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501, potentially gaining root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2021-35937)\r\n\r\nIt was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created. A local unprivileged user who owns another ancestor directory could potentially use this flaw to gain root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2021-35939)\r\n\r\nA symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2021-35938)",
+    "cves": [
+      {
+        "id": "CVE-2021-35938",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35938",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1728": {
+    "id": "openEuler-SA-2024-1728",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1728",
+    "title": "An update for wireshark is now available for openEuler-20.03-LTS-SP4",
+    "severity": "Medium",
+    "description": "Wireshark is an open source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer.\r\n\r\nSecurity Fix(es):\r\n\r\nMONGO and ZigBee TLV dissector infinite loops in Wireshark 4.2.0 to 4.2.4, 4.0.0 to 4.0.14, and 3.6.0 to 3.6.22 allow denial of service via packet injection or crafted capture file(CVE-2024-4854)",
+    "cves": [
+      {
+        "id": "CVE-2024-4854",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4854",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1008": {
+    "id": "openEuler-SA-2021-1008",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1008",
+    "title": "An update for freerdp is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "FreeRDP is a client implementation of the Remote Desktop Protocol (RDP) that follows Microsoft's open specifications. This package provides the client applications xfreerdp and wlfreerdp.\\r\\n\\r\\n\r\nSecurity Fix(es):\\r\\n\\r\\n\r\nlibfreerdp/core/update.c in FreeRDP versions > 1.1 through 2.0.0-rc4 has an Out-of-bounds Read.(CVE-2020-11526)\\r\\n\\r\\n\r\nIn FreeRDP greater than 1.2 and before 2.0.0, a double free in update_read_cache_bitmap_v3_order crashes the client application if corrupted data from a manipulated server is parsed. This has been patched in 2.0.0.(CVE-2020-11044)\\r\\n\\r\\n\r\nIn FreeRDP greater than 1.1 and before 2.0.0, there is an out-of-bounds read in update_read_icon_info. It allows reading a attacker-defined amount of client memory (32bit unsigned -> 4GB) to an intermediate buffer. This can be used to crash the client or store information for later retrieval. This has been patched in 2.0.0.(CVE-2020-11042)\\r\\n\\r\\n\r\nIn FreeRDP before version 2.1.2, an out of bound reads occurs resulting in accessing a memory location that is outside of the boundaries of the static array PRIMARY_DRAWING_ORDER_FIELD_BYTES. This is fixed in version 2.1.2.(CVE-2020-11095)\\r\\n\\r\\n\r\nIn FreeRDP after 1.0 and before 2.0.0, there is an out-of-bound read in in update_read_bitmap_data that allows client memory to be read to an image buffer. The result displayed on screen as colour.(CVE-2020-11045)\\r\\n\\r\\n\nlibfreerdp/gdi/gdi.c in FreeRDP > 1.0 through 2.0.0-rc4 has an Out-of-bounds Read.(CVE-2020-11522)\\r\\n\\r\\n\nlibfreerdp/codec/interleaved.c in FreeRDP versions > 1.0 through 2.0.0-rc4 has an Out-of-bounds Write.(CVE-2020-11524)\\r\\n\\r\\n\nlibfreerdp/codec/planar.c in FreeRDP version > 1.0 through 2.0.0-rc4 has an Out-of-bounds Write.(CVE-2020-11521)\\r\\n\\r\\n\nlibfreerdp/cache/bitmap.c in FreeRDP versions > 1.0 through 2.0.0-rc4 has an Out of bounds read.(CVE-2020-11525)\\r\\n\\r\\n\nlibfreerdp/codec/planar.c in FreeRDP version > 1.0 through 2.0.0-rc4 has an Out-of-bounds Write.(CVE-2020-11521)\\r\\n\\r\\n\nlibfreerdp/codec/region.c in FreeRDP through 1.1.x and 2.x through 2.0.0-rc4 has memory leaks because a supplied realloc pointer (i.e., the first argument to realloc) is also used for a realloc return value.(CVE-2019-17177)\\r\\n\\r\\n",
+    "cves": [
+      {
+        "id": "CVE-2019-17177",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17177",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1256": {
+    "id": "openEuler-SA-2021-1256",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1256",
+    "title": "An update for pdfbox is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Apache PDFBox is an open source Java PDF library for working with PDF documents. This project allows creation of new PDF documents, manipulation of existing documents and the ability to extract content from documents. Apache PDFBox also includes several command line utilities. Apache PDFBox is published under the Apache License v2.0.\r\n\r\nSecurity Fix(es):\r\n\r\nIn Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.(CVE-2021-31811)\n\nIn Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.(CVE-2021-31812)",
+    "cves": [
+      {
+        "id": "CVE-2021-31812",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31812",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2067": {
+    "id": "openEuler-SA-2022-2067",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2067",
+    "title": "An update for libtiff is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "This  provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. The latest version of the TIFF specification is available on-line in several different formats.And contains command-line programs for manipulating TIFF format image files using the libtiff library.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nNull source pointer passed as an argument to memcpy() function within TIFFReadDirectory() in tif_dirread.c in libtiff versions from 4.0 to 4.3.0 could lead to Denial of Service via crafted TIFF file. For users that compile libtiff from sources, a fix is available with commit 561599c.(CVE-2022-0562)\r\n\r\nNull source pointer passed as an argument to memcpy() function within TIFFFetchStripThing() in tif_dirread.c in libtiff versions from 3.9.0 to 4.3.0 could lead to Denial of Service via crafted TIFF file. For users that compile libtiff from sources, the fix is available with commit eecb0712.(CVE-2022-0561)\r\n\r\nLibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c in certain situations involving a custom tag and 0x0200 as the second word of the DE field.(CVE-2022-22844)\r\n\r\nA heap buffer overflow in ExtractImageSection function in tiffcrop.c in libtiff library Version 4.3.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact(CVE-2022-0891)",
+    "cves": [
+      {
+        "id": "CVE-2022-0891",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0891",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1861": {
+    "id": "openEuler-SA-2022-1861",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1861",
+    "title": "An update for python-bleach is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Bleach is an HTML sanitizing library that escapes or strips markup and attributes based on a white list.\r\n\r\nSecurity Fix(es):\r\n\r\nNo description is available for this CVE.(CVE-2021-23980)",
+    "cves": [
+      {
+        "id": "CVE-2021-23980",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23980",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1459": {
+    "id": "openEuler-SA-2023-1459",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1459",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Low",
+    "description": "This libtiff provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. The latest version of the TIFF specification is available on-line in several different formats.And contains command-line programs for manipulating TIFF format image files using the libtiff library.\r\n\r\nSecurity Fix(es):\r\n\r\nMultiple potential integer overflow in tiffcp.c in libtiff <= 4.5.1 can allow remote attackers to cause a denial of service (application crash) or possibly execute an arbitrary code via a crafted tiff image which triggers a heap-based buffer overflow.(CVE-2023-38289)",
+    "cves": [
+      {
+        "id": "CVE-2023-38289",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38289",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1355": {
+    "id": "openEuler-SA-2021-1355",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1355",
+    "title": "An update for usbredir is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "Low",
+    "description": "usbredir is the name of a network protocol for sending USB device traffic over a network connection. It is also the name of the software package offering a parsing library, a usbredirhost library and several utilities implementing this protocol. It also including a USB host TCP server, using libusbredirhost.\r\n\r\nSecurity Fix(es):\r\n\r\nNo description is available for this CVE.(CVE-2021-3700)",
+    "cves": [
+      {
+        "id": "CVE-2021-3700",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3700",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1449": {
+    "id": "openEuler-SA-2024-1449",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1449",
+    "title": "An update for LibRaw is now available for openEuler-20.03-LTS-SP4",
+    "severity": "High",
+    "description": "LibRaw is a library for reading RAW files from digital photo cameras (CRW/CR2, NEF, RAF, etc, virtually all RAW formats are supported).It pays special attention to correct retrieval of data required for subsequent RAW conversion.The library is intended for embedding in RAW converters, data analyzers, and other programs using RAW files as the initial data.\r\n\r\nSecurity Fix(es):\r\n\r\nBuffer Overflow vulnerability in LibRaw linux/unix v0.20.0 allows attacker to escalate privileges via the LibRaw_buffer_datastream::gets(char*, int) in /src/libraw/src/libraw_datastream.cpp.(CVE-2021-32142)",
+    "cves": [
+      {
+        "id": "CVE-2021-32142",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32142",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1994": {
+    "id": "openEuler-SA-2023-1994",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1994",
+    "title": "An update for tar is now available for openEuler-20.03-LTS-SP3",
+    "severity": "Low",
+    "description": "GNU Tar provides the ability to create tar archives, as well as various other kinds of manipulation. For example, you can use Tar on previously created archives to extract files, to store additional files, or to update or list files which were already stored.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in tar. This issue occurs when extended attributes are processed in PAX archives, and could allow an attacker to cause an application crash, resulting in a denial of service.(CVE-2023-39804)",
+    "cves": [
+      {
+        "id": "CVE-2023-39804",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39804",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1874": {
+    "id": "openEuler-SA-2022-1874",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1874",
+    "title": "An update for gdk-pixbuf2 is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "gdk is written in C but has been designed from the ground up to support a wide range of languages. It provide a complete set of widgets,and suitable for projects ranging from small one-off tools to complete application suites.\r\n\r\nSecurity Fix(es):\r\n\r\nGNOME GdkPixbuf (aka GDK-PixBuf) before 2.42.8 allows a heap-based buffer overflow when compositing or clearing frames in GIF files, as demonstrated by io-gif-animation.c composite_frame. This overflow is controllable and could be abused for code execution, especially on 32-bit systems.(CVE-2021-46829)",
+    "cves": [
+      {
+        "id": "CVE-2021-46829",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46829",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1827": {
+    "id": "openEuler-SA-2022-1827",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1827",
+    "title": "An update for mod_wsgi is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The mod_wsgi adapter is an Apache module that provides a WSGI compliant interface for hosting Python based web applications within Apache. The adapter is written completely in C code against the Apache C runtime andfor hosting WSGI applications within Apache has a lower overhead than using existing WSGI adapters for mod_python or CGI.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy (trusted proxies are configured via the WSGITrustedProxies directive) allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.\r\n\r\nReferences:\nhttps://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941\nhttps://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082(CVE-2022-2255)",
+    "cves": [
+      {
+        "id": "CVE-2022-2255",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2255",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1766": {
+    "id": "openEuler-SA-2024-1766",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1766",
+    "title": "An update for kernel is now available for openEuler-24.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntpm_tis_spi: Account for SPI header when allocating TPM SPI xfer buffer\r\n\r\nThe TPM SPI transfer mechanism uses MAX_SPI_FRAMESIZE for computing the\nmaximum transfer length and the size of the transfer buffer. As such, it\ndoes not account for the 4 bytes of header that prepends the SPI data\nframe. This can result in out-of-bounds accesses and was confirmed with\nKASAN.\r\n\r\nIntroduce SPI_HDRSIZE to account for the header and use to allocate the\ntransfer buffer.(CVE-2024-36477)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: fix out-of-bounds access in ops_init\r\n\r\nnet_alloc_generic is called by net_alloc, which is called without any\nlocking. It reads max_gen_ptrs, which is changed under pernet_ops_rwsem. It\nis read twice, first to allocate an array, then to set s.len, which is\nlater used to limit the bounds of the array access.\r\n\r\nIt is possible that the array is allocated and another thread is\nregistering a new pernet ops, increments max_gen_ptrs, which is then used\nto set s.len with a larger than allocated length for the variable array.\r\n\r\nFix it by reading max_gen_ptrs only once in net_alloc_generic. If\nmax_gen_ptrs is later incremented, it will be caught in net_assign_generic.(CVE-2024-36883)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngpiolib: cdev: fix uninitialised kfifo\r\n\r\nIf a line is requested with debounce, and that results in debouncing\nin software, and the line is subsequently reconfigured to enable edge\ndetection then the allocation of the kfifo to contain edge events is\noverlooked.  This results in events being written to and read from an\nuninitialised kfifo.  Read events are returned to userspace.\r\n\r\nInitialise the kfifo in the case where the software debounce is\nalready active.(CVE-2024-36898)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()\r\n\r\nsyzbot is able to trigger the following crash [1],\ncaused by unsafe ip6_dst_idev() use.\r\n\r\nIndeed ip6_dst_idev() can return NULL, and must always be checked.\r\n\r\n[1]\r\n\r\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 0 PID: 31648 Comm: syz-executor.0 Not tainted 6.9.0-rc4-next-20240417-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:__fib6_rule_action net/ipv6/fib6_rules.c:237 [inline]\n RIP: 0010:fib6_rule_action+0x241/0x7b0 net/ipv6/fib6_rules.c:267\nCode: 02 00 00 49 8d 9f d8 00 00 00 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 f9 32 bf f7 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 e0 32 bf f7 4c 8b 03 48 89 ef 4c\nRSP: 0018:ffffc9000fc1f2f0 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 1a772f98c8186700\nRDX: 0000000000000003 RSI: ffffffff8bcac4e0 RDI: ffffffff8c1f9760\nRBP: ffff8880673fb980 R08: ffffffff8fac15ef R09: 1ffffffff1f582bd\nR10: dffffc0000000000 R11: fffffbfff1f582be R12: dffffc0000000000\nR13: 0000000000000080 R14: ffff888076509000 R15: ffff88807a029a00\nFS:  00007f55e82ca6c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b31d23000 CR3: 0000000022b66000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n  fib_rules_lookup+0x62c/0xdb0 net/core/fib_rules.c:317\n  fib6_rule_lookup+0x1fd/0x790 net/ipv6/fib6_rules.c:108\n  ip6_route_output_flags_noref net/ipv6/route.c:2637 [inline]\n  ip6_route_output_flags+0x38e/0x610 net/ipv6/route.c:2649\n  ip6_route_output include/net/ip6_route.h:93 [inline]\n  ip6_dst_lookup_tail+0x189/0x11a0 net/ipv6/ip6_output.c:1120\n  ip6_dst_lookup_flow+0xb9/0x180 net/ipv6/ip6_output.c:1250\n  sctp_v6_get_dst+0x792/0x1e20 net/sctp/ipv6.c:326\n  sctp_transport_route+0x12c/0x2e0 net/sctp/transport.c:455\n  sctp_assoc_add_peer+0x614/0x15c0 net/sctp/associola.c:662\n  sctp_connect_new_asoc+0x31d/0x6c0 net/sctp/socket.c:1099\n  __sctp_connect+0x66d/0xe30 net/sctp/socket.c:1197\n  sctp_connect net/sctp/socket.c:4819 [inline]\n  sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834\n  __sys_connect_file net/socket.c:2048 [inline]\n  __sys_connect+0x2df/0x310 net/socket.c:2065\n  __do_sys_connect net/socket.c:2075 [inline]\n  __se_sys_connect net/socket.c:2072 [inline]\n  __x64_sys_connect+0x7a/0x90 net/socket.c:2072\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f(CVE-2024-36902)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: Fix potential uninit-value access in __ip6_make_skb()\r\n\r\nAs it was done in commit fc1092f51567 (\"ipv4: Fix uninit-value access in\n__ip_make_skb()\") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6->flowi6_flags\ninstead of testing HDRINCL on the socket to avoid a race condition which\ncauses uninit-value access.(CVE-2024-36903)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets\r\n\r\nTCP_SYN_RECV state is really special, it is only used by\ncross-syn connections, mostly used by fuzzers.\r\n\r\nIn the following crash [1], syzbot managed to trigger a divide\nby zero in tcp_rcv_space_adjust()\r\n\r\nA socket makes the following state transitions,\nwithout ever calling tcp_init_transfer(),\nmeaning tcp_init_buffer_space() is also not called.\r\n\r\n         TCP_CLOSE\nconnect()\n         TCP_SYN_SENT\n         TCP_SYN_RECV\nshutdown() -> tcp_shutdown(sk, SEND_SHUTDOWN)\n         TCP_FIN_WAIT1\r\n\r\nTo fix this issue, change tcp_shutdown() to not\nperform a TCP_SYN_RECV -> TCP_FIN_WAIT1 transition,\nwhich makes no sense anyway.\r\n\r\nWhen tcp_rcv_state_process() later changes socket state\nfrom TCP_SYN_RECV to TCP_ESTABLISH, then look at\nsk->sk_shutdown to finally enter TCP_FIN_WAIT1 state,\nand send a FIN packet from a sane socket state.\r\n\r\nThis means tcp_send_fin() can now be called from BH\ncontext, and must use GFP_ATOMIC allocations.\r\n\r\n[1]\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767\nCode: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 <48> f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48\nRSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246\nRAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7\nR10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30\nR13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da\nFS:  00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0\nCall Trace:\n <TASK>\n  tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513\n  tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578\n  inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680\n  sock_recvmsg_nosec net/socket.c:1046 [inline]\n  sock_recvmsg+0x109/0x280 net/socket.c:1068\n  ____sys_recvmsg+0x1db/0x470 net/socket.c:2803\n  ___sys_recvmsg net/socket.c:2845 [inline]\n  do_recvmmsg+0x474/0xae0 net/socket.c:2939\n  __sys_recvmmsg net/socket.c:3018 [inline]\n  __do_sys_recvmmsg net/socket.c:3041 [inline]\n  __se_sys_recvmmsg net/socket.c:3034 [inline]\n  __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7faeb6363db9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9\nRDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005\nRBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c\nR10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001(CVE-2024-36905)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload\r\n\r\nThe session resources are used by FW and driver when session is offloaded,\nonce session is uploaded these resources are not used. The lock is not\nrequired as these fields won't be used any longer. The offload and upload\ncalls are sequential, hence lock is not required.\r\n\r\nThis will suppress following BUG_ON():\r\n\r\n[  449.843143] ------------[ cut here ]------------\n[  449.848302] kernel BUG at mm/vmalloc.c:2727!\n[  449.853072] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n[  449.858712] CPU: 5 PID: 1996 Comm: kworker/u24:2 Not tainted 5.14.0-118.el9.x86_64 #1\nRebooting.\n[  449.867454] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.3.4 11/08/2016\n[  449.876966] Workqueue: fc_rport_eq fc_rport_work [libfc]\n[  449.882910] RIP: 0010:vunmap+0x2e/0x30\n[  449.887098] Code: 00 65 8b 05 14 a2 f0 4a a9 00 ff ff 00 75 1b 55 48 89 fd e8 34 36 79 00 48 85 ed 74 0b 48 89 ef 31 f6 5d e9 14 fc ff ff 5d c3 <0f> 0b 0f 1f 44 00 00 41 57 41 56 49 89 ce 41 55 49 89 fd 41 54 41\n[  449.908054] RSP: 0018:ffffb83d878b3d68 EFLAGS: 00010206\n[  449.913887] RAX: 0000000080000201 RBX: ffff8f4355133550 RCX: 000000000d400005\n[  449.921843] RDX: 0000000000000001 RSI: 0000000000001000 RDI: ffffb83da53f5000\n[  449.929808] RBP: ffff8f4ac6675800 R08: ffffb83d878b3d30 R09: 00000000000efbdf\n[  449.937774] R10: 0000000000000003 R11: ffff8f434573e000 R12: 0000000000001000\n[  449.945736] R13: 0000000000001000 R14: ffffb83da53f5000 R15: ffff8f43d4ea3ae0\n[  449.953701] FS:  0000000000000000(0000) GS:ffff8f529fc80000(0000) knlGS:0000000000000000\n[  449.962732] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  449.969138] CR2: 00007f8cf993e150 CR3: 0000000efbe10003 CR4: 00000000003706e0\n[  449.977102] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  449.985065] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  449.993028] Call Trace:\n[  449.995756]  __iommu_dma_free+0x96/0x100\n[  450.000139]  bnx2fc_free_session_resc+0x67/0x240 [bnx2fc]\n[  450.006171]  bnx2fc_upload_session+0xce/0x100 [bnx2fc]\n[  450.011910]  bnx2fc_rport_event_handler+0x9f/0x240 [bnx2fc]\n[  450.018136]  fc_rport_work+0x103/0x5b0 [libfc]\n[  450.023103]  process_one_work+0x1e8/0x3c0\n[  450.027581]  worker_thread+0x50/0x3b0\n[  450.031669]  ? rescuer_thread+0x370/0x370\n[  450.036143]  kthread+0x149/0x170\n[  450.039744]  ? set_kthread_struct+0x40/0x40\n[  450.044411]  ret_from_fork+0x22/0x30\n[  450.048404] Modules linked in: vfat msdos fat xfs nfs_layout_nfsv41_files rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver dm_service_time qedf qed crc8 bnx2fc libfcoe libfc scsi_transport_fc intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp dcdbas rapl intel_cstate intel_uncore mei_me pcspkr mei ipmi_ssif lpc_ich ipmi_si fuse zram ext4 mbcache jbd2 loop nfsv3 nfs_acl nfs lockd grace fscache netfs irdma ice sd_mod t10_pi sg ib_uverbs ib_core 8021q garp mrp stp llc mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi fb_sys_fops cec crct10dif_pclmul ahci crc32_pclmul bnx2x drm ghash_clmulni_intel libahci rfkill i40e libata megaraid_sas mdio wmi sunrpc lrw dm_crypt dm_round_robin dm_multipath dm_snapshot dm_bufio dm_mirror dm_region_hash dm_log dm_zero dm_mod linear raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid6_pq libcrc32c crc32c_intel raid1 raid0 iscsi_ibft squashfs be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls\n[  450.048497]  libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi edd ipmi_devintf ipmi_msghandler\n[  450.159753] ---[ end trace 712de2c57c64abc8 ]---(CVE-2024-36919)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ns390/qeth: Fix kernel panic after setting hsuid\r\n\r\nSymptom:\nWhen the hsuid attribute is set for the first time on an IQD Layer3\ndevice while the corresponding network interface is already UP,\nthe kernel will try to execute a napi function pointer that is NULL.\r\n\r\nExample:\n---------------------------------------------------------------------------\n[ 2057.572696] illegal operation: 0001 ilc:1 [#1] SMP\n[ 2057.572702] Modules linked in: af_iucv qeth_l3 zfcp scsi_transport_fc sunrpc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6\nnft_reject nft_ct nf_tables_set nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink ghash_s390 prng xts aes_s390 des_s390 de\ns_generic sha3_512_s390 sha3_256_s390 sha512_s390 vfio_ccw vfio_mdev mdev vfio_iommu_type1 eadm_sch vfio ext4 mbcache jbd2 qeth_l2 bridge stp llc dasd_eckd_mod qeth dasd_mod\n qdio ccwgroup pkey zcrypt\n[ 2057.572739] CPU: 6 PID: 60182 Comm: stress_client Kdump: loaded Not tainted 4.18.0-541.el8.s390x #1\n[ 2057.572742] Hardware name: IBM 3931 A01 704 (LPAR)\n[ 2057.572744] Krnl PSW : 0704f00180000000 0000000000000002 (0x2)\n[ 2057.572748]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3\n[ 2057.572751] Krnl GPRS: 0000000000000004 0000000000000000 00000000a3b008d8 0000000000000000\n[ 2057.572754]            00000000a3b008d8 cb923a29c779abc5 0000000000000000 00000000814cfd80\n[ 2057.572756]            000000000000012c 0000000000000000 00000000a3b008d8 00000000a3b008d8\n[ 2057.572758]            00000000bab6d500 00000000814cfd80 0000000091317e46 00000000814cfc68\n[ 2057.572762] Krnl Code:#0000000000000000: 0000                illegal\n                         >0000000000000002: 0000                illegal\n                          0000000000000004: 0000                illegal\n                          0000000000000006: 0000                illegal\n                          0000000000000008: 0000                illegal\n                          000000000000000a: 0000                illegal\n                          000000000000000c: 0000                illegal\n                          000000000000000e: 0000                illegal\n[ 2057.572800] Call Trace:\n[ 2057.572801] ([<00000000ec639700>] 0xec639700)\n[ 2057.572803]  [<00000000913183e2>] net_rx_action+0x2ba/0x398\n[ 2057.572809]  [<0000000091515f76>] __do_softirq+0x11e/0x3a0\n[ 2057.572813]  [<0000000090ce160c>] do_softirq_own_stack+0x3c/0x58\n[ 2057.572817] ([<0000000090d2cbd6>] do_softirq.part.1+0x56/0x60)\n[ 2057.572822]  [<0000000090d2cc60>] __local_bh_enable_ip+0x80/0x98\n[ 2057.572825]  [<0000000091314706>] __dev_queue_xmit+0x2be/0xd70\n[ 2057.572827]  [<000003ff803dd6d6>] afiucv_hs_send+0x24e/0x300 [af_iucv]\n[ 2057.572830]  [<000003ff803dd88a>] iucv_send_ctrl+0x102/0x138 [af_iucv]\n[ 2057.572833]  [<000003ff803de72a>] iucv_sock_connect+0x37a/0x468 [af_iucv]\n[ 2057.572835]  [<00000000912e7e90>] __sys_connect+0xa0/0xd8\n[ 2057.572839]  [<00000000912e9580>] sys_socketcall+0x228/0x348\n[ 2057.572841]  [<0000000091514e1a>] system_call+0x2a6/0x2c8\n[ 2057.572843] Last Breaking-Event-Address:\n[ 2057.572844]  [<0000000091317e44>] __napi_poll+0x4c/0x1d8\n[ 2057.572846]\n[ 2057.572847] Kernel panic - not syncing: Fatal exception in interrupt\n-------------------------------------------------------------------------------------------\r\n\r\nAnalysis:\nThere is one napi structure per out_q: card->qdio.out_qs[i].napi\nThe napi.poll functions are set during qeth_open().\r\n\r\nSince\ncommit 1cfef80d4c2b (\"s390/qeth: Don't call dev_close/dev_open (DOWN/UP)\")\nqeth_set_offline()/qeth_set_online() no longer call dev_close()/\ndev_open(). So if qeth_free_qdio_queues() cleared\ncard->qdio.out_qs[i].napi.poll while the network interface was UP and the\ncard was offline, they are not set again.\r\n\r\nReproduction:\nchzdev -e $devno layer2=0\nip link set dev $network_interface up\necho 0 > /sys/bus/ccw\n---truncated---(CVE-2024-36928)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init()\r\n\r\nl2cap_le_flowctl_init() can cause both div-by-zero and an integer\noverflow since hdev->le_mtu may not fall in the valid range.\r\n\r\nMove MTU from hci_dev to hci_conn to validate MTU and stop the connection\nprocess earlier if MTU is invalid.\nAlso, add a missing validation in read_buffer_size() and make it return\nan error value if the validation fails.\nNow hci_conn_add() returns ERR_PTR() as it can fail due to the both a\nkzalloc failure and invalid MTU value.\r\n\r\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 0 PID: 67 Comm: kworker/u5:0 Tainted: G        W          6.9.0-rc5+ #20\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: hci0 hci_rx_work\nRIP: 0010:l2cap_le_flowctl_init+0x19e/0x3f0 net/bluetooth/l2cap_core.c:547\nCode: e8 17 17 0c 00 66 41 89 9f 84 00 00 00 bf 01 00 00 00 41 b8 02 00 00 00 4c\n89 fe 4c 89 e2 89 d9 e8 27 17 0c 00 44 89 f0 31 d2 <66> f7 f3 89 c3 ff c3 4d 8d\nb7 88 00 00 00 4c 89 f0 48 c1 e8 03 42\nRSP: 0018:ffff88810bc0f858 EFLAGS: 00010246\nRAX: 00000000000002a0 RBX: 0000000000000000 RCX: dffffc0000000000\nRDX: 0000000000000000 RSI: ffff88810bc0f7c0 RDI: ffffc90002dcb66f\nRBP: ffff88810bc0f880 R08: aa69db2dda70ff01 R09: 0000ffaaaaaaaaaa\nR10: 0084000000ffaaaa R11: 0000000000000000 R12: ffff88810d65a084\nR13: dffffc0000000000 R14: 00000000000002a0 R15: ffff88810d65a000\nFS:  0000000000000000(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000100 CR3: 0000000103268003 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n l2cap_le_connect_req net/bluetooth/l2cap_core.c:4902 [inline]\n l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:5420 [inline]\n l2cap_le_sig_channel net/bluetooth/l2cap_core.c:5486 [inline]\n l2cap_recv_frame+0xe59d/0x11710 net/bluetooth/l2cap_core.c:6809\n l2cap_recv_acldata+0x544/0x10a0 net/bluetooth/l2cap_core.c:7506\n hci_acldata_packet net/bluetooth/hci_core.c:3939 [inline]\n hci_rx_work+0x5e5/0xb20 net/bluetooth/hci_core.c:4176\n process_one_work kernel/workqueue.c:3254 [inline]\n process_scheduled_works+0x90f/0x1530 kernel/workqueue.c:3335\n worker_thread+0x926/0xe70 kernel/workqueue.c:3416\n kthread+0x2e3/0x380 kernel/kthread.c:388\n ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n </TASK>\nModules linked in:\n---[ end trace 0000000000000000 ]---(CVE-2024-36968)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP\r\n\r\nIf one TCA_TAPRIO_ATTR_PRIOMAP attribute has been provided,\ntaprio_parse_mqprio_opt() must validate it, or userspace\ncan inject arbitrary data to the kernel, the second time\ntaprio_change() is called.\r\n\r\nFirst call (with valid attributes) sets dev->num_tc\nto a non zero value.\r\n\r\nSecond call (with arbitrary mqprio attributes)\nreturns early from taprio_parse_mqprio_opt()\nand bad things can happen.(CVE-2024-36974)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKEYS: trusted: Do not use WARN when encode fails\r\n\r\nWhen asn1_encode_sequence() fails, WARN is not the correct solution.\r\n\r\n1. asn1_encode_sequence() is not an internal function (located\n   in lib/asn1_encode.c).\n2. Location is known, which makes the stack trace useless.\n3. Results a crash if panic_on_warn is set.\r\n\r\nIt is also noteworthy that the use of WARN is undocumented, and it\nshould be avoided unless there is a carefully considered rationale to\nuse it.\r\n\r\nReplace WARN with pr_err, and print the return value instead, which is\nonly useful piece of information.(CVE-2024-36975)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: dwc3: Wait unconditionally after issuing EndXfer command\r\n\r\nCurrently all controller IP/revisions except DWC3_usb3 >= 310a\nwait 1ms unconditionally for ENDXFER completion when IOC is not\nset. This is because DWC_usb3 controller revisions >= 3.10a\nsupports GUCTL2[14: Rst_actbitlater] bit which allows polling\nCMDACT bit to know whether ENDXFER command is completed.\r\n\r\nConsider a case where an IN request was queued, and parallelly\nsoft_disconnect was called (due to ffs_epfile_release). This\neventually calls stop_active_transfer with IOC cleared, hence\nsend_gadget_ep_cmd() skips waiting for CMDACT cleared during\nEndXfer. For DWC3 controllers with revisions >= 310a, we don't\nforcefully wait for 1ms either, and we proceed by unmapping the\nrequests. If ENDXFER didn't complete by this time, it leads to\nSMMU faults since the controller would still be accessing those\nrequests.\r\n\r\nFix this by ensuring ENDXFER completion by adding 1ms delay in\n__dwc3_stop_active_transfer() unconditionally.(CVE-2024-36977)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: sched: sch_multiq: fix possible OOB write in multiq_tune()\r\n\r\nq->bands will be assigned to qopt->bands to execute subsequent code logic\nafter kmalloc. So the old q->bands should not be used in kmalloc.\nOtherwise, an out-of-bounds write will occur.(CVE-2024-36978)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: bridge: xmit: make sure we have at least eth header len bytes\r\n\r\nsyzbot triggered an uninit value[1] error in bridge device's xmit path\nby sending a short (less than ETH_HLEN bytes) skb. To fix it check if\nwe can actually pull that amount instead of assuming.\r\n\r\nTested with dropwatch:\n drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3)\n origin: software\n timestamp: Mon May 13 11:31:53 2024 778214037 nsec\n protocol: 0x88a8\n length: 2\n original length: 2\n drop reason: PKT_TOO_SMALL\r\n\r\n[1]\nBUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65\n br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65\n __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n xmit_one net/core/dev.c:3531 [inline]\n dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\n __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n __bpf_tx_skb net/core/filter.c:2136 [inline]\n __bpf_redirect_common net/core/filter.c:2180 [inline]\n __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187\n ____bpf_clone_redirect net/core/filter.c:2460 [inline]\n bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432\n ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997\n __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238\n bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]\n __bpf_prog_run include/linux/filter.h:657 [inline]\n bpf_prog_run include/linux/filter.h:664 [inline]\n bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425\n bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058\n bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269\n __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678\n __do_sys_bpf kernel/bpf/syscall.c:5767 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5765 [inline]\n __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765\n x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f(CVE-2024-38538)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nof: module: add buffer overflow check in of_modalias()\r\n\r\nIn of_modalias(), if the buffer happens to be too small even for the 1st\nsnprintf() call, the len parameter will become negative and str parameter\n(if not NULL initially) will point beyond the buffer's end. Add the buffer\noverflow check after the 1st snprintf() call and fix such check after the\nstrlen() call (accounting for the terminating NUL char).(CVE-2024-38541)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/mediatek: Add 0 size check to mtk_drm_gem_obj\r\n\r\nAdd a check to mtk_drm_gem_init if we attempt to allocate a GEM object\nof 0 bytes. Currently, no such check exists and the kernel will panic if\na userspace application attempts to allocate a 0x0 GBM buffer.\r\n\r\nTested by attempting to allocate a 0x0 GBM buffer on an MT8188 and\nverifying that we now return EINVAL.(CVE-2024-38549)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nspeakup: Fix sizeof() vs ARRAY_SIZE() bug\r\n\r\nThe \"buf\" pointer is an array of u16 values.  This code should be\nusing ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512),\notherwise it can the still got out of bounds.(CVE-2024-38587)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\naf_unix: Fix data races in unix_release_sock/unix_stream_sendmsg\r\n\r\nA data-race condition has been identified in af_unix. In one data path,\nthe write function unix_release_sock() atomically writes to\nsk->sk_shutdown using WRITE_ONCE. However, on the reader side,\nunix_stream_sendmsg() does not read it atomically. Consequently, this\nissue is causing the following KCSAN splat to occur:\r\n\r\n\tBUG: KCSAN: data-race in unix_release_sock / unix_stream_sendmsg\r\n\r\n\twrite (marked) to 0xffff88867256ddbb of 1 bytes by task 7270 on cpu 28:\n\tunix_release_sock (net/unix/af_unix.c:640)\n\tunix_release (net/unix/af_unix.c:1050)\n\tsock_close (net/socket.c:659 net/socket.c:1421)\n\t__fput (fs/file_table.c:422)\n\t__fput_sync (fs/file_table.c:508)\n\t__se_sys_close (fs/open.c:1559 fs/open.c:1541)\n\t__x64_sys_close (fs/open.c:1541)\n\tx64_sys_call (arch/x86/entry/syscall_64.c:33)\n\tdo_syscall_64 (arch/x86/entry/common.c:?)\n\tentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\r\n\r\n\tread to 0xffff88867256ddbb of 1 bytes by task 989 on cpu 14:\n\tunix_stream_sendmsg (net/unix/af_unix.c:2273)\n\t__sock_sendmsg (net/socket.c:730 net/socket.c:745)\n\t____sys_sendmsg (net/socket.c:2584)\n\t__sys_sendmmsg (net/socket.c:2638 net/socket.c:2724)\n\t__x64_sys_sendmmsg (net/socket.c:2753 net/socket.c:2750 net/socket.c:2750)\n\tx64_sys_call (arch/x86/entry/syscall_64.c:33)\n\tdo_syscall_64 (arch/x86/entry/common.c:?)\n\tentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\r\n\r\n\tvalue changed: 0x01 -> 0x03\r\n\r\nThe line numbers are related to commit dd5a440a31fa (\"Linux 6.9-rc7\").\r\n\r\nCommit e1d09c2c2f57 (\"af_unix: Fix data races around sk->sk_shutdown.\")\naddressed a comparable issue in the past regarding sk->sk_shutdown.\nHowever, it overlooked resolving this particular data path.\nThis patch only offending unix_stream_sendmsg() function, since the\nother reads seem to be protected by unix_state_lock() as discussed in(CVE-2024-38596)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nring-buffer: Fix a race between readers and resize checks\r\n\r\nThe reader code in rb_get_reader_page() swaps a new reader page into the\nring buffer by doing cmpxchg on old->list.prev->next to point it to the\nnew page. Following that, if the operation is successful,\nold->list.next->prev gets updated too. This means the underlying\ndoubly-linked list is temporarily inconsistent, page->prev->next or\npage->next->prev might not be equal back to page for some page in the\nring buffer.\r\n\r\nThe resize operation in ring_buffer_resize() can be invoked in parallel.\nIt calls rb_check_pages() which can detect the described inconsistency\nand stop further tracing:\r\n\r\n[  190.271762] ------------[ cut here ]------------\n[  190.271771] WARNING: CPU: 1 PID: 6186 at kernel/trace/ring_buffer.c:1467 rb_check_pages.isra.0+0x6a/0xa0\n[  190.271789] Modules linked in: [...]\n[  190.271991] Unloaded tainted modules: intel_uncore_frequency(E):1 skx_edac(E):1\n[  190.272002] CPU: 1 PID: 6186 Comm: cmd.sh Kdump: loaded Tainted: G            E      6.9.0-rc6-default #5 158d3e1e6d0b091c34c3b96bfd99a1c58306d79f\n[  190.272011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552c-rebuilt.opensuse.org 04/01/2014\n[  190.272015] RIP: 0010:rb_check_pages.isra.0+0x6a/0xa0\n[  190.272023] Code: [...]\n[  190.272028] RSP: 0018:ffff9c37463abb70 EFLAGS: 00010206\n[  190.272034] RAX: ffff8eba04b6cb80 RBX: 0000000000000007 RCX: ffff8eba01f13d80\n[  190.272038] RDX: ffff8eba01f130c0 RSI: ffff8eba04b6cd00 RDI: ffff8eba0004c700\n[  190.272042] RBP: ffff8eba0004c700 R08: 0000000000010002 R09: 0000000000000000\n[  190.272045] R10: 00000000ffff7f52 R11: ffff8eba7f600000 R12: ffff8eba0004c720\n[  190.272049] R13: ffff8eba00223a00 R14: 0000000000000008 R15: ffff8eba067a8000\n[  190.272053] FS:  00007f1bd64752c0(0000) GS:ffff8eba7f680000(0000) knlGS:0000000000000000\n[  190.272057] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  190.272061] CR2: 00007f1bd6662590 CR3: 000000010291e001 CR4: 0000000000370ef0\n[  190.272070] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  190.272073] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  190.272077] Call Trace:\n[  190.272098]  <TASK>\n[  190.272189]  ring_buffer_resize+0x2ab/0x460\n[  190.272199]  __tracing_resize_ring_buffer.part.0+0x23/0xa0\n[  190.272206]  tracing_resize_ring_buffer+0x65/0x90\n[  190.272216]  tracing_entries_write+0x74/0xc0\n[  190.272225]  vfs_write+0xf5/0x420\n[  190.272248]  ksys_write+0x67/0xe0\n[  190.272256]  do_syscall_64+0x82/0x170\n[  190.272363]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  190.272373] RIP: 0033:0x7f1bd657d263\n[  190.272381] Code: [...]\n[  190.272385] RSP: 002b:00007ffe72b643f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[  190.272391] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1bd657d263\n[  190.272395] RDX: 0000000000000002 RSI: 0000555a6eb538e0 RDI: 0000000000000001\n[  190.272398] RBP: 0000555a6eb538e0 R08: 000000000000000a R09: 0000000000000000\n[  190.272401] R10: 0000555a6eb55190 R11: 0000000000000246 R12: 00007f1bd6662500\n[  190.272404] R13: 0000000000000002 R14: 00007f1bd6667c00 R15: 0000000000000002\n[  190.272412]  </TASK>\n[  190.272414] ---[ end trace 0000000000000000 ]---\r\n\r\nNote that ring_buffer_resize() calls rb_check_pages() only if the parent\ntrace_buffer has recording disabled. Recent commit d78ab792705c\n(\"tracing: Stop current tracer when resizing buffer\") causes that it is\nnow always the case which makes it more likely to experience this issue.\r\n\r\nThe window to hit this race is nonetheless very small. To help\nreproducing it, one can add a delay loop in rb_get_reader_page():\r\n\r\n ret = rb_head_page_replace(reader, cpu_buffer->reader_page);\n if (!ret)\n \tgoto spin;\n for (unsigned i = 0; i < 1U << 26; i++)  /* inserted delay loop */\n \t__asm__ __volatile__ (\"\" : : : \"memory\");\n rb_list_head(reader->list.next)->prev = &cpu_buffer->reader_page->list;\r\n\r\n.. \n---truncated---(CVE-2024-38601)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: core: Fix NULL module pointer assignment at card init\r\n\r\nThe commit 81033c6b584b (\"ALSA: core: Warn on empty module\")\nintroduced a WARN_ON() for a NULL module pointer passed at snd_card\nobject creation, and it also wraps the code around it with '#ifdef\nMODULE'.  This works in most cases, but the devils are always in\ndetails.  \"MODULE\" is defined when the target code (i.e. the sound\ncore) is built as a module; but this doesn't mean that the caller is\nalso built-in or not.  Namely, when only the sound core is built-in\n(CONFIG_SND=y) while the driver is a module (CONFIG_SND_USB_AUDIO=m),\nthe passed module pointer is ignored even if it's non-NULL, and\ncard->module remains as NULL.  This would result in the missing module\nreference up/down at the device open/close, leading to a race with the\ncode execution after the module removal.\r\n\r\nFor addressing the bug, move the assignment of card->module again out\nof ifdef.  The WARN_ON() is still wrapped with ifdef because the\nmodule can be really NULL when all sound drivers are built-in.\r\n\r\nNote that we keep 'ifdef MODULE' for WARN_ON(), otherwise it would\nlead to a false-positive NULL module check.  Admittedly it won't catch\nperfectly, i.e. no check is performed when CONFIG_SND=y.  But, it's no\nreal problem as it's only for debugging, and the condition is pretty\nrare.(CVE-2024-38605)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: multidev: fix to recognize valid zero block address\r\n\r\nAs reported by Yi Zhang in mailing list [1], kernel warning was catched\nduring zbd/010 test as below:\r\n\r\n./check zbd/010\nzbd/010 (test gap zone support with F2FS)                    [failed]\n    runtime    ...  3.752s\n    something found in dmesg:\n    [ 4378.146781] run blktests zbd/010 at 2024-02-18 11:31:13\n    [ 4378.192349] null_blk: module loaded\n    [ 4378.209860] null_blk: disk nullb0 created\n    [ 4378.413285] scsi_debug:sdebug_driver_probe: scsi_debug: trim\npoll_queues to 0. poll_q/nr_hw = (0/1)\n    [ 4378.422334] scsi host15: scsi_debug: version 0191 [20210520]\n                     dev_size_mb=1024, opts=0x0, submit_queues=1, statistics=0\n    [ 4378.434922] scsi 15:0:0:0: Direct-Access-ZBC Linux\nscsi_debug       0191 PQ: 0 ANSI: 7\n    [ 4378.443343] scsi 15:0:0:0: Power-on or device reset occurred\n    [ 4378.449371] sd 15:0:0:0: Attached scsi generic sg5 type 20\n    [ 4378.449418] sd 15:0:0:0: [sdf] Host-managed zoned block device\n    ...\n    (See '/mnt/tests/gitlab.com/api/v4/projects/19168116/repository/archive.zip/storage/blktests/blk/blktests/results/nodev/zbd/010.dmesg'\r\n\r\nWARNING: CPU: 22 PID: 44011 at fs/iomap/iter.c:51\nCPU: 22 PID: 44011 Comm: fio Not tainted 6.8.0-rc3+ #1\nRIP: 0010:iomap_iter+0x32b/0x350\nCall Trace:\n <TASK>\n __iomap_dio_rw+0x1df/0x830\n f2fs_file_read_iter+0x156/0x3d0 [f2fs]\n aio_read+0x138/0x210\n io_submit_one+0x188/0x8c0\n __x64_sys_io_submit+0x8c/0x1a0\n do_syscall_64+0x86/0x170\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\r\n\r\nShinichiro Kawasaki helps to analyse this issue and proposes a potential\nfixing patch in [2].\r\n\r\nQuoted from reply of Shinichiro Kawasaki:\r\n\r\n\"I confirmed that the trigger commit is dbf8e63f48af as Yi reported. I took a\nlook in the commit, but it looks fine to me. So I thought the cause is not\nin the commit diff.\r\n\r\nI found the WARN is printed when the f2fs is set up with multiple devices,\nand read requests are mapped to the very first block of the second device in the\ndirect read path. In this case, f2fs_map_blocks() and f2fs_map_blocks_cached()\nmodify map->m_pblk as the physical block address from each block device. It\nbecomes zero when it is mapped to the first block of the device. However,\nf2fs_iomap_begin() assumes that map->m_pblk is the physical block address of the\nwhole f2fs, across the all block devices. It compares map->m_pblk against\nNULL_ADDR == 0, then go into the unexpected branch and sets the invalid\niomap->length. The WARN catches the invalid iomap->length.\r\n\r\nThis WARN is printed even for non-zoned block devices, by following steps.\r\n\r\n - Create two (non-zoned) null_blk devices memory backed with 128MB size each:\n   nullb0 and nullb1.\n # mkfs.f2fs /dev/nullb0 -c /dev/nullb1\n # mount -t f2fs /dev/nullb0 \"${mount_dir}\"\n # dd if=/dev/zero of=\"${mount_dir}/test.dat\" bs=1M count=192\n # dd if=\"${mount_dir}/test.dat\" of=/dev/null bs=1M count=192 iflag=direct\r\n\r\n...\"\r\n\r\nSo, the root cause of this issue is: when multi-devices feature is on,\nf2fs_map_blocks() may return zero blkaddr in non-primary device, which is\na verified valid block address, however, f2fs_iomap_begin() treats it as\nan invalid block address, and then it triggers the warning in iomap\nframework code.\r\n\r\nFinally, as discussed, we decide to use a more simple and direct way that\nchecking (map.m_flags & F2FS_MAP_MAPPED) condition instead of\n(map.m_pblk != NULL_ADDR) to fix this issue.\r\n\r\nThanks a lot for the effort of Yi Zhang and Shinichiro Kawasaki on this\nissue.\r\n\r\n[1] https://lore.kernel.org/linux-f2fs-devel/CAHj4cs-kfojYC9i0G73PRkYzcxCTex=-vugRFeP40g_URGvnfQ@mail.gmail.com/\n[2] https://lore.kernel.org/linux-f2fs-devel/gngdj77k4picagsfdtiaa7gpgnup6fsgwzsltx6milmhegmjff@iax2n4wvrqye/(CVE-2024-38636)",
+    "cves": [
+      {
+        "id": "CVE-2024-38636",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38636",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1781": {
+    "id": "openEuler-SA-2023-1781",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1781",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "Critical",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4040_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cm4040_open() and reader_detach().(CVE-2022-44033)\r\n\r\nAn issue was discovered in the Linux kernel through 6.0.10. In drivers/media/dvb-core/dvb_ca_en50221.c, a use-after-free can occur is there is a disconnect after an open, because of the lack of a wait_event.(CVE-2022-45919)\r\n\r\nVUL-0: CVE-2023-2593: kernel: Linux Kernel ksmbd Memory Exhaustion Denial-of-Service Vulnerability(CVE-2023-2593)\r\n\r\nThere is a null-pointer-dereference flaw found in f2fs_write_end_io in fs/f2fs/data.c in the Linux kernel. This flaw allows a local privileged user to cause a denial of service problem.(CVE-2023-2898)\r\n\r\nAn issue was discovered in drivers/bluetooth/hci_ldisc.c in the Linux kernel 6.2. In hci_uart_tty_ioctl, there is a race condition between HCIUARTSETPROTO and HCIUARTGETPROTO. HCI_UART_PROTO_SET is set before hu->proto is set. A NULL pointer dereference may occur.(CVE-2023-31083)\r\n\r\nAn issue was discovered in drivers/mtd/ubi/cdev.c in the Linux kernel 6.2. There is a divide-by-zero error in do_div(sz,mtd->erasesize), used indirectly by ctrl_cdev_ioctl, when mtd->erasesize is 0.(CVE-2023-31085)\r\n\r\nVUL-0: CVE-2023-32246: kernel: Linux Kernel ksmbd RCU Callback Race Condition Local Privilege Escalation Vulnerability(CVE-2023-32246)\r\n\r\nA flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.(CVE-2023-32254)\r\n\r\nClosing of an event channel in the Linux kernel can result in a deadlock. This happens when the close is being performed in parallel to an unrelated Xen console action and the handling of a Xen console interrupt in an unprivileged guest. The closing of an event channel is e.g. triggered by removal of a paravirtual device on the other side. As this action will cause console messages to be issued on the other side quite often, the chance of triggering the deadlock is not neglectable.\nA (malicious) guest administrator could cause a denial of service (DoS) in a backend domain (other than dom0) by disabling a paravirtualized device. A malicious backend could cause DoS in a guest running a Linux kernel by disabling a paravirtualized device.(CVE-2023-34324)\r\n\r\nA flaw was found in the Netfilter subsystem in the Linux kernel. The nfnl_osf_add_callback function did not validate the user mode controlled opt_num field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.(CVE-2023-39189)\r\n\r\nA flaw was found in the Netfilter subsystem in the Linux kernel. The xt_u32 module did not validate the fields in the xt_u32 structure. This flaw allows a local privileged attacker to trigger an out-of-bounds read by setting the size fields with a value beyond the array boundaries, leading to a crash or information disclosure.(CVE-2023-39192)\r\n\r\nA flaw was found in the Netfilter subsystem in the Linux kernel. The sctp_mt_check did not validate the flag_count field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.(CVE-2023-39193)\r\n\r\nA flaw was found in the XFRM subsystem in the Linux kernel. The specific flaw exists within the processing of state filters, which can result in a read past the end of an allocated buffer. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, potentially leading to an information disclosure.(CVE-2023-39194)\r\n\r\nA NULL pointer dereference flaw was found in the Linux kernel ipv4 stack. The socket buffer (skb) was assumed to be associated with a device before calling __ip_options_compile, which is not always the case if the skb is re-routed by ipvs. This issue may allow a local user with CAP_NET_ADMIN privileges to crash the system.(CVE-2023-42754)\r\n\r\nAn issue was discovered in drivers/usb/storage/ene_ub6250.c for the ENE UB6250 reader driver in the Linux kernel before 6.2.5. An object could potentially extend beyond the end of an allocation.(CVE-2023-45862)\r\n\r\nAn issue was discovered in lib/kobject.c in the Linux kernel before 6.2.3. With root access, an attacker can trigger a race condition that results in a fill_kobj_path out-of-bounds write.(CVE-2023-45863)\r\n\r\nAn issue was discovered in drivers/net/ethernet/intel/igb/igb_main.c in the IGB driver in the Linux kernel before 6.5.3. A buffer size may not be adequate for frames larger than the MTU.(CVE-2023-45871)\r\n\r\nA heap out-of-bounds write vulnerability in the Linux kernel's Linux Kernel Performance Events (perf) component can be exploited to achieve local privilege escalation.\r\n\r\nIf perf_read_group() is called while an event's sibling_list is smaller than its child's sibling_list, it can increment or write to memory locations outside of the allocated buffer.\r\n\r\nWe recommend upgrading past commit 32671e3799ca2e4590773fd0e63aaa4229e50c06.\r\n\r\n(CVE-2023-5717)",
+    "cves": [
+      {
+        "id": "CVE-2023-5717",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5717",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1067": {
+    "id": "openEuler-SA-2023-1067",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1067",
+    "title": "An update for bind is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.\r\n\r\nSecurity Fix(es):\r\n\r\nSending a flood of dynamic DNS updates may cause `named` to allocate large amounts of memory. This, in turn, may cause `named` to exit due to a lack of free memory. We are not aware of any cases where this has been exploited. Memory is allocated prior to the checking of access permissions (ACLs) and is retained during the processing of a dynamic update from a client whose access credentials are accepted. Memory allocated to clients that are not permitted to send updates is released immediately upon rejection. The scope of this vulnerability is limited therefore to trusted clients who are permitted to make dynamic zone changes. If a dynamic update is REFUSED, memory will be released again very quickly. Therefore it is only likely to be possible to degrade or stop `named` by sending a flood of unaccepted dynamic updates comparable in magnitude to a query flood intended to achieve the same detrimental outcome. BIND 9.11 and earlier branches are also affected, but through exhaustion of internal resources rather than memory constraints. This may reduce performance but should not be a significant problem for most servers. Therefore we don't intend to address this for BIND versions prior to BIND 9.16. This issue affects BIND 9 versions 9.16.0 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.8-S1 through 9.16.36-S1.(CVE-2022-3094)\r\n\r\nBIND 9 resolver can crash when stale cache and stale answers are enabled, option `stale-answer-client-timeout` is set to a positive integer, and the resolver receives an RRSIG query. This issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1.(CVE-2022-3736)\r\n\r\nThis issue can affect BIND 9 resolvers with `stale-answer-enable yes;` that also make use of the option `stale-answer-client-timeout`, configured with a value greater than zero. If the resolver receives many queries that require recursion, there will be a corresponding increase in the number of clients that are waiting for recursion to complete. If there are sufficient clients already waiting when a new client query is received so that it is necessary to SERVFAIL the longest waiting client (see BIND 9 ARM `recursive-clients` limit and soft quota), then it is possible for a race to occur between providing a stale answer to this older client and sending an early timeout SERVFAIL, which may cause an assertion failure. This issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1.(CVE-2022-3924)",
+    "cves": [
+      {
+        "id": "CVE-2022-3924",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3924",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1264": {
+    "id": "openEuler-SA-2021-1264",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1264",
+    "title": "An update for python3 is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces.\r\n\r\nSecurity Fix(es):\r\n\r\nThere s a flaw in Python 3 s pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.(CVE-2021-3426)",
+    "cves": [
+      {
+        "id": "CVE-2021-3426",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3426",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1347": {
+    "id": "openEuler-SA-2023-1347",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1347",
+    "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\n\nSecurity Fix(es):\n\nA vulnerability was found in ImageMagick. This security flaw ouccers as an undefined behaviors of casting double to size_t in svg, mvg and other coders (recurring bugs of CVE-2022-32546).(CVE-2023-34151)",
+    "cves": [
+      {
+        "id": "CVE-2023-34151",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34151",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1043": {
+    "id": "openEuler-SA-2021-1043",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1043",
+    "title": "An update for flatpak is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "flatpak is a system for building, distributing and running sandboxed desktop applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for more information.\r\n\r\nSecurity Fix(es):\r\n\r\nFlatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. A bug was discovered in the `flatpak-portal` service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape). This sandbox-escape bug is present in versions from 0.11.4 and before fixed versions 1.8.5 and 1.9.4. The Flatpak portal D-Bus service (`flatpak-portal`, also known by its D-Bus service name `org.freedesktop.portal.Flatpak`) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings. For example, this is used in Flatpak-packaged web browsers such as Chromium to launch subprocesses that will process untrusted web content, and give those subprocesses a more restrictive sandbox than the browser itself. In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is not in a sandbox. As a workaround, this vulnerability can be mitigated by preventing the `flatpak-portal` service from starting, but that mitigation will prevent many Flatpak apps from working correctly. This is fixed in versions 1.8.5 and 1.9.4.(CVE-2021-21261)",
+    "cves": [
+      {
+        "id": "CVE-2021-21261",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21261",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1394": {
+    "id": "openEuler-SA-2023-1394",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1394",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nAn out-of-bounds read vulnerability was found in the SR-IPv6 implementation in the Linux kernel. Quoting ZDI security advisory [1]:\n\n\"This vulnerability allows local attackers to disclose sensitive information on affected installations of the Linux Kernel. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the processing of seg6 attributes. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.\"\n\n[1] https://www.zerodayinitiative.com/advisories/ZDI-CAN-18511/(CVE-2023-2860)\n\nA known cache speculation vulnerability, known as Branch History Injection (BHI) or Spectre-BHB, becomes actual again for the new hw AmpereOne. Spectre-BHB is similar to Spectre v2, except that malicious code uses the shared branch history (stored in the CPU Branch History Buffer, or BHB) to influence mispredicted branches within the victim's hardware context. Once that occurs, speculation caused by the mispredicted branches can cause cache allocation. This issue leads to obtaining information that should not be accessible.(CVE-2023-3006)\n\nAn issue was discovered in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel 6.2. There is a blocking operation when a task is in !TASK_RUNNING. In dvb_frontend_get_event, wait_event_interruptible is called; the condition is dvb_frontend_test_event(fepriv,events). In dvb_frontend_test_event, down(&fepriv->sem) is called. However, wait_event_interruptible would put the process to sleep, and down(&fepriv->sem) may block the process.(CVE-2023-31084)\n\nA flaw was found in the Framebuffer Console (fbcon) in the Linux Kernel. When providing font->width and font->height greater than 32 to fbcon_set_font, since there are no checks in place, a shift-out-of-bounds occurs leading to undefined behavior and possible denial of service.(CVE-2023-3161)\n\nA NULL pointer dereference issue was found in the gfs2 file system in the Linux kernel. It occurs on corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it has been freed and set to NULL. A privileged local user could use this flaw to cause a kernel panic.(CVE-2023-3212)\n\n** DISPUTED ** An issue was discovered in the Linux kernel before 6.3.3. There is an out-of-bounds read in crc16 in lib/crc16.c when called from fs/ext4/super.c because ext4_group_desc_csum does not properly check an offset. NOTE: this is disputed by third parties because the kernel is not intended to defend against attackers with the stated \"When modifying the block device while it is mounted by the filesystem\" access.(CVE-2023-34256)\n\nAn issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation.(CVE-2023-35788)\n\nAn issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in saa7134_finidev in drivers/media/pci/saa7134/saa7134-core.c.(CVE-2023-35823)\n\nAn issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in drivers/media/pci/dm1105/dm1105.c.(CVE-2023-35824)\n\nAn issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in renesas_usb3_remove in drivers/usb/gadget/udc/renesas_usb3.c.(CVE-2023-35828)",
+    "cves": [
+      {
+        "id": "CVE-2023-35828",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35828",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1075": {
+    "id": "openEuler-SA-2021-1075",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1075",
+    "title": "An update for tomcat is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project\r\n\r\nSecurity Fix(es):\r\n\r\nWhen serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.(CVE-2021-24122)",
+    "cves": [
+      {
+        "id": "CVE-2021-24122",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24122",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2041": {
+    "id": "openEuler-SA-2022-2041",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2041",
+    "title": "An update for curl is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "CURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\ncurl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.(CVE-2022-42915)\r\n\r\nA vulnerability was found in curl. The issue occurs when doing HTTP(S) transfers, where curl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set if it previously used the same handle to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request.(CVE-2022-32221)\r\n\r\nIn curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.(CVE-2022-42916)",
+    "cves": [
+      {
+        "id": "CVE-2022-42916",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42916",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1476": {
+    "id": "openEuler-SA-2024-1476",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1476",
+    "title": "An update for apache-mime4j is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Java stream based MIME message parser.\r\n\r\nSecurity Fix(es):\r\n\r\nImproper input validation allows for header injection in MIME4J library when using MIME4J DOM for composing message.\nThis can be exploited by an attacker to add unintended headers to MIME messages.\n(CVE-2024-21742)",
+    "cves": [
+      {
+        "id": "CVE-2024-21742",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21742",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1674": {
+    "id": "openEuler-SA-2023-1674",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1674",
+    "title": "An update for firefox is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Mozilla Firefox is a standalone web browser, designed for standards compliance and performance.  Its functionality can be enhanced via a plethora of extensions.\r\n\r\nMozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.\r\n\r\nSecurity Fix(es):\r\n\r\nMozilla developers reported memory safety bugs present in Firefox for Android 79. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 80, Firefox ESR < 78.2, Thunderbird < 78.2, and Firefox for Android < 80.(CVE-2020-15670)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 80 and Firefox ESR 78.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3.(CVE-2020-15673)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 80. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 81.(CVE-2020-15674)\r\n\r\nWhen processing surfaces, the lifetime may outlive a persistent buffer leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 81.(CVE-2020-15675)\r\n\r\nIf a valid external protocol handler was referenced in an image tag, the resulting broken image size could be distinguished from a broken image size of a non-existent protocol handler. This allowed an attacker to successfully probe whether an external protocol handler was registered. This vulnerability affects Firefox < 82.(CVE-2020-15680)\r\n\r\nWhen multiple WASM threads had a reference to a module, and were looking up exported functions, one WASM thread could have overwritten another's entry in a shared stub table, resulting in a potentially exploitable crash. This vulnerability affects Firefox < 82.(CVE-2020-15681)\r\n\r\nWhen a link to an external protocol was clicked, a prompt was presented that allowed the user to choose what application to open it in. An attacker could induce that prompt to be associated with an origin they didn't control, resulting in a spoofing attack. This was fixed by changing external protocol prompts to be tab-modal while also ensuring they could not be incorrectly associated with a different origin. This vulnerability affects Firefox < 82.(CVE-2020-15682)\r\n\r\nMozilla developers and community members reported memory safety bugs present in Firefox 81 and Firefox ESR 78.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.4, Firefox < 82, and Thunderbird < 78.4.(CVE-2020-15683)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 81. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 82.(CVE-2020-15684)\r\n\r\nSide-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to leak cross-origin data via a crafted HTML page.(CVE-2020-16012)\r\n\r\nUse after free in WebRTC in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit heap corruption via a crafted SCTP packet.(CVE-2020-16044)\r\n\r\nIn certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. This vulnerability affects Firefox < 82.0.3, Firefox ESR < 78.4.1, and Thunderbird < 78.4.2.(CVE-2020-26950)\r\n\r\n(CVE-2020-26951)\r\n\r\n(CVE-2020-26953)\r\n\r\n(CVE-2020-26956)\r\n\r\n(CVE-2020-26958)\r\n\r\n(CVE-2020-26959)\r\n\r\n(CVE-2020-26960)\r\n\r\n(CVE-2020-26961)\r\n\r\n(CVE-2020-26962)\r\n\r\n(CVE-2020-26965)\r\n\r\n(CVE-2020-26968)\r\n\r\n(CVE-2020-26969)\r\n\r\nCertain blit values provided by the user were not properly constrained leading to a heap buffer overflow on some video drivers. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6.(CVE-2020-26971)\r\n\r\nThe lifecycle of IPC Actors allows managed actors to outlive their manager actors; and the former must ensure that they are not attempting to use a dead actor they have a reference to. Such a check was omitted in WebGL, resulting in a use-after-free and a potentially exploitable crash. This vulnerability affects Firefox < 84.(CVE-2020-26972)\r\n\r\nCertain input to the CSS Sanitizer confused it, resulting in incorrect components being removed. This could have been used as a sanitizer bypass. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6.(CVE-2020-26973)\r\n\r\nWhen flex-basis was used on a table wrapper, a StyleGenericFlexBasis object could have been incorrectly cast to the wrong type. This resulted in a heap user-after-free, memory corruption, and a potentially exploitable crash. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6.(CVE-2020-26974)\r\n\r\nWhen a HTTPS pages was embedded in a HTTP page, and there was a service worker registered for the former, the service worker could have intercepted the request for the secure page despite the iframe not being a secure context due to the (insecure) framing. This vulnerability affects Firefox < 84.(CVE-2020-26976)\r\n\r\nUsing techniques that built on the slipstream research, a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6.(CVE-2020-26978)\r\n\r\nWhen a user typed a URL in the address bar or the search bar and quickly hit the enter key, a website could sometimes capture that event and then redirect the user before navigation occurred to the desired, entered address. To construct a convincing spoof the attacker would have had to guess what the user was typing, perhaps by suggesting it. This vulnerability affects Firefox < 84.(CVE-2020-26979)\r\n\r\nWhen an extension with the proxy permission registered to receive <all_urls>, the proxy.onRequest callback was not triggered for view-source URLs. While web content cannot navigate to such URLs, a user opening View Source could have inadvertently leaked their IP address. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6.(CVE-2020-35111)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 83 and Firefox ESR 78.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6.(CVE-2020-35113)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 83. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 84.(CVE-2020-35114)\r\n\r\nIf a user clicked into a specifically crafted PDF, the PDF reader could be confused into leaking cross-origin information, when said information is served as chunked data. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7.(CVE-2021-23953)\r\n\r\nUsing the new logical assignment operators in a JavaScript switch statement could have caused a type confusion, leading to a memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7.(CVE-2021-23954)\r\n\r\nThe browser could have been confused into transferring a pointer lock state into another tab, which could have lead to clickjacking attacks. This vulnerability affects Firefox < 85.(CVE-2021-23955)\r\n\r\nAn ambiguous file picker design could have confused users who intended to select and upload a single file into uploading a whole directory. This was addressed by adding a new prompt. This vulnerability affects Firefox < 85.(CVE-2021-23956)\r\n\r\nThe browser could have been confused into transferring a screen sharing state into another tab, which would leak unintended information. This vulnerability affects Firefox < 85.(CVE-2021-23958)\r\n\r\nPerforming garbage collection on re-declared JavaScript variables resulted in a user-after-poison, and a potentially exploitable crash. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7.(CVE-2021-23960)\r\n\r\nFurther techniques that built on the slipstream research combined with a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. This vulnerability affects Firefox < 85.(CVE-2021-23961)\r\n\r\nIncorrect use of the '<RowCountChanged>' method could have led to a user-after-poison and a potentially exploitable crash. This vulnerability affects Firefox < 85.(CVE-2021-23962)\r\n\r\nWhen sharing geolocation during an active WebRTC share, Firefox could have reset the webRTC sharing state in the user interface, leading to loss of control over the currently granted permission. This vulnerability affects Firefox < 85.(CVE-2021-23963)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 84 and Firefox ESR 78.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7.(CVE-2021-23964)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 84. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 85.(CVE-2021-23965)\r\n\r\nIf Content Security Policy blocked frame navigation, the full destination of a redirect served in the frame was reported in the violation report; as opposed to the original frame URI. This could be used to leak sensitive information contained in such URIs. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8.(CVE-2021-23968)\r\n\r\nAs specified in the W3C Content Security Policy draft, when creating a violation report, \"User agents need to ensure that the source file is the URL requested by the page, pre-redirects. If that’s not possible, user agents need to strip the URL down to an origin to avoid unintentional leakage.\" Under certain types of redirects, Firefox incorrectly set the source file to be the destination of the redirects. This was fixed to be the redirect destination's origin. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8.(CVE-2021-23969)\r\n\r\nContext-specific code was included in a shared jump table; resulting in assertions being triggered in multithreaded wasm code. This vulnerability affects Firefox < 86.(CVE-2021-23970)\r\n\r\nWhen processing a redirect with a conflicting Referrer-Policy, Firefox would have adopted the redirect's Referrer-Policy. This would have potentially resulted in more information than intended by the original origin being provided to the destination of the redirect. This vulnerability affects Firefox < 86.(CVE-2021-23971)\r\n\r\nOne phishing tactic on the web is to provide a link with HTTP Auth. For example 'https://www.phishingtarget.com@evil.com'. To mitigate this type of attack, Firefox will display a warning dialog; however, this warning dialog would not have been displayed if evil.com used a redirect that was cached by the browser. This vulnerability affects Firefox < 86.(CVE-2021-23972)\r\n\r\nWhen trying to load a cross-origin resource in an audio/video context a decoding error may have resulted, and the content of that error may have revealed information about the resource. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8.(CVE-2021-23973)\r\n\r\nThe DOMParser API did not properly process '<noscript>' elements for escaping. This could be used as an mXSS vector to bypass an HTML Sanitizer. This vulnerability affects Firefox < 86.(CVE-2021-23974)\r\n\r\nThe developer page about:memory has a Measure function for exploring what object types the browser has allocated and their sizes. When this function was invoked we incorrectly called the sizeof function, instead of using the API method that checks for invalid pointers. This vulnerability affects Firefox < 86.(CVE-2021-23975)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 85 and Firefox ESR 78.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8.(CVE-2021-23978)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 85. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 86.(CVE-2021-23979)\r\n\r\nA texture upload of a Pixel Buffer Object could have confused the WebGL code to skip binding the buffer used to unpack it, resulting in memory corruption and a potentially exploitable information leak or crash. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.(CVE-2021-23981)\r\n\r\nUsing techniques that built on the slipstream research, a malicious webpage could have scanned both an internal network's hosts as well as services running on the user's local machine utilizing WebRTC connections. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.(CVE-2021-23982)\r\n\r\nBy causing a transition on a parent node by removing a CSS rule, an invalid property for a marker could have been applied, resulting in memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 87.(CVE-2021-23983)\r\n\r\nA malicious extension could have opened a popup window lacking an address bar. The title of the popup lacking an address bar should not be fully controllable, but in this situation was. This could have been used to spoof a website and attempt to trick the user into providing credentials. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.(CVE-2021-23984)\r\n\r\nIf an attacker is able to alter specific about:config values (for example malware running on the user's computer), the Devtools remote debugging feature could have been enabled in a way that was unnoticable to the user. This would have allowed a remote attacker (able to make a direct network connection to the victim) to monitor the user's browsing activity and (plaintext) network traffic. This was addressed by providing a visual cue when Devtools has an open network socket. This vulnerability affects Firefox < 87.(CVE-2021-23985)\r\n\r\nA malicious extension with the 'search' permission could have installed a new search engine whose favicon referenced a cross-origin URL. The response to this cross-origin request could have been read by the extension, allowing a same-origin policy bypass by the extension, which should not have cross-origin permissions. This cross-origin request was made without cookies, so the sensitive information disclosed by the violation was limited to local-network resources or resources that perform IP-based authentication. This vulnerability affects Firefox < 87.(CVE-2021-23986)\r\n\r\nMozilla developers and community members reported memory safety bugs present in Firefox 86 and Firefox ESR 78.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.(CVE-2021-23987)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 86. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 87.(CVE-2021-23988)\r\n\r\nA WebGL framebuffer was not initialized early enough, resulting in memory corruption and an out of bound write. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.(CVE-2021-23994)\r\n\r\nWhen Responsive Design Mode was enabled, it used references to objects that were previously freed. We presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.(CVE-2021-23995)\r\n\r\nBy utilizing 3D CSS in conjunction with Javascript, content could have been rendered outside the webpage's viewport, resulting in a spoofing attack that could have been used for phishing or other attacks on a user. This vulnerability affects Firefox < 88.(CVE-2021-23996)\r\n\r\nDue to unexpected data type conversions, a use-after-free could have occurred when interacting with the font cache. We presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox < 88.(CVE-2021-23997)\r\n\r\nThrough complicated navigations with new windows, an HTTP page could have inherited a secure lock icon from an HTTPS page. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.(CVE-2021-23998)\r\n\r\nIf a Blob URL was loaded through some unusual user interaction, it could have been loaded by the System Principal and granted additional privileges that should not be granted to web content. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.(CVE-2021-23999)\r\n\r\nA race condition with requestPointerLock() and setTimeout() could have resulted in a user interacting with one tab when they believed they were on a separate tab. In conjunction with certain elements (such as &lt;input type=\"file\"&gt;) this could have led to an attack where a user was confused about the origin of the webpage and potentially disclosed information they did not intend to. This vulnerability affects Firefox < 88.(CVE-2021-24000)\r\n\r\nA compromised content process could have performed session history manipulations it should not have been able to due to testing infrastructure that was not restricted to testing-only configurations. This vulnerability affects Firefox < 88.(CVE-2021-24001)\r\n\r\nWhen a user clicked on an FTP URL containing encoded newline characters (%0A and %0D), the newlines would have been interpreted as such and allowed arbitrary commands to be sent to the FTP server. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.(CVE-2021-24002)\r\n\r\nLack of escaping allowed HTML injection when a webpage was viewed in Reader View. While a Content Security Policy prevents direct code execution, HTML injection is still possible. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 88.(CVE-2021-29944)\r\n\r\nThe WebAssembly JIT could miscalculate the size of a return type, which could lead to a null read and result in a crash. *Note: This issue only affected x86-32 platforms. Other platforms are unaffected.*. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.(CVE-2021-29945)\r\n\r\nPorts that were written as an integer overflow above the bounds of a 16-bit integer could have bypassed port blocking restrictions when used in the Alt-Svc header. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.(CVE-2021-29946)\r\n\r\nMozilla developers and community members reported memory safety bugs present in Firefox 87. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 88.(CVE-2021-29947)\r\n\r\nWhen Web Render components were destructed, a race condition could have caused undefined behavior, and we presume that with enough effort may have been exploitable to run arbitrary code. This vulnerability affects Firefox < 88.0.1 and Firefox for Android < 88.1.3.(CVE-2021-29952)\r\n\r\nA malicious webpage could have forced a Firefox for Android user into executing attacker-controlled JavaScript in the context of another domain, resulting in a Universal Cross-Site Scripting vulnerability. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected. Further details are being temporarily withheld to allow users an opportunity to update.*. This vulnerability affects Firefox < 88.0.1 and Firefox for Android < 88.1.3.(CVE-2021-29953)\r\n\r\nA transient execution vulnerability, named Floating Point Value Injection (FPVI) allowed an attacker to leak arbitrary memory addresses and may have also enabled JIT type confusion attacks. (A related vulnerability, Speculative Code Store Bypass (SCSB), did not affect Firefox.). This vulnerability affects Firefox ESR < 78.9 and Firefox < 87.(CVE-2021-29955)\r\n\r\nWhen a user has already allowed a website to access microphone and camera, disabling camera sharing would not fully prevent the website from re-enabling it without an additional prompt. This was only possible if the website kept recording with the microphone until re-enabling the camera. This vulnerability affects Firefox < 89.(CVE-2021-29959)\r\n\r\nFirefox used to cache the last filename used for printing a file. When generating a filename for printing, Firefox usually suggests the web page title. The caching and suggestion techniques combined may have lead to the title of a website visited during private browsing mode being stored on disk. This vulnerability affects Firefox < 89.(CVE-2021-29960)\r\n\r\nWhen styling and rendering an oversized `<select>` element, Firefox did not apply correct clipping which allowed an attacker to paint over the user interface. This vulnerability affects Firefox < 89.(CVE-2021-29961)\r\n\r\nA malicious website that causes an HTTP Authentication dialog to be spawned could trick the built-in password manager to suggest passwords for the currently active website instead of the website that triggered the dialog. *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 89.(CVE-2021-29965)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 88. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 89.(CVE-2021-29966)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 88 and Firefox ESR 78.11. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.11, Firefox < 89, and Firefox ESR < 78.11.(CVE-2021-29967)\r\n\r\nA malicious webpage could have triggered a use-after-free, memory corruption, and a potentially exploitable crash. *This bug could only be triggered when accessibility was enabled.*. This vulnerability affects Thunderbird < 78.12, Firefox ESR < 78.12, and Firefox < 90.(CVE-2021-29970)\r\n\r\nA use-after-free vulnerability was found via testing, and traced to an out-of-date Cairo library. Updating the library resolved the issue, and may have remediated other, unknown security vulnerabilities as well. This vulnerability affects Firefox < 90.(CVE-2021-29972)\r\n\r\nWhen network partitioning was enabled, e.g. as a result of Enhanced Tracking Protection settings, a TLS error page would allow the user to override an error on a domain which had specified HTTP Strict Transport Security (which implies that the error should not be override-able.) This issue did not affect the network connections, and they were correctly upgraded to HTTPS automatically. This vulnerability affects Firefox < 90.(CVE-2021-29974)\r\n\r\nThrough a series of DOM manipulations, a message, over which the attacker had control of the text but not HTML or formatting, could be overlaid on top of another domain (with the new domain correctly shown in the address bar) resulting in possible user confusion. This vulnerability affects Firefox < 90.(CVE-2021-29975)\r\n\r\nMozilla developers reported memory safety bugs present in code shared between Firefox and Thunderbird. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.12, Firefox ESR < 78.12, and Firefox < 90.(CVE-2021-29976)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 89. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 90.(CVE-2021-29977)\r\n\r\nUninitialized memory in a canvas object could have caused an incorrect free() leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.(CVE-2021-29980)\r\n\r\nAn issue present in lowering/register allocation could have led to obscure but deterministic register confusion failures in JITted code that would lead to a potentially exploitable crash. This vulnerability affects Firefox < 91 and Thunderbird < 91.(CVE-2021-29981)\r\n\r\nDue to incorrect JIT optimization, we incorrectly interpreted data from the wrong type of object, resulting in the potential leak of a single bit of memory. This vulnerability affects Firefox < 91 and Thunderbird < 91.(CVE-2021-29982)\r\n\r\nInstruction reordering resulted in a sequence of instructions that would cause an object to be incorrectly considered during garbage collection. This led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.(CVE-2021-29984)\r\n\r\nA use-after-free vulnerability in media channels could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.(CVE-2021-29985)\r\n\r\nA suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash. *Note: This issue only affected Linux operating systems. Other operating systems are unaffected.* This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.(CVE-2021-29986)\r\n\r\nAfter requesting multiple permissions, and closing the first permission panel, subsequent permission panels will be displayed in a different position but still record a click in the default location, making it possible to trick a user into accepting a permission they did not want to. *This bug only affects Firefox on Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox < 91 and Thunderbird < 91.(CVE-2021-29987)\r\n\r\nFirefox incorrectly treated an inline list-item element as a block element, resulting in an out of bounds read or memory corruption, and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.(CVE-2021-29988)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 90 and Firefox ESR 78.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.13, Firefox ESR < 78.13, and Firefox < 91.(CVE-2021-29989)\r\n\r\nMozilla developers and community members reported memory safety bugs present in Firefox 90. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 91.(CVE-2021-29990)\r\n\r\nFirefox incorrectly accepted a newline in a HTTP/3 header, interpretting it as two separate headers. This allowed for a header splitting attack against servers using HTTP/3. This vulnerability affects Firefox < 91.0.1 and Thunderbird < 91.0.1.(CVE-2021-29991)\r\n\r\nOut of bounds write in ANGLE in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.(CVE-2021-30547)\r\n\r\ncrossbeam-deque is a package of work-stealing deques for building task schedulers when programming in Rust. In versions prior to 0.7.4 and 0.8.0, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug. Crates using `Stealer::steal`, `Stealer::steal_batch`, or `Stealer::steal_batch_and_pop` are affected by this issue. This has been fixed in crossbeam-deque 0.8.1 and 0.7.4.(CVE-2021-32810)\r\n\r\nMixed-content checks were unable to analyze opaque origins which led to some mixed content being loaded. This vulnerability affects Firefox < 92.(CVE-2021-38491)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 91 and Firefox ESR 78.13. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.14, Thunderbird < 78.14, and Firefox < 92.(CVE-2021-38493)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 91. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 92.(CVE-2021-38494)\r\n\r\nDuring operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.15, Thunderbird < 91.2, Firefox ESR < 91.2, Firefox ESR < 78.15, and Firefox < 93.(CVE-2021-38496)\r\n\r\nThrough use of reportValidity() and window.open(), a plain-text validation message could have been overlaid on another origin, leading to possible user confusion and spoofing attacks. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2.(CVE-2021-38497)\r\n\r\nDuring process shutdown, a document could have caused a use-after-free of a languages service object, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2.(CVE-2021-38498)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 92. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 93.(CVE-2021-38499)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.15, Thunderbird < 91.2, Firefox ESR < 91.2, Firefox ESR < 78.15, and Firefox < 93.(CVE-2021-38500)\r\n\r\nMozilla developers reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2.(CVE-2021-38501)\r\n\r\nThe iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.(CVE-2021-38503)\r\n\r\nWhen interacting with an HTML input element's file picker dialog with webkitdirectory set, a use-after-free could have resulted, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.(CVE-2021-38504)\r\n\r\nThrough a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.(CVE-2021-38506)\r\n\r\nThe Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port 8443) did not opt-in to opportunistic encryption; a network attacker could forward a connection from the browser to port 443 to port 8443, causing the browser to treat the content of port 8443 as same-origin with HTTP. This was resolved by disabling the Opportunistic Encryption feature, which had low usage. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.(CVE-2021-38507)\r\n\r\nBy displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.(CVE-2021-38508)\r\n\r\nDue to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's choosing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.(CVE-2021-38509)\r\n\r\nThe executable file warning was not presented when downloading .inetloc files, which, due to a flaw in Mac OS, can run commands on a user's computer.*Note: This issue only affected Mac OS operating systems. Other operating systems are unaffected.*. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.(CVE-2021-38510)\r\n\r\nIt was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.(CVE-2021-4140)\r\n\r\nWhen a user loaded a Web Extensions context menu, the Web Extension could access the post-redirect URL of the element clicked. If the Web Extension lacked the WebRequest permission for the hosts involved in the redirect, this would be a same-origin-violation leaking data the Web Extension should have access to. This was fixed to provide the pre-redirect URL. This is related to CVE-2021-43532 but in the context of Web Extensions. This vulnerability affects Firefox < 94.(CVE-2021-43531)\r\n\r\nThe 'Copy Image Link' context menu action would copy the final image URL after redirects. By embedding an image that triggered authentication flows - in conjunction with a Content Security Policy that stopped a redirection chain in the middle - the final image URL could be one that contained an authentication token used to takeover a user account. If a website tricked a user into copy and pasting the image link back to the page, the page would be able to steal the authentication tokens. This was fixed by making the action return the original URL, before any redirects. This vulnerability affects Firefox < 94.(CVE-2021-43532)\r\n\r\nWhen parsing internationalized domain names, high bits of the characters in the URLs were sometimes stripped, resulting in inconsistencies that could lead to user confusion or attacks such as phishing. This vulnerability affects Firefox < 94.(CVE-2021-43533)\r\n\r\nMozilla developers and community members reported memory safety bugs present in Firefox 93 and Firefox ESR 91.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.(CVE-2021-43534)\r\n\r\nA use-after-free could have occured when an HTTP2 session object was released on a different thread, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 93, Thunderbird < 91.3, and Firefox ESR < 91.3.(CVE-2021-43535)\r\n\r\nUnder certain circumstances, asynchronous functions could have caused a navigation to fail but expose the target URL. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.(CVE-2021-43536)\r\n\r\nAn incorrect type conversion of sizes from 64bit to 32bit integers allowed an attacker to corrupt memory leading to a potentially exploitable crash. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.(CVE-2021-43537)\r\n\r\nBy misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.(CVE-2021-43538)\r\n\r\nFailure to correctly record the location of live pointers across wasm instance calls resulted in a GC occurring within the call not tracing those live pointers. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.(CVE-2021-43539)\r\n\r\nWebExtensions with the correct permissions were able to create and install ServiceWorkers for third-party websites that would not have been uninstalled with the extension. This vulnerability affects Firefox < 95.(CVE-2021-43540)\r\n\r\nWhen invoking protocol handlers for external protocols, a supplied parameter URL containing spaces was not properly escaped. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.(CVE-2021-43541)\r\n\r\nUsing XMLHttpRequest, an attacker could have identified installed applications by probing error messages for loading external protocols. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.(CVE-2021-43542)\r\n\r\nDocuments loaded with the CSP sandbox directive could have escaped the sandbox's script restriction by embedding additional content. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.(CVE-2021-43543)\r\n\r\nUsing the Location API in a loop could have caused severe application hangs and crashes. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.(CVE-2021-43545)\r\n\r\nIt was possible to recreate previous cursor spoofing attacks against users with a zoomed native cursor. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.(CVE-2021-43546)\r\n\r\nMozilla developers and community members Gabriele Svelto, Sebastian Hengst, Randell Jesup, Luan Herrera, Lars T Hansen, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 96. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 97.(CVE-2022-0511)\r\n\r\nMozilla developers Kershaw Chang, Ryan VanderMeulen, and Randell Jesup reported memory safety bugs present in Firefox 97. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 98.(CVE-2022-0843)\r\n\r\n<code>NSSToken</code> objects were referenced via direct points, and could have been accessed in an unsafe way on different threads, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.(CVE-2022-1097)\r\n\r\nAfter a VR Process is destroyed, a reference to it may have been retained and used, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Thunderbird < 91.8 and Firefox ESR < 91.8.(CVE-2022-1196)\r\n\r\nAn attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1.(CVE-2022-1529)\r\n\r\nIf an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1.(CVE-2022-1802)\r\n\r\nUse after free in Codecs in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.(CVE-2022-1919)\r\n\r\nIf an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.(CVE-2022-2200)\r\n\r\nConstructing audio sinks could have lead to a race condition when playing audio files and closing windows. This could have lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.(CVE-2022-22737)\r\n\r\nApplying a CSS filter effect could have accessed out of bounds memory. This could have lead to a heap-buffer-overflow causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.(CVE-2022-22738)\r\n\r\nMalicious websites could have tricked users into accepting launching a program to handle an external URL protocol. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.(CVE-2022-22739)\r\n\r\nCertain network request objects were freed too early when releasing a network request handle. This could have lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.(CVE-2022-22740)\r\n\r\nWhen resizing a popup while requesting fullscreen access, the popup would have become unable to leave fullscreen mode. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.(CVE-2022-22741)\r\n\r\nWhen inserting text while in edit mode, some characters might have lead to out-of-bounds memory access causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.(CVE-2022-22742)\r\n\r\nWhen navigating from inside an iframe while requesting fullscreen access, an attacker-controlled tab could have made the browser unable to leave fullscreen mode. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.(CVE-2022-22743)\r\n\r\nSecuritypolicyviolation events could have leaked cross-origin information for frame-ancestors violations. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.(CVE-2022-22745)\r\n\r\nAfter accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash. This crash is believed to be unexploitable. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.(CVE-2022-22747)\r\n\r\nMalicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.(CVE-2022-22748)\r\n\r\nIf a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new version the new requested permissions. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.(CVE-2022-22754)\r\n\r\nBy using XSL Transforms, a malicious webserver could have served a user an XSL document that would continue to execute JavaScript (within the bounds of the same-origin policy) even after the tab was closed. This vulnerability affects Firefox < 97.(CVE-2022-22755)\r\n\r\nIf a user was convinced to drag and drop an image to their desktop or other folder, the resulting object could have been changed into an executable script which would have run arbitrary code after the user clicked on it. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.(CVE-2022-22756)\r\n\r\nRemote Agent, used in WebDriver, did not validate the Host or Origin headers. This could have allowed websites to connect back locally to the user's browser to control it. <br>*This bug only affected Firefox when WebDriver was enabled, which is not the default configuration.*. This vulnerability affects Firefox < 97.(CVE-2022-22757)\r\n\r\nIf a document created a sandboxed iframe without <code>allow-scripts</code>, and subsequently appended an element to the iframe's document that e.g. had a JavaScript event handler - the event handler would have run despite the iframe's sandbox. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.(CVE-2022-22759)\r\n\r\nWhen importing resources using Web Workers, error messages would distinguish the difference between <code>application/javascript</code> responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.(CVE-2022-22760)\r\n\r\nWeb-accessible extension pages (pages with a moz-extension:// scheme) were not correctly enforcing the frame-ancestors directive when it was used in the Web Extension's Content Security Policy. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.(CVE-2022-22761)\r\n\r\nWhen a worker is shutdown, it was possible to cause script to run late in the lifecycle, at a point after where it should not be possible. This vulnerability affects Firefox < 96, Thunderbird < 91.6, and Firefox ESR < 91.6.(CVE-2022-22763)\r\n\r\nregex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from regex 1.5.5. All users accepting user-controlled regexes are recommended to upgrade immediately to the latest version of the regex crate. Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, it us not recommend to deny known problematic regexes.(CVE-2022-24713)\r\n\r\nAn attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.(CVE-2022-26381)\r\n\r\nWhile the text displayed in Autofill tooltips cannot be directly read by JavaScript, the text was rendered using page fonts. Side-channel attacks on the text by using specially crafted fonts could have lead to this text being inferred by the webpage. This vulnerability affects Firefox < 98.(CVE-2022-26382)\r\n\r\nWhen resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.(CVE-2022-26383)\r\n\r\nIf an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.(CVE-2022-26384)\r\n\r\nIn unusual circumstances, an individual thread may outlive the thread's manager during shutdown. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 98.(CVE-2022-26385)\r\n\r\nPreviously Firefox for macOS and Linux would download temporary files to a user-specific directory in <code>/tmp</code>, but this behavior was changed to download them to <code>/tmp</code> where they could be affected by other local users. This behavior was reverted to the original, user-specific directory. <br>*This bug only affects Firefox for macOS and Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 91.7 and Thunderbird < 91.7.(CVE-2022-26386)\r\n\r\nWhen installing an add-on, Firefox verified the signature before prompting the user; but while the user was confirming the prompt, the underlying add-on file could have been modified and Firefox would not have noticed. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.(CVE-2022-26387)\r\n\r\nRemoving an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.(CVE-2022-26485)\r\n\r\nAn unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.(CVE-2022-26486)\r\n\r\nIf a compromised content process sent an unexpected number of WebAuthN Extensions in a Register command to the parent process, an out of bounds write would have occurred leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.(CVE-2022-28281)\r\n\r\nBy using a link with <code>rel=\"localization\"</code> a use-after-free could have been triggered by destroying an object during JavaScript execution and then referencing the object through a freed pointer, leading to a potential exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.(CVE-2022-28282)\r\n\r\nThe sourceMapURL feature in devtools was missing security checks that would have allowed a webpage to attempt to include local files or other files that should have been inaccessible. This vulnerability affects Firefox < 99.(CVE-2022-28283)\r\n\r\nSVG's <code>&lt;use&gt;</code> element could have been used to load unexpected content that could have executed script in certain circumstances. While the specification seems to allow this, other browsers do not, and web developers relied on this property for script security so gecko's implementation was aligned with theirs. This vulnerability affects Firefox < 99.(CVE-2022-28284)\r\n\r\nWhen generating the assembly code for <code>MLoadTypedArrayElementHole</code>, an incorrect AliasSet was used. In conjunction with another vulnerability this could have been used for an out of bounds memory read. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.(CVE-2022-28285)\r\n\r\nDue to a layout change, iframe contents could have been rendered outside of its border. This could have led to user confusion or spoofing attacks. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.(CVE-2022-28286)\r\n\r\nIn unusual circumstances, selecting text could cause text selection caching to behave incorrectly, leading to a crash. This vulnerability affects Firefox < 99.(CVE-2022-28287)\r\n\r\nMozilla developers and community members Nika Layzell, Andrew McCreight, Gabriele Svelto, and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 91.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.(CVE-2022-28289)\r\n\r\nDocuments in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.(CVE-2022-29909)\r\n\r\nAn improper implementation of the new iframe sandbox keyword <code>allow-top-navigation-by-user-activation</code> could lead to script execution without <code>allow-scripts</code> being present. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.(CVE-2022-29911)\r\n\r\nRequests initiated through reader mode did not properly omit cookies with a SameSite attribute. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.(CVE-2022-29912)\r\n\r\nWhen reusing existing popups Firefox would have allowed them to cover the fullscreen notification UI, which could have enabled browser spoofing attacks. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.(CVE-2022-29914)\r\n\r\nThe Performance API did not properly hide the fact whether a request cross-origin resource has observed redirects. This vulnerability affects Firefox < 100.(CVE-2022-29915)\r\n\r\nFirefox behaved slightly differently for already known resources when loading CSS resources involving CSS variables. This could have been used to probe the browser history. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.(CVE-2022-29916)\r\n\r\nMozilla developers Gabriele Svelto, Randell Jesup and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 99. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 100.(CVE-2022-29918)\r\n\r\nA malicious website could have learned the size of a cross-origin resource that supported Range requests. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.(CVE-2022-31736)\r\n\r\nA malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.(CVE-2022-31737)\r\n\r\nWhen exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion or spoofing attacks. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.(CVE-2022-31738)\r\n\r\nOn arm64, WASM code could have resulted in incorrect assembly generation leading to a register allocation problem, and a potentially exploitable crash. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.(CVE-2022-31740)\r\n\r\nA crafted CMS message could have been processed incorrectly, leading to an invalid memory read, and potentially further memory corruption. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.(CVE-2022-31741)\r\n\r\nAn attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have led to cross-origin account linking in violation of WebAuthn goals. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.(CVE-2022-31742)\r\n\r\nFirefox's HTML parser did not correctly interpret HTML comment tags, resulting in an incongruity with other browsers. This could have been used to escape HTML comments on pages that put user-controlled data in them. This vulnerability affects Firefox < 101.(CVE-2022-31743)\r\n\r\nAn attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page's Content Security Policy. This vulnerability affects Firefox ESR < 91.11, Thunderbird < 102, Thunderbird < 91.11, and Firefox < 101.(CVE-2022-31744)\r\n\r\nIf array shift operations are not used, the Garbage Collector may have become confused about valid objects. This vulnerability affects Firefox < 101.(CVE-2022-31745)\r\n\r\nMozilla developers Gabriele Svelto, Timothy Nikkel, Randell Jesup, Jon Coppeard, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 100. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 101.(CVE-2022-31748)\r\n\r\nAn out-of-bounds read can occur when decoding H264 video. This results in a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.(CVE-2022-3266)\r\n\r\nAn iframe that was not permitted to run scripts could do so if the user clicked on a <code>javascript:</code> link. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.(CVE-2022-34468)\r\n\r\nWhen a TLS Certificate error occurs on a domain protected by the HSTS header, the browser should not allow the user to bypass the certificate error. On Firefox for Android, the user was presented with the option to bypass the error; this could only have been done by the user explicitly. <br>*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 102.(CVE-2022-34469)\r\n\r\nSession history navigations may have led to a use-after-free and potentially exploitable crash. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.(CVE-2022-34470)\r\n\r\nWhen downloading an update for an addon, the downloaded addon update's version was not verified to match the version selected from the manifest. If the manifest had been tampered with on the server, an attacker could trick the browser into downgrading the addon to a prior version. This vulnerability affects Firefox < 102.(CVE-2022-34471)\r\n\r\nIf there was a PAC URL set and the server that hosts the PAC was not reachable, OCSP requests would have been blocked, resulting in incorrect error pages being shown. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.(CVE-2022-34472)\r\n\r\nThe HTML Sanitizer should have sanitized the <code>href</code> attribute of SVG <code>&lt;use&gt;</code> tags; however it incorrectly did not sanitize <code>xlink:href</code> attributes. This vulnerability affects Firefox < 102.(CVE-2022-34473)\r\n\r\nEven when an iframe was sandboxed with <code>allow-top-navigation-by-user-activation</code>, if it received a redirect header to an external protocol the browser would process the redirect and prompt the user as appropriate. This vulnerability affects Firefox < 102.(CVE-2022-34474)\r\n\r\nSVG <code>&lt;use&gt;</code> tags that referenced a same-origin document could have resulted in script execution if attacker input was sanitized via the HTML Sanitizer API. This would have required the attacker to reference a same-origin JavaScript file containing the script to be executed. This vulnerability affects Firefox < 102.(CVE-2022-34475)\r\n\r\nASN.1 parsing of an indefinite SEQUENCE inside an indefinite GROUP could have resulted in the parser accepting malformed ASN.1. This vulnerability affects Firefox < 102.(CVE-2022-34476)\r\n\r\nThe MediaError message property should be consistent to avoid leaking information about cross-origin resources; however for a same-site cross-origin resource, the message could have leaked information enabling XS-Leaks attacks. This vulnerability affects Firefox < 102.(CVE-2022-34477)\r\n\r\nA malicious website that could create a popup could have resized the popup to overlay the address bar with its own content, resulting in potential user confusion or spoofing attacks. <br>*This bug only affects Thunderbird for Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.(CVE-2022-34479)\r\n\r\nWithin the <code>lg_init()</code> function, if several allocations succeed but then one fails, an uninitialized pointer would have been freed despite never being allocated. This vulnerability affects Firefox < 102.(CVE-2022-34480)\r\n\r\nIn the <code>nsTArray_Impl::ReplaceElementsAt()</code> function, an integer overflow could have occurred when the number of elements to replace was too large for the container. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.(CVE-2022-34481)\r\n\r\nAn attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34483. This vulnerability affects Firefox < 102.(CVE-2022-34482)\r\n\r\nAn attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34482. This vulnerability affects Firefox < 102.(CVE-2022-34483)\r\n\r\nThe Mozilla Fuzzing Team reported potential vulnerabilities present in Thunderbird 91.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.(CVE-2022-34484)\r\n\r\nMozilla developers Bryce Seager van Dyk and the Mozilla Fuzzing Team reported potential vulnerabilities present in Firefox 101. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 102.(CVE-2022-34485)\r\n\r\nWhen visiting directory listings for `chrome://` URLs as source text, some parameters were reflected. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12.(CVE-2022-36318)\r\n\r\nWhen combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12.(CVE-2022-36319)\r\n\r\nAn attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.(CVE-2022-38472)\r\n\r\nA cross-origin iframe referencing an XSLT document would inherit the parent domain's permissions (such as microphone or camera access). This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.(CVE-2022-38473)\r\n\r\nMozilla developer Nika Layzell and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103 and Firefox ESR 102.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.2, Thunderbird < 102.2, and Firefox < 104.(CVE-2022-38477)\r\n\r\nMembers the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.(CVE-2022-38478)\r\n\r\nWhen injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the injected element's base instead. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.(CVE-2022-40956)\r\n\r\nInconsistent data in instruction and data cache when creating wasm code could lead to a potentially exploitable crash.<br>*This bug only affects Firefox on ARM64 platforms.*. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.(CVE-2022-40957)\r\n\r\nBy injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies from a secure context, leading to session fixation and other attacks. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.(CVE-2022-40958)\r\n\r\nDuring iframe navigation, certain pages did not have their FeaturePolicy fully initialized leading to a bypass that leaked device permissions into untrusted subdocuments. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.(CVE-2022-40959)\r\n\r\nConcurrent use of the URL parser with non-UTF-8 data was not thread-safe. This could lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.(CVE-2022-40960)\r\n\r\nMozilla developers Nika Layzell, Timothy Nikkel, Sebastian Hengst, Andreas Pehrson, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 104 and Firefox ESR 102.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.(CVE-2022-40962)\r\n\r\nCertain types of allocations were missing annotations that, if the Garbage Collector was in a specific state, could have lead to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 106, Firefox ESR < 102.4, and Thunderbird < 102.4.(CVE-2022-42928)\r\n\r\nThrough a series of popups that reuse windowName, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.(CVE-2022-45408)\r\n\r\nThe garbage collector could have been aborted in several states and zones and <code>GCRuntime::finishCollection</code> may not have been called, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.(CVE-2022-45409)\r\n\r\nWhen a ServiceWorker intercepted a request with <code>FetchEvent</code>, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.(CVE-2022-45410)\r\n\r\nCross-Site Tracing occurs when a server will echo a request back via the Trace method, allowing an XSS attack to access to authorization headers and cookies inaccessible to JavaScript (such as cookies protected by HTTPOnly). To mitigate this attack, browsers placed limits on <code>fetch()</code> and XMLHttpRequest; however some webservers have implemented non-standard headers such as <code>X-Http-Method-Override</code> that override the HTTP method, and made this attack possible again. Thunderbird has applied the same mitigations to the use of this and similar headers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.(CVE-2022-45411)\r\n\r\nWhen resolving a symlink such as <code>file:///proc/self/fd/1</code>, an error message may be produced where the symlink was resolved to a string containing unitialized memory in the buffer. <br>*This bug only affects Thunderbird on Unix-based operated systems (Android, Linux, MacOS). Windows is unaffected.*. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.(CVE-2022-45412)\r\n\r\nKeyboard events reference strings like \"KeyA\" that were at fixed, known, and widely-spread addresses. Cache-based timing attacks such as Prime+Probe could have possibly figured out which keys were being pressed. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.(CVE-2022-45416)\r\n\r\nIf a custom mouse cursor is specified in CSS, under certain circumstances the cursor could have been drawn over the browser UI, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.(CVE-2022-45418)\r\n\r\nUse tables inside of an iframe, an attacker could have caused iframe contents to be rendered outside the boundaries of the iframe, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.(CVE-2022-45420)\r\n\r\nMozilla developers Andrew McCreight and Gabriele Svelto reported memory safety bugs present in Thunderbird 102.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.(CVE-2022-45421)\r\n\r\nAn out of date library (libusrsctp) contained vulnerabilities that could potentially be exploited. This vulnerability affects Firefox < 108.(CVE-2022-46871)\r\n\r\nA file with a long filename could have had its filename truncated to remove the valid extension, leaving a malicious extension in its place. This could potentially led to user confusion and the execution of malicious code.<br/>*Note*: This issue was originally included in the advisories for Thunderbird 102.6, but a patch (specific to Thunderbird) was omitted, resulting in it actually being fixed in Thunderbird 102.6.1. This vulnerability affects Firefox < 108, Thunderbird < 102.6.1, Thunderbird < 102.6, and Firefox ESR < 102.6.(CVE-2022-46874)\r\n\r\nThe executable file warning was not presented when downloading .atloc and .ftploc files, which can run commands on a user's computer. <br>*Note: This issue only affected Mac OS operating systems. Other operating systems are unaffected.*. This vulnerability affects Firefox < 108, Firefox ESR < 102.6, and Thunderbird < 102.6.(CVE-2022-46875)\r\n\r\nMozilla developers Randell Jesup, Valentin Gosu, Olli Pettay, and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 102.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 108, Firefox ESR < 102.6, and Thunderbird < 102.6.(CVE-2022-46878)\r\n\r\nA use-after-free in WebGL extensions could have led to a potentially exploitable crash. This vulnerability affects Firefox < 107, Firefox ESR < 102.6, and Thunderbird < 102.6.(CVE-2022-46882)\r\n\r\nAn attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.(CVE-2023-0767)\r\n\r\nUnexpected data returned from the Safe Browsing API could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 102.10 and Firefox ESR < 102.10.(CVE-2023-1945)\r\n\r\nDue to the Firefox GTK wrapper code's use of text/plain for drag data and GTK treating all text/plain MIMEs containing file URLs as being dragged a website could arbitrarily read a file via a call to <code>DataTransfer.setData</code>. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.(CVE-2023-23598)\r\n\r\nWhen copying a network request from the developer tools panel as a curl command the output was not being properly sanitized and could allow arbitrary commands to be hidden within. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.(CVE-2023-23599)\r\n\r\nNavigations were being allowed when dragging a URL from a cross-origin iframe into the same tab which could lead to website spoofing attacks. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.(CVE-2023-23601)\r\n\r\nA mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.(CVE-2023-23602)\r\n\r\nRegular expressions used to filter out forbidden properties and values from style directives in calls to <code>console.log</code> weren't accounting for external URLs. Data could then be potentially exfiltrated from the browser. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.(CVE-2023-23603)\r\n\r\nThe <code>Content-Security-Policy-Report-Only</code> header could allow an attacker to leak a child iframe's unredacted URI when interaction with that iframe triggers a redirect. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.(CVE-2023-25728)\r\n\r\nPermission prompts for opening external schemes were only shown for <code>ContentPrincipals</code> resulting in extensions being able to open them without user interaction via <code>ExpandedPrincipals</code>. This could lead to further malicious actions such as downloading files or interacting with software already installed on the system. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.(CVE-2023-25729)\r\n\r\nA background script invoking <code>requestFullscreen</code> and then blocking the main thread could force the browser into fullscreen mode indefinitely, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.(CVE-2023-25730)\r\n\r\nWhen encoding data from an <code>inputStream</code> in <code>xpcom</code> the size of the input being encoded was not correctly calculated potentially leading to an out of bounds memory write. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.(CVE-2023-25732)\r\n\r\nCross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free after unwrapping the proxy. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.(CVE-2023-25735)\r\n\r\nAn invalid downcast from <code>nsTextNode</code> to <code>SVGElement</code> could have lead to undefined behavior. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.(CVE-2023-25737)\r\n\r\nModule load requests that failed were not being checked as to whether or not they were cancelled causing a use-after-free in <code>ScriptLoadContext</code>. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.(CVE-2023-25739)\r\n\r\nWhen importing a SPKI RSA public key as ECDSA P-256, the key would be handled incorrectly causing the tab to crash. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.(CVE-2023-25742)\r\n\r\nSometimes, when invalidating JIT code while following an iterator, the newly generated code could be overwritten incorrectly. This could lead to a potentially exploitable crash. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.(CVE-2023-25751)\r\n\r\nWhen accessing throttled streams, the count of available bytes needed to be checked in the calling function to be within bounds. This may have lead future code to be incorrect and vulnerable. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.(CVE-2023-25752)\r\n\r\nWhile implementing AudioWorklets, some code may have casted one type to another, invalid, dynamic type. This could have led to a potentially exploitable crash. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.(CVE-2023-28162)\r\n\r\nDragging a URL from a cross-origin iframe that was removed during the drag could have led to user confusion and website spoofing attacks. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.(CVE-2023-28164)\r\n\r\nMozilla developers Timothy Nikkel, Andrew McCreight, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 110 and Firefox ESR 102.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.(CVE-2023-28176)\r\n\r\nA website could have obscured the fullscreen notification by using a combination of <code>window.open</code>, fullscreen requests, <code>window.name</code> assignments, and <code>setInterval</code> calls. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.(CVE-2023-29533)\r\n\r\nFollowing a Garbage Collector compaction, weak maps may have been accessed before they were correctly traced. This resulted in memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.(CVE-2023-29535)\r\n\r\nAn attacker could cause the memory manager to incorrectly free a pointer that addresses attacker-controlled memory, resulting in an assertion, memory corruption, or a potentially exploitable crash. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.(CVE-2023-29536)\r\n\r\nWhen handling the filename directive in the Content-Disposition header, the filename would be truncated if the filename contained a NULL character. This could have led to reflected file download attacks potentially tricking users to install malware. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.(CVE-2023-29539)\r\n\r\nFirefox did not properly handle downloads of files ending in <code>.desktop</code>, which can be interpreted to run attacker-controlled commands. <br>*This bug only affects Firefox for Linux on certain Distributions. Other operating systems are unaffected, and Mozilla is unable to enumerate all affected Linux Distributions.*. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.(CVE-2023-29541)\r\n\r\nA wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.(CVE-2023-29548)\r\n\r\nMozilla developers Randell Jesup, Andrew Osmond, Sebastian Hengst, Andrew McCreight, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 111 and Firefox ESR 102.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.(CVE-2023-29550)\r\n\r\nIn multiple cases browser prompts could have been obscured by popups controlled by content. These could have led to potential user confusion and spoofing attacks. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.(CVE-2023-32205)\r\n\r\nAn out-of-bound read could have led to a crash in the RLBox Expat driver. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.(CVE-2023-32206)\r\n\r\nA missing delay in popup notifications could have made it possible for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.(CVE-2023-32207)\r\n\r\nA type checking bug would have led to invalid code being compiled. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.(CVE-2023-32211)\r\n\r\nAn attacker could have positioned a <code>datalist</code> element to obscure the address bar. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.(CVE-2023-32212)\r\n\r\nWhen reading a file, an uninitialized value could have been used as read limit. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.(CVE-2023-32213)\r\n\r\nMozilla developers and community members Gabriele Svelto, Andrew Osmond, Emily McDonough, Sebastian Hengst, Andrew McCreight and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 112 and Firefox ESR 102.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.(CVE-2023-32215)\r\n\r\nAn attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.(CVE-2023-37201)\r\n\r\nCross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.(CVE-2023-37202)\r\n\r\nA website could have obscured the fullscreen notification by using a URL with a scheme handled by an external program, such as a mailto URL. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.(CVE-2023-37207)\r\n\r\nWhen opening Diagcab files, Firefox did not warn the user that these files may contain malicious code. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.(CVE-2023-37208)\r\n\r\nMemory safety bugs present in Firefox 114, Firefox ESR 102.12, and Thunderbird 102.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13.(CVE-2023-37211)\r\n\r\nOffscreen Canvas did not properly track cross-origin tainting, which could have been used to access image data from another site in violation of same-origin policy. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.(CVE-2023-4045)\r\n\r\nIn some circumstances, a stale value could have been used for a global variable in WASM JIT analysis. This resulted in incorrect compilation and a potentially exploitable crash in the content process. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.(CVE-2023-4046)\r\n\r\nA bug in popup notifications delay calculation could have made it possible for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.(CVE-2023-4047)\r\n\r\nAn out-of-bounds read could have led to an exploitable crash when parsing HTML with DOMParser in low memory situations. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.(CVE-2023-4048)\r\n\r\nRace conditions in reference counting code were found through code inspection. These could have resulted in potentially exploitable use-after-free vulnerabilities. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.(CVE-2023-4049)\r\n\r\nIn some cases, an untrusted input stream was copied to a stack buffer without checking its size. This resulted in a potentially exploitable crash which could have led to a sandbox escape. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.(CVE-2023-4050)\r\n\r\nWhen opening appref-ms files, Firefox did not warn the user that these files may contain malicious code. \n*This bug only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 116, Firefox ESR < 102.14, Firefox ESR < 115.1, Thunderbird < 102.14, and Thunderbird < 115.1.(CVE-2023-4054)\r\n\r\nWhen the number of cookies per domain was exceeded in `document.cookie`, the actual cookie jar sent to the host was no longer consistent with expected cookie jar state. This could have caused requests to be sent with some cookies missing. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.(CVE-2023-4055)\r\n\r\nMemory safety bugs present in Firefox 115, Firefox ESR 115.0, Firefox ESR 102.13, Thunderbird 115.0, and Thunderbird 102.13. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.(CVE-2023-4056)",
+    "cves": [
+      {
+        "id": "CVE-2020-15673",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15673",
+        "severity": "High"
+      },
+      {
+        "id": "CVE-2023-4056",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4056",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1654": {
+    "id": "openEuler-SA-2023-1654",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1654",
+    "title": "An update for qemu is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nhw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access by providing an address near the end of the PCI configuration space.(CVE-2020-13791)\r\n\r\nAn issue was discovered in TCG Accelerator in QEMU 4.2.0, allows local attackers to execute arbitrary code, escalate privileges, and cause a denial of service (DoS).(CVE-2020-24165)",
+    "cves": [
+      {
+        "id": "CVE-2020-24165",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24165",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1249": {
+    "id": "openEuler-SA-2021-1249",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1249",
+    "title": "An update for jetty is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Jetty is a 100% Java HTTP Server and Servlet Container. This means that you do not need to configure and run a separate web server (like Apache) in order\\ to use Java, servlets and JSPs to generate dynamic content. Jetty is a fully\\ featured web server for static and dynamic content. Unlike separate\\ server/container solutions, this means that your web server and web\\ application run in the same process, without interconnection overheads\\ and complications. Furthermore, as a pure java component, Jetty can be simply\\ included in your application for demonstration, distribution or deployment.\\ Jetty is available on all Java supported platforms. \\ %global extdesc \\\\ \\ This package contains\r\n\r\nSecurity Fix(es):\r\n\r\nFor Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.(CVE-2021-28169)",
+    "cves": [
+      {
+        "id": "CVE-2021-28169",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28169",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1184": {
+    "id": "openEuler-SA-2024-1184",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1184",
+    "title": "An update for shim is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "Initial UEFI bootloader that handles chaining to a trusted full \\ bootloader under secure boot environments.\r\n\r\nSecurity Fix(es):\r\n\r\nA security vulnerability has been identified in all supported versions\r\n\r\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints.  Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\r\n\r\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0464)",
+    "cves": [
+      {
+        "id": "CVE-2023-0464",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0464",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1676": {
+    "id": "openEuler-SA-2023-1676",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1676",
+    "title": "An update for pmix is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "PMI has been used for quite some time as a means of exchanging wireup information needed for interprocess communication.\r\n\r\nSecurity Fix(es):\r\n\r\nOpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows attackers to obtain ownership of arbitrary files via a race condition during execution of library code with UID 0.(CVE-2023-41915)",
+    "cves": [
+      {
+        "id": "CVE-2023-41915",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41915",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-2109": {
+    "id": "openEuler-SA-2022-2109",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2109",
+    "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR,WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort,shear and transform images, adjust image colors, apply various special effects,or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nIn ImageMagick, there is load of misaligned address for type 'double', which requires 8 byte alignment and for type 'float', which requires 4 byte alignment at MagickCore/property.c. Whenever crafted or untrusted input is processed by ImageMagick, this causes a negative impact to application availability or other problems related to undefined behavior.(CVE-2022-32547)",
+    "cves": [
+      {
+        "id": "CVE-2022-32547",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32547",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1836": {
+    "id": "openEuler-SA-2022-1836",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1836",
+    "title": "An update for unbound is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards.To help increase online privacy, Unbound supports DNS-over-TLS which allows clients to encrypt their communication. Unbound is available for most platforms such as FreeBSD, OpenBSD, NetBSD, MacOS, Linux and Microsoft Windows.Unbound is a totally free, open source software under the BSD license. It doesn'tmake custom builds or provide specific features to paying customers only.\r\n\r\nSecurity Fix(es):\r\n\r\nNLnet Labs Unbound, up to and including version 1.16.1 is vulnerable to a novel type of the \"ghost domain names\" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a subdomain of a rogue domain name. The rogue nameserver returns delegation information for the subdomain that updates Unbound's delegation cache. This action can be repeated before expiry of the delegation information by querying Unbound for a second level subdomain which the rogue nameserver provides new delegation information. Since Unbound is a child-centric resolver, the ever-updating child delegation information can keep a rogue domain name resolvable long after revocation. From version 1.16.2 on, Unbound checks the validity of parent delegation records before using cached delegation information.(CVE-2022-30698)\r\n\r\nNLnet Labs Unbound, up to and including version 1.16.1, is vulnerable to a novel type of the \"ghost domain names\" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a rogue domain name when the cached delegation information is about to expire. The rogue nameserver delays the response so that the cached delegation information is expired. Upon receiving the delayed answer containing the delegation information, Unbound overwrites the now expired entries. This action can be repeated when the delegation information is about to expire making the rogue delegation information ever-updating. From version 1.16.2 on, Unbound stores the start time for a query and uses that to decide if the cached delegation information can be overwritten.(CVE-2022-30699)",
+    "cves": [
+      {
+        "id": "CVE-2022-30699",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30699",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1772": {
+    "id": "openEuler-SA-2024-1772",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1772",
+    "title": "An update for golang is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The Go Programming Language.\r\n\r\nSecurity Fix(es):\r\n\r\nThe archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.(CVE-2024-24789)",
+    "cves": [
+      {
+        "id": "CVE-2024-24789",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24789",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1029": {
+    "id": "openEuler-SA-2024-1029",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1029",
+    "title": "An update for bluez is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "This package provides all utilities for use in Bluetooth applications. The BLUETOOTH trademarks are owned by Bluetooth SIG, Inc., U.S.A.\r\n\r\nSecurity Fix(es):\r\n\r\nVUL-0: CVE-2023-50229: bluez: BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution Vulnerability(CVE-2023-50229)",
+    "cves": [
+      {
+        "id": "CVE-2023-50229",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50229",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1961": {
+    "id": "openEuler-SA-2023-1961",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1961",
+    "title": "An update for curl is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Low",
+    "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen saving HSTS data to an excessively long file name, curl could end up\nremoving all contents, making subsequent requests using that file unaware of\nthe HSTS status they should otherwise use.\n(CVE-2023-46219)",
+    "cves": [
+      {
+        "id": "CVE-2023-46219",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46219",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1088": {
+    "id": "openEuler-SA-2024-1088",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1088",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Bluetooth subsystem of the Linux kernel. A race condition between the bt_sock_recvmsg() and bt_sock_ioctl() functions could lead to a use-after-free on a socket buffer (\"skb\"). This flaw allows a local user to cause a denial of service condition or potential code execution.(CVE-2023-51779)\r\n\r\nAn issue was discovered in the Linux kernel before 6.6.8. do_vcc_ioctl in net/atm/ioctl.c has a use-after-free because of a vcc_recvmsg race condition.(CVE-2023-51780)\r\n\r\nAn issue was discovered in the Linux kernel before 6.6.8. atalk_ioctl in net/appletalk/ddp.c has a use-after-free because of an atalk_recvmsg race condition.(CVE-2023-51781)\r\n\r\nAn out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This issue may allow a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data being printed and potentially leaked to the kernel ring buffer (dmesg).(CVE-2023-6121)",
+    "cves": [
+      {
+        "id": "CVE-2023-6121",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6121",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1397": {
+    "id": "openEuler-SA-2024-1397",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1397",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nASoC: q6afe-clocks: fix reprobing of the driver\r\n\r\nQ6afe-clocks driver can get reprobed. For example if the APR services\nare restarted after the firmware crash. However currently Q6afe-clocks\ndriver will oops because hw.init will get cleared during first _probe\ncall. Rewrite the driver to fill the clock data at runtime rather than\nusing big static array of clocks.(CVE-2021-47037)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\napparmor: avoid crash when parsed profile name is empty\r\n\r\nWhen processing a packed profile in unpack_profile() described like\r\n\r\n \"profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}\"\r\n\r\na string \":samba-dcerpcd\" is unpacked as a fully-qualified name and then\npassed to aa_splitn_fqname().\r\n\r\naa_splitn_fqname() treats \":samba-dcerpcd\" as only containing a namespace.\nThus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later\naa_alloc_profile() crashes as the new profile name is NULL now.\r\n\r\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\nRIP: 0010:strlen+0x1e/0xa0\nCall Trace:\n <TASK>\n ? strlen+0x1e/0xa0\n aa_policy_init+0x1bb/0x230\n aa_alloc_profile+0xb1/0x480\n unpack_profile+0x3bc/0x4960\n aa_unpack+0x309/0x15e0\n aa_replace_profiles+0x213/0x33c0\n policy_update+0x261/0x370\n profile_replace+0x20e/0x2a0\n vfs_write+0x2af/0xe00\n ksys_write+0x126/0x250\n do_syscall_64+0x46/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n </TASK>\n---[ end trace 0000000000000000 ]---\nRIP: 0010:strlen+0x1e/0xa0\r\n\r\nIt seems such behaviour of aa_splitn_fqname() is expected and checked in\nother places where it is called (e.g. aa_remove_profiles). Well, there\nis an explicit comment \"a ns name without a following profile is allowed\"\ninside.\r\n\r\nAFAICS, nothing can prevent unpacked \"name\" to be in form like\n\":samba-dcerpcd\" - it is passed from userspace.\r\n\r\nDeny the whole profile set replacement in such case and inform user with\nEPROTO and an explaining message.\r\n\r\nFound by Linux Verification Center (linuxtesting.org).(CVE-2023-52443)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length\r\n\r\nIf the host sends an H2CData command with an invalid DATAL,\nthe kernel may crash in nvmet_tcp_build_pdu_iovec().\r\n\r\nUnable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000000\nlr : nvmet_tcp_io_work+0x6ac/0x718 [nvmet_tcp]\nCall trace:\n  process_one_work+0x174/0x3c8\n  worker_thread+0x2d0/0x3e8\n  kthread+0x104/0x110\r\n\r\nFix the bug by raising a fatal error if DATAL isn't coherent\nwith the packet size.\nAlso, the PDU length should never exceed the MAXH2CDATA parameter which\nhas been communicated to the host in nvmet_tcp_handle_icreq().(CVE-2023-52454)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nserial: imx: fix tx statemachine deadlock\r\n\r\nWhen using the serial port as RS485 port, the tx statemachine is used to\ncontrol the RTS pin to drive the RS485 transceiver TX_EN pin. When the\nTTY port is closed in the middle of a transmission (for instance during\nuserland application crash), imx_uart_shutdown disables the interface\nand disables the Transmission Complete interrupt. afer that,\nimx_uart_stop_tx bails on an incomplete transmission, to be retriggered\nby the TC interrupt. This interrupt is disabled and therefore the tx\nstatemachine never transitions out of SEND. The statemachine is in\ndeadlock now, and the TX_EN remains low, making the interface useless.\r\n\r\nimx_uart_stop_tx now checks for incomplete transmission AND whether TC\ninterrupts are enabled before bailing to be retriggered. This makes sure\nthe state machine handling is reached, and is properly set to\nWAIT_AFTER_SEND.(CVE-2023-52456)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nserial: 8250: omap: Don't skip resource freeing if pm_runtime_resume_and_get() failed\r\n\r\nReturning an error code from .remove() makes the driver core emit the\nlittle helpful error message:\r\n\r\n\tremove callback returned a non-zero value. This will be ignored.\r\n\r\nand then remove the device anyhow. So all resources that were not freed\nare leaked in this case. Skipping serial8250_unregister_port() has the\npotential to keep enough of the UART around to trigger a use-after-free.\r\n\r\nSo replace the error return (and with it the little helpful error\nmessage) by a more useful error message and continue to cleanup.(CVE-2023-52457)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: fix check for attempt to corrupt spilled pointer\r\n\r\nWhen register is spilled onto a stack as a 1/2/4-byte register, we set\nslot_type[BPF_REG_SIZE - 1] (plus potentially few more below it,\ndepending on actual spill size). So to check if some stack slot has\nspilled register we need to consult slot_type[7], not slot_type[0].\r\n\r\nTo avoid the need to remember and double-check this in the future, just\nuse is_spilled_reg() helper.(CVE-2023-52462)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmfd: syscon: Fix null pointer dereference in of_syscon_register()\r\n\r\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.(CVE-2023-52467)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrivers/amd/pm: fix a use-after-free in kv_parse_power_table\r\n\r\nWhen ps allocated by kzalloc equals to NULL, kv_parse_power_table\nfrees adev->pm.dpm.ps that allocated before. However, after the control\nflow goes through the following call chains:\r\n\r\nkv_parse_power_table\n  |-> kv_dpm_init\n        |-> kv_dpm_sw_init\n\t      |-> kv_dpm_fini\r\n\r\nThe adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its\nfirst free in kv_parse_power_table and causes a use-after-free bug.(CVE-2023-52469)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nperf/x86/lbr: Filter vsyscall addresses\r\n\r\nWe found that a panic can occur when a vsyscall is made while LBR sampling\nis active. If the vsyscall is interrupted (NMI) for perf sampling, this\ncall sequence can occur (most recent at top):\r\n\r\n    __insn_get_emulate_prefix()\n    insn_get_emulate_prefix()\n    insn_get_prefixes()\n    insn_get_opcode()\n    decode_branch_type()\n    get_branch_type()\n    intel_pmu_lbr_filter()\n    intel_pmu_handle_irq()\n    perf_event_nmi_handler()\r\n\r\nWithin __insn_get_emulate_prefix() at frame 0, a macro is called:\r\n\r\n    peek_nbyte_next(insn_byte_t, insn, i)\r\n\r\nWithin this macro, this dereference occurs:\r\n\r\n    (insn)->next_byte\r\n\r\nInspecting registers at this point, the value of the next_byte field is the\naddress of the vsyscall made, for example the location of the vsyscall\nversion of gettimeofday() at 0xffffffffff600000. The access to an address\nin the vsyscall region will trigger an oops due to an unhandled page fault.\r\n\r\nTo fix the bug, filtering for vsyscalls can be done when\ndetermining the branch type. This patch will return\na \"none\" branch if a kernel address if found to lie in the\nvsyscall region.(CVE-2023-52476)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: fix uaf in smb20_oplock_break_ack\r\n\r\ndrop reference after use opinfo.(CVE-2023-52479)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\niommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range\r\n\r\nWhen running an SVA case, the following soft lockup is triggered:\n--------------------------------------------------------------------\nwatchdog: BUG: soft lockup - CPU#244 stuck for 26s!\npstate: 83400009 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\npc : arm_smmu_cmdq_issue_cmdlist+0x178/0xa50\nlr : arm_smmu_cmdq_issue_cmdlist+0x150/0xa50\nsp : ffff8000d83ef290\nx29: ffff8000d83ef290 x28: 000000003b9aca00 x27: 0000000000000000\nx26: ffff8000d83ef3c0 x25: da86c0812194a0e8 x24: 0000000000000000\nx23: 0000000000000040 x22: ffff8000d83ef340 x21: ffff0000c63980c0\nx20: 0000000000000001 x19: ffff0000c6398080 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: ffff3000b4a3bbb0\nx14: ffff3000b4a30888 x13: ffff3000b4a3cf60 x12: 0000000000000000\nx11: 0000000000000000 x10: 0000000000000000 x9 : ffffc08120e4d6bc\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000048cfa\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : 000000000000000a\nx2 : 0000000080000000 x1 : 0000000000000000 x0 : 0000000000000001\nCall trace:\n arm_smmu_cmdq_issue_cmdlist+0x178/0xa50\n __arm_smmu_tlb_inv_range+0x118/0x254\n arm_smmu_tlb_inv_range_asid+0x6c/0x130\n arm_smmu_mm_invalidate_range+0xa0/0xa4\n __mmu_notifier_invalidate_range_end+0x88/0x120\n unmap_vmas+0x194/0x1e0\n unmap_region+0xb4/0x144\n do_mas_align_munmap+0x290/0x490\n do_mas_munmap+0xbc/0x124\n __vm_munmap+0xa8/0x19c\n __arm64_sys_munmap+0x28/0x50\n invoke_syscall+0x78/0x11c\n el0_svc_common.constprop.0+0x58/0x1c0\n do_el0_svc+0x34/0x60\n el0_svc+0x2c/0xd4\n el0t_64_sync_handler+0x114/0x140\n el0t_64_sync+0x1a4/0x1a8\n--------------------------------------------------------------------\r\n\r\nNote that since 6.6-rc1 the arm_smmu_mm_invalidate_range above is renamed\nto \"arm_smmu_mm_arch_invalidate_secondary_tlbs\", yet the problem remains.\r\n\r\nThe commit 06ff87bae8d3 (\"arm64: mm: remove unused functions and variable\nprotoypes\") fixed a similar lockup on the CPU MMU side. Yet, it can occur\nto SMMU too, since arm_smmu_mm_arch_invalidate_secondary_tlbs() is called\ntypically next to MMU tlb flush function, e.g.\n\ttlb_flush_mmu_tlbonly {\n\t\ttlb_flush {\n\t\t\t__flush_tlb_range {\n\t\t\t\t// check MAX_TLBI_OPS\n\t\t\t}\n\t\t}\n\t\tmmu_notifier_arch_invalidate_secondary_tlbs {\n\t\t\tarm_smmu_mm_arch_invalidate_secondary_tlbs {\n\t\t\t\t// does not check MAX_TLBI_OPS\n\t\t\t}\n\t\t}\n\t}\r\n\r\nClone a CMDQ_MAX_TLBI_OPS from the MAX_TLBI_OPS in tlbflush.h, since in an\nSVA case SMMU uses the CPU page table, so it makes sense to align with the\ntlbflush code. Then, replace per-page TLBI commands with a single per-asid\nTLBI command, if the request size hits this threshold.(CVE-2023-52484)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix array-index-out-of-bounds in dbAdjTree\r\n\r\nCurrently there is a bound check missing in the dbAdjTree while\naccessing the dmt_stree. To add the required check added the bool is_ctl\nwhich is required to determine the size as suggest in the following\ncommit.\nhttps://lore.kernel.org/linux-kernel-mentees/f9475918-2186-49b8-b801-6f0f9e75f4fa@oracle.com/(CVE-2023-52601)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntls: fix race between tx work scheduling and socket close\r\n\r\nSimilarly to previous commit, the submitting thread (recvmsg/sendmsg)\nmay exit as soon as the async crypto handler calls complete().\nReorder scheduling the work before calling complete().\nThis seems more logical in the first place, as it's\nthe inverse order of what the submitting thread will do.(CVE-2024-26585)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf: Reject variable offset alu on PTR_TO_FLOW_KEYS\r\n\r\nFor PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off\nfor validation. However, variable offset ptr alu is not prohibited\nfor this ptr kind. So the variable offset is not checked.\r\n\r\nThe following prog is accepted:\r\n\r\n  func#0 @0\n  0: R1=ctx() R10=fp0\n  0: (bf) r6 = r1                       ; R1=ctx() R6_w=ctx()\n  1: (79) r7 = *(u64 *)(r6 +144)        ; R6_w=ctx() R7_w=flow_keys()\n  2: (b7) r8 = 1024                     ; R8_w=1024\n  3: (37) r8 /= 1                       ; R8_w=scalar()\n  4: (57) r8 &= 1024                    ; R8_w=scalar(smin=smin32=0,\n  smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400))\n  5: (0f) r7 += r8\n  mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1\n  mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024\n  mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1\n  mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024\n  6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off\n  =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024,\n  var_off=(0x0; 0x400))\n  6: (79) r0 = *(u64 *)(r7 +0)          ; R0_w=scalar()\n  7: (95) exit\r\n\r\nThis prog loads flow_keys to r7, and adds the variable offset r8\nto r7, and finally causes out-of-bounds access:\r\n\r\n  BUG: unable to handle page fault for address: ffffc90014c80038\n  [...]\n  Call Trace:\n   <TASK>\n   bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]\n   __bpf_prog_run include/linux/filter.h:651 [inline]\n   bpf_prog_run include/linux/filter.h:658 [inline]\n   bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline]\n   bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991\n   bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359\n   bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]\n   __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475\n   __do_sys_bpf kernel/bpf/syscall.c:5561 [inline]\n   __se_sys_bpf kernel/bpf/syscall.c:5559 [inline]\n   __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nFix this by rejecting ptr alu with variable offset on flow_keys.\nApplying the patch rejects the program with \"R7 pointer arithmetic\non flow_keys prohibited\".(CVE-2024-26589)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ni2c: i801: Fix block process call transactions\r\n\r\nAccording to the Intel datasheets, software must reset the block\nbuffer index twice for block process call transactions: once before\nwriting the outgoing data to the buffer, and once again before\nreading the incoming data from the buffer.\r\n\r\nThe driver is currently missing the second reset, causing the wrong\nportion of the block buffer to be read.(CVE-2024-26593)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: qualcomm: rmnet: fix global oob in rmnet_policy\r\n\r\nThe variable rmnet_link_ops assign a *bigger* maxtype which leads to a\nglobal out-of-bounds read when parsing the netlink attributes. See bug\ntrace below:\r\n\r\n==================================================================\nBUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline]\nBUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\nRead of size 1 at addr ffffffff92c438d0 by task syz-executor.6/84207\r\n\r\nCPU: 0 PID: 84207 Comm: syz-executor.6 Tainted: G                 N 6.1.0 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x172/0x475 mm/kasan/report.c:395\n kasan_report+0xbb/0x1c0 mm/kasan/report.c:495\n validate_nla lib/nlattr.c:386 [inline]\n __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600\n __nla_parse+0x3e/0x50 lib/nlattr.c:697\n nla_parse_nested_deprecated include/net/netlink.h:1248 [inline]\n __rtnl_newlink+0x50a/0x1880 net/core/rtnetlink.c:3485\n rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3594\n rtnetlink_rcv_msg+0x43c/0xd70 net/core/rtnetlink.c:6091\n netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg+0x154/0x190 net/socket.c:734\n ____sys_sendmsg+0x6df/0x840 net/socket.c:2482\n ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536\n __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fdcf2072359\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fdcf13e3168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007fdcf219ff80 RCX: 00007fdcf2072359\nRDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003\nRBP: 00007fdcf20bd493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fffbb8d7bdf R14: 00007fdcf13e3300 R15: 0000000000022000\n </TASK>\r\n\r\nThe buggy address belongs to the variable:\n rmnet_policy+0x30/0xe0\r\n\r\nThe buggy address belongs to the physical page:\npage:0000000065bdeb3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x155243\nflags: 0x200000000001000(reserved|node=0|zone=2)\nraw: 0200000000001000 ffffea00055490c8 ffffea00055490c8 0000000000000000\nraw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\r\n\r\nMemory state around the buggy address:\n ffffffff92c43780: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 07\n ffffffff92c43800: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 06 f9 f9 f9\n>ffffffff92c43880: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9\n                                                 ^\n ffffffff92c43900: 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9\n ffffffff92c43980: 00 00 00 07 f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9\r\n\r\nAccording to the comment of `nla_parse_nested_deprecated`, the maxtype\nshould be len(destination array) - 1. Hence use `IFLA_RMNET_MAX` here.(CVE-2024-26597)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nphy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP\r\n\r\nIf the external phy working together with phy-omap-usb2 does not implement\nsend_srp(), we may still attempt to call it. This can happen on an idle\nEthernet gadget triggering a wakeup for example:\r\n\r\nconfigfs-gadget.g1 gadget.0: ECM Suspend\nconfigfs-gadget.g1 gadget.0: Port suspended. Triggering wakeup\n...\nUnable to handle kernel NULL pointer dereference at virtual address\n00000000 when execute\n...\nPC is at 0x0\nLR is at musb_gadget_wakeup+0x1d4/0x254 [musb_hdrc]\n...\nmusb_gadget_wakeup [musb_hdrc] from usb_gadget_wakeup+0x1c/0x3c [udc_core]\nusb_gadget_wakeup [udc_core] from eth_start_xmit+0x3b0/0x3d4 [u_ether]\neth_start_xmit [u_ether] from dev_hard_start_xmit+0x94/0x24c\ndev_hard_start_xmit from sch_direct_xmit+0x104/0x2e4\nsch_direct_xmit from __dev_queue_xmit+0x334/0xd88\n__dev_queue_xmit from arp_solicit+0xf0/0x268\narp_solicit from neigh_probe+0x54/0x7c\nneigh_probe from __neigh_event_send+0x22c/0x47c\n__neigh_event_send from neigh_resolve_output+0x14c/0x1c0\nneigh_resolve_output from ip_finish_output2+0x1c8/0x628\nip_finish_output2 from ip_send_skb+0x40/0xd8\nip_send_skb from udp_send_skb+0x124/0x340\nudp_send_skb from udp_sendmsg+0x780/0x984\nudp_sendmsg from __sys_sendto+0xd8/0x158\n__sys_sendto from ret_fast_syscall+0x0/0x58\r\n\r\nLet's fix the issue by checking for send_srp() and set_vbus() before\ncalling them. For USB peripheral only cases these both could be NULL.(CVE-2024-26600)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nx86/fpu: Stop relying on userspace for info to fault in xsave buffer\r\n\r\nBefore this change, the expected size of the user space buffer was\ntaken from fx_sw->xstate_size. fx_sw->xstate_size can be changed\nfrom user-space, so it is possible construct a sigreturn frame where:\r\n\r\n * fx_sw->xstate_size is smaller than the size required by valid bits in\n   fx_sw->xfeatures.\n * user-space unmaps parts of the sigrame fpu buffer so that not all of\n   the buffer required by xrstor is accessible.\r\n\r\nIn this case, xrstor tries to restore and accesses the unmapped area\nwhich results in a fault. But fault_in_readable succeeds because buf +\nfx_sw->xstate_size is within the still mapped area, so it goes back and\ntries xrstor again. It will spin in this loop forever.\r\n\r\nInstead, fault in the maximum size which can be touched by XRSTOR (taken\nfrom fpstate->user_size).\r\n\r\n[ dhansen: tweak subject / changelog ](CVE-2024-26603)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbinder: signal epoll threads of self-work\r\n\r\nIn (e)poll mode, threads often depend on I/O events to determine when\ndata is ready for consumption. Within binder, a thread may initiate a\ncommand via BINDER_WRITE_READ without a read buffer and then make use\nof epoll_wait() or similar to consume any responses afterwards.\r\n\r\nIt is then crucial that epoll threads are signaled via wakeup when they\nqueue their own work. Otherwise, they risk waiting indefinitely for an\nevent leaving their work unhandled. What is worse, subsequent commands\nwon't trigger a wakeup either as the thread has pending work.(CVE-2024-26606)",
+    "cves": [
+      {
+        "id": "CVE-2024-26606",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26606",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1388": {
+    "id": "openEuler-SA-2024-1388",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1388",
+    "title": "An update for python-pymongo is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The PyMongo distribution contains tools for interacting with \\ MongoDB database from Python.\\ PyMongo supports MongoDB 2.6, 3.0, 3.2, 3.4, 3.6, 4.0 and 4.2.\r\n\r\nSecurity Fix(es):\r\n\r\nVersions of the package pymongo before 4.6.3 are vulnerable to Out-of-bounds Read in the bson module. Using the crafted payload the attacker could force the parser to deserialize unmanaged memory. The parser tries to interpret bytes next to buffer and throws an exception with string. If the following bytes are not printable UTF-8 the parser throws an exception with a single byte.(CVE-2024-21506)",
+    "cves": [
+      {
+        "id": "CVE-2024-21506",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21506",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1024": {
+    "id": "openEuler-SA-2023-1024",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1024",
+    "title": "An update for python-pillow is now available for openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "Pillow is the friendly PIL fork by Alex Clark and Contributors. PIL is the Python Imaging Library by Fredrik Lundh and Contributors. As of 2019, Pillow development is supported by Tidelift.\r\n\r\nSecurity Fix(es):\r\n\r\nPillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL.(CVE-2022-45199)",
+    "cves": [
+      {
+        "id": "CVE-2022-45199",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45199",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1136": {
+    "id": "openEuler-SA-2023-1136",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1136",
+    "title": "An update for python-django is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "A high-level Python Web framework that encourages rapid development and clean, pragmatic design.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.(CVE-2023-24580)",
+    "cves": [
+      {
+        "id": "CVE-2023-24580",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24580",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1669": {
+    "id": "openEuler-SA-2022-1669",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1669",
+    "title": "An update for libtiff is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "This libtiff provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. The latest version of the TIFF specification is available on-line in several different formats.And contains command-line programs for manipulating TIFF format image files using the libtiff library.\n\nSecurity Fix(es):\n\nA stack buffer overflow flaw was found in Libtiffs tiffcp.c in main() function. This flaw allows an attacker to pass a crafted TIFF file to the tiffcp tool, triggering a stack buffer overflow issue, possibly corrupting the memory, and causing a crash that leads to a denial of service.(CVE-2022-1355)",
+    "cves": [
+      {
+        "id": "CVE-2022-1355",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1355",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1292": {
+    "id": "openEuler-SA-2021-1292",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1292",
+    "title": "An update for mybatis is now available for openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "The MyBatis data mapper framework makes it easier to use a relational database with object-oriented applications. MyBatis couples objects with stored procedures or SQL statements using a XML descriptor or annotations. Simplicity is the biggest advantage of the MyBatis data mapper over object relational mapping tools. To use the MyBatis data mapper, you rely on your own objects, XML, and SQL. There is little to learn that you don't already know. With the MyBatis data mapper, you have the full power of both SQL and stored procedures at your fingertips. The MyBatis project is developed and maintained by a team that includes the original creators of the \"iBATIS\" data mapper. The Apache project was retired and continued here.\r\n\r\nSecurity Fix(es):\r\n\r\nMyBatis before 3.5.6 mishandles deserialization of object streams.(CVE-2020-26945)",
+    "cves": [
+      {
+        "id": "CVE-2020-26945",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26945",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1046": {
+    "id": "openEuler-SA-2021-1046",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1046",
+    "title": "An update for gnutls is now available for openEuler-20.03-LTS",
+    "severity": "High",
+    "description": "GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, and other required structures.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a no_renegotiation alert is sent with unexpected timing, and then an invalid second handshake occurs. The crash happens in the application's error handling path, where the gnutls_deinit function is called after detecting a handshake failure.(CVE-2020-24659)",
+    "cves": [
+      {
+        "id": "CVE-2020-24659",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24659",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1621": {
+    "id": "openEuler-SA-2022-1621",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1621",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nA heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c. This flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat.(CVE-2022-27666)\r\n\r\nIn aio_poll_complete_work of aio.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-185125206References: Upstream kernel(CVE-2021-39698)\n\nVulnerability Summary for CVE-2022-1198.(CVE-2022-1198)\n\nems_usb_start_xmit in drivers/net/can/usb/ems_usb.c in the Linux kernel through 5.17.1 has a double free.(CVE-2022-28390)\n\nA flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain, which can cause a use-after-free. This issue needs to handle return with proper preconditions, as it can lead to a kernel information leak problem caused by a local, unprivileged attacker.(CVE-2022-1016)\n\nProduct: AndroidVersions: Android kernelAndroid ID: A-173788806References: Upstream kernel.(CVE-2021-39713)\n\nA use-after-free exists in the Linux Kernel in tc_new_tfilter that could allow a local attacker to gain privilege escalation. The exploit requires unprivileged user namespaces. We recommend upgrading past commit 04c2a47ffb13c29778e2a14e414ad4cb5a5db4b5.(CVE-2022-1055)\n\nLinux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042.(CVE-2022-23039)\n\nLinux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042.(CVE-2022-23040)\n\nLinux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042.(CVE-2022-23041)\n\nLinux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042.(CVE-2022-23042)\n\nThe SUNRPC subsystem in the Linux kernel through 5.17.2 can call xs_xprt_free before ensuring that sockets are in the intended state.(CVE-2022-28893)",
+    "cves": [
+      {
+        "id": "CVE-2022-28893",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28893",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1050": {
+    "id": "openEuler-SA-2021-1050",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1050",
+    "title": "An update for ImageMagick is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nIn IntensityCompare() of /magick/quantize.c, there are calls to PixelPacketIntensity() which could return overflowed values to the caller when ImageMagick processes a crafted input file. To mitigate this, the patch introduces and uses the ConstrainPixelIntensity() function, which forces the pixel intensities to be within the proper bounds in the event of an overflow. This flaw affects ImageMagick versions prior to 6.9.10-69 and 7.0.8-69.(CVE-2020-27754)\r\n\r\nIn WriteOnePNGImage() of the PNG coder at coders/png.c, an improper call to AcquireVirtualMemory() and memset() allows for an out-of-bounds write later when PopShortPixel() from MagickCore/quantum-private.h is called. The patch fixes the calls by adding 256 to rowbytes. An attacker who is able to supply a specially crafted image could affect availability with a low impact to data integrity. This flaw affects ImageMagick versions prior to 6.9.10-68 and 7.0.8-68.(CVE-2020-25664)",
+    "cves": [
+      {
+        "id": "CVE-2020-25664",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25664",
+        "severity": "Low"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1817": {
+    "id": "openEuler-SA-2024-1817",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1817",
+    "title": "An update for xorg-x11-server-xwayland is now available for openEuler-22.03-LTS-SP4",
+    "severity": "High",
+    "description": "Xwayland is an X server for running X clients under Wayland.   %package devel Summary: Development package Requires: pkgconfig   %description devel The development package provides the developmental files which are necessary for developing Wayland compositors using Xwayland.   %prep %autosetup -n xwayland-   %build %meson \\         -Dxwayland_eglstream=true \\         -Ddefault_font_path=\"catalogue:/etc/X11/fontpath.d,built-ins\" \\         -Dbuilder_string=\"Build ID:  -\" \\         -Dxkb_output_dir=/lib/xkb \\         -Dxcsecurity=true \\         -Dglamor=true \\         -Ddri3=true   %meson_build\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Xorg-x11-server. The specific flaw exists within the handling of ProcXkbSetDeviceInfo requests. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. This flaw allows an attacker to escalate privileges and execute arbitrary code in the context of root.(CVE-2022-2320)",
+    "cves": [
+      {
+        "id": "CVE-2022-2320",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2320",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1100": {
+    "id": "openEuler-SA-2024-1100",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1100",
+    "title": "An update for tomcat is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project\r\n\r\nSecurity Fix(es):\r\n\r\nApache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.\r\n\r\n\r\n\r\n\nNote that, like all of the file upload limits, the\n          new configuration option (FileUploadBase#setFileCountMax) is not\n          enabled by default and must be explicitly configured.\r\n\r\n\n(CVE-2023-24998)\r\n\r\nThe fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP       connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was       submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.\r\n\r\n\r\n\r\n\n(CVE-2023-28709)\r\n\r\nIncomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could \ncause Tomcat to skip some parts of the recycling process leading to \ninformation leaking from the current request/response to the next.\r\n\r\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.\r\n\r\n(CVE-2023-42795)",
+    "cves": [
+      {
+        "id": "CVE-2023-42795",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42795",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1812": {
+    "id": "openEuler-SA-2023-1812",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1812",
+    "title": "An update for avahi is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. This enables you to plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to or find files being shared.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in Avahi, where a reachable assertion exists in avahi_dns_packet_append_record.(CVE-2023-38469)",
+    "cves": [
+      {
+        "id": "CVE-2023-38469",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38469",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1023": {
+    "id": "openEuler-SA-2023-1023",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1023",
+    "title": "An update for php is now available for openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing adatabase-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts.The php package contains the module (often referred to as mod_php)which adds support for the PHP language to Apache HTTP Server.\r\n\r\nSecurity Fix(es):\r\n\r\nThe Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.(CVE-2022-37454)",
+    "cves": [
+      {
+        "id": "CVE-2022-37454",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37454",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1347": {
+    "id": "openEuler-SA-2021-1347",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1347",
+    "title": "An update for jasper is now available for openEuler-20.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "The JasPer Project is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.\r\n\r\nSecurity Fix(es):\r\n\r\nA Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.c(CVE-2021-27845)",
+    "cves": [
+      {
+        "id": "CVE-2021-27845",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27845",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1881": {
+    "id": "openEuler-SA-2023-1881",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1881",
+    "title": "An update for qt is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "Qt (pronounced as \"cute\", not \"cu-tee\") is a cross-platform framework that is usually used as a graphical toolkit, although it is also very helpful in creating CLI applications. It runs on the three major desktop OSes, as well as on mobile OSes, such as Symbian, Nokia Belle, Meego Harmattan, MeeGo or BB10, and on embedded devices. Ports for Android (Necessitas) and iOS are also in development\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.(CVE-2023-34410)\r\n\r\nIn Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.(CVE-2023-37369)\r\n\r\nAn issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.(CVE-2023-38197)\r\n\r\nAn issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.(CVE-2023-43114)",
+    "cves": [
+      {
+        "id": "CVE-2023-43114",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43114",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1068": {
+    "id": "openEuler-SA-2021-1068",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1068",
+    "title": "An update for python-lxml is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "The lxml XML toolkit is a Pythonic binding for the C libraries libxml2 and libxslt. It is unique in that it combines the speed and XML feature completeness of these libraries with the simplicity of a native Python API, mostly compatible but superior to the well-known ElementTree API. The latest release works with all CPython versions from 2.7 to 3.7.\r\n\r\nSecurity Fix(es):\r\n\r\nA XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.(CVE-2020-27783)",
+    "cves": [
+      {
+        "id": "CVE-2020-27783",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27783",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1997": {
+    "id": "openEuler-SA-2022-1997",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1997",
+    "title": "An update for qemu is now available for openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\n\n\t\tQEMU has two operating modes:\n\n\t\tFull system emulation. In this mode, QEMU emulates a full system (for example a PC),\n\t\tincluding one or several processors and various peripherals. It can be used to launch\n\t\tdifferent Operating Systems without rebooting the PC or to debug system code.\n\n\t\tUser mode emulation. In this mode, QEMU can launch processes compiled for one CPU on another CPU.\n\t\tIt can be used to launch the Wine Windows API emulator (https://www.winehq.org) or to ease\n\t\tcross-compilation and cross-debugging.\n\t\tYou can refer to https://www.qemu.org for more infortmation.\r\n\r\nSecurity Fix(es):\r\n\r\nAn out-of-bounds memory access flaw was found in the ATI VGA device emulation of QEMU. This flaw occurs in the ati_2d_blt() routine while handling MMIO write operations when the guest provides invalid values for the destination display parameters. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.(CVE-2021-3638)\r\n\r\nA DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.(CVE-2022-2962)",
+    "cves": [
+      {
+        "id": "CVE-2022-2962",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2962",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1386": {
+    "id": "openEuler-SA-2023-1386",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1386",
+    "title": "An update for golang is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "The Go Programming Language.\r\n\r\nSecurity Fix(es):\r\n\r\nThe go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via \"go get\", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).(CVE-2023-29402)\r\n\r\nThe go command may execute arbitrary code at build time when using cgo. This may occur when running \"go get\" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a \"#cgo LDFLAGS\" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.(CVE-2023-29404)\r\n\r\nThe go command may execute arbitrary code at build time when using cgo. This may occur when running \"go get\" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a \"#cgo LDFLAGS\" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.(CVE-2023-29405)",
+    "cves": [
+      {
+        "id": "CVE-2023-29405",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29405",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1516": {
+    "id": "openEuler-SA-2023-1516",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1516",
+    "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of format (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\n\nSecurity Fix(es):\n\nImageMagick before 6.9.12-91 allows attackers to cause a denial of service (memory consumption) in Magick::Draw.(CVE-2023-39978)",
+    "cves": [
+      {
+        "id": "CVE-2023-39978",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39978",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1990": {
+    "id": "openEuler-SA-2023-1990",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1990",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA race condition was found in the GSM 0710 tty multiplexor in the Linux kernel. This issue occurs when two threads execute the GSMIOC_SETCONF ioctl on the same tty file descriptor with the gsm line discipline enabled, and can lead to a use-after-free problem on a struct gsm_dlci while restarting the gsm mux. This could allow a local unprivileged user to escalate their privileges on the system.(CVE-2023-6546)",
+    "cves": [
+      {
+        "id": "CVE-2023-6546",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6546",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1379": {
+    "id": "openEuler-SA-2021-1379",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1379",
+    "title": "An update for kernel is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\n\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in the Linux kernel. Measuring usage of the shared memory does not scale with large shared memory segment counts which could lead to resource exhaustion and DoS.(CVE-2021-3669)\r\n\r\n(CVE-2021-3764)\r\n\r\n(CVE-2021-3744)\r\n\r\narch/mips/net/bpf_jit.c in the Linux kernel before 5.4.10 can generate undesirable machine code when transforming unprivileged cBPF programs, allowing execution of arbitrary code within the kernel context. This occurs because conditional branches can exceed the 128 KB limit of the MIPS architecture.(CVE-2021-38300)\r\n\r\nA use-after-free flaw was found in the Linux kernel's Bluetooth subsystem in the way user calls connect to the socket and disconnect simultaneously due to a race condition. This flaw allows a user to crash the system or escalate their privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-3752)\r\n\r\nA flaw was found in the Linux kernel. A corrupted timer tree caused the task wakeup to be missing in the timerqueue_add function in lib/timerqueue.c. This flaw allows a local attacker with special user privileges to cause a denial of service, slowing and eventually stopping the system while running OSP.(CVE-2021-20317)\r\n\r\nprealloc_elems_and_freelist in kernel/bpf/stackmap.c in the Linux kernel through 5.14.9 allows unprivileged users to trigger an eBPF multiplication integer overflow with a resultant out-of-bounds write.(CVE-2021-41864)\r\n\r\nThe decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel before 5.13.13 has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access.(CVE-2021-42008)",
+    "cves": [
+      {
+        "id": "CVE-2021-42008",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42008",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1760": {
+    "id": "openEuler-SA-2022-1760",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1760",
+    "title": "An update for GraphicsMagick is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+    "severity": "High",
+    "description": "GraphicsMagick is the swiss army knife of image processing. Comprised of 267K physical lines (according to David A. Wheeler's SLOCCount) of source code in the base package (or 1,225K including 3rd party libraries) it provides a robust and efficient collection of tools and libraries which support reading, writing, and manipulating an image in over 89 major formats including important formats like DPX, GIF, JPEG, JPEG-2000, PNG, PDF, PNM, TIFF, and WebP.\r\n\r\nSecurity Fix(es):\r\n\r\nIn GraphicsMagick, a heap buffer overflow was found when parsing MIFF. (CVE-2022-1270)",
+    "cves": [
+      {
+        "id": "CVE-2022-1270",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1270",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1754": {
+    "id": "openEuler-SA-2024-1754",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1754",
+    "title": "An update for aspell is now available for openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "GNU Aspell is a spell checker intended to replace Ispell. It can be used as a library and spell checker. Its main feature is that it provides much better suggestions than other inspectors, including Ispell and Microsoft Word. It also has many other technical enhancements to Ispell, such as the use of shared memory to store dictionaries, and intelligent processing of personal dictionaries when multiple Aspell processes are opened at one time.\r\n\r\nSecurity Fix(es):\r\n\r\nobjstack in GNU Aspell 0.60.8 has a heap-based buffer overflow in acommon::ObjStack::dup_top (called from acommon::StringMap::add and acommon::Config::lookup_list).(CVE-2019-25051)",
+    "cves": [
+      {
+        "id": "CVE-2019-25051",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25051",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2022-1943": {
+    "id": "openEuler-SA-2022-1943",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1943",
+    "title": "An update for flink is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Critical",
+    "description": "Apache Flink is a framework and distributed processing engine for stateful computations over unbounded and bounded data streams. Flink has been designed to run in all common cluster environments, perform computations at in-memory speed and at any scale.\r\n\r\nSecurity Fix(es):\r\n\r\nApache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.(CVE-2021-44228)",
+    "cves": [
+      {
+        "id": "CVE-2021-44228",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228",
+        "severity": "Critical"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1291": {
+    "id": "openEuler-SA-2023-1291",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1291",
+    "title": "An update for libssh is now available for openEuler-22.03-LTS",
+    "severity": "Medium",
+    "description": "The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote programs. With its Secure FTP implementation, you can play with remote files easily, without third-party programs others than libcrypto (from openssl).\r\n\r\nSecurity Fix(es):\r\n\r\nA NULL pointer dereference was found In libssh during re-keying with algorithm guessing. This issue may allow an authenticated client to cause a denial of service.(CVE-2023-1667)\r\n\r\nA vulnerability was found in libssh, where the authentication check of the connecting client can be bypassed in the`pki_verify_data_signature` function in memory allocation problems. This issue may happen if there is insufficient memory or the memory usage is limited. The problem is caused by the return value `rc,` which is initialized to SSH_ERROR and later rewritten to save the return value of the function call `pki_key_check_hash_compatible.` The value of the variable is not changed between this point and the cryptographic verification. Therefore any error between them calls `goto error` returning SSH_OK.(CVE-2023-2283)",
+    "cves": [
+      {
+        "id": "CVE-2023-2283",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2283",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1641": {
+    "id": "openEuler-SA-2023-1641",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1641",
+    "title": "An update for djvulibre is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "DjVu is a set of compression technologies, a file format, and a software platform for the deliveryover the Web of digital documents, scanned documents, and high resolution images.DjVu documents download and display extremely quickly, and look exactly the same on all platforms with no compatibility problems due to fonts, colors, etc. DjVu can be seen as a superior alternative to PDF and PostScript for digital documents, to TIFF (and PDF) for scanned bitonal documents, to JPEG and JPEG2000 for photographs and pictures, and to GIF for large palettized images. DjVu is the only Web format that is practical for distributing high-resolution scanned documents in color.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue was discovered IW44Image.cpp in djvulibre 3.5.28 in allows attackers to cause a denial of service via divide by zero.(CVE-2021-46310)\r\n\r\nAn issue was discovered IW44EncodeCodec.cpp in djvulibre 3.5.28 in allows attackers to cause a denial of service via divide by zero.(CVE-2021-46312)",
+    "cves": [
+      {
+        "id": "CVE-2021-46312",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46312",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1041": {
+    "id": "openEuler-SA-2021-1041",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1041",
+    "title": "An update for bind is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1",
+    "severity": "High",
+    "description": "Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols and provides an openly redistributable reference implementation of the major components of the Domain Name System. This package includes the components to operate a DNS server.\r\n\r\nSecurity Fix(es):\r\n\r\nBIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting valid values for the tkey-gssapi-keytab or tkey-gssapi-credentialconfiguration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. The most likely outcome of a successful exploitation of the vulnerability is a crash of the named process. However, remote code execution, while unproven, is theoretically possible. Affects: BIND 9.5.0 -> 9.11.27, 9.12.0 -> 9.16.11, and versions BIND 9.11.3-S1 -> 9.11.27-S1 and 9.16.8-S1 -> 9.16.11-S1 of BIND Supported Preview Edition. Also release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch(CVE-2020-8625)",
+    "cves": [
+      {
+        "id": "CVE-2020-8625",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8625",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1249": {
+    "id": "openEuler-SA-2023-1249",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1249",
+    "title": "An update for bluez is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+    "severity": "High",
+    "description": "This package provides all utilities for use in Bluetooth applications. The BLUETOOTH trademarks are owned by Bluetooth SIG, Inc., U.S.A.\r\n\r\nSecurity Fix(es):\r\n\r\n(CVE-2023-27349)",
+    "cves": [
+      {
+        "id": "CVE-2023-27349",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27349",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1259": {
+    "id": "openEuler-SA-2024-1259",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1259",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
+    "severity": "Medium",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was reported in the Open vSwitch sub-component in the Linux Kernel. The flaw occurs when a recursive operation of code push recursively calls into the code block. The OVS module does not validate the stack depth, pushing too many frames and causing a stack overflow. As a result, this can lead to a crash or other related issues.(CVE-2024-1151)",
+    "cves": [
+      {
+        "id": "CVE-2024-1151",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1151",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2023-1847": {
+    "id": "openEuler-SA-2023-1847",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1847",
+    "title": "An update for wireshark is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+    "severity": "Medium",
+    "description": "Wireshark is an open source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap-based buffer overflow was found in Wireshark's NetScreen file parser. This issue may allow local arbitrary code execution via a crafted capture file.(CVE-2023-6175)",
+    "cves": [
+      {
+        "id": "CVE-2023-6175",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6175",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1168": {
+    "id": "openEuler-SA-2021-1168",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1168",
+    "title": "An update for nodejs-hosted-git-info is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab\r\n\r\nSecurity Fix(es):\r\n\r\nThe package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.(CVE-2021-23362)",
+    "cves": [
+      {
+        "id": "CVE-2021-23362",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23362",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1238": {
+    "id": "openEuler-SA-2024-1238",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1238",
+    "title": "An update for edk2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+    "severity": "High",
+    "description": "EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications.\r\n\r\nSecurity Fix(es):\r\n\r\nA security vulnerability has been identified in all supported versions\r\n\r\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints.  Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\r\n\r\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0464)\r\n\r\nApplications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\r\n\r\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\r\n\r\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0465)\r\n\r\nThe function X509_VERIFY_PARAM_add0_policy() is documented to\nimplicitly enable the certificate policy check when doing certificate\nverification. However the implementation of the function does not\nenable the check which allows certificates with invalid or incorrect\npolicies to pass the certificate verification.\r\n\r\nAs suddenly enabling the policy check could break existing deployments it was\ndecided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()\nfunction.\r\n\r\nInstead the applications that require OpenSSL to perform certificate\npolicy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly\nenable the policy check by calling X509_VERIFY_PARAM_set_flags() with\nthe X509_V_FLAG_POLICY_CHECK flag argument.\r\n\r\nCertificate policy checks are disabled by default in OpenSSL and are not\ncommonly used by applications.(CVE-2023-0466)\r\n\r\nIssue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\r\n\r\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\r\n\r\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit.  OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\r\n\r\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime.  The time complexity is O(n^2) with 'n' being the size of the\nsub-identifiers in bytes (*).\r\n\r\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\nidentifiers in string form was introduced.  This includes using OBJECT\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\nalgorithms.\r\n\r\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\ndecrypt, or digest passed data.\r\n\r\nApplications that call OBJ_obj2txt() directly with untrusted data are\naffected, with any version of OpenSSL.  If the use is for the mere purpose\nof display, the severity is considered low.\r\n\r\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\nCMS, CMP/CRMF or TS.  It also impacts anything that processes X.509\ncertificates, including simple things like verifying its signature.\r\n\r\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\n100KiB limit on the peer's certificate chain.  Additionally, this only\nimpacts clients, or servers that have explicitly enabled client\nauthentication.\r\n\r\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\nsuch as X.509 certificates.  This is assumed to not happen in such a way\nthat it would cause a Denial of Service, so these versions are considered\nnot affected by this issue in such a way that it would be cause for concern,\nand the severity is therefore considered low.(CVE-2023-2650)\r\n\r\nIssue summary: Checking excessively long DH keys or parameters may be very slow.\r\n\r\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\r\n\r\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\r\n\r\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\r\n\r\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\r\n\r\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\r\n\r\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\r\n\r\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.(CVE-2023-3446)\r\n\r\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\r\n\r\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\r\n\r\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\r\n\r\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\r\n\r\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\r\n\r\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.(CVE-2024-0727)",
+    "cves": [
+      {
+        "id": "CVE-2024-0727",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727",
+        "severity": "High"
+      }
+    ]
+  },
+  "openEuler-SA-2021-1268": {
+    "id": "openEuler-SA-2021-1268",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2021-1268",
+    "title": "An update for OpenEXR is now available for openEuler-20.03-LTS-SP1",
+    "severity": "Medium",
+    "description": "OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light & Magic for use in computer imaging applications.\r\n\r\nSecurity Fix(es):\r\n\r\nThere's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.(CVE-2021-3598)\r\n\r\nAn issue was discovered in OpenEXR before 2.4.1. Because of integer overflows in CompositeDeepScanLine::Data::handleDeepFrameBuffer and readSampleCountForLineBlock, an attacker can write to an out-of-bounds pointer.(CVE-2020-11759)\r\n\r\nAn issue was discovered in OpenEXR before v2.5.2. Invalid chunkCount attributes could cause a heap buffer overflow in getChunkOffsetTableSize() in IlmImf/ImfMisc.cpp.(CVE-2020-15306)\r\n\r\nAn issue was discovered in OpenEXR before 2.4.1. There is an std::vector out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp.(CVE-2020-11763)\r\n\r\nAn issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during Huffman uncompression, as demonstrated by FastHufDecoder::refill in ImfFastHuf.cpp.(CVE-2020-11761)\r\n\r\nAn issue was discovered in OpenEXR before 2.4.1. There is an off-by-one error in use of the ImfXdr.h read function by DwaCompressor::Classifier::Classifier, leading to an out-of-bounds read.(CVE-2020-11765)\r\n\r\nAn issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during RLE uncompression in rleUncompress in ImfRle.cpp.(CVE-2020-11760)\r\n\r\nAn issue was discovered in OpenEXR before 2.5.2. Invalid input could cause a use-after-free in DeepScanLineInputFile::DeepScanLineInputFile() in IlmImf/ImfDeepScanLineInputFile.cpp.(CVE-2020-15305)\r\n\r\nAn issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read in ImfOptimizedPixelReading.h.(CVE-2020-11758)\r\n\r\nAn issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds write in copyIntoFrameBuffer in ImfMisc.cpp.(CVE-2020-11764)\r\n\r\nAn issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read and write in DwaCompressor::uncompress in ImfDwaCompressor.cpp when handling the UNKNOWN compression case.(CVE-2020-11762)",
+    "cves": [
+      {
+        "id": "CVE-2020-11762",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11762",
+        "severity": "Medium"
+      }
+    ]
+  },
+  "openEuler-SA-2024-1355": {
+    "id": "openEuler-SA-2024-1355",
+    "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1355",
+    "title": "An update for kernel is now available for openEuler-22.03-LTS-SP2",
+    "severity": "High",
+    "description": "The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: x86/mmu: Don't advance iterator after restart due to yielding\r\n\r\nAfter dropping mmu_lock in the TDP MMU, restart the iterator during\ntdp_iter_next() and do not advance the iterator.  Advancing the iterator\nresults in skipping the top-level SPTE and all its children, which is\nfatal if any of the skipped SPTEs were not visited before yielding.\r\n\r\nWhen zapping all SPTEs, i.e. when min_level == root_level, restarting the\niter and then invoking tdp_iter_next() is always fatal if the current gfn\nhas as a valid SPTE, as advancing the iterator results in try_step_side()\nskipping the current gfn, which wasn't visited before yielding.\r\n\r\nSprinkle WARNs on iter->yielded being true in various helpers that are\noften used in conjunction with yielding, and tag the helper with\n__must_check to reduce the probabily of improper usage.\r\n\r\nFailing to zap a top-level SPTE manifests in one of two ways.  If a valid\nSPTE is skipped by both kvm_tdp_mmu_zap_all() and kvm_tdp_mmu_put_root(),\nthe shadow page will be leaked and KVM will WARN accordingly.\r\n\r\n  WARNING: CPU: 1 PID: 3509 at arch/x86/kvm/mmu/tdp_mmu.c:46 [kvm]\n  RIP: 0010:kvm_mmu_uninit_tdp_mmu+0x3e/0x50 [kvm]\n  Call Trace:\n   <TASK>\n   kvm_arch_destroy_vm+0x130/0x1b0 [kvm]\n   kvm_destroy_vm+0x162/0x2a0 [kvm]\n   kvm_vcpu_release+0x34/0x60 [kvm]\n   __fput+0x82/0x240\n   task_work_run+0x5c/0x90\n   do_exit+0x364/0xa10\n   ? futex_unqueue+0x38/0x60\n   do_group_exit+0x33/0xa0\n   get_signal+0x155/0x850\n   arch_do_signal_or_restart+0xed/0x750\n   exit_to_user_mode_prepare+0xc5/0x120\n   syscall_exit_to_user_mode+0x1d/0x40\n   do_syscall_64+0x48/0xc0\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\r\n\r\nIf kvm_tdp_mmu_zap_all() skips a gfn/SPTE but that SPTE is then zapped by\nkvm_tdp_mmu_put_root(), KVM triggers a use-after-free in the form of\nmarking a struct page as dirty/accessed after it has been put back on the\nfree list.  This directly triggers a WARN due to encountering a page with\npage_count() == 0, but it can also lead to data corruption and additional\nerrors in the kernel.\r\n\r\n  WARNING: CPU: 7 PID: 1995658 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:171\n  RIP: 0010:kvm_is_zone_device_pfn.part.0+0x9e/0xd0 [kvm]\n  Call Trace:\n   <TASK>\n   kvm_set_pfn_dirty+0x120/0x1d0 [kvm]\n   __handle_changed_spte+0x92e/0xca0 [kvm]\n   __handle_changed_spte+0x63c/0xca0 [kvm]\n   __handle_changed_spte+0x63c/0xca0 [kvm]\n   __handle_changed_spte+0x63c/0xca0 [kvm]\n   zap_gfn_range+0x549/0x620 [kvm]\n   kvm_tdp_mmu_put_root+0x1b6/0x270 [kvm]\n   mmu_free_root_page+0x219/0x2c0 [kvm]\n   kvm_mmu_free_roots+0x1b4/0x4e0 [kvm]\n   kvm_mmu_unload+0x1c/0xa0 [kvm]\n   kvm_arch_destroy_vm+0x1f2/0x5c0 [kvm]\n   kvm_put_kvm+0x3b1/0x8b0 [kvm]\n   kvm_vcpu_release+0x4e/0x70 [kvm]\n   __fput+0x1f7/0x8c0\n   task_work_run+0xf8/0x1a0\n   do_exit+0x97b/0x2230\n   do_group_exit+0xda/0x2a0\n   get_signal+0x3be/0x1e50\n   arch_do_signal_or_restart+0x244/0x17f0\n   exit_to_user_mode_prepare+0xcb/0x120\n   syscall_exit_to_user_mode+0x1d/0x40\n   do_syscall_64+0x4d/0x90\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\r\n\r\nNote, the underlying bug existed even before commit 1af4a96025b3 (\"KVM:\nx86/mmu: Yield in TDU MMU iter even if no SPTES changed\") moved calls to\ntdp_mmu_iter_cond_resched() to the beginning of loops, as KVM could still\nincorrectly advance past a top-level entry when yielding on a lower-level\nentry.  But with respect to leaking shadow pages, the bug was introduced\nby yielding before processing the current gfn.\r\n\r\nAlternatively, tdp_mmu_iter_cond_resched() could simply fall through, or\ncallers could jump to their \"retry\" label.  The downside of that approach\nis that tdp_mmu_iter_cond_resched() _must_ be called before anything else\nin the loop, and there's no easy way to enfornce that requirement.\r\n\r\nIdeally, KVM would handling the cond_resched() fully within the iterator\nmacro (the code is actually quite clean) and avoid this entire class of\nbugs, but that is extremely difficult do wh\n---truncated---(CVE-2021-47094)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn()\r\n\r\nSili Luo reported a race in nfc_llcp_sock_get(), leading to UAF.\r\n\r\nGetting a reference on the socket found in a lookup while\nholding a lock should happen before releasing the lock.\r\n\r\nnfc_llcp_sock_get_sn() has a similar problem.\r\n\r\nFinally nfc_llcp_recv_snl() needs to make sure the socket\nfound by nfc_llcp_sock_from_sn() does not disappear.(CVE-2023-52502)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix array-index-out-of-bounds in diNewExt\r\n\r\n[Syz report]\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_imap.c:2360:2\nindex -878706688 is out of range for type 'struct iagctl[128]'\nCPU: 1 PID: 5065 Comm: syz-executor282 Not tainted 6.7.0-rc4-syzkaller-00009-gbee0e7762ad2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348\n diNewExt+0x3cf3/0x4000 fs/jfs/jfs_imap.c:2360\n diAllocExt fs/jfs/jfs_imap.c:1949 [inline]\n diAllocAG+0xbe8/0x1e50 fs/jfs/jfs_imap.c:1666\n diAlloc+0x1d3/0x1760 fs/jfs/jfs_imap.c:1587\n ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56\n jfs_mkdir+0x1c5/0xb90 fs/jfs/namei.c:225\n vfs_mkdir+0x2f1/0x4b0 fs/namei.c:4106\n do_mkdirat+0x264/0x3a0 fs/namei.c:4129\n __do_sys_mkdir fs/namei.c:4149 [inline]\n __se_sys_mkdir fs/namei.c:4147 [inline]\n __x64_sys_mkdir+0x6e/0x80 fs/namei.c:4147\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x45/0x110 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7fcb7e6a0b57\nCode: ff ff 77 07 31 c0 c3 0f 1f 40 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffd83023038 EFLAGS: 00000286 ORIG_RAX: 0000000000000053\nRAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007fcb7e6a0b57\nRDX: 00000000000a1020 RSI: 00000000000001ff RDI: 0000000020000140\nRBP: 0000000020000140 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000286 R12: 00007ffd830230d0\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\r\n\r\n[Analysis]\nWhen the agstart is too large, it can cause agno overflow.\r\n\r\n[Fix]\nAfter obtaining agno, if the value is invalid, exit the subsequent process.\r\n\r\n\nModified the test from agno > MAXAG to agno >= MAXAG based on linux-next\nreport by kernel test robot (Dan Carpenter).(CVE-2023-52599)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix uaf in jfs_evict_inode\r\n\r\nWhen the execution of diMount(ipimap) fails, the object ipimap that has been\nreleased may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs\nwhen rcu_core() calls jfs_free_node().\r\n\r\nTherefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as\nipimap.(CVE-2023-52600)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: fix array-index-out-of-bounds in dbAdjTree\r\n\r\nCurrently there is a bound check missing in the dbAdjTree while\naccessing the dmt_stree. To add the required check added the bool is_ctl\nwhich is required to determine the size as suggest in the following\ncommit.\nhttps://lore.kernel.org/linux-kernel-mentees/f9475918-2186-49b8-b801-6f0f9e75f4fa@oracle.com/(CVE-2023-52601)\r\n\r\nInteger Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.(CVE-2024-23307)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntomoyo: fix UAF write bug in tomoyo_write_control()\r\n\r\nSince tomoyo_write_control() updates head->write_buf when write()\nof long lines is requested, we need to fetch head->write_buf after\nhead->io_sem is held.  Otherwise, concurrent write() requests can\ncause use-after-free-write and double-free problems.(CVE-2024-26622)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nllc: call sock_orphan() at release time\r\n\r\nsyzbot reported an interesting trace [1] caused by a stale sk->sk_wq\npointer in a closed llc socket.\r\n\r\nIn commit ff7b11aa481f (\"net: socket: set sock->sk to NULL after\ncalling proto_ops::release()\") Eric Biggers hinted that some protocols\nare missing a sock_orphan(), we need to perform a full audit.\r\n\r\nIn net-next, I plan to clear sock->sk from sock_orphan() and\namend Eric patch to add a warning.\r\n\r\n[1]\n BUG: KASAN: slab-use-after-free in list_empty include/linux/list.h:373 [inline]\n BUG: KASAN: slab-use-after-free in waitqueue_active include/linux/wait.h:127 [inline]\n BUG: KASAN: slab-use-after-free in sock_def_write_space_wfree net/core/sock.c:3384 [inline]\n BUG: KASAN: slab-use-after-free in sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468\nRead of size 8 at addr ffff88802f4fc880 by task ksoftirqd/1/27\r\n\r\nCPU: 1 PID: 27 Comm: ksoftirqd/1 Not tainted 6.8.0-rc1-syzkaller-00049-g6098d87eaf31 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0xc4/0x620 mm/kasan/report.c:488\n  kasan_report+0xda/0x110 mm/kasan/report.c:601\n  list_empty include/linux/list.h:373 [inline]\n  waitqueue_active include/linux/wait.h:127 [inline]\n  sock_def_write_space_wfree net/core/sock.c:3384 [inline]\n  sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468\n  skb_release_head_state+0xa3/0x2b0 net/core/skbuff.c:1080\n  skb_release_all net/core/skbuff.c:1092 [inline]\n  napi_consume_skb+0x119/0x2b0 net/core/skbuff.c:1404\n  e1000_unmap_and_free_tx_resource+0x144/0x200 drivers/net/ethernet/intel/e1000/e1000_main.c:1970\n  e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3860 [inline]\n  e1000_clean+0x4a1/0x26e0 drivers/net/ethernet/intel/e1000/e1000_main.c:3801\n  __napi_poll.constprop.0+0xb4/0x540 net/core/dev.c:6576\n  napi_poll net/core/dev.c:6645 [inline]\n  net_rx_action+0x956/0xe90 net/core/dev.c:6778\n  __do_softirq+0x21a/0x8de kernel/softirq.c:553\n  run_ksoftirqd kernel/softirq.c:921 [inline]\n  run_ksoftirqd+0x31/0x60 kernel/softirq.c:913\n  smpboot_thread_fn+0x660/0xa10 kernel/smpboot.c:164\n  kthread+0x2c6/0x3a0 kernel/kthread.c:388\n  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n  ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242\n </TASK>\r\n\r\nAllocated by task 5167:\n  kasan_save_stack+0x33/0x50 mm/kasan/common.c:47\n  kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n  unpoison_slab_object mm/kasan/common.c:314 [inline]\n  __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:340\n  kasan_slab_alloc include/linux/kasan.h:201 [inline]\n  slab_post_alloc_hook mm/slub.c:3813 [inline]\n  slab_alloc_node mm/slub.c:3860 [inline]\n  kmem_cache_alloc_lru+0x142/0x6f0 mm/slub.c:3879\n  alloc_inode_sb include/linux/fs.h:3019 [inline]\n  sock_alloc_inode+0x25/0x1c0 net/socket.c:308\n  alloc_inode+0x5d/0x220 fs/inode.c:260\n  new_inode_pseudo+0x16/0x80 fs/inode.c:1005\n  sock_alloc+0x40/0x270 net/socket.c:634\n  __sock_create+0xbc/0x800 net/socket.c:1535\n  sock_create net/socket.c:1622 [inline]\n  __sys_socket_create net/socket.c:1659 [inline]\n  __sys_socket+0x14c/0x260 net/socket.c:1706\n  __do_sys_socket net/socket.c:1720 [inline]\n  __se_sys_socket net/socket.c:1718 [inline]\n  __x64_sys_socket+0x72/0xb0 net/socket.c:1718\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nFreed by task 0:\n  kasan_save_stack+0x33/0x50 mm/kasan/common.c:47\n  kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n  kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640\n  poison_slab_object mm/kasan/common.c:241 [inline]\n  __kasan_slab_free+0x121/0x1b0 mm/kasan/common.c:257\n  kasan_slab_free include/linux/kasan.h:184 [inline]\n  slab_free_hook mm/slub.c:2121 [inlin\n---truncated---(CVE-2024-26625)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nscsi: core: Move scsi_host_busy() out of host lock for waking up EH handler\r\n\r\nInside scsi_eh_wakeup(), scsi_host_busy() is called & checked with host\nlock every time for deciding if error handler kthread needs to be waken up.\r\n\r\nThis can be too heavy in case of recovery, such as:\r\n\r\n - N hardware queues\r\n\r\n - queue depth is M for each hardware queue\r\n\r\n - each scsi_host_busy() iterates over (N * M) tag/requests\r\n\r\nIf recovery is triggered in case that all requests are in-flight, each\nscsi_eh_wakeup() is strictly serialized, when scsi_eh_wakeup() is called\nfor the last in-flight request, scsi_host_busy() has been run for (N * M -\n1) times, and request has been iterated for (N*M - 1) * (N * M) times.\r\n\r\nIf both N and M are big enough, hard lockup can be triggered on acquiring\nhost lock, and it is observed on mpi3mr(128 hw queues, queue depth 8169).\r\n\r\nFix the issue by calling scsi_host_busy() outside the host lock. We don't\nneed the host lock for getting busy count because host the lock never\ncovers that.\r\n\r\n[mkp: Drop unnecessary 'busy' variables pointed out by Bart](CVE-2024-26627)",
+    "cves": [
+      {
+        "id": "CVE-2024-26627",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26627",
+        "severity": "High"
+      }
+    ]
+  }
+}
\ No newline at end of file
diff --git a/src/cli.rs b/src/cli.rs
index d31640c..a8ba10b 100644
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -59,11 +59,11 @@ pub struct SaDbCli {
     pub from: String,
 
     /// 输出的 sa db 文件，默认为当前路径下的 sainfos
-    #[arg(long, default_value_t = String::from("sainfos"))]
+    #[arg(long, default_value_t = String::from("cvrf_sainfos.json"))]
     pub sa: String,
 
     /// 输出的 cve db 文件，默认为当前路径下的 cves
-    #[arg(long, default_value_t = String::from("cves"))]
+    #[arg(long, default_value_t = String::from("cvrf_cves.json"))]
     pub cve: String,
 }